I am having real problems understanding iptables. Listed below is the current rc.firewall running on my system. This is a modified copy of the firewall from
http://www.boingworld.com/workshops/...c.firewall.txt. This uses PPP as its internet connection. The problem I am having is that the Linux box with the modem on it can NOT see the internet, but all the other machines on the internal network can use the internet without any problems. I'm sure I'm just missing a rule for the firewall. Any help would be appreciated. Thanks, Tim

PS. I think it's a DNS problem (maybe).

LAN_IP_RANGE="192.168.200.0/24"
LAN_IP="192.168.200.2/32"
LAN_BCAST_ADRESS="192.168.200.255/32"
LOCALHOST_IP="192.168.200.190/32"
STATIC_IP="192.168.200.2/32"
INET_IFACE="ppp0"
LAN_IFACE="eth1"
IPTABLES="/usr/local/sbin/iptables"

#########
# Load all required IPTables modules
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

# CRITICAL: Enable IP forwarding since it is disabled by default.
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the connection
# with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP FORWARDing and Masquerading
#
# NOTE: The following is an example for an internal LAN, where the lan
# runs on eth1, and the Internet is on eth0.
#
# Please change the network devices to match your own configuration.
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# the allowed chain for TCP connections
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established we ACCEPT the packages, if not we don't. This is
# where the state matching is performed also, we allow ESTABLISHED and
# RELATED packets.
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's
#
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#
# INPUT chain
#
# establish the basic INPUT chain and filter the packets onto the correct
# chains.
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
# establish the basic OUTPUT chain and filter them onto the correct chain
#
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
Hi
Did anyone come up with an answer to this? I've managed to sort a firewall script that works, but now have this same problem. Do I need to specify my DNS somewhere in the script? Jim
Same symptom!! I've been hunting for a solution for months now!! Any luck here?
Symptom: Linux box as gateway. Machines behind Linux can see out just fine. The box itself can't. When pinging from the box, I've also noticed 98% packet drop (but some do get through). All I know is that it *CAN* be resolved. I accidentally solved it once. I have absolutely *no* idea what I did =(
While I am also waiting to be illuminated, I was wondering if iptables support has been declared secure yet? The last I heard there were a few bugz and the recommendation was to go the old ipchains route (no pun) unless you really needed stateful inspection (which I still haven't wrapped my tiny brain around).
I'm no expert on iptables, and what I see in the script does not offend me in any way, but it doesn't appear to do much more than ipchains. The fact that 'some' packets get through is really quite odd. I'm guessing that when ipchains is stopped the host gateway behaves normally? If not I would have a look at the routing tables. DNS shouldn't matter AFAIK as we are dealing in IP addresses, not names.
Hi
Still can't figure this. Have emailed Oskar Andreasson who wrote the tutorial, and am waiting to hear back. Anyone figured it yet? Jim
OK
Oskar got back with a suggestion. My current FW script is this...

#!/bin/sh
#firewall310501
#LAN_IP_RANGE="192.168.1.0/24"
#LAN_IP="192.168.1.1"
#LAN_B'CAST_ADDRESS="192.168.1.255/32"
#LOCALHOST_IP="172.0.0.1/32"
#INET_IFACE="ppp0"
#LAN_IFACE="eth0"
#IPTABLES="sbin/iptables"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
##echo "1" > /proc/sys/net/ipv4/ip_always_defrag
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/send_redirects
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -N icmp_packets
iptables -N tcp_packets
iptables -N udpincoming_packets
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -s 192.168.1.0/16 -j DROP
iptables -t nat -A PREROUTING -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ppp0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -p ICMP -i ppp0 -j icmp_packets
iptables -A INPUT -p TCP -i ppp0 -j tcp_packets
iptables -A INPUT -p UDP -i ppp0 -j udpincoming_packets
iptables -A INPUT -p ALL -i eth0 -d 192.168.1.255/32 -j ACCEPT
iptables -A INPUT -p ALL -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -d 192.168.1.1 -j ACCEPT
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
exit 0

Oskar got back to me with this...

Found your problem, and it was not a problem of the default rc.firewall file=) First of all you do:

iptables -P OUTPUT DROP

Then further on you configure the OUTPUT chain:

iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

In other words, you set the default policy to DROP, then you allow localhost + your LAN IP to send packets. Problem is, you don't allow your internet connection to send packets. Add something like the following and I hope it will work:

iptables -A OUTPUT -p ALL -o ppp0 -j ACCEPT

This is a bit open, but heck, it'll allow your outgoing packets to go out. I hope this will solve your problem.

So I did what he suggested. Now I can ping yahoo successfully, but Netscape etc, while clearly able to look up the IP adds, don't seem to get anything back from the server.
I think I need an input rule to allow stuff back, but remain bewildered! I guess Oskar's original script works for his static IP. I've mailed him back again with the latest, and await further developments. If Network Guru type Raz reads this, what do you think of the script (though I know you don't use IPTables)??? Regards Jim
Latest from Oskar
Sent: Tuesday, June 12, 2001 11:57 AM
Subject: Re: IPTables tutorial

> Oopsy, my fault since I didn't test your script edited before replying.
> Anyways, you're not allowing replies back in again to your own connections.
> The best way I can see to fix this problem would be:
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> However, this way is flawed in several ways. It does rely on the
> statematching code though and it should be fairly secure. It is up to you to
> think about this though. The above proposed way will work, but might be a
> security risk.... perhaps add a state matching code for each port you will
> want to use, such as:
>
> iptables -A INPUT --source-port 80 -m state --state ESTABLISHED,RELATED -j \
> ACCEPT
>
> etc. That way you'll only allow certain ports, but it'll require yourself to
> open them etc.

Have to go in to work now, but will try this on my return.
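As an added illustration that is not part of this thread, the following Python model walks packets through the INPUT and OUTPUT chains as Jim's script defines them (user-chain return, non-terminating LOG, default policy) and shows why the gateway's own web session died and how each of Oskar's two rules changes the verdict; it also goes one step further and confirms that the state rule still drops unsolicited NEW packets to unlisted ports. The addresses 203.0.113.7 (standing in for the dynamic ppp0 address) and 198.51.100.10 (a web server) are constructed, and the model imitates netfilter's traversal rules rather than being kernel code.

```python
# A packet is a dict of header fields; `state` is its conntrack state.
def pkt(src, dst, **fields):
    return {"src": src, "dst": dst, "iface_in": "", "iface_out": "",
            "proto": "TCP", "dport": 0, "state": "NEW", **fields}

def rule(target, **match):   # target: ACCEPT, DROP, LOG or a user-chain name
    return (target, match)

def traverse(chains, name, p, policy=None):
    # A user chain that runs off its end returns to its caller (implicit
    # RETURN); LOG never terminates; only a built-in chain has a policy.
    for target, match in chains[name]:
        if any(p[k] != v for k, v in match.items()):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target != "LOG":
            verdict = traverse(chains, target, p)
            if verdict:
                return verdict
    return policy

def thread_chains():
    # Jim's INPUT/OUTPUT rules, transcribed; his `allowed` chain is folded
    # into tcp_packets as a plain ACCEPT since --syn is not modelled here.
    return {
        "OUTPUT": [rule("ACCEPT", src="127.0.0.1"),
                   rule("ACCEPT", src="192.168.1.1"), rule("LOG")],
        "INPUT": [rule("tcp_packets", proto="TCP", iface_in="ppp0"),
                  rule("ACCEPT", dst="127.0.0.1"),
                  rule("ACCEPT", dst="192.168.1.1"), rule("LOG")],
        "tcp_packets": [rule("ACCEPT", dport=d) for d in (21, 22, 80, 113)],
    }
# Constructed addresses: 203.0.113.7 plays the dynamic ppp0 address and
# 198.51.100.10 a web server that the gateway itself is browsing.
OUTBOUND = pkt("203.0.113.7", "198.51.100.10", iface_out="ppp0", dport=80)
REPLY = pkt("198.51.100.10", "203.0.113.7", iface_in="ppp0", dport=40000,
            state="ESTABLISHED")

def verdicts(fix_output=False, fix_input=False, reply=REPLY):
    # (OUTPUT, INPUT) verdicts for the gateway's own web session, optionally
    # with Oskar's rules appended (-A): safe after LOG, which never terminates.
    c = thread_chains()
    if fix_output:  # iptables -A OUTPUT -p ALL -o ppp0 -j ACCEPT
        c["OUTPUT"].append(rule("ACCEPT", iface_out="ppp0"))
    if fix_input:   # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        c["INPUT"].append(rule("ACCEPT", state="ESTABLISHED"))
    return (traverse(c, "OUTPUT", OUTBOUND, "DROP"),
            traverse(c, "INPUT", reply, "DROP"))
```

`verdicts()` returns ("DROP", "DROP") for the script as posted, ("ACCEPT", "DROP") after the OUTPUT rule alone (ping works, browsing does not), and ("ACCEPT", "ACCEPT") once the state rule is added too.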
Problem solved!