LinuxQuestions.org
Old 11-08-2004, 11:52 AM   #1
shadowvyce
LQ Newbie
 
Registered: Nov 2004
Location: Colorado
Distribution: Fedora
Posts: 5

Rep: Reputation: 0
Nother iptables issue


OK, I'm trying to set up my iptables but I'm coming across a few difficulties. The configuration I'm looking for is to allow everything under port 22, 80, 81, and 443 to come from my outside device (eth0) then back out my internal network (eth1) without the firewall box itself accepting any connections. I've included the below script to show you what I've been messing with. As you can tell I've been using LinWiz a little to assist me.

Any help would be GREATLY appreciated.

Thanks

Shadowvyce

Script
Code:

LAN_IP_NET='321.3.2.1/24'
LAN_NIC='eth1'
WAN_IP='123.1.2.3'
WAN_NIC='eth0'
# FORWARD_IP='321.3.2.3'

IPTABLES=/sbin/iptables

# Flush
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F OUTPUT
$IPTABLES -F INPUT; $IPTABLES -P INPUT DROP; $IPTABLES -Z INPUT
$IPTABLES -F FORWARD; $IPTABLES -P FORWARD DROP; $IPTABLES -Z FORWARD
$IPTABLES -F OUTPUT; $IPTABLES -P OUTPUT ACCEPT; $IPTABLES -Z OUTPUT
$IPTABLES -F

$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
$IPTABLES -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -X
$IPTABLES -N LINWIZ-INPUT;
$IPTABLES -N REJECT-PKT;
$IPTABLES -N SYN-FLOOD;

$IPTABLES -A INPUT -j LINWIZ-INPUT

$IPTABLES -A LINWIZ-INPUT -i lo -j ACCEPT

$IPTABLES -A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A LINWIZ-INPUT -d 127.0.0.0/8 -j DROP

$IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --syn -j SYN-FLOOD

$IPTABLES -A LINWIZ-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# $IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# $IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --dport 80:81 -j ACCEPT
# $IPTABLES -A LINWIZ-INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 22
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 80
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 81
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 443
# $IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 22

$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 81 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 22,80 -j DNAT --to 321.3.2.3:80
# $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 321.3.2.3:80
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 22,80,81,443 -j DNAT --to 321.3.2.8:80
# $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 321.3.2.8:80

$IPTABLES -A LINWIZ-INPUT -j REJECT-PKT

$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SYN-FLOOD -j DROP

$IPTABLES -A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable

# $IPTABLES -L
# $IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -m multiport --dport 22,80,81,443 -m multiport -m state --state NEW -j ACCEPT

# $IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 321.3.2.3 -m multiport --dport 22,80,81,443 -m multiport --sport 1024:65535 -m state --state NEW -j ACCEPT
 
Old 11-08-2004, 01:01 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dport 22,80 -j DNAT --to 321.3.2.3:80
With this rule you're taking traffic to ports 22 and 80 and then sending them to only port 80 of the internal address which will immediately lose your ssh traffic and send garbage to the webserver. Instead, just make a PREROUTING rule for each type of traffic you need like this:
Code:
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 321.3.2.3:80
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 321.3.2.3:81
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 321.3.2.3:22
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 321.3.2.3:443
Note that you can probably use one rule with the multiport match and just remove the port number at the end of the rule, but I think it's easier to troubleshoot this way.

Also, the IP address you're using for the LAN IP isn't a valid address, so I hope you're just using that as an example, not as the real LAN address.
 
Old 11-08-2004, 01:17 PM   #3
shadowvyce
Original Poster
Thanks Caveman for your help. Thanks also for the IP range mentioned, just trying to avoid posting my IP. I went ahead and commented out the two lines mentioned and added the additional 4 but now I'm not getting a response from any port. Here's what I got from my iptables -L.

Chain INPUT (policy DROP)
target prot opt source destination
LINWIZ-INPUT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 321.3.2.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain LINWIZ-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- anywhere 127.0.0.0/8
SYN-FLOOD tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT-PKT all -- anywhere anywhere

Chain REJECT-PKT (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp reject-with tcp-reset
REJECT udp -- anywhere anywhere udp reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere icmp echo-request reject-with icmp-host-unreachable

Chain SYN-FLOOD (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 1/sec burst 4
DROP all -- anywhere anywhere
 
Old 11-08-2004, 02:12 PM   #4
Capt_Caveman
For some reason you're short a few forwarding rules. The iptables -L output shows rules allowing traffic from the LAN and ESTABLISHED connections, but there aren't any forwarding traffic from outside into the LAN. Your firewall rules in the first post had them:
Code:
$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 81 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -j ACCEPT
But those don't appear in the iptables -L output. Also, could you post iptables -t nat -vnL?
 
Old 11-08-2004, 03:23 PM   #5
shadowvyce
Original Poster
Here ya go

Chain PREROUTING (policy ACCEPT 368 packets, 36432 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 65 packets, 2652 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 321.3.2.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1 packets, 92 bytes)
pkts bytes target prot opt in out source destination
 
Old 11-08-2004, 04:34 PM   #6
Capt_Caveman
Looks like none of your PREROUTING DNAT rules are getting loaded either. Maybe an issue with the script itself (though the last rule in the script is loaded). Try entering each of the other rules manually and then verify that they have loaded properly. Post any error msgs.
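The per-port DNAT rules Capt_Caveman recommends in post #2, paired with FORWARD rules of the interface- and destination-restricted form that sits commented out at the end of the original script, plus the "enter them one by one and verify they loaded" step from this reply, as an added example that is not from the thread. It assumes the thread's eth0/eth1 names and placeholder addresses, and the verification helper assumes the listing comes from iptables -t nat -S, which modern iptables has but the 1.2.8 mentioned here does not.

```shell
#!/bin/sh
# Added example, not from the thread. Builds one DNAT rule per published port
# (so port 22 stays 22 and port 80 stays 80) and pairs each with a FORWARD rule
# restricted to WAN-in, LAN-out, the DNAT target and NEW connections only.
# Interface names and addresses are the thread's placeholders (assumptions).
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print, without running, the rule arguments for publishing TCP ports $4 on
# WAN NIC $1 and forwarding them to host $3 behind LAN NIC $2.
gen_port_forward_rules() {
    wan_nic=$1; lan_nic=$2; target=$3; ports=$4
    for port in $ports; do
        printf '%s\n' "-t nat -A PREROUTING -i $wan_nic -p tcp --dport $port -j DNAT --to-destination $target:$port"
        # Without -i/-o/-d the original script's FORWARD rules accept these ports
        # from any interface to any host; this form only admits DNATed WAN traffic.
        printf '%s\n' "-A FORWARD -i $wan_nic -o $lan_nic -p tcp -d $target --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Two rules per port.
count_port_forward_rules() {
    gen_port_forward_rules "$@" | wc -l | tr -d ' '
}

# Run the generated rules one by one and stop at the first failure, which is
# the "enter them manually, post any error" step. Set IPTABLES=echo for a dry run.
apply_port_forward_rules() {
    gen_port_forward_rules "$@" | while read -r rule; do
        $IPTABLES $rule || { echo "failed: $IPTABLES $rule" >&2; exit 1; }
    done
}

# Given the output of iptables -t nat -S PREROUTING in $4 (-S assumed to exist;
# it does in modern iptables), print the ports that have no DNAT rule loaded.
missing_dnat_ports() {
    wan_nic=$1; target=$2; ports=$3; listing=$4; missing=""
    for port in $ports; do
        case "$listing" in
            *"-i $wan_nic -p tcp -m tcp --dport $port -j DNAT --to-destination $target:$port"*) ;;
            *) missing="$missing $port" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# On the firewall: apply_port_forward_rules eth0 eth1 321.3.2.3 "22 80 81 443"
# then: missing_dnat_ports eth0 321.3.2.3 "22 80 81 443" "$($IPTABLES -t nat -S PREROUTING)"
```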
 
Old 11-08-2004, 05:26 PM   #7
shadowvyce
Original Poster
I didn't receive an error and I have iptables 1.2.8 installed which I think is the most current.
 
Old 11-08-2004, 05:38 PM   #8
Capt_Caveman
When you manually enter the rules, do you see the prerouting and forwarding rules appear in the output of iptables -vnL ?

Just to clarify, when I say manually enter them, I mean enter them one by one in the command line like:
Code:
root@linux# iptables -t nat -F POSTROUTING
root@linux# iptables -t nat -F PREROUTING
root@linux# iptables -t nat -F OUTPUT
root@linux# iptables -F INPUT
root@linux# iptables -P INPUT DROP
root@linux# iptables -Z INPUT
root@linux# iptables -F FORWARD
....etc...etc...etc

Last edited by Capt_Caveman; 11-08-2004 at 05:39 PM.
 
Old 11-11-2004, 12:34 PM   #9
shadowvyce
Original Poster
I manually went through each step but I was unable to resolve my issues. Interestingly enough, I got frustrated and started editing the iptables directly. From what I understand, what I did is NOT what is expected to be done to fix the issue, but I was able to get it to work. I added my iptables for future reference in case anyone


#iptables-save v1.2.8 on Fri Nov 5 17:58:50 2004
*nat
:PREROUTING ACCEPT [1:229]
:POSTROUTING ACCEPT [3:320]
:OUTPUT ACCEPT [3:320]
-A PREROUTING -p tcp -d 123.1.2.3 --dport 22 -j DNAT --to-destination 321.3.2.1:22
-A PREROUTING -p tcp -d 123.1.2.3 --dport 80 -j DNAT --to-destination 321.3.2.1:80
-A PREROUTING -p tcp -d 123.1.2.4 --dport 80 -j DNAT --to-destination 321.3.2.2:80
-A PREROUTING -p tcp -d 123.1.2.4 --dport 81 -j DNAT --to-destination 321.3.2.2:81
-A PREROUTING -p tcp -d 123.1.2.4 --dport 443 -j DNAT --to-destination 321.3.2.2:443
-A PREROUTING -p tcp -d 123.1.2.5 --dport 22 -j DNAT --to-destination 321.3.2.3:22
-A PREROUTING -p tcp -d 123.1.2.5 --dport 6000 -j DNAT --to-destination 321.3.2.3:6000
-A POSTROUTING -s 321.3.2.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 5 17:58:50 2004
# Generated by iptables-save v1.2.8 on Fri Nov 5 17:58:50 2004
*filter
:INPUT DROP [19:1748]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [157:17828]
:LINWIZ-INPUT - [0:0]
:REJECT-PKT - [0:0]
:SYN-FLOOD - [0:0]
-A INPUT -j LINWIZ-INPUT
-A FORWARD -s 321.3.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 81 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A LINWIZ-INPUT -i lo -j ACCEPT
-A LINWIZ-INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A LINWIZ-INPUT -d 127.0.0.0/255.0.0.0 -j DROP
-A LINWIZ-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j SYN-FLOOD
-A LINWIZ-INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A LINWIZ-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LINWIZ-INPUT -j REJECT-PKT
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
-A REJECT-PKT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
-A SYN-FLOOD -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A SYN-FLOOD -j DROP
COMMIT
# Completed on Fri Nov 5 17:58:50 2004



I would love to figure out the script for this that works but that's what I got to do what I needed.

Thanks a lot for your help Caveman, I appreciate it

Shadowvyce