Ubuntu ICS Cut Off by Firewall
Extreme Newb here so please be kind. My office is full of Macs and Windows boxes. My IT staff and I only "dabble" in Linux when we get a chance.
So, we're trying to build a simple Firewall/Gateway out of Ubuntu. We have a machine with 2 NICs running the latest version: 10.04. We have been able to set up the gateway/routing fine using both the built-in Internet Connection Sharing as well as using Guidedog. The current setup we are testing is using Guidedog. For the NICs we have set eth0 as our internet connection and eth1 connects to the LAN. We've manually set all IPs...no DHCP at this time.

Next we try to install a firewall. We have tried both Firestarter and Guarddog. After setup with either, the Ubuntu box is still able to get online and access web sites but the LAN gets cut off. No access at all. We are currently running Guarddog and have set the proper protocols (DNS, HTTP, HTTPS) and have also followed the tutorial found here. However, no matter what settings we make, as soon as we re-enable the firewall the LAN is cut off. Disable the FW...LAN is back online. We even set up an "Allow All" protocol allowing all ports from 1:65535 and still we get cut off as soon as the FW is enabled. We saw this same thing happen with Firestarter, and my understanding is they're using the same basic Linux FW underneath?

So, what is it we're neglecting to do? Why does the FW completely seal off our LAN connection no matter what we've told it to allow?

Ultimately, here's the layout we're after:

Internet (T1) <> Firewalled Ubuntu <> LAN

Thanks in advance!
You're quite right - all (well, almost) firewalling programs for Linux are merely front-ends to iptables. At the end of the day the rule-set your tool creates will be translated into iptables rules, which then enforces them. To assess what's happening with your config I suggest you run

Code:
iptables -L

Cheers,
Tink
Results of iptables -L
Code:
Chain INPUT (policy DROP)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere
ACCEPT      all  --  sdsinc-sightmax      10.55.1.255
ACCEPT      all  --  10.42.43.1           10.42.43.255
logaborted  tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT      icmp --  anywhere             anywhere             icmp parameter-problem
nicfilt     all  --  anywhere             anywhere
srcfilt     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT      icmp --  anywhere             anywhere             icmp parameter-problem
srcfilt     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT      icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT      icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT      icmp --  anywhere             anywhere             icmp parameter-problem
s1          all  --  anywhere             anywhere

Chain f0to1 (5 references)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
logdrop     all  --  anywhere             anywhere

Chain f0to2 (1 references)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
logdrop     all  --  anywhere             anywhere

Chain f1to0 (1 references)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:5999 dpt:https state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:5999 dpt:ftp state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:5999 dpt:www state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:5999 dpt:http-alt state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:5999 dpt:8008 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:5999 dpt:8000 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:5999 dpt:8888 state NEW
logdrop     all  --  anywhere             anywhere

Chain f1to2 (1 references)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
logdrop     all  --  anywhere             anywhere

Chain f2to0 (1 references)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:https state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:ftp state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
ACCEPT      udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:www state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:http-alt state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:8008 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:8000 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:8888 state NEW
logdrop     all  --  anywhere             anywhere

Chain f2to1 (5 references)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
ACCEPT      tcp  --  anywhere             anywhere             tcp dpts:tcpmux:65535 state NEW
logdrop     all  --  anywhere             anywhere

Chain logaborted (1 references)
target      prot opt source               destination
logaborted2 all  --  anywhere             anywhere             limit: avg 1/sec burst 10
LOG         all  --  anywhere             anywhere             limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '

Chain logaborted2 (1 references)
target      prot opt source               destination
LOG         all  --  anywhere             anywhere             LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT      all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain logdrop (8 references)
target      prot opt source               destination
logdrop2    all  --  anywhere             anywhere             limit: avg 1/sec burst 10
LOG         all  --  anywhere             anywhere             limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP        all  --  anywhere             anywhere

Chain logdrop2 (1 references)
target      prot opt source               destination
LOG         all  --  anywhere             anywhere             LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP        all  --  anywhere             anywhere

Chain logreject (0 references)
target      prot opt source               destination
logreject2  all  --  anywhere             anywhere             limit: avg 1/sec burst 10
LOG         all  --  anywhere             anywhere             limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT      tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT      udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP        all  --  anywhere             anywhere

Chain logreject2 (1 references)
target      prot opt source               destination
LOG         all  --  anywhere             anywhere             LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT      tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT      udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP        all  --  anywhere             anywhere

Chain nicfilt (1 references)
target      prot opt source               destination
RETURN      all  --  anywhere             anywhere
RETURN      all  --  anywhere             anywhere
RETURN      all  --  anywhere             anywhere
RETURN      all  --  anywhere             anywhere
RETURN      all  --  anywhere             anywhere
logdrop     all  --  anywhere             anywhere

Chain s0 (1 references)
target      prot opt source               destination
f0to1       all  --  anywhere             alien-ubuntu.sds.local
f0to1       all  --  anywhere             10.55.1.255
f0to1       all  --  anywhere             10.42.43.1
f0to1       all  --  anywhere             10.42.43.255
f0to1       all  --  anywhere             localhost
f0to2       all  --  anywhere             192.168.1.0/24
logdrop     all  --  anywhere             anywhere

Chain s1 (1 references)
target      prot opt source               destination
f1to2       all  --  anywhere             192.168.1.0/24
f1to0       all  --  anywhere             anywhere

Chain s2 (1 references)
target      prot opt source               destination
f2to1       all  --  anywhere             sdsinc-sightmax
f2to1       all  --  anywhere             10.55.1.255
f2to1       all  --  anywhere             10.42.43.1
f2to1       all  --  anywhere             10.42.43.255
f2to1       all  --  anywhere             localhost
f2to0       all  --  anywhere             anywhere

Chain srcfilt (2 references)
target      prot opt source               destination
s2          all  --  192.168.1.0/24       anywhere
s0          all  --  anywhere             anywhere
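A note on reading the listing above, plus an added example that is not part of this thread and is not Guarddog, Guidedog or Firestarter code. A plain `iptables -L` shows only the filter table and, without `-v`, omits the in/out interface columns, so two things that decide whether a LAN behind a two-NIC gateway gets out are invisible here: the MASQUERADE rule in the nat table (`iptables -t nat -L -n -v`) and the interface matches inside chains such as nicfilt, s0, s1 and s2. `-n` also stops iptables from turning port 1 into `tcpmux` and 80 into `www`. The script below is the minimal rule set such a gateway needs, written as a generator so it can be read or diffed before it is applied as root; it assumes eth0 is the Internet side and eth1 the LAN side as in the original post, takes the 192.168.1.0/24 LAN from the listing, and the choice to let the LAN reach the box only on DNS and SSH is the example's own.

```shell
#!/bin/sh
# Minimal two-NIC gateway rule set (added example; assumptions: eth0 = WAN,
# eth1 = LAN, LAN subnet 192.168.1.0/24, DNS/SSH the only services the LAN
# may use on the gateway itself).
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Emit the rule set as a list of commands. Pipe it to `sh -e` as root to
# apply, or just read it to compare with what a GUI front-end produced.
gateway_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
# 1. The kernel must route between the two NICs at all.
sysctl -w net.ipv4.ip_forward=1
# 2. Start clean in BOTH tables. 'iptables -L' only shows the filter table;
#    the NAT rule lives in the nat table and is invisible without -t nat.
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# 3. Loopback, and replies to connections the gateway itself opened.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 4. What the LAN may ask the gateway itself for: DNS and SSH only.
iptables -A INPUT -i $lan -s $net -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $lan -s $net -p tcp --dport 22 -j ACCEPT
# 5. FORWARD is the chain LAN traffic actually traverses. New flows may go
#    LAN -> WAN; WAN -> LAN carries replies only, so the DROP policy keeps
#    unsolicited Internet traffic off the LAN.
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
# 6. Hide the LAN behind the WAN address. Without this the LAN's packets leave
#    with private source addresses and the replies never come back.
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}

# Health check for an existing gateway: forwarding on, FORWARD counters
# moving, and a MASQUERADE rule present in the nat table. Run as root.
check_gateway() {
    sysctl -n net.ipv4.ip_forward
    iptables -L FORWARD -n -v
    iptables -t nat -L POSTROUTING -n -v
}

case "${1:-show}" in
  show)  gateway_rules "$WAN" "$LAN" "$LAN_NET" ;;
  apply) gateway_rules "$WAN" "$LAN" "$LAN_NET" | sh -e ;;
  check) check_gateway ;;
esac
```

Run it with `show` to review the generated commands, `apply` (as root) to load them, and `check` on a box that is already "firewalled" to see whether the three conditions the LAN depends on are all true; if the FORWARD packet counters stay at zero while a LAN host tries to browse, the packets are being dropped before that chain or never reach the gateway at all.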