Can someone tell me why these rules don't work? I am lost.
Edit: I Got It!!
It turned out the packet spoofing protection in the firewall on the squid server was dropping the incoming connections from this machine due to the 192.168.10.1 source address on the connections being made to the squid's external interface.

Original post:

I am working on this router/firewall and although I am using the same syntax as supposedly "working" routers, my client machine has no access to the internet. Have I forgotten something? I don't know where to begin to look for my mistake on this one. Please help. My goal is to have internet and ports 25, 80, 1352, 5631, 5632 forwarded to the squid server "Raptor", who is the only client.

Code:
#!/bin/sh
#
# This is the firewall generator for the Vulture I router.
# It only needs to be run once unless changes to the script are made.
#
#-----------------------------------------------------------------------
# Variable definitions go here
EXTINT="eth1"
EXTIP="XX.XXX.XX.XXX" # Hidden for security purposes
INTINT="eth0"
INTIP="192.168.10.1"
LOOP="lo"
LAN="192.168.10.0/24"
INTRA="192.168.10.0/24"
RAPTOR="192.168.10.2"
INTBC="192.168.10.255/32"
BROADCAST="255.255.255.255"
LOCALHOST="127.0.0.1/32"
#-----------------------------------------------------------------------
# Pre-firewall set up happens here
#----------------------------------
# Shutting down the firewall!!!
/etc/init.d/iptables stop
# Deleting the old rule script from /etc/sysconfig
rm -f /etc/sysconfig/iptables
# Enabling IP forwarding in the kernel (needed for DNAT/MASQUERADE to work)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Clear old rules from memory
iptables -F
iptables -t nat -F
iptables -X
#---------------------------------------Firewall Rules Start Here--------
#
# Create new chain for allowed tcp connections coming in from the Internet.
iptables -N tcp_allow
iptables -A tcp_allow -p tcp --syn -j ACCEPT
iptables -A tcp_allow -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A tcp_allow -p tcp -j DROP
#-----------------------------------------------------------------------
# Set up Destination Network Address Translation for port forwarding to Raptor II
#-----------------------------------------------------------------------
# Prerouting table instructions
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 25 -j DNAT --to $RAPTOR:25
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 80 -j DNAT --to $RAPTOR:80
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 1352 -j DNAT --to $RAPTOR:1352
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 5631 -j DNAT --to $RAPTOR:5631
iptables -A PREROUTING -t nat -p udp -i $EXTINT --dport 5632 -j DNAT --to $RAPTOR:5632
# Forwarding table instructions
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 25 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 80 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 1352 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 5631 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p udp --dport 5632 -j ACCEPT
# The following are for masquerading
iptables -A FORWARD -i $INTINT -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Logging of forwarded packets (both lines must stay commented together; a
# backslash inside a comment does not continue the line, so an uncommented
# second line would be run as a command on its own)
#iptables -A FORWARD -m limit --limit 10/minute --limit-burst 10 -j LOG \
#    --log-level DEBUG --log-prefix "FORWARD :"
# Postrouting table instructions for Masquerading
iptables -t nat -A POSTROUTING -o $EXTINT -s $INTRA -j MASQUERADE
#----------------------------------DNAT DONE----------------------------
# Establish default policies for the various tables
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#-----------------------------------------------------------------------
# Now to set up the chains for incoming tcp, udp, and icmp packets.
#-----------------------------------------------------------------------
# Create separate chains for tcp, udp, and icmp packets to traverse.
iptables -N icmp_packets
iptables -N tcp_packets
iptables -N udp_packets
# Done
# ICMP rules
# Comment out to drop pings cold.
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Done
# TCP Rules
# Allow incoming mail connections
iptables -A tcp_packets -p TCP -s 0/0 --dport 25 -j tcp_allow
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j tcp_allow
iptables -A tcp_packets -p TCP -s 0/0 --dport 1352 -j tcp_allow
iptables -A tcp_packets -p TCP -s 0/0 --dport 5631 -j tcp_allow
# The line below is temporary
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j tcp_allow
# Done
# UDP Rules
iptables -A udp_packets -p UDP -s 0/0 --source-port 67 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --source-port 68 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --source-port 5632 -j ACCEPT
# Done------------------------------------------------------------------
# Protect against obviously spoofed packets arriving on the external interface.
# These go at the top of the filter INPUT and FORWARD chains (-I), not in the
# nat table: nat PREROUTING only sees the first packet of a connection, and a
# DROP appended there after the DNAT rules above would never be reached for
# the forwarded ports, because a matching DNAT rule ends the chain traversal.
for NET in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
    iptables -I INPUT -i $EXTINT -s $NET -j DROP
    iptables -I FORWARD -i $EXTINT -s $NET -j DROP
done
# Done------------------------------------------------------------------
#----------------------------------------
# Setting up the three primary chains
#----------------------------------------
#-------------------
# Input Chain Rules
#-------------------
# Rerouting packets to their associated chains
iptables -A INPUT -p ICMP -i $EXTINT -j icmp_packets
iptables -A INPUT -p TCP -i $EXTINT -j tcp_packets
iptables -A INPUT -p UDP -i $EXTINT -j udp_packets
# Done
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -i $INTINT -d $INTBC -j ACCEPT
iptables -A INPUT -p all -i $INTINT -d $BROADCAST -j ACCEPT
iptables -A INPUT -p all -d $LOCALHOST -j ACCEPT
# Only the LAN side may talk to the router's internal address
iptables -A INPUT -p all -i $INTINT -d $INTIP -j ACCEPT
#iptables -A INPUT -m limit --limit 10/minute --limit-burst 10 -j LOG \
#    --log-level DEBUG --log-prefix "INPUT :"
# Done
#-------------------------- Input Done----------------------------------
#-------------------------
# Output Chain Rules
#-------------------------
iptables -A OUTPUT -p all -s $LOCALHOST -j ACCEPT
iptables -A OUTPUT -p all -s $INTIP -j ACCEPT
iptables -A OUTPUT -p all -d $LOCALHOST -j ACCEPT
iptables -A OUTPUT -p all -d $INTIP -j ACCEPT
iptables -A OUTPUT -p all -o $EXTINT -j ACCEPT
#iptables -A OUTPUT -m limit --limit 10/minute --limit-burst 10 -j LOG \
#    --log-level DEBUG --log-prefix "OUTPUT :"
# Done
#--------------------------Output Done----------------------------------
# Logging rules begin here (last rule in each chain, so anything reaching
# them is about to hit the DROP policy)
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP:"
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP:"
iptables -A FORWARD -j LOG --log-prefix "FORWARD_DROP:"
# Done
#--------------------------------------RULE GENERATION IS COMPLETE-------
# Saving new rules to a newly created iptables rules file in /etc/sysconfig
iptables-save > /etc/sysconfig/iptables
# Starting the new and improved firewall
/etc/init.d/iptables start
# Firewall is now running.
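As an added example (not part of the original post or the poster's ruleset), the following POSIX sh/awk check looks for the rule-ordering mistake the script above is prone to: anti-spoof DROP rules appended to nat PREROUTING below the DNAT rules. A packet matched by a DNAT rule leaves the chain, so the DROPs after it never see traffic for the forwarded ports, and nat only inspects the first packet of a connection anyway. The two iptables-save excerpts are constructed samples modelled on the post's chains (interface names and addresses are assumptions); the first reproduces the shadowed layout, the second puts the anti-spoof rules in the filter table where they belong.

```shell
#!/bin/sh
# Constructed sample: anti-spoof DROPs appended after the DNAT rules in nat
# PREROUTING (the layout that the script in the post produces).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.10.2:25
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
-A PREROUTING -i eth1 -s 192.168.0.0/16 -j DROP
-A PREROUTING -i eth1 -s 10.0.0.0/8 -j DROP
-A POSTROUTING -s 192.168.10.0/24 -o eth1 -j MASQUERADE
COMMIT'

# Constructed sample of the corrected layout: anti-spoof DROPs at the top of
# the filter INPUT and FORWARD chains, nat PREROUTING left to DNAT only.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
-A FORWARD -i eth1 -s 192.168.0.0/16 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.10.2:25
-A POSTROUTING -s 192.168.10.0/24 -o eth1 -j MASQUERADE
COMMIT'

# shadowed_drops <iptables-save text>
# Prints every DROP rule in nat PREROUTING that sits below the first DNAT
# rule for the same input interface (-i). Traffic matched by that DNAT rule
# never reaches such a DROP. Exit status 0 if nothing is shadowed, 1 otherwise.
shadowed_drops() {
    printf '%s\n' "$1" | awk '
        /^\*/     { table = substr($0, 2); next }   # "*nat", "*filter", ...
        /^COMMIT/ { table = ""; next }
        table != "nat" || $1 != "-A" || $2 != "PREROUTING" { next }
        {
            iface = ""
            for (i = 3; i <= NF; i++) if ($i == "-i") iface = $(i + 1)
            if ($0 ~ / -j DNAT/ && !(iface in first_dnat)) first_dnat[iface] = NR
            if ($0 ~ / -j DROP/ && (iface in first_dnat)) {
                print "shadowed: " $0
                bad = 1
            }
        }
        END { exit bad }'
}

# Usage: run the check against a live ruleset with
#   shadowed_drops "$(iptables-save)"
# Here it is run on the constructed samples instead.
shadowed_drops "$SAMPLE_RULES" \
    || echo "nat PREROUTING anti-spoof rules are shadowed; move them to the filter table"
shadowed_drops "$FIXED_RULES" && echo "fixed layout: nothing shadowed"
```

The check is deliberately narrow: it only flags DROPs below a DNAT on the same interface in nat PREROUTING, which is exactly the case where the DNAT steals the packet before the DROP can see it. Anti-spoof filtering belongs in the filter table (or in rp_filter) regardless, since nat rules are consulted for the first packet of a connection only.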