LinuxQuestions.org
Old 04-28-2009, 12:23 PM   #1
fruitwerks
Redirect port80 request from internal network?


OK, so I thought I had it all working out! I am trying to do a transparent proxy (it is working...), but the rule that made that work blocked public access to my web server. You can see the line that made this happen commented out at the bottom. I need requests for port 80 on the public side to go to port 80, but internal requests for port 80 rerouted to Squid.

Code:
#!/bin/bash
# Firewall and transparent-proxy script as posted: eth1 faces the Internet,
# eth0 faces the 172.24.0.0/24 LAN, and Squid is expected on port 3128.

SYSCTL="/sbin/sysctl -w" 
IPT="/sbin/iptables"
INET_IFACE="eth1"
LOCAL_IFACE="eth0"
LOCAL_IP="172.24.0.8"
LOCAL_NET="172.24.0.0/24"
LOCAL_BCAST="172.24.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Netfilter modules (module names as used by kernels of the time)
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe xt_state

# Enable routing between the interfaces and basic kernel hardening
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Reset every table to a clean state before loading the rule set
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default deny on the filter chains
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# User-defined chains
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

# SSH brute-force throttling: a source opening more than 3 new connections
# within 60 seconds is dropped
$IPT -N SSH_MONITOR
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_MONITOR
$IPT -A SSH_MONITOR -m recent --set --name SSH
$IPT -A SSH_MONITOR -m recent --update --seconds 60 --hitcount 3 --name SSH -j DROP

# Sanity checks applied to all traffic: LAN addresses arriving on the public
# interface (spoofing), invalid connection state, and malformed TCP flags
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN

# TCP flag checks. Note: the first rule RETURNs for all LAN traffic, so the
# LAN-specific DROP directly below it is never reached.
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "fp=bad_tcp_packets:2 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "fp=bad_tcp_packets:3 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "fp=bad_tcp_packets:4 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "fp=bad_tcp_packets:5 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "fp=bad_tcp_packets:6 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "fp=bad_tcp_packets:7 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN

# ICMP: drop fragments, log and accept echo requests, accept time-exceeded
$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG --log-prefix "fp=icmp_packets:2 a=ACCEPT "
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN

# UDP services reachable from the Internet (the port 113 ACCEPT after the
# REJECT is never reached)
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 161 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 4779 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 4780 -j ACCEPT

# DHCP replies from a server; all outbound UDP is allowed
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# TCP services reachable from the Internet; all outbound TCP is allowed
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
#$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 900:901 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 4776 -j ACCEPT
$IPT -A tcp_inbound -p TCP -j RETURN
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

# INPUT: loopback, sanity checks, then a static blocklist of source ranges
# (inserted with -I, so these land ahead of everything appended above)
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -I INPUT -s 81.157.0.0/16 -j DROP
$IPT -I INPUT -s 220.191.0.0/16 -j DROP
$IPT -I INPUT -s 60.12.0.0/16 -j DROP
$IPT -I INPUT -s 219.142.0.0/16 -j DROP
$IPT -I INPUT -s 202.205.0.0/16 -j DROP
$IPT -I INPUT -s 211.140.0.0/16 -j DROP
$IPT -I INPUT -s 84.38.0.0/16 -j DROP
$IPT -I INPUT -s 10.0.0.0/8 -j DROP
$IPT -I INPUT -s 192.0.0.0/8 -j DROP
$IPT -I INPUT -s 85.255.0.0/8 -j DROP
$IPT -I INPUT -s 212.2.125.64/16 -j DROP
$IPT -I INPUT -s 212.6.198.0/24 -j DROP
$IPT -I INPUT -s 79.172.205.0/8 -j DROP
$IPT -I INPUT -m iprange --src-range 221.12.36.232-221.12.59.239 -j DROP
$IPT -I INPUT -s 190.158.230.0/24 -j DROP
$IPT -I INPUT -s 77.79.70.0/24 -j DROP
$IPT -I INPUT -s 82.207.66.0/24 -j DROP

# Disabled hook for loading a blocklist from a file
#cat /root/cidr_block.log | while read address; do
#  $IPT -I INPUT -s "$address" -j REJECT
#done

# LAN hosts may reach the firewall; DHCP requests; replies from the Internet
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Dispatch new inbound public traffic to the per-protocol chains
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# FORWARD: LAN may go out freely; only replies come back in from the Internet
$IPT -A FORWARD -p ALL -j bad_packets

$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "

# OUTPUT: everything the firewall itself sends is allowed
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "

# NAT: the transparent-proxy redirect is commented out because, with no
# interface match, it also captured public requests for the web server
# (see the follow-up post). Then masquerading for the LAN and a fixed
# outbound TTL.
#$IPT -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 3128
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IPT -t mangle -A OUTPUT -o $INET_IFACE -j TTL --ttl-set 128
 
Old 04-28-2009, 06:39 PM   #2
fruitwerks
-i eth0

The interface was not specified, so web requests from the outside went to a black hole.
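The fix from the follow-up post, restricting the REDIRECT to the LAN interface, as an added example that is not the poster's script. It assumes the thread's interface names, LAN address and Squid port (eth0/eth1, 172.24.0.8, 3128); the `! -d $LOCAL_IP` exclusion and the `would_redirect` helper are additions beyond the thread, and `IPT` defaults to a dry-run printer so the block runs without root.

```shell
#!/bin/bash
# Added example, not the poster's script. Generates the PREROUTING redirect
# with and without the interface match and models which packets each catches.
# Assumptions: interface names, LAN IP and Squid port as in the thread.
INET_IFACE="eth1"         # public side
LOCAL_IFACE="eth0"        # LAN side
LOCAL_IP="172.24.0.8"     # firewall's LAN address (hosts the web server)
SQUID_PORT=3128           # Squid intercept port, as in the commented-out rule

# Dry-run by default: print the iptables command instead of applying it.
# Run with IPT=/sbin/iptables as root to install the rules for real.
dryrun() { printf '%s\n' "$*"; }
IPT="${IPT:-dryrun}"

# The rule as first posted: no -i, so packets arriving on $INET_IFACE for
# the web server were rewritten to port $SQUID_PORT as well.
broken_redirect_rule() {
    $IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# The fix from the follow-up post (-i eth0) plus one addition beyond the
# thread: '! -d $LOCAL_IP' leaves LAN requests to the firewall's own web
# server alone instead of bouncing them through Squid.
fixed_redirect_rule() {
    $IPT -t nat -A PREROUTING -i "$LOCAL_IFACE" ! -d "$LOCAL_IP" \
         -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Model of the two rules' match conditions for a packet described by
# (ingress interface, destination IP, destination port). Returns 0 when the
# variant would redirect the packet to Squid, 1 when it would leave it alone.
would_redirect() {  # usage: would_redirect broken|fixed IFACE DST_IP DPORT
    local variant=$1 iface=$2 dst=$3 dport=$4
    [ "$dport" = 80 ] || return 1
    if [ "$variant" = fixed ]; then
        [ "$iface" = "$LOCAL_IFACE" ] || return 1
        [ "$dst" != "$LOCAL_IP" ] || return 1
    fi
    return 0
}
```

After installing the rule for real, `iptables -t nat -vnL PREROUTING` shows its packet counter: a request from the Internet to port 80 should leave it unchanged, while a LAN browser fetching an external site should increment it.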