IPTables help please

kraziekris · 08-30-2016, 04:33 PM

Hi

My company is using an old version of iptables, it has lots of rules and chains. I have a new subnet which is coming in through a vpn tunnel into the iptables. The range is 10.11.0.0/16, I have added an allow rule and put it at the top but its stil getting blocked.

Here is how I added the rule

Code:

 iptables -I INPUT 1 -s 10.11.0.0/16 -j ACCEPT

It now looks like this

Code:

oot@www:/etc/iptables# iptables -L -n|more
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
FailSafe   all  --  0.0.0.0/0            0.0.0.0/0
CountryLockouts  tcp  --  0.0.0.0/0            0.0.0.0/0
PortDenies  tcp  --  0.0.0.0/0            0.0.0.0/0
HostingLockouts  tcp  --  0.0.0.0/0            0.0.0.0/0
Cyveillance  tcp  --  0.0.0.0/0            0.0.0.0/0
Websense   tcp  --  0.0.0.0/0            0.0.0.0/0
Verisign   tcp  --  0.0.0.0/0            0.0.0.0/0
PicScout   tcp  --  0.0.0.0/0            0.0.0.0/0
MSAzure    tcp  --  0.0.0.0/0            0.0.0.0/0
MailLockouts  tcp  --  0.0.0.0/0            0.0.0.0/0
WebLockouts  tcp  --  0.0.0.0/0            0.0.0.0/0
ProblemIPs  tcp  --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  82.81.32.0/20        0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     tcp  --  192.185.0.0/16       0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     tcp  --  162.144.0.0/16       0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

but its still getting blocked, I am seeing this in the log

Code:

Aug 30 18:37:33 fw-gs iptables GSFWD denied:  IN=tun1 OUT=eth0 MAC= SRC=10.11.0.201 DST=10.1.60.50 LEN=60 TOS=00 PREC=0x00 TTL=60 ID=6274 DF PROTO=TCP SPT=48066 DPT=10050 SEQ=488128362 ACK=0 WINDOW=29200 SYN URGP=0

Really need some urgent help please

unSpawn · 08-30-2016, 05:13 PM

First of all the best representation of the current rule set is to post '/sbin/iptables-save;' output.
Secondly you don't just slot a rule in the filter table INPUT chain 1st place: understand the actual rule set, then decide.
Third did you notice your rule doesn't even "stick"? It's not shown in your output. Please check such things before you post (efficiency).
Finally the block occurs on "-i tun1" to "-o eth0" so would you need masquerading and FORWARD chain usage?
(Also see https://www.frozentux.net/iptables-t...-tutorial.html ?)

agillator · 08-31-2016, 12:15 AM

I agree partially with unSpawn except I rarely use the save format unless I am saving to reload later. The -L output you use is what I am most comfortable with for just looking at the rules. What he says about your rule is correct - you shouldn't need the '1' you show. Try this command:
iptables -I INPUT -s 10.11.0.0/16 -j ACCEPT

Be aware of what you are telling it to do. It will accept anything on any interface from anyone with an ip address in the 10.11.0.0 to 10.11.255.255 range. No further checking is done. Is that what you want?

By the way, for listing the rules I add rule numbers for my convenience: iptables -L -v -n --line-numbers is my standard command. I find that useful if I then want to delete a rule because THEN the line number can be used: iptables -D INPUT 3 deletes the third rule in the INPUT chain (whatever that may be, so be cautious).

lazydog · 09-01-2016, 08:34 AM

I think what everyone above is missing is how is your dropped packet being logged without having a logging rule?
You state that the version of iptables you are running has lots of rules and chains but you are not showing this above.
So the question is are you showing us the correct rule set from the correct firewall, and I believe you are not.