Linux gateway with iptables - Everybody help me, please
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Linux gateway with iptables - Everybody help me, please
This is the firewall script that i collect from Internet, i have applied it to my network, however i have more problem with it such as:
- Can not restrict FTP
- Can deny software download: xmule, BitTorrent.
Here is network diagram:
======================================================================
#######################################################################
# Local Area Network Configuration
#######################################################################
#
LAN_IP="192.168.1.10"
#
LAN_IP_RANGE="192.168.1.0/24"
#
LAN_BCAST_ADDRESS="192.168.255.255"
#
LAN_IFACE="eth1"
#
#######################################################################
# Localhost Configuration
#######################################################################
#
LO_IFACE="lo"
#
LO_IP="127.0.0.1"
#
#######################################################################
# Internet Configuration
#######################################################################
#
INET_IP="192.168.2.10"
#
INET_IFACE="eth0"
#
#######################################################################
# iptables configuration
#######################################################################
#
iptables="/usr/sbin/iptables"
#
#######################################################################
# Module Loading
#######################################################################
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#/sbin/modprobe ipt_owner
#
# Non require modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#
######################################################################
# /proc setup - Enable ip_forward
######################################################################
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
######################################################################
# iptables rule setup
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables --delete-chain
#
#Create chain for bad tcp packets
#
iptables -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
#
######################################################################
# Create content in userspecified chains
######################################################################
#
#bad_tcp_packets chain
#
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
#allowed chain
#
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
#
# TCP rules
#
##iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
##iptables -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
##iptables -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP
#
# ICMP rules
#
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
####################################################################
# INPUT chain
####################################################################
#
# Bad TCP packets we don't want.
#
iptables -A INPUT -p tcp -j bad_tcp_packets
#
###################################################################
# Rules for special networks not part of the Internet
###################################################################
#
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
###################################################################
# special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
###################################################################
#
iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
###################################################################
# Rules for incoming packets from the internet.
###################################################################
#
iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
#
# Log weird packets that don't match the above.
#
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
###################################################################
# FORWARD chain
###################################################################
#
# Bad TCP packets we don't want
#
iptables -A FORWARD -p tcp -j bad_tcp_packets
iptables -A FORWARD -s 192.168.16.0/24 -d 192.168.16.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Accept the packets we actually want to forward
#
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
###################################################################
# OUTPUT chain
###################################################################
#
# Bad TCP packets we don't want.
#
iptables -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
#
###################################################################
# POSTROUTING chain
###################################################################
#
# Enable simple IP Forwarding and Network Address Translation
#
##iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
#
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3128 -j REDIRECT --to-port 8008
#
#################################################################
###################### Private Rule #############################
#################################################################
##################
##################
# rule for FTP connection
iptables -N ftp_rule
# admin
iptables -A ftp_rule -m mac --mac-source 00:50:8B:AF:73:C4 -p tcp --dport 20:21 -j ACCEPT
# manager
iptables -A ftp_rule -m mac --mac-source 00:02:55:64:03:6D -p tcp --dport 20:21 -j ACCEPT
# drop all
iptables -A ftp_rule -p tcp --dport 20:21 -j DROP
#
##################
##################
##################
===================================================================
And network's status:
Purpose:
- Localnetwork connect Internet through Squid proxy
- POP3, SMTP
- FTP only allow for admin and manager
- No protocol run through Linux Gateway
Current problems:
- Can't filter FTP as my purpose
- Some users can use BitTorrent, xmule,...
Please help me to find the error in my firewall script. I really need your help ,and more idea from all of you.
I think you should consider letting another software do this. IPTABLES is not the best for this. I recommend using SQUID, which technically is a HTTP proxy, but it uses ACL (access control lists) for example, managers, users, admins; it also allows you to restrict the amount of bytes users can download.
Remark :
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADDRESS="192.168.255.255"
your bdcast address doesn't match your /24 mask !
What exactly do you mean by restricting ftp ?
If you need to limit the throughput, you can do it through QOS (see http://www.ds9a.nl/2.4Networking/howto/, especially the Hierarchical Token Bucket part).
There're also some special targets for iptables, which can be more simple than using QoS (http://www.netfilter.org/documentati...ons-HOWTO.html) that you could use (look at quota, fuzzy, iplimit...)
As for the problem of xmule, bitorent and so on, if they use well-known port numbers, then it's not a problem, you just have to reject those ports (iptables -I FORWARD -p udp --sport 4662 -j DROP for emule -- I used -I and not -A so that the line can be added after your script)... if the softwares you want to stop use common ports (80 such as kazaa), then it's more complicated... and maybe more the task of an IDS than iptables's.
I think you should consider letting another software do this. IPTABLES is not the best for this. I recommend using SQUID, which technically is a HTTP proxy, but it uses ACL (access control lists) for example, managers, users, admins; it also allows you to restrict the amount of bytes users can download.
There is plenty of documentation on using SQUID for access control levels as well.
You would use IPTABLES to block malicious traffic, and then redirect all requests from your LAN to squid.
Hope this helps.
Currently, i'm using iptables, combine it with Squid proxy. I also think how to restrict FTP with "acl ftp_deny proto FTP - http_access deny ftp_deny", however it doesn't work. Maybe the cause occur by iptables have allowed trafiic go out Internet.
Quote:
Remark :
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADDRESS="192.168.255.255"
your bdcast address doesn't match your /24 mask !
What exactly do you mean by restricting ftp ?
If you need to limit the throughput, you can do it through QOS (see http://www.ds9a.nl/2.4Networking/howto/, especially the Hierarchical Token Bucket part).
There're also some special targets for iptables, which can be more simple than using QoS (http://www.netfilter.org/documentat...ions-HOWTO.html) that you could use (look at quota, fuzzy, iplimit...)
As for the problem of xmule, bitorent and so on, if they use well-known port numbers, then it's not a problem, you just have to reject those ports (iptables -I FORWARD -p udp --sport 4662 -j DROP for emule -- I used -I and not -A so that the line can be added after your script)... if the softwares you want to stop use common ports (80 such as kazaa), then it's more complicated... and maybe more the task of an IDS than iptables's.
I want deny all FTP and xmule, BitTorrent user,..... in my local network to Internet. Only allow access Internet, mail pop3 in outside.
i think part of the reason you are having problems is because your script is so complicated...
i have cleaned it up somewhat and maybe now it'll be easier for people to help you also...
the changes i made to your script will allow only web and pop3 access for the lan, like you say you want... i think you were trying to provide FTP access to two mac addresses only, so i did that in the script...
HTTP traffic will still use the squid proxy (in transparent mode), make it listen on port 3128...
i've made a changelog so you can see the changes i've made to your script...
Quote:
CHANGELOG
- removed all comments
- eliminated some module loads...
- replaced "iptables" with the variable $IPT as using iptables as a variable is redundant
- replaced the flushing rules with better ones
- eliminated the user chains as they aren't "needed" for such a simple firewall
- created a simpler bad packet chain
- added some decent simple kernel parameters
- removed bogus INPUT rules for LO from LAN/INET??
- changed MASQUERADE to SNAT as their is a static external ip
- removed insane input rule which allowed ALL input from lan
- allow lan to ONLY be able to use POP3 and WEB (HTTP/HTTPS/DNS)
- HTTP traffic from the lan the the internet should be redirected to the local proxy on port 3128/tcp
- allow two mac addresses (00:50:8B:AF:73:C4 and 00:02:55:64:03:6D) FTP access
(everyone else will be limited to POP3 and WEB)
- moved the rule which activates forwarding to the end of the script, so that forwarding
is only activated after everything is set...
- changed output policy to accept as there was nothing special being done for output anyways...
- added loading of module for mac filtering
- major cleanups all over the place
okay, here's the modified script:
Code:
#!/bin/sh
LAN_IP="192.168.1.10"
LAN_IP_RANGE="192.168.1.0/24"
LAN_IFACE="eth1"
INET_IP="192.168.2.10"
INET_IFACE="eth0"
IPT="/usr/sbin/iptables"
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_mac
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_irc
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -N BAD_PACKETS
$IPT -A BAD_PACKETS -m state --state INVALID -j DROP
$IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A BAD_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_PACKETS -j RETURN
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -j BAD_PACKETS
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE \
--dport 3128 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "INPUT DROP: "
$IPT -A FORWARD -j BAD_PACKETS
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
--dport 53 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
--dport 110 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
--dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -m mac --mac-source \
00:50:8B:AF:73:C4 --dport 21 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -m mac --mac-source \
00:02:55:64:03:6D --dport 21 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FORWARD DROP: "
$IPT -t nat -A PREROUTING -i $LAN_IFACE -p TCP \
--dport 80 -j REDIRECT --to-port 3128
$IPT -t nat -A POSTROUTING -o $INET_IFACE \
-j SNAT --to-source $INET_IP
echo "1" > /proc/sys/net/ipv4/ip_forward
i am really thank you 'win32sux' and all people who help me. It's work well.
Thanks for anyway, for your time and your love .
I will learn more about iptables firewall as your knowledge.
Hello, 'win32sux'
I still meet the problem with POP3 email. User in my local network can access POP3 server outside Internet.
Can you help me solve it?
Thanks so much.
i'm very sorry, i type the letter wrong.
I want our user can access POP3, Yahoo and MSN however they can't ('can' above is wrong) access POP, and Y!M 'win32sux'when i apply the firewall script.
Please help me. thanks so much.
the script i contributed only allows POP3, HTTP (via squid), HTTPS, and DNS from the LAN to the Internet...
to add things like MSN Messenger and Yahoo Messenger you need to find-out what protocol and ports they use, and then add a rule to the FORWARD chain following the same syntax of the rules already there... for example, if msn messenger uses protocol TCP and ports 6500 to 6599, then you'd put a rule like this in the FORWARD section of the script:
Code:
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
--dport 6500:6599 -m state --state NEW -j ACCEPT
but i don't know what ports msn or yahoo use...
maybe you can google them or maybe someone else knows...
Oh, i forgot to tell you that the domain which user access to POP3 protocol
- i configure DNS in my linux gateway: abc.com
- my domain is hosted from outside Internet: abc.com (the same with my current DNS)
- This is my abc.zone
================================
$TTL 86400
@ IN SOA ns.abc.com hostmaster.abc.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
;
IN A 192.168.1.1
NS www ; Inet Address of nameserver
abc.com MX 10 mail ; Primary Mail Exchanger
;
localhost A 127.0.0.1
mail CNAME localhost
;
ns CNAME localhost
;
www CNAME localhost
;
qa IN A 192.168.1.1
;
pop A 203.194.234.123
smtp A 203.194.234.123
mbox A 203.194.234.123
============================================
It can work before i apply the firewall script.
Please help me solve the problem.
Thanks so much.
No, i don't have POP3 server on LAN, we use POP3 server from another hosting, and i have configure my DNS on Linux gateway the same as domain 'abc.com' hosted from outside Internet.
However, it can work before i applied the script
Please help me. Thanks so much.
okay, are you saying that you have a DNS server on the firewall and you need machines on the LAN to connect to that DNS server?? if that's the case then stick this in the INPUT section of the script:
Code:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_IP_RANGE \
--dport 53 -m state --state NEW -j ACCEPT
it should look like this in the script:
Code:
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -j BAD_PACKETS
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE \
--dport 3128 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_IP_RANGE \
--dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "INPUT DROP: "
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Linux gateway with iptables - Everybody help me, please
.
