Old 03-14-2005, 10:27 AM   #1
funkymunky
Member
 
Registered: Jun 2003
Location: Austin, Texas
Distribution: Fedora Core 8, 32-bit
Posts: 126

Rep: Reputation: 15
iptables: restricting forwarding??


Hi,

We have shared our dialup internet connection across 4 users on our network of 30 guys. One user, who is acting as the gateway, is running Fedora Core3. Using an iptables config script, we have restricted access to the four of us..but that doesn't seem to be working..everyone can access the net :-( .the script is below, please point out the errors..

also, how do I determine which users are being forwarded (I mean, which of them are accessing the net through the gateway) at a particular instant? and then, how do I bump them off? which commands do I use?

here's my iptables config script:
========================================

Code:
#!/bin/bash
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

## enable local network services 
/sbin/iptables --append INPUT	--in-interface  eth1 -p all -j ACCEPT
/sbin/iptables --append OUTPUT	--out-interface eth1 -p all -j ACCEPT

## enable local network services 
#/sbin/iptables --append INPUT	--in-interface  eth2 -p udp --dport 53 -j ACCEPT
#/sbin/iptables --append INPUT	--in-interface  eth2 -p tcp --dport 22 -j ACCEPT
##/sbin/iptables --append INPUT	--in-interface  eth2 -p tcp -j ACCEPT
/sbin/iptables -A OUTPUT -o eth2 -p all -j ACCEPT
/sbin/iptables -A INPUT -i eth2 -p all -j ACCEPT

## local loopback interface
/sbin/iptables --append INPUT	--in-interface lo -p all -j ACCEPT
/sbin/iptables --append OUTPUT	--out-interface lo -p all -j ACCEPT

##public service
#/sbin/iptables --append INPUT	--in-interface  eth0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables --append INPUT	--in-interface  eth0 -p tcp --dport 8342:8345 -j ACCEPT

/sbin/iptables --append INPUT	--in-interface  eth0 -p tcp --dport 24716 -j ACCEPT
## Set up IP FORWARDing and Masquerading
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/sbin/iptables --append FORWARD 	--in-interface eth2 -j ACCEPT
/sbin/iptables --append FORWARD 	--in-interface eth1 -j ACCEPT
/sbin/iptables --append INPUT		--in-interface eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

## reject others
/sbin/iptables --append INPUT		--in-interface eth0 -m state --state NEW -j DROP
/sbin/iptables --append INPUT -j DROP
/sbin/iptables --append OUTPUT -p icmp -d 0/0 -j DROP

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------

# Disable routing triangulation. Respond to queries out

# the same interface, not another. Helps to maintain state

# Also protects against IP spoofing

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#---------------------------------------------------------------

# Enable logging of packets with malformed IP addresses

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#---------------------------------------------------------------

# Disable redirects

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#---------------------------------------------------------------

# Disable source routed packets

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#---------------------------------------------------------------

# Disable acceptance of ICMP redirects

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#---------------------------------------------------------------

# Turn on protection from Denial of Service (DOS) attacks

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#---------------------------------------------------------------

# Disable responding to ping broadcasts

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
============================================

Thanx in advance,

Mayank

Last edited by funkymunky; 03-15-2005 at 04:26 PM.
 
Old 03-14-2005, 02:01 PM   #2
popm
LQ Newbie
 
Registered: Mar 2005
Posts: 4

Rep: Reputation: 0
Thank you kindly. This information is very useful for me. Great site! Thanks again!


<link removed by moderator>

Last edited by Capt_Caveman; 03-14-2005 at 11:11 PM.
 
Old 03-14-2005, 10:50 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Anything that is being forwarded by the FC gateway is going to use the FORWARD chain. Looking at your script, I don't see how you are restricting forwarding at all. I also don't see any default policies for any of the chains, so if you aren't setting the policy, it automagically becomes 'ACCEPT'. Therefore anything that doesn't specifically match a rule will reach the default policy (ACCEPT) and get forwarded. Maybe if you described how you would like to restrict access (by IP address, MAC address, etc) we can come up with a solution. It might also help to give a brief description of your network and what eth0/1/2 are connected to.
 
Old 03-14-2005, 10:59 PM   #4
funkymunky
Member
 
Registered: Jun 2003
Location: Austin, Texas
Distribution: Fedora Core 8, 32-bit
Posts: 126

Original Poster
Rep: Reputation: 15
Sorry, I have posted a clean script, the way we got it off the net..unfortunately, the edited script got lost..hope you can still help..:-(

The FC gateway has the dialup interface connected to ppp0, so all FORWARD requests should be routed to it. The only NIC present in it is connected to eth0, so all the requests come from there.

One unpleasant thing we had noticed was that people would change their IP to one of the four that were allowed, and would thus fool the firewall...thus MAC level authentication would be better..but I suppose that can be spoofed too..

Thanx in anticipation,

Mayank
 
Old 03-14-2005, 11:52 PM   #5
funkymunky
Member
 
Registered: Jun 2003
Location: Austin, Texas
Distribution: Fedora Core 8, 32-bit
Posts: 126

Original Poster
Rep: Reputation: 15
Another query I had was:
How do I determine which users are being forwarded to ppp0 at a particular instant? "netstat -an" does show all of them, how do I determine which ones are simply accessing my LAN shares, and which ones are being forwarded? And then, how do I drop their connections?
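The thread never comes back to this question, so here is an added example (not code from any poster) of how a gateway admin can tell the two kinds of client apart. It reads the kernel's connection-tracking table, the same state the "-m state" rules in the script rely on. The assumed table layout is the 2.6-era /proc/net/ip_conntrack one, where each entry carries the original tuple ("src=A dst=B ...") followed by the reply tuple ("src=B dst=C ..."); for a masqueraded flow the reply destination C is the gateway's ppp0 address rather than the LAN host A, so A != C identifies a forwarded connection, while a host that only talks to a share on the gateway has A == C. The sample table, the 203.0.113.10 ppp0 address and the 192.168.3.1 gateway LAN address are constructed placeholders; the interface name eth0 is the one used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list which LAN hosts currently have
# connections being masqueraded out through ppp0, by reading the kernel's
# connection-tracking table (the same state the "-m state" rules use).
# Assumed table layout (2.6-era /proc/net/ip_conntrack): each entry carries the
# original tuple "src=A dst=B ..." followed by the reply tuple "src=B dst=C ...".
# For a masqueraded flow the reply destination C is the gateway's ppp0 address,
# not the LAN host A, so A != C marks a forwarded connection.

LAN_IF=eth0   # LAN side of the gateway, as in the thread

# Constructed sample table: two hosts going out via the gateway (203.0.113.10 is
# a placeholder ppp0 address) and one host only talking to a LAN share on the
# gateway itself (192.168.3.1 placeholder), which must not be counted.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.3.17 dst=198.51.100.7 sport=33456 dport=80 src=198.51.100.7 dst=203.0.113.10 sport=80 dport=33456 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=192.168.3.17 dst=198.51.100.9 sport=33460 dport=443 src=198.51.100.9 dst=203.0.113.10 sport=443 dport=33460 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.3.99 dst=192.168.3.1 sport=1041 dport=139 src=192.168.3.1 dst=192.168.3.99 sport=139 dport=1041 [ASSURED] use=1
udp      17 28 src=192.168.3.20 dst=198.51.100.53 sport=1025 dport=53 src=198.51.100.53 dst=203.0.113.10 sport=53 dport=1025 use=1'

# Print "LAN-host flow-count" for every host with at least one forwarded flow.
# Reads the table from the file(s) given, or from stdin when none is given.
list_forwarded() {
    awk '
    {
        ns = 0; nd = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)      { src[++ns] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[++nd] = substr($i, 5) }
        }
        # original source != reply destination  =>  address was rewritten (NAT)
        if (ns == 2 && nd == 2 && src[1] != dst[2]) count[src[1]]++
    }
    END { for (h in count) print h, count[h] }' "$@" | sort
}

# Cut a host off: a DROP inserted at the top of FORWARD is evaluated before the
# ACCEPT rules below it, for new and already-established flows alike.
# Set IPT=echo to preview the command instead of running it.
kick_host() {
    [ -n "$1" ] || return 1
    "${IPT:-/sbin/iptables}" -I FORWARD -i "$LAN_IF" -s "$1" -j DROP
}

case "${1:-}" in
    live) list_forwarded /proc/net/ip_conntrack ;;
    *)    echo "$SAMPLE_CONNTRACK" | list_forwarded ;;
esac
```

Run it as "sh who-forwards.sh live" on the gateway (root is needed to read the table) to see the real hosts and their flow counts; without an argument it runs against the constructed sample and prints 192.168.3.17 with 2 flows and 192.168.3.20 with 1, while 192.168.3.99 is correctly left out because its only connection is to the gateway's own share. The parser only keys on the src=/dst= tokens, so the optional packet and byte counters some kernels print between them do not affect it.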
 
Old 03-15-2005, 03:22 AM   #6
funkymunky
Member
 
Registered: Jun 2003
Location: Austin, Texas
Distribution: Fedora Core 8, 32-bit
Posts: 126

Original Poster
Rep: Reputation: 15
Here's the actual script we're using, with the rules etc set


==============================================
Code:
#!/bin/bash
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

## enable local network services 
/sbin/iptables --append INPUT	--in-interface  eth0 -p all -j ACCEPT
/sbin/iptables --append OUTPUT	--out-interface eth0 -p all -j ACCEPT

## enable local network services 
#/sbin/iptables --append INPUT	--in-interface  eth0 -p udp --dport 53 -j ACCEPT
#/sbin/iptables --append INPUT	--in-interface  eth0 -p tcp --dport 22 -j ACCEPT
##/sbin/iptables --append INPUT	--in-interface  eth0 -p tcp -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p all -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p all -j ACCEPT

## local loopback interface
/sbin/iptables --append INPUT	--in-interface lo -p all -j ACCEPT
/sbin/iptables --append OUTPUT	--out-interface lo -p all -j ACCEPT

##public service
#/sbin/iptables --append INPUT	--in-interface  ppp0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables --append INPUT	--in-interface  ppp0 -p tcp --dport 8342:8345 -j ACCEPT

/sbin/iptables --append INPUT	--in-interface  ppp0 -p tcp --dport 24716 -j ACCEPT
## Set up IP FORWARDing and Masquerading
/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
/sbin/iptables --append FORWARD 	--in-interface eth0 -j ACCEPT -s 192.168.3.17
/sbin/iptables --append FORWARD 	--in-interface eth0 -j ACCEPT -s 192.168.3.20
/sbin/iptables --append FORWARD 	--in-interface eth0 -j ACCEPT -s 192.168.2.11
/sbin/iptables --append FORWARD 	--in-interface ppp0 -j ACCEPT
/sbin/iptables --append INPUT		--in-interface ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

## reject others
/sbin/iptables --append INPUT		--in-interface ppp0 -m state --state NEW -j DROP
/sbin/iptables --append INPUT -j DROP
/sbin/iptables --append OUTPUT -p icmp -d 0/0 -j DROP

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------

# Disable routing triangulation. Respond to queries out

# the same interface, not another. Helps to maintain state

# Also protects against IP spoofing

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#---------------------------------------------------------------

# Enable logging of packets with malformed IP addresses

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#---------------------------------------------------------------

# Disable redirects

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#---------------------------------------------------------------

# Disable source routed packets

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#---------------------------------------------------------------

# Disable acceptance of ICMP redirects

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#---------------------------------------------------------------

# Turn on protection from Denial of Service (DOS) attacks

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#---------------------------------------------------------------

# Disable responding to ping broadcasts

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
==================================================


regards

Mayank

Last edited by funkymunky; 03-15-2005 at 04:24 PM.
 
Old 03-15-2005, 10:41 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Set your default policy for the FORWARD chain to DROP at the beginning of the script. So any packets which don't match any of the forwarding rules will get dropped:
Code:
==============================================
#!/bin/bash
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -P FORWARD DROP
Your forwarding rules are ok, but you should limit traffic being forwarded into the LAN to established or related states. Otherwise it might be possible for someone to remotely access the LAN.
Code:
## Set up IP FORWARDing and Masquerading
/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
/sbin/iptables --append FORWARD 	--in-interface eth0 -j ACCEPT -s 192.168.3.17
/sbin/iptables --append FORWARD 	--in-interface eth0 -j ACCEPT -s 192.168.3.20
/sbin/iptables --append FORWARD 	--in-interface eth0 -j ACCEPT -s 192.168.2.11
/sbin/iptables --append FORWARD 	--in-interface ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables --append INPUT		--in-interface ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
If you wish to restrict access by MAC address, simply find the MAC addresses from the clients and replace the forwarding rules above with:
Code:
## Set up IP FORWARDing and Masquerading
/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
/sbin/iptables --append FORWARD 	--in-interface eth0 -j ACCEPT -m mac --mac-source AA:AA:AA:AA:AA:AA
/sbin/iptables --append FORWARD 	--in-interface eth0 -j ACCEPT -m mac --mac-source BB:BB:BB:BB:BB:BB
/sbin/iptables --append FORWARD 	--in-interface eth0 -j ACCEPT -m mac --mac-source CC:CC:CC:CC:CC:CC
/sbin/iptables --append FORWARD 	--in-interface eth0 -j ACCEPT -m mac --mac-source EE:EE:EE:EE:EE:EE
/sbin/iptables --append FORWARD 	--in-interface ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
To find the clients' MAC addresses quickly, just use the arp command to display the current IP<->MAC mappings. Also, remember that restricting by MAC addresses only works for systems on the same physical network. It is possible to spoof MAC addresses fairly easily, so you might want to take a look at arpstar or arpwatch.
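Putting the three points from this reply together (FORWARD policy DROP set before any rule, only ESTABLISHED/RELATED traffic forwarded back in from ppp0, and per-client restriction), here is an added example of the forwarding part of the gateway script; it is not the thread's script and not Capt_Caveman's code. It goes one step further than the reply: each allowed client must match on its IP and its MAC at the same time, so simply copying an allowed address, the trick described earlier in the thread, is no longer enough on its own. The interface names eth0 and ppp0 and the three client IPs are the ones from the thread; the MACs are placeholders; the log rule and the IPT override (set IPT=echo to print the commands instead of running them) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the thread's script: a gateway ruleset built around the
# three points in the reply above (FORWARD policy DROP, only ESTABLISHED/RELATED
# traffic forwarded back in from ppp0, per-client restriction). Each client is
# matched on its IP *and* its MAC (an assumption here, tighter than the MAC-only
# rules in the reply), so borrowing an allowed IP alone no longer gets through.
# Run as "IPT=echo sh gateway.sh preview" to print the commands instead of
# executing them, or "sh gateway.sh apply" on the gateway to load them.

LAN_IF=eth0   # LAN side of the gateway, as in the thread
WAN_IF=ppp0   # dialup side, as in the thread

# Constructed sample of allowed clients as "IP MAC" pairs; the MACs are placeholders.
ALLOWED_CLIENTS='
192.168.3.17 AA:AA:AA:AA:AA:AA
192.168.3.20 BB:BB:BB:BB:BB:BB
192.168.2.11 CC:CC:CC:CC:CC:CC
'

# Every rule goes through this wrapper so the whole script can be dry-run.
ipt() {
    "${IPT:-/sbin/iptables}" "$@"
}

build_forward_rules() {
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -t nat -X

    # Default policy first: nothing is forwarded unless a rule below allows it.
    ipt -P FORWARD DROP

    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Packets arriving from the dialup side are only forwarded into the LAN
    # when they belong to a connection a client opened.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: the source must present the expected IP and the expected MAC.
    echo "$ALLOWED_CLIENTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
    done

    # Log (rate-limited) what the policy is about to drop, so attempts from
    # unauthorised hosts show up in the kernel log.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DENY: "
}

case "${1:-}" in
    apply)   build_forward_rules ;;
    preview) IPT=echo build_forward_rules ;;
esac
```

The rest of the original script (INPUT/OUTPUT rules, the /proc sysctl settings) is unchanged and would follow build_forward_rules. Because the policy is set before the ACCEPT rules are appended, there is no window during the reload in which everything is forwarded; and since the LOG rule sits last in FORWARD, a LAN host that changes its IP to an allowed one but keeps its own MAC now shows up as a FWD-DENY line in the kernel log instead of silently getting through.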
 
Old 03-15-2005, 12:06 PM   #8
funkymunky
Member
 
Registered: Jun 2003
Location: Austin, Texas
Distribution: Fedora Core 8, 32-bit
Posts: 126

Original Poster
Rep: Reputation: 15
Thanx to Capt_Caveman, it seems to be working fine now. However, there's a peculiar problem we're facing:
From the clients, no browser is able to open rediffmail.com, google images, or get to their yahoo mail inbox..the browsers time out while connecting to these sites. (there may be other such sites that are unreachable) Other sites work fine.

Among the 4 people sharing the Internet connection, two are running Fedora Core 3, while the others run Windoze. This behaviour comes up only in the Linux *client*, the gateway linux box and the windoz clients work fine. One of the Linux boxes is acting as the server.

Further, this behaviour is replicated if either of the Fedora Core boxes are made the gateway. And like I said, only the linux *client* has this problem..I've even tried reinstalling Linux on both the Linux boxes, to no avail!

Does anyone here have a clue?

Regards,
Mayank
 
Old 03-15-2005, 12:46 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Make sure that ecn is off:
cat /proc/sys/net/ipv4/tcp_ecn (make sure it's 0)

Also linux clients can occasionally have problems with mtu size and DF flag. Try adding:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
Old 03-15-2005, 01:36 PM   #10
funkymunky
Member
 
Registered: Jun 2003
Location: Austin, Texas
Distribution: Fedora Core 8, 32-bit
Posts: 126

Original Poster
Rep: Reputation: 15
Hi, Capt_Caveman
That did not seem to have any effect on the linux client. As you instructed, I tried this on the gateway:

Code:
[root@mayank ~]# cat /proc/sys/net/ipv4/tcp_ecn
0
[root@mayank ~]#
Also, I typed in the rule you had mentioned at the bash prompt..no change in the client's problem

Regards
Mayank
 
Old 03-15-2005, 02:12 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Try turning ICMP back on:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
 
  

