wiyosaya |
10-03-2018 09:06 PM |
iptables firewall script - Attached router to eth0 that had internet IP and cannot communicate with router
I went from
Internet -- > eth0 iptables firewall/NAT - eth1 local lan 192.168.1.*
to
Internet --> router --> eth0 iptables firewall/NAT - eth1 local lan 192.168.1.*
the address of eth1 is 192.168.1.201
eth0 now connects to the router and gets a DHCP address in the range 192.168.100.* when it used to get an ipaddress that was a valid internet address.
The router itself is at 192.168.100.1
I cannot ping/browse to/traceroute the router from anywhere on my local lan including the linux PC running the iptables firewall.
I am wondering what I need to add to my firewall script to allow traffic to/from my local lan to the router.
If anyone is able to help, it would be greatly appreciated.
My skill level is not all that high. I would not consider myself a complete newbie, but I am definitely not an expert. I wrote some of my firewall script myself with bits that I got in various postings elsewhere.
Here is my iptables script: (NOTE that I am not running IPV6, therefore, the ip6tables lines in the script are irrelevant.)
Thanks in advance!
Code:
#! /bin/sh
# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
#
# Author: Kurt Garloff <feedback@suse.de>
#
# /etc/init.d/firewall
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $local_fs $dummy
# Required-Stop: network
# Default-Start: 2 3 5
# Default-Stop:
# Description: Provides a packet filtering firewall at startup.
### END INIT INFO
IPTABLES=`which iptables`
test -x $IPTABLES || exit 5
IP6TABLES=`which ip6tables`
test -x $IPTABLES || exit 5
# Set IPT_DBG to 1 to log all incoming packets accepted and all drops
IPT_DBG="0"
LAN_IP="192.168.1.201"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IFACE="eth0"
#INET_IFACE="ppp0"
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num><num>
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
. /etc/rc.status
# First reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.
case "$1" in
start)
echo "Starting IPTables and IP6TABLES"
#if test $IPT_DBG="1"; then
# echo "Firewall script set to log debug info."
# echo "All accepted and dropped packets will be logged."
#fi
# rc.firewall - DHCP IP Firewall script for 2.4.x
#
# Author: Oskar Andreasson <blueflux@koffein.net>
# (c) of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com
#
# load OS footprints
/usr/sbin/nfnl_osf -f /usr/share/xtables/pf.os
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
# POSTROUTING chain in the nat table
#
#$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
#-j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IP6TABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New pkt dropped FORWARD ch: "
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$IP6TABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New ipv6 pkt dropped FORWARD ch: "
$IP6TABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#
# Accept the packets we actually want to forward
#
#if test $IPT_DBG="1"; then
# $IPTABLES -A FORWARD -i $LAN_IFACE -j LOG \
# --log-prefix "Accepted FORWARD ch packet: "
#fi
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IP6TABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
#if test $IPT_DBG="1"; then
# $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j LOG \
# --log-prefix "Accepted est,rel FWD pkt: "
#fi
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level 2 --log-prefix "FORWARD packet died: "
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level 2 --log-prefix "FORWARD packet died: "
if test $IPT_DBG="1"; then
$IPTABLES -A FORWARD -j LOG --log-prefix \
"Default, dropped FWD ch pkt: "
fi
#rules for accounting
$IPTABLES -N INET_IN
$IPTABLES -N INET_OUT
$IPTABLES -A INET_IN -i $INET_IFACE
$IPTABLES -A INET_OUT -o $INET_IFACE
$IPTABLES -I FORWARD -j INET_IN
$IPTABLES -I FORWARD -j INET_OUT
$IPTABLES -I INPUT -j INET_IN
$IPTABLES -I OUTPUT -j INET_OUT
$IP6TABLES -N INET_IN
$IP6TABLES -N INET_OUT
$IP6TABLES -A INET_IN -i $INET_IFACE
$IP6TABLES -A INET_OUT -o $INET_IFACE
$IP6TABLES -I FORWARD -j INET_IN
$IP6TABLES -I FORWARD -j INET_OUT
$IP6TABLES -I INPUT -j INET_IN
$IP6TABLES -I OUTPUT -j INET_OUT
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
$IP6TABLES -N icmp_packets
$IP6TABLES -N tcp_packets
$IP6TABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IP6TABLES -N allowed
#if test $IPT_DBG="1"; then
# $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j LOG \
# --log-prefix "Acpt est,rel TCP alwd pkt: "
#fi
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -d 192.168.100.0/24 -j ACCEPT
$IP6TABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
if test $IPT_DBG="1"; then
$IPTABLES -A allowed -p TCP -s 0/0 -j LOG \
--log-prefix "Dropped TCP alwd chain pkt: "
fi
$IPTABLES -A allowed -p TCP -s 0/0 -j DROP
$IP6TABLES -A allowed -p TCP -s 0/0 -j DROP
#
# ICMP rules
#
#if test $IPT_DBG="1"; then
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j LOG \
# --log-prefix "Accepted ICMP type 0: "
#fi
# Destination unreachable
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IP6TABLES -A icmp_packets -p ICMP -s 0/0 -j DROP
#if test $IPT_DBG="1"; then
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j LOG \
# --log-prefix "Accepted ICMP type 3: "
#fi
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
#if test $IPT_DBG="1"; then
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j LOG \
# --log-prefix "Accepted ICMP type 5: "
#fi
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
#if test $IPT_DBG="1"; then
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j LOG \
# --log-prefix "Accepted ICMP type 11: "
#fi
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
if test $IPT_DBG="1"; then
$IPTABLES -A icmp_packets -p ICMP -s 0/0 -j LOG \
--log-prefix "Unallowed ICMP: "
fi
$IPTABLES -A icmp_packets -p ICMP -s 0/0 -j DROP
#
# TCP rules
#
# These have been commented out and are left for example just in case
# something similar is ever needed.
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
# Send all tcp packets that get this far to the allowed chain for
# further filtering.
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j allowed
#
# UDP ports
#
# These lines allow a response to any outgoing DNS query to get through.
# Queries on port 53 are dropped if the incoming packet does not have an
# established connection by virtue of the line with the "NEW" state.
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state NEW \
--source-port 53 -j LOG \
--log-prefix "Unallowed DNS: "
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state NEW \
--source-port 53 -j DROP
#if test $IPT_DBG="1"; then
# $IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state ESTABLISHED,RELATED \
# --source-port 53 -j LOG --log-prefix \
# "Accepted est,rel UDP DNS: "
#fi
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state ESTABLISHED,RELATED \
--source-port 53 -j ACCEPT
if test $IPT_DBG="1"; then
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -j LOG --log-prefix \
"Dropped UDP packet: "
fi
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -j DROP
#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's
#
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#
# INPUT chain
#
# Take care of bad TCP packets that we don't want
#
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#
# Special rule for Samba
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j ACCEPT
#if test $IPT_DBG="1"; then
# $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \
# --state ESTABLISHED,RELATED -j LOG --log-prefix \
# "Accepted est,rel pkt: "
#fi
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
#
# Rules for incoming packets from the internet
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
if test $IPT_DBG="1"; then
$IPTABLES -A INPUT -p ALL -j LOG --log-prefix \
"Dropped INPUT chain packet: "
fi
#
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "Ouput chain - New not syn: "
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 137:139 -j \
LOG --log-prefix "Outgoing netbios: "
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --source-port 137:139 -j \
LOG --log-prefix "Outgoing netbios: "
$IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 445 -j \
LOG --log-prefix "Outgoing netbios: "
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --source-port 445 -j \
LOG --log-prefix "Outgoing netbios: "
$IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 137:139 -j DROP
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --source-port 137:139 -j DROP
$IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
#
# Special rules for Samba
#
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -d $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -d $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.100.0/24 -d $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -d 192.168.1/24 -j ACCEPT
if test $IPT_DBG="1"; then
$IPTABLES -A OUTPUT -p ALL -j LOG --log-prefix \
"Dropped OUTPUT chain packet: "
fi
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down IPTables and IP6Tables"
/usr/sbin/nfnl_osf -f /usr/share/xtables/pf.os -d
/bin/date >> /export/net1/Accounting/inet_accounting.log
$IPTABLES -L INET_IN -v -x >> /export/net1/Accounting/inet_accounting.log
$IPTABLES -L INET_OUT -v -x >> /export/net1/Accounting/inet_accounting.log
$IP6TABLES -L INET_IN -v -x >> /export/net1/Accounting/inet_accounting.log
$IP6TABLES -L INET_OUT -v -x >> /export/net1/Accounting/inet_accounting.log
#Flush all rules from IPTables memory
$IPTABLES -F
$IP6TABLES -F
#Delete chains added during startup.
$IPTABLES -X icmp_packets
$IPTABLES -X tcp_packets
$IPTABLES -X udpincoming_packets
$IPTABLES -X allowed
$IPTABLES -X INET_IN
$IPTABLES -X INET_OUT
$IP6TABLES -X icmp_packets
$IP6TABLES -X tcp_packets
$IP6TABLES -X udpincoming_packets
$IP6TABLES -X allowed
$IP6TABLES -X INET_IN
$IP6TABLES -X INET_OUT
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
# Remember status and be verbose
rc_status -v
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
rc_exit
|