port forwarding problems
I've been having problems with my port forwarding (via IPTABLES). I load my config into IPTABLES via a script slightly modified from one I found on Experts Exchange.
I have two systems involved in this problem: my REDHAT9 box and my W2K3 box. The redhat box does most everything important for me, but I need the W2K3 box for IIS. My W2k3 box has an ip of 192.168.0.2, and is connected directly to ETH1 on the RH9 box (via Xover cable). My RH9 box is connected to the world via ETH0. My IP table script follows:

#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 192.168.0.2
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break. Uncomment the line following
# if the inside machines are trustworthy and there are services on the firewall,
# like DNS, web, DHCP etc., that they need to access. And remember to change the
# IP to be that of the INSIDE interface of the firewall.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d 192.168.1.1 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Silently drop any SMB traffic. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux, so block that windows trash.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of allowing inbound for the port forwarding examples above.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPTABLES -A INPUT -j firewalled |
From what you have you should just need to add:
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.2
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
Just out of interest - why do you want to use IIS over apache? |
I really really really don't want to use IIS. I have to run active server pages (ASP), and don't want to pay Sun thousands of dollars for a license to their linux-based ASP support.
I'll try that out. Now I have another problem: something in my script is keeping the system from booting properly, so I have to boot in interactive mode and deny IPtables. GRRR. |
I can't see anything wrong in that bit - maybe you should post the whole thing.
|
the system dies on 'bringing up loopback interface'. hmm...
|
based on my log all i did between working condition and now was:
- enable ip packet forwarding (echo "1" > /proc/sys/net/ipv4/ip_forward)
- replace (completely) my current IPtables with the one i listed above (entirely). |
I just added "LOOPBACK=lo" to the beginning of my IPTABLES.
Wish me luck! |
still having problems when it comes to reloading IPtables. the error repeats until it kills the system. I'll grab it in a sec (and edit this post rather than being spam monkey).
here it is: /bin/sh: error while loading shared libraries: libc.so.6: cannot open shared object file: Error 23 |
alright, my system works again, but the IP table/s is still not doing its job. any thoughts?
|
Can you post the WHOLE script. You have only posted some of it before.
|
sorry, i hadn't realized I clipped it.
#!/bin/sh
#
# Set an absolute path to IPTABLES and define the interface
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since
# you'll save the running config with 'iptables-save' for RedHat to reinstate
# at the next boot IP forwarding must be enabled by other than this script for
# production use. That's best done by editing /etc/sysctl.conf and setting
# 'net.ipv4.ip_forward = 1'.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# iptables-save >/etc/sysconfig/iptables
#
# When /etc/init.d/iptables executes it will see the file and restore the rules.
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
echo 1 > /proc/sys/net/ipv4/ip_forward
IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1
LOOPBACK=lo
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP
$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.1.0.1 (edit: 192.168.0.2)
# The second forwards SSH to 10.1.0.1
# The third forwards a block of tcp and udp ports (2300-2400) to 10.1.0.1
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.2
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.0.2
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.2
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 192.168.0.2
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break. Uncomment the line following
# if the inside machines are trustworthy and there are services on the firewall,
# like DNS, web, DHCP etc., that they need to access. And remember to change the
# IP to be that of the INSIDE interface of the firewall.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d 192.168.1.1 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Silently drop any SMB traffic. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux, so block that windows trash.
#
#$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of allowing inbound for the port forwarding examples above.
#
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
# my own additions based on comments from linuxquestions.org
#
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.2
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#
#$IPTABLES -A INPUT -j firewalled |
Your own additions section could probably go because those rules are already in the script prior to that.
Try adding these forwarding rules too:
$IPTABLES -A FORWARD -m state --state NEW -i $OUTSIDE -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Also make sure that iptables is running:
service iptables status
And that the rules are in place:
iptables -F
iptables -L
(you should see no rules - just empty tables)
Run your script
iptables -L
(you should now see your rules) |
did all of that, still does not work. If it means anything, upon reboot the IPtables gets reset to the following:

Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- boston2-qwest.bellatlantic.net anywhere udp spt:domain dpts:1025:65535
ACCEPT udp -- boston1-qwest.bellatlantic.net anywhere udp spt:domain dpts:1025:65535
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable

Thanks for all of your help! |
Is that after running your firewall script?
|
that is after running my firewall script AND then a reboot. Directly after I run my script, service iptables status does indeed show that everything in my script loaded.
|
What does your nat table look like:
iptables -t nat -n -L |
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:192.168.0.2
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:2300:2400 to:192.168.0.2
DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:2300:2400 to:192.168.0.2
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination |
FYI i've checked the actual connectivity. The windows system can talk to eth1, but not to eth0 or the world. The linux system via eth1 can talk to the windows system, but the world can't talk to the windows system.
|
Ah - sorry I assumed that your server had access to the net through linux already.
What happens when you run:
cat /proc/sys/net/ipv4/ip_forward
If it returns 0 then:
echo 1 > /proc/sys/net/ipv4/ip_forward
and try again. Oh - and when you say windows has no access to the net - I take it that was after making sure that the default gateway was set to the ip of the linux box - yes? |
IP_Forward is already set to 1. I also added a line to sysctl.conf reading net.ipv4.ip_forward = 1
Yes, the gateway on the windows system is set to 192.168.0.1 |
Ok - something is odd here - what do the routing tables look like?
|
route returns:
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
10.255.255.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.255.255.1 0.0.0.0 UG 0 0 0 eth0

/etc/iproute2/rt_tables contains:
#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep

ip route returns:
192.168.0.0/24 dev eth1 scope link
10.255.255.0/24 dev eth0 proto kernel scope link src 10.255.255.5
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 10.255.255.1 dev eth0 |
when i do service --status-all one of the lines returned is:
ipchains: Incompatible with this kernel
I think i'm going to do a reinstall... |
ipchains? why are you using ipchains?
|
I'm not using IP chains. That was just erroneous information.
|
Ah sorry I see it was a query to ipchains. That is just because it is installed. No need to worry.
I just can't figure this one out though. Your routing is fine. Forwarding is enabled and an iptables rule is in place and yet you still can't masq out or forward in. How about trying to get this working one bit at a time. With the windows server's gateway set to the linux box's ip what happens if you:
ping www.linuxquestions.org
ping 64.179.4.146 |
I can't ping linuxquestions.org from the windows box. I'll have my system setup later tonight on a T1 with a static+public IP. Maybe life will get simpler... and I'll reinstall more carefully.
|
Does that mean you can ping the ip address?
|
I can ping the IP address from the linux machine. However, I cannot ping the IP from the windows machine. The reinstall's going to have to wait till tomorrow. I forgot my CD-Rs [:)]
|
Just an additional question...
How can one test if IPTABLES rules actually work properly, besides noticing that a particular service doesn't work. Thanks |
with
iptables --check <rule> |
Now it's a windows problem;)
But don't forget to set the gateway in windows. |
When I do: iptables --check
I get: iptables v1.2.7a: Unkown arg '--check'
Also could you provide me with the necessary iptables commands to forward port 3128 from firewall to internal client? Please help |
still nothing
fresh redhat 9 install off of 3 fresh, verified disks. Still nothing works. I can lynx into the web server on the w2k3 machine, so in addition to knowing it's on the network, i know i should be able to get to its webserver (running on port 80)
any thoughts!? |
Have you made sure you have enabled ip forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
What rules have you added to your iptables now? |
I haven't added anything. Just changed the order. I set the first one you listed to 1, but not the second.
"dynaddr"? huh? I haven't messed with this. FYI i'm now running a static IP. |
adding services
Quote:
mods it solved my initial problem (lokkit was producing a firewall that wouldn't let anything on my home network out of the gateway). Now it's working for people to use browsers and pop mailers, with the dialup connection being brought up on demand-dial with pppd. The remaining problems are: a) what do I need to add to allow specific ports to be opened, eg I need to allow any computer on the local (trusted) eth0 to be able to send the server NTP(123) LPD(515) X11(6000) and IRC(194/6667) packets. Right now these don't seem to get thru. My problem is working out how to phrase the iptables command. b) something, somewhere, in your script is defeating pppd timeout. I have it set to die after 900 secs inactivity (my telco's charge period), but it's staying up. Is there anything in there which might account for it? ///Peter |
Post a copy of your script first so we can see if there's any reason why it's not getting through.
|
repost of the firewall script with request for help
Quote:
and INSIDE set to eth0, but here it is again. My only problem is I cannot understand either the syntax or the iptables man page, so I can't work out how to open up additional ports. If there was a more sensible syntax, like allow incoming tcp 515 eth0 it might make it easier to set up.

#!/bin/sh
# From http://www.linuxquestions.org/questi...103#post482103
# Set an absolute path to IPTABLES and define the interface
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since
# you'll save the running config with 'iptables-save' for RedHat to reinstate
# at the next boot IP forwarding must be enabled by other than this script for
# production use. That's best done by editing /etc/sysctl.conf and setting
# 'net.ipv4.ip_forward = 1'.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# iptables-save >/etc/sysconfig/iptables
#
# When /etc/init.d/iptables executes it will see the file and restore the rules.
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
# echo 1 > /proc/sys/net/ipv4/ip_forward
IPTABLES="/sbin/iptables"
OUTSIDE=ppp0
INSIDE=eth0
LOOPBACK=lo
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPTABLES -A tcpflags -j DROP
$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPTABLES -A firewalled -j DROP
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.1.0.1 (edit: 192.168.0.2) (author's local machine, not gateway)
# The second forwards SSH to 10.1.0.1
# The third forwards a block of tcp and udp ports (2300-2400) to 10.1.0.1
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 192.168.0.2
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break. Uncomment the line following
# if the inside machines are trustworthy and there are services on the firewall,
# like DNS, web, DHCP etc., that they need to access. And remember to change the
# IP to be that of the INSIDE interface of the firewall.
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d 192.168.42.1 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Silently drop any SMB traffic. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux, so block that windows trash.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of allowing inbound for the port forwarding examples above.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
# my own additions based on comments from linuxquestions.org
#
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.2
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#
$IPTABLES -A INPUT -j firewalled
[eof] |
I can see several large mistakes there...
1st. It looks like you still have the iptables and ipchains services starting at boot... The Lokkit rules came from that service file. Can't do both if you have a script, only one or the other... do chkconfig --del iptables and chkconfig --del ipchains, OR make sure your script never starts but do service iptables save once the rules are loaded, to make sure iptables reads your rules from /etc/sysconfig/iptables when it boots. In either case make sure ipchains is deleted.

2nd. INPUT chain only controls packets which stop on the RH box. FORWARD chain controls what is passed to/from the LAN behind the box, so your last post didn't show any of the FORWARD rules david_ross mentioned a long time ago.

3rd. You MUST do either "echo 1 > /proc/sys/net/ipv4/ip_forward" OR add the comment to /etc/sysctl.conf OR both. It is commented out in your script... (I hope it is an oversight)

4th. The rules for tcp flags and icmp types need to be duplicated for the FORWARD chain to protect the LAN machines.

5th. Please post the rules once they are loaded. This is the crunch information and will say what is required. do iptables-save and they will be printed on the screen, do iptables-save > filename and they will be written to that file.

A last comment, there is a good tutorial for iptables at http://www.linuxquestions.org/questi...n=jump&bmid=10 I recommend you read this to explain how the rule sets work together and you can use the example scripts at the end to base your work on. :) |
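A checker for the two gaps the replies keep coming back to (david_ross's missing FORWARD rules, and ip_forward left at 0), written as an added example that is not from the thread: it parses iptables-save output, as point 5 above suggests collecting, and reports what is missing behind each DNAT. The sample dumps are constructed to mirror the posted script with eth0 as OUTSIDE, and the ip_forward value is passed in rather than read from /proc, so it runs anywhere.

```python
"""Audit an iptables-save dump for incomplete port forwards (added example, not from
the thread). Expects legacy iptables-save text plus the value of ip_forward."""
import shlex

def make_dump(forward_policy, forward_rules):
    """Constructed iptables-save text built around the thread's DNAT/MASQUERADE rules."""
    return "\n".join([
        "*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]",
        "-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2",
        "-A POSTROUTING -o eth0 -j MASQUERADE", "COMMIT",
        "*filter", ":INPUT DROP [0:0]", f":FORWARD {forward_policy} [0:0]", ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT", "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
        *forward_rules, "COMMIT", ""])

DUMP_AS_POSTED = make_dump("ACCEPT", [])  # FORWARD chain empty, as in the posted script
DUMP_FIXED = make_dump("DROP", [          # with the FORWARD rules the replies asked for
    "-A FORWARD -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT",
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"])

def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, argv), ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                      # table header, e.g. *nat
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                    # chain policy, e.g. :FORWARD DROP [0:0]
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):                  # rule appended to a chain
            argv = shlex.split(line)
            tables[table]["rules"].append((argv[1], argv[2:]))
    return tables

def opt(argv, name):
    """Value following option `name` in a rule's argv, or None if absent."""
    for i, tok in enumerate(argv[:-1]):
        if tok == name:
            return argv[i + 1]
    return None

def states(argv):
    """Conntrack states a rule matches (-m state/-m conntrack), or None for any state."""
    raw = opt(argv, "--state") or opt(argv, "--ctstate")
    return set(raw.split(",")) if raw else None

def audit(save_text, ip_forward):
    """Return findings about DNAT port forwards; an empty list means they look complete."""
    tables = parse_save(save_text)
    empty = {"policy": {}, "rules": []}
    nat, filt = tables.get("nat", empty), tables.get("filter", empty)
    dnats = [a for chain, a in nat["rules"] if chain == "PREROUTING" and opt(a, "-j") == "DNAT"]
    if not dnats:
        return ["no DNAT rules in nat PREROUTING: nothing is being forwarded"]
    findings = []
    if int(ip_forward) != 1:
        findings.append("ip_forward=0: the kernel will not route DNATed packets to the LAN")
    fwd = [a for chain, a in filt["rules"] if chain == "FORWARD"]
    policy = filt["policy"].get("FORWARD", "ACCEPT")
    has_return = any(opt(a, "-j") == "ACCEPT" and "ESTABLISHED" in (states(a) or ()) for a in fwd)
    if policy != "ACCEPT" and not has_return:
        findings.append("FORWARD lacks a RELATED,ESTABLISHED accept rule: replies will be dropped")
    for a in dnats:
        dest = (opt(a, "--to-destination") or opt(a, "--to") or "").split(":")[0]
        proto, port = opt(a, "-p"), opt(a, "--dport")
        # A FORWARD rule covers the forward if it accepts NEW connections and every
        # qualifier it carries (protocol, port, destination) agrees with the DNAT.
        covered = any(
            opt(r, "-j") == "ACCEPT" and "NEW" in (states(r) or {"NEW"})
            and opt(r, "-p") in (None, proto) and opt(r, "--dport") in (None, port)
            and (opt(r, "-d") or dest).split("/")[0] == dest
            for r in fwd)
        if policy == "ACCEPT":
            findings.append(f"DNAT {proto}/{port} -> {dest}: reaches the LAN only because FORWARD "
                            "policy is ACCEPT, so everything else does too")
        elif not covered:
            findings.append(f"DNAT {proto}/{port} -> {dest}: no FORWARD rule accepts it, policy is {policy}")
    outside = {opt(a, "-i") for a in dnats} - {None}
    masq = {opt(a, "-o") for chain, a in nat["rules"]
            if chain == "POSTROUTING" and opt(a, "-j") in ("MASQUERADE", "SNAT")}
    for iface in sorted(outside - masq):
        findings.append(f"no MASQUERADE/SNAT out of {iface}: LAN hosts cannot reach the Internet")
    return findings

if __name__ == "__main__":
    for name, dump, flag in (("as posted", DUMP_AS_POSTED, 0), ("fixed", DUMP_FIXED, 1)):
        print(f"[{name}]", audit(dump, flag) or ["OK"])
```

On a real box, feed it `iptables-save` output and the contents of /proc/sys/net/ipv4/ip_forward; the checker only reads rule text, it never changes the firewall.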
This script is run from rc.local. ipchains is not installed. Quote:
aware of. Quote:
I have no idea how to do this. Quote:
# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Table: filter
Chain INPUT (policy DROP)
target prot opt source destination
tcpflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
tcpflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
tcpflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
tcpflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
tcpflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
tcpflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
firewalled icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere salem.silmaril.ie
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
silent udp -- anywhere anywhere udp spt:netbios-ns dpt:netbios-ns
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
firewalled all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain firewalled (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 15/min burst 5 LOG level warning prefix `Firewalled:'
DROP all -- anywhere anywhere
Chain silent (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain tcpflags (6 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 15/min burst 5 LOG level warning prefix `TCPflags:'
DROP all -- anywhere anywhere
Quote:
command which will allow bidirectional tcp traffic on port 515? |
My mistake, they were references to robiewp.
He posted a listing with Lokkit chain names, which shows he is using the /etc/init.d/iptables boot script called by service iptables start, hence my comments about choosing either the init.d startup OR his script, not BOTH. And yes, you have inherited the other mistakes... To print a listing, do iptables-save rather than iptables -L. It gives much more information... And as far as port 515 is concerned, where do you want the traffic to go? just to the firewall or to the LAN behind? The rules are quite different... |
allow all machines on the [trusted] eth0 LAN to send jobs to the printer which is physically attached to the gateway machine where the firewall is. No requirement to go outside the LAN. In the cases of half a dozen other ports/protocols, some I need to be able to take in from the outside, some I need to be able to initiate from the inside, and some just need to go to the firewall machine and no further. I've read half a dozen docs on iptables syntax but they all seem to deal with borderline cases and special parameters rather than with bog-standard everyday needs like ssh, lpd, pop3, etc. P |
Sorry for the extended break...
Usually, the LAN segment doesn't need to have rules allowing services. If it does, that's a really tight Policy... Try...
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 515 -j REDIRECT
iptables -I INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 515 -j ACCEPT
Anything coming to port 515 from the lan will be redirected to 127.0.0.1. Anything related or connected from the lan will be allowed to stay connected. This allows the lpd service to generate dns queries etc before connecting the stream. Anything coming into the firewall itself to port 515 from the lan will be accepted. |