LinuxQuestions.org

Linux - Networking: iptables script not working (https://www.linuxquestions.org/questions/linux-networking-3/iptables-script-not-working-709077/)

lasantha 03-04-2009 06:00 AM

iptables script not working
 
Dear All,

I was asked to set up a firewall that has two zones. My LAN is 192.168.1.0/24 (firewall eth1 - 192.168.1.200) and the router's connected IP is 10.64.78.1/24 (firewall eth0 - 10.64.78.2).

I have written a script with a DROP policy. Internal (192.168.1.0/24) PCs need to access the external SMTP/POP server IP a.b.c.d, and a few PCs also need to connect to it via SSH (PuTTY).

I have tried to do this using the following script and it is not working. (I only have experience writing a few rules for SMTP/POP servers using the INPUT and OUTPUT chains, not the FORWARD chain.)


Code:

# Drop all
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Accept loop back address
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Forward SMTP/POP3,ssh traffic to and from OUT side
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.1.0/24 -d a.b.c.d --dport smtp,pop3,ssh -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p tcp -s a.b.c.d -d 192.168.1.0/24 --sport smtp,pop3,ssh -m state --state ESTABLISHED -j ACCEPT

# Save and Start Iptables
service iptables save
service iptables start

Using the following script I can't access the a.b.c.d server for SMTP, POP3 and SSH.
Please, someone help me to correct this.

Lasantha

win32sux 03-04-2009 10:04 AM

Replace those FORWARD rules with these:
Code:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.1.0/24 \
-d a.b.c.d -m multiport --dports 22,25,110 -m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Then make sure you have IP forwarding enabled:
Code:

cat /proc/sys/net/ipv4/ip_forward

If it's not enabled, enable it:
Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

lasantha 03-04-2009 12:13 PM

Thanks very much. I got the whole theory from the code you have sent.
It's really helpful. I was stuck there trying to apply NAT for that. Now you have cleared the way. Thanks.

lasantha 03-04-2009 11:20 PM

Dear win32sux,
I have done that, and I am wondering why I can't integrate the INPUT and OUTPUT rules that I have created for the firewall box, listed below. If I run the following rules I can't log in to the firewall box via SSH because my link disconnects.

If you have time, please check and just guide me with corrections (I would highly appreciate it if you can correct it). Anyway, thanks for the contribution you have made to this thread.

Code:

# Drop all
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Enable IP FORWARDING
echo 1 > /proc/sys/net/ipv4/ip_forward

# Accept loop back address
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Rules for connect to SSH firewall box.
IPTABLES -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 -d 192.168.1.200 \
--dport ssh -m state --state NEW, ESTABLISHED -j ACCEPT
IPTABLES -A OUTPUT -o eth1 -p tcp -d 192.168.1.0/24 -s 192.168.1.200 \
--sport ssh -m state --state ESTABLISHED -j ACCEPT

# Rules for Connect SMTP/POP3 and SSH for Admin works
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p TCP -i eth1 -o eth0 -s 192.168.1.0/24 \
-d a.b.c.d -m multiport --dports 22,25,110 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Save and Start Iptables
service iptables save
service iptables start

Thanks
Lasantha

win32sux 03-05-2009 12:19 AM

It wouldn't work with IPTABLES written in capital letters like that.

lasantha 03-05-2009 06:45 AM

Dear win32sux,

Actually this is a typing mistake and I am very sorry for that. Normally I do this with lower-case letters only, as in the upper lines of the script.

script -> http://pastebin.com/m248994af

I would highly appreciate it if you can correct it.

Thanks

Lasantha

win32sux 03-05-2009 12:03 PM

It's so much better if you just paste here using CODE tags instead of on that website. In any case, troubleshooting this should be really easy. Change your OUTPUT policy to ACCEPT and try again. If it then works, you know the problem is with your OUTPUT rule. If it still doesn't work, are you positive that 192.168.1.200 is the IP of this box? Your last troubleshooting step will be to enable logging of filtered packets to see what exactly is going on here.
Code:

iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
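For reference, the pieces discussed in this thread (stateful INPUT/OUTPUT rules for SSH to the box, the FORWARD + MASQUERADE rules from the first reply, ip_forward, and the LOG rules from the last reply) assembled into one script. This is an added example, not code posted by anyone in the thread; interface names, 192.168.1.200 and the LAN range are taken from the thread, a.b.c.d stays as a placeholder for the real mail host, and the DRY_RUN switch is this example's own addition so the rules can be printed and checked without root. Persisting the rules (the thread's `service iptables save`) is left to the distro.

```sh
#!/bin/sh
# Added example (not from the thread). ESTABLISHED,RELATED is accepted first in
# every chain, NEW rules follow, and the LOG rules sit last so they only see
# what the DROP policy is about to discard. MAIL_SERVER is a placeholder.
set -eu

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.1.0/24
FW_LAN_IP=192.168.1.200
MAIL_SERVER=${MAIL_SERVER:-a.b.c.d}   # replace with the external SMTP/POP/SSH host

# With DRY_RUN=1 the commands are printed instead of executed (no root needed).
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

apply_rules() {
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Replies and related packets for every chain, before any NEW rule.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH to the firewall box itself, only from the LAN side.
    run iptables -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" -d "$FW_LAN_IP" \
        --dport 22 -m state --state NEW -j ACCEPT

    # LAN -> external SMTP/POP3/SSH host, masqueraded behind the WAN address.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$LAN_NET" \
        -d "$MAIL_SERVER" -m multiport --dports 22,25,110 -m state --state NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Rate-limited logging of what the DROP policies will discard (tail the kernel log).
    for chain in INPUT OUTPUT FORWARD; do
        run iptables -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "$chain DROP: "
    done
    run sysctl -w net.ipv4.ip_forward=1   # same as echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) DRY_RUN=1 apply_rules ;;
esac
```

Run `sh fw.sh dry-run` to review the generated commands, then `sh fw.sh apply` as root from the console rather than over SSH, since the policies are set to DROP before the SSH rule is appended.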
