LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 04-30-2007, 08:30 AM   #1
Richtown
Member
 
Registered: Apr 2006
Location: Portsmouth
Distribution: CentOS & Ubuntu
Posts: 49

Rep: Reputation: 15
iptables problem!!


Hi Guys,

I'm building a gateway and I have two interfaces, eth0 (Internet) and eth1 (Private Network). I'm trying to write a rule that will block IP addresses received on eth0 and sent to eth1, for example (www.google.com). So the private network will not be able to access www.google.com, for example.

I can't figure out the syntax. I have something like:

iptables -A INPUT -s www.google.com 0 eth1 -j DROP

But this does not work. Is there anyone that knows the correct syntax to do this?

Thanks Rich.
 
Old 04-30-2007, 08:38 AM   #2
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Quote:
Originally Posted by Richtown
iptables -A INPUT -s www.google.com 0 eth1 -j DROP
I see a couple of things wrong with your syntax. First, if you are going from the internal interface to the external interface you will want to use the FORWARD chain, not the INPUT chain. Second, I don't think that "0" should be in your rule. Third, you list the link (www.google.com) as a source when it is really the destination address. Fourth, you don't list which interface eth1 is; it must be specified as incoming or outgoing, but in this case if you just want to block the address you don't really need it.

Try this:

Code:
iptables -A FORWARD -d www.google.com -j DROP
 
Old 04-30-2007, 08:47 AM   #3
Richtown
Member
 
Registered: Apr 2006
Location: Portsmouth
Distribution: CentOS & Ubuntu
Posts: 49

Original Poster
Rep: Reputation: 15

Thanks for the speedy reply. I've only just started learning iptables so I'm not really too hot on the commands. I can see where I went wrong now.

Thanks Rich
 
Old 04-30-2007, 08:50 AM   #4
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Probably the best tutorial out there: IPTables Tutorial 1.2.2

Definitely worth a read!!

Let me know if you need any other help.

Centinul
 
Old 05-01-2007, 04:49 AM   #5
Richtown
Member
 
Registered: Apr 2006
Location: Portsmouth
Distribution: CentOS & Ubuntu
Posts: 49

Original Poster
Rep: Reputation: 15

I'm having a bit of a problem with this script. I'm building an internet gateway: eth0 for the outside connection, eth1 for the LAN connection.

First off:
I block all ports into and out of my Gateway
iptables -P INPUT DROP
iptables -P OUTPUT DROP


Then I block all FORWARD connections to my LAN:
iptables -P FORWARD DROP

I then block all Telnet access to my LAN
iptables -A INPUT -p tcp --sport telnet -j REJECT
iptables -A INPUT -p udp --sport telnet -j REJECT


OK, so now I want to open port 80 (http) to my LAN, but the following code does not work:
iptables -A FORWARD -p tcp -dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -sport 80 -j ACCEPT


Is the iptables line correct, or have I done something wrong elsewhere?

Thanks Rich.

Last edited by Richtown; 05-01-2007 at 04:53 AM.
 
Old 05-01-2007, 05:50 AM   #6
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Quote:
Originally Posted by Richtown
I then block all Telnet access to my LAN
iptables -A INPUT -p tcp --sport telnet -j REJECT
iptables -A INPUT -p udp --sport telnet -j REJECT
If you want to block telnet access to your LAN you'll want to change it to the DESTINATION port. Also, the INPUT rules only block telnet access to the gateway device, not the PCs behind it. So you may want to add another rule to do that. An example would be:

Code:
iptables -A INPUT -p tcp --dport telnet -j REJECT
iptables -A FORWARD -p tcp --dport telnet -j REJECT
Technically speaking, though, since your default policies drop any packets that don't match anyway, there really is no need to explicitly reject these packets because they will be dropped anyway. But it is good practice to make sure.

Quote:
Originally Posted by Richtown
OK, so now i want to open port 80 (http) to my LAN but the following code does not work:
iptables -A FORWARD -p tcp -dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -sport 80 -j ACCEPT
Now I'm confused as to what you want here. Do you want the clients in your LAN to be able to browse the NET? Or do you have a web server in your LAN that you want people on the outside to be able to view?

If it's the former then:

Code:
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
Should work. Also, don't forget to allow all established and related packets back through your gateway:

Code:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
If it's a web server that you want people from the outside to view, then you will need to explain your network setup a little bit more (a la IP addresses, NAT or no NAT, etc.).

HTH,

Centinul
 
Old 05-01-2007, 06:16 AM   #7
Richtown
Member
 
Registered: Apr 2006
Location: Portsmouth
Distribution: CentOS & Ubuntu
Posts: 49

Original Poster
Rep: Reputation: 15

Sorry, yeah, I would like the internal network to access the NET.

Code:
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I tried the above but I still cannot gain access to the NET via a LAN machine.

If I enter iptables -A FORWARD ACCEPT then I have access to the NET. This is my iptables -L:

Code:
Chain INPUT (policy DROP)
target     prot opt source         destination
ACCEPT     all  --  anywhere       anywhere      state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source         destination
ACCEPT     tcp  --  anywhere       anywhere      tcp dpt:http
ACCEPT     all  --  anywhere       anywhere      state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source         destination
Would it have anything to do with no ACCEPT defined in the OUTPUT chain?
 
Old 05-01-2007, 06:34 AM   #8
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
That first rule I gave you should work in theory, so we should try and investigate why it isn't working. Read the section of the tutorial about logging. You need to log those dropped packets. That way, when you try and access the internet from a LAN machine, you should be able to see WHY the packets are being dropped.

Please post the "iptables -L" output when the rule I gave you is in place.

The OUTPUT chain is used on the gateway. If you wanted your gateway machine to access the internet you would put the same rule in place except you would use the OUTPUT chain instead.

Just for the fun of it try this rule:

Code:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
Also, don't forget to drop and recreate all your rules every time; that way you make sure there aren't any extraneous rules in there.
 
Old 05-01-2007, 07:12 AM   #9
Richtown
Member
 
Registered: Apr 2006
Location: Portsmouth
Distribution: CentOS & Ubuntu
Posts: 49

Original Poster
Rep: Reputation: 15
Iptables Rules Entered:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "IPF FWD DROP"
iptables -L
Code:
Chain INPUT (policy DROP)
target     prot opt source         destination

Chain FORWARD (policy DROP)
target     prot opt source         destination
ACCEPT     tcp  --  anywhere       anywhere      tcp dpt:http
LOG        all  --  anywhere       anywhere      LOG level warning prefix 'IPF FWD DROP'

Chain OUTPUT (policy DROP)
target     prot opt source         destination
From my LAN machine i tried www.google.com. Log on the Gateway was:
Code:
IPF FWD DROPIN=eth2 OUT=eth0 SRC=192.168.2.150
 DST=172.16.87.2 LEN=66 TOS=0X00 PREC=0X00 TTL=63 ID=3194 DF PROTO=UDP SPT=33035 DTP=53 LEN=40
eth2 will be used for my DMZ but it's not set up at the moment; it has a network subnet of 192.168.3.0/24. The 172.16.87.2 is the DNS server. The gateway is on a virtual machine (VMware). The IP address of the gateway is 172.16.87.128; its gateway is 172.16.87.1.
192.168.2.150 is the LAN machine that executed the Google request. As said before, if I remove the OUTPUT, INPUT, FORWARD DROP and replace it with ACCEPT I have connectivity to the NET. So that eliminates that problem.

Would it have anything to do with port 53 (DNS)? If it cannot resolve google.com then it won't be able to connect to it.

Thanks Rich
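The LOG line above already contains everything needed to see why the packet was dropped: it came in on eth2 rather than eth1, and it is a DNS query (UDP to port 53), which no ACCEPT rule covers. The following is an added example, not code posted by anyone in this thread, that reads a line of that form and prints both the dropped flow and the reason no rule matched. The sample line is constructed after the one in the post (with the port field written the way the kernel prints it, DPT=), and "IPF FWD DROP" is the prefix from the LOG rule in the post.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant. It reads the
# kind of LOG line the gateway produced above and states which flow was dropped
# and why no ACCEPT rule matched it.
# SAMPLE is constructed after the thread's log line (port field as DPT=).

SAMPLE='May  1 07:10:02 gateway kernel: IPF FWD DROPIN=eth2 OUT=eth0 SRC=192.168.2.150 DST=172.16.87.2 LEN=66 TOS=0x00 PREC=0x00 TTL=63 ID=3194 DF PROTO=UDP SPT=33035 DPT=53 LEN=40'

# field LINE KEY: print the value of the first KEY=value token in LINE.
# The prefix in the thread has no trailing space, so IN= is glued to it
# ("DROPIN=eth2"); matching *KEY=* rather than KEY=* copes with that.
field() {
    for tok in $1; do
        case "$tok" in
            *"$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
}

# explain_drop LINE: one human-readable line describing the dropped flow.
explain_drop() {
    printf '%s %s -> %s:%s, entered on %s, leaving on %s\n' \
        "$(field "$1" PROTO)" "$(field "$1" SRC)" "$(field "$1" DST)" \
        "$(field "$1" DPT)" "$(field "$1" IN)" "$(field "$1" OUT)"
}

# diagnose LINE LAN_IF: why the FORWARD ACCEPT rules (written with -i LAN_IF)
# did not match this packet. The interface check comes first because a rule
# bound to the wrong interface never gets as far as looking at the port.
diagnose() {
    in_if=$(field "$1" IN)
    proto=$(field "$1" PROTO)
    dpt=$(field "$1" DPT)
    if [ "$in_if" != "$2" ]; then
        printf 'arrived on %s, rules match -i %s\n' "$in_if" "$2"
    elif [ "$proto" = UDP ] && [ "$dpt" = 53 ]; then
        printf 'DNS query (UDP 53) has no ACCEPT rule\n'
    else
        printf '%s to port %s has no ACCEPT rule\n' "$proto" "$dpt"
    fi
}

# Demonstration on the constructed sample: the thread's rules use -i eth1.
explain_drop "$SAMPLE"
diagnose "$SAMPLE" eth1
```

On a real gateway, feed it the logged lines one at a time (for example, `grep 'IPF FWD DROP' /var/log/messages` piped into a `while read` loop that calls `diagnose` with the LAN interface name). Running it on the sample reports the interface mismatch first; changing the second argument to eth2 then reveals the missing DNS rule, which is exactly the pair of problems the next posts in the thread identify.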
 
Old 05-01-2007, 07:45 AM   #10
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Quote:
Originally Posted by Richtown
Would it have anything to do with port 53 (DNS) if it cannot resolve google.com then it wont be able to connect to it.
Yes that is most likely your problem. You will also have to allow DNS access from your LAN machines because if you don't they won't be able to resolve the addresses to the correct IP addresses. A rule that would allow that would be the following:

Code:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 53 -j ACCEPT
Unfortunately, the example that you gave for the rules that were entered would fail no matter what, because you specified the eth1 interface as the input interface when you tried from the eth2 interface. Make sure that you add the proper rules to support that interface.

Let me know if you have any other questions.

Thanks,

Centinul
 
Old 05-02-2007, 04:15 AM   #11
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
Quote:
Originally Posted by Centinul
Code:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 53 -j ACCEPT
Centinul
Let me correct, please.
I think it must be UDP port 53 instead of TCP 53,
so
Code:
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT
No need for "TCP 53" to resolve domain names. Also, UDP 53 packets are shown in the logs.

best regards.
 
Old 05-02-2007, 04:24 AM   #12
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Quote:
Originally Posted by maxut
Let me correct, please.
I think it must be UDP port 53 instead of TCP 53,
so
Code:
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 53 -j ACCEPT
No need for "TCP 53" to resolve domain names. Also, UDP 53 packets are shown in the logs.

best regards.
Thanks for the correction. I must have been sleeping when I wrote that.
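Pulling the corrections from posts #2, #6, #8, #10 and #11 together, here is a complete ruleset for the gateway in this thread, written as an added example (it is not code that any participant posted). It assumes eth0 faces the Internet, eth1 is the LAN, the LAN subnet is 192.168.2.0/24 (inferred from the 192.168.2.150 client in the log) and the address in BLOCKED_DST is a constructed placeholder; the DMZ interface eth2 is left out because the thread says it is not set up yet. The rules are emitted in iptables-restore format so the whole policy is replaced in one go, which is what "drop and recreate all your rules" in post #8 amounts to, and the OUTPUT chain carries the gateway's own traffic as post #8 explains:

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# Generates the complete ruleset for the gateway described above
# (eth0 = Internet, eth1 = LAN) in iptables-restore format, so the
# whole policy is replaced atomically each time instead of appended to.
# Interface names, the LAN subnet and the blocked address are assumptions.

WAN_IF="${WAN_IF:-eth0}"                   # assumed: Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                   # assumed: private network interface
LAN_NET="${LAN_NET:-192.168.2.0/24}"       # assumed: LAN subnet (from 192.168.2.150 in the log)
BLOCKED_DST="${BLOCKED_DST:-203.0.113.10}" # constructed placeholder for a destination the LAN may not reach

# gen_rules: print the ruleset. Rules are evaluated top to bottom; the first
# match wins, and anything unmatched falls through to the chain's DROP policy.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# The gateway itself: loopback, replies to connections it opened, and its own DNS lookups
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT
# Traffic through the gateway: replies first, then explicit denies, then what the LAN may open
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -d $BLOCKED_DST -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport telnet -j REJECT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 80 -j ACCEPT
# Everything else is logged (rate-limited) before the DROP policy discards it;
# the trailing space in the prefix keeps it separate from the IN= field.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPF FWD DROP "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite LAN sources to the gateway's WAN address so replies find their way back
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# apply_rules: load the ruleset atomically (requires root) and enable forwarding.
apply_rules() {
    gen_rules | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}

# Usage: sh gateway.sh        prints the ruleset for review
#        sh gateway.sh apply  loads it
case "${1:-}" in
    apply) apply_rules ;;
    *) gen_rules ;;
esac
```

Printing the rules without applying them lets you compare them against `iptables-save` on the box before committing. Two caveats the thread does not spell out: a hostname in `-d`, as in post #2, is resolved once when the rule is loaded and becomes one rule per address returned at that moment, so a site whose addresses change is not tracked; and DNS is allowed on TCP 53 as well as UDP 53 because resolvers retry over TCP when a UDP answer is truncated.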

 
  

