Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Iīd like to ask a question related to IPTables, because Iīve tried to find the solution in google, making a research, but Iīm kind of new in IPTables and I donīt know what Iīm doing wrong.
I read about how IPtables works better with a DROP default rule, denying all the traffic and then, you have to allow the traffic you want to. I have seen many websites with examples of iptables scripts, but mostly with ACCEPT as the default rule for INPUT, OUTPUT AND FORWARD.
My script is made with DROP, and it works except for the prerouting rules:
I made three of them so people from the WAN could access to a HTTPS Server, a SMTP Server and a Terminal Server , so , 443, 25 and 3389 must be opoened.
When I try Wireshark, I see how incoming packets are trying to access but only the SYN Packets appear.
Iīm nearly sure I need another rule to make the traffic from the port 25 TCP out from my LAN to the WAN, but I tried that to with an output rule and even with a forward rule, but noone of them worked.
ok, so it sounds like you are hitting the default DROP, you don't say you've done anything to prevent that happening... Note that PREROUTING happens BEFORE FORWARD, so it's how the traffic looks after the DNAT, not before.
Thanks Acid for your early reply.
Iīm new on this, I used to work with ISA 2006 , Microsoft.
I quote your reply:
"ok, so it sounds like you are hitting the default DROP, you don't say you've done anything to prevent that happening... Note that PREROUTING happens BEFORE FORWARD, so it's how the traffic looks after the DNAT, not before"
Do you mean i have to put the Prerouting senteces before the Forward ones ? . Iīm a newbie in this matters , sorry if I ask silly things !
I have to learn a lot about Prerouting, Postrouting, Forward... and it seems not that difficult but, for some reason Iīm not seeing, I canīt reach my internal servers from the WAN. Your reply is difficult for me, but even though Iīll re-read it as many times as necessary in order to understand it.
Could I paste here my script ? Itīs long but I would shorten so that I could have assistance because as I said, all or nearly all the example I see have the ACCEPT rule by defualt, instead DROP, donīt know why because in ISA Server 2004 and 2006 has the Deny policy as the defult one, and it should be like that I think.
Thanks again in advance !
Last edited by loureed4; 08-10-2011 at 09:09 AM.
Reason: Addition
Going off of what acid said, I don't think you really need a NAT table set up here, I could be wrong...I had to set up a NAT table due to the port re-routing I had going on. However, and I ran into this issue myself, you have to also look at the FILTER table as well.
Running iptables -nvL, what does it say? If the policy is DROP then that's where your issue is right there.
Also, if you're unsure of something, something I found quite useful is logging at the end of a chain: iptables -t <table name> -j LOG --log-prefix "<table name> DROP: "
Replacing <table name> with the name of the table you're setting up.
After that, run a test and monitor syslog (dmesg | tail usually suffices).
I followed the HasCīs advices because, for some reason, I only saw that one in my email as a reply, but I will follow the other advices because even though it worked , I donīt know why, I mean:
Then, I supposed I didnīt need any other rule with Masquerade because as far as I know what masquerade does is just hide local IPīs to turn them into the Public IP of the router.
Another thing I canīt understand due to my lack of knowledge on Iptables, is why the rule you told me to add is:
iptables -I FORWARD -i eth2 ..... I focus on the parameter "-I" . But this is my fault because I hadnīt read that much about parameters in IPTables, I just took a lot of examples and I studied them to understand IPtables, but I clearly must study much about this still.
It worked but I donīt know exactly why, hehe, I hate that, so Iīll see why it worked.
It seemed a good link this one http://wiki.ubuntu.org.cn/images/f/f0/Iptables.gif , so, Iīll check it out because things are not clear enoguh for me about IPTables, though there are quite a few examples on the net.
Thanks a lot for your time, all of you (sorry for my English, I hope to be understood, cause Iīm Spanish ! )
Last edited by loureed4; 08-10-2011 at 03:12 PM.
Reason: Addition
I followed the HasCīs advices because, for some reason, I only saw that one in my email as a reply, but I will follow the other advices because even though it worked , I donīt know why, I mean:
I have yet to understand the MASQUERADE job option, but the two FORWARDING rules are there for this:
If you have traffic coming in on port 25, it will redirect the traffic from eth2 to eth1, and if it's leaving on port 25, it'll redirect from eth1 to eth2. Basically mail traffic coming in from the Intranet will be sent out to the world via the WAN interface, and vice-versa.
I believe this is how to interpret the rules, anyways.
1.- I took off the line "iptables -t nat -I POSTROUTING -p all -s 192.168.93.4 -o $WAN_IF -j MASQUERADE" and it works perfectly without it. I think this is because I already have the line "iptables -t NAT -A POSTROUTING -s 192.168.93.0/24 -o eth2 -j MASQUERADE" , which I think makes all the computers in my LAN hidding their local IP and showing the Public IP of the router, as I said in my previous post.
2.- I took off the line " iptables -I FORWARDING -i eth2-o eth1 --dport 25 -j ACCEPT (eth2 = interface WAN)" but it didnīt work. I thought it would work because with the Prerouting rule the incoming traffic would reach the destination (the smtp server) and then, I would only need a rule to forward the traffic to the WAN, but it seems itīs not like that.
In short, the masquerade option is not necessary, this is good to know in order to understand IPTables but I canīt understand why I need the second line.
Thanks for your time !!
By the way, the "masquerade" line HasC suggested was like this:
# iptables -t nat -I POSTROUTING -p all -s 192.168.93.4 -o $WAN_IF -j MASQUERADE
And mine was just the same but with an "-A" parameter before the key word "POSTROUTING"
Do you know why it is like that? Does it make any difference?
Thanks once more !
Last edited by loureed4; 08-11-2011 at 01:22 AM.
Reason: Addition
Distribution: Debian 5 - Slackware 13.1 - Arch - Some others linuxes/*BSDs through KVM and Xen
Posts: 329
Rep:
Quote:
Originally Posted by loureed4
Hi, Thanks a lot for your replies,
I followed the HasCīs advices because, for some reason, I only saw that one in my email as a reply, but I will follow the other advices because even though it worked , I donīt know why
Quote:
Originally Posted by HasC
If that's the case you should:
Write DNAT rules so WAN can reach your internal services, as you already did
Write rules to allow FORWARDing of packets, between WAN and LAN, to/from your internal services. You should allow forwarding in both ways.
Write a rule to allow your internal servers to reach the WAN, maybe some MASQUERADE rules will suffice, but that's your choice.
Thought my explanations were clear enough
Well, another quick-and-dirty try: when using DROP policy, *everything* gets DROPped, except the packets that you explicitly accept.
So you must write the rules to:
DNAT from WAN to internal server - you already did that
ACCEPT forwarding from WAN to internal server
ACCEPT forwarding from internal server to WAN
Let the internal server access the Internet - that's the reason of the MASQUERADE rule. You could use a SNAT rule, too.
HasC, your reply was clear but not enough for me, due, as I said, to my lack of experience in IPTables , I appreciate quit much your time !
By the way, this last reply of yours clarifies many things to me, itīs a very good "guideline" .
I knew with the DROP Polocy as the default, everything is dropped, and thatīs how I like it, but on the internet there are a lot of examles with the ACCEPT policy as the default, which seems to me a very bad thing, because when I worked with ISA Server 2006, the default was too "drop it everything except the traffic I tell you to accept" , thatīs much better in my opinion.
Very very useful this last post of yours, I mean it, thanks again !!
well one reason to do this (or rather, not care what the policy is) is that you can't log on the default policy, so you explicitly put a drop rule at the bottom with a log before it for clarity.
well one reason to do this (or rather, not care what the policy is) is that you can't log on the default policy, so you explicitly put a drop rule at the bottom with a log before it for clarity.
What do you mean you can't log on the default policy? Not trying to wrong you or anything, I just thought that this was the purpose of the LOG job. o.o
well yes, (and tbh I'm slightly thinking of Cisco ASA policy...) but you get a lot more clarity being able to see the LOG and then the DROP at the bottom of the less. Much less risk of ambiguity.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.