iptables questions: NAT & firewall

insanitee · 08-12-2003, 02:40 AM

Hi, I'm still learning the syntax to iptables and it's difficult to test a firewall unless you have a 2nd connection to the outside world.
I've searched and there's a lot of different answers. The sheer mass of information is a little overwhelming.
Since firewalls are quite an important thing maybe yet another thread (but simplified) on this subject can help enlighten others too.

I have a typical setup for dialup (ppp0) to be shared over lan (eth0).
The NAT server will be 192.168.0.1/255.255.255.0 and the clients will be 192.168.0.x/255.255.255.0.
I would like to allow all outgoing connections to the internet and traffic on the lan to flow freely.
I would like to drop all incoming connections from the internet except on a couple of ports.

I do not want anyone to write a whole script for my setup which would only be useful to me and not others, and also I wouldn't be able to learn from it and recreate/modify it myself easily. Instead if anyone could give the minimum command required for each of the following rules, it would be highly appreciated.

How do you drop all incoming connections (from the internet) on ppp0 by default?
How do you allow one? lets say TCP port 80 for a local web server.
How do you MASQ your connection to the LAN?
How do you do the above in a secure way? (ie only allow local IP's (eg. 192.168.0.0/24) to be routed (distunguished from just dropping all other IPs at interface level - that should be a last line of defense)).
How do you forward a port to a client on the LAN? eg 192.168.0.2 wants to send files on MSN (that needs incoming TCP port 6891).
Is there an easy way to do the above for a range of ports without specifying each one seperately? (eg. 5000-5010).
Will port forwarding also require the port to be opened locally? Depends if the forwarding rules are done before or after the blocking I guess.
What's the easiest way of running local DNS so that machines on your lan can use 192.168.0.1 as their DNS server? (this is the way MS-ICS works - I like it for consistency as hosts on the LAN don't need to know anything about your ISP).
A part of the bind package or perhaps something simpler?
Extra security - should I bother blocking various types of ICMP and syn / spoofing / redirects / whatever? suggestions welcome but please state any possible side effects =)

Thanks for any help! =) *goes off to read and try stuff*

insanitee · 08-12-2003, 02:50 AM

C) A friend told me this and it works

Code:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

However I fear it's not secure as what interfaces/hosts can use it is not defined, and also I saw this in the masq howto:

Quote:

It appears that a common mistake with new IP Masq users is to make the first command simply the following:

IPTABLES:
---------
iptables -t nat -A POSTROUTING -j MASQUERADE

Do NOT make your default policy MASQUERADING. Otherwise, someone can manipulate their routing tables to tunnel straight back through your gateway, using it to masquerade their OWN identity!

Also only the first line seems to be needed, the next two seem to be defaults anyway just there to make sure it's all good, correct?

E) I pulled this off a random webpage and changed it slightly.

Code:

iptables -t nat -A PREROUTING -p tcp --dport 6891 -i ppp0 -j DNAT --to 192.168.0.2
iptables -A FORWARD -p tcp --dport 6891 -o eth0 -d 192.168.0.2 -j ACCEPT

Look good?

Robert0380 · 08-12-2003, 04:00 AM

A. How do you drop all incoming connections (from the internet) on ppp0 by default?

iptables -P INPUT DROP

B. How do you allow one? lets say TCP port 80 for a local web server.

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

D. How do you do the above in a secure way? (ie only allow local IP's (eg. 192.168.0.0/24) to be routed (distunguished from just dropping all other IPs at interface level - that should be a last line of defense)).

iptables -P FORWARD DROP

iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -j MASQUERADE

iptables -A FORWARD -m state --state ETABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

E. How do you forward a port to a client on the LAN? eg 192.168.0.2 wants to send files on MSN (that needs incoming TCP port 6891).

iptables -A PREROUTING -t nat -p tcp --dport 6891 -j DNAT --to 192.168.0.2

F. Good question, i dont know

G. If a packet is to be forwarded, it never checks to see if it passes the INPUT table, so no, it does not have to be open on the router itself. You might want to add that forward part for safe measure (as i am unsure) the way insanitee did it.

H. Another post all together, DNS is not "simple". I myself just bought DNS and BIND (the O'reilly book). You have to understand a lot about how the config files work...and a post on LQ probably wont do you much good, you'd probably want to research that....a HOWTO perhaps.

I. i just block ALL incomming accept for what needs to be serverd, im not pingable or anything. for me, there is no point in being pingable if the web server is running and if the web server isnt running...pinging the machine does me no good. if the webserver is down and i cant ssh in, then ping still does no good because it wont solve my issues....so i just have:

iptables -P INPUT DROP

and only open the ports i need for my server to run.

tip on firewall rules that worked for me when i 1st got started:

try 1 rule at a time instead of typing out 50 rules and hoping they will all work.

insanitee · 08-12-2003, 04:57 AM

Thanks fot you reply. I've not tried them all yet but:

Quote:

A. How do you drop all incoming connections (from the internet) on ppp0 by default?

iptables -P INPUT DROP

This also drops packets over the LAN. IE it prevents me SSHing into the machine via LAN.

Robert0380 · 08-12-2003, 05:06 AM

oh my bad, missed the "internet " part.

if u want all LAN machines to have full access:

iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT

BUT i wouldnt do this because if say...a computer on your LAN is hacked, the hacker can now use tools on your machine to see what u are running on which ports and will be able to "see" more. im a lil paranoid because the other boxes on my network are not very secure (some windows boxes taht i dont own).

instead, you should only open the ports that u need, i fyou need ssh then do this:

iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

if u want ssh from anywhere then just take out the
"-s 192.168.0.0/24" and it will default to "From anywhere"

insanitee · 08-12-2003, 08:15 AM

Thanks for your help, it has been extremely useful so far. I now have it all up and running well and just making some minor changes.

I'm just not quite sure of your line

Code:

iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

vs my friends

Code:

iptables -A FORWARD -i ppp0 -j ACCEPT

as his appears to be incoming and yours outgoing, and the entire MASQ sections are almost identical besides this.

Here's my script so far

Code:

#IP MasQ in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#flush all rules
iptables -F

#deny forwarding by default
iptables -P FORWARD DROP

#forward port to my workstation for MSN file sending
iptables -t nat -A PREROUTING -p tcp --dport 6891 -i ppp0 -j DNAT --to 192.168.0.2
iptables -A FORWARD -p tcp --dport 6891 -o eth0 -d 192.168.0.2 -j ACCEPT

#forward ports to my workstation for ICQ file recieving
iptables -t nat -A PREROUTING -p tcp --dport 5001 -i ppp0 -j DNAT --to 192.168.0.2
iptables -A FORWARD -p tcp --dport 5001 -o eth0 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 5002 -i ppp0 -j DNAT --to 192.168.0.2
iptables -A FORWARD -p tcp --dport 5002 -o eth0 -d 192.168.0.2 -j ACCEPT

#masquerade subnet to ppp0
iptables -A POSTROUTING -t nat -o ppp0 -s 192.168.0.0/24 -j MASQUERADE 
iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o ppp0 -s 192.168.0.0/24 -j ACCEPT

#allow local webserver (currently disabled as it was only an example)
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT

#open everything on LAN interface (may make more strict later, would just be a hassle at the moment while I'm setting up various lan services)
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT

#allow self access by loopback interface
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

#drop everything not specified above
iptables -P INPUT DROP

I'm specifying interface as well as address for extra security and also to clarify to myself what is actually happening.

I'm beginning to get the hang of it..
I'm still in shock that I could share my connection to the LAN with just 1 short command!

edit: changed port forwarding

insanitee · 08-12-2003, 11:06 AM

Just to clarify, I don't want to do any complex domain management or even map a name to an IP. I just want to basically forward on any lookup requests from the LAN to my ISP's DNS server, and perhaps cache them.
This is an automatic part of many ICS / MASQ / router packages. But I'll post a seperate topic if you think it isn't that simple. (It is off topic after all).

radupastia · 08-13-2003, 04:33 AM

About the port range issue from questions E and F you should do this :
iptables -A PREROUTING -t nat -p tcp --dport 5000:5010 -j DNAT --to 192.168.0.2

insanitee · 08-13-2003, 04:26 PM

Thanks!

insanitee · 08-24-2003, 06:12 AM

well I appear to have forgotten to give localhost access to the internet.

Code:

ping google.com
ping: unknown host google.com

Test: If I change iptables -P INPUT DROP to iptables -P INPUT ACCEPT it works.

iptables -A INPUT -i ppp0 -p all -j ACCEPT makes it work, but also allows everyone in.

I would have thought it would be iptables -A OUTPUT -o ppp0 -p all -j ACCEPT to make it work. But it doesn't.

er, not sure how to allow without allowing incoming connections from the net... do I have a serious logic flaw here or what?

insanitee · 08-24-2003, 06:32 AM

route

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
acc01-fred-lau. *               255.255.255.255 UH    0      0        0 ppp0
localnet        *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         acc01-fred-lau. 0.0.0.0         UG    0      0        0 ppp0

ifconfig

Code:

eth0      Link encap:Ethernet  HWaddr 00:A0:CC:29:BA:84
          inet addr:192.168.0.33  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28842 errors:1 dropped:0 overruns:0 frame:0
          TX packets:28348 errors:2 dropped:0 overruns:0 carrier:2
          collisions:0 txqueuelen:100
          RX bytes:3249187 (3.0 Mb)  TX bytes:11559577 (11.0 Mb)
          Interrupt:11 Base address:0xec00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:212 errors:0 dropped:0 overruns:0 frame:0
          TX packets:212 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:16704 (16.3 Kb)  TX bytes:16704 (16.3 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.220.205.75  P-t-P:203.220.249.177  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:23061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20254 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:10378474 (9.8 Mb)  TX bytes:2248741 (2.1 Mb)

cat /etc/resolv.conf

Code:

nameserver 203.194.56.150
nameserver 203.194.27.57
search