Hi,
I have MySQL running on my firewall machine (MDK 8.2) — not ideal, but I don't have enough PCs to run it on a different box. When I try to connect to MySQL via JDBC it fails. So I tried pinging the gateway PC on 10.0.0.1, and it times out. Here is my entire iptables script; the sections on lan-if and if-lan are the relevant ones for traffic between the LAN and the firewall machine.
It passes everything from the firewall/gateway to the LAN:
## $IPTABLES -A if-lan -j ACCEPT
and only certain ports in the other direction, including the MySQL port (3306):
# MySQL JDBC - (3306/TCP) JDBC access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 3306 -j ACCEPT
Any ideas?
Here is the whole script.
#!/bin/bash
#
# Startup script to setup iptables firewall.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# Script Author: Gawain Lynch <gawain@felicity.net.au>
# Maurice van der Pot <griffn26@lycos.nl>
#
# To jump to different parts of this script, search for:
#
# EXTIF (traffic from the internet to the firewall)
# EXTLAN (traffic from the internet to the local network)
# IFEXT (traffic from the firewall to the internet)
# IFLAN (traffic from the firewall to the local network)
# LANEXT (traffic from the local network to the internet)
# LANIF (traffic from the local network to the firewall)
#
# ----------------------------------------------------------------------------
#
# ----------------------------------------------------------------------------
# General Declarations
#
# Path to the iptables binary.  Every rule below is issued through $IPTABLES,
# so pointing it at "echo" (next line, commented out) turns a run into a dry
# run that prints the rules instead of loading them.
IPTABLES='/sbin/iptables'
#IPTABLES=echo
# Prefix for progress messages.  Deliberately expanded unquoted: word
# splitting turns it into the command "echo" plus the literal words
# "Firewall" and "-".
ECHO='echo Firewall -'
case "$1" in
stop)
# Tear the ruleset down.  Only the FORWARD policy is touched (set to DROP);
# INPUT and OUTPUT keep whatever policy they have, which after a "start" is
# DROP -- so with the chains flushed the host accepts and sends nothing,
# loopback included.  Fail-closed, but worth knowing before running "stop"
# on a box that also serves MySQL locally.
$ECHO "Shutting down firewall..."
$IPTABLES -P FORWARD DROP
# Flush the rules (-F) before deleting the user chains (-X): a chain can
# only be deleted once it is empty.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -X
;;
status)
# There is no "running" state to report; the start branch ends with
# "$IPTABLES -L -v", which dumps the loaded ruleset.
$ECHO "Status is not supported for firewall"
;;
restart|reload)
# Re-run this script by the path it was started with.  $0 is unquoted, so
# a path containing whitespace would break here.
$0 stop
$0 start
;;
start)
$ECHO "Loading required modules"
/sbin/depmod -a
#
# Netfilter modules: the LOG, REJECT and MASQUERADE targets, the FTP and IRC
# connection-tracking helpers (these are what let RELATED data connections
# through the state rules below) and the FTP NAT helper.  The names are the
# 2.4-kernel ones; later kernels renamed most of them (nf_conntrack_ftp,
# nf_nat_ftp, ...), so check here first if modprobe complains.  A failed
# modprobe is not checked and does not stop the script.
#
# Owner matching (ipt_owner) is not loaded; enable it if you add
# "-m owner" rules.
#/sbin/modprobe ipt_owner
#
for kernel_module in \
  ipt_LOG \
  ipt_REJECT \
  ipt_MASQUERADE \
  ip_conntrack_ftp \
  ip_conntrack_irc \
  ip_nat_ftp; do
  /sbin/modprobe "$kernel_module"
done
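$ECHO "Defining script variables"
# ----------------------------------------------------------------------------
# Interface Declarations
#
LOOPBACK="127.0.0.0/8" # Loopback network
LAN_IF="eth0" # First internal interface
EXT_IF="ppp0" # First external interface
# IP address of the internal interface.  The INPUT jumps only hand packets
# addressed to this address (or to EXT_IF_ADDR) over to the lan-if chain.
LAN_IF_ADDR="10.0.0.1"
EXT_IF_ADDR="213.***.***.**" # Leave blank if dynamically obtained
LANSUBNET="10.0.0.0/8" # Local network address range (must contain LAN_IF_ADDR)
#
# ----------------------------------------------------------------------------
# IP Network Declarations
#
# NOTE(review): "any/0" is not numeric, so iptables will try to resolve it
# as a network or host name; 0.0.0.0/0 is the unambiguous spelling.
ANY="any/0" # anywhere
CLASS_A="10.0.0.0/8" # Class A Private Network (RFC 1918)
CLASS_B="172.16.0.0/12" # Class B Private Network (RFC 1918)
CLASS_C="192.168.0.0/16" # Class C Private Network (RFC 1918)
CLASS_D_MULTICAST="224.0.0.0/4" # Class D Multicast Network
# Class E covers 240.0.0.0-255.255.255.255, i.e. a /4.  The earlier /5 mask
# stopped at 247.255.255.255 and left 248.0.0.0/5 unfiltered by the sanity
# chain.
CLASS_E_RESERVED_NET="240.0.0.0/4" # Class E Reserved Network
BROADCAST_SRC="0.0.0.0" # Broadcast Source Address
BROADCAST_DEST="255.255.255.255" # Broadcast Dest. Address
#
# ----------------------------------------------------------------------------
# Central syslog host -- only referenced by the remote-logging rule in the
# lan-if section, which is commented out.
#
SYSLOGHOST=""
#
# ----------------------------------------------------------------------------
# DNS servers -- declared but not referenced by any rule in this script.
#
DNS1=""
DNS2=""
#
# ----------------------------------------------------------------------------
# Banned addresses
#
# Enter host or network addresses separated by a space. If you need to wrap
# around to a new line, then finish the existing line with a backslash "\".
#
# BANNED_ADDR="1.2.3.4 1.4.210.0/24 \
# 101.2.34.5"
#
BANNED_ADDR=""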
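#
# ----------------------------------------------------------------------------
# Resolve the external interface address when EXT_IF_ADDR was left blank in
# the variables section.  The address is read from ifconfig and stored in
# EXT_IF_ADDR -- the variable every rule below actually uses -- and, for
# compatibility, in the exported EXT_IF_ADDR_DYN.  Exits with 1 (leaving the
# existing ruleset untouched) if the interface has no address, e.g. because
# the PPP link is down.
#
if [ -z "$EXT_IF_ADDR" ] ; then
  $ECHO "Determining external interface dynamic address"
  # "inet addr:" is the output format of the traditional net-tools ifconfig;
  # newer ifconfig and ip(8) print it differently -- TODO confirm on the
  # target box.
  export EXT_IF_ADDR_DYN="$(ifconfig "$EXT_IF" 2>/dev/null \
    | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://')/32"
  #
  if [ "$EXT_IF_ADDR_DYN" = "/32" ] ; then
    $ECHO "External interface not active... Exiting without changes!"
    exit 1
  fi
  # Previously the detected address was only stored in EXT_IF_ADDR_DYN and
  # never copied back, so every rule referring to $EXT_IF_ADDR was built
  # with an empty address and failed to load.
  EXT_IF_ADDR="$EXT_IF_ADDR_DYN"
  $ECHO "External interface dynamic address is: " $EXT_IF_ADDR_DYN
fi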
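#
# We always flush the ruleset before starting so that we don't just add
# to the existing ruleset when the script is run.  Note that loading is not
# atomic: between this flush and the fail-safe rules a few lines down the
# chains are briefly empty under whatever policy is current (ACCEPT, the
# kernel default, on a fresh boot).  iptables-restore would load the whole
# set in one step.
#
$ECHO "Flushing rules"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
#
#--------------------------------------------------------------------
$ECHO "Setting default filter policy"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# ----------------------------------------------------------------------------
$ECHO "Blocking everything till configuration loaded... Pucker!"
# Fail-safe rules, inserted at position 1 of each built-in chain so that
# nothing gets through while the remaining rules are being appended; they
# are deleted again at the end of the script ("Remove initial fail-safe
# Blocking Rules").  Loopback is exempted in both directions so local
# applications keep working meanwhile -- the OUTPUT rule used to drop
# loopback traffic as well, contradicting that intent.
# ("-i ! lo" is the old negation syntax; newer iptables want "! -i lo".)
$IPTABLES --insert INPUT 1 -i ! lo -j DROP
$IPTABLES --insert OUTPUT 1 -o ! lo -j DROP
$IPTABLES --insert FORWARD 1 -j DROP
#
# ----------------------------------------------------------------------------
# Unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT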
#
$ECHO "Creating Chains"
# ----------------------------------------------------------------------------
# User-defined chains.  Traffic to and from the firewall itself is split
# into one chain per source/destination pair (lan-if, ext-if, if-lan,
# if-ext) and forwarded traffic likewise (lan-ext, ext-lan), so each chain
# only has to deal with one direction on one interface.
$ECHO " Created Packet Filtering Chains for Local Packets"
for local_chain in lan-if ext-if if-lan if-ext; do
  $IPTABLES -N "$local_chain"
done
#
$ECHO " Created Packet Filtering Chains for Forward Packets"
for forward_chain in lan-ext ext-lan; do
  $IPTABLES -N "$forward_chain"
done
#
# icmp-acc: accepts the handful of ICMP types the firewall is willing to
# receive or answer; any other type falls off the end of the chain and
# returns to the caller.
$ECHO " Created Packet Filtering Chains for Forward ICMP Packets"
$IPTABLES -N icmp-acc
#
# banned: addresses you never want to exchange packets with (known trojan
# or worm sources, for example).  Unmatched packets return to the caller.
$ECHO " Created Packet Filtering Chains for Banned Addresses"
$IPTABLES -N banned
#
# sanity: source-address checks for packets arriving from the Internet.
# RFC 1918 and other reserved ranges must never appear as a source address
# on the external interface.
$ECHO " Created Packet Sanity Chain"
$IPTABLES -N sanity
#
# attack: logs and drops probes for a few well-known trojan/backdoor ports.
$ECHO " Created Attack Chain"
$IPTABLES -N attack
#
# blocked: the terminal chain -- everything sent here is rejected, and
# packets from the external interface are logged (rate limited) first.
$ECHO " Created Blocked Traffic Chain"
$IPTABLES -N blocked
#
#
# Masquerading
# NATENTRY is a command prefix for port forwards (DNAT) on the external
# interface.  It is expanded unquoted on purpose so the words become
# separate arguments.  "-d $EXT_IF_ADDR" pins it to the configured address,
# so it only works while that address is current.
NATENTRY="$IPTABLES -t nat -A PREROUTING -i $EXT_IF -d $EXT_IF_ADDR -j DNAT"
$ECHO "Enabling masquerading"
# Everything leaving through the external interface is source-NATed to the
# external address.  SNAT with a fixed --to-source suits a static address;
# for a dynamically assigned PPP address the MASQUERADE target (whose
# module is loaded above) follows address changes by itself.
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IF_ADDR
#
$ECHO "Adding NAT rules"
#
# Example of a NAT entry (the forwarded packets then pass through the
# FORWARD chain and ext-lan on their way to the LAN host)
# $NATENTRY -p tcp --dport 2234 --to-destination 192.168.188.2
#
$ECHO "Jumps"
# ----------------------------------------------------------------------------
# Jumps From forward Chain
# Unfortunately, we only know (in the forward chain) the outgoing
# interface. Thus, to figure out what interface the packet came in on,
# we use the source address (the anti-spoofing prevents address faking).
#
# Note that we log anything which doesn't match any of these (obviously,
# this should never happen).
# ----------------------------------------------------------------------------
# INPUT jumps
$ECHO " Input Jumps"
#
# Check for packet sanity (bogus source addresses), external interface only
$IPTABLES -A INPUT -i $EXT_IF -j sanity
#
# Check for banned addresses
$IPTABLES -A INPUT -j banned
#
# Check for attacks (well-known trojan ports); returns if nothing matched
$IPTABLES -A INPUT -j attack
#
# Local interface input: dispatch on incoming interface AND destination
# address.  Only packets addressed to EXT_IF_ADDR (from ppp0) or to
# LAN_IF_ADDR / EXT_IF_ADDR (from eth0) reach the per-interface chains.
# NOTE(review): LAN traffic to any other address the firewall holds on
# eth0 (a secondary address, or an address other than the LAN_IF_ADDR
# configured above) matches none of these and ends in "blocked", where
# LAN-side packets are rejected without a log entry.  Worth checking first
# when LAN hosts cannot reach services on the firewall.
$IPTABLES -A INPUT -i $EXT_IF -d $EXT_IF_ADDR -j ext-if
$IPTABLES -A INPUT -i $LAN_IF -d $LAN_IF_ADDR -j lan-if
#
# LAN hosts addressing the firewall by its external address are treated
# like any other LAN-to-firewall traffic
$IPTABLES -A INPUT -i $LAN_IF -d $EXT_IF_ADDR -j lan-if
#
# Deny and log all other traffic
$IPTABLES -A INPUT -j blocked
#
# FORWARD jumps
# We don't care where inbound traffic is coming from,
# only that it is not from internal
$ECHO " Forward Jumps"
#
# Check for packet sanity on traffic from the Internet only
# ("-s ! net" is the old negation syntax; newer iptables want "! -s net")
$IPTABLES -A FORWARD -s ! $LANSUBNET -j sanity
#
# Check for attack on traffic from the Internet only
$IPTABLES -A FORWARD -s ! $LANSUBNET -j attack
#
# Dispatch by direction: LAN -> Internet, and anything -> LAN.
# NOTE(review): $ANY is "any/0"; iptables resolves a non-numeric address as
# a host or network name, so confirm this build accepts it (0.0.0.0/0 is
# the unambiguous spelling, and omitting -s altogether means the same).
$IPTABLES -A FORWARD -s $LANSUBNET -o $EXT_IF -j lan-ext
$IPTABLES -A FORWARD -s $ANY -o $LAN_IF -j ext-lan
#
# Deny and log all other traffic
$IPTABLES -A FORWARD -j blocked
#
# OUTPUT jumps
$ECHO " Output Jumps"
# Check for banned addresses
$IPTABLES -A OUTPUT -j banned
#
# Local interface output: dispatch on outgoing interface and source address
$IPTABLES -A OUTPUT -o $EXT_IF -s $EXT_IF_ADDR -j if-ext
$IPTABLES -A OUTPUT -o $LAN_IF -s $LAN_IF_ADDR -j if-lan
#
# Packets to the LAN that carry the external address as source
$IPTABLES -A OUTPUT -o $LAN_IF -s $EXT_IF_ADDR -j if-lan
#
# Drop all other traffic.  Unlike INPUT and FORWARD this is a plain DROP,
# so locally generated packets that match no jump are discarded silently.
$IPTABLES -A OUTPUT -j DROP
#
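$ECHO "Building LAN to LAN Interface Chain"
# ----------------------------------------------------------------------------
#
# LANIF
#
# Services the firewall offers to the LAN, i.e. traffic from LAN hosts to
# the firewall's own addresses.  A packet only gets here if it arrived on
# LAN_IF addressed to LAN_IF_ADDR or EXT_IF_ADDR (see the INPUT jumps);
# anything not accepted below ends in the "blocked" chain.
#
# LAN to LAN interface restrictions:
# - ftp - File transfer from the LAN to the firewall
# - ssh - Secure shell access from the LAN to the firewall
# - telnet - Shell access from the LAN to the firewall (cleartext)
# - smtp - Mail submission from the LAN to the firewall
# - pop - Mail retrieval from the LAN to the firewall
# - http, 8080, 8081 - Web server / servlet containers on the firewall
# - smb - NetBIOS name, datagram and session services
# - mysql - MySQL (JDBC clients) on the firewall
# - sftp - Simple File Transfer (port 115, not the ssh subsystem)
#
# Symbolic ports (ftp, ssh, telnet, mail, pop-3, www, sftp) are looked up
# in /etc/services when the rule is loaded.
#
# FTP - (21/TCP) Ftp access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport ftp -j ACCEPT
#
# SSH - (22/TCP) Secure shell access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport ssh -j ACCEPT
#
# TELNET - (23/TCP) Telnet access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport telnet -j ACCEPT
#
# SMTP - (25/TCP) SMTP access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport mail -j ACCEPT
#
# POP - (110/TCP) POP access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport pop-3 -j ACCEPT
#
# HTTP - (80/TCP) HTTP
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport www -j ACCEPT
#
# SMB - (137/UDP) Netbios NS access
$IPTABLES -A lan-if -p udp -s $LANSUBNET --dport 137 -j ACCEPT
#
# SMB - (137/TCP) Netbios NS access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 137 -j ACCEPT
#
# SMB - (138/UDP) Netbios DGM access
$IPTABLES -A lan-if -p udp -s $LANSUBNET --dport 138 -j ACCEPT
#
# SMB - (138/TCP) Netbios DGM access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 138 -j ACCEPT
#
# SMB - (139/TCP) Netbios SSN access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 139 -j ACCEPT
#
# MySQL JDBC - (3306/TCP) JDBC access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 3306 -j ACCEPT
#
# Servlet - (8080/TCP) Servlet access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 8080 -j ACCEPT
#
# Servlet - (8081/TCP) Servlet access
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport 8081 -j ACCEPT
#
# SFTP - (115/TCP) Simple File Transfer Protocol.  Port 115 is not the
# ssh-based sftp, which rides on the ssh port opened above.
$IPTABLES -A lan-if -p tcp -s $LANSUBNET --dport sftp -j ACCEPT
#
# SYSLOG - (514/UDP) System and kernel logging to central logging host.
# This logging is done in case an attacker wipes the logs
# on your firewall machine.
#
# Remote logging helps to reconstruct what happens around the
# time of an attempted system/network compromise. This information
# can also be submitted to the DShield.org database for Internet
# nasties. See www.dshield.org for more information.
# (The URL used to sit on a line of its own without the leading "#",
# so bash tried to run it as a command on every start.)
#
# To achieve remote logging, add the following line to your
# /etc/syslog.conf on your firewall machine:
#
# kern.*;authpriv.*;*.warn;*.err @loghost.yourdomain
#
# And on your Syslog host, change the script command that starts
# syslogd to include the -r switch, usually found in
# /etc/init.d/syslog. This tells syslog to accept remote logging
# from remote hosts
#
# NOTE: You must restart syslogd or reboot to make these changes
# work.
#
# NOTE(review): log packets leave the firewall through OUTPUT -> if-lan,
# which already accepts everything, so the disabled rule below would not
# see them in lan-if (an INPUT chain).  If it is ever enabled it also
# needs "--dport" in front of the port, as written here.
#$IPTABLES -A lan-if -p udp -s $LAN_IF_ADDR \
# -d $SYSLOGHOST --dport syslog -j ACCEPT
#
# ICMP Chain Jump
$IPTABLES -A lan-if -j icmp-acc
#
# Allow related packets
# NOTE(review): only TCP is covered; UDP replies to queries the firewall
# itself sends to LAN hosts would fall through to "blocked".  Compare
# ext-if, which has a UDP state rule as well.
$IPTABLES -A lan-if -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Reject remaining traffic
$IPTABLES -A lan-if -j blocked
#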
$ECHO "Building LAN Interface to LAN Chain"
# ----------------------------------------------------------------------------
#
# IFLAN
#
# This chain handles all traffic from the firewall to the rest of the LAN
# (OUTPUT via LAN_IF with LAN_IF_ADDR or EXT_IF_ADDR as source).  Replies
# to LAN clients -- MySQL responses, ping replies -- leave through here, so
# if the firewall answers from any other local address the packet never
# reaches this chain and is dropped by the final OUTPUT rule.
#
# Accept all traffic
$IPTABLES -A if-lan -j ACCEPT
#
$ECHO "Building Internet to External Interface Chain"
# ----------------------------------------------------------------------------
#
# EXTIF
#
# Services the firewall exposes to the whole Internet (packets arriving on
# EXT_IF addressed to EXT_IF_ADDR).  None of them is restricted by source
# address or rate limited.
#
# External interface restrictions:
# - ftp - File transfer from the internet to the firewall (cleartext logins)
# - ssh - Secure shell access from the internet to the firewall
# - telnet - Shell access from the internet to the firewall (cleartext logins)
# - smtp - Mail delivery from the internet to the firewall
# - pop - Mail retrieval from the internet to the firewall (cleartext logins)
# - sftp - Simple File Transfer (port 115) from the internet to the firewall
# - www, 8080, 8081 - Web server and servlet containers
# - eDonkey - P2P client ports
#
# NOTE(review): ftp, telnet and pop carry passwords in the clear; telnet in
# particular is hard to justify on a firewall's external side.  Consider
# limiting these to the LAN (lan-if) and keeping only ssh here.
#
# FTP - (21/TCP) Ftp access
$IPTABLES -A ext-if -p tcp --dport ftp -j ACCEPT
#
# SSH - (22/TCP) Secure shell access
$IPTABLES -A ext-if -p tcp --dport ssh -j ACCEPT
#
# TELNET - (23/TCP) Telnet access
$IPTABLES -A ext-if -p tcp --dport telnet -j ACCEPT
#
# SMTP - (25/TCP) SMTP access
$IPTABLES -A ext-if -p tcp --dport mail -j ACCEPT
#
# POP - (110/TCP) POP access
$IPTABLES -A ext-if -p tcp --dport pop-3 -j ACCEPT
#
# HTTP - (80/TCP) HTTP access
$IPTABLES -A ext-if -p tcp --dport www -j ACCEPT
#
# Servlet - (8080/TCP) Servlet access
$IPTABLES -A ext-if -p tcp --dport 8080 -j ACCEPT
#
# Servlet - (8081/TCP) Servlet access
$IPTABLES -A ext-if -p tcp --dport 8081 -j ACCEPT
#
# SFTP - (115/TCP) Simple File Transfer Protocol (not the ssh subsystem,
# which uses the ssh port above)
$IPTABLES -A ext-if -p tcp --dport sftp -j ACCEPT
#
# eDonkey - (4661-4665/UDP-TCP)
$IPTABLES -A ext-if -p tcp --dport 4661:4665 -j ACCEPT
$IPTABLES -A ext-if -p udp --dport 4661:4665 -j ACCEPT
#
# Rules for outbound traceroute
# NOTE(review): 61000-65095 is the port range the 2.2-era ipchains
# masquerading code used for rewritten source ports.  Under iptables the
# return traffic of SNATed connections is matched by the ESTABLISHED,RELATED
# rules below instead, so these two rules now only open about 4000 high
# ports on the external interface to new inbound connections.  Candidates
# for removal; re-test traceroute from the LAN afterwards.
$IPTABLES -A ext-if -p tcp --dport 61000:65095 -j ACCEPT
$IPTABLES -A ext-if -p udp --dport 61000:65095 -j ACCEPT
#
# ICMP Chain Jump (echo-request is accepted there, so the firewall answers
# pings from anywhere, with no rate limit)
$IPTABLES -A ext-if -j icmp-acc
#
# Allow related packets
$IPTABLES -A ext-if -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A ext-if -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): this FORWARD rule is appended after "FORWARD -j blocked"
# (see the Forward Jumps), and "blocked" always ends in REJECT, so it is
# never reached.  It would have to come before that jump in FORWARD, or
# live inside ext-lan, to have any effect.
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Reject remaining traffic
$IPTABLES -A ext-if -j blocked
#
$ECHO "Building External Interface to Internet Chain"
# ----------------------------------------------------------------------------
#
# IFEXT
#
# Traffic the firewall itself sends to the Internet (OUTPUT via EXT_IF with
# EXT_IF_ADDR as source).  No egress restrictions: any local process may
# open any outbound connection.
#
# Accept all traffic
$IPTABLES -A if-ext -j ACCEPT
#
$ECHO "Building LAN -> External Chain"
# ----------------------------------------------------------------------------
#
# LANEXT
#
# This chain handles all forwarded traffic originating from the
# internal LAN destined for the Internet.
# No egress filtering is done: a LAN host may reach any port anywhere.
# Note that the "banned" chain is only consulted for INPUT and OUTPUT, not
# for forwarded traffic, so it does not apply here.
#
# Accept all traffic
$IPTABLES -A lan-ext -j ACCEPT
#
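$ECHO "Building External -> LAN Chain"
# ----------------------------------------------------------------------------
#
# EXTLAN
#
# This chain handles all forwarded traffic originating from the
# External destined for the internal LAN
# External -> LAN restrictions:
#
# Only replies to connections the LAN opened (and helper-tracked RELATED
# connections such as FTP data) are forwarded in.  The chain used to accept
# everything, on the assumption that non-masqueraded traffic is stopped by
# the EXTIF chain -- but ext-if is an INPUT chain and forwarded packets
# never traverse it, so anything the upstream router delivered for
# 10.0.0.0/8 went straight into the LAN.
#
# A DNAT port forward (see NATENTRY) arrives here as a NEW connection and
# needs its own ACCEPT in front of the final jump to "blocked", e.g.
#   $IPTABLES -A ext-lan -p tcp -d 192.168.188.2 --dport 2234 -j ACCEPT
$ECHO " Accepting all masqueraded traffic"
$IPTABLES -A ext-lan -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Reject and log remaining traffic
$IPTABLES -A ext-lan -j blocked
#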
$ECHO "Building ICMP Chain"
# ----------------------------------------------------------------------------
# Redirects are never honoured (a redirect can rewrite this host's routing);
# the rest of the list is the usual set of echo and error messages.  Any ICMP
# type not mentioned here falls off the end of the chain and returns to the
# caller, which rejects it.
$IPTABLES -A icmp-acc -p icmp --icmp-type redirect -j blocked
for icmp_type in \
  echo-request \
  echo-reply \
  destination-unreachable \
  source-quench \
  time-exceeded \
  parameter-problem; do
  $IPTABLES -A icmp-acc -p icmp --icmp-type "$icmp_type" -j ACCEPT
done
#
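$ECHO "Building Banned Chain"
# ----------------------------------------------------------------------------
# Build the "banned" chain: every address in BANNED_ADDR (a space separated
# list, see the variables section) is rejected both as destination and as
# source.  The rules used to carry "-p tcp", which silently limited the ban
# to TCP although the chain is documented as blocking all traffic; the
# protocol match is gone.
#
# build_banned_chain ADDR...
#   Appends the two block rules for each ADDR, then the closing RETURN that
#   hands unmatched packets back to the calling chain.  All commands go
#   through $IPTABLES, so IPTABLES=echo prints them instead of loading them.
build_banned_chain() {
  local banned_addr
  for banned_addr in "$@"; do
    $IPTABLES -A banned -d "$banned_addr" -j blocked
    $IPTABLES -A banned -s "$banned_addr" -j blocked
  done
  #
  # Send valid packets back to the chain that they came from.
  $IPTABLES -A banned -j RETURN
}
# BANNED_ADDR is deliberately unquoted: it is a whitespace separated list.
build_banned_chain $BANNED_ADDR
#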
$ECHO "Building Attack Chain"
# ----------------------------------------------------------------------------
# Probes for a few well-known trojan/backdoor ports (and X11) are logged
# with a rate limit and dropped; anything else returns to the caller.
# Each entry is "port:log prefix"; the prefix ends up in the kernel log.
attack_signatures=(
  "6670:Deepthroat scan"
  "6711:Subseven scan"
  "6712:Subseven scan"
  "6713:Subseven scan"
  "12345:Netbus scan"
  "12346:Netbus scan"
  "20034:Netbus scan"
  "31337:Back orifice scan"
  "6000:X-Windows Port"
)
for signature in "${attack_signatures[@]}"; do
  attack_port=${signature%%:*}
  attack_prefix=${signature#*:}
  $IPTABLES -A attack -p tcp --dport "$attack_port" -m limit -j LOG --log-level 6 --log-prefix "$attack_prefix "
  $IPTABLES -A attack -p tcp --dport "$attack_port" -j DROP
done
$IPTABLES -A attack -j RETURN
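$ECHO "Building Sanity Chain"
# ----------------------------------------------------------------------------
# Source-address checks for packets from the Internet (INPUT on EXT_IF and
# non-LAN FORWARD traffic jump here).  Private, multicast and reserved
# ranges, the loopback network and the 0.0.0.0 address can never
# legitimately be the source of a packet arriving from outside, so they are
# sent to "blocked"; everything else returns to the caller.  The loopback
# and 0.0.0.0 entries are new -- LOOPBACK and BROADCAST_SRC were declared
# in the variables section but never used.
#
# build_sanity_chain NET...
#   Appends one "-s NET -j blocked" rule per NET, then the closing RETURN.
#   All commands go through $IPTABLES, so IPTABLES=echo prints them.
build_sanity_chain() {
  local bogon_net
  for bogon_net in "$@"; do
    $IPTABLES -A sanity -s "$bogon_net" -j blocked
  done
  $IPTABLES -A sanity -j RETURN
}
build_sanity_chain \
  "$CLASS_A" \
  "$CLASS_B" \
  "$CLASS_C" \
  "$CLASS_D_MULTICAST" \
  "$CLASS_E_RESERVED_NET" \
  "$LOOPBACK" \
  "$BROADCAST_SRC"
#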
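$ECHO "Building Blocked Traffic Chain"
# ----------------------------------------------------------------------------
# Terminal chain: nothing that enters here gets through.
#
# Packets that did not arrive on the external interface (in practice: from
# the LAN) are logged under their own prefix before being rejected.  They
# used to be rejected silently, so a LAN client refused by the ruleset left
# no trace in syslog.  "-m limit" with its defaults (3 per hour, burst 5)
# keeps a chatty LAN from flooding the log.
$IPTABLES -A blocked -i ! $EXT_IF -m limit -j LOG --log-level 6 --log-prefix "BLOCKED LAN PACKET: "
$IPTABLES -A blocked -i ! $EXT_IF -j REJECT
# What is left arrived on the external interface: log it, distinguishing a
# LAN source address (which on that interface can only be spoofed).
$IPTABLES -A blocked -s ! $LANSUBNET -m limit -j LOG --log-level 6 --log-prefix "BLOCKED EXT PACKET: "
$IPTABLES -A blocked -s $LANSUBNET -m limit -j LOG --log-level 6 --log-prefix "BLOCKED SPOOFED PACKET: "
# REJECT answers with an ICMP error; for the external side DROP would tell a
# port scanner less.  Kept as REJECT to preserve existing behaviour.
$IPTABLES -A blocked -j REJECT
#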
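$ECHO "Finishing configuration"
# ----------------------------------------------------------------------------
#
# Remove the fail-safe DROP rules that were inserted at position 1 of each
# built-in chain before the ruleset was built.  This has to be the last
# filter-table change: had the script died earlier, those rules would stay
# in place and the box would remain locked down.
$ECHO " Remove initial fail-safe Blocking Rules"
$IPTABLES -D INPUT 1
$IPTABLES -D FORWARD 1
$IPTABLES -D OUTPUT 1
# For debugging: dump the loaded ruleset with packet counters
$IPTABLES -L -v
# ----------------------------------------------------------------------------
# Set security proc flags
$ECHO " Setting proc flags"
#
# Enable packet forwarding (the box routes between LAN_IF and EXT_IF)
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# Enable always defragging Protection (knob from older kernels, kept for
# reference)
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag
#
# Enable broadcast echo protection (do not answer pings sent to a broadcast
# address)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#
# The three loops below glob over every interface's conf directory; the
# path is quoted on each write so an unexpected name cannot be split.
#
# Enable IP spoofing protection, turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done
#
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done
#
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$f"
done
#
# NOTE(review): the "case" statement opened at the top of this script is
# not terminated anywhere in this listing -- there is no ";;" closing the
# start branch and no "esac".  bash refuses to run a script with an
# unterminated case (syntax error at end of file), so if the installed file
# really ends here, none of the rules above are ever loaded.  Confirm that
# the tail of the file (";;", "esac", "exit 0") was not lost when copying.
##############################################################################
# End of Script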