LinuxQuestions.org
Old 10-14-2006, 01:44 PM   #1
Dakkar
Member
 
Registered: Dec 2003
Location: Turkey
Distribution: Suse
Posts: 89

Iptables drop policy problem


Hi, I have designed my network with an iptables script that I wrote, but there is a problem: if I make the policies' default behaviour DROP, then my firewall doesn't work.
Let me first explain why I need it.
I have a host machine with IP address 192.168.2.2 (eth0); this network interface is connected to an ADSL modem, and in the same machine I have another network interface (10.0.0.1, eth2), and I have a web server machine with IP 10.0.0.3 (gateway: 10.0.0.1),
and my iptables script makes this web server machine connect to the internet, and also the web page requests are directly forwarded to it,
but for an effective iptables script I have to be able to make the default policies DROP, but when I write iptables -P FORWARD DROP the web server's internet connection fails.
Here is my script:

Code:
#!/bin/sh
# Flush

sysctl -w net.ipv4.ip_forward=1

iptables -t nat -F
iptables -t nat -X

iptables -t filter -F
iptables -t filter -X

# NAT rules
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -p tcp -m multiport --dports 25,80,110 -o eth0 -j SNAT --to-source 192.168.2.2
iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 25,80,110 -j DNAT --to 10.0.0.3


# DNS settings
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -p tcp --dport 53 -o eth0 -j SNAT --to-source 192.168.2.2
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -p udp --dport 53 -o eth0 -j SNAT --to-source 192.168.2.2
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to 10.0.0.3
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to 10.0.0.3
iptables -A FORWARD -i eth2 -s 10.0.0.0/24 -p tcp --dport 53 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -s 10.0.0.0/24 -p udp --dport 53 -o eth0 -j ACCEPT


# Filtering rules
iptables -P FORWARD ACCEPT
# LAN -> Internet access permissions
iptables -A FORWARD -i eth2 -s 10.0.0.0/24 -p tcp --dport 80 -o eth0 -j ACCEPT
# Access from the Internet to the LAN
iptables -A FORWARD -i eth0 -p tcp -m multiport --dports 25,80,110 -d 10.0.0.3 -j ACCEPT


# Block all incoming connections
iptables -P INPUT ACCEPT
# Accept connections from loopback
iptables -A INPUT -i lo -j ACCEPT
# Accept SSH connections from the local network
iptables -A INPUT -i eth2 -j ACCEPT
# Accept SSH connections coming from the Internet
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Disables pings
iptables -A INPUT -p icmp -j DROP
# Protects against attacks
iptables -A INPUT -p tcp -m hashlimit --hashlimit 5/min --hashlimit-mode srcip --hashlimit-name http --dport 80 -m state --state NEW -j ACCEPT

As you see, all chains have a default ACCEPT policy, so this doesn't mean anything.
By the way, I forgot to mention that I'm using SUSE 10.0 on my host computer and SUSE 10.1 on my web server computer; both OSes' default firewalls and AppArmor are disabled.
Thanks
 
Old 10-15-2006, 08:45 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

If you want default DROP policies then just change it to that. Then if you run into access problems adding "-j LOG" rules is the best way to start IMHO if you want to learn and troubleshoot it yourself.
 
Old 10-15-2006, 11:13 AM   #3
Dakkar
Member
 
Registered: Dec 2003
Location: Turkey
Distribution: Suse
Posts: 89

Original Poster
Like I said, when I change them to -j DROP the client machine becomes unable to connect to the internet, and I don't know how to separate the forward logs from the others, so I tried iptables -A FORWARD -j LOG, but I'm unable to trace it.
 
Old 10-15-2006, 06:57 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Add an appropriate "--log-prefix", like -j LOG --log-prefix="IN_drop_icmp" or -j LOG --log-prefix="FWD_drop_related" to distinguish entries. Since you can only use 29 chars you may have to make it a bit cryptic if you have a lot of rules to track.
 
Old 10-16-2006, 10:49 AM   #5
Dakkar
Member
 
Registered: Dec 2003
Location: Turkey
Distribution: Suse
Posts: 89

Original Poster
I made the log prefix YONLENDIRME_RED, and here are the forward chain's logs:

Code:
Oct 16 18:47:52 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=202.12.27.33 DST=10.0.0.3 LEN=159 TOS=0x00 PREC=0x00 TTL=52 ID=63511 PROTO=UDP SPT=53 DPT=32769 LEN=139 
Oct 16 18:47:52 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.5.5.241 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=51 ID=16733 PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:47:53 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.48.79.30 DST=10.0.0.3 LEN=163 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=32769 LEN=143 
Oct 16 18:47:54 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=198.41.0.4 DST=10.0.0.3 LEN=159 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=53 DPT=32769 LEN=139 
Oct 16 18:47:54 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=128.63.2.53 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=45 ID=50312 DF PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:47:55 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.55.83.30 DST=10.0.0.3 LEN=163 TOS=0x00 PREC=0x00 TTL=236 ID=64925 DF PROTO=UDP SPT=53 DPT=32769 LEN=143 
Oct 16 18:47:56 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.31.80.30 DST=10.0.0.3 LEN=163 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=53 DPT=32769 LEN=143 
Oct 16 18:47:56 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.228.79.201 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=47 ID=36160 DF PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:47:56 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=198.32.64.12 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:47:58 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=202.12.27.33 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=52 ID=6393 PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:47:58 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.35.51.30 DST=10.0.0.3 LEN=163 TOS=0x00 PREC=0x00 TTL=233 ID=9329 DF PROTO=UDP SPT=53 DPT=32769 LEN=143 
Oct 16 18:48:00 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.54.112.30 DST=10.0.0.3 LEN=163 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=53 DPT=32769 LEN=143 
Oct 16 18:48:00 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=128.8.10.90 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=38 ID=25551 PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:48:02 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.43.172.30 DST=10.0.0.3 LEN=163 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=32769 LEN=143 
Oct 16 18:48:02 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.203.230.10 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=45 ID=44159 PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:48:04 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.112.36.4 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=237 ID=9741 DF PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:48:04 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.33.14.30 DST=10.0.0.3 LEN=163 TOS=0x00 PREC=0x00 TTL=47 ID=32560 DF PROTO=UDP SPT=53 DPT=32769 LEN=143 
Oct 16 18:48:06 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.36.148.17 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:48:06 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.5.6.30 DST=10.0.0.3 LEN=163 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=32769 LEN=143 
Oct 16 18:48:08 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.26.92.30 DST=10.0.0.3 LEN=163 TOS=0x00 PREC=0x00 TTL=237 ID=26105 DF PROTO=UDP SPT=53 DPT=32769 LEN=143 
Oct 16 18:48:10 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=193.0.14.129 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:48:12 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=192.5.5.241 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=51 ID=24717 PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:48:14 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=128.63.2.53 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=45 ID=39291 DF PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:48:17 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=198.32.64.12 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=53 DPT=32769 LEN=128 
Oct 16 18:48:18 istanbul kernel: YONLENDIRME_RED_IN=eth0 OUT=eth2 SRC=202.12.27.33 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=52 ID=30047 PROTO=UDP SPT=53 DPT=32769 LEN=128

What could be the problem?

Last edited by Dakkar; 10-16-2006 at 12:29 PM.
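As an added example that is not part of the thread, the POSIX shell script below reads kernel LOG lines in the layout of the post above and sorts the dropped packets into reply traffic versus new connections; eth0, eth2 and 10.0.0.3 come from the thread, while the FWD_DROP prefix, the public addresses and the reply heuristics are constructed for the example. Reply-class entries such as the SPT=53 lines above are exactly what a FORWARD chain with a DROP policy and no ESTABLISHED,RELATED accept rule throws away.

```shell
#!/bin/sh
# Constructed sample in the kernel LOG layout from the thread: the prefix is glued to
# IN= because the --log-prefix had no trailing space (end it with a space to avoid that).
# Interfaces and 10.0.0.3 follow the thread; the FWD_DROP prefix and other addresses are made up.
SAMPLE_LOG='Oct 16 18:47:52 istanbul kernel: FWD_DROP_IN=eth0 OUT=eth2 SRC=198.51.100.7 DST=10.0.0.3 LEN=148 TOS=0x00 PREC=0x00 TTL=51 ID=16733 PROTO=UDP SPT=53 DPT=32769 LEN=128
Oct 16 18:47:53 istanbul kernel: FWD_DROP_IN=eth0 OUT=eth2 SRC=198.51.100.9 DST=10.0.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=44321 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 16 18:47:54 istanbul kernel: FWD_DROP_IN=eth2 OUT=eth0 SRC=10.0.0.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2311 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 16 18:47:55 istanbul kernel: FWD_DROP_IN=eth0 OUT=eth2 SRC=203.0.113.5 DST=10.0.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=14600 RES=0x00 ACK SYN URGP=0'

# field KEY LINE: print the value of KEY= from one LOG line. The [^A-Z] guard finds
# IN= even when it is glued to a prefix and keeps DST= from matching inside another key.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[^A-Z]$1=\([^ ]*\).*/\1/p"
}

# classify_line LINE: say why a packet fell through to FORWARD's DROP policy.
#   reply    answer to a connection the LAN host opened (UDP from a well-known source
#            port, or TCP with ACK set): only "-m state --state ESTABLISHED,RELATED
#            -j ACCEPT" in FORWARD admits these without a rule per port
#   new-in   new connection from the Internet towards the LAN (needs an explicit rule)
#   new-out  new connection from the LAN towards the Internet
# The UDP test is a heuristic for reading logs; in the kernel conntrack decides, not the port.
classify_line() {
    iface_in=$(field IN "$1"); proto=$(field PROTO "$1"); spt=$(field SPT "$1")
    case "$1" in *" ACK "*) ack=1 ;; *) ack=0 ;; esac
    if [ "$iface_in" = eth0 ]; then
        if [ "$proto" = UDP ] && [ "${spt:-65535}" -lt 1024 ]; then echo reply
        elif [ "$proto" = TCP ] && [ "$ack" = 1 ]; then echo reply
        else echo new-in; fi
    elif [ "$iface_in" = eth2 ]; then
        if [ "$proto" = TCP ] && [ "$ack" = 1 ]; then echo reply; else echo new-out; fi
    else
        echo other
    fi
}

# summarize_drops < LOGFILE: one "class count" line per class, e.g. "reply 2"
summarize_drops() {
    while IFS= read -r line; do
        [ -n "$line" ] && classify_line "$line"
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Feed it the real log with something like `grep YONLENDIRME_RED /var/log/messages | sh -c '. ./classify.sh; summarize_drops'` once the functions are in a file; a high reply count means the policy, not a missing port rule, is what blocks the LAN host.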
 
Old 10-18-2006, 02:38 PM   #6
Dakkar
Member
 
Registered: Dec 2003
Location: Turkey
Distribution: Suse
Posts: 89

Original Poster
Any idea?