LinuxQuestions.org
Old 03-17-2008, 01:47 PM   #1
patpawlowski
Member
 
Registered: Mar 2003
Location: Centreville, Virginia
Distribution: Mandrak, Red Hat
Posts: 163

Rep: Reputation: 30
IP tables and newly released 98.x.x.x addresses


Hi all,

It has been several years since I have done much work with Linux. We have an old Linux box that has been serving as our firewall/router for the past 4 years. We are running IPTables on it and recently one of our remote users became unable to connect to it. One of the techs I was working with on this realized that she had one of the newly released 98.x.x.x IP addresses and thought some older equipment was dropping these packets since previously they were unroutable. So, after blaming her ISP and then our ISP I finally bypassed the IPTables box and was able to get through.

I can't see where any of my rules are causing this so I figure it might be hardcoded. Has anybody else run into this and found a solution? I suspect maybe just upgrading iptables might be an answer but I am a little hesitant. Like I said, other than cutting and pasting rules in the iptables script I have not touched a Linux box for 2 years.

Thanks in advance for any help,

-pat
 
Old 03-17-2008, 05:41 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Look for something like this.
$IPTABLES -A SRC_EGRESS -s 98.0.0.0/8 -j DROP

Now in my iptables script I had all the not routable IPs in a list and used a command like above to disable all of them.

If you type the command ' /sbin/iptables -L ' see if it lists, say,
DST_EGRES
DROP 98.0.0.0/8 ********

Posting iptables script may help us to find the problem for you.

Brian
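
The check described in the post above, as an added example that is not part of the original posts: it reads `iptables-save` text and lists every DROP/REJECT rule whose source match covers a client address, including aggregates and dotted netmasks that a search for "98." would miss. The chain name `SRC_EGRESS` comes from the post; the sample rules and the client address 98.200.10.20 are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list DROP/REJECT rules whose source
# match covers a client address. Reads iptables-save text on stdin.
# Interface, protocol and port matches are ignored; only -s is evaluated.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_contains NET[/MASK] ADDR: true when ADDR lies inside NET.
# MASK is a prefix length (/8) or a dotted netmask (/255.0.0.0).
cidr_contains() {
    case $1 in
        */*.*) mask=$(ip_to_int "${1#*/}") ;;
        */*)   mask=$(( (4294967295 << (32 - ${1#*/})) & 4294967295 )) ;;
        *)     mask=4294967295 ;;
    esac
    [ $(( $(ip_to_int "${1%/*}") & $mask )) -eq $(( $(ip_to_int "$2") & $mask )) ]
}

# find_blocking_rules ADDR < rules: print each blocking rule that matches ADDR.
find_blocking_rules() {
    addr=$1
    set -f                          # no glob expansion while splitting rules
    while IFS= read -r rule; do
        case $rule in -A*) ;; *) continue ;; esac
        src= srcneg=0 target= prev= pending=0
        for word in $rule; do
            case $word in
                '!') pending=1; continue ;;     # "! -s X" and "-s ! X"
                -*)  prev=$word; continue ;;
            esac
            case $prev in
                -s|--source|--src) src=$word; srcneg=$pending ;;
                -j|--jump)         target=$word ;;
            esac
            pending=0; prev=
        done
        case $target in DROP|REJECT) ;; *) continue ;; esac
        case $src in ''|*[!0-9./]*) continue ;; esac   # no -s, or a hostname
        if cidr_contains "$src" "$addr"; then hit=1; else hit=0; fi
        if [ "$hit" -ne "$srcneg" ]; then printf '%s\n' "$rule"; fi
    done
    set +f
}

# Constructed sample in iptables-save format (not the poster's real rules).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:SRC_EGRESS - [0:0]
-A INPUT -i eth1 -j SRC_EGRESS
-A SRC_EGRESS -s 10.0.0.0/255.0.0.0 -j DROP
-A SRC_EGRESS -s 96.0.0.0/252.0.0.0 -j DROP
-A SRC_EGRESS -s 98.0.0.0/8 -j DROP
-A INPUT -d 98.172.22.98 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# 98.200.10.20 is a constructed client address inside 98.0.0.0/8.
sample_rules | find_blocking_rules 98.200.10.20
```

On a live firewall the same function takes the output of `iptables-save` on stdin in place of `sample_rules`. An empty result means no explicit source-based DROP or REJECT rule covers the address.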
 
Old 03-17-2008, 08:23 PM   #3
patpawlowski
You asked for it:


Code:
#!/bin/bash
# begin initialization
insmod ip_conntrack_ftp
insmod ip_nat_ftp
# flush all rules from the default chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# delete all user defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
# establish default policies, if packets do not match any of the rules they will be dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# allow all loopback connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow ssh connection to firewall from outside 
iptables -A INPUT -p tcp -i eth1 -d 98.172.22.98 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -p tcp -o eth1 -s 98.172.22.99 --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow ftp connection to the firewall
iptables -A INPUT -j ACCEPT -p tcp -i eth1 -d 98.172.22.98 
iptables -A OUTPUT -j ACCEPT -p tcp -o eth1 -s 98.172.22.98 
# allow DNS queries to and from the firewall
iptables -A OUTPUT -p udp -o eth1 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p icmp -o eth1 -j ACCEPT
iptables -A INPUT -p icmp -i eth1 -j ACCEPT
# allow the firewall to access the internet
iptables -A INPUT -j ACCEPT -d 98.172.22.98 -p tcp -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -s 98.172.22.98 -p tcp --dport 80 -m state --state NEW
#iptables -A OUTPUT -j ACCEPT  -o eht1 -p all
#iptables -A INPUT -j ACCEPT  -i eth1 -p all
# allow all machines on the LAN to access the firewall
iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i eth0
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth0
# configure NAT
iptables -t nat -A POSTROUTING -j SNAT -o eth1 --to-source 98.172.22.98
iptables -A FORWARD -t filter -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# salesteam.com 98.172.22.98 
# port 25 = smtp
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.98 --dport 25 --sport 1024:65535 -j DNAT --to 192.168.1.73:25
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.73 --dport 25 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 80 http
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.98 --dport 80 --sport 1024:65535 -j DNAT --to 192.168.1.59:80
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.59 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

# vermar.com 98.172.22.99
# port 20, 21, 1010-1020 = ftp
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 21 --sport 1024:65535 -j DNAT --to 192.168.1.230:21
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.230 --dport 21 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 20 --sport 1024:65535 -j DNAT --to 192.168.1.230:20
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.230 --dport 20 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 1010:1020 --sport 1024:65535  -j DNAT --to 192.168.1.230
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.230 --dport 1010:1020 --sport 1024:65535  -j ACCEPT
# vmi-exchange 192.168.1.73
# port 25 = smtp
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 25 --sport 1024:65535 -j DNAT --to 192.168.1.73:25
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.73 --dport 25 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 2500 = smtp
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 2500 --sport 1024:65535 -j DNAT --to 192.168.1.73:25
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.73 --dport 25 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 80 = http
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 80 --sport 1024:65535 -j DNAT --to 192.168.1.73
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.73 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 110 = pop3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 110 --sport 1024:65535 -j DNAT --to 192.168.1.73:110
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.73 --dport 110 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 143 = imap
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 143 --sport 1024:65535 -j DNAT --to 192.168.1.73
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.73 --dport 143 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 5993 = sync
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 5993 --sport 1024:65535 -j DNAT --to 192.168.1.230
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.230 --dport 5993 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 5900 RDP to vmi-deepti
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 5900 --sport 1024:65535 -j DNAT --to 192.168.1.46:3389
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.46 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 5901 RDP to vmi-ben
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 5901 --sport 1024:65535 -j DNAT --to 192.168.1.47:3389
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.47 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 5902 RDP to vmi-pat
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 5902 --sport 1024:65535 -j DNAT --to 192.168.1.38:3389
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.38 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 5903 RDP to vmi-ed
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 5903 --sport 1024:65535 -j DNAT --to 192.168.1.68:3389
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.68 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 5904 RDP to vmi-bruce
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 5904 --sport 1024:65535 -j DNAT --to 192.168.1.233:3389
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.233 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 5905 RDP to vmi-india
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 5905 --sport 1024:65535 -j DNAT --to 192.168.1.92:3389
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.92 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 5906 RDP to vmi-india
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.99 --dport 5906 --sport 1024:65535 -j DNAT --to 192.168.1.8:3389
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.8 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT

# crmez.net 98.172.22.100
# port 80 http to vmi-crmez
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.100 --dport 80 --sport 1024:65535 -j DNAT --to 192.168.1.12
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.12 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 8080 http to vmi-sharepoint
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.100 --dport 8080 --sport 1024:65535 -j DNAT --to 192.168.1.67
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.67 --dport 8080 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 3389 RDP to vmi-crmez
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.100 --dport 3389 --sport 1024:65535 -j DNAT --to 192.168.1.12
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.12 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT

# # demo.crmez.net 98.172.22.101
# # port 80 http to vmi-crmez-demo
# iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.101 --dport 80 --sport 1024:65535 -j DNAT --to 192.168.1.39
# iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.39 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
# # port 3389 RDP to vmihs-dc01
# iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.101 --dport 3389 --sport 1024:65535 -j DNAT --to 192.168.1.39
# iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.39 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT

# dev.crmez.net 98.172.22.102 (using temporarily for walker companies)
# port 80 http to vmi-walker
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.102 --dport 80 --sport 1024:65535 -j DNAT --to 192.168.1.14
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.14 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 3389 RDP to vmi-walker
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.102 --dport 3389 --sport 1024:65535 -j DNAT --to 192.168.1.14
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.14 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT

# test.crmez.net 98.172.22.103
# port 80 http to vmihs-dc01
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.103 --dport 80 --sport 1024:65535 -j DNAT --to 192.168.1.3
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.3 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 3389 RDP to vmihs-dc01
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.103 --dport 3389 --sport 1024:65535 -j DNAT --to 192.168.1.3
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.3 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT

# marriott 98.172.22.104
# port 443 https to vmihs-goglobal
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.104 --dport 443 --sport 1024:65535 -j DNAT --to 192.168.1.29:491
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.29 --dport 491 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 80 http to vmihs-dc01
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.104 --dport 80 --sport 1024:65535 -j DNAT --to 192.168.1.29
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.29 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 81 http to vmihs-sharepoin
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.104 --dport 81 --sport 1024:65535 -j DNAT --to 192.168.1.13
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.13 --dport 81 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 21 FTP to vmihs-dc01
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.104 --dport 21 --sport 1024:65535 -j DNAT --to 192.168.1.29
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.29 --dport 21 --sport 1024:65535 -m state --state NEW -j ACCEPT
# port 3389 RDP to vmihs-dc01
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 98.172.22.104 --dport 3389 --sport 1024:65535 -j DNAT --to 192.168.1.29
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.29 --dport 3389 --sport 1024:65535 -m state --state NEW -j ACCEPT
 
Old 03-17-2008, 08:26 PM   #4
patpawlowski
I realize that:

iptables -A INPUT -j ACCEPT -p tcp -i eth1 -d 98.172.22.98

renders about half of the rest of the script useless but I haven't been able to get out ftp to work without it.
 
Old 03-17-2008, 09:38 PM   #5
patpawlowski
Here are the results of the: iptables -L

Code:
[root@vmi-router root]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             98.172.22.98       tcp spts:1024:65535 dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             98.172.22.98
ACCEPT     udp  --  anywhere             anywhere           udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             98.172.22.98       state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24          anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.1.73          tcp spts:1024:65535 dpt:smtp state NEW
ACCEPT     tcp  --  anywhere             192.168.1.59          tcp spts:1024:65535 dpt:http state NEW
ACCEPT     tcp  --  anywhere             192.168.1.230         tcp spts:1024:65535 dpt:ftp state NEW
ACCEPT     tcp  --  anywhere             192.168.1.230         tcp spts:1024:65535 dpt:ftp-data state NEW
ACCEPT     tcp  --  anywhere             192.168.1.230         tcp spts:1024:65535 dpts:1010:1020
ACCEPT     tcp  --  anywhere             192.168.1.73          tcp spts:1024:65535 dpt:smtp state NEW
ACCEPT     tcp  --  anywhere             192.168.1.73          tcp spts:1024:65535 dpt:smtp state NEW
ACCEPT     tcp  --  anywhere             192.168.1.73          tcp spts:1024:65535 dpt:http state NEW
ACCEPT     tcp  --  anywhere             192.168.1.73          tcp spts:1024:65535 dpt:pop3 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.73          tcp spts:1024:65535 dpt:imap state NEW
ACCEPT     tcp  --  anywhere             192.168.1.230         tcp spts:1024:65535 dpt:5993 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.46          tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.47          tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.38          tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.68          tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.233         tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.92          tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.8           tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.12          tcp spts:1024:65535 dpt:http state NEW
ACCEPT     tcp  --  anywhere             192.168.1.67          tcp spts:1024:65535 dpt:webcache state NEW
ACCEPT     tcp  --  anywhere             192.168.1.12          tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.39          tcp spts:1024:65535 dpt:http state NEW
ACCEPT     tcp  --  anywhere             192.168.1.39          tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.14          tcp spts:1024:65535 dpt:http state NEW
ACCEPT     tcp  --  anywhere             192.168.1.14          tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.3           tcp spts:1024:65535 dpt:http state NEW
ACCEPT     tcp  --  anywhere             192.168.1.3           tcp spts:1024:65535 dpt:3389 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.29          tcp spts:1024:65535 dpt:491 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.29          tcp spts:1024:65535 dpt:http state NEW
ACCEPT     tcp  --  anywhere             192.168.1.13          tcp spts:1024:65535 dpt:81 state NEW
ACCEPT     tcp  --  anywhere             192.168.1.29          tcp spts:1024:65535 dpt:ftp state NEW
ACCEPT     tcp  --  anywhere             192.168.1.29          tcp spts:1024:65535 dpt:3389 state NEW

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  98.172.22.98         anywhere
ACCEPT     udp  --  anywhere             anywhere           udp spts:1024:65535 dpt:domain
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  98.172.22.98         anywhere           tcp dpt:http state NEW
ACCEPT     all  --  anywhere             192.168.1.0/24
[root@vmi-router root]#
 
Old 03-18-2008, 04:01 PM   #6
Brian1
I don't really see anything stopping it. So if you flush the iptables then the user in 98.0.0.0/8 can connect to the system. I just don't see anything. I will give it some thought though.

Brian
 
Old 03-18-2008, 08:28 PM   #7
patpawlowski
We are talking a 10+ year old Compaq workstation machine with probably 2 10 year old NICs running Red Hat 8.0. That's why I thought something must be hardcoded. But that doesn't make much sense either because none of the hardware really has any idea what the IP addresses are of the packets flying through. Iptables doesn't really seem to be that "smart" i.e. it does what you tell it to. Perhaps the network stack on that old version of Red Hat has something built in. But that doesn't even make sense, it works with our internal addresses without any special configuration. Baffling.
 
Old 03-19-2008, 05:13 PM   #8
Brian1
It's running Redhat 8. What kernel is it using? Use the command ' uname -r '.
It's been a while but I thought 2.4 kernels used ipchains. There might be a second set of firewall rules using ipchains. Been a long time messing with ipchains. Seems just as I got used to ipchains then iptables came along. If I remember some commands to try I will post. But I would probably end up googling for ipchains help. Now this is just a guess.

Brian
 
Old 03-19-2008, 08:31 PM   #9
patpawlowski
2.4.18-14

When I took over the network they were using the linux router project floppy disk which used ipchains. I installed Red Hat 8 on the box mostly so I could access it remotely and not have to visit the server room every time I need to make changes. I started using iptables because that was what the Red Hat Bible suggested. I have been very happy with it for the past 3 years but have feared the death of that box. We bought a SonicWall to replace it (which probably runs the Linux kernel and iptables with a pretty web interface). We got the SonicWall mostly for VPN functionality but have yet to get it implemented. Anyway back to the Linux box.

Ipchains does not appear to be installed although I'm not exactly sure how to check. Typing ipchains at the command line returned command not found.
 
  


All times are GMT -5.