LinuxQuestions.org

Linux - Networking: Can someone tell me why these rules don't work? I am lost. (https://www.linuxquestions.org/questions/linux-networking-3/can-someone-tell-me-why-these-rules-dont-work-i-am-lost-49300/)

Pcghost 03-11-2003 12:43 PM

Can someone tell me why these rules don't work? I am lost.
 
Edit: I Got It!!

It turned out the packet spoofing protection in the firewall on the squid server was dropping the incoming connections from this machine due to the 192.168.10.1 source address on the connections being made to the squid's external interface.

original post:
I am working on this router/firewall and although I am using the same syntax as supposedly "working" routers, my client machine has no access to the internet. Have I forgotten something? I don't know where to begin to look for my mistake on this one. Please help.

My goal is to have internet and ports 25, 80, 1352, 5631, 5632 forwarded to the squid server "Raptor", which is the only client.


#!/bin/sh
#
# This is the firewall generator for the Vulture I router.
# It only needs to be run once unless changes to the script are made.
#
#---------------------------------------------------------------------------------------------------------------------------
# Variable definitions go here
EXTINT="eth1"
EXTIP="XX.XXX.XX.XXX" # Hidden for security purposes
INTINT="eth0"
INTIP="192.168.10.1"
LOOP="lo"
LAN="192.168.10.0/24"
INTRA="192.168.10.0/24"
RAPTOR="192.168.10.2"
INTBC="192.168.10.255/32"
BROADCAST="255.255.255.255"
LOCALHOST="127.0.0.1/32"
#----------------------------------------------------------------------------------------------------------------------------
# Pre-firewall set up happens here
#----------------------------------
# Shutting down the firewall!!!
/etc/init.d/iptables stop

# Deleting the old rule script from /etc/sysconfig
rm -f /etc/sysconfig/iptables

# Enabling port forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Clear old rules from memory
iptables -F
iptables -t nat -F
iptables -X

#---------------------------------------Firewall Rules Start Here------------------------------------------------------------
#
# Create new table for allowed tcp connections coming in from the Internet.
iptables -N tcp_allow
iptables -A tcp_allow -p tcp --syn -j ACCEPT
iptables -A tcp_allow -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A tcp_allow -p tcp -j DROP

#---------------------------------------------------------------------------------------------
# Set up Destination Network Address Translation for port forwarding to Raptor II
#---------------------------------------------------------------------------------------------

# Prerouting table instructions
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 25 -j DNAT --to $RAPTOR:25
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 80 -j DNAT --to $RAPTOR:80
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 1352 -j DNAT --to $RAPTOR:1352
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 5631 -j DNAT --to $RAPTOR:5631
iptables -A PREROUTING -t nat -p udp -i $EXTINT --dport 5632 -j DNAT --to $RAPTOR:5632

# Forwarding table instructions
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 25 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 80 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 1352 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 5631 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p udp --dport 5632 -j ACCEPT
# The following are for masquerading
iptables -A FORWARD -i $INTINT -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Optional rate-limited logging of forwarded packets (disabled; remove the leading # to enable)
#iptables -A FORWARD -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "FORWARD :"

# Postrouting table instructions for Masquerading
iptables -t nat -A POSTROUTING -o $EXTINT -s $INTRA -j MASQUERADE

#----------------------------------DNAT DONE------------------------------------------------------
# Establish default policies for the various tables
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#-----------------------------------------------------------------------
# Now to set up the tables for incoming tcp, udp, and icmp packets.
#-----------------------------------------------------------------------

# Create separate tables for tcp, udp, and icmp packets to traverse.
iptables -N icmp_packets
iptables -N tcp_packets
iptables -N udp_packets
# Done

# ICMP rules
# Comment out to drop pings cold.
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Done

# TCP Rules

# Allow incoming mail connections
iptables -A tcp_packets -p TCP -s 0/0 --dport 25 -j tcp_allow
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j tcp_allow
iptables -A tcp_packets -p TCP -s 0/0 --dport 1352 -j tcp_allow
iptables -A tcp_packets -p TCP -s 0/0 --dport 5631 -j tcp_allow
# The line below is temporary
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j tcp_allow
# Done

# UDP Rules
iptables -A udp_packets -p UDP -s 0/0 --source-port 67 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --source-port 68 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --source-port 5632 -j ACCEPT
# Done-------------------------------------------------------------------------

# Protect against obviously spoofed packets
# Note: these sit in the nat PREROUTING chain *after* the DNAT rules above, so a spoofed
# packet aimed at a forwarded port is translated before it reaches them, and the nat table
# only sees the first packet of each connection. Filter-table INPUT/FORWARD rules would
# cover every packet.
iptables -t nat -A PREROUTING -i $EXTINT -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $EXTINT -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $EXTINT -s 172.16.0.0/12 -j DROP
# Done--------------------------------------------------------------------------

#----------------------------------------
# Setting up the three primary tables
#----------------------------------------
#-------------------
# Input Table Rules
#-------------------

# Rerouting packets to their associated tables
iptables -A INPUT -p ICMP -i $EXTINT -j icmp_packets
iptables -A INPUT -p TCP -i $EXTINT -j tcp_packets
iptables -A INPUT -p UDP -i $EXTINT -j udp_packets
# Done

iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -i $INTINT -d $INTBC -j ACCEPT
iptables -A INPUT -p all -i $INTINT -d $BROADCAST -j ACCEPT
iptables -A INPUT -p all -d $LOCALHOST -j ACCEPT
iptables -A INPUT -p all -d $INTIP -j ACCEPT
# Optional rate-limited logging of incoming packets (disabled; remove the leading # to enable)
#iptables -A INPUT -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "INPUT :"
# Done

#-------------------------- Input Done--------------------------------------------------------------------------

#-------------------------
# Output Tables Rules
#-------------------------
iptables -A OUTPUT -p all -s $LOCALHOST -j ACCEPT
iptables -A OUTPUT -p all -s $INTIP -j ACCEPT
iptables -A OUTPUT -p all -d $LOCALHOST -j ACCEPT
iptables -A OUTPUT -p all -d $INTIP -j ACCEPT
iptables -A OUTPUT -p all -o $EXTINT -j ACCEPT
# Optional rate-limited logging of outgoing packets (disabled; remove the leading # to enable)
#iptables -A OUTPUT -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "OUTPUT :"
# Done

#--------------------------Output Done---------------------------------------------------------------------------

# Logging rules begin here
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP:"
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP:"
iptables -A FORWARD -j LOG --log-prefix "FORWARD_DROP:"
# Done

#--------------------------------------RULE GENERATION IS COMPLETE----------------------------------------------

# Saving new rules to a newly created iptables rules file in /etc/sysconfig
iptables-save > /etc/sysconfig/iptables

# Starting the new and improved firewall
/etc/init.d/iptables start

# Firewall is now running.
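
Added example (not code from the thread or from the router script above): a small Python model of first-match firewall rule evaluation that reproduces the failure described in the edit at the top of the post, where anti-spoofing rules on the squid server's external interface dropped connections sourced from the router's internal address 192.168.10.1. The squid server's own rules are not shown in the thread, so the two rule sets below are constructed, as are the interface name eth0 and the sample addresses; a second function performs the static check a practitioner would run before loading RFC1918 anti-spoof drops on an interface that itself faces a private LAN.

```python
"""Model of first-match (iptables-style) rule evaluation, used to show why
RFC1918 anti-spoofing rules on a host's "external" interface drop traffic from
an upstream NAT router whose internal address is itself private.

Constructed example; the squid server's real rule set is not on the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    iface: Optional[str]   # interface the packet arrives on, or None for any
    src: Optional[str]     # source CIDR, or None for any source
    action: str            # "ACCEPT" or "DROP"
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every specified criterion matches the packet."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, str]:
    """First matching rule wins, like an iptables chain; otherwise the chain policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return policy, "chain policy"


def local_net_dropped(rules: List[Rule], iface: str, local_net: str) -> Optional[Rule]:
    """Static check: return the first rule that would DROP traffic sourced from the
    interface's own link network, or None if an earlier ACCEPT covers that network.
    Run this before loading anti-spoof drops on an interface facing a private LAN."""
    net = ip_network(local_net)
    for rule in rules:
        if rule.iface not in (None, iface) or rule.src is None:
            continue
        if net.subnet_of(ip_network(rule.src)):
            return None if rule.action == "ACCEPT" else rule
    return None


# Hypothetical rule set for the squid server ("Raptor"): eth0 (assumed name) is its
# "external" interface, but it is plugged into the router's 192.168.10.0/24 LAN,
# not into the Internet, so blanket RFC1918 drops also hit the router itself.
ANTI_SPOOF_AS_WRITTEN = [
    Rule("eth0", "192.168.0.0/16", "DROP", "anti-spoof RFC1918"),
    Rule("eth0", "10.0.0.0/8", "DROP", "anti-spoof RFC1918"),
    Rule("eth0", "172.16.0.0/12", "DROP", "anti-spoof RFC1918"),
    Rule("eth0", None, "ACCEPT", "allow forwarded service traffic"),
]

# Corrected: the link network is a legitimate source on this interface, so it is
# exempted before the anti-spoof drops; other private ranges are still dropped.
ANTI_SPOOF_FIXED = [
    Rule("eth0", "192.168.10.0/24", "ACCEPT", "upstream router LAN (legitimate)"),
    Rule("eth0", "192.168.0.0/16", "DROP", "anti-spoof RFC1918"),
    Rule("eth0", "10.0.0.0/8", "DROP", "anti-spoof RFC1918"),
    Rule("eth0", "172.16.0.0/12", "DROP", "anti-spoof RFC1918"),
    Rule("eth0", None, "ACCEPT", "allow forwarded service traffic"),
]

# Packet as Raptor sees it when the router (INTIP 192.168.10.1) connects to it.
ROUTER_TO_RAPTOR = Packet(iface="eth0", src="192.168.10.1", dst="192.168.10.2")
# A DNATed Internet client keeps its public source address (constructed, from the
# 203.0.113.0/24 documentation range).
INTERNET_CLIENT = Packet(iface="eth0", src="203.0.113.7", dst="192.168.10.2")
# A genuinely spoofed private source that both rule sets should still drop.
SPOOFED_PRIVATE = Packet(iface="eth0", src="10.1.2.3", dst="192.168.10.2")

if __name__ == "__main__":
    for name, rules in (("as written", ANTI_SPOOF_AS_WRITTEN), ("fixed", ANTI_SPOOF_FIXED)):
        for pkt in (ROUTER_TO_RAPTOR, INTERNET_CLIENT, SPOOFED_PRIVATE):
            print(name, pkt.src, "->", evaluate(rules, pkt))
        print(name, "self-blocking rule:", local_net_dropped(rules, "eth0", "192.168.10.0/24"))
```

The model only covers interface and source-CIDR matching, which is all the diagnosis in the edit needs; the point is the ordering, not the full iptables match set. The same check applies to the router script above if its own anti-spoof drops were ever moved onto an interface whose neighbours legitimately use private addresses.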

