LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 11-03-2005, 10:53 PM   #1
Kruncher
Member
 
Registered: Mar 2005
Distribution: Ubuntu
Posts: 61

Rep: Reputation: 15
NAT I guess


Hello,
I am stuck with dialup. haha laugh all you want. I have a computer on our home network that I've set up with apache, mysql, phpBB, etc just to try it all out. I would like to pass all the trafic from port 80 on THIS computer to the one on the network. I assume I would do it with iptables but I don't know how.

Also I would have to be able to start and stop it.

Thank you.
 
Old 11-04-2005, 05:03 AM   #2
runlevel0
Member
 
Registered: Mar 2005
Location: Hilversum/Holland
Distribution: Debian GNU/Linux 5.0 (“Lenny”)
Posts: 290

Rep: Reputation: 31
Re: NAT I guess

Quote:
Originally posted by Kruncher
Hello,
I am stuck with dialup. haha laugh all you want. I have a computer on our home network that I've set up with apache, mysql, phpBB, etc just to try it all out. I would like to pass all the traffic from port 80 on THIS computer to the one on the network. I assume I would do it with iptables but I don't know how.

Also I would have to be able to start and stop it.

Thank you.
Here's a little script, run it on the computer that connects to the Internet:
Code:
modprobe iptable_nat
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
In order to stop NAT you could use
Code:
echo 0 > /proc/sys/net/ipv4/ip_forward
That's enough to disable NAT.
I have this in an init script, but it's Gentoo syntax.

Good News are, that you can do automatic NAT and much more installing firestarter, this iptables front end is very versatile, powerful and easy to user and set up. The only thing you need to enable NAT is having a separate device for your internal network and one for the outbound connection (i.e. a LAN and your dial-up or DSL connection). With the script, however, you can do NAT even in this case.
Firestarter is a nice option, because it's fast to deploy and you can manage your firewall in real time; opening or closing ports, enabling particular IPs to connect to determined ports or even completely close your network from outbound connections.

You don't have to bother for what ports are exported, as NAT translate the IP in a way that for an outside connection the visible port 80 is the one on your NATted machine (just remember not to enable a web server on the box which does the NATting).

BTW, I can remember that Mandriva has an own way of dealing with NAT. Not sure because it's a long time since I last saw a Mandrake running, but I'm completely sure it's there.
 
Old 11-04-2005, 08:33 PM   #3
Kruncher
Member
 
Registered: Mar 2005
Distribution: Ubuntu
Posts: 61

Original Poster
Rep: Reputation: 15
I've run the script and everything looks good:
lsmod shows that the module is loaded, iptables shows something:
"Chain FORWARD (policy DROP)
target prot opt source destination"
and ip_forward is 1.

It doesn't work. What else do I have to do?
 
Old 11-05-2005, 06:30 AM   #4
runlevel0
Member
 
Registered: Mar 2005
Location: Hilversum/Holland
Distribution: Debian GNU/Linux 5.0 (“Lenny”)
Posts: 290

Rep: Reputation: 31
Quote:
Originally posted by Kruncher
I've run the script and everything looks good:
lsmod shows that the module is loaded, iptables shows something:
"Chain FORWARD (policy DROP)
target prot opt source destination"
and ip_forward is 1.
It doesn't work. What else do I have to do?
* Check in the machine that shall be NATted if the default route is set to the NAT 'server', if not set it:
Code:
route add default gw IP-OF-NAT-SERVER
And in the machine which does NAT ensure that port 80 is not closed by the firewall.

More potential troublemakers:

Check /etc/hosts.deny and /etc/hosts/allow

If your outbound connection is dial-up, ISDN or a DSL-modem (not a router), check that the default gateway of this machine is set to the outbound device (ppp0,ippp0 or pppoe0). To set this the command is the same as above, just change the IP with the device:


Code:
route add default gw ppp0
This is normally done from the network configuration wizards such as the one in the Mandrake Config Center, Yast, or Red Hat Network Config.

Try this and ask again if it still doesn't work, I can't stat right now, but there are more things which can hinder communication. Test also the connectivity pinging form one machine to the other, as ICMP packages are not bound to ports you will know if the physical connection is OK or whether there is a failure in wiring, connection or the LAN-cards.
 
Old 11-05-2005, 02:13 PM   #5
Kruncher
Member
 
Registered: Mar 2005
Distribution: Ubuntu
Posts: 61

Original Poster
Rep: Reputation: 15
Nope, still doesn't work.
route shows this on the NAT 'server':
default DIALUPCOMPUTER 0.0.0.0 UG 0 0 0 eth0
default ROUTER 0.0.0.0 UG 0 0 0 eth0
(changed to protect my privacy)
Could the problem be that there are 2 defaults?
 
Old 11-05-2005, 05:21 PM   #6
runlevel0
Member
 
Registered: Mar 2005
Location: Hilversum/Holland
Distribution: Debian GNU/Linux 5.0 (“Lenny”)
Posts: 290

Rep: Reputation: 31
Quote:
Originally posted by Kruncher
Nope, still doesn't work.
route shows this on the NAT 'server':
default DIALUPCOMPUTER 0.0.0.0 UG 0 0 0 eth0
default ROUTER 0.0.0.0 UG 0 0 0 eth0
(changed to protect my privacy)
Could the problem be that there are 2 defaults?
Very probably. The default route of the NAT box should be only the router.
It's the other boxes which has to set the NAT box as default route.

Check also your firewall, test settings disabling it.
 
Old 11-06-2005, 01:40 AM   #7
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,280

Rep: Reputation: 61
Re: NAT I guess

Quote:
Originally posted by Kruncher
Hello,
I am stuck with dialup. haha laugh all you want. I have a computer on our home network that I've set up with apache, mysql, phpBB, etc just to try it all out. I would like to pass all the trafic from port 80 on THIS computer to the one on the network. I assume I would do it with iptables but I don't know how.

Also I would have to be able to start and stop it.

Thank you.
I can post my iptables script that i'm working on that will forward traffic to your server behind the firewall.
 
Old 11-06-2005, 06:22 AM   #8
runlevel0
Member
 
Registered: Mar 2005
Location: Hilversum/Holland
Distribution: Debian GNU/Linux 5.0 (“Lenny”)
Posts: 290

Rep: Reputation: 31
Re: Re: NAT I guess

Quote:
Originally posted by fotoguy
I can post my iptables script that i'm working on that will forward traffic to your server behind the firewall.
Post it then !!! ^_^

Even better, you could post it in the Wiki in the Security section
 
Old 11-06-2005, 06:54 AM   #9
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,280

Rep: Reputation: 61
part 1

Do know if it will be good enough for the security section so I'll post it here. Because of it's size I will need to post it in 2 parts, there is a limit to the amount of characters with each post. All you need to do is create a file called rc.firewall and copy the contents into script and save it in the /etc/rc.d directory. Then make executable for everyone by:

chmod 755 /etc/rc.d/rc.firewall

You may need to edit a few things at the top of the script to suit your version of linux. I made this script to suit slackware 9 but is easy to use on other version like fedora core. Dialup uses ppp0 as the interface so I have made that the default for your external interface. Some of the comments in the script I have been making during it's testing so if they don't make any sense or match up to the rules, I haven't had time to go through and edit them properly but It should be easy to follow.

Ive tested it on a router on my network and have had no trouble with it, also have a modified version for my workstations as well that seem to work fine, if you have any questions don't hesitate to ask.

#!/bin/sh
##
## This is the location of the iptables command

echo "Starting iptables script"

IPTABLES="/usr/sbin/iptables"

############################################################################

############################################################################
## Declare some variables, this should be the only area you need to configure anything unless you need to forward to services
## on your internal network.
##
## Edit your interface types (eg... eth0 eth1 ppp0)
##
## Default external interface

DEFAULT_EXTIF="ppp0"

## Default internal interface

DEFAULT_INTIF="eth0"

## Loopback interface

LOOPBACK="lo"

## Do you get your external ip-address from DHCP server. (yes or no)

DHCP="no"

## ex. MAIL_SERVER="192.168.1.100"

# MAIL_SERVER=""
# WEB_SERVER="192.168.100.50"
# FTP_SERVER=""
DNS1="192.168.1.1"
# DNS2=""
# DNS3=""
TCPBLOCK="137,138,139"
UDPBLOCK="137,138,139,445"

echo "Setting Reserved Networks/Class Variables"

LOOPBACK_IP="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D="224.0.0.0/4" # class D multicast addresses
CLASS_E="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
echo "Finished setting Reserved Networks/Class Variables"

############################################################################

############################################################################
## Block ip addresses of problem hosts
##
## I use portsentry to automatically add ip addresses to a file when a scan is detected, when the firewall
## is loaded, it will load rules to block all ip addreses in this file. You may also add addresses maually,
## you can specify them either as indivisual host 165.222.222.234 or a whole network 165.222.222.0/16.
##
## Note, there can only be one entry per line. You may find this extremely useful if you run a server
## on this machine of one internally on your network, you can add the ip addresses of known problem hosts
## and block them from connecting at all your servers.

BLOCKED_IP="/etc/ipblock"
#BLOCKEDPERM_IP="/etc/ipblock.perm"

## Allowed ip addresses that are permitted to connect directly to the machine itself, mostly used for administrative
## purposes from remote networks or to servers running on the internal network.
##
## e.g. ALLOWED_IP="224.25.168.0/24" or ALLOWED_IP="224.25.168.85"
##

ALLOWED_IP=""

#################################################################################################### ##########

#################################################################################################### ############
##
## You do not need to edit anything here in this section, this will determine network paramenters from static or DHCP assigned
## network interfaces.
##
## Note: This will not set the parameters of the network interfaces, (eg. ip-address, gateway or network id)
## this is done during setup of the operating system this will only retrieve the information and load
## it to the variables for the script. If you wish to set the interfaces manually, for slackware 9.0 edit the
## /etc/rc.d/rc.inet1 file other versions on unix/linux maybe in the same place.
##
## External Interface:
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF

if [ "x$2" != "x" ]; then
EXTIF=$2
else
EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF

## Determine external IP

EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
if [ "$EXTIP" = '' ]; then
echo "Aborting: Unable to determine the IP-address of $EXTIF !"
exit 1
fi
echo External IP: $EXTIP

## Determine external gateway

EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW

## Internal Interface:
## If no interface is specified then set $DEFAULT_INTIF as INTIF

if [ "x$3" != "x" ]; then
INTIF=$3
else
INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF

## Determine internal IP

INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
if [ "$INTIP" = '' ]; then
echo "Aborting: Unable to determine the IP-address of $INTIF !"
exit 1
fi
echo Internal IP: $INTIP

## Determine internal netmask

INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK

## Determine network address of the internal network

INTLAN=$INTIP'/'$INTMASK
echo Internal LAN: $INTLAN

#################################################################################################### ##########

#################################################################################################### ##########
## Flood Variables
##
##
## Overall Limit for TCP-SYN-Flood detection

TCPSYNLIMIT="5/s"

## Burst Limit for TCP-SYN-Flood detection

TCPSYNLIMITBURST="10"

## Overall Limit for Loggging in Logging-Chains

LOGLIMIT="2/s"

## Burst Limit for Logging in Logging-Chains

LOGLIMITBURST="10"

## Overall Limit for Ping-Flood-Detection

PINGLIMIT="5/s"

## Burst Limit for Ping-Flood-Detection

PINGLIMITBURST="10"

#################################################################################################### ##########

#################################################################################################### ##########
## Load modules required by iptables
##
##
##
echo "Loading IPTABLES modules"

dmesg -n 1 ## Kill copyright display on module load
dmesg -n 6
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_TOS
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_mac
# /sbin/modprobe ipt_recent # This module has to be loaded manually, not included with the kernel

echo "Iptables modules loaded"

## Setting module options

echo "Setting module options"

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/tcp_ecn
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
#128 MB of RAM -> 8192 possible entries, 256 MB of RAM --> 16376 possible entries, etc...
echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 15 > /proc/sys/net/ipv4/ipfrag_time
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "2" > /proc/sys/net/ipv4/tcp_synack_retries

if [ $DHCP == "yes" ]; then
echo "IP-Address obtained from DHCP Server.....setting module 'ip_dynaddr' to '1' "
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
fi

## Reduce DoS'ing ability by reducing timeouts

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo "Module options set"

#################################################################################################### ##########

#################################################################################################### ##########
## Clear all IPTABLES-chains
##
##
## Flush everything, start from scratch

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

## Set default policies to DROP

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT


#################################################################################################### ##########

#################################################################################################### ##########
## These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
##
##
##
echo "Start log and drop Rules"

## Invalid packets (not ESTABLISHED,RELATED or NEW)

$IPTABLES -N LOGINVALID
$IPTABLES -A LOGINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
$IPTABLES -A LOGINVALID -j DROP

## TCP-Packets with one ore more bad flags

$IPTABLES -N LOGBADFLAG
$IPTABLES -A LOGBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
$IPTABLES -A LOGBADFLAG -j DROP

## Logging of possible TCP-SYN-Floods

$IPTABLES -N LOGSYNFLOOD
$IPTABLES -A LOGSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LOGSYNFLOOD -j DROP

## Logging of possible Ping-Floods

$IPTABLES -N LOGPINGFLOOD
$IPTABLES -A LOGPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LOGPINGFLOOD -j DROP

## All other dropped packets

$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
$IPTABLES -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
$IPTABLES -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
$IPTABLES -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
$IPTABLES -A LOGDROP -j DROP

## TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LOGSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

## UDPACCEPT - Check for UDP-Floods before letting UDP-Packets in (Experimental logging rules)

$IPTABLES -N UDPACCEPT
$IPTABLES -A UDPACCEPT -p udp -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A UDPACCEPT -p udp -j LOGDROP

## CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags FIN,RST FIN,RST -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ACK,FIN FIN -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ACK,PSH PSH -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ACK,URG URG -j LOGBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp -j TCPACCEPT

## RESNET - Log and drop Reservered Network addresses coming in from internet

$IPTABLES -N RESNET
$IPTABLES -A RESNET -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "Reserved Net violation: "
$IPTABLES -A RESNET -j DROP

## BLOCKED - Log and drop perm/temp banned ip addresss

$IPTABLES -N BLOCKED
$IPTABLES -A BLOCKED -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "Ban IP Violation: "
$IPTABLES -A BLOCKED -j DROP

# Inbound ICMP/Traceroute

$IPTABLES -N ICMPINBOUND
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LOGPINGFLOOD
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type host-precedence-violation -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type precedence-cutoff -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type source-quench -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type network-redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type host-redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type TOS-network-redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type TOS-host-redirect -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type fragmentation-needed -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type router-advertisement -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type router-solicitation -j LOGDROP
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

#Outbound ICMP/Traceroute

$IPTABLES -N ICMPOUTBOUND
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LOGDROP
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT
 
Old 11-06-2005, 06:55 AM   #10
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,280

Rep: Reputation: 61
Part 2

#################################################################################################### ##########

#################################################################################################### ##########

# icmp types
#
# 0 Echo Reply [RFC792]
# 1 Unassigned [JBP]
# 2 Unassigned [JBP]
# 3 Destination Unreachable [RFC792]
# 4 Source Quench [RFC792]
# 5 Redirect [RFC792]
# 6 Alternate Host Address [JBP]
# 7 Unassigned [JBP]
# 8 Echo [RFC792]
# 9 Router Advertisement [RFC1256]
# 10 Router Solicitation [RFC1256]
# 11 Time Exceeded [RFC792]
# 12 Parameter Problem [RFC792]
# 13 Timestamp [RFC792]
# 14 Timestamp Reply [RFC792]
# 15 Information Request [RFC792]
# 16 Information Reply [RFC792]
# 17 Address Mask Request [RFC950]
# 18 Address Mask Reply [RFC950]
# 19 Reserved (for Security) [Solo]
# 20-29 Reserved (for Robustness Experiment) [ZSu]
# 30 Traceroute [RFC1393]
# 31 Datagram Conversion Error [RFC1475]
# 32 Mobile Host Redirect [David Johnson]
# 33 IPv6 Where-Are-You [Bill Simpson]
# 34 IPv6 I-Am-Here [Bill Simpson]
# 35 Mobile Registration Request [Bill Simpson]
# 36 Mobile Registration Reply [Bill Simpson]
# 37 Domain Name Request [Simpson]
# 38 Domain Name Reply [Simpson]
# 39 SKIP [Markson]
# 40 Photuris [Simpson]
# 41-255 Reserved [JBP]

echo "Finished creating log and drop Rules"

#################################################################################################### ##########

#################################################################################################### ##########
##
## Drop and log Reserved Internal Networks coming in on the external interface

echo "Setting incoming drop rules for reservered networks and classes"

# Incoming from internet

$IPTABLES -A INPUT -i $EXTIF -s $CLASS_A -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_B -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_C -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_D -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_E -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $LOOPBACK_IP -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $BROADCAST_SRC -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $BROADCAST_DEST -j RESNET

# drop and log attemps to use our IP address assgined to our external interface

$IPTABLES -A INPUT -i $EXTIF -s $EXTIP -j DROP

#################################################################################################### ##########

#################################################################################################### ##########
## Log and drop connection attempts from explicitly blocked hosts.
##
## NOTICE: THIS IS WORK IN PROGRESS NOT TESTED FULLY AT THIS STAGE
##
echo "Loading Temp IP Blocklist Files"

if [ -f $BLOCKED_IP ]; then
while read BLOCKED; do
$IPTABLES -A INPUT -i $EXTIF -s $BLOCKED -j BLOCKED
done < $BLOCKED_IP
else
echo "firewall: Banned address/network file not found."
echo "0.0.0.0" > /etc/ipblock
fi

echo "Finished Temp Loading IP Blocklist Files..............."

# echo "Loading Permanent IP Blocklist Files"

# if [ -f $BLOCKEDPERM_IP ]; then
# while read BLOCKEDPERM; do
# $IPTABLES -A FORWARD -i $EXTIF -s $BLOCKEDPERM -j BLOCKED
# done < $BLOCKEDPERM_IP
# fi

# echo "Finished Permanent Loading IP Blocklist Files........."


#################################################################################################### ##########

#################################################################################################### ##########
## Allow for services running on this machine, or forward them to a specific server on your local network.
## Hosts in the /etc/ipblock list will not connect or be forwarded to any host on the local network. To allow
## a remote connection to the firewall itself, make sure place the ip-address of the allowed host in the
## /etc/hosts.allow file, please note that the /etc/hosts.deny file will not block a host from being accepted or
## forwarded throught the network by the net filter rules,only from connecting directly to the firewall machine
## itself. If running portsentry also place the ip address in the /usr/local/psionic/portsentry/portsentry.ignore file,
## otherwise you may be taken for a port scan and trigger an action that will place your ip address in the
## /etc/hosts.deny file and also add your ip address to /etc/ipblock and to iptables block rules, then you will be blocked by the firewall as well.
##
##
## Allow SSH access to firewall

# $IPTABLES -A INPUT -p tcp -i $EXTIF -s $ALLOWED_IP --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j CHECKBADFLAG

## Allow www to host behind firewall (change 192.168.1.1 to the ip-address of your server)

$IPTABLES -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j CHECKBADFLAG
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1:80
$IPTABLES -A FORWARD -p tcp -o $INTIF -d 192.168.1.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#################################################################################################### ##########

#################################################################################################### ##########
## General Rules
##
## Now we need to add some rules to start filtering the packets entering the router from both interfaces
##
echo "Loading general rules......................"
##
## Lets kill and log any invalid packets to any interface, these are packets which are not NEW, ESTABLISHED or RELATED

echo "Dropping INVALID packets"

$IPTABLES -A INPUT -m state --state INVALID -j LOGINVALID
$IPTABLES -A FORWARD -m state --state INVALID -j LOGINVALID
$IPTABLES -A OUTPUT -m state --state INVALID -j LOGINVALID


#################################################################################################### ##########
## Lets drop some ports, these are ports which are not supposed to go beyond the network or to come in from the internet
## These usually are smb and netbios protocols.

$IPTABLES -A INPUT -p tcp -m multiport --dport $TCPBLOCK -j DROP
$IPTABLES -A INPUT -p udp -m multiport --dport $UDPBLOCK -j DROP

#################################################################################################### ##########
## Allow everything on the loopback interface

echo "Allowing loopback interface"

$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT

#################################################################################################### ##########
## ICMP PACKETS

## ICMP Packets coming from the Internet

echo "ICMP Packets from Internet"

$IPTABLES -A INPUT -p icmp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections from internet

$IPTABLES -A FORWARD -p icmp -o $INTIF -d $INTLAN -m state --state ESTABLISHED,RELATED -j ICMPINBOUND

## ICMP Packets coming from our network going to the internet to increase security always have the source as your
## local network range, this will help to stop any bad activity leaving and going to the internet.

echo "ICMP Packets from Internal Network"

$IPTABLES -A INPUT -p icmp -i $INTIF -d $INTIP -j ICMPOUTBOUND # Allow pings from the internal network for testing connections

$IPTABLES -A FORWARD -p icmp -o $EXTIF -s $INTLAN -m state --state NEW,ESTABLISHED,RELATED -j ICMPOUTBOUND

#################################################################################################### ##########
## TCP PACKETS

## TCP Packets coming from the internet, first it will be sent to check for bad flags, if it passes that it must be
## ESTABLISHED or RELATED connections to then be passed to the TCPACCEPT chain, again it will be checked for SYN flooding
## before it can pass through to the FORWARD chain.

## TCP Packets from the internet

echo "TCP Packets from Internet"

$IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections

$IPTABLES -A FORWARD -p tcp -o $INTIF -d $INTLAN -m state --state ESTABLISHED,RELATED -j CHECKBADFLAG

## TCP Packets Now we do the same for our internal network allowing all to go out to the internet but still filtering it to make sure there
## is no flooding or any malicious activity going out.

## TCP Packets from our internal network

echo "TCP Packets from Internal Network"

$IPTABLES -A INPUT -p tcp -i $INTIF -s $INTLAN -j CHECKBADFLAG # Allow connection for the internal network to the firewall

$IPTABLES -A FORWARD -p tcp -o $EXTIF -s $INTLAN -m state --state NEW,ESTABLISHED,RELATED -j CHECKBADFLAG # Allow all internal traffic out to the internet

#################################################################################################### ##########
## UDP PACKETS

## UDP Packets from the internet

echo "UDP Packets from Internet"

$IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP -j LOGDROP # Drop local connections from internet

$IPTABLES -A FORWARD -p udp -o $INTIF -d $INTLAN -m state --state ESTABLISHED,RELATED -j ACCEPT

## UDP from internal network

echo "UDP Packets from Internal Network"

$IPTABLES -A FORWARD -p udp -o $EXTIF -s $INTLAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo "Finished loading general rules......................"

##################################################################################
##
## Masquerading/SNAT
##
##

if [ $DHCP == "yes" ]; then
echo "DHCP Client enabled on External Interface.....set POSTROUTING to MASQUERADE"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
else
echo "Static IP-Address assigned to External Interface.....set POSTROUTING to SNAT"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP
fi


##################################################################################

echo "Finished loading rc.firewall script............Good Luck"
exit 0
 
Old 11-06-2005, 07:22 AM   #11
runlevel0
Member
 
Registered: Mar 2005
Location: Hilversum/Holland
Distribution: Debian GNU/Linux 5.0 (“Lenny”)
Posts: 290

Rep: Reputation: 31
THX!!
I printed the thread as a PDF file so I can extract the script and try it ou

I wouldn't be very difficult to build a KDE GUI for it using Kommander, so that the user dependant parameters can be selected by the user himself.
 
Old 11-06-2005, 10:57 PM   #12
Kruncher
Member
 
Registered: Mar 2005
Distribution: Ubuntu
Posts: 61

Original Poster
Rep: Reputation: 15
Wow, that's alot to go through.
Now I need to find a Bash tutorial and a Iptables tutorial.
I know only a little about bash and iptables.

I only have a very simple firewall running on my dailup pc:
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

Is there a simple way to forward port 80? If not I will just walkthrough your iptables script.

Thank you.
 
Old 11-06-2005, 11:53 PM   #13
lqorg_user
LQ Newbie
 
Registered: Nov 2005
Distribution: debian sarge
Posts: 3

Rep: Reputation: 0
I believe using the fotoguy's script is an excellent idea.

However, you can configure bare minimum firewall by modifying your firewall script.

This is your original script=======================
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
===========================================

In your script, you don't have any ACCEPT target for FORWARD. Thus, everything forwarded by PREROUTING is directly sent to DROP target.
Thus, add the followings to your original script.


iptables -t nat -A PREROUTING -p tcp -m tcp -d $INET_IP --dport 80 -j DNAT --to $LAN_IP:80

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -d $LAN_IP --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -d $LAN_IP --dport 443 -j ACCEPT


In addition to this, you need to turn off rp_filter of the desination computer. (HOWEVER, you should keep rp_filter on for the forwarding computer, which holds the above firewall script and works as the firewall for your internal network).

You can turn rp_filter off by echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter.
 
Old 11-07-2005, 03:02 AM   #14
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,280

Rep: Reputation: 61
Quote:
Originally posted by Kruncher
Wow, that's alot to go through.
Now I need to find a Bash tutorial and a Iptables tutorial.
I know only a little about bash and iptables.

I only have a very simple firewall running on my dailup pc:
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

Is there a simple way to forward port 80? If not I will just walkthrough your iptables script.

Thank you.
I know little about bash and iptables myself, just learning it. lqorg_user idea is your best bet if my script is a little over the top. But if you use mine I have already put the rules in to forward to a ip-address to your web server, you just have to change your ip-address to suit. The script is setup for a router only, if it's running on a machine that you are usingas a workstation you will need to change the INPUT rules from:

$IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP -j LOGDROP # Drop local connections from internet
$IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections
$IPTABLES -A INPUT -p icmp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections from internet

to:

$IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP -m state --state ESTABLISHED,RELATED -j CHECKBADFLAG
$IPTABLES -A INPUT -p icmp -i $EXTIF -d $EXTIP --m state --state ESTABLISHED,RELATED -j ICMPINBOUND

Hope this helps
 
Old 11-07-2005, 10:56 PM   #15
Kruncher
Member
 
Registered: Mar 2005
Distribution: Ubuntu
Posts: 61

Original Poster
Rep: Reputation: 15
iptables v1.3.3: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
./nat-up: line 15: DNAT: command not found
./nat-up: line 16: --to: command not found
iptables v1.3.3: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
./nat-up: line 20: 80: command not found
./nat-up: line 21: ACCEPT: command not found
iptables v1.3.3: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
./nat-up: line 23: 443: command not found
./nat-up: line 24: ACCEPT: command not found


Not sure why it gives me those errors.
I can find --dport in the man page.
Any more help would be nice, thank you.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Best Guess on Gnome 2.8? 2Gnu Slackware 3 09-16-2004 06:06 PM
Susefirewall2 Nat Problem / nat 1:1 trubi Linux - Distributions 0 07-20-2004 05:50 AM
Guess who's going to be on Enterprise? carrja99 General 18 03-11-2003 05:19 PM
What's the difference between Linux-NAT and Sygate-NAT? yuzuohong Linux - Networking 0 08-07-2002 04:07 AM
So guess what Cichlid Linux - Networking 0 03-16-2002 05:22 PM


All times are GMT -5. The time now is 05:02 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration