LinuxQuestions.org
Linux - Security This forum is for all security related questions.
02-01-2005, 02:37 AM   #1
mikz (Member, Distribution: Slackware current)
simple NAT firewall


I'm new to iptables and am attempting to configure a firewall for a home LAN.
I have a Linux server and 2 workstations. The server has 2 NICs: eth0 to the internet and eth1 to the internal LAN. The workstations receive their IPs from DHCPd on the server.

I want to allow all workstations to have access to the internet via eth0 on the server.
I want to allow access FROM the internet to port XXX on workstation 192.168.1.50.
I want to enable NAT.

My current iptables looks like this:
Code:
#!/bin/sh
# Cleanup old rules. The firewall stays in a secure, closed state while the rules are rebuilt.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush          # Flush all rules, but keep policies
iptables --delete-chain
## Workstation ###
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
####### HOLES #######
## Allow access from LAN
iptables -A INPUT -i lo -j ACCEPT                        # local loopback device (the rule above already covers 127.0.0.1)
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT    # Allow any IP address in the 192.168.1.0 subnet
### Allow external access to SAMBA from one external address only
# -I inserts at the top of INPUT, so these rules are checked before the ones appended above.
iptables -I INPUT -i eth0 -p tcp --dport 139 -s xx.xx.xxx.227 -j ACCEPT
iptables -I INPUT -i eth0 -p tcp --dport 445 -s xx.xx.xxx.227 -j ACCEPT
iptables -I INPUT -i eth0 -p udp --dport 138 -s xx.xx.xxx.227 -j ACCEPT
iptables -I INPUT -i eth0 -p udp --dport 137 -s xx.xx.xxx.227 -j ACCEPT
echo "External access to SAMBA for xx.xx.xxx.227"
### Allow external access to MySQL on port 3306 from xx.xx.xxx.227
iptables -I INPUT -i eth0 -p tcp --dport 3306 -s xx.xx.xxx.227 -j ACCEPT
iptables -I INPUT -i eth0 -p udp --dport 3306 -s xx.xx.xxx.227 -j ACCEPT   # MySQL only listens on TCP; this rule is harmless but unneeded
echo "MySQL granted for xx.xx.xxx.227"
## Stop Ping ##
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP   # OUTPUT policy stays ACCEPT; only echo replies are dropped
#echo "Ping stopped"
## Stop Ping end ##
##################### Edit above
iptables -A INPUT -j LOG -m limit --limit 40/minute         # Log what is about to be dropped, rate limited
iptables -A INPUT -j DROP
# Save
iptables-save > /etc/sysconfig/iptables
echo "$0: Done."
 
02-01-2005, 04:26 AM   #2
maxut (Senior Member, istanbul, Distribution: debian - redhat - others)
Code:
# Replies to connections the LAN opened
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything from the LAN may go out
iptables -A FORWARD -s 192.168.1.0/24 -i eth1 -j ACCEPT
# From the internet only port xxx may reach the workstation (FORWARD sees the address after DNAT)
iptables -A FORWARD -i eth0 -d 192.168.1.50 -p tcp --dport xxx -j ACCEPT
# NAT: rewrite the LAN source address to the address of eth0 on the way out
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
# Port forward: $ip_of_eth0 is the public address of eth0, xxx the port
iptables -t nat -A PREROUTING -i eth0 -d $ip_of_eth0 -p tcp --dport xxx -j DNAT --to 192.168.1.50
good luck

Last edited by maxut; 02-01-2005 at 04:27 AM.
 
02-01-2005, 04:43 AM   #3
mikz (Original Poster)
After running the script I lose connection with my workstations. I think the problem is in my own:

##Allow access from LAN
iptables -A INPUT -i lo -j ACCEPT #local loopback device.
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT #Allow any ip address in the 192.168.1.0 subnet.

If I write ' iptables -A INPUT -i eth1 -j ACCEPT ' then it's OK. So the problem must be with the '192.168.1.0/24'. My subnet info in dhcpd.conf is:

ddns-update-style ad-hoc;

subnet 192.168.1.0 netmask 255.255.255.128 {
range 192.168.1.11 192.168.1.50;
option routers 192.168.1.1;
option domain-name-servers 193.xxx.xxx.xxx, 194.xxx.xxx.xxx;
max-lease-time 86400000;
min-lease-time 900;
default-lease-time 864000;
}

So I'm missing the problem here? How do I allow the subnet 192.168.1.0?
 
02-01-2005, 06:17 AM   #4
maxut (Senior Member)
Quote:
Originally posted by mikz

iptables -A INPUT -i eth1 -j ACCEPT


subnet 192.168.1.0 netmask 255.255.255.128 {

So I'm missing the problem here? How do I allow the subnet 192.168.1.0?
Sorry, I'm -edit- NOT good at the dhcpd thing. Actually you can check the /etc/services file to see the ports of dhcp and allow the dhcpd ports. If I remember correctly those ports are tcp/udp 67. So you can try:

iptables -A INPUT -i eth1 -p tcp --dport 67 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT

And what about the POSTROUTING/PREROUTING rules that I suggested, do they work?

Good luck.

Last edited by maxut; 02-01-2005 at 09:47 AM.
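The forwarding and NAT rules from post #2 and the dhcpd point from post #4, assembled into one ordered script as an added example that is not from the thread; eth0/eth1, the 192.168.1.0/24 subnet, the host 192.168.1.50 and the forwarded port 8080 are assumptions. It shows why the subnet rule alone breaks the workstations: a DHCP DISCOVER arrives from source 0.0.0.0, so a rule with -s 192.168.1.0/24 never matches it, and it also turns on kernel forwarding, which the FORWARD rules by themselves do not.

```shell
#!/bin/sh
# Added example, not from the thread. Topology as described: eth0 = internet,
# eth1 = LAN, dhcpd on the server, one TCP port forwarded to 192.168.1.50.
# Interface names, subnet, host and port are assumptions; adjust to your LAN.
# DRY_RUN=1 (the default) prints the rules; DRY_RUN=0 applies them as root.
DRY_RUN=${DRY_RUN:-1}
WAN=eth0; LAN=eth1; LANNET=192.168.1.0/24; FWD_HOST=192.168.1.50; FWD_PORT=8080

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Routing between eth1 and eth0 needs forwarding turned on in the kernel;
# the FORWARD rules alone do nothing without it.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then echo 1; else echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

fw_rules() {
    # Start closed, then flush: --flush/--delete-chain keep the policies.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -F; ipt -X; ipt -t nat -F
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP DISCOVER/REQUEST come from source 0.0.0.0 to 255.255.255.255,
    # so a rule matching -s $LANNET never sees them and clients get no lease.
    # Accept the dhcpd port by itself, before the subnet rule.
    ipt -A INPUT -i "$LAN" -p udp --sport 68 --dport 67 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LANNET" -j ACCEPT
    # LAN -> internet, and the replies back in.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" -j ACCEPT
    # From the internet only the forwarded port may cross to the LAN.
    # FORWARD sees the destination after DNAT, so match the internal host.
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$FWD_HOST" --dport "$FWD_PORT" \
        -m state --state NEW -j ACCEPT
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$FWD_HOST"
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LANNET" -j MASQUERADE
    # Log a sample of what INPUT drops; the DROP policy does the dropping.
    ipt -A INPUT -m limit --limit 40/minute -j LOG --log-prefix "fw-drop: "
}

# Line number of the first rule matching a pattern, to check rule order.
rule_pos() { fw_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

enable_forwarding
fw_rules
```

Run it once with the default DRY_RUN=1 and read the printed order before applying with DRY_RUN=0.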
 
02-01-2005, 07:59 AM   #5
mikz (Original Poster)
Isn't there an allow all input/output between eth0 and eth1?
 
02-01-2005, 08:31 AM   #6
michaelk (Moderator)
I do not suggest allowing samba external access. Windows networking is very insecure and could be an avenue to nasty stuff.
 
02-01-2005, 08:34 AM   #7
mikz (Original Poster)
I've compiled SAMBA with SSL and use ALLOW/DENY hosts.
 