LinuxQuestions.org
Visit Jeremy's Blog.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Reload this Page Firewall lets ips which are not in the firewall ... why ?
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 06-27-2005, 05:20 AM   #1
sys7em
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Slackware
Posts: 158

Rep: Reputation: 30
Firewall lets ips which are not in the firewall ... why ?

Well I have setuped a small firewall for a local network. Here it is:

Code:
#!/bin/sh
FWVER=0.73
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
EXTIF="eth1"
INTIF="eth0"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"
echo "----------------------------------------------------------------------"
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#echo "   Disabling ICMP Requests.."
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "   Clearing any existing rules and setting default policy.."

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F

echo "   Setting the default FORWARD policy to DROP"

$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD

echo "   Setting the FORWARD policy to 'DROP' all incoming / unrelated traffic"

$IPTABLES -A INPUT -i $EXTIF -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.9 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.20 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.21 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.22 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.23 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.24 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.25 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.26 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.27 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.28 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.29 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.30 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.31 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.32 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.33 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.34 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.53.35 -j ACCEPT



#$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s 192.168.0.9/32 -j ACCEPT
$IPTABLES -A FORWARD -j LOG

################
echo "  PREROUTING CHAIN... Redirect HTTP for a transparent proxy "
#
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --destination-port 80 \
#     -j REDIRECT --to-ports 3128



###############




echo "   Enabling SNAT (IPMASQ) functionality on $EXTIF"

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.9 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.20 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.21 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.22 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.23 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.24 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.25 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.26 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.27 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.28 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.29 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.30 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.31 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.33 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.34 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.53.35 -j MASQUERADE
But when some asignes with ip for example .... 200 is gettin it through and has access to the internet. I have also transperant proxy ... where's the problem ?
 
Old 06-27-2005, 02:16 PM   #2
Ipolit
Member
 
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 321

Rep: Reputation: 33
your default policy FORWARD is ACCEPT
u are setting it to DROP and after u're flushing it to ACCEPT.
try iptables -L an see
 
Old 06-30-2005, 12:50 PM   #3
sys7em
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Slackware
Posts: 158

Original Poster
Rep: Reputation: 30
what are you talking about ... the deafult policy to forward is DROP

Code:
root@nikem:~/firewall# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  emo.nikem.lan        anywhere
ACCEPT     all  --  192.168.53.20        anywhere
ACCEPT     all  --  192.168.53.21        anywhere
ACCEPT     all  --  192.168.53.22        anywhere
ACCEPT     all  --  192.168.53.23        anywhere
ACCEPT     all  --  192.168.53.24        anywhere
ACCEPT     all  --  192.168.53.25        anywhere
ACCEPT     all  --  192.168.53.26        anywhere
ACCEPT     all  --  192.168.53.27        anywhere
ACCEPT     all  --  192.168.53.28        anywhere
ACCEPT     all  --  192.168.53.29        anywhere
ACCEPT     all  --  192.168.53.30        anywhere
ACCEPT     all  --  192.168.53.31        anywhere
ACCEPT     all  --  192.168.53.32        anywhere
ACCEPT     all  --  192.168.53.33        anywhere
ACCEPT     all  --  192.168.53.34        anywhere
ACCEPT     all  --  192.168.53.35        anywhere
ACCEPT     all  --  192.168.53.36        anywhere
ACCEPT     all  --  192.168.53.37        anywhere
ACCEPT     all  --  192.168.53.38        anywhere
ACCEPT     all  --  192.168.53.39        anywhere
ACCEPT     all  --  192.168.53.40        anywhere
ACCEPT     all  --  192.168.53.41        anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@nikem:~/firewall#
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
BSD Firewall vs Linux Firewall ? rootlinux Linux - Security 5 08-29-2007 07:38 AM
slackware's /etc/rc.d/rc.firewall equivalent ||| firewall script startup win32sux Debian 1 03-06-2004 09:15 PM
Firewall - filter for public IPs caremaker Linux - Networking 6 01-09-2004 12:17 PM
Firewall Builder sample firewall policy file ? (.xml) nuwanguy Linux - Networking 0 09-13-2003 12:32 PM
Linux firewall that supports USB ADSL & multiple public IPs? Smoothieu Linux - Security 1 08-21-2002 06:23 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:33 AM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration