LinuxQuestions.org
#1  03-17-2014, 10:17 PM  rorrow (LQ Newbie, Registered: Mar 2014, Posts: 3)
Iptables + squid3 to forward traffic to subnet, help please


I have a machine running Ubuntu 12.04 with iptables + squid3; I will call it "Firewall". This machine has 2 network cards:
eth0: 192.168.19.10 (to LAN)
eth1: 201.36.25.145 (to Internet)

I have 4 PCs in other networks (already connected to "Firewall": I can ping it and connect to it by ssh):

PC1: 192.168.20.2
PC2: 192.168.20.3
PC3: 192.168.21.2
PC4: 192.168.22.3

I need to share internet through squid3, and open ports 993 and 587 to allow the Outlook e-mail client to work on PC1, PC2, PC3 and PC4.

I have this script that worked some time ago, but I reinstalled a new distribution and the script doesn't work any more. Here is the script:

# interfaces
IF_INET="eth1" Access to Internet
IF_LAN="eth0" Access to LAN


# Flush
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

#Default rules
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# all connections to localhost
iptables -A INPUT -i lo -j ACCEPT

#----TRANSPARENT SQUID3
iptables -t nat -A PREROUTING -i $IF_LAN -p tcp --dport 80 -j DNAT --to 192.168.19.10:3128
iptables -t nat -A PREROUTING -i $IF_LAN -p tcp --dport 80 -j REDIRECT --to-port 3128


# Accept NAT for...
iptables -A FORWARD -s 192.168.20.2 -i $IF_INET -j ACCEPT
iptables -A FORWARD -s 192.168.20.3 -i $IF_INET -j ACCEPT
iptables -A FORWARD -s 192.168.21.2 -i $IF_INET -j ACCEPT
iptables -A FORWARD -s 192.168.21.3 -i $IF_INET -j ACCEPT
#----HTTP
iptables -t nat -A POSTROUTING -s 192.168.20.2 -p tcp --dport 80 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.3 -p tcp --dport 80 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.2 -p tcp --dport 80 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.3 -p tcp --dport 80 -o $IF_INET -j MASQUERADE

#----HTTPS
iptables -t nat -A POSTROUTING -s 192.168.20.2 -p tcp --dport 443 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.3 -p tcp --dport 443 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.2 -p tcp --dport 443 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.3 -p tcp --dport 443 -o $IF_INET -j MASQUERADE

#----OUTLOOK RECEIVE
iptables -t nat -A POSTROUTING -s 192.168.20.2 -p tcp --dport 993 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.3 -p tcp --dport 993 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.2 -p tcp --dport 993 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.3 -p tcp --dport 993 -o $IF_INET -j MASQUERADE

#----OUTLOOK SEND
iptables -t nat -A POSTROUTING -s 192.168.20.2 -p tcp --dport 587 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.3 -p tcp --dport 587 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.2 -p tcp --dport 587 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.3 -p tcp --dport 587 -o $IF_INET -j MASQUERADE

#----DNSLOOKUP
iptables -t nat -A POSTROUTING -s 192.168.20.2 -p tcp --dport 53 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.3 -p tcp --dport 53 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.2 -p tcp --dport 53 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.3 -p tcp --dport 53 -o $IF_INET -j MASQUERADE

#----SQUID
iptables -A INPUT -s 192.168.20.2 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 192.168.20.3 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 192.168.21.2 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 192.168.21.3 -p tcp --dport 3128 -j ACCEPT


#Drop all not listed ports
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 1:1024 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -p udp --dport 1:1024 -j DROP

# Forward
echo 1 > /proc/sys/net/ipv4/ip_forward

# Established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The problem is that PC1, PC2, PC3 and PC4 can only connect to the internet by setting proxy options in Internet Explorer, and can't connect to ports 993 and 587. I assume something is wrong with the squid3 transparent configuration, but what is more important is that I don't know how to open the 587 and 993 SSL ports to PC1, PC2, PC3 and PC4. Any help will be appreciated.
 
#2  03-17-2014, 11:30 PM  Ser Olmy (Senior Member, Registered: Jan 2012, Distribution: Slackware, Posts: 3,348)
Could you please put the script inside [code] tags? It would make it a lot easier to read.

I hope you don't actually have those comments behind the variable definitions at the beginning (under the "# interfaces" comment), as they would cause the shell to attempt to set the variable only in the context of running the non-existent command "Access".

Why are you using separate NAT statements for every type of traffic, even though it's all NATed behind the same address? That makes no sense and makes the script (and your ruleset) a lot more complex than necessary.

Last edited by Ser Olmy; 03-17-2014 at 11:32 PM.
 
#4  03-18-2014, 08:12 AM  rorrow (Original Poster)
Thanks Ser Olmy for the reply:


Here is the code again:

Code:
# Access to Internet
IF_INET="eth1"
# Access to LAN 
IF_LAN="eth0" 


# Flush
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

#Default rules
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# all connections to localhost
iptables -A INPUT -i lo -j ACCEPT

#----TRANSPARENT SQUID3
iptables -t nat -A PREROUTING -i $IF_LAN -p tcp --dport 80 -j DNAT --to 192.168.19.10:3128
iptables -t nat -A PREROUTING -i $IF_LAN -p tcp --dport 80 -j REDIRECT --to-port 3128


# Accept NAT for...
iptables -A FORWARD -s 192.168.20.2 -i $IF_INET -j ACCEPT
iptables -A FORWARD -s 192.168.20.3 -i $IF_INET -j ACCEPT
iptables -A FORWARD -s 192.168.21.2 -i $IF_INET -j ACCEPT
iptables -A FORWARD -s 192.168.21.3 -i $IF_INET -j ACCEPT
#----HTTP
iptables -t nat -A POSTROUTING -s 192.168.20.2 -p tcp --dport 80 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.3 -p tcp --dport 80 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.2 -p tcp --dport 80 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.3 -p tcp --dport 80 -o $IF_INET -j MASQUERADE

#----HTTPS
iptables -t nat -A POSTROUTING -s 192.168.20.2 -p tcp --dport 443 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.3 -p tcp --dport 443 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.2 -p tcp --dport 443 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.3 -p tcp --dport 443 -o $IF_INET -j MASQUERADE

#----OUTLOOK RECEIVE
iptables -t nat -A POSTROUTING -s 192.168.20.2 -p tcp --dport 993 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.3 -p tcp --dport 993 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.2 -p tcp --dport 993 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.3 -p tcp --dport 993 -o $IF_INET -j MASQUERADE

#----OUTLOOK SEND
iptables -t nat -A POSTROUTING -s 192.168.20.2 -p tcp --dport 587 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.3 -p tcp --dport 587 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.2 -p tcp --dport 587 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.3 -p tcp --dport 587 -o $IF_INET -j MASQUERADE

#----DNSLOOKUP
iptables -t nat -A POSTROUTING -s 192.168.20.2 -p tcp --dport 53 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.20.3 -p tcp --dport 53 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.2 -p tcp --dport 53 -o $IF_INET -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.21.3 -p tcp --dport 53 -o $IF_INET -j MASQUERADE

#----SQUID
iptables -A INPUT -s 192.168.20.2 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 192.168.20.3 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 192.168.21.2 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -s 192.168.21.3 -p tcp --dport 3128 -j ACCEPT


#Drop all not listed ports
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 1:1024 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -p udp --dport 1:1024 -j DROP

# Forward
echo 1 > /proc/sys/net/ipv4/ip_forward

# Established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The comments are not in the script (in the re-post I added a # at the beginning to clarify this).
I'm using separate NAT statements for every type of traffic because I only want to open those ports to PC1, PC2, PC3 and PC4. They all should have internet access through the firewall, all NATed behind the same address. You said this script is more complex than necessary; can you please write an example of an easier way to do this, and tell me why ports 993 and 587 are not being opened to PC1, PC2, PC3 and PC4? I have more PCs in the subnets, that's why I specify the IP address of the PCs I want to have access to the internet.


Hope you can help me.

Last edited by rorrow; 03-18-2014 at 10:08 AM.
 
#5  03-18-2014, 01:11 PM  Ser Olmy (Senior Member, Distribution: Slackware)
The combination of an ACCEPT policy for the FORWARD chain and no blocking rules in that chain, means you're letting everything through (in both directions, I might add).

The nat table is not meant for filtering, but that's how you're using it: all traffic goes through the firewall, but some of it goes out with a local source address. Since you're using RFC 1918 addresses, the remote server can't reply and the traffic appears to be blocked, but in reality you're informing the world about which local IP addresses you're using.

The above would be of little consequence, except some of the rules have the wrong interface match criteria:
Code:
# Accept NAT for...
iptables -A FORWARD -s 192.168.20.2 -i $IF_INET -j ACCEPT
iptables -A FORWARD -s 192.168.20.3 -i $IF_INET -j ACCEPT
iptables -A FORWARD -s 192.168.21.2 -i $IF_INET -j ACCEPT
iptables -A FORWARD -s 192.168.21.3 -i $IF_INET -j ACCEPT
Here, you're explicitly allowing spoofed traffic from the Internet to be forwarded to your internal network. Hopefully, the reverse path verification setting in the kernel will have blocked any such packets.

As for why things aren't working, my guess would be DNS. DNS is UDP-based, but you're only allowing TCP. True, DNS falls back to TCP if the reply message is too big to fit in a single packet, but the fallback mechanism only kicks in when the client receives a "reply too big" message in response to a UDP query.

Here's my (very much untested) version:
Code:
# Internet I/F
IF_INET="eth1"
# LAN I/F
IF_LAN="eth0" 


## Flush all tables
iptables -F
iptables -X
iptables -Z
iptables -t nat -F


## Set policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT


## Activate forwarding
#  (a separate forwarding setting is likely to exist in your
#  distribution, making this redundant)
echo 1 > /proc/sys/net/ipv4/ip_forward


## Access rules: INPUT

# localhost must be allowed
iptables -A INPUT -i lo -j ACCEPT

# established sessions
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Squid proxy; both ports 80 and 3128 must be allowed
# (transparent proxying)
iptables -A INPUT -i $IF_LAN -s 192.168.20.2 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IF_LAN -s 192.168.20.3 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IF_LAN -s 192.168.21.2 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IF_LAN -s 192.168.21.3 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IF_LAN -s 192.168.20.2 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i $IF_LAN -s 192.168.20.3 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i $IF_LAN -s 192.168.21.2 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i $IF_LAN -s 192.168.21.3 -p tcp --dport 3128 -j ACCEPT


## Access rules: FORWARD

# established sessions
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS
iptables -A FORWARD -i $IF_LAN -s 192.168.20.2 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.20.3 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.21.2 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.21.3 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.20.2 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.20.3 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.21.2 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.21.3 -p tcp --dport 53 -j ACCEPT

# no HTTP rules are required, as transparent proxying is handled by
# the relevant NAT/INPUT rules

# HTTPS
iptables -A FORWARD -i $IF_LAN -s 192.168.20.2 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.20.3 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.21.2 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.21.3 -p tcp --dport 443 -j ACCEPT

# IMAP/SSL
iptables -A FORWARD -i $IF_LAN -s 192.168.20.2 -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.20.3 -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.21.2 -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.21.3 -p tcp --dport 993 -j ACCEPT

# SMTP/TLS Message Submission
iptables -A FORWARD -i $IF_LAN -s 192.168.20.2 -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.20.3 -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.21.2 -p tcp --dport 587 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -s 192.168.21.3 -p tcp --dport 587 -j ACCEPT


## NAT rules

# transparent proxying
iptables -t nat -A PREROUTING -i $IF_LAN -p tcp --dport 80 -j REDIRECT --to-port 3128

# NAT outbound traffic
iptables -t nat -A POSTROUTING -o $IF_INET -j MASQUERADE
I changed the FORWARD policy to DROP, and hence had to add a state matching rule for established sessions in the FORWARD chain. Since the policy for both the INPUT and the FORWARD chain is now DROP, no rules were needed for explicitly dropping non-allowed packets.

I chose to invert the NAT interface match logic from "-i <internal_IF>" to "-o <internet_IF>", as the former will also NAT internal intra-subnet traffic.

Technically, a "NEW" state match criteria could be added to all the FORWARD rules dealing with specific TCP protocols. That would only serve to prevent internal clients from sending invalid TCP packets, so I left it out. It would probably not improve security in any meaningful way.

I kept the host-specific matches, but if what you really mean is to allow all hosts on the 192.168.20.0/24 and 192.168.21.0/24 networks, using network matches would eliminate no less than 14 rules.

Finally, you may want to add a rule or two to the INPUT chain for remote administration (SSH?).
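As an added example (not rorrow's or Ser Olmy's script), here is the same ruleset generated from a single host list in POSIX sh, so every PC and every port is named once and the INPUT, FORWARD and NAT rules cannot drift apart the way the hand-copied groups above did. It keeps the changes Ser Olmy made (FORWARD policy DROP, stateful ESTABLISHED,RELATED rules, UDP/53 next to TCP/53, one MASQUERADE on the Internet interface) and adds three checks a practitioner would want: a NEW-state match on the outbound rules, anti-spoofing drops for private source addresses arriving on the Internet interface (the hole in the original "-i $IF_INET -s <LAN host>" rules), and a rate-limited LOG rule ahead of the FORWARD drop policy so refused connections appear in the kernel log. Assumptions, all mine: the host list uses 192.168.22.3 for PC4 as the first post lists it (both posted scripts use 192.168.21.3 instead), SSH administration comes from the LAN side only, the interface names and ports are those from the thread, and the script only prints the iptables commands (dry run) unless IPT=iptables and SYSCTL=sysctl are set and it is run with the argument "run" as root.

```sh
#!/bin/sh
# Added example, not either poster's script. Generates the firewall ruleset
# from one host list. Dry run by default: prints the commands it would run.
IPT="${IPT:-echo iptables}"       # set IPT=iptables to apply for real
SYSCTL="${SYSCTL:-echo sysctl}"   # set SYSCTL=sysctl to apply for real
IF_INET="${IF_INET:-eth1}"        # Internet side
IF_LAN="${IF_LAN:-eth0}"          # LAN side, routes to the 192.168.2x.0 subnets
SQUID_PORT="${SQUID_PORT:-3128}"

# Assumed host list: the four PCs from the first post. PC4 is 192.168.22.3
# there, while both posted scripts use 192.168.21.3; this list is the one
# place to settle that.
ALLOWED_HOSTS="${ALLOWED_HOSTS:-192.168.20.2 192.168.20.3 192.168.21.2 192.168.22.3}"
# Outbound TCP services per host: HTTPS, IMAPS, submission, DNS over TCP.
# Port 80 is deliberately absent: REDIRECT sends it to Squid before FORWARD.
TCP_PORTS="${TCP_PORTS:-443 993 587 53}"

base_rules() {
  $IPT -F; $IPT -X; $IPT -Z; $IPT -t nat -F
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Assumed: remote administration over SSH comes from the LAN side only.
  $IPT -A INPUT -i "$IF_LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

antispoof_rules() {
  # Nothing arriving on the Internet interface may carry a private or
  # loopback source address, whatever rp_filter is set to.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    $IPT -A INPUT   -i "$IF_INET" -s "$net" -j DROP
    $IPT -A FORWARD -i "$IF_INET" -s "$net" -j DROP
  done
}

proxy_rules() {
  # Transparent proxy: REDIRECT rewrites dport 80 to 3128 in PREROUTING, so
  # by the time the packet reaches INPUT only port 3128 needs to be open.
  $IPT -t nat -A PREROUTING -i "$IF_LAN" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
  for h in $ALLOWED_HOSTS; do
    $IPT -A INPUT -i "$IF_LAN" -s "$h" -p tcp --dport "$SQUID_PORT" -j ACCEPT
  done
}

forward_rules() {
  # Outbound only: NEW connections, LAN in, Internet out, per host and port.
  # UDP/53 is what resolvers use first; TCP/53 alone leaves DNS broken.
  for h in $ALLOWED_HOSTS; do
    for p in $TCP_PORTS; do
      $IPT -A FORWARD -i "$IF_LAN" -o "$IF_INET" -s "$h" -p tcp --dport "$p" \
        -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$IF_LAN" -o "$IF_INET" -s "$h" -p udp --dport 53 -j ACCEPT
  done
}

nat_and_log_rules() {
  # One MASQUERADE on the Internet interface covers every allowed flow.
  # The LOG rule sits just before the DROP policy, so anything that reaches
  # it was refused; watch it with: dmesg -w | grep FWD-DROP
  $IPT -t nat -A POSTROUTING -o "$IF_INET" -j MASQUERADE
  $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

build_ruleset() {
  base_rules
  antispoof_rules
  proxy_rules
  forward_rules
  nat_and_log_rules
  $SYSCTL -w net.ipv4.ip_forward=1
}

# Usage: sh fw.sh run            (prints the commands)
#        IPT=iptables SYSCTL=sysctl sh fw.sh run   (applies them, as root)
if [ "${1:-}" = "run" ]; then
  build_ruleset
fi
```

The dry run is worth keeping even after the rules are live: diffing its output against `iptables-save` is the quickest way to see whether the ruleset on the box still matches the script, and the FWD-DROP log lines answer the "how can I track the problem" question for a client that cannot reach port 993 or 587.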
 
#6  03-19-2014, 02:47 PM  rorrow (Original Poster)
Dear Ser Olmy:

I copied your script to the firewall, but I still don't have access to ports 587 and 993 from PC1, PC2, PC3 and PC4. I do have access to the internet by setting proxy settings in their web browsers.

Any idea how I can track the problem?