LinuxQuestions.org
Linux - Networking
Old 05-13-2005, 04:17 AM   #16
win32sux (LQ Guru)
you can test the wall by adding a LOG rule to the end of the FORWARD chain and then monitoring the logfile when you attempt to SSH to the outside from within the LAN...
 
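The LOG-rule test described in this post, written out as an added example (it is not code from the thread or from either poster). The iptables commands are only printed (DRY_RUN=1, the default) so the script runs without root or a live firewall; the kernel log lines it parses are constructed samples in the format the LOG target writes, and the "FWD-DROP: " prefix is an assumption.

```shell
#!/bin/sh
# Added example: a LOG rule as the last rule in FORWARD records every packet
# that is about to fall through to the DROP policy, and a small parser turns
# those log lines into one readable line per flow. DRY_RUN=1 (default) prints
# the iptables commands instead of executing them.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
LOG_PREFIX="FWD-DROP: "   # assumed prefix; anything that is easy to grep for

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Append (-A) the LOG rule so it runs last in FORWARD and therefore only sees
# packets no earlier rule accepted; the limit match keeps a flood from filling
# the log. Packets are still dropped afterwards by the chain policy.
add_forward_log_rule() {
    run -A FORWARD -m limit --limit 10/min -j LOG \
        --log-prefix "$LOG_PREFIX" --log-level 4
}

# Constructed kernel log lines (syslog format), two hits and one unrelated line.
SAMPLE_LOG='May 13 04:20:01 ralf kernel: FWD-DROP: IN=eth0 OUT=eth2 SRC=192.168.1.10 DST=172.16.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 13 04:20:05 ralf kernel: FWD-DROP: IN=eth0 OUT=eth2 SRC=192.168.1.10 DST=172.16.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12346 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May 13 04:20:07 ralf sshd[1234]: Accepted publickey for fei from 192.168.1.10'

# Read log lines on stdin and print "SRC -> DST PROTO/DPT via IN->OUT" for
# each line carrying our prefix. Fields that are absent (DPT on ICMP) show "-".
summarise_drops() {
    grep -F "$LOG_PREFIX" | awk '{
        src="-"; dst="-"; proto="-"; dpt="-"; in_if="-"; out_if="-"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            if (kv[2] == "") kv[2] = "-"
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "IN") in_if = kv[2]
            else if (kv[1] == "OUT") out_if = kv[2]
        }
        printf "%s -> %s %s/%s via %s->%s\n", src, dst, proto, dpt, in_if, out_if
    }'
}

# Number of logged drops in the sample (used as a quick self-check).
count_sample_drops() {
    printf '%s\n' "$SAMPLE_LOG" | summarise_drops | wc -l | tr -d ' '
}

# Stand-alone run: show the rule that would be added, then the parsed sample.
add_forward_log_rule
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

On a real box the second half would be fed from the live log instead of the sample, for example `tail -f /var/log/messages | summarise_drops`, while the SSH attempt is made from the LAN; a line showing `SRC=192.168.1.x DST=172.16.0.2 TCP/22` proves the packet reached the box and was dropped there, and no line at all means it was accepted (or never arrived).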
Old 05-13-2005, 04:19 AM   #17
fei (Member, Original Poster)
Output for iptables -L:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             ralf.localdomain    udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             ralf.localdomain    udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:ssh state NEW
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  ralf.localdomain     anywhere            udp spts:bootps:bootpc
ACCEPT     udp  --  ralf.localdomain     anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http


Output for iptables -t nat -L:
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere            to:172.16.0.1
SNAT       all  --  anywhere             anywhere            to:192.168.1.1
SNAT       all  --  anywhere             anywhere            to:172.16.0.1
SNAT       all  --  anywhere             anywhere            to:172.16.0.1
SNAT       all  --  anywhere             anywhere            to:172.16.0.1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Old 05-13-2005, 04:24 AM   #18
win32sux (LQ Guru)
Quote:
Originally posted by fei
Just realised the "echo 1 > /proc/sys/net/ipv4/ip_forward" didn't work in the rc.firewall script; I had to type it on the command prompt to enable ip_forward.
are you using slackware?? let me know if you are...

Quote:
After that, the output of ssh 172.16.0.2 is :
ssh: connect to host 172.16.0.2 port 22: Connection refused
this means you are getting a REJECT from 172.16.0.2, and since the policy on the wall is DROP it would seem the packet isn't getting stopped by the wall but by whatever is at 172.16.0.2, which would be beyond me... if the wall was giving a DROP to the 22/TCP packets then you'd get a "Connection timed out" instead of a "Connection refused" AFAIK...

Quote:
have any idea what's wrong?
not yet, i'm looking at the output you just posted...


Last edited by win32sux; 05-13-2005 at 04:25 AM.
 
Old 05-13-2005, 04:27 AM   #19
fei (Member, Original Poster)
YES, I'm using slackware for doing the firewall. Is this a problem of slackware?
 
Old 05-13-2005, 04:29 AM   #20
win32sux (LQ Guru)
Quote:
Originally posted by fei
YES, I'm using slackware for doing the firewall. Is this a problem of slackware?
no, it's not a slackware issue... please post your rc.firewall...
 
Old 05-13-2005, 04:32 AM   #21
win32sux (LQ Guru)
Quote:
Originally posted by fei
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:172.16.0.1
SNAT all -- anywhere anywhere to:192.168.1.1
SNAT all -- anywhere anywhere to:172.16.0.1
SNAT all -- anywhere anywhere to:172.16.0.1
SNAT all -- anywhere anywhere to:172.16.0.1
there shouldn't be multiple "172.16.0.1" lines here... but mainly i'm boggled by the "192.168.1.1" in your POSTROUTING chain... it doesn't make any sense, AFAIK...

i'd like to look at your rc.firewall to see what's going on here...


Last edited by win32sux; 05-13-2005 at 04:34 AM.
 
Old 05-13-2005, 04:32 AM   #22
fei (Member, Original Poster)
my rc.firewall

Code:
#!/bin/sh

# Abort execution on error
set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# You can use this version if you don't want logging
#IPTABLES="/sbin/iptables"
# Use this version to log firewall startup output
IPTABLES=iptables_log

fwlog=/var/log/firewall_start.log
# Clear out the contents of the log file
> $fwlog
iptables_log() {
    # Append IPTables command (arguments) to the log
    echo "$*" >> $fwlog
    # Run the command and log any output
    /usr/sbin/iptables $* 2>&1 | tee -a $fwlog 
}



# You should always refer to useful names. It eases verification.
EthernetIface=eth0
WirelessIface=eth1
InternetIface=eth2

# IP range
EthernetIPs="192.168.1.1/24"
WirelessIPs="192.168.2.1/24"
InternetIPs="172.16.0.1/30"

#
# Bring up the firewall
#
start() {
    # Flush the chains
    $IPTABLES -F
    $IPTABLES -X

    # Turn on packet forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Accept lo interface always
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Set default policies for major chains
    # TODO Are these suitable policies?
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    # accept icmp, so ping can work
    $IPTABLES -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


    # Ethernet to Internet -> This is FORWARDING using nat
    $IPTABLES -P FORWARD DROP

    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j LOG

    $IPTABLES -A FORWARD -p TCP -i eth0 -o eth2 --dport 22 -s 192.168.1.1/24 -m state --state NEW -j LOG

    $IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.16.0.1


    # Ethernet to Router
    # allow DHCP from Ethernet to Ralph
    $IPTABLES -A INPUT -i $EthernetIface -p udp -d 192.168.1.1 --dport 67:68 -j ACCEPT
    # allow DHCP from Ralph to Ethernet
    $IPTABLES -A OUTPUT -o $EthernetIface -p udp -s 192.168.1.1 --sport 67:68 -j ACCEPT    
    # allow DNS from Ethernet to Ralph
    $IPTABLES -A INPUT -i $EthernetIface -p udp -d 192.168.1.1 --dport 53 -j ACCEPT
    # allow DNS from Ralph to Ethernet
    $IPTABLES -A OUTPUT -o $EthernetIface -p udp -s 192.168.1.1 --sport 53 -j ACCEPT
    # allow ssh from ralf to client1
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 -j ACCEPT
    # allow ssh from client1 to ralf
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --dport 22  -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --sport 22 -j ACCEPT
    # allow www from client1 to ralf
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --dport 80  -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --sport 80 -j ACCEPT
        

    

    # Set up NAT - SNAT outgoing connections
    # TODO
    
    # Port forwarding - DNAT incoming connections
    # TODO

    # Set up connection tracking
    # TODO

    # Create chains
    # TODO

    # Link chains together
    # TODO

    # Fill in each chain
    # TODO

    # FORWARD chain
    echo 0 > /proc/sys/net/ipv4/ip_forward
    $IPTABLES -A FORWARD -j REJECT
    $IPTABLES -P FORWARD DROP
}

#
# Take down the firewall, throwing the system wide open
#
stop() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

case "$1" in
  start|restart)
	echo -n "Starting IPTables firewall"
	start
	echo "."
	;;
  stop)
	echo -n "Stopping IPTables firewall"
	stop
	echo "."
	;;
  *)
	echo "Usage: /etc/rc.d/rc.firewall {start|stop|restart}" >&2
	exit 1
	;;
esac

exit 0
 
Old 05-13-2005, 04:37 AM   #23
fei (Member, Original Poster)
Found one thing: I should disable "echo 0 > /proc/sys/net/ipv4/ip_forward" at the end. That's why "echo 1 > ..." didn't work.
 
Old 05-13-2005, 05:02 AM   #24
win32sux (LQ Guru)
try this cleaned-up version i made of your script:
Code:
#!/bin/sh

IPTABLES="/usr/sbin/iptables"

EthernetIface="eth0"
WirelessIface="eth1"
InternetIface="eth2"

EthernetIPs="192.168.1.1/24"
WirelessIPs="192.168.2.1/24"
InternetIP="172.16.0.1"

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j DROP

$IPTABLES -A INPUT -p ICMP --icmp-type 8 \
-m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -p UDP -i $EthernetIface \
--dport 67 --sport 68 -j ACCEPT
   
$IPTABLES -A INPUT -p UDP -i $EthernetIface -s $EthernetIPs --dport 53 \
-m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -p TCP -i $EthernetIface -s $EthernetIPs --dport 22 \
-m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -p TCP -i $EthernetIface -s $EthernetIPs --dport 80 \
-m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -p TCP -i $EthernetIface -o $InternetIface \
--dport 22 -s $EthernetIPs -m state --state NEW -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $InternetIface \
-j SNAT --to-source $InternetIP

echo "1" > /proc/sys/net/ipv4/ip_forward

echo "So let it be written. So let it be done."

Last edited by win32sux; 05-13-2005 at 06:14 PM.
 
Old 05-13-2005, 05:04 AM   #25
fei (Member, Original Poster)
Quote:
Originally posted by win32sux
there shouldn't be multiple "172.16.0.1" lines here... but mainly i'm boggled by the "192.168.1.1" in your POSTROUTING chain... it doesn't make any sense, AFAIK...

i'd like to look at your rc.firewall to see what's going on here...
Actually, to remove the multiple "172.16.0.1" lines, I need to flush the nat table every time I start the firewall again, so it is:
Code:
iptables -t nat -F
 
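The two fixes found in posts #23 and #25 (stop resetting ip_forward to 0 at the end of the script, and flush the nat table before adding the SNAT rule) combined into one restart-safe start sequence, as an added example that is not code from the thread or from either poster. Interface names and addresses are the ones used in the thread; DRY_RUN=1 (the default) prints the commands instead of executing them, so it runs without root, and the `run`/`sysctl_set` wrappers and `check_order` are assumptions of this example.

```shell
#!/bin/sh
# Added example: a start sequence that can be rerun any number of times
# without stacking duplicate SNAT rules, and that ends with forwarding ON.
# DRY_RUN=1 (default) echoes commands instead of running them.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
EthernetIface="eth0"
InternetIface="eth2"
EthernetIPs="192.168.1.0/24"
InternetIP="172.16.0.1"

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Write a /proc/sys/net/ipv4 knob (or print what would be written).
sysctl_set() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "echo $2 > /proc/sys/net/ipv4/$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

firewall_start() {
    # Stop forwarding while the rule set is rebuilt, so no packet crosses the
    # box between the flush (policies still open) and the final rules.
    sysctl_set ip_forward 0

    # Flush and delete chains in every table that gets rules. The nat table is
    # the one that collected a new SNAT line on every restart in the thread.
    for t in filter nat mangle; do
        run -t "$t" -F
        run -t "$t" -X
    done

    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$EthernetIface" -s "$EthernetIPs" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$EthernetIface" -o "$InternetIface" -s "$EthernetIPs" \
        -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Exactly one SNAT rule, added after the flush, so "iptables -t nat -L"
    # shows a single POSTROUTING entry however often the script is rerun.
    run -t nat -A POSTROUTING -o "$InternetIface" -j SNAT --to-source "$InternetIP"

    # Enable forwarding last. Nothing after this line touches ip_forward,
    # which is the mistake the original rc.firewall made.
    sysctl_set ip_forward 1
}

# Self-check on the generated command list: nat is flushed before anything is
# appended to it, and the final step turns forwarding on. Returns 0 on success.
check_order() {
    out=$(firewall_start)
    flush_line=$(printf '%s\n' "$out" | grep -n -- '-t nat -F' | cut -d: -f1)
    snat_line=$(printf '%s\n' "$out" | grep -n -- '-t nat -A POSTROUTING' | cut -d: -f1)
    last=$(printf '%s\n' "$out" | tail -n 1)
    [ -n "$flush_line" ] && [ -n "$snat_line" ] \
        && [ "$flush_line" -lt "$snat_line" ] \
        && [ "$last" = "echo 1 > /proc/sys/net/ipv4/ip_forward" ]
}

# Stand-alone run: print the command sequence.
firewall_start
```

Running it with `DRY_RUN=0` as root applies the rules; running `check_order` first (or reading the dry-run output) is a cheap way to confirm the ordering before touching a live box.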
Old 05-13-2005, 05:08 AM   #26
win32sux (LQ Guru)
i had missed the ESTABLISHED,RELATED rule in the FORWARD chain of the script i just posted and i just added it so please make sure you are using the latest one when you try...
 
Old 05-13-2005, 05:10 AM   #27
fei (Member, Original Poster)
sorry. Can you post the latest version again? Just want to make sure I'm using the right one.
 
Old 05-13-2005, 05:11 AM   #28
win32sux (LQ Guru)
http://www.linuxquestions.org/questi...70#post1640370

Last edited by win32sux; 05-13-2005 at 05:13 AM.
 
Old 05-13-2005, 05:14 AM   #29
fei (Member, Original Poster)
sorry, still the same, connection refused
Code:
root@client1:~# ssh 172.16.0.2
ssh: connect to host 172.16.0.2 port 22: Connection refused
 
Old 05-13-2005, 05:17 AM   #30
fei (Member, Original Poster)
I think something is wrong with the server 172.16.0.2, not your fault. I'll try to fix it.

Seriously, thanks for your help. It might have taken me forever to do it. It's so hard to understand how iptables works, especially FORWARD and nat.
 