LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-09-2003, 01:27 AM   #1
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Rep: Reputation: 30
Post Iptables------help


Hi, everyone,

I got this script from the network specialist who set up our network in another country.

I am not familiar with IPTABLES and I want to understand it so I can modify something, and I hope you guys can give me directions and explanations of this script; I really need your help.

Here is the script that I got in /etc/rc.d/firewall.fw

firewall.fw

#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v1.0.7-
#
# Generated Sun Apr 6 20:53:36 2003 MYT by root
#
#
#
#
check() {
    if test ! -x "$1"; then
        echo "$1 not found or is not executable"
        exit 1
    fi
}

log() {
    if test -x "$LOGGER"; then
        logger -p info "$1"
    fi
}

MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"

check $MODPROBE
check $IPTABLES
check $IP

cd /etc || exit 1

log "Activating firewall script generated Sun Apr 6 20:53:36 2003 MYT by root"


MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* | sed 's/\.o.*$//')`


for module in $(echo $MODULES); do
    if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then
        $MODPROBE -k ${module} || exit 1
    fi
done


FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

$IP -4 neigh flush dev eth0
$IP -4 addr flush dev eth0 label "eth0:FWB*"
$IP -4 neigh flush dev eth1
$IP -4 addr flush dev eth1 label "eth1:FWB*"


$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP



cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
    $IPTABLES -t $table -X
done


#
# Rule 0(NAT)
#
#
$IPTABLES -t nat -A PREROUTING -s 192.168.xxx.0/24 -d xxx.xxx.xx.xxx -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s 192.168.xxx.0/24 -d 192.168.xxx.2 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.xxx.0/24 -d xxx.xxx.xx.xxx -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.xxx.0/24 -d 192.168.xxx.2 -j ACCEPT
#
# Rule 1(NAT)
#
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.xxx.0/24 -j SNAT --to-source xxx.xxx.xx.xxx
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.xxx.0/24 -j SNAT --to-source 192.168.xxx.2
#
#


$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Rule 0(eth0)
#
#
#
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s xxx.xxx.xx.zzz/32 -j ACCEPT
#
# Rule 0(eth1)
#
#
#
$IPTABLES -A INPUT -i eth1 -p icmp -s 192.168.xxx.0/24 --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p icmp -s 192.168.xxx.0/24 -d xxx.xxx.xx.xxx --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p icmp -s 192.168.xxx.0/24 -d 192.168.xxx.2 --icmp-type 0/0 -m state --state NEW -j ACCEPT
#
# Rule 0(global)
#
#
#
$IPTABLES -N RULE_0
$IPTABLES -A INPUT -p tcp -m multiport -s 192.168.xxx.0/24 --destination-port 110,25 -m state --state NEW -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT
#
# Rule 1(global)
#
#
#
$IPTABLES -A INPUT -s 192.168.xxx.90 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.xxx.89 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.xxx.88 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.xxx.90 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.xxx.89 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.xxx.88 -m state --state NEW -j ACCEPT
#
# Rule 2(global)
#
#
#
$IPTABLES -N RULE_2
$IPTABLES -A OUTPUT -j RULE_2
$IPTABLES -A INPUT -j RULE_2
$IPTABLES -A FORWARD -j RULE_2
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DROP "
#IPTABLES -A RULE_2 -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward




It looks like it blocks every connection, right?
Thanks in advance

Last edited by joseph; 10-09-2003 at 01:31 AM.
 
Old 10-09-2003, 06:28 AM   #2
gpagedar
LQ Newbie
 
Registered: Sep 2003
Posts: 11

Rep: Reputation: 0
Hi joseph,
I won't say anything about your shell script in the beginning, but only about the iptables stuff.

#
# Rule 0(NAT)
#
#
$IPTABLES -t nat -A PREROUTING -s 192.168.xxx.0/24 -d xxx.xxx.xx.xxx -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s 192.168.xxx.0/24 -d 192.168.xxx.2 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.xxx.0/24 -d xxx.xxx.xx.xxx -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.xxx.0/24 -d 192.168.xxx.2 -j ACCEPT

This adds the natting rules to your network; there are two types of natting, source and destination. But frankly speaking these lines do not do any natting, they only add these rules to your natting tables. (lots of natting)

#
# Rule 1(NAT)
#
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.xxx.0/24 -j SNAT --to-source xxx.xxx.xx.xxx
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.xxx.0/24 -j SNAT --to-source 192.168.xxx.2
#
#

(above) This is where you are doing source natting with that SNAT option.

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Accepting all connections that are established on this gateway or router.
#
# Rule 0(eth0)
#
#
#
$IPTABLES -A INPUT -i eth0 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT

Accept packets from eth0, protocol icmp, of type 0/0 (look for these types on the netfilter website).

$IPTABLES -A INPUT -i eth0 -s xxx.xxx.xx.zzz/32 -j ACCEPT
#
# Rule 0(eth1)
#
#
#
$IPTABLES -A INPUT -i eth1 -p icmp -s 192.168.xxx.0/24 --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p icmp -s 192.168.xxx.0/24 -d xxx.xxx.xx.xxx --icmp-type 0/0 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p icmp -s 192.168.xxx.0/24 -d 192.168.xxx.2 --icmp-type 0/0 -m state --state NEW -j ACCEPT
#
# Rule 0(global)
#
#
#
$IPTABLES -N RULE_0
$IPTABLES -A INPUT -p tcp -m multiport -s 192.168.xxx.0/24 --destination-port 110,25 -m state --state NEW -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT
#
# Rule 1(global)
#
#
#
$IPTABLES -A INPUT -s 192.168.xxx.90 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.xxx.89 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 192.168.xxx.88 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.xxx.90 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.xxx.89 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.xxx.88 -m state --state NEW -j ACCEPT
#
# Rule 2(global)
#
#
#
$IPTABLES -N RULE_2
$IPTABLES -A OUTPUT -j RULE_2
$IPTABLES -A INPUT -j RULE_2
$IPTABLES -A FORWARD -j RULE_2
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DROP "
#IPTABLES -A RULE_2 -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward

This last statement would enable your IP forwarding, generally used when one uses a gateway for internal and external networks.

Some options which can clear most of your doubts:

-s : source address
-d : destination address
-p : protocol used
-j : jump to that chain, i.e. ACCEPT, DROP or REJECT
-A : add a rule to the chain
-N : create a new chain
-X : delete a chain

I am sorry if this information does not help you in any way. Please let me know if you want to know more about this: gpagedar@yahoo.com.

Regards,
Gautam Pagedar.
 
Old 10-09-2003, 09:39 PM   #3
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Original Poster
Rep: Reputation: 30
Dear gpagedar,

Do you know which rules block every connection (incoming and outgoing)?

Right now I want to open port 53 (domain name server); do you know how I should add rules there?

This script only allows incoming and outgoing on port 25 (SMTP) and port 110 (POP3).

NB. I cannot do nslookup on that server, maybe because the script blocks every connection.

Thanks in advance
 
Old 10-10-2003, 06:11 PM   #4
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
Well, your OUTPUT is set to DROP here:
$IPTABLES -P OUTPUT DROP
Then it is set to accept ESTABLISHED,RELATED traffic here:
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
There is a problem with that. You will never allow any OUTPUT because you must first accept a NEW connection to get an ESTABLISHED,RELATED connection.
Basically your machine is in a vacuum lock.

IMO there is no reason to block OUTPUT at all unless you are restricting a child's computer, or are blocking Trojan activity.

My solution would be to delete the OUTPUT rules and let the default ACCEPT.
 
Old 10-10-2003, 06:54 PM   #5
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 774

Rep: Reputation: 243Reputation: 243Reputation: 243
You only need to open 53 if you're RUNNING a name server, not simply using one. I don't think that's what you intend to do here? Think of it like this: the services you GIVE to other people need an open port on your machine to get out. (That's cheesy, I know, but it's easy to remember!)

-jayjwa
 
Old 10-11-2003, 10:47 AM   #6
joseph
Member
 
Registered: Jun 2003
Location: Batam
Distribution: Ubuntu 10 And Linux Mint
Posts: 414

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by /bin/bash
Well, your OUTPUT is set to DROP here:
$IPTABLES -P OUTPUT DROP
Then it is set to accept ESTABLISHED,RELATED traffic here:
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
There is a problem with that. You will never allow any OUTPUT because you must first accept a NEW connection to get an ESTABLISHED,RELATED connection.
Basically your machine is in a vacuum lock.

IMO there is no reason to block OUTPUT at all unless you are restricting a child's computer, or are blocking Trojan activity.

My solution would be to delete the OUTPUT rules and let the default ACCEPT.
I am not sure about the script either, because that script was set up by the network specialist in that country, not by me, and now I would like to change the config, but it is really hard; I only manage to understand 5 or 6 lines.

Now I want to set up a name server; how should I add the rules to the script above?

Also I need to do a lookup; how do I do that?

Can anyone help me with that script above, please?

Last edited by joseph; 10-12-2003 at 08:08 PM.
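The point /bin/bash makes about OUTPUT DROP, joseph's failing nslookup, and jayjwa's remark that port 53 only needs opening inbound for a name server can all be checked against a small model of the script's chains. This is an added example, not code from the thread: it collapses RULE_0 into a plain ACCEPT, tracks connections by 5-tuple, and assumes a LAN resolver at a placeholder address.

```python
# Added example (not from the thread): a first-match model of the posted script's
# INPUT/OUTPUT chains with connection tracking. It shows why nslookup from the box
# fails under "-P OUTPUT DROP" with only ESTABLISHED,RELATED accepted, and that one
# NEW rule towards the resolver fixes it without opening port 53 inbound.
# All addresses are constructed placeholders, like the xxx in the posted script.
LAN_NET = "192.168.xxx."
ME, CLIENT, RESOLVER = "192.168.xxx.2", "192.168.xxx.90", "192.168.xxx.1"

def match(rule, pkt):
    """A rule matches when every field it names agrees with the packet."""
    for key, want in rule.items():
        if key == "src_net" and not pkt["src"].startswith(want):
            return False
        if key not in ("src_net", "target") and pkt.get(key) != want:
            return False
    return True

class Firewall:
    """Policy DROP on INPUT and OUTPUT, as in the script; conntrack keyed by 5-tuple."""
    def __init__(self, extra_output=()):
        self.conntrack = set()
        self.chains = {
            # INPUT: established first, then Rule 0(global) for SMTP from the LAN
            "INPUT": [{"state": "ESTABLISHED", "target": "ACCEPT"},
                      {"src_net": LAN_NET, "proto": "tcp", "dport": 25, "state": "NEW", "target": "ACCEPT"}],
            # OUTPUT in the script has only the established rule; extras model a fix
            "OUTPUT": [{"state": "ESTABLISHED", "target": "ACCEPT"}, *extra_output],
        }

    def _state(self, p):
        orig = (p["src"], p["dst"], p["proto"], p["sport"], p["dport"])
        reply = (p["dst"], p["src"], p["proto"], p["dport"], p["sport"])
        return "ESTABLISHED" if orig in self.conntrack or reply in self.conntrack else "NEW"

    def verdict(self, chain, **p):
        """Run one packet through a chain; ACCEPTed NEW flows enter conntrack."""
        p["state"] = self._state(p)
        result = next((r["target"] for r in self.chains[chain] if match(r, p)), "DROP")
        if result == "ACCEPT" and p["state"] == "NEW":
            self.conntrack.add((p["src"], p["dst"], p["proto"], p["sport"], p["dport"]))
        return result

# the single OUTPUT rule that lets the box itself query the resolver
DNS_FIX = [{"proto": "udp", "dst": RESOLVER, "dport": 53, "state": "NEW", "target": "ACCEPT"}]

def lookup_from_box(fw):
    """The box's own nslookup: query out on OUTPUT, answer back on INPUT."""
    q = fw.verdict("OUTPUT", src=ME, dst=RESOLVER, proto="udp", sport=40000, dport=53)
    a = fw.verdict("INPUT", src=RESOLVER, dst=ME, proto="udp", sport=53, dport=40000)
    return q, a
```

Under the original rules a LAN client's SMTP connection still gets its replies out (they are ESTABLISHED), so OUTPUT is not entirely dead; what is blocked is anything the box originates itself, which is exactly the lookup.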
 