LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 05-31-2007, 10:22 AM   #1
robert.ion
LQ Newbie
 
Registered: May 2007
Posts: 3

Rep: Reputation: 0
iptables rules problem


Hi. I am new born in linux world. My born was assisted by ubuntu comunity
So. I write my first script for my first ubuntu server for secure it. I connect to server throught ssh and when i run the script I got the message:
BAD STATE `'
and my ssh sesion is disconnected and ip 192.168.42.198 is loosing the internet access, but my ip (192.168.42.3) still have internet connection.
I don-t know why, can you help me? please ?
Here is my script . I tryed to copy exactly.

#!/bin/sh
#nano -w/ IMRfirewall
RDS_IP="xxx.xxx.xxx.xxx"
IPTABLES="/sbin/iptables"
RDS_NIC="eth0"
INT_NIC="eth1"
INT_IP="192.168.42.40"
INT_LAN="192.168.42.0/24"

#delete previous rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X

#by default drop all
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP

#input chain
#do not allow pachets that are not connection request (syn)
$IPTABLES -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -t filter -A INPUT -p all -m state --state INVALID -j DROP

#permit established connection
$IPTABLES -t filter -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT

#ssh from outside to inside
$IPTABLES -t filter -A INPUT -p tcp -i $RDS_NIC --dport 22 -d $RDS_IP -s xxx.xxx.xxx.xxx/xx -m state --state NEW -j ACCEPT

#ssh from inside to server
$IPTABLES -t filter -A INPUT -p tcp -i $INT_NIC --dport 22 -d $INT_IP -s 192.168.42.3 -m state --state NEW -j ACCEPT

#smtp for all
$IPTABLES -t filter -A INPUT -p tcp -i $RDS_NIC --dport 25 -d $RDS_IP -m state --state NEW -j ACCEPT

#dns for all
$IPTABLES -t filter -A INPUT -p tcp -i $RDS_NIC --dport 53 -d $RDS_IP -m state --state NEW -j ACCEPT
$IPTABLES -t filter -A INPUT -p udp -i $RDS_NIC --dport 53 -d $RDS_IP -m state --state NEW -j ACCEPT

#http for all
$IPTABLES -t filter -A INPUT -p tcp -i $RDS_NIC --dport 80 -d $RDS_IP -m state --state NEW -j ACCEPT

#https for all
$IPTABLES -t filter -A INPUT -p tcp -i $RDS_NIC --dport 443 -d $RDS_IP -m state --state NEW -j ACCEPT

#ping and trace route anti flood
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 0 -i $RDS_NIC -s any/0 -d $RDS_IP -m limit --limit 3/s -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 3 -i $RDS_NIC -s any/0 -d $RDS_IP -m limit --limit 3/s -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 8 -i $RDS_NIC -s any/0 -d $RDS_IP -m limit --limit 3/s -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 11 -i $RDS_NIC -s any/0 -d $RDS_IP -m limit --limit 3/s -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 5 -i $RDS_NIC -s any/0 -d $RDS_IP -m limit --limit 3/s -j ACCEPT

#traceroute
$IPTABLES -t filter -A INPUT -p udp -i $RDS_NIC -s any/0 -d $RDS_IP --dport 33434:33523 -j ACCEPT

#permit to all pachets from inside
$IPTABLES -t filter -A INPUT -i $INT_NIC -s $INT_LAN -m state --state NEW -j ACCEPT

#permit to all pachets to lo interface
$IPTABLES -t filter -A INPUT -i lo -m state --state NEW -j ACCEPT

#output chain
#PERMIT TO established connection
$IPTABLES -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $RDS_NIC -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $INT_NIC -j ACCEPT

#forward chain
$IPTABLES -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -t filter -A FORWARD -p all -m state --state INVALID -j DROP

#permit to established connection
$IPTABLES -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#susspect ip that are used for virtual networks
$IPTABLES -t filter -A FORWARD -i $RDS_NIC -s 10.0.0.0/8 -j DROP
$IPTABLES -t filter -A FORWARD -i $RDS_NIC -s 172.16.0.0/12 -j DROP
$IPTABLES -t filter -A FORWARD -i $RDS_NIC -s 192.168.0.0/16 -j DROP

#access without restrictions (my ip)
$IPTABLES -t filter -A FORWARD -p all -s 192.168.42.3 -i $INT_NIC -m state --state NEW -j ACCEPT

#just 80 port for browsing
$IPTABLES -t filter -A FORWARD -p tcp -s 192.168.42.198 -i $INT_NIC --dport 80 -m state --state NEW -j ACCEPT

#masquarading
$IPTABLES -t nat -A POSROUTING -s $INT_LAN -o $RDS_NIC -j SNAT --to-source $RDS_IP
__________________
 
Old 06-01-2007, 07:10 PM   #2
camh
Member
 
Registered: Feb 2005
Distribution: Slack/Debian
Posts: 163
Blog Entries: 2

Rep: Reputation: 33
Quote:
#masquarading
$IPTABLES -t nat -A POSROUTING -s $INT_LAN -o $RDS_NIC -j SNAT --to-source $RDS_IP
You're missing a T in POST. Could be it..
 
Old 06-04-2007, 05:04 AM   #3
robert.ion
LQ Newbie
 
Registered: May 2007
Posts: 3

Original Poster
Rep: Reputation: 0
it is something else

I check in my firewall and there it is written correctly. It seems it is another problem.
What could be ?

Thanks for helping.
 
Old 06-04-2007, 05:31 AM   #4
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Rep: Reputation: 30
Code:
#by default drop all
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP
Basically after flushing the rules, your kicking yourself out of the server with the above three lines. Keep these lines towards the end of your script.
 
Old 06-05-2007, 02:39 AM   #5
robert.ion
LQ Newbie
 
Registered: May 2007
Posts: 3

Original Poster
Rep: Reputation: 0
another thing

well...
I put the flush rulez to the end , and i made this change :

I remove this line:

#ssh from inside to server
$IPTABLES -t filter -A INPUT -p tcp -i $INT_NIC --dport 22 -d $INT_IP -s 192.168.42.3 -m state --state NEW -j ACCEPT

and replaced with this one:

#ssh from inside to server
$IPTABLES -t filter -A INPUT -i INT_NIC -s INT_LAN -p tcp --dport 22 -j ACCEPT

now is ok, BUT ... only ip with access to internet is:
192.168.42.3 !

WHY 192.168.42.198 does not have access for browsing, when i used this rule ?
#just 80 port for browsing
$IPTABLES -t filter -A FORWARD -p tcp -s 192.168.42.198 -i $INT_NIC --dport 80 -m state --state NEW -j ACCEPT

thanks
 
Old 06-05-2007, 03:06 AM   #6
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Rep: Reputation: 30
$IPTABLES -t filter -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

EDIT:

nevermind. I didn't see the ! --syn part. Try to place the following rule at the beginning of the FORWARD chain and see what happens:

$IPTABLES -t filter -A FORWARD -p tcp -s 192.168.42.198 -i $INT_NIC --dport 80 -m state --state NEW -j ACCEPT


The -A should be replaced with an -I.

Last edited by SlackDaemon; 06-05-2007 at 03:13 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
where are my new iptables-rules? xpucto Fedora 4 03-21-2007 08:42 AM
what's problem in my iptables rules? ayiiq180 Linux - Software 4 12-19-2004 09:23 AM
IPTABLES - rules in /etc/sysconfig/iptables The_JinJ Linux - Newbie 6 11-20-2004 02:40 AM
Problem Iptables, Firewall rules. Can anybody help ? ZliTroX Linux - Networking 9 09-06-2004 05:48 PM
Firewall Rules Problem with Iptables JereBear Linux - Networking 1 06-16-2002 05:28 PM


All times are GMT -5. The time now is 08:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration