LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 05-06-2006, 02:13 PM   #1
pdeman2
Member
 
Registered: Jul 2005
Location: Maine, USA
Distribution: OpenSUSE, Gentoo, Fedora, Ubuntu, Mandriva, others
Posts: 413

iptables errors after running a setup script.


Today I just got a setup script to configure my firewall. I don't know anything much about iptables, so bear with me. The script I am using is based on a script here. Here it is:
Code:
#!/bin/bash

echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables location
ipt=/sbin/iptables
#
# interfaces
lo=lo
ext=eth0
int=eth1
#
# Spoof protection.  All networks & IP's that should not exist
#
spoofed="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 255.255.255.255"
#
# All ports to open
#
tcp_ports="21 22 25 80 139 443 445 10000 20000"
udp_ports="137 138"
#
# Logging options for all logged packets
#
logops="--log-level=3 -m limit --limit 1/second --limit-burst=3"
#
#
# Set policies and delete, flush and zero chains
#
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
for table in filter nat mangle
do
$ipt -t $table -F #flush
$ipt -t $table -X #delete
$ipt -t $table -Z #zero
done
#
# Check and log all spoofed IP's from external hosts.
#
$ipt -N BAD_IP
$ipt -A BAD_IP -j LOG --log-prefix "IPT: BAD IP: " $logops
$ipt -A BAD_IP -j DROP
$ipt -N SPOOF
for spf in $spoofed
do
$ipt -A SPOOF -s $spf -j BAD_IP
done
#
# Allow these packets into network
# 1. Allow related and established connections
# 2. Allow ICMP packets
# 3. Deny everything else
#
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p icmp -j ACCEPT
$ipt -A IN_NETWORK -j LOG --log-prefix "IPT: IN_NETWORK: " $logops
$ipt -A IN_NETWORK -j DROP
#
# Allow these packets out
# Trust users, internal routers will take care of others
#
$ipt -N OUT_NETWORK
$ipt -A OUT_NETWORK
$ipt -A OUT_NETWORK -i $int -j ACCEPT
$ipt -A OUT_NETWORK -j DROP
#
# Filter incoming to firewall
# 1. Allow established and related connections
# 2. Allow new connections on specific ports
# 3. Log and Drop everything else
#
$ipt -N EXT_FIREWALL
$ipt -A EXT_FIRWALL -m state --state INVALID -j DROP
$ipt -A EXT_FIRWALL -j SPOOF
$ipt -A EXT_FIRWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A EXT_FIREWALL -p icmp -j ACCEPT
#
# Open ports
#
for tcp_p in $tcp_ports
do
$ipt -A EXT_FIREWALL -p tcp --dport $tcp_p -m state --state NEW -j ACCEPT
done
for udp_p in $udp_port
do
$ipt -A EXT_FIREWALL -p udp --dport $udp_p -m state --state NEW -j ACCEPT
done
$ipt -A EXT_FIREWALL -j LOG --log-prefix "IPT: EXT_FIREWALL: " $logops
$ipt -A EXT_FIREWALL -j DROP
#
# Connections from green, blue, yellow sides
# 1. Allow connections from all internal.  Internal routers will take care of others
#
$ipt -N INT_FIREWALL
$ipt -A INT_FIREWALL -m state --state INVALID -j DROP
$ipt -A INT_FIREWALL -j ACCEPT
#
# Primary Rules
# 1. Allow all loopback traffic.
# 2. Send internal connections to INT_FIREWALL chain
# 3. Send external connections to EXT_FIREWALL chain
# 4. Send connections entering LAN to IN_NETWORK
# 5. Send connections leaving LAN to OUT_NETWORK
# 6. Do not modify packets leaving computer to improve performance.
#
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i $int -j INT_FIREWALL
$ipt -A INPUT -i $ext -j EXT_FIREWALL
$ipt -A FORWARD -i $ext -j IN_NETWORK
$ipt -A FORWARD -i $int -j OUT_NETWORK
# $ipt -A OUTPUT -i lo -j ACCEPT
# $ipt -A OUTPUT -i $int -j ACCEPT
# $ipt -A OUTPUT -i $ext -J ACCEPT
#
# Turn on Masquerading and port forwarding
#
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE
#
When I run it on the firewall, it gives me a couple of "iptables: No chain/target/match by that name" and then all connections to the machine get cut off. I don't know what I'm doing wrong, but I imagine it's something simple. Thanks.
 
Old 05-06-2006, 03:01 PM   #2
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Have you created the chains IN_NETWORK and OUT_NETWORK? I read that only quickly, so sorry if that's not the case.
 
Old 05-06-2006, 04:02 PM   #3
pdeman2
Member
 
Registered: Jul 2005
Location: Maine, USA
Distribution: OpenSUSE, Gentoo, Fedora, Ubuntu, Mandriva, others
Posts: 413

Original Poster
I just created the chains IN_NETWORK, OUT_NETWORK, BAD_IP, SPOOF, EXT_FIREWALL, INT_FIREWALL, POSTROUTING, and MASQUERADE. It gave the same output.
 
Old 05-06-2006, 09:17 PM   #4
pdeman2
Member
 
Registered: Jul 2005
Location: Maine, USA
Distribution: OpenSUSE, Gentoo, Fedora, Ubuntu, Mandriva, others
Posts: 413

Original Poster
OK, I've sorted it out. First off, the do loops for flushing were not working properly on my system (Fedora 5). I tried other methods with no luck. In the new script these loops are commented out. After that there was one small problem: the $udp_ports variable was called $udp_port in one place. Now I just have to manually flush the rules. Thanks for the help anyway.

Here is the new script:
Code:
#!/bin/bash

echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables location
ipt=/sbin/iptables
#
# interfaces
lo=lo
ext=eth0
int=eth1
#
# Spoof protection.  All networks & IP's that should not exist
#
spoofed="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 255.255.255.255"
#
# All ports to open
#
tcp_ports="21 22 25 80 139 443 445 10000 20000"
udp_ports="137 138"
#
# Logging options for all logged packets
#
logops="--log-level=3 -m limit --limit 1/second --limit-burst=3"
#
#
# Set policies and delete, flush and zero chains
#
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
#for table in filter nat mangle
#do
#$ipt -t $table -F #flush
#$ipt -t $table -X #delete
#$ipt -t $table -Z #zero
#done
#
# Check and log all spoofed IP's from external hosts.
#
$ipt -N BAD_IP
$ipt -A BAD_IP -j LOG --log-prefix "IPT: BAD IP: " $logops
$ipt -A BAD_IP -j DROP
$ipt -N SPOOF
for spf in $spoofed
do
$ipt -A SPOOF -s $spf -j BAD_IP
done
#
# Allow these packets into network
# 1. Allow related and established connections
# 2. Allow ICMP packets
# 3. Deny everything else
#
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p icmp -j ACCEPT
$ipt -A IN_NETWORK -j LOG --log-prefix "IPT: IN_NETWORK: " $logops
$ipt -A IN_NETWORK -j DROP
#
# Allow these packets out
# Trust users, internal routers will take care of others
#
$ipt -N OUT_NETWORK
$ipt -A OUT_NETWORK -i $int -j ACCEPT
$ipt -A OUT_NETWORK -j DROP
#
# Filter incoming to firewall
# 1. Allow established and related connections
# 2. Allow new connections on specific ports
# 3. Log and Drop everything else
#
$ipt -N EXT_FIREWALL
# The chain name must match the one created above: a typo here (EXT_FIRWALL)
# makes iptables fail with "No chain/target/match by that name", and because
# the ESTABLISHED,RELATED rule is then never added, replies to the firewall's
# own outbound connections arriving on $ext are logged and dropped.
$ipt -A EXT_FIREWALL -m state --state INVALID -j DROP
$ipt -A EXT_FIREWALL -j SPOOF
$ipt -A EXT_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A EXT_FIREWALL -p icmp -j ACCEPT
#
# Open ports
#
for tcp_p in $tcp_ports
do
$ipt -A EXT_FIREWALL -p tcp --dport $tcp_p -m state --state NEW -j ACCEPT
done
for udp_p in $udp_ports
do
$ipt -A EXT_FIREWALL -p udp --dport $udp_p -m state --state NEW -j ACCEPT
done
$ipt -A EXT_FIREWALL -j LOG --log-prefix "IPT: EXT_FIREWALL: " $logops
$ipt -A EXT_FIREWALL -j DROP
#
# Connections from green, blue, yellow sides
# 1. Allow connections from all internal.  Internal routers will take care of others
#
$ipt -N INT_FIREWALL
$ipt -A INT_FIREWALL -m state --state INVALID -j DROP
$ipt -A INT_FIREWALL -j ACCEPT
#
# Primary Rules
# 1. Allow all loopback traffic.
# 2. Send internal connections to INT_FIREWALL chain
# 3. Send external connections to EXT_FIREWALL chain
# 4. Send connections entering LAN to IN_NETWORK
# 5. Send connections leaving LAN to OUT_NETWORK
# 6. Do not modify packets leaving computer to improve performance.
#
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i $int -j INT_FIREWALL
$ipt -A INPUT -i $ext -j EXT_FIREWALL
$ipt -A FORWARD -i $ext -j IN_NETWORK
$ipt -A FORWARD -i $int -j OUT_NETWORK
# Left disabled (OUTPUT policy is ACCEPT). Note that rules in the OUTPUT chain
# match on the outgoing interface with -o; iptables rejects -i there.
# $ipt -A OUTPUT -o lo -j ACCEPT
# $ipt -A OUTPUT -o $int -j ACCEPT
# $ipt -A OUTPUT -o $ext -j ACCEPT
#
# Turn on Masquerading and port forwarding
#
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE
#
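A static check for the two kinds of mistake this thread turns up (a chain referenced under a name that was never created with -N, and a variable that is never assigned), added here as an example and not code from the original post: `lint_ipt_script` and `write_sample` are hypothetical names, and the sample file is a constructed excerpt rather than the full script above.

```shell
#!/bin/bash
# Hypothetical lint for an iptables setup script, written for this thread and not
# part of any project. It reports a chain named after -A/-I/-j that is neither
# built in nor created earlier with -N, and a $variable the script never assigns.
# Only "name=value", "for name in ..." and bare $name forms are understood.
BUILTIN="INPUT OUTPUT FORWARD PREROUTING POSTROUTING ACCEPT DROP REJECT LOG RETURN MASQUERADE SNAT DNAT"
# lint_ipt_script FILE: print one line per problem; return 1 if any were found.
lint_ipt_script() {
    file=$1 known=$BUILTIN vars="" status=0 lineno=0
    set -f                                          # no globbing while splitting tokens
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line#"${line%%[![:space:]]*}"}       # drop leading blanks
        case "$line" in
            ""|\#*) continue ;;                     # blank line or comment
            [A-Za-z_]*=*) vars="$vars ${line%%=*}" ;;   # name=value
            for\ *) set -- $line; vars="$vars $2" ;;    # for name in ...
        esac
        prev=""
        for tok in $line; do
            case "$tok" in \#*) break ;; esac       # trailing comment
            case "$prev" in
                -N) known="$known $tok" ;;          # chain created here
                -A|-I|-j) case " $known " in *" $tok "*) ;; *)
                    echo "$file:$lineno: unknown chain or target '$tok'"; status=1 ;;
                esac ;;
            esac
            case "$tok" in \$[A-Za-z_]*) case " $vars " in *" ${tok#\$} "*) ;; *)
                echo "$file:$lineno: variable '${tok#\$}' is never assigned"; status=1 ;;
            esac ;; esac
            prev=$tok
        done
    done < "$file"
    set +f
    return $status
}
# write_sample FILE: constructed excerpt of the thread's script carrying both bugs.
write_sample() {
    cat > "$1" <<'EOF'
ipt=/sbin/iptables
udp_ports="137 138"
$ipt -N EXT_FIREWALL
$ipt -A EXT_FIRWALL -j DROP
for udp_p in $udp_port
do
$ipt -A EXT_FIREWALL -p udp --dport $udp_p -m state --state NEW -j ACCEPT
done
EOF
}
```

Run `lint_ipt_script /path/to/firewall.sh` before executing a script on the firewall; on the constructed sample it reports line 4 (EXT_FIRWALL) and line 5 (udp_port) and exits 1.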