LinuxQuestions.org
Old 08-10-2005, 01:33 PM   #1
yvesg
Member
 
Registered: May 2004
Distribution: SuSe v9.3 Professional
Posts: 33

IPTables Firewall + Unable to surf locally


Here is my situation:

INTERNET -- CABLE MODEM
|
(eth0)
LINUX Server (eth1) -- SWITCH
|
Internal Network

Internal network is within the 10.0.0.0/8 range.
Linux server is running a home-brew firewall script with iptables.
Internet is connected via cable modem on the eth0 interface.
Internal network is connected on eth1 (10.0.0.1/8 interface).


Here is my routing table (autogenerated):

Destination     Gateway          Genmask          Flags Metric Ref Use Iface
84.194.32.0     *                255.255.224.0    U     0      0   0   eth0
169.254.0.0     *                255.255.0.0      U     0      0   0   eth1
10.0.0.0        *                255.0.0.0        U     0      0   0   eth1
default         d54c22001.acces  0.0.0.0          UG    0      0   0   eth0

Each device on my internal network has no problems at all with the internet connection. But on my Linux box itself I can't get it to work. No ping, no www, no ftp... (DNS works fine, because google.be gets resolved via my internal DNS server.)

Something wrong with the routing table?
 
Old 08-10-2005, 01:44 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Routing table looks fine. I'd look to iptables.
 
Old 08-10-2005, 01:47 PM   #3
yvesg
Member
 
Registered: May 2004
Distribution: SuSe v9.3 Professional
Posts: 33

Original Poster
Well, here is my home-written script:

#!/bin/sh
# Location of the iptables binary; the script uses ${IPTABLES} throughout
# but never set it (SuSE 9.3 installs it as /usr/sbin/iptables).
IPTABLES=/usr/sbin/iptables

# Flush every chain in the filter, nat and mangle tables and delete
# any user-defined chains, so the script always starts from a clean state.
${IPTABLES} -F INPUT
${IPTABLES} -F OUTPUT
${IPTABLES} -F FORWARD
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
${IPTABLES} -t mangle -F FORWARD
${IPTABLES} -X
${IPTABLES} -t nat -X
${IPTABLES} -t mangle -X
${IPTABLES} -t filter -X

# Default-deny inbound to the box, then turn on routing between the two NICs.
${IPTABLES} -t filter -P INPUT DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Routed traffic: Internet -> LAN only for replies, LAN -> Internet anything,
# and masquerade the LAN behind eth0's (DHCP-assigned) address.
${IPTABLES} -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -i eth1 -o eth0 -j ACCEPT
${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Chain policies. INPUT drops by default; only LAN-side traffic is let in.
# With FORWARD's policy set to ACCEPT, the ESTABLISHED,RELATED restriction on
# eth0 -> eth1 above never rejects anything: unmatched packets fall through
# to the ACCEPT policy.
${IPTABLES} -P INPUT DROP
${IPTABLES} -A INPUT -i eth1 -j ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT

# Always allow loopback.
${IPTABLES} -A INPUT -i lo -j ACCEPT

# Drop TCP packets with illegal or scan-style flag combinations on eth0.
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
${IPTABLES} -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Drop all ICMP arriving from the Internet.
${IPTABLES} -A INPUT -i eth0 -p icmp -j DROP
# Drop anything addressed to 255.0.0.0/8 (see the discussion further down).
${IPTABLES} -A FORWARD -d 255.0.0.0/8 -j DROP
${IPTABLES} -A OUTPUT -d 255.0.0.0/8 -j DROP
# Drop NetBIOS name-service chatter from the Internet.
${IPTABLES} -A INPUT -i eth0 -p udp --sport 137 --dport 137 -j DROP

[EDIT]
Here is also the output of ifconfig:

eth0 Link encap:Ethernet HWaddr 00:C0:DF:0C:16:DD
inet addr:84.194.51.97 Bcast:255.255.255.255 Mask:255.255.224.0
inet6 addr: fe80::2c0:dfff:fe0c:16dd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:562796 errors:0 dropped:0 overruns:0 frame:0
TX packets:146050 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:230948759 (220.2 MiB) TX bytes:10059687 (9.5 MiB)
Interrupt:11 Base address:0xe400

eth1 Link encap:Ethernet HWaddr 00:50:BF:59:71:D6
inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::250:bfff:fe59:71d6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:147251 errors:0 dropped:0 overruns:0 frame:0
TX packets:183708 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10163109 (9.6 MiB) TX bytes:208174961 (198.5 MiB)
Interrupt:5 Base address:0xe800

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:143 errors:0 dropped:0 overruns:0 frame:0
TX packets:143 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10770 (10.5 KiB) TX bytes:10770 (10.5 KiB)

[/EDIT]

Last edited by yvesg; 08-10-2005 at 01:49 PM.
 
Old 08-10-2005, 01:55 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

What is the purpose of these two lines:
Code:
${IPTABLES} -A FORWARD -d 255.0.0.0/8 -j DROP
${IPTABLES} -A OUTPUT -d 255.0.0.0/8 -j DROP
I'm not sure they cause your problem (probably not, in fact) but I am curious.

Actually, your problem is probably this:
you don't accept ESTABLISHED,RELATED on the INPUT chain.
Code:
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
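A stateful rewrite of the thread's ruleset, added here as an example; it is neither the poster's script nor Matir's. It applies the fix from the reply above (accept ESTABLISHED,RELATED on INPUT) and additionally sets the FORWARD policy to DROP, which the thread does not do. The interface roles (eth0 = cable modem, eth1 = LAN) and the 10.0.0.0/8 LAN are taken from the thread; the DRY_RUN variable, the run/ipt helpers and check_stateful_input are names assumed here so the ruleset can be printed and inspected without root.

```sh
#!/bin/sh
# Added example, not the original poster's script. Interface roles and the
# LAN prefix come from the thread; DRY_RUN and the helper names are
# assumptions made here.
WAN=eth0
LAN=eth1
LAN_NET=10.0.0.0/8
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands, 0 = execute them (as root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}
ipt() { run iptables "$@"; }

build_ruleset() {
    # Policies first, so the flush below never leaves a window with the old
    # (possibly ACCEPT) policy and no rules. FORWARD is DROP here; the
    # original used ACCEPT, which turned its "eth0 -> eth1 only
    # ESTABLISHED,RELATED" rule into a no-op because unmatched forwarded
    # packets fell through to the policy.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done

    # INPUT: loopback, then replies to connections this host opened. This is
    # the rule the thread was missing. OUTPUT ACCEPT lets the box send a SYN,
    # but the SYN/ACK coming back on eth0 is an INPUT packet; with policy
    # DROP and no state rule it is discarded, so the firewall itself cannot
    # surf while LAN clients, whose replies traverse FORWARD, still can.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # FORWARD: replies back to the LAN, new connections only from the LAN.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # NAT the LAN behind whatever address eth0 currently holds.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    run sysctl -w net.ipv4.ip_forward=1
}

# Reads a ruleset on stdin (the dry-run output above or `iptables-save`) and
# succeeds if some INPUT rule accepts ESTABLISHED,RELATED traffic. Newer
# iptables may print the states as RELATED,ESTABLISHED and use --ctstate.
check_stateful_input() {
    grep -Eq -- '-A INPUT .*--(ct)?state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT'
}

build_ruleset
```

Run it as-is to print the rules, or as `DRY_RUN=0 sh firewall.sh` as root to load them; afterwards `iptables -L INPUT -v -n --line-numbers` should list the state rule as rule 2 and its packet counter should climb as soon as the box opens a connection. The original's TCP-flag and ICMP drops for eth0 can be appended after the LAN rule; because the state rule precedes them, ICMP errors that belong to a tracked connection (fragmentation-needed, for instance) are still accepted as RELATED rather than silently dropped.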
 
Old 08-10-2005, 02:11 PM   #5
yvesg
Member
 
Registered: May 2004
Distribution: SuSe v9.3 Professional
Posts: 33

Original Poster
Quote:
Originally posted by Matir
What is the purpose of these two lines:
Code:
${IPTABLES} -A FORWARD -d 255.0.0.0/8 -j DROP
${IPTABLES} -A OUTPUT -d 255.0.0.0/8 -j DROP

Hmz, it has been a few years.

I know that I've read about it somewhere in a tutorial.
It has something to do with security issues... need to look it up.

[EDIT]
Well, adding that line solved my problem!
Thanks for that.
I think that it was to drop broadcast messages on my interface.
Not sure.
[/EDIT]

Last edited by yvesg; 08-10-2005 at 02:17 PM.
 
Old 08-10-2005, 02:32 PM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Dropping broadcast would require something a bit more complex, I would think. Unless it was like broadcast to ALL networks, which most ISP routers would nix anyway.

But, so long as it works, it's probably best not to fiddle.
 