Old 03-11-2003, 12:43 PM   #1
Can someone tell me why these rules don't work? I am lost.

Edit: I Got It!!

It turned out the packet spoofing protection in the firewall on the squid server was dropping the incoming connections from this machine, due to the source address on the connections being made to the squid's external interface.

Original post:
I am working on this router/firewall and although I am using the same syntax as supposedly "working" routers, my client machine has no access to the internet. Have I forgotten something? I don't know where to begin to look for my mistake on this one. Please help.

My goal is to have internet and ports 25,80,1352,5631,5632 forwarded to the squid server "Raptor", which is the only client.

#!/bin/sh
# This is the firewall generator for the Vulture I router.
# It only needs to be run once unless changes to the script are made.
# Variable definitions go here
EXTIP="XX.XXX.XX.XXX" # Hidden for security purposes
# The post does not show the assignments below; the values are placeholders
# and must be replaced with the real interface names and addresses.
EXTINT="eth0"               # placeholder: external (Internet-facing) interface
INTINT="eth1"               # placeholder: internal interface toward Raptor
INTIP="192.168.0.1"         # placeholder: this router's internal address
INTBC="192.168.0.255"       # placeholder: internal subnet broadcast address
BROADCAST="255.255.255.255" # limited broadcast address
LOCALHOST="127.0.0.1"
RAPTOR="192.168.0.2"        # placeholder: the squid server, the only internal client

# Pre-firewall set up happens here
# Shutting down the firewall!!!
/etc/init.d/iptables stop

# Deleting the old rule script from /etc/sysconfig
rm -f /etc/sysconfig/iptables

# Enabling IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Clear old rules and user-defined chains from memory
iptables -F
iptables -t nat -F
iptables -X

#---------------------------------------Firewall Rules Start Here------------------------------------------------------------
# Create new chain for allowed tcp connections coming in from the Internet.
iptables -N tcp_allow
iptables -A tcp_allow -p tcp --syn -j ACCEPT
iptables -A tcp_allow -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A tcp_allow -p tcp -j DROP

# Set up Destination Network Address Translation for port forwarding to Raptor II

# Prerouting chain instructions
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 25 -j DNAT --to-destination $RAPTOR:25
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 80 -j DNAT --to-destination $RAPTOR:80
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 1352 -j DNAT --to-destination $RAPTOR:1352
iptables -A PREROUTING -t nat -p tcp -i $EXTINT --dport 5631 -j DNAT --to-destination $RAPTOR:5631
iptables -A PREROUTING -t nat -p udp -i $EXTINT --dport 5632 -j DNAT --to-destination $RAPTOR:5632

# Forwarding chain instructions
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 25 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 80 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 1352 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 5631 -j tcp_allow
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p udp --dport 5632 -j ACCEPT
# The following are for masquerading
iptables -A FORWARD -i $INTINT -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "FORWARD :"

# Postrouting chain instructions for Masquerading
# The post's copy of this section is empty. $EXTIP is defined but otherwise
# unused, so a source NAT to it is assumed here; without some POSTROUTING
# rule, packets from Raptor leave with their private source address.
iptables -t nat -A POSTROUTING -o $EXTINT -j SNAT --to-source $EXTIP

#----------------------------------DNAT DONE------------------------------------------------------
# Establish default policies for the three built-in chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Now to set up the chains for incoming tcp, udp, and icmp packets.

# Create separate chains for tcp, udp, and icmp packets to traverse.
iptables -N icmp_packets
iptables -N tcp_packets
iptables -N udp_packets
# Done

# ICMP rules
# Comment out to drop pings cold.
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
# Done

# TCP Rules

# Allow incoming mail, web, Notes and pcAnywhere connections
iptables -A tcp_packets -p tcp -s 0/0 --dport 25 -j tcp_allow
iptables -A tcp_packets -p tcp -s 0/0 --dport 80 -j tcp_allow
iptables -A tcp_packets -p tcp -s 0/0 --dport 1352 -j tcp_allow
iptables -A tcp_packets -p tcp -s 0/0 --dport 5631 -j tcp_allow
# The line below is temporary
iptables -A tcp_packets -p tcp -s 0/0 --dport 113 -j tcp_allow
# Done

# UDP Rules
iptables -A udp_packets -p udp -s 0/0 --source-port 67 -j ACCEPT
iptables -A udp_packets -p udp -s 0/0 --source-port 68 -j ACCEPT
iptables -A udp_packets -p udp -s 0/0 --source-port 5632 -j ACCEPT
# Done-------------------------------------------------------------------------

# Protect against obviously spoofed packets
# The source networks were not included in the post; these three lines
# will fail ("option -s requires an argument") until one is supplied after -s.
iptables -t nat -A PREROUTING -i $EXTINT -s -j DROP
iptables -t nat -A PREROUTING -i $EXTINT -s -j DROP
iptables -t nat -A PREROUTING -i $EXTINT -s -j DROP
# Done--------------------------------------------------------------------------

# Setting up the three primary chains
# Input Chain Rules

# Rerouting packets to their associated chains
iptables -A INPUT -p icmp -i $EXTINT -j icmp_packets
iptables -A INPUT -p tcp -i $EXTINT -j tcp_packets
iptables -A INPUT -p udp -i $EXTINT -j udp_packets
# Done

iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -i $INTINT -d $INTBC -j ACCEPT
iptables -A INPUT -p all -i $INTINT -d $BROADCAST -j ACCEPT
iptables -A INPUT -p all -d $LOCALHOST -j ACCEPT
iptables -A INPUT -p all -d $INTIP -j ACCEPT
#iptables -A INPUT -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "INPUT :"
# Done

#-------------------------- Input Done--------------------------------------------------------------------------

# Output Chain Rules
iptables -A OUTPUT -p all -s $LOCALHOST -j ACCEPT
iptables -A OUTPUT -p all -s $INTIP -j ACCEPT
iptables -A OUTPUT -p all -d $LOCALHOST -j ACCEPT
iptables -A OUTPUT -p all -d $INTIP -j ACCEPT
iptables -A OUTPUT -p all -o $EXTINT -j ACCEPT
#iptables -A OUTPUT -m limit --limit 10/minute --limit-burst 10 -j LOG --log-level DEBUG --log-prefix "OUTPUT :"
# Done

#--------------------------Output Done---------------------------------------------------------------------------

# Logging rules begin here (anything reaching these lines is about to hit the DROP policy)
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP:"
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP:"
iptables -A FORWARD -j LOG --log-prefix "FORWARD_DROP:"
# Done

#--------------------------------------RULE GENERATION IS COMPLETE----------------------------------------------

# Saving new rules to a newly created iptables rules file in /etc/sysconfig
iptables-save > /etc/sysconfig/iptables

# Starting the new and improved firewall
/etc/init.d/iptables start

# Firewall is now running.

Last edited by Pcghost; 03-11-2003 at 04:09 PM.
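An added example, not part of Pcghost's post: a pre-flight check for a rule script like the one above. It catches two of the things that make iptables abort part-way through and leave a half-built ruleset, namely shell variables such as $EXTINT that are referenced but never assigned, and an option such as -s left with no argument. The sample fragment it scans is constructed for the example.

```shell
#!/bin/sh
# Pre-flight checks for an iptables rule script (added example, not the
# original poster's code). Run the checks before letting the script touch
# the live ruleset.

# List $VARIABLES referenced in the script but never assigned anywhere in it.
undefined_vars() {
    _used=$(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | tr -d '$' | sort -u)
    for _v in $_used; do
        grep -qE "^[[:space:]]*$_v=" "$1" || echo "$_v"
    done
}

# List line numbers where an address/interface/port option is directly
# followed by another option, i.e. its argument is missing ("-s -j DROP").
empty_options() {
    grep -nE '(^| )(-s|-d|-i|-o|--dport|--sport|--to-destination|--to-source) +-' "$1" |
        cut -d: -f1
}

# Constructed sample fragment (placeholder addresses, not a real host) that
# contains both mistakes: three unassigned variables and an empty -s.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
EXTIP="192.0.2.1"
iptables -A FORWARD -i $EXTINT -o $INTINT -d $RAPTOR -p tcp --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -i $EXTINT -s -j DROP
iptables -t nat -A POSTROUTING -o $EXTINT -j SNAT --to-source $EXTIP
EOF

printf 'Variables used but never assigned:\n'
undefined_vars "$SAMPLE"
printf 'Lines with an option missing its argument:\n'
empty_options "$SAMPLE"
```

Point both functions at the real script instead of $SAMPLE to check it; an empty result from each means the script at least parses cleanly, though it says nothing about whether the rules do what you intend.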