jgtg32a
12-08-2007 01:38 AM
IPtables Forward to Lan, and other Q
I may have figured out what my big problem is, but I still want to ask.
Not gonna lie, I didn't write this; I got it from here http://iptables-tutorial.frozentux.n...-tutorial.html. It was the DHCP example, but DHCP made me cry so I just used a static IP.
I got most everything working. I'm having one big problem and a few questions.
                     FIREWALL               Server
##########          ######    ######       ######
#Internet#<-------->#Eth1#<-->#Eth0#<----->#Eth0#
##########          ######    ######       ######
This is my basic setup. Currently most everything works, except that anything from the internet doesn't have access to the server. I run Wireshark on all interfaces (2 on the FW and 1 on the server) and watch traffic; connections from the server can go to the web and traffic comes back, happy day. I don't have a web server up on the server, just SSH, not really important though. I can SSH into the server from the server itself, and from the firewall only if I use the server's IP; if I try to SSH into the server from the internet it doesn't work (it doesn't matter that when I say internet I mean I use the IP of eth1 on the FW, or the server does it).
That's my real problem: Wireshark shows no traffic when I try it from the internet. There are a few other questions inside the code itself. I think I may have figured it out, but I've been doing this all day and I'm going to bed.
-Thank you so much for any help you can provide.
Code:
#!/bin/sh
WAN="eth1" #To internet DHCP assigned by ISP
LAN_IP="192.168.8.0"
LAN_IP_RANGE="192.168.8.0/24" #/24 = 255.255.255.0; "/254" is not a valid prefix length and iptables rejects it
LAN="eth0" #to my "server" static IP of 192...103 (a space is needed before #, otherwise the comment becomes part of the value)
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"
echo "1" > /proc/sys/net/ipv4/ip_forward #proc conf
#default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#User Tables
#$IPTABLES -N bad_tcp_packets #still trying to fully understand this table
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
#I don't understand this rule; from what I can tell it rejects all TCP packets
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A allowed -p TCP --syn -j ACCEPT #allow TCP with SYN set
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT #allow current connections
$IPTABLES -A allowed -p TCP -j DROP #drop everything else?
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed #TCP connection on these ports
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT #NB: matches any UDP with source port 53, not only replies to our own DNS queries
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#syn flood defence found on net and added first, seems like the best place to check for Syn flood is up front
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --set
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP
#
#$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ALL -i $LAN -s $LAN_IP_RANGE -j ACCEPT #anything from the LAN is accepted
$IPTABLES -A INPUT -i $WAN -s 192.168.8.0/24 -j DROP #Ingress filtering: LAN addresses arriving on the WAN side are spoofed (was /254, which is not a valid mask)
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT #local loopback is trusted
$IPTABLES -A INPUT -p ALL -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT #if already allowed keep it coming
$IPTABLES -A INPUT -p TCP -i $WAN -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $WAN -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $WAN -j icmp_packets
#$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -i $LAN -j ACCEPT #anything from lan is accepted
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #current connections are go
#I think my problem is around here there isn't a rule that will allow for forwarding of connections to my lan
#I would assume that I need one
#$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $WAN -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE
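The script above only has INPUT rules for port 22, which let SSH reach the firewall itself; a connection from the WAN aimed at the server has to be redirected with DNAT in the nat PREROUTING chain and then allowed through the filter FORWARD chain, which the script leaves at policy DROP for WAN-to-LAN traffic. The following is an added example, not code from the original post or from the frozentux tutorial; it assumes eth1 is the WAN side, eth0 the LAN side, and that the server is 192.168.8.103 (the post only shows "192...103"). Setting IPTABLES="echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT + FORWARD pair that gets
# inbound TCP from the WAN interface to a LAN host, plus an ingress filter
# and a CIDR sanity check. Interface names and the server address are
# assumptions matching the post (eth1 = WAN, eth0 = LAN, server .103).
WAN="eth1"
LAN="eth0"
LAN_NET="192.168.8.0/24"                 # /24, not /254
SERVER_IP="192.168.8.103"                # assumed from the post's "192...103"
IPTABLES="${IPTABLES:-/sbin/iptables}"   # IPTABLES="echo iptables" for a dry run

# Expose TCP port $1 on the WAN interface and forward it to host $2.
# Returns 1 without emitting anything if the port is not numeric.
forward_tcp_port() {
    port="$1"; dest="$2"
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    # 1. nat/PREROUTING: rewrite the destination address before routing.
    $IPTABLES -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dest:$port"
    # 2. filter/FORWARD: the translated packet is still filtered here, so it
    #    must match the *new* destination (the server), not the WAN address.
    #    Only NEW connections need this rule; the ESTABLISHED,RELATED rule in
    #    the post's FORWARD chain carries the rest of the conversation.
    $IPTABLES -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$dest" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Packets arriving on the WAN side with a LAN source address are spoofed.
# Drop them both for the firewall itself (INPUT) and for forwarded traffic.
ingress_filter() {
    $IPTABLES -A INPUT   -i "$WAN" -s "$LAN_NET" -j DROP
    $IPTABLES -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
}

# Check that a CIDR string has a numeric prefix length of at most 32
# (catches the "/254" typo from the post before iptables rejects it).
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    pfx="${1##*/}"
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ]
}

# Usage: sh forward.sh --dry-run   (prints the rules instead of applying them)
case "${1:-}" in
    --dry-run)
        IPTABLES="echo iptables"
        valid_cidr "$LAN_NET" || { echo "bad CIDR: $LAN_NET" >&2; exit 1; }
        ingress_filter
        forward_tcp_port 22 "$SERVER_IP"
        ;;
esac
```

Two caveats when testing this: `ip_forward` must be 1 (the post's script already sets it), and testing from the server itself or from the firewall against the WAN IP is a hairpin case that needs an extra SNAT rule and is not covered here; test from a host that really sits on the eth1 side. Once the DNAT rule exists, a `tcpdump -ni eth0 port 22` on the firewall shows the rewritten SYN leaving towards the server, which is the traffic the post never saw in Wireshark.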