LinuxQuestions.org
Old 08-08-2005, 05:55 PM   #1
DeadTaco
LQ Newbie
 
Registered: Apr 2005
Location: Nevada
Distribution: Mandrake 10.1
Posts: 10

Rep: Reputation: 0
iptables - Opening a range of ports


I've been reading post after post about iptables, and I have to admit that I'm still a little confused (newbie warning).

Here's the situation...
I have 15 win-x computers connected to a Mandrake 8.1 server. I am the new IT guy here, and I'm not too familiar with Linux firewalls.

I need everyone to be able to connect to the internet through port 400. Currently, we are blocked when trying to connect thru this port. I may also need ports 6660 thru 6670 to be opened up.

I tried using:
iptables -A INPUT -p tcp -i interface0_in --dport 400 -j ACCEPT

That didn't do anything.

Is there even a way to open the port for our entire office? This is a huge problem if it can't be done.

Also, I'm not sure if we're using NAT or not. I looked at the iptables -nL and it's all greek to me.

The listing was rather large, but here's some of it:
Code:
Chain FORWARD (policy DROP)
target     prot opt source               destination         
network1_in  all  --  0.0.0.0/0            0.0.0.0/0          
network1_out  all  --  0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
loopback_out  all  --  0.0.0.0/0            0.0.0.0/0          
interface0_out  all  --  0.0.0.0/0            0.0.0.0/0          
interface1_out  all  --  0.0.0.0/0            0.0.0.0/0          

Chain interface0_in (1 references)
target     prot opt source               destination         
syn_flood_interface0_in  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW 
DROP       all  -f  0.0.0.0/0            0.0.0.0/0          
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00 
DROP       all  --  63.202.100.150       0.0.0.0/0          
DROP       all  --  0.0.0.0/8            0.0.0.0/0          
DROP       all  --  127.0.0.0/8          0.0.0.0/0          
DROP       all  --  10.0.0.0/8           0.0.0.0/0          
DROP       all  --  172.16.0.0/12        0.0.0.0/0          
DROP       all  --  224.0.0.0/3          0.0.0.0/0          
ACCEPT     udp  --  192.168.100.100      63.202.100.150     udp spt:53 dpts:1024:65535 state ESTABLISHED 
ACCEPT     tcp  --  192.168.100.100      63.202.100.150     tcp spt:53 dpts:1024:65535 state ESTABLISHED 
<snip>  

Chain interface0_out (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  63.202.100.150       192.168.100.100    udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED 
ACCEPT     tcp  --  63.202.100.150       192.168.100.100    tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED 
ACCEPT     udp  --  63.202.100.150       192.168.100.100    udp spt:53 dpt:53 state NEW,ESTABLISHED 
ACCEPT     udp  --  63.202.100.150       206.13.31.12       udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED 
ACCEPT     tcp  --  63.202.100.150       206.13.31.12       tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED 
<snip>

Chain interface1_in (1 references)
target     prot opt source               destination         
syn_flood_interface1_in  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW 
DROP       all  -f  0.0.0.0/0            0.0.0.0/0          
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00 
DROP       all  --  192.168.100.100      0.0.0.0/0          
DROP       all  --  127.0.0.0/8          0.0.0.0/0          
DROP       all  --  10.0.0.0/8           0.0.0.0/0          
DROP       all  --  172.16.0.0/12        0.0.0.0/0          
DROP       all  --  224.0.0.0/3          0.0.0.0/0          
ACCEPT     udp  --  192.168.100.0/24     63.202.100.150     udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED 
ACCEPT     tcp  --  192.168.100.0/24     63.202.100.150     tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED 
ACCEPT     udp  --  192.168.100.0/24     63.202.100.150     udp spt:53 dpt:53 state NEW,ESTABLISHED 
<snip>

Chain interface1_out (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  63.202.100.150       192.168.100.0/24   udp spt:53 dpts:1024:65535 state ESTABLISHED 
ACCEPT     tcp  --  63.202.100.150       192.168.100.0/24   tcp spt:53 dpts:1024:65535 state ESTABLISHED 
<snip>

Chain loopback_in (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          

Chain loopback_out (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          

Chain network1_in (1 references)
target     prot opt source               destination         
syn_flood_network1_in  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x16/0x02 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW 
DROP       all  -f  0.0.0.0/0            0.0.0.0/0          
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00 
DROP       all  --  127.0.0.0/8          0.0.0.0/0          
DROP       all  --  10.0.0.0/8           0.0.0.0/0          
DROP       all  --  172.16.0.0/12        0.0.0.0/0          
DROP       all  --  224.0.0.0/3          0.0.0.0/0          
ACCEPT     udp  --  192.168.100.100      192.168.100.0/24   udp spt:53 dpts:1024:65535 state ESTABLISHED 
ACCEPT     tcp  --  192.168.100.100      192.168.100.0/24   tcp spt:53 dpts:1024:65535 state ESTABLISHED 
<snip>

Chain network1_out (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  192.168.100.0/24     192.168.100.100    udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED 
ACCEPT     tcp  --  192.168.100.0/24     192.168.100.100    tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED 
ACCEPT     udp  --  192.168.100.0/24     206.13.31.12       udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED 
<snip>

Chain syn_flood_interface0_in (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 1/sec burst 3 
DROP       all  --  0.0.0.0/0            0.0.0.0/0          

Chain syn_flood_interface1_in (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 3/sec burst 5 
DROP       all  --  0.0.0.0/0            0.0.0.0/0          

Chain syn_flood_network1_in (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 5/sec burst 7 
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Sorry, I'm infected with newbetitis.

Last edited by DeadTaco; 08-08-2005 at 06:57 PM.
 
Old 08-09-2005, 12:38 PM   #2
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
Re: iptables - Opening a range of ports

You should edit your post to not display the public IP address of your firewall!

Quote:
Originally posted by DeadTaco
I have 15 win-x computers connected to a Mandrake 8.1 server. I am the new IT guy here, and I'm not too familiar with Linux firewalls.
That doesn't sound good. Security support for Mandrake 8.1 ceased a couple of years ago. You really need to upgrade to a distribution that has active security support. (Unless you're doing the upgrade yourself by closely monitoring all installed packages for vulnerabilities.)

Quote:
I need everyone to be able to connect to the internet through port 400. Currently, we are blocked when trying to connect thru this port. I may also need ports 6660 thru 6670 to be opened up.
Do you mean that people from outside of your network need to access every single computer on the inside on port 400 (or 6660-6670) or the other way around? The former is impossible if you use NAT: If you use port forwarding you will have to use a single (private) IP as the destination. You can't just stick an entire network in and expect netfilter to magically determine which IP to use. If, however, the connections are initiated inside your network then you need to enable destination port 400 in the forward chain for outgoing connections (that would be the chain named network1_out in your case).

Quote:
I tried using:
iptables -A INPUT -p tcp -i interface0_in --dport 400 -j ACCEPT
This allows access to the machine that runs the firewall on port 400 (assuming you substitute an interface name for interface0_in). As it is, interface0_in looks like the name of a user-defined chain (judging from the bits you posted) and as such can only be used as the target in an iptables rule.

Quote:
Also, I'm not sure if we're using NAT or not. I looked at the iptables -nL and it's all greek to me.
You are using NAT for what is called network1 in the iptables rules (192.168.100.0/24).

Quite frankly it looks like you will have a lot of work to do: You can't expect people to understand the firewall concept you have implemented without posting the whole script along with a description of your network topology. Then again this is very sensitive information about your network so at least edit out the public IP addresses should you decide to post this.

Bottom line is you will have to understand iptables inside out and know what every one of the lines in your script does exactly or else you're in for a lot of trouble. Good starting points are Rusty Russell's guides and man iptables.
http://people.netfilter.org/rusty/unreliable-guides/
 
Old 08-09-2005, 01:39 PM   #3
DeadTaco
LQ Newbie
 
Registered: Apr 2005
Location: Nevada
Distribution: Mandrake 10.1
Posts: 10

Original Poster
Rep: Reputation: 0
Right on. Thanks for the help. I'll see what I can find out.

Just for note, I didn't use my own IP address. I replaced all of my real IP addresses with a quickly spoofed one (63.202.100.150). Luckily I'm not that newbish.

If I can get just a single computer in my office to have access in/out on port 400, that may work. We have two people that need it, but even having one would be beneficial.

This person's internal IP addy is 192.168.100.48.

What's the easiest way to port forward to that address?

Thanks again for your help. I'm still going through the tons of iptables documents I've printed out, so it could take awhile.
 
Old 08-10-2005, 03:11 PM   #4
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
Quote:
Originally posted by DeadTaco
If I can get just a single computer in my office to have access in/out on port 400, that may work. We have two people that need it, but even having one would be beneficial.
So the connections are being initiated on the inside to a remote host on port 400? In that case you can, of course, open port 400 for the entire network. You need to allow port 400 in the forward chain:
Code:
iptables -A FORWARD -i $IFACE_INT -p tcp --dport 400 -j ACCEPT
And you need source NAT in postrouting:
Code:
iptables -t nat -A POSTROUTING -o $IFACE_EXT -s 192.168.100.0/24 -j SNAT --to $IP_EXT
Replace $IFACE_INT with the internal interface name (probably eth0 or eth1), $IFACE_EXT with the external interface name, and $IP_EXT with your external IP address. (POSTROUTING rules match on the outgoing interface with -o; iptables rejects -i there.)
The second rule probably already is in place (or otherwise none of the workstations would have access to the outside world). If you want to keep the structure of the existing firewall script you should put the first rule in the network1_out chain.

If what you want is people from the outside being able to contact your external IP and get redirected to 192.168.100.48 you need two rules:

Redirect $IP_EXT:400 to 192.168.100.48:400:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 400 -i $IFACE_EXT -d $IP_EXT -j DNAT --to 192.168.100.48
Allow packets to flow through the firewall to 192.168.100.48:
Code:
iptables -A FORWARD -p tcp --dport 400 -d 192.168.100.48 -j ACCEPT
If you need udp port 400 accessible add two more rules with -p udp. Again, to follow the logic of the script this should go in the network1_out chain.

The above will work without any other rules in place. You will need to find the right place to add them to your iptables script. The order of the rules in a chain is vital. You didn't post your nat table (iptables -t nat -nvL) so I can't tell you if there are rules in there that might interfere with this one.
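To make demian's point about INPUT versus the FORWARD path concrete, here is an added toy model of how netfilter walks the filter table (example code, not from the thread or from netfilter itself). It keeps the thread's chain names and LAN range, invents a remote destination (198.51.100.7), and ignores interface, TCP-flag and limit matches; it shows the same TCP/400 ACCEPT doing nothing for forwarded traffic while sitting in INPUT, and working once placed in network1_out on the FORWARD path.

```python
# Toy model of the netfilter filter-table walk: a rule in INPUT only covers traffic to the
# firewall itself; forwarded LAN traffic is decided by FORWARD and the chains it jumps to.
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "target prot src dst dports states")  # dports=(lo, hi) or None

def rule(target, prot, src, dst, dports=None, states=None):
    return Rule(target, prot, ipaddress.ip_network(src), ipaddress.ip_network(dst), dports, states)

# Constructed filter table shaped like the thread's listing: built-in chains carry a policy,
# FORWARD jumps to the user-defined chain network1_out, which carries none.
FILTER = {
    "INPUT":   ("DROP", [rule("ACCEPT", "tcp", "0.0.0.0/0", "0.0.0.0/0", (400, 400))]),
    "FORWARD": ("DROP", [rule("network1_out", "all", "0.0.0.0/0", "0.0.0.0/0")]),
    "network1_out": (None, [
        rule("ACCEPT", "tcp", "192.168.100.0/24", "0.0.0.0/0", (53, 53), {"NEW", "ESTABLISHED"}),
    ]),
}
# demian's fix: the port-400 ACCEPT placed in network1_out, i.e. on the FORWARD path.
FIX = rule("ACCEPT", "tcp", "192.168.100.0/24", "0.0.0.0/0", (400, 400), {"NEW", "ESTABLISHED"})

def matches(r, pkt):
    return ((r.prot == "all" or r.prot == pkt["prot"])
            and ipaddress.ip_address(pkt["src"]) in r.src
            and ipaddress.ip_address(pkt["dst"]) in r.dst
            and (r.dports is None or r.dports[0] <= pkt["dport"] <= r.dports[1])
            and (r.states is None or pkt["state"] in r.states))

def verdict(chains, chain, pkt):
    """Kernel-style walk: the first matching terminal target wins; a jump enters the user
    chain, which hands control back to the caller on RETURN or when its rules run out."""
    policy, rules = chains[chain]
    for r in (r for r in rules if matches(r, pkt)):
        if r.target in ("ACCEPT", "DROP", "REJECT"):
            return r.target
        if r.target == "RETURN":
            break
        sub = verdict(chains, r.target, pkt)
        if sub:
            return sub
    return policy  # None for a user chain means "continue in the calling chain"

def demo():
    """Verdicts (INPUT, FORWARD before FIX, FORWARD after FIX) for a LAN host opening TCP 400 outward."""
    pkt = {"prot": "tcp", "src": "192.168.100.48", "dst": "198.51.100.7", "dport": 400, "state": "NEW"}
    before = (verdict(FILTER, "INPUT", pkt), verdict(FILTER, "FORWARD", pkt))
    fixed = {**FILTER, "network1_out": (None, FILTER["network1_out"][1] + [FIX])}
    return before + (verdict(fixed, "FORWARD", pkt),)  # ('ACCEPT', 'DROP', 'ACCEPT')
```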
 
  

