[SOLVED] IPTABLES: question about forwarding rules

Annielover · 04-03-2013, 04:16 PM

Hi all,

First of all: this is my network layout:

internal network (192.168.100.0) --> (eth1) firewall (eth0) --> internet

Consider this script:

Code:

#!/bin/bash
#
###################
# FIREWALL SCRIPT #
###################

# Flush existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Set default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow all SSH traffic on all interfaces
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Configure NAT
# eth0 is the public (internet) network interface
# eth1 is the private network interface
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.100.0/24 -d 0/0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED, ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW, ESTABLISHED, RELATED -j ACCEPT

# Block all other traffic
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

As you can see I'm forwarding all traffic between the two interfaces.
With these firewall rules, will my internal clients be able to access the internet?

Or do I have to add following rules?

Code:

# Allow WWW access
iptables -A INPUT -p tcp --dport 80 -m state --state NEW, ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow sWWW access
iptables -A INPUT -p tcp --dport 443 -m state --state NEW, ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

I'm a little confused about that and I'm unable to test 'cause currently I'm at an external location...

Thank you very much!!

GlennsPref · 04-03-2013, 05:19 PM

Hi, you may need this line, net/ipv4/ip_forward = 1

Code:

#---------------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting a
# network, NAT included
#---------------------------------------------------------------

net/ipv4/ip_forward = 1

net.ipv4.icmp_ignore_bogus_error_responses=1

in /etc/sysctl.conf

Annielover · 04-03-2013, 05:38 PM

Hi,

I already set up "ip_forward=1"

I'm just wondering if I have to add those rules in addition to the FORWARD rules:
Am I correct that iptables forwards all traffic coming from eth1 to eth0 or do I need to tell iptables what type of traffic is allowed to be forwarded?

Code:

# Allow WWW access
iptables -A INPUT -p tcp --dport 80 -m state --state NEW, ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow sWWW access
iptables -A INPUT -p tcp --dport 443 -m state --state NEW, ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

KinnowGrower · 04-03-2013, 06:14 PM

Quote:

Or do I have to add following rules?
Code:

# Allow WWW access
iptables -A INPUT -p tcp --dport 80 -m state --state NEW, ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow sWWW access
iptables -A INPUT -p tcp --dport 443 -m state --state NEW, ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

I'm a little confused about that and I'm unable to test 'cause currently I'm at an external location...

INPUT chain contains the rules that allow or deny only the traffic destined for firewall it self. Means server running firewall. In your case you want to allow to FORWARD traffic so you dont need this

OUTPUT chain contains the rules that allow or deny the traffic that is generated, itself from the firewall. Means from the server running firewall. Even in this case you want allow traffic from network behind the firewall server. You dont need it.

Annielover · 04-04-2013, 05:53 AM

Thanks, now I get it!