LinuxQuestions.org

Linux - Networking: https://www.linuxquestions.org/questions/linux-networking-3/iptables-firewall-script-attached-router-to-eth0-that-had-internet-ip-and-cannot-communicate-with-router-4175639690/

wiyosaya 10-03-2018 09:06 PM

iptables firewall script - Attached router to eth0 that had internet IP and cannot communicate with router
 
I went from

Internet --> eth0 iptables firewall/NAT - eth1 local LAN 192.168.1.*

to

Internet --> router --> eth0 iptables firewall/NAT - eth1 local LAN 192.168.1.*

The address of eth1 is 192.168.1.201.

eth0 now connects to the router and gets a DHCP address in the range 192.168.100.*, where it used to get an IP address that was a valid internet address.

The router itself is at 192.168.100.1.

I cannot ping/browse to/traceroute the router from anywhere on my local LAN, including the Linux PC running the iptables firewall.

I am wondering what I need to add to my firewall script to allow traffic to/from my local LAN to the router.

If anyone is able to help, it would be greatly appreciated.

My skill level is not all that high. I would not consider myself a complete newbie, but I am definitely not an expert. I wrote some of my firewall script myself with bits that I got in various postings elsewhere.

Here is my iptables script. (NOTE that I am not running IPv6; therefore, the ip6tables lines in the script are irrelevant.)

Thanks in advance!

Code:

#! /bin/sh
# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
#
# Author: Kurt Garloff <feedback@suse.de>
#
# /etc/init.d/firewall
#
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start: $local_fs $dummy
# Required-Stop: network
# Default-Start:  2 3 5
# Default-Stop:
# Description:    Provides a packet filtering firewall at startup.
### END INIT INFO

IPTABLES=`which iptables`
test -x $IPTABLES || exit 5

IP6TABLES=`which ip6tables`
# The original line re-tested $IPTABLES here; check the ip6tables binary instead.
# Note that the script still exits (installing no rules at all) if it is missing.
test -x $IP6TABLES || exit 5

# Set IPT_DBG to 1 to log all incoming packets accepted and all drops
IPT_DBG="0"

LAN_IP="192.168.1.201"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth1"

LO_IFACE="lo"
LO_IP="127.0.0.1"

INET_IFACE="eth0"
#INET_IFACE="ppp0"

# Shell functions sourced from /etc/rc.status:
#      rc_check        check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v    ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num><num>
#      rc_reset        clear local rc status (overall remains)
#      rc_exit          exit appropriate to overall rc status
. /etc/rc.status

# First reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.

case "$1" in
    start)
        echo "Starting IPTables and IP6TABLES"
#if test $IPT_DBG="1"; then
#        echo "Firewall script set to log debug info."
#        echo "All accepted and dropped packets will be logged."
#fi


        # rc.firewall - DHCP IP Firewall script for 2.4.x
        #
        # Author: Oskar Andreasson <blueflux@koffein.net>
        # (c) of BoingWorld.com, use at your own risk, do whatever you please with
        # it as long as you don't distribute this without due credits to
        # BoingWorld.com
        #
        # load OS footprints
        /usr/sbin/nfnl_osf -f /usr/share/xtables/pf.os
        #
        # Needed to initially load modules
        #
        /sbin/depmod -a

        #
        # Adds some iptables targets like LOG, REJECT and MASQUERADE.
        #
        /sbin/modprobe ipt_LOG
        #/sbin/modprobe ipt_REJECT
        /sbin/modprobe ipt_MASQUERADE
        /sbin/modprobe ip_nat_ftp
        #
        # Support for owner matching
        #
        #/sbin/modprobe ipt_owner

        #
        # Support for connection tracking of FTP and IRC.
        #
        /sbin/modprobe ip_conntrack_ftp
        #/sbin/modprobe ip_conntrack_irc

        #
        # Set default policies for the INPUT, FORWARD and OUTPUT chains
        #

        $IPTABLES -P INPUT DROP
        $IPTABLES -P OUTPUT DROP
        $IPTABLES -P FORWARD DROP
       
        $IP6TABLES -P INPUT DROP
        $IP6TABLES -P OUTPUT DROP
        $IP6TABLES -P FORWARD DROP

        # POSTROUTING chain in the nat table
        #
        #$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
        #-j TCPMSS --clamp-mss-to-pmtu
        $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

        $IP6TABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
       
        #
        # Bad TCP packets we don't want
        #

        $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG \
        --log-prefix "New pkt dropped FORWARD ch: "
        $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

        $IP6TABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG \
        --log-prefix "New ipv6 pkt dropped FORWARD ch: "
        $IP6TABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

        #
        # Accept the packets we actually want to forward
        #

#if test $IPT_DBG="1"; then
#        $IPTABLES -A FORWARD -i $LAN_IFACE -j LOG \
#      --log-prefix "Accepted FORWARD ch packet: "
#fi
        $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT

        $IP6TABLES -A FORWARD -i $LAN_IFACE -j ACCEPT

#if test $IPT_DBG="1"; then
#        $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j LOG \
#        --log-prefix "Accepted est,rel FWD pkt: "
#fi
        $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level 2  --log-prefix "FORWARD packet died: "

        $IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IP6TABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level 2  --log-prefix "FORWARD packet died: "

# Note: the original condition was 'test $IPT_DBG="1"', which tests the single
# non-empty string 0=1 and is therefore always true, so these debug LOG rules
# were installed even with IPT_DBG="0". Compare the value explicitly instead.
if test "$IPT_DBG" = "1"; then
        $IPTABLES -A FORWARD -j LOG --log-prefix \
        "Default, dropped FWD ch pkt: "
fi

        #rules for accounting
        $IPTABLES -N INET_IN
        $IPTABLES -N INET_OUT
        $IPTABLES -A INET_IN -i $INET_IFACE
        $IPTABLES -A INET_OUT -o $INET_IFACE
        $IPTABLES -I FORWARD -j INET_IN
        $IPTABLES -I FORWARD -j INET_OUT
        $IPTABLES -I INPUT -j INET_IN
        $IPTABLES -I OUTPUT -j INET_OUT

        $IP6TABLES -N INET_IN
        $IP6TABLES -N INET_OUT
        $IP6TABLES -A INET_IN -i $INET_IFACE
        $IP6TABLES -A INET_OUT -o $INET_IFACE
        $IP6TABLES -I FORWARD -j INET_IN
        $IP6TABLES -I FORWARD -j INET_OUT
        $IP6TABLES -I INPUT -j INET_IN
        $IP6TABLES -I OUTPUT -j INET_OUT

        #
        # Create separate chains for ICMP, TCP and UDP to traverse
        #

        $IPTABLES -N icmp_packets
        $IPTABLES -N tcp_packets
        $IPTABLES -N udpincoming_packets

        $IP6TABLES -N icmp_packets
        $IP6TABLES -N tcp_packets
        $IP6TABLES -N udpincoming_packets

        #
        # The allowed chain for TCP connections
        #

        $IPTABLES -N allowed

        $IP6TABLES -N allowed

#if test $IPT_DBG="1"; then
#        $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j LOG \
#        --log-prefix "Acpt est,rel TCP alwd pkt: "
#fi
        $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

        $IPTABLES -A allowed -p TCP -d 192.168.100.0/24 -j ACCEPT

        $IP6TABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

if test "$IPT_DBG" = "1"; then   # was: test $IPT_DBG="1" (always true)
        $IPTABLES -A allowed -p TCP -s 0/0 -j LOG \
        --log-prefix "Dropped TCP alwd chain pkt: "
fi
        $IPTABLES -A allowed -p TCP -s 0/0 -j DROP

        $IP6TABLES -A allowed -p TCP -s 0/0 -j DROP

        #
        # ICMP rules
        #

#if test $IPT_DBG="1"; then
#        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j LOG \
#        --log-prefix "Accepted ICMP type 0: "
#fi
        # Destination unreachable
        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT

        $IP6TABLES -A icmp_packets -p ICMP -s 0/0 -j DROP

#if test $IPT_DBG="1"; then
#        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j LOG \
#        --log-prefix "Accepted ICMP type 3: "
#fi
        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT

#if test $IPT_DBG="1"; then
#        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j LOG \
#        --log-prefix "Accepted ICMP type 5: "
#fi
        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT

#if test $IPT_DBG="1"; then
#        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j LOG \
#        --log-prefix "Accepted ICMP type 11: "
#fi
        $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

if test "$IPT_DBG" = "1"; then   # was: test $IPT_DBG="1" (always true)
        $IPTABLES -A icmp_packets -p ICMP -s 0/0 -j LOG \
        --log-prefix "Unallowed ICMP: "
fi
        $IPTABLES -A icmp_packets -p ICMP -s 0/0 -j DROP

        #
        # TCP rules
        #

        # These have been commented out and are left for example just in case
        # something similar is ever needed.
        # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
        # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
        # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
        # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

        # Send all tcp packets that get this far to the allowed chain for
        # further filtering.
        $IPTABLES -A tcp_packets -p TCP -s 0/0 -j allowed

        #
        # UDP ports
        #

        # These lines allow a response to any outgoing DNS query to get through.
        # Queries on port 53 are dropped if the incoming packet does not have an
        # established connection by virtue of the line with the "NEW" state.
        $IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state NEW \
        --source-port 53 -j LOG \
        --log-prefix "Unallowed DNS: "
        $IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state NEW \
        --source-port 53 -j DROP
#if test $IPT_DBG="1"; then
#        $IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state ESTABLISHED,RELATED \
#        --source-port 53 -j LOG --log-prefix \
#        "Accepted est,rel UDP DNS: "
#fi
        $IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state ESTABLISHED,RELATED \
        --source-port 53 -j ACCEPT

if test "$IPT_DBG" = "1"; then   # was: test $IPT_DBG="1" (always true)
        $IPTABLES -A udpincoming_packets -p UDP -s 0/0 -j LOG --log-prefix \
        "Dropped UDP packet: "
fi
        $IPTABLES -A udpincoming_packets -p UDP -s 0/0 -j DROP

        #
        # PREROUTING chain.
        #
        # Do some checks for obviously spoofed IP's
        #

        $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
        $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
        $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP


        #
        # INPUT chain
        #
        # Take care of bad TCP  packets that we don't want
        #

        $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
        --log-prefix "New not syn:"
        $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

        #
        # Special rule for Samba
        #
        $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

        #
        # Rules for special networks not part of the Internet
        #

        $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
        $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j ACCEPT
#if test $IPT_DBG="1"; then
#        $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \
#        --state ESTABLISHED,RELATED -j LOG --log-prefix \
#        "Accepted est,rel pkt: "
#fi
        $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \
        --state ESTABLISHED,RELATED -j ACCEPT

        #
        # Rules for incoming packets from the internet
        #

        $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
        $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
        $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

if test "$IPT_DBG" = "1"; then   # was: test $IPT_DBG="1" (always true)
        $IPTABLES -A INPUT -p ALL -j LOG --log-prefix \
        "Dropped INPUT chain packet: "
fi
        #
        # OUTPUT chain
        #

        $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
        --log-prefix "Ouput chain - New not syn: "
        $IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

        $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
        $IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 137:139 -j \
        LOG --log-prefix "Outgoing netbios: "
        $IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --source-port 137:139 -j \
        LOG --log-prefix "Outgoing netbios: "
        $IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 445 -j \
        LOG --log-prefix "Outgoing netbios: "
        $IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --source-port 445 -j \
        LOG --log-prefix "Outgoing netbios: "
        $IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 137:139 -j DROP
        $IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --source-port 137:139 -j DROP
        $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT
        $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

        #
        # Special rules for Samba
        #
        $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -d $LAN_IP -j ACCEPT
        $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -d $LO_IP -j ACCEPT
        $IPTABLES -A OUTPUT -p ALL -s 192.168.100.0/24 -d $LO_IP -j ACCEPT
        $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -d 192.168.1/24 -j ACCEPT

if test "$IPT_DBG" = "1"; then   # was: test $IPT_DBG="1" (always true)
        $IPTABLES -A OUTPUT -p ALL -j LOG --log-prefix \
        "Dropped OUTPUT chain packet: "
fi

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down IPTables and IP6Tables"
        /usr/sbin/nfnl_osf -f /usr/share/xtables/pf.os -d
        /bin/date >> /export/net1/Accounting/inet_accounting.log
        $IPTABLES -L INET_IN -v -x >> /export/net1/Accounting/inet_accounting.log
        $IPTABLES -L INET_OUT -v -x >> /export/net1/Accounting/inet_accounting.log

        $IP6TABLES -L INET_IN -v -x >> /export/net1/Accounting/inet_accounting.log
        $IP6TABLES -L INET_OUT -v -x >> /export/net1/Accounting/inet_accounting.log

        #Flush all rules from IPTables memory
        $IPTABLES -F
        $IP6TABLES -F

        #Delete chains added during startup.
        $IPTABLES -X icmp_packets
        $IPTABLES -X tcp_packets
        $IPTABLES -X udpincoming_packets
        $IPTABLES -X allowed
        $IPTABLES -X INET_IN
        $IPTABLES -X INET_OUT

        $IP6TABLES -X icmp_packets
        $IP6TABLES -X tcp_packets
        $IP6TABLES -X udpincoming_packets
        $IP6TABLES -X allowed
        $IP6TABLES -X INET_IN
        $IP6TABLES -X INET_OUT

        $IPTABLES -P INPUT DROP
        $IPTABLES -P OUTPUT DROP
        $IPTABLES -P FORWARD DROP
       
        $IP6TABLES -P INPUT DROP
        $IP6TABLES -P OUTPUT DROP
        $IP6TABLES -P FORWARD DROP
       
        # Remember status and be verbose
        rc_status -v
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        $0 stop
        $0 start

        # Remember status and be quiet
        rc_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
rc_exit


wiyosaya 10-04-2018 12:40 PM

Anyone reading this might have noticed the following rules and thought that they are part of the problem:

Code:

        $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
        $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
        $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP

I removed those prior to posting and that did not help.

Thanks again.

lazydog 10-04-2018 01:17 PM

First question: do you have FORWARD turned on?

Look in /etc/sysctl.conf for

Code:

net.ipv4.ip_forward = 1

If that is turned on, can you post the output from the following command:

Code:

iptables -S

smallpond 10-04-2018 01:58 PM

Your problem is that both of your ethernet ports are on the same subnet. 192.168.0.0/16 means everything up to 192.168.255.255. You need to either renumber your internal net or change your router and rules to /24. Please add the output of "route -n".

wiyosaya 10-04-2018 10:09 PM

Thanks for your reply.

Code:

net.ipv4.ip_forward = 1

is set in /etc/sysctl.conf.

Here is the output from iptables -S:

Code:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N INET_IN
-N INET_OUT
-N allowed
-N icmp_packets
-N tcp_packets
-N udpincoming_packets
-A INPUT -j INET_IN
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -i eth0 -p tcp -j tcp_packets
-A INPUT -i eth0 -p udp -j udpincoming_packets
-A INPUT -j LOG --log-prefix "Dropped INPUT chain packet: "
-A FORWARD -j INET_OUT
-A FORWARD -j INET_IN
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New pkt dropped FORWARD ch: "
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: " --log-level 2
-A OUTPUT -j INET_OUT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "Ouput chain - New not syn: "
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 137:139 -j LOG --log-prefix "Outgoing netbios: "
-A OUTPUT -o eth0 -p tcp -m tcp --sport 137:139 -j LOG --log-prefix "Outgoing netbios: "
-A OUTPUT -o eth0 -p udp -m udp --sport 445 -j LOG --log-prefix "Outgoing netbios: "
-A OUTPUT -o eth0 -p tcp -m tcp --sport 445 -j LOG --log-prefix "Outgoing netbios: "
-A OUTPUT -o eth0 -p udp -m udp --sport 137:139 -j DROP
-A OUTPUT -o eth0 -p tcp -m tcp --sport 137:139 -j DROP
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -s 192.168.1.201/32 -d 192.168.1.201/32 -j ACCEPT
-A OUTPUT -s 192.168.1.201/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o lo -j ACCEPT
-A INET_IN -i eth0
-A INET_OUT -o eth0
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 5 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j DROP
-A tcp_packets -p tcp -j allowed
-A udpincoming_packets -p udp -m state --state NEW -m udp --sport 53 -j LOG --log-prefix "Unallowed DNS: "
-A udpincoming_packets -p udp -m state --state NEW -m udp --sport 53 -j DROP
-A udpincoming_packets -p udp -m state --state RELATED,ESTABLISHED -m udp --sport 53 -j ACCEPT
-A udpincoming_packets -p udp -j DROP


wiyosaya 10-04-2018 10:17 PM

Quote:

Originally Posted by smallpond (Post 5911103)
Your problem is that both of your ethernet ports are on the same subnet. 192.168.0.0/16 means everything up to 192.168.255.255. You need to either renumber your internal net or change your router and rules to /24. Please add the output of "route -n".

The output of route -n is
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
0.0.0.0        192.168.100.1  0.0.0.0        UG    0      0        0 eth0
192.168.1.0    0.0.0.0        255.255.255.0  U    0      0        0 eth1
192.168.100.0  0.0.0.0        255.255.255.0  U    0      0        0 eth0

I have tried commenting out the only rule that references 192.168.0.0/16 and things do not change.

smallpond 10-05-2018 12:18 PM

If you do "iptables -vL" it will list the counts of matches for each rule. That lets you check what rule is dropping or not accepting (but should be) your traffic.

lazydog 10-05-2018 08:58 PM

OK, I put this together going off what you have already done and this should get you started.

Code:

#!/bin/bash

#################################
##  Cleanup Rules and filters  ##
#################################
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

##########################
## Set Default Policies ##
##########################
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


########################
##  Setup New Chains  ##
########################
iptables -N CHECK
iptables -N LAN
iptables -N WAN


###################
##  Check Chain  ##
###################
iptables -A CHECK -i lo -j ACCEPT
iptables -A CHECK -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A CHECK -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A CHECK -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A CHECK -j RETURN


##########
## LAN  ##
##########
iptables -A LAN -p udp -m udp -j ACCEPT
iptables -A LAN -p tcp -m tcp -m conntrack --ctstate NEW -j ACCEPT
iptables -A LAN -p icmp -m icmp --icmp-type 0 -j ACCEPT
iptables -A LAN -p icmp -m icmp --icmp-type 3 -j ACCEPT
iptables -A LAN -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A LAN -p icmp -m icmp --icmp-type 11 -j ACCEPT
iptables -A LAN -p icmp -j DROP


############
##  WAN  ###
############
iptables -A WAN -p icmp -m icmp --icmp-type 0 -j ACCEPT
iptables -A WAN -p icmp -m icmp --icmp-type 3 -j ACCEPT
iptables -A WAN -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A WAN -p icmp -m icmp --icmp-type 11 -j ACCEPT
iptables -A WAN -j DROP


############
## RULES  ##
############
iptables -A INPUT -j CHECK
iptables -A INPUT -i eth0 -j WAN
iptables -A INPUT -i eth1 -j LAN
iptables -A FORWARD -j CHECK
iptables -A FORWARD -i eth0 -j WAN
iptables -A FORWARD -i eth1 -j LAN
iptables -A OUTPUT -j ACCEPT

Allow me to explain each part.

Cleanup Rules and filters:
This section will clean up everything and get the system ready for setting up the firewall.

Set Default Policies:
This sets up the default policies that match when nothing else matches.

Setup New Chains:
This section creates new chains for the firewall to simplify firewall management.

Check Chain:
Instead of rewriting these rules in every chain, they are now consolidated in one location.

LAN:
This is what we want to allow from the internal network; it doesn't matter whether it is connecting to the firewall box itself or going out to the internet.

WAN:
This is what we are going to allow in from the WAN. Here we do not have to worry about RELATED or ESTABLISHED traffic, as that should be covered in the CHECK chain.

RULES:
This tells the firewall what to do with traffic depending on where it is coming from.

I find this type of setup easier to maintain: when you add a rule to the FORWARD chain you don't have to worry whether another rule is going to keep it from working, as all the rules for a direction are grouped together. The only thing to do when adding a rule, for example for the WAN interface, is to go to the WAN section and add it before the DROP rule.
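To see how the CHECK / LAN / WAN layout above disposes of a packet, here is an added Python model (not code from the thread or from lazydog) that encodes the posted rules as data and walks sample packets through them the way the kernel traverses chains. It assumes simplified matching (interface, protocol, conntrack state, SYN flag and ICMP type only; no nat table, ports or addresses) and shows one consequence of the posted LAN chain: a protocol other than TCP, UDP or ICMP arriving on eth1 matches nothing and falls through to the FORWARD policy.

```python
"""Walk packets through the CHECK / LAN / WAN chain layout posted above.

User chains return to their caller on RETURN or when they run out of rules;
built-in chains fall back to their policy.  Matching is deliberately
simplified (see the lead-in); this is an added illustration, not thread code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                        # ingress interface: "eth0", "eth1", "lo"
    proto: str                        # "tcp", "udp", "icmp", or anything else
    state: str                        # conntrack state: NEW / ESTABLISHED / RELATED
    syn: bool = True                  # tcp only: True when only SYN is set
    icmp_type: Optional[int] = None   # icmp only


@dataclass(frozen=True)
class Rule:
    target: str                       # ACCEPT, DROP, RETURN, LOG or a user chain
    iface: Optional[str] = None       # -i
    proto: Optional[str] = None       # -p
    state: frozenset = frozenset()    # -m state --state ...; empty means any
    syn: Optional[bool] = None        # True for --syn, False for ! --syn
    icmp_type: Optional[int] = None   # --icmp-type

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.state and p.state not in self.state:
            return False
        if self.syn is not None and (p.proto != "tcp" or p.syn != self.syn):
            return False
        if self.icmp_type is not None and (p.proto != "icmp" or p.icmp_type != self.icmp_type):
            return False
        return True


def icmp(t: int) -> Rule:
    return Rule("ACCEPT", proto="icmp", icmp_type=t)


EST = frozenset({"RELATED", "ESTABLISHED"})
NEW = frozenset({"NEW"})

# The ruleset as posted: three user chains plus the dispatch rules.
CHAINS: Dict[str, List[Rule]] = {
    "CHECK": [
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", state=EST),
        Rule("LOG", proto="tcp", syn=False, state=NEW),     # "New not syn:"
        Rule("DROP", proto="tcp", syn=False, state=NEW),
        Rule("RETURN"),
    ],
    "LAN": [
        Rule("ACCEPT", proto="udp"),
        Rule("ACCEPT", proto="tcp", state=NEW),
        icmp(0), icmp(3), icmp(8), icmp(11),
        Rule("DROP", proto="icmp"),
    ],
    "WAN": [icmp(0), icmp(3), icmp(8), icmp(11), Rule("DROP")],
    "INPUT":   [Rule("CHECK"), Rule("WAN", iface="eth0"), Rule("LAN", iface="eth1")],
    "FORWARD": [Rule("CHECK"), Rule("WAN", iface="eth0"), Rule("LAN", iface="eth1")],
    "OUTPUT":  [Rule("ACCEPT")],
}
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}


def walk(chain: str, p: Packet, trail: List[str]) -> Optional[str]:
    """Return the verdict reached inside `chain`, or None if the chain returns."""
    for i, rule in enumerate(CHAINS[chain]):
        if not rule.matches(p):
            continue
        trail.append(f"{chain}[{i}] -> {rule.target}")
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target == "LOG":
            continue                              # LOG is non-terminating
        verdict = walk(rule.target, p, trail)     # jump into a user chain
        if verdict is not None:
            return verdict
    if chain in POLICY:                           # built-in chain: apply the policy
        trail.append(f"{chain} policy -> {POLICY[chain]}")
        return POLICY[chain]
    return None                                   # user chain exhausted: implicit return


def decide(chain: str, p: Packet) -> Tuple[str, List[str]]:
    """Verdict for a packet entering a built-in chain, plus the rules it hit."""
    trail: List[str] = []
    return walk(chain, p, trail), trail


if __name__ == "__main__":
    samples = [
        ("INPUT",   Packet("eth0", "tcp", "NEW")),                    # unsolicited SYN from the WAN
        ("INPUT",   Packet("eth0", "tcp", "ESTABLISHED", syn=False)), # reply to our own connection
        ("FORWARD", Packet("eth1", "icmp", "NEW", icmp_type=8)),     # LAN host pinging the router
        ("FORWARD", Packet("eth1", "tcp", "NEW", syn=False)),        # NEW without SYN
        ("FORWARD", Packet("eth1", "gre", "NEW")),                   # nothing in LAN matches it
    ]
    for chain, pkt in samples:
        verdict, trail = decide(chain, pkt)
        print(f"{chain:8} {pkt.iface} {pkt.proto:4} {pkt.state:11} -> {verdict:6} via {' / '.join(trail)}")
```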

wiyosaya 10-06-2018 03:05 PM

Quote:

Originally Posted by smallpond (Post 5911503)
If you do "iptables -vL" it will list the counts of matches for each rule. That lets you check what rule is dropping or not accepting (but should be) your traffic.

My apologies for the delay in getting back to this. Things are generally working; however, I do think that the problem is having side effects. That is, I can still get from my local LAN to the WAN.
Here is the output:
Code:

iptables -vL
Chain INPUT (policy DROP 339 packets, 10848 bytes)
 pkts bytes target    prot opt in    out    source              destination       
26719  46M INET_IN    all  --  any    any    anywhere            anywhere           
  33  4046 LOG        tcp  --  any    any    anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix "New not syn:"
  33  4046 DROP      tcp  --  any    any    anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
  577 70043 ACCEPT    all  --  lo    any    anywhere            anywhere           
    0    0 ACCEPT    all  --  lo    any    anywhere            localhost         
20630  45M ACCEPT    all  --  eth1  any    anywhere            anywhere           
 5108 1385K ACCEPT    all  --  eth0  any    anywhere            anywhere            state RELATED,ESTABLISHED
    0    0 icmp_packets  icmp --  eth0  any    anywhere            anywhere           
  29  2113 tcp_packets  tcp  --  eth0  any    anywhere            anywhere           
    3  984 udpincoming_packets  udp  --  eth0  any    anywhere            anywhere           
  339 10848 LOG        all  --  any    any    anywhere            anywhere            LOG level warning prefix "Dropped INPUT chain packet: "

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
1204K 1181M INET_OUT  all  --  any    any    anywhere            anywhere           
1204K 1181M INET_IN    all  --  any    any    anywhere            anywhere           
    1    71 LOG        tcp  --  any    any    anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix "New pkt dropped FORWARD ch: "
    1    71 DROP      tcp  --  any    any    anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
 485K  31M ACCEPT    all  --  eth1  any    anywhere            anywhere           
 719K 1150M ACCEPT    all  --  any    any    anywhere            anywhere            state RELATED,ESTABLISHED
    0    0 LOG        all  --  any    any    anywhere            anywhere            limit: avg 3/min burst 3 LOG level crit prefix "FORWARD packet died: "

Chain OUTPUT (policy DROP 242 packets, 23232 bytes)
 pkts bytes target    prot opt in    out    source              destination       
73913  87M INET_OUT  all  --  any    any    anywhere            anywhere           
    0    0 LOG        tcp  --  any    any    anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix "Ouput chain - New not syn: "
    0    0 DROP      tcp  --  any    any    anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
  302 44483 ACCEPT    all  --  any    any    localhost            anywhere
  211 29302 LOG        udp  --  any    eth0    anywhere            anywhere            udp spts:netbios-ns:netbios-ssn LOG level warning prefix "Outgoing netbios: "
    0    0 LOG        tcp  --  any    eth0    anywhere            anywhere            tcp spts:netbios-ns:netbios-ssn LOG level warning prefix "Outgoing netbios: "
    0    0 LOG        udp  --  any    eth0    anywhere            anywhere            udp spt:microsoft-ds LOG level warning prefix "Outgoing netbios: "
    0    0 LOG        tcp  --  any    eth0    anywhere            anywhere            tcp spt:microsoft-ds LOG level warning prefix "Outgoing netbios: "
  211 29302 DROP      udp  --  any    eth0    anywhere            anywhere            udp spts:netbios-ns:netbios-ssn
    0    0 DROP      tcp  --  any    eth0    anywhere            anywhere            tcp spts:netbios-ns:netbios-ssn
65972  87M ACCEPT    all  --  any    eth1    anywhere            anywhere           
 6911  537K ACCEPT    all  --  any    eth0    anywhere            anywhere           
  30  2040 ACCEPT    all  --  any    any    192.168.1.201        192.168.1.201     
  245 23520 ACCEPT    all  --  any    any    192.168.1.201        localhost         
    0    0 ACCEPT    all  --  any    lo      anywhere            192.168.1.0/24     

Chain INET_IN (2 references)
 pkts bytes target    prot opt in    out    source              destination       
 724K 1152M            all  --  eth0  any    anywhere            anywhere           

Chain INET_OUT (2 references)
 pkts bytes target    prot opt in    out    source              destination       
 493K  32M            all  --  any    eth0    anywhere            anywhere           

Chain allowed (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    tcp  --  any    any    anywhere            anywhere            state RELATED,ESTABLISHED
  29  2113 DROP      tcp  --  any    any    anywhere            anywhere           

Chain icmp_packets (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    icmp --  any    any    anywhere            anywhere            icmp echo-reply
    0    0 ACCEPT    icmp --  any    any    anywhere            anywhere            icmp destination-unreachable
    0    0 ACCEPT    icmp --  any    any    anywhere            anywhere            icmp redirect
    0    0 ACCEPT    icmp --  any    any    anywhere            anywhere            icmp time-exceeded
    0    0 DROP      icmp --  any    any    anywhere            anywhere           

Chain tcp_packets (1 references)
 pkts bytes target    prot opt in    out    source              destination       
  29  2113 allowed    tcp  --  any    any    anywhere            anywhere           

Chain udpincoming_packets (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 LOG        udp  --  any    any    anywhere            anywhere            state NEW udp spt:domain LOG level warning prefix "Unallowed DNS: "
    0    0 DROP      udp  --  any    any    anywhere            anywhere            state NEW udp spt:domain
    0    0 ACCEPT    udp  --  any    any    anywhere            anywhere            state RELATED,ESTABLISHED udp spt:domain
    3  984 DROP      udp  --  any    any    anywhere            anywhere

Quote:

Originally Posted by lazydog (Post 5911614)
OK, I put this together going off what you have already done and this should get you started.

Allow me to explain each part.

Cleanup Rules and filters:
This section will clean up everything and get the system ready for setting up the firewall.

Set Default Policies:
This sets up the default policies that match when nothing else matches.

Setup New Chains:
This section creates new chains for the firewall to simplify firewall management

Check Chain:
Instead of re-writing these rules in every chain, it is now consolidated to one location.

LAN:
This is what we want to allow from the internal network; it doesn't matter if it is connecting to the firewall box itself or going out to the internet.

WAN:
This is what we are going to allow in from the WAN. Here we do not have to worry about Related or Established traffic as it should be covered in the CHECK chain.

RULES:
This tells the firewall what to do with traffic depending on where it is coming from.

I find this type of setup easier to maintain as you don't have to worry, when you add a rule to the forward chain, whether another rule is going to keep it from working, as all the rules for a direction are grouped together. The only thing to do when looking to add a rule, for example to the WAN interface, is go to the WAN section and add it before the DROP rule.

Thanks for your reply. I like your approach and I will give it a try. I have been thinking that my script is sloppy, mostly because I slapped the script together to make it do what I want it to do even though my understanding of iptables itself is limited. I make a living coding for Windows, and the consolidation that you are suggesting is the right approach from my standpoint. I do have a section in the script that is intended only to count bytes in and out that I then parse with another program. At some point, I will need to add that back in, but simplifying is definitely the right approach for troubleshooting.

wiyosaya 10-06-2018 03:22 PM

Quote:

Originally Posted by lazydog (Post 5911614)
OK, I put this together going off what you have already done and this should get you started.

I made a script from the exact code that you posted, and I am able to communicate with the router both with ping and through my web browser. Thank you!

It looks like your script does much of what mine does, only in a much simpler fashion. I like that. It seems very graceful, to me. :hattip::thumbsup:

I don't want to burden you with things for which you do not have time, however, other than the accounting rules, is there anything in my script that your script does not do?

For instance, not allowing NETBIOS traffic to the WAN?

lazydog 10-07-2018 08:52 AM

NETBIOS is allowed. If you look at your setup you will see that in your OUTPUT rules you are allowing NETBIOS. Because I set up OUTPUT to allow all, it is allowed. My only question is why would you want to allow NETBIOS outside of your network when it isn't secure?

Logging is also not done. I find that it only fills up the logs, and I only turn it on when troubleshooting connection issues so that I can see where the traffic is being dropped.

I believe you don't truly understand traffic flow as it pertains to this device. Let me see if I can clear that up for you.

INPUT: This is external traffic coming in on any interface (eth0, eth1) where the destination is the device itself. Ex. if the device's IP address is 192.168.1.201 then all traffic that has a destination address of 192.168.1.201 would be INPUT traffic and be handled by those rules.

OUTPUT: This is all traffic leaving the device with a source address of itself. Ex. if the device's IP address is 192.168.1.201 then all traffic that has a source address of 192.168.1.201 would be OUTPUT traffic and be handled by those rules.

FORWARD: This is all traffic that is traversing the device and does not have to connect to the device itself. Ex. if the device's IP address is 192.168.1.201 then all traffic that does not have a source or destination address of 192.168.1.201, coming in eth0 and exiting eth1, would be FORWARD traffic and be handled by those rules.

This TUTORIAL is some reading if you'd like. While it is not up to date, it still holds true for how to setup IPTABLES.
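As an added example (not lazydog's posted script, which is not reproduced in this part of the thread, and not wiyosaya's), the following generator prints a ruleset in iptables-restore format laid out in the sections lazydog describes above: default policies, new chains, a shared CHECK chain, a LAN chain, a WAN chain, and the dispatch rules that show how INPUT and FORWARD traffic reuse the same per-direction chains. The interface names eth0/eth1, the 192.168.1.0/24 LAN, the router at 192.168.100.1 and the target-less INET_IN/INET_OUT accounting chains come from the thread; the specific DHCP, ICMP, conntrack and NetBIOS rules are my assumptions, and the script name is hypothetical. The script only prints; nothing is applied until the output is piped to iptables-restore.

```shell
#!/bin/sh
# Added example, not lazydog's or wiyosaya's script: prints an iptables-restore
# ruleset laid out in the sections lazydog describes (default policies,
# new chains, CHECK chain, LAN, WAN, rules) for the topology in this thread:
#   Internet -> router 192.168.100.1 -> eth0 (DHCP, 192.168.100.x) | eth1 192.168.1.0/24
# Interfaces and subnets come from the thread; the individual rules are assumptions.
# Nothing is applied here: inspect the output, then load it with
#   sh firewall-gen.sh | iptables-restore      (file name is hypothetical)
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

gen_rules() {
cat <<EOF
# Cleanup is implicit: iptables-restore replaces each table listed here.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN traffic leaving on $WAN_IF (including to the router) is masqueraded
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT

*filter
# Default policies: match when nothing else does
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# New chains: one per direction plus the shared CHECK chain, and two
# target-less accounting chains like INET_IN/INET_OUT in the posted output
:CHECK - [0:0]
:LAN - [0:0]
:WAN - [0:0]
:INET_IN - [0:0]
:INET_OUT - [0:0]

# CHECK: connection-state handling, written once instead of in every chain
-A CHECK -m conntrack --ctstate INVALID -j DROP
-A CHECK -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# LAN: what the internal network may do, whether it talks to this box
# (INPUT) or is forwarded beyond it (FORWARD). Any destination is allowed,
# so 192.168.100.1 is reachable, which the original script did not permit.
-A LAN -s $LAN_NET -j ACCEPT
-A LAN -j DROP

# WAN: what comes in from the router side; new rules go above the DROP.
# RELATED/ESTABLISHED replies never reach here; CHECK already accepted them.
-A WAN -p udp --sport 67 --dport 68 -j ACCEPT
-A WAN -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A WAN -j DROP

# Accounting: a rule with no target only counts packets and bytes
-A INET_IN -i $WAN_IF
-A INET_OUT -o $WAN_IF

# RULES: dispatch on the arrival interface. Traffic addressed to this box
# traverses INPUT; transit traffic traverses FORWARD; both reuse LAN/WAN.
-A INPUT -i lo -j ACCEPT
-A INPUT -j INET_IN
-A INPUT -j CHECK
-A INPUT -i $LAN_IF -j LAN
-A INPUT -i $WAN_IF -j WAN
-A FORWARD -j INET_IN
-A FORWARD -j INET_OUT
-A FORWARD -j CHECK
# Keep NetBIOS/SMB inside the LAN (placed before the LAN dispatch, which accepts all)
-A FORWARD -o $WAN_IF -p udp -m multiport --ports 137:139,445 -j DROP
-A FORWARD -o $WAN_IF -p tcp -m multiport --ports 137:139,445 -j DROP
-A FORWARD -i $LAN_IF -j LAN
-A FORWARD -i $WAN_IF -j WAN
-A OUTPUT -j INET_OUT
-A OUTPUT -o $WAN_IF -p udp -m multiport --ports 137:139,445 -j DROP
-A OUTPUT -o $WAN_IF -p tcp -m multiport --ports 137:139,445 -j DROP
COMMIT
EOF
}

# Print the ruleset when run as a script
gen_rules
```

Two points worth checking in the output before loading it: the NetBIOS DROP rules sit above the `-i eth1 -j LAN` dispatch, because LAN accepts everything from the internal subnet and would otherwise let that traffic through; and the accounting chains have no `-j`, so they count packets and bytes without affecting the verdict, the same way INET_IN and INET_OUT do in the `iptables -L -v` listing above.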

wiyosaya 10-08-2018 12:14 PM

Thanks for your reply.
Quote:

Originally Posted by lazydog (Post 5912022)
NETBIOS is allowed. If you look at your setup you will see that in your OUTPUT rules you are allowing NETBIOS. Because I set up OUTPUT to allow all, it is allowed. My only question is why would you want to allow NETBIOS outside of your network when it isn't secure?

I don't.

Quote:

Logging is also not done. I find that it only fills up the logs, and I only turn it on when troubleshooting connection issues so that I can see where the traffic is being dropped.
Yes, I get that. At least that part is obvious to me.

Quote:

I believe you don't truly understand traffic flow as it pertains to this device. Let me see if I can clear that up for you.
You are correct. I never really took the time to understand iptables and flow. I mostly attempted to get it to do what I thought that I wanted it to do. However, because of my lack of understanding, there are obviously mistakes in my script. At times, too, I was too specific - just because I could be, and I am sure you know as well as I do that "just because I can" is never a good reason.

Quote:

This TUTORIAL is some reading if you'd like. While it is not up to date, it still holds true for how to setup IPTABLES.
I had started reading the tutorial just before I posted this, however, the script was a mess.

I'll take the time to read the tutorial.

Thanks for the start at a new script. I will work with it in light of the tutorial and go from there.
