LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 11-01-2013, 11:10 AM   #1
bypper
LQ Newbie
 
Registered: Jun 2013
Posts: 8

Rep: Reputation: Disabled
IPTABLES: Give access to my LAN to IMAPS server in the Internet


Hi everybody:
I'm sure this is a trivial problem for any Iptables'es expert, but I can't find the solution.

Gateway with Linux Debian Stable (DEBGW from now) with 2 netcards
eth0: 192.168.1.10 with access to internet
eth1: 192.168.2.10 with access to LAN


LAN: 192.168.2.0/24 with the only access to Internet through Squid proxy in the DEBGW.


DEBGW has a iptables rules with INPUT & FORWARD policy DROP by default.

Now, I need give IMAPS/SMTP access from LAN to IMAPS server(111.111.111.111) in the Internet, and no more.

I know, if I set MASQUERADE for LAN, and open FORWARD access to ports, it runs. This is the way...

$ iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE
$ iptables -A FORWARD -p tcp --dport 993
$ iptables -A FORWARD -p tcp --dport 567


But, the LAN's users can now browse the web without set proxy config in theirs browsers.

what rules must I define to setup this correctly?
Thank you

Last edited by bypper; 11-01-2013 at 11:30 AM.
 
Old 11-01-2013, 03:42 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,126

Rep: Reputation: Disabled
Quote:
Originally Posted by bypper View Post
DEBGW has a iptables rules with INPUT & FORWARD policy DROP by default.

Now, I need give IMAPS/SMTP access from LAN to IMAPS server(111.111.111.111) in the Internet, and no more.

I know, if I set MASQUERADE for LAN, and open FORWARD access to ports, it runs. This is the way...

$ iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE
This rule will cause all forwarded traffic to be NATed behind the outgoing interface. You may want to add "-o eth0" and even "-i eth1" to avoid unintended consequences (security issues).

Quote:
Originally Posted by bypper View Post
$ iptables -A FORWARD -p tcp --dport 993
$ iptables -A FORWARD -p tcp --dport 567
These rules do nothing at all, as there's no target.

Quote:
Originally Posted by bypper View Post
But, the LAN's users can now browse the web without set proxy config in theirs browsers.
If these are the only rules and the FORWARD policy is DROP, that should be impossible. You need to check your ruleset (iptables -S FORWARD).
 
Old 11-01-2013, 07:05 PM   #3
bypper
LQ Newbie
 
Registered: Jun 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy View Post
This rule will cause all forwarded traffic to be NATed behind the outgoing interface. You may want to add "-o eth0" and even "-i eth1" to avoid unintended consequences (security issues).
What do you want to say??
As this?

$ iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE

The result is the same, and if I add "-i eth1" nothing runs. The browser can't browse without proxy, but the conection to 993 port does not work.

Quote:
These rules do nothing at all, as there's no target.
Sorry, I forgot write the final "-j ACCEPT" in the post.

Quote:
If these are the only rules and the FORWARD policy is DROP, that should be impossible. You need to check your ruleset (iptables -S FORWARD).
These are...
-P FORWARD DROP
-A FORWARD -s 130.193.126.125/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 99.24.186.236/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 64.60.169.59/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 79.125.19.127/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 114.44.101.60/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 85.174.231.98/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 184.80.13.252/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 80.240.200.206/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 190.2.16.134/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 98.207.90.250/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 220.130.85.181/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 60.217.235.5/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 70.52.248.153/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 213.27.158.45/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 135:139 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5800 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 135:139 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 993 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 5800 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 5900:5910 -j ACCEPT
-A FORWARD -p udp -m udp --dport 135:139 -j ACCEPT
-A FORWARD -p udp -m udp --sport 135:139 -j ACCEPT
-A FORWARD -s 192.168.2.26/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 192.168.2.26/32 -j logeo


Can you find the cause?

Best Regards
 
Old 11-01-2013, 07:09 PM   #4
bypper
LQ Newbie
 
Registered: Jun 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by bypper View Post
$ iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE

The result is the same, and if I add "-i eth1" nothing runs. The browser can't browse without proxy, but the conection to 993 port does not work.
Oh, wait
it give me an error...

iptables v1.4.14: Can't use -i with POSTROUTING
 
Old 11-01-2013, 07:15 PM   #5
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,126

Rep: Reputation: Disabled
Quote:
Originally Posted by bypper View Post
Oh, wait
it give me an error...

iptables v1.4.14: Can't use -i with POSTROUTING
You're right; the "-i" parameter should be used in the corresponding FORWARD rule(s). The idea is to block connections from the outside using spoofed IP addresses.
 
Old 11-01-2013, 07:18 PM   #6
bypper
LQ Newbie
 
Registered: Jun 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy View Post
You're right; the "-i" parameter should be used in the corresponding FORWARD rule(s). The idea is to block connections from the outside using spoofed IP addresses.
Sorry, I don't undestand you :-(
Can you write some example?
 
Old 11-01-2013, 07:41 PM   #7
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,126

Rep: Reputation: Disabled
Quote:
Originally Posted by bypper View Post
-P FORWARD DROP
"Implicit deny" is always a good start.
Quote:
Originally Posted by bypper View Post
-A FORWARD -s 130.193.126.125/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 99.24.186.236/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 64.60.169.59/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 79.125.19.127/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 114.44.101.60/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 85.174.231.98/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 184.80.13.252/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 80.240.200.206/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 190.2.16.134/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 98.207.90.250/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 220.130.85.181/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 60.217.235.5/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 70.52.248.153/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 213.27.158.45/32 -j REJECT --reject-with icmp-port-unreachable
FWIW, if you're trying to block IP addresses that attempt to spread malware or log in using various automated/scripted techniques, there are better ways to do it than creating a rule for every single address.
Quote:
Originally Posted by bypper View Post
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Here's your problem. You're allowing all NEW connections, regardless of protocol or port number. All rules below this point will make absolutely no difference. Remove NEW, and the rule will allow only active sessions that have already been allowed through by other rules, which is what you want.

Once you've fixed this rule, you should probably keep it at the very top of the chain, to keep the kernel from having to parse a long list of single-IP rules for each and every incoming packet.
Quote:
Originally Posted by bypper View Post
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
This one is probably going to bite you hard once a PC gets infected with a spamming trojan. Almost no mail providers use port 25 for outbound mail, they use authenticated SMTP with STARTTLS over the "mail submission" port (TCP/587).

If you're running a mail server, then by all means allow outbound SMTP for that IP, but not for the entire network.
Quote:
Originally Posted by bypper View Post
-A FORWARD -p tcp -m tcp --dport 135:139 -j ACCEPT
Why are you allowing Microsoft SMB over the Internet?
Quote:
Originally Posted by bypper View Post
-A FORWARD -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5800 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 5900:5910 -j ACCEPT
If you're using VNC, it might be a good idea to specify directionality (source and/or destination IPs) or ingress/egress interfaces. As things stand, anyone on the Internet can send spoofed packets to the VNC ports of hosts on your LAN.
Quote:
Originally Posted by bypper View Post
-A FORWARD -p tcp -m tcp --sport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 135:139 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 993 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 5800 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 5900:5910 -j ACCEPT
-A FORWARD -p udp -m udp --sport 135:139 -j ACCEPT
None of these are needed. Reply packets are handled by the state rule.
 
1 members found this post helpful.
Old 11-02-2013, 06:02 AM   #8
bypper
LQ Newbie
 
Registered: Jun 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Smile

Quote:
Originally Posted by Ser Olmy View Post
"Implicit deny" is always a good start.
Yes, of course ;-)
Quote:
FWIW, if you're trying to block IP addresses that attempt to spread malware or log in using various automated/scripted techniques, there are better ways to do it than creating a rule for every single address.
Well, I have a file with the banned IPs, really, but perhaps isn't very professional :-P
Can you give a track about it?
Quote:
Here's your problem. You're allowing all NEW connections, regardless of protocol or port number. All rules below this point will make absolutely no difference. Remove NEW, and the rule will allow only active sessions that have already been allowed through by other rules, which is what you want.

Once you've fixed this rule, you should probably keep it at the very top of the chain, to keep the kernel from having to parse a long list of single-IP rules for each and every incoming packet.
YES, You are GREAT! ;-)
I have removed the "NEW" and the users can't browse directly, but the conection to 993 port runs.
Quote:
This one is probably going to bite you hard once a PC gets infected with a spamming trojan. Almost no mail providers use port 25 for outbound mail, they use authenticated SMTP with STARTTLS over the "mail submission" port (TCP/587).

If you're running a mail server, then by all means allow outbound SMTP for that IP, but not for the entire network.
Well, the rule is bad, I need open the 587 port, really. They have to auth to SMPT server for send mail, but the used port is 587, not 25. You get every single thing. :-D
Quote:
Why are you allowing Microsoft SMB over the Internet?

If you're using VNC, it might be a good idea to specify directionality (source and/or destination IPs) or ingress/egress interfaces. As things stand, anyone on the Internet can send spoofed packets to the VNC ports of hosts on your LAN.

None of these are needed. Reply packets are handled by the state rule.
Really, these rules are probes. it aren't used, and I'm going to remove it.

Thank you so much, Ser Olmy.
 
  


Reply

Tags
iptables


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Iptables: LAN clients cannot access internet Sum1 Linux - Security 28 09-21-2009 12:42 AM
allow internet access from LAN using IPTABLES cccc Linux - Networking 2 03-24-2006 05:47 PM
IPTABLES How to access to web server on gateway from LAN? kozaki Linux - Networking 4 08-26-2005 12:27 PM
Allowing access to FTP server on LAN using IPTABLES - Help please sergio3986 Linux - Security 2 12-18-2003 01:22 PM
linux squid and iptables for secure lan for internet access. pune_abhishek Linux - Networking 4 11-30-2003 08:20 PM


All times are GMT -5. The time now is 09:27 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration