LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-03-2006, 07:47 AM   #1
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Rep: Reputation: 0
IPtables Routing Script


Hi Guys,

I have a simple question. I am running the iptables script below. However, this does not have any firewall security. I wanted to know how secure this is: apart from not securing the actual box, which only has ssh/http running on it, does it have any security risks for internal machines?

#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
 
Old 12-03-2006, 07:54 AM   #2
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
I can't see any INPUT -j DROP or -P INPUT DROP, so your local box's security is at RISK. 100% risk (because you have ssh/http running).

I can't see any FORWARD -j DROP or -P FORWARD DROP, so all your INTERNAL LAN boxes' security is at RISK, 100% risk (any spyware, spamware, virus or cracker could easily talk to the internet).

You have got to block something at the FORWARD chain; in the present scenario, that's the chain where you should block or allow things to keep your LAN more secure.
 
Old 12-03-2006, 08:20 AM   #3
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Rep: Reputation: 0
Hi amitsharma_26,

Thanks for your reply. I will be editing this script remotely so I need to make sure ssh will work after the script has been executed.

Whether these rules below will allow 80 and 21 to the local box I'm not sure.

iptables -A FORWARD -i eth1 -p tcp --dport 22 -j ACCEPT   # eth1 = dsl
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT   # eth1 = dsl


Dan
 
Old 12-03-2006, 08:34 AM   #4
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Dan,
Blocking or allowing anything in the FORWARD chain doesn't affect access to the local box from anywhere. Make that clear. And hence also be cautious that drop or deny rules at INPUT or OUTPUT will drop your ssh connection to this box from anywhere (if not granted an explicit allow rule).

FORWARD chain is for your LAN or for your NATed packets.
INPUT & OUTPUT is for your local box.
 
Old 12-03-2006, 10:14 AM   #5
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Rep: Reputation: 0
Hi,

I've decided to get a pre-made script. I have the following below; however, allowing port 80 on the box for outside access just does not work. Any ideas?

The interfaces are: eth1, ADSL Ethernet modem; eth0, LAN.

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

iptables -N open
iptables -N interfaces

iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT


iptables -A interfaces -i lo -j ACCEPT
iptables -A interfaces -i eth0 -j ACCEPT

#iptables -A open -p tcp --dport 22 -j ACCEPT
#iptables -A open -p tcp --dport 80 -j ACCEPT
#iptables -A open -i eth1 -p tcp --dport 80 -j ACCEPT
#iptables -A open -i eth1 -p tcp --dport 22 -j ACCEPT

# iptables -A open -i foo -p tcp --dport 65000:65005 -j ACCEPT
# iptables -A open -i foo -p udp --dport 65000:65005 -j ACCEPT


iptables -F FORWARD

iptables -N fw-interfaces
iptables -N fw-open

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j fw-interfaces
iptables -A FORWARD -j fw-open

iptables -A FORWARD -j REJECT --reject-with icmp-host-unreachable
iptables -P FORWARD DROP

iptables -A fw-interfaces -i eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth1 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A fw-open -d 10.0.0.1 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j DNAT --to 10.0.0.1:80
 
Old 12-03-2006, 10:48 AM   #6
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Does your actual webserver sit on the LAN IP of 10.0.0.1?
If yes, then you have got to modify the last rule of your firewall script with
Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80
& also make sure that your webserver (10.0.0.1) has this firewall box as its gateway.

p.s: Highlighted text is the correction in your script.

Last edited by amitsharma_26; 12-03-2006 at 10:59 AM.
 
Old 12-03-2006, 01:37 PM   #7
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Rep: Reputation: 0
Hi,

Thanks for your reply. It's the router's web server that I want to be reachable externally. The rule you highlighted should be uncommented.

Any help would be appreciated.

Dan
 
Old 12-03-2006, 02:45 PM   #8
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
No, you can't uncomment that; it's already uncommented. The only thing you have got to do is to replace that last rule of your script with the rule I mentioned in my last post.
 
Old 12-04-2006, 08:43 AM   #9
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Rep: Reputation: 0
Hi,

I need the router's http server to be reachable externally. I tried iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80 and put in the local IP of the router, but it still didn't work. I don't think that's the rule to use if you want to locally forward ports.

Basically I just need a firewall that is secure, allows ssh and http and can do some port forwarding.

Dan
 
Old 12-04-2006, 09:28 AM   #10
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Quote:
Originally Posted by th_dan
I need the router's http server to be reachable externally. I tried iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.0.1:80 and put in the local IP of the router, but it still didn't work. I don't think that's the rule to use if you want to locally forward ports.
That is the only iptables rule available to use if you want to forward local ports over to another box in your own LAN network which has your IP as its gateway.

Now the question is how you are verifying whether your port forwarding is working or not. Merely typing your real static IP in your own local browser is not the right way. Are you checking it this way?
And if you want to see it happen this way then you got to add another rule for
Code:
-t nat -A OUTPUT
 
Old 12-04-2006, 05:20 PM   #11
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Rep: Reputation: 0
Hi Amit,

Thanks again for your reply. I am checking this via a remote server. What I am trying to achieve here is:

1. Port forwarding if needed to lan machines.
2. http 80 and ssh 21 open on the router so I can access these services on the outside via a remote server or pc on the internet.
3. secure firewall.

I can't see why the port forwarding isn't working. Anyhow, I'm going to fiddle about with it.

Thank You

Dan
 
Old 12-04-2006, 07:37 PM   #12
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Rep: Reputation: 0
Hi,

Finally I have gotten it to work. In case someone else needs a little help, that's what this forum is for. You will need to change certain parts. It's quick and dirty but works.


#eth1 ethernet adsl modem change for ppp0
#eth0 internal lan

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X

/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
# only if both of the above rules succeed, use
/sbin/iptables -P INPUT DROP

/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Open Local Ports
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT

# Port-Forwarding Lan Machines
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.0.40:80
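Added example, not posted by anyone in this thread: a small Python model of the iptables filter table that replays the INPUT rules from post #5 and the rules from Dan's final script in post #12 against the packets the thread is about. It encodes what amitsharma_26 explains in posts #2 and #4, namely that a packet addressed to the router itself is decided by INPUT, a packet passing through it by FORWARD, and that a built-in chain falls back to its policy when no rule matches; the model assumes the kernel's starting policy of ACCEPT on every chain, which `-F` does not reset. The parser only understands the options these two scripts use, skips `-t nat` lines, and the embedded rule text is copied from the posts, except that the port-80 line of post #5's `open` chain is switched on to show it makes no difference. The address 10.0.0.40 is the LAN host from the commented port-forwarding line above; the packet descriptions are constructed.

```python
# Toy model of the iptables filter table (constructed for this thread; nat/mangle are ignored).
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
VALUE_OPTS = {"-i", "-o", "-p", "-d", "--dport", "--state", "-j"}

def parse_rule(tokens):
    # Options after '-A CHAIN' -> {opt: value}; rule['neg'] holds the negated options.
    rule, i = {"neg": set()}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_OPTS:
            val = tokens[i + 1]
            if val == "!":                      # old-style negation, as in post #12: -i ! eth1
                val, i = tokens[i + 2], i + 1
                rule["neg"].add(tok)
            rule[tok] = val
            i += 1
        i += 1                                  # valueless flags (-m state, --reject-with x) are skipped
    return rule

def matches(rule, pkt):
    checks = {"-i": lambda v: pkt.get("iif") == v, "-o": lambda v: pkt.get("oif") == v,
              "-p": lambda v: pkt["proto"] == v, "-d": lambda v: pkt.get("dst") == v,
              "--dport": lambda v: pkt.get("dport") == int(v),
              "--state": lambda v: pkt["state"] in v.split(",")}
    for opt, fn in checks.items():              # a negated option must NOT match
        if opt in rule and fn(rule[opt]) == (opt in rule["neg"]):
            return False
    return True

class Filter:
    def __init__(self):
        self.policy = dict.fromkeys(("INPUT", "FORWARD", "OUTPUT"), "ACCEPT")  # kernel default
        self.chains = {c: [] for c in self.policy}

    def load(self, script):
        for line in script.splitlines():
            argv = shlex.split(line.split("#", 1)[0])
            if not argv or not argv[0].endswith("iptables") or "-t" in argv:
                continue                        # skips blank, comment, echo and nat/mangle lines
            cmd, rest = argv[1], argv[2:]
            if cmd == "-P":                     # policy is a chain attribute, not a positional rule
                self.policy[rest[0]] = rest[1]
            elif cmd == "-N":
                self.chains[rest[0]] = []
            elif cmd == "-A":
                self.chains.setdefault(rest[0], []).append(parse_rule(rest[1:]))
        return self

    def verdict(self, chain, pkt):
        """First matching terminating target wins; a user chain that runs off its end RETURNs."""
        for rule in self.chains[chain]:
            if not matches(rule, pkt):
                continue
            target = rule.get("-j")
            if target in TERMINAL:
                return target
            if target in self.chains:           # jump; if the sub-chain RETURNs, keep walking here
                sub = self.verdict(target, pkt)
                if sub in TERMINAL:
                    return sub
        return self.policy.get(chain, "RETURN")  # built-in chain: policy; user chain: RETURN

# Post #5 INPUT rules (with the commented port-80 line of the 'open' chain switched on)
POST5 = """
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -P INPUT DROP
iptables -N open
iptables -A open -i eth1 -p tcp --dport 80 -j ACCEPT
"""
# Post #12 rules that reach the filter table (flush lines and the nat rule drop out)
POST12 = """
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth1 -j REJECT
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
"""

def pkt(**f):                                   # packet after conntrack classification; default: new TCP
    return {"proto": "tcp", "state": "NEW", **f}

def run_checks():
    post5, post12 = Filter().load(POST5), Filter().load(POST12)
    web = pkt(iif="eth1", dport=80)                                   # internet client -> router's httpd
    inbound = pkt(iif="eth1", oif="eth0", dst="10.0.0.40", dport=22)  # unsolicited internet -> LAN host
    hardened = Filter().load(POST12 + "iptables -P FORWARD DROP\n")
    return {
        "post5 INPUT web": post5.verdict("INPUT", web),     # REJECT: the tcp REJECT precedes any ACCEPT
        "post5 open web": post5.verdict("open", web),       # ACCEPT, but INPUT never jumps to 'open'
        "post12 INPUT web": post12.verdict("INPUT", web),   # ACCEPT
        "post12 FORWARD inbound": post12.verdict("FORWARD", inbound),     # ACCEPT: FORWARD policy never set
        "hardened FORWARD inbound": hardened.verdict("FORWARD", inbound),  # DROP
    }
```

Running `run_checks()` shows why post #5 never worked: the `-p tcp -j REJECT` line sits before any ACCEPT and nothing in INPUT jumps to `open`, so a new SYN to port 80 on eth1 is rejected whatever the `open` chain contains, while post #12 accepts it. It also shows the one thing the final script leaves unset: it never issues `-P FORWARD DROP`, so with the kernel's default policy a new connection arriving on eth1 for a LAN host is forwarded; appending that single line turns the verdict to DROP while the eth0-to-eth1 and ESTABLISHED,RELATED rules keep LAN traffic working.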