Old 12-03-2005, 12:50 PM   #1
grayFalcon
iptables masquerading problem with https


Hello everybody!

I have the following problem here: I have a Linux and a Windows PC. The Linux PC is connected to the Internet via DSL, the Windows PC is connected to the Linux PC. I use iptables masquerading to share the internet connection. This works fine, except I'm not able to access any https:// pages from the Windows PC (they work fine from Linux).

Any ideas what could be wrong? I'll post my whole iptables script here in case there's anything important, the masquerading line is bold: (the script's off the internet, I have no idea about iptables - love to learn it, but time's a rare commodity around here)

Code:
#!/bin/sh
IPT="/sbin/iptables"

INT="ppp0"

$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP
$IPT -N silent
$IPT -A silent -j DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.10.25 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent
$IPT -A INPUT -j dropwall
Thanks a lot in advance!
 
Old 12-09-2005, 08:38 AM   #2
nbd
What is the interface between Windows and Linux?

Quote:
$IPT -A INPUT -s 192.168.10.25 -d 0/0 -p all -j ACCEPT
What is the interface for this? If it's not defined, I guess it will mean all interfaces. That means that anyone from the internet with that IP can get through.

Although that IP is in restricted IP space, the attacker could somehow fake his/her IP to be that.
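Added example, not part of either post: a small audit for the issue raised in post #2, listing ACCEPT rules that trust a specific source address without naming an inbound interface. The function names and the interface name `eth0` are assumptions; the thread never states the LAN interface.

```shell
#!/bin/sh
# Added example: flag ACCEPT rules that trust a source address without
# binding it to an inbound interface (-i / --in-interface).

# Reads iptables rule lines on stdin (script lines or `iptables -S` output)
# and prints every rule that:
#   - jumps to ACCEPT,
#   - matches a specific source (-s/--source other than 0/0 or 0.0.0.0/0),
#   - names no inbound interface.
find_unbound_source_accepts() {
    awk '
    {
        src = ""; iface = ""; target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-s" || $i == "--source")        src = $(i + 1)
            if ($i == "-i" || $i == "--in-interface")  iface = $(i + 1)
            if ($i == "-j" || $i == "--jump")          target = $(i + 1)
        }
        if (target != "ACCEPT") next
        if (src == "" || src == "0/0" || src == "0.0.0.0/0") next
        if (iface == "") print
    }'
}

# Three rules copied from the script in post #1, plus one constructed rule
# (last line) showing the same source match bound to a LAN interface.
# "eth0" is an assumed name, not taken from the thread.
sample_rules() {
    cat <<'EOF'
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.10.25 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -s 192.168.10.25 -j ACCEPT
EOF
}

# Prints only the rule that accepts 192.168.10.25 on every interface.
sample_rules | find_unbound_source_accepts
```

The same function can be fed the live ruleset with `iptables -S | find_unbound_source_accepts`.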