iptables firewall script - Attached router to eth0 that had internet IP and cannot communicate with router
I went from
Internet -- > eth0 iptables firewall/NAT - eth1 local lan 192.168.1.*
to
Internet --> router --> eth0 iptables firewall/NAT - eth1 local lan 192.168.1.*
the address of eth1 is 192.168.1.201
eth0 now connects to the router and gets a DHCP address in the range 192.168.100.* when it used to get an IP address that was a valid internet address.
The router itself is at 192.168.100.1
I cannot ping/browse to/traceroute the router from anywhere on my local lan including the linux PC running the iptables firewall.
I am wondering what I need to add to my firewall script to allow traffic to/from my local lan to the router.
If anyone is able to help, it would be greatly appreciated.
My skill level is not all that high. I would not consider myself a complete newbie, but I am definitely not an expert. I wrote some of my firewall script myself with bits that I got in various postings elsewhere.
Here is my iptables script: (NOTE that I am not running IPv6, therefore the ip6tables lines in the script are irrelevant.)
Thanks in advance!
Code:
#! /bin/sh
# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
#
# Author: Kurt Garloff <feedback@suse.de>
#
# /etc/init.d/firewall
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $local_fs $dummy
# Required-Stop: network
# Default-Start: 2 3 5
# Default-Stop:
# Description: Provides a packet filtering firewall at startup.
### END INIT INFO
IPTABLES=`which iptables`
test -x $IPTABLES || exit 5
IP6TABLES=`which ip6tables`
test -x $IP6TABLES || exit 5
# Set IPT_DBG to 1 to log all incoming packets accepted and all drops
IPT_DBG="0"
LAN_IP="192.168.1.201"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IFACE="eth0"
#INET_IFACE="ppp0"
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num><num>
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
. /etc/rc.status
# First reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.
case "$1" in
start)
echo "Starting IPTables and IP6TABLES"
#if test $IPT_DBG="1"; then
# echo "Firewall script set to log debug info."
# echo "All accepted and dropped packets will be logged."
#fi
# rc.firewall - DHCP IP Firewall script for 2.4.x
#
# Author: Oskar Andreasson <blueflux@koffein.net>
# (c) of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com
#
# load OS footprints
/usr/sbin/nfnl_osf -f /usr/share/xtables/pf.os
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
# POSTROUTING chain in the nat table
#
#$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
#-j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IP6TABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New pkt dropped FORWARD ch: "
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
$IP6TABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New ipv6 pkt dropped FORWARD ch: "
$IP6TABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#
# Accept the packets we actually want to forward
#
#if test $IPT_DBG="1"; then
# $IPTABLES -A FORWARD -i $LAN_IFACE -j LOG \
# --log-prefix "Accepted FORWARD ch packet: "
#fi
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IP6TABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
#if test $IPT_DBG="1"; then
# $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j LOG \
# --log-prefix "Accepted est,rel FWD pkt: "
#fi
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level 2 --log-prefix "FORWARD packet died: "
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level 2 --log-prefix "FORWARD packet died: "
if test "$IPT_DBG" = "1"; then   # quoted comparison: a single word like $IPT_DBG="1" is always true to test
$IPTABLES -A FORWARD -j LOG --log-prefix \
"Default, dropped FWD ch pkt: "
fi
#rules for accounting
$IPTABLES -N INET_IN
$IPTABLES -N INET_OUT
$IPTABLES -A INET_IN -i $INET_IFACE
$IPTABLES -A INET_OUT -o $INET_IFACE
$IPTABLES -I FORWARD -j INET_IN
$IPTABLES -I FORWARD -j INET_OUT
$IPTABLES -I INPUT -j INET_IN
$IPTABLES -I OUTPUT -j INET_OUT
$IP6TABLES -N INET_IN
$IP6TABLES -N INET_OUT
$IP6TABLES -A INET_IN -i $INET_IFACE
$IP6TABLES -A INET_OUT -o $INET_IFACE
$IP6TABLES -I FORWARD -j INET_IN
$IP6TABLES -I FORWARD -j INET_OUT
$IP6TABLES -I INPUT -j INET_IN
$IP6TABLES -I OUTPUT -j INET_OUT
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
$IP6TABLES -N icmp_packets
$IP6TABLES -N tcp_packets
$IP6TABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IP6TABLES -N allowed
#if test $IPT_DBG="1"; then
# $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j LOG \
# --log-prefix "Acpt est,rel TCP alwd pkt: "
#fi
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accepting any TCP to 192.168.100.0/24 here would open every listening
# port on the firewall's eth0 address to the router-side network, and it
# does nothing for reaching the router: replies to our own connections are
# already ESTABLISHED and accepted above. Left disabled.
#$IPTABLES -A allowed -p TCP -d 192.168.100.0/24 -j ACCEPT
$IP6TABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
if test "$IPT_DBG" = "1"; then
$IPTABLES -A allowed -p TCP -s 0/0 -j LOG \
--log-prefix "Dropped TCP alwd chain pkt: "
fi
$IPTABLES -A allowed -p TCP -s 0/0 -j DROP
$IP6TABLES -A allowed -p TCP -s 0/0 -j DROP
#
# ICMP rules
#
#if test $IPT_DBG="1"; then
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j LOG \
# --log-prefix "Accepted ICMP type 0: "
#fi
# Echo reply
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IP6TABLES -A icmp_packets -p ICMP -s 0/0 -j DROP
#if test $IPT_DBG="1"; then
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j LOG \
# --log-prefix "Accepted ICMP type 3: "
#fi
# Destination unreachable
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
#if test $IPT_DBG="1"; then
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j LOG \
# --log-prefix "Accepted ICMP type 5: "
#fi
# Redirect. Letting redirects in from the WAN side allows the upstream hop
# to rewrite this box's routes unless net.ipv4.conf.*.accept_redirects is 0;
# dropping them here is the safer choice.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
#if test $IPT_DBG="1"; then
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j LOG \
# --log-prefix "Accepted ICMP type 11: "
#fi
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
if test "$IPT_DBG" = "1"; then
$IPTABLES -A icmp_packets -p ICMP -s 0/0 -j LOG \
--log-prefix "Unallowed ICMP: "
fi
$IPTABLES -A icmp_packets -p ICMP -s 0/0 -j DROP
#
# TCP rules
#
# These have been commented out and are left for example just in case
# something similar is ever needed.
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
# $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
# Send all tcp packets that get this far to the allowed chain for
# further filtering.
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j allowed
#
# UDP ports
#
# These lines allow a response to any outgoing DNS query to get through.
# Queries on port 53 are dropped if the incoming packet does not have an
# established connection by virtue of the line with the "NEW" state.
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state NEW \
--source-port 53 -j LOG \
--log-prefix "Unallowed DNS: "
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state NEW \
--source-port 53 -j DROP
#if test $IPT_DBG="1"; then
# $IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state ESTABLISHED,RELATED \
# --source-port 53 -j LOG --log-prefix \
# "Accepted est,rel UDP DNS: "
#fi
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -m state --state ESTABLISHED,RELATED \
--source-port 53 -j ACCEPT
if test "$IPT_DBG" = "1"; then
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -j LOG --log-prefix \
"Dropped UDP packet: "
fi
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -j DROP
#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's
#
# eth0 now sits on 192.168.100.0/24 behind the router, so that subnet has
# to be exempted before the RFC 1918 drops: otherwise every packet from
# the router (192.168.100.1), including replies to this box's own pings,
# is discarded here in mangle PREROUTING before the filter chains see it.
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 192.168.100.0/24 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#
# INPUT chain
#
# Take care of bad TCP packets that we don't want
#
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#
# Accept everything on the loopback interface
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -j ACCEPT
#if test $IPT_DBG="1"; then
# $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \
# --state ESTABLISHED,RELATED -j LOG --log-prefix \
# "Accepted est,rel pkt: "
#fi
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
#
# Rules for incoming packets from the internet
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
if test "$IPT_DBG" = "1"; then
$IPTABLES -A INPUT -p ALL -j LOG --log-prefix \
"Dropped INPUT chain packet: "
fi
#
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "Ouput chain - New not syn: "
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
# Keep the firewall's own NetBIOS/SMB from leaking toward the WAN side.
# --source-port only matches packets sent from this box's own 137-139/445
# (its Samba daemons); the firewall acting as an SMB client (destination
# port 445) is not matched, and LAN hosts' NetBIOS goes through FORWARD,
# which accepts everything from $LAN_IFACE, so it is not covered by these
# OUTPUT rules at all.
$IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 137:139 -j \
LOG --log-prefix "Outgoing netbios: "
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --source-port 137:139 -j \
LOG --log-prefix "Outgoing netbios: "
$IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 445 -j \
LOG --log-prefix "Outgoing netbios: "
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --source-port 445 -j \
LOG --log-prefix "Outgoing netbios: "
$IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 137:139 -j DROP
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --source-port 137:139 -j DROP
# Drop 445 as well so it is handled the same way as 137-139, not only logged.
$IPTABLES -A OUTPUT -p UDP -o $INET_IFACE --source-port 445 -j DROP
$IPTABLES -A OUTPUT -p TCP -o $INET_IFACE --source-port 445 -j DROP
$IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
#
# Special rules for Samba
#
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -d $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -d $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 192.168.100.0/24 -d $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -d 192.168.1/24 -j ACCEPT
if test "$IPT_DBG" = "1"; then
$IPTABLES -A OUTPUT -p ALL -j LOG --log-prefix \
"Dropped OUTPUT chain packet: "
fi
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down IPTables and IP6Tables"
/usr/sbin/nfnl_osf -f /usr/share/xtables/pf.os -d
/bin/date >> /export/net1/Accounting/inet_accounting.log
$IPTABLES -L INET_IN -v -x >> /export/net1/Accounting/inet_accounting.log
$IPTABLES -L INET_OUT -v -x >> /export/net1/Accounting/inet_accounting.log
$IP6TABLES -L INET_IN -v -x >> /export/net1/Accounting/inet_accounting.log
$IP6TABLES -L INET_OUT -v -x >> /export/net1/Accounting/inet_accounting.log
#Flush all rules from IPTables memory.
# -F with no -t only empties the filter table; flush nat and mangle too,
# otherwise the MASQUERADE and PREROUTING anti-spoof rules survive a
# restart and are appended a second time by the next start.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IP6TABLES -F
#Delete chains added during startup.
$IPTABLES -X icmp_packets
$IPTABLES -X tcp_packets
$IPTABLES -X udpincoming_packets
$IPTABLES -X allowed
$IPTABLES -X INET_IN
$IPTABLES -X INET_OUT
$IP6TABLES -X icmp_packets
$IP6TABLES -X tcp_packets
$IP6TABLES -X udpincoming_packets
$IP6TABLES -X allowed
$IP6TABLES -X INET_IN
$IP6TABLES -X INET_OUT
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
# Remember status and be verbose
rc_status -v
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
rc_exit
Your problem is that both of your ethernet ports are on the same subnet. 192.168.0.0/16 means everything up to 192.168.255.255. You need to either renumber your internal net or change your router and rules to /24. Please add the output of "route -n".
Quote:
Your problem is that both of your ethernet ports are on the same subnet. 192.168.0.0/16 means everything up to 192.168.255.255. You need to either renumber your internal net or change your router and rules to /24. Please add the output of "route -n".
The output of route -n is
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
I have tried commenting out the only rule that references 192.168.0.0/16 and things do not change.
If you do "iptables -vL" it will list the counts of matches for each rule. That lets you check what rule is dropping or not accepting (but should be) your traffic.
OK, I put this together going off what you have already done and this should get you started.
Code:
#!/bin/bash
#################################
## Cleanup Rules and filters ##
#################################
# Flush every table, not just filter, and delete the user-defined chains.
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
##########################
## Set Default Policies ##
##########################
# Whatever no rule below accepts is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
########################
## Setup New Chains ##
########################
iptables -N CHECK
iptables -N LAN
iptables -N WAN
###################
## Check Chain ##
###################
# Shared checks, run first for INPUT and FORWARD: loopback, packets that
# belong to a connection conntrack already knows (this is what lets the
# router's replies back in on eth0), and "NEW but not SYN" TCP.
iptables -A CHECK -i lo -j ACCEPT
iptables -A CHECK -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A CHECK -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A CHECK -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A CHECK -j RETURN
##########
## LAN ##
##########
# Packets arriving on eth1: any UDP, new TCP connections and a few ICMP
# types. Anything else returns to the calling chain and hits policy DROP.
iptables -A LAN -p udp -m udp -j ACCEPT
iptables -A LAN -p tcp -m tcp -m conntrack --ctstate NEW -j ACCEPT
iptables -A LAN -p icmp -m icmp --icmp-type 0 -j ACCEPT    # echo reply
iptables -A LAN -p icmp -m icmp --icmp-type 3 -j ACCEPT    # destination unreachable
iptables -A LAN -p icmp -m icmp --icmp-type 8 -j ACCEPT    # echo request
iptables -A LAN -p icmp -m icmp --icmp-type 11 -j ACCEPT   # time exceeded
iptables -A LAN -p icmp -j DROP
############
## WAN ###
############
# Packets arriving on eth0 (router side): only these ICMP types. Replies to
# our own connections were already accepted in CHECK. New WAN rules go
# above the final DROP.
iptables -A WAN -p icmp -m icmp --icmp-type 0 -j ACCEPT
iptables -A WAN -p icmp -m icmp --icmp-type 3 -j ACCEPT
iptables -A WAN -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A WAN -p icmp -m icmp --icmp-type 11 -j ACCEPT
iptables -A WAN -j DROP
############
## RULES ##
############
# Dispatch by direction; the firewall's own outgoing traffic is unrestricted.
iptables -A INPUT -j CHECK
iptables -A INPUT -i eth0 -j WAN
iptables -A INPUT -i eth1 -j LAN
iptables -A FORWARD -j CHECK
iptables -A FORWARD -i eth0 -j WAN
iptables -A FORWARD -i eth1 -j LAN
iptables -A OUTPUT -j ACCEPT
###########
## NAT ##
###########
# Carried over from the first script in this thread: LAN hosts still have
# to be masqueraded behind eth0 to reach the router and the internet, and
# net.ipv4.ip_forward must be enabled.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Allow me to explain each part.
Cleanup Rules and filters:
This section will clean up everything and get the system ready for setting up the firewall.
Set Default Policies:
This sets up the default policies that match when nothing else matches.
Setup New Chains:
This section creates new chains for the firewall to simplify firewall management
Check Chain:
Instead of re-writing these rules in every chain, they are now consolidated in one location.
LAN:
This is what we want to allow from the internal network doesn't matter if it is connecting to the firewall box itself or going out to the internet.
WAN:
This is what we are going to allow in from the WAN. Here we do not have to worry about Related or Established traffic, as it should be covered in the CHECK chain.
RULES:
This tells the firewall what to do with traffic depending on where it is coming from.
I find this type of setup easier to maintain, as you don't have to worry, when you add a rule to the forward chain, whether another rule is going to keep it from working, since all the rules for a direction are grouped together. The only thing to do when looking to add a rule, for example to the WAN interface, is to go to the WAN section and add it before the DROP rule.
Quote:
If you do "iptables -vL" it will list the counts of matches for each rule. That lets you check what rule is dropping or not accepting (but should be) your traffic.
My apologies for the delay in getting back to this. Things are generally working, however, I do think that the problem is having side effects. That is, I can still get from my local lan to the WAN.
Here is the output:
Code:
iptables -vL
Chain INPUT (policy DROP 339 packets, 10848 bytes)
pkts bytes target prot opt in out source destination
26719 46M INET_IN all -- any any anywhere anywhere
33 4046 LOG tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix "New not syn:"
33 4046 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
577 70043 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere localhost
20630 45M ACCEPT all -- eth1 any anywhere anywhere
5108 1385K ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
0 0 icmp_packets icmp -- eth0 any anywhere anywhere
29 2113 tcp_packets tcp -- eth0 any anywhere anywhere
3 984 udpincoming_packets udp -- eth0 any anywhere anywhere
339 10848 LOG all -- any any anywhere anywhere LOG level warning prefix "Dropped INPUT chain packet: "
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1204K 1181M INET_OUT all -- any any anywhere anywhere
1204K 1181M INET_IN all -- any any anywhere anywhere
1 71 LOG tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix "New pkt dropped FORWARD ch: "
1 71 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
485K 31M ACCEPT all -- eth1 any anywhere anywhere
719K 1150M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level crit prefix "FORWARD packet died: "
Chain OUTPUT (policy DROP 242 packets, 23232 bytes)
pkts bytes target prot opt in out source destination
73913 87M INET_OUT all -- any any anywhere anywhere
0 0 LOG tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix "Ouput chain - New not syn: "
0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
302 44483 ACCEPT all -- any any localhost anywhere
211 29302 LOG udp -- any eth0 anywhere anywhere udp spts:netbios-ns:netbios-ssn LOG level warning prefix "Outgoing netbios: "
0 0 LOG tcp -- any eth0 anywhere anywhere tcp spts:netbios-ns:netbios-ssn LOG level warning prefix "Outgoing netbios: "
0 0 LOG udp -- any eth0 anywhere anywhere udp spt:microsoft-ds LOG level warning prefix "Outgoing netbios: "
0 0 LOG tcp -- any eth0 anywhere anywhere tcp spt:microsoft-ds LOG level warning prefix "Outgoing netbios: "
211 29302 DROP udp -- any eth0 anywhere anywhere udp spts:netbios-ns:netbios-ssn
0 0 DROP tcp -- any eth0 anywhere anywhere tcp spts:netbios-ns:netbios-ssn
65972 87M ACCEPT all -- any eth1 anywhere anywhere
6911 537K ACCEPT all -- any eth0 anywhere anywhere
30 2040 ACCEPT all -- any any 192.168.1.201 192.168.1.201
245 23520 ACCEPT all -- any any 192.168.1.201 localhost
0 0 ACCEPT all -- any lo anywhere 192.168.1.0/24
Chain INET_IN (2 references)
pkts bytes target prot opt in out source destination
724K 1152M all -- eth0 any anywhere anywhere
Chain INET_OUT (2 references)
pkts bytes target prot opt in out source destination
493K 32M all -- any eth0 anywhere anywhere
Chain allowed (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED
29 2113 DROP tcp -- any any anywhere anywhere
Chain icmp_packets (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp redirect
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 DROP icmp -- any any anywhere anywhere
Chain tcp_packets (1 references)
pkts bytes target prot opt in out source destination
29 2113 allowed tcp -- any any anywhere anywhere
Chain udpincoming_packets (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG udp -- any any anywhere anywhere state NEW udp spt:domain LOG level warning prefix "Unallowed DNS: "
0 0 DROP udp -- any any anywhere anywhere state NEW udp spt:domain
0 0 ACCEPT udp -- any any anywhere anywhere state RELATED,ESTABLISHED udp spt:domain
3 984 DROP udp -- any any anywhere anywhere
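Reading the counters by eye gets tedious on a ruleset this size. The following Python script is an added example, not code from either poster: it parses `iptables -vL` output like the listing above, copes with the accounting rules that have no target column (the INET_IN/INET_OUT style), and prints every rule or policy that is discarding packets together with the jump path back to the built-in chain. The SAMPLE text is a constructed, abridged copy of the listing above; run the script against `iptables -vL > listing.txt` on the firewall to use it for real.

```python
"""List the iptables rules that are actually discarding packets, from `iptables -vL` output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the listing posted above.
SAMPLE = """\
Chain INPUT (policy DROP 339 packets, 10848 bytes)
 pkts bytes target prot opt in out source destination
26719 46M INET_IN all -- any any anywhere anywhere
33 4046 LOG tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix "New not syn:"
33 4046 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
20630 45M ACCEPT all -- eth1 any anywhere anywhere
0 0 icmp_packets icmp -- eth0 any anywhere anywhere
29 2113 tcp_packets tcp -- eth0 any anywhere anywhere
339 10848 LOG all -- any any anywhere anywhere LOG level warning prefix "Dropped INPUT chain packet: "
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
1204K 1181M INET_IN all -- any any anywhere anywhere
485K 31M ACCEPT all -- eth1 any anywhere anywhere
Chain INET_IN (2 references)
 pkts bytes target prot opt in out source destination
724K 1152M all -- eth0 any anywhere anywhere
Chain allowed (1 references)
 pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED
29 2113 DROP tcp -- any any anywhere anywhere
Chain tcp_packets (1 references)
 pkts bytes target prot opt in out source destination
29 2113 allowed tcp -- any any anywhere anywhere
"""

PROTOS = {"all", "tcp", "udp", "icmp", "udplite", "esp", "ah", "sctp", "gre"}
DENY_TARGETS = {"DROP", "REJECT"}
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets|(\d+) references)")


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str      # "" for a counting-only rule that has no -j
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str       # match options and LOG prefix, joined as printed


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None   # None for user-defined chains
    policy_pkts: int = 0           # packets that fell through to the policy
    rules: List[Rule] = field(default_factory=list)


def parse_count(tok: str) -> int:
    """-vL abbreviates counters (46M, 485K; 1000-based); -vxL prints exact numbers."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"not a counter: {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    cur: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHAIN_RE.match(line)
        if m:
            policy = m.group(2)
            cur = Chain(m.group(1), policy, parse_count(m.group(3)) if policy else 0)
            chains[cur.name] = cur
            continue
        if cur is None or line.startswith("pkts "):
            continue                                  # column header
        f = line.split()
        if len(f) >= 3 and f[2] in PROTOS:             # no target column: accounting rule
            f.insert(2, "")
        if len(f) < 9:
            continue
        cur.rules.append(Rule(parse_count(f[0]), parse_count(f[1]), f[2], f[3],
                              f[5], f[6], f[7], f[8], " ".join(f[9:])))
    return chains


def find_denials(chains: Dict[str, Chain], include_log: bool = True) -> List[str]:
    """Every rule or policy with a non-zero counter that drops, rejects or (optionally) logs."""
    hits: List[str] = []
    for ch in chains.values():
        if ch.policy in DENY_TARGETS and ch.policy_pkts:
            hits.append(f"{ch.name}: {ch.policy_pkts} pkts fell through to policy {ch.policy}")
        for i, r in enumerate(ch.rules, 1):
            if r.pkts == 0 or not (r.target in DENY_TARGETS or (include_log and r.target == "LOG")):
                continue
            desc = " ".join(x for x in (r.target, r.proto, f"in={r.in_if}", f"out={r.out_if}",
                                        f"{r.source}->{r.dest}", r.extra) if x)
            hits.append(f"{ch.name}#{i}: {desc} ({r.pkts} pkts)")
    return hits


def jump_path(chains: Dict[str, Chain], name: str) -> List[str]:
    """Follow -j references back to a built-in chain, e.g. allowed <- tcp_packets <- INPUT."""
    path = [name]
    while chains[path[-1]].policy is None:            # built-in chains carry a policy
        callers = [c.name for c in chains.values() if any(r.target == path[-1] for r in c.rules)]
        if not callers or callers[0] in path:
            break
        path.append(callers[0])
    return list(reversed(path))


if __name__ == "__main__":
    chains = parse_listing(SAMPLE)
    for hit in find_denials(chains):
        chain = hit.split("#")[0].split(":")[0]
        print(" > ".join(jump_path(chains, chain)), "|", hit)
```

The K/M suffixes are approximations; use `iptables -vxL` when exact byte counts matter (the accounting log in the stop section already does). Clear the counters with `iptables -Z`, reproduce the failing ping, and run the parser again so only the rules hit by that traffic show non-zero counts.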
Quote:
Originally Posted by lazydog
OK, I put this together going off what you have already done and this should get you started.
Allow me to explain each part.
Cleanup Rules and filters:
This section will clean up everything and get the system ready for setting up the firewall.
Set Default Policies:
This sets up the default policies that match when nothing else matches.
Setup New Chains:
This section creates new chains for the firewall to simplify firewall management
Check Chain:
Instead of re-writing these rules in every chain it is not consolidated to one location.
LAN:
This is what we want to allow from the internal network doesn't matter if it is connecting to the firewall box itself or going out to the internet.
WAN:
This is what we are going to allow in from the WAN. Here we do not have to worry Related or Established traffic as it should be covered in the CHECK chain.
RULES:
This tells the firewall what to do with traffic depending on where it is coming from.
I find this type of setup easier to maintain as you don't have to worry if when you add a rule to the forward chain if another rule is going to keep it from working as all the rules for direction are grouped together. The only thing to do when looking to add a rule for example to the WAN interface is go to the WAN section and add it before the DROP rule.
Thanks for your reply. I like your approach and I will give it a try. I have been thinking that my script is sloppy mostly in part because I slapped the script together to make it do what I want it to do even though my understanding of iptables itself is limited. I make a living coding for windows, and the consolidation that you are suggesting is the right approach from my standpoint. I do have a section in the script that is intended only to count bytes in and out that I then parse with another program. At some point, I will need to add that back in, but simplifying is definitely the right approach for troubleshooting.
Quote:
OK, I put this together going off what you have already done and this should get you started.
I made a script from the exact code that you posted, and I am able to communicate with the router both with ping and through my web browser. Thank you!
It looks like your script does much of what mine does, only in a much simpler fashion. I like that. It seems very graceful, to me.
I don't want to burden you with things for which you do not have time, however, other than the accounting rules, is there anything in my script that your script does not do?
For instance, not allowing NETBIOS traffic to the WAN?
NETBIOS is allowed. If you look at your setup you will see that in your OUTPUT rules you are allowing NETBIOS. Because I set up OUTPUT to allow all, it is allowed. My only question is why would you want to allow NETBIOS outside of your network when it isn't secure?
Logging is also not done. I find that it only fills up the logs, and I only turn it on when troubleshooting connection issues so that I can see where the traffic is being dropped.
I believe you don't truly understand traffic flow as it pertains to this device. Let me see if I can clear that up for you.
INPUT: Is external traffic coming in on any interface (eth0, eth1) where the destination is the device itself. Ex. if the device's IP address is 192.168.1.201 then all traffic that has a destination address of 192.168.1.201 would be INPUT traffic and be handled by those rules.
OUTPUT: Is all traffic leaving the device with a source address of itself. Ex. if the device's IP address is 192.168.1.201 then all traffic that has a source address of 192.168.1.201 would be OUTPUT traffic and be handled by those rules.
FORWARD: Is all traffic that is traversing the device and does not have to connect to the device itself. Ex. if the device's IP address is 192.168.1.201 then all traffic that does not have a source or destination address of 192.168.1.201, coming in eth0 and exiting eth1, would be FORWARD traffic and be handled by those rules.
This TUTORIAL is some reading if you'd like. While it is not up to date, it still holds true for how to setup IPTABLES.
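To make the INPUT/OUTPUT/FORWARD split concrete, here is an added Python model of the CHECK/LAN/WAN ruleset posted earlier in the thread. It is not part of the thread and not lazydog's code: `hook()` applies the classification above (locally generated, addressed to the box, or routed through), and `verdict()` walks the chains the way the RULES section wires them. The firewall's eth0 lease (192.168.100.10) and the LAN client (192.168.1.50) are assumed addresses, 203.0.113.5 is a documentation address, conntrack state is taken as given, and the router-to-LAN reply is shown after PREROUTING has already undone the MASQUERADE, which is what the filter table sees.

```python
"""Model of which built-in chain a packet hits and what the CHECK/LAN/WAN ruleset does with it."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Assumed addresses for the walkthrough: eth1 is from the thread, the eth0 DHCP
# lease and the LAN client are made up, 203.0.113.5 is a documentation address.
FW_LAN, FW_WAN, ROUTER, LAN_CLIENT = "192.168.1.201", "192.168.100.10", "192.168.100.1", "192.168.1.50"
LOCAL_ADDRS: Set[str] = {FW_LAN, FW_WAN, "127.0.0.1"}


@dataclass(frozen=True)
class Pkt:
    in_if: Optional[str]      # None for packets generated by the firewall itself
    src: str
    dst: str
    proto: str                # tcp / udp / icmp
    state: str                # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    syn_only: bool = True     # tcp: flags are exactly SYN (a legitimate new connection)
    icmp_type: Optional[int] = None


def hook(p: Pkt, local: Set[str] = LOCAL_ADDRS) -> str:
    """The routing decision picks the chain: locally generated -> OUTPUT,
    addressed to one of our own addresses -> INPUT, routed through -> FORWARD."""
    if p.in_if is None:
        return "OUTPUT"
    return "INPUT" if p.dst in local else "FORWARD"


def check_chain(p: Pkt) -> Optional[str]:
    if p.in_if == "lo":
        return "ACCEPT"
    if p.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"                      # replies to conversations conntrack knows
    if p.proto == "tcp" and p.state == "NEW" and not p.syn_only:
        return "DROP"                        # "New not syn"
    return None                              # -j RETURN to the calling chain


def lan_chain(p: Pkt) -> Optional[str]:
    if p.proto == "udp":
        return "ACCEPT"
    if p.proto == "tcp" and p.state == "NEW":
        return "ACCEPT"
    if p.proto == "icmp":
        return "ACCEPT" if p.icmp_type in (0, 3, 8, 11) else "DROP"
    return None                              # falls back to the chain policy


def wan_chain(p: Pkt) -> str:
    if p.proto == "icmp" and p.icmp_type in (0, 3, 8, 11):
        return "ACCEPT"
    return "DROP"                            # final rule in the WAN chain


def verdict(p: Pkt) -> Tuple[str, str]:
    """Return (built-in chain, verdict) following the posted RULES section."""
    h = hook(p)
    if h == "OUTPUT":
        return h, "ACCEPT"                   # iptables -A OUTPUT -j ACCEPT
    v = check_chain(p)
    if v is None and p.in_if == "eth0":
        v = wan_chain(p)
    elif v is None and p.in_if == "eth1":
        v = lan_chain(p)
    return h, v or "DROP"                    # policy DROP catches the rest


# The thread's scenario: a LAN host and the firewall itself ping the router,
# plus a few packets that should not get through.
SCENARIOS = {
    "lan host pings router":         Pkt("eth1", LAN_CLIENT, ROUTER, "icmp", "NEW", icmp_type=8),
    "router replies to lan host":    Pkt("eth0", ROUTER, LAN_CLIENT, "icmp", "ESTABLISHED", icmp_type=0),
    "firewall pings router":         Pkt(None, FW_WAN, ROUTER, "icmp", "NEW", icmp_type=8),
    "router replies to firewall":    Pkt("eth0", ROUTER, FW_WAN, "icmp", "ESTABLISHED", icmp_type=0),
    "unsolicited SYN from wan side": Pkt("eth0", "203.0.113.5", FW_WAN, "tcp", "NEW"),
    "lan ssh to firewall":           Pkt("eth1", LAN_CLIENT, FW_LAN, "tcp", "NEW"),
    "ack-only probe from lan":       Pkt("eth1", LAN_CLIENT, FW_LAN, "tcp", "NEW", syn_only=False),
}

if __name__ == "__main__":
    for name, p in SCENARIOS.items():
        chain, v = verdict(p)
        print(f"{name:32} {chain:8} {v}")
```

The model shows why the router's replies get in under this ruleset without any rule that names 192.168.100.0/24: they match RELATED,ESTABLISHED in CHECK before the WAN chain is consulted. It also makes the limits visible: the filter table only decides accept or drop, so NAT, the mangle-table anti-spoof rules and ip_forward all sit outside what this walk covers.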
Quote:
NETBIOS is allowed. If you look at your setup you will see that in your OUTPUT rules you are allowing NETBIOS. Because I set up OUTPUT to allow all, it is allowed. My only question is why would you want to allow NETBIOS outside of your network when it isn't secure?
I don't.
Quote:
Logging is also not done. I fine that it only fills up the logs and I only turn it on when troubleshooting connection issues so that I can see where the traffic is being dropped.
Yes, I get that. At least that part is obvious to me.
Quote:
I believe you don't truly understand traffic flow as it pertains to this device. Let me see if I can clear that up for you.
You are correct. I never really took the time to understand iptables and flow. I mostly attempted to get it to do what I thought that I wanted it to do. However, for my lack of understanding, there are obviously mistakes in my script. At times, too, I was too specific - just because I could be, and I am sure you know as well as I do that just because I can is never a good reason.
Quote:
This TUTORIAL is some reading if you'd like. While it is not up to date, it still holds true for how to setup IPTABLES.
I had started reading the tutorial just before I posted this, however, the script was a mess.
I'll take the time to read the tutorial.
Thanks for the start at a new script. I will work with it in light of the tutorial and go from there.