LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   iptables rules problem (http://www.linuxquestions.org/questions/linux-networking-3/iptables-rules-problem-558006/)

robert.ion 05-31-2007 10:22 AM

iptables rules problem
 
Hi. I am new born in linux world. My born was assisted by ubuntu comunity
So. I write my first script for my first ubuntu server for secure it. I connect to server throught ssh and when i run the script I got the message:
BAD STATE `'
and my ssh sesion is disconnected and ip 192.168.42.198 is loosing the internet access, but my ip (192.168.42.3) still have internet connection.
I don-t know why, can you help me? please ?
Here is my script . I tryed to copy exactly.

#!/bin/sh
#nano -w/ IMRfirewall
RDS_IP="xxx.xxx.xxx.xxx"
IPTABLES="/sbin/iptables"
RDS_NIC="eth0"
INT_NIC="eth1"
INT_IP="192.168.42.40"
INT_LAN="192.168.42.0/24"

#delete previous rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X

#by default drop all
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP

#input chain
#do not allow pachets that are not connection request (syn)
$IPTABLES -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -t filter -A INPUT -p all -m state --state INVALID -j DROP

#permit established connection
$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT

#ssh from outside to inside
$IPTABLES -t filter -A INPUT -p tcp -i $RDS_NIC --dport 22 -d $RDS_IP -s xxx.xxx.xxx.xxx/xx -m state --state NEW -j ACCEPT

#ssh from inside to server
$IPTABLES -t filter -A INPUT -p tcp -i $INT_NIC --dport 22 -d $INT_IP -s 192.168.42.3 -m state --state NEW -j ACCEPT

#smtp for all
$IPTABLES -t filter -A INPUT -p tcp -i $RDS_NIC --dport 25 -d $RDS_IP -m state --state NEW -j ACCEPT

#dns for all
$IPTABLES -t filter -A INPUT -p tcp -i $RDS_NIC --dport 53 -d $RDS_IP -m state --state NEW -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp -i $RDS_NIC --dport 53 -d $RDS_IP -m state --state NEW -j ACCEPT

#http for all
$IPTABLES -t filter -A INPUT -p tcp -i $RDS_NIC --dport 80 -d $RDS_IP -m state --state NEW -j ACCEPT

#https for all
$IPTABLES -t filter -A INPUT -p tcp -i $RDS_NIC --dport 443 -d $RDS_IP -m state --state NEW -j ACCEPT

#ping and trace route anti flood
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 0 -i $RDS_NIC -s any/0 -d $RDS_IP -m limit --limit 3/s -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 3 -i $RDS_NIC -s any/0 -d $RDS_IP -m limit --limit 3/s -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 8 -i $RDS_NIC -s any/0 -d $RDS_IP -m limit --limit 3/s -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 11 -i $RDS_NIC -s any/0 -d $RDS_IP -m limit --limit 3/s -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 5 -i $RDS_NIC -s any/0 -d $RDS_IP -m limit --limit 3/s -j ACCEPT

#traceroute
$IPTABLES -t filter -A INPUT -p udp -i $RDS_NIC -s any/0 -d $RDS_IP --dport 33434:33523 -j ACCEPT

#permit to all pachets from inside
$IPTABLES -t filter -A INPUT -i $INT_NIC -s $INT_LAN -m state --state NEW -j ACCEPT

#permit to all pachets to lo interface
$IPTABLES -t filter -A INPUT -i lo -m state --state NEW -j ACCEPT

#output chain
#PERMIT TO established connection
$IPTABLES -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $RDS_NIC -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $INT_NIC -j ACCEPT

#forward chain
$IPTABLES -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -t filter -A FORWARD -p all -m state --state INVALID -j DROP

#permit to established connection
$IPTABLES -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#susspect ip that are used for virtual networks
$IPTABLES -t filter -A FORWARD -i $RDS_NIC -s 10.0.0.0/8 -j DROP
$IPTABLES -t filter -A FORWARD -i $RDS_NIC -s 172.16.0.0/12 -j DROP
$IPTABLES -t filter -A FORWARD -i $RDS_NIC -s 192.168.0.0/16 -j DROP

#access without restrictions (my ip)
$IPTABLES -t filter -A FORWARD -p all -s 192.168.42.3 -i $INT_NIC -m state --state NEW -j ACCEPT

#just 80 port for browsing
$IPTABLES -t filter -A FORWARD -p tcp -s 192.168.42.198 -i $INT_NIC --dport 80 -m state --state NEW -j ACCEPT

#masquarading
$IPTABLES -t nat -A POSROUTING -s $INT_LAN -o $RDS_NIC -j SNAT --to-source $RDS_IP
__________________

camh 06-01-2007 07:10 PM

Quote:

#masquarading
$IPTABLES -t nat -A POSROUTING -s $INT_LAN -o $RDS_NIC -j SNAT --to-source $RDS_IP
You're missing a T in POST. Could be it..

robert.ion 06-04-2007 05:04 AM

it is something else
 
I check in my firewall and there it is written correctly. It seems it is another problem.
What could be ?

Thanks for helping.

SlackDaemon 06-04-2007 05:31 AM

Code:

#by default drop all
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP

Basically after flushing the rules, your kicking yourself out of the server with the above three lines. Keep these lines towards the end of your script.

robert.ion 06-05-2007 02:39 AM

another thing
 
well...
I put the flush rulez to the end , and i made this change :

I remove this line:

#ssh from inside to server
$IPTABLES -t filter -A INPUT -p tcp -i $INT_NIC --dport 22 -d $INT_IP -s 192.168.42.3 -m state --state NEW -j ACCEPT

and replaced with this one:

#ssh from inside to server
$IPTABLES -t filter -A INPUT -i INT_NIC -s INT_LAN -p tcp --dport 22 -j ACCEPT

now is ok, BUT ... only ip with access to internet is:
192.168.42.3 !

WHY 192.168.42.198 does not have access for browsing, when i used this rule ?
#just 80 port for browsing
$IPTABLES -t filter -A FORWARD -p tcp -s 192.168.42.198 -i $INT_NIC --dport 80 -m state --state NEW -j ACCEPT

thanks

SlackDaemon 06-05-2007 03:06 AM

$IPTABLES -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

EDIT:

nevermind. I didn't see the ! --syn part. Try to place the following rule at the beginning of the FORWARD chain and see what happens:

$IPTABLES -t filter -A FORWARD -p tcp -s 192.168.42.198 -i $INT_NIC --dport 80 -m state --state NEW -j ACCEPT


The -A should be replaced with an -I.


All times are GMT -5. The time now is 11:41 PM.