LinuxQuestions.org > Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1 skibler1223 (Kubuntu 8.10), 04-18-2008, 03:00 PM
My iptables setup


This is a low priority post (well, all are, as it's free support I suppose, lol).

Anyway, I have tried to configure iptables on multiple occasions and each time it seems to destroy all communication on my server. So here is the script I'm currently trying to use. My main goal is to NAT all traffic to and from 192.168.2.100 over ports 36893,3389,28960,20800,20810. However, I know that I really need to add a layer of security, so I will later add some logging also, but I'll leave that for later. Don't be shy.

EDIT: BTW my network config is something like the following ->>


Code:
  Internet => Linksys Router => Linux Server => 2 Linux/Windows Clients
                  ||
                  \/
             2 Windows Clients
Code:
#!/bin/bash
<<COMMENTBLOCK
..............................................................................
IPTABLES bootup script
..............................................................................
COMMENTBLOCK

# Variables
intIf=eth1
extIf=eth0
desktop=192.168.2.100
desktopPorts=36893,3389,28960,20800,20810

# Flush tables
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F DNAT
iptables -F SNAT

# Drop all packets by default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -P DNAT DROP
iptables -P SNAT DROP

#Allow SSH to Linux boxes
iptables -A INPUT -dport 22000 -d 192.168.1.100,192.168.2.100
iptables -A OUTPUT -sport 22000 -s 192.168.1.100,192.168.2.100

#Allow LAN DNS
iptables -A INPUT  -s 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24  --dport 53 -j ACCEPT

#Allow all LAN/WAN HTTP traffic
iptables -A INPUT -m state -p tcp --dport 80,38064 \
 ! --state INVALID -j ACCEPT
iptables -A OUTPUT -m state -p tcp --sport 80,38064 \
 --state ESTABLISHED,RELATED -j ACCEPT

#Allow all loopback traffic
iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT

#SNAT/DNAT intIf -> extIf, extIf -> intIf
iptables -t NAT -A POSTROUTING -o ${intIf} -s ${desktop} -j SNAT --to ${desktop}
iptables -t NAT -A POSTROUTING -o ${extIf} -dport ${desktopPorts} \
 -m state --state RELATED,ESTABLISHED -j DNAT --to ${desktop}

#Forwarding traffic -> desktop
iptables -A FORWARD -i ${extIf} -o ${intIf} \
 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${intIf} -o ${extIf} -j ACCEPT
Thanks greatly for any comments/advice.
Sean

Last edited by skibler1223; 04-18-2008 at 04:05 PM.
 
#2 dkm999 (Fedora), 04-20-2008, 08:21 PM
Well, here are some thoughts on this script. I am not at all sure that, if you make the recommended changes, that everything will then be wonderful, but I am sure that it will be different, and probably less broken.

1. On my servers, SSH uses TCP port 22, not 22000.

2. If your intent is to allow DNS queries out of your LAN onto the Internet, and then to permit their replies to return, you need rules in the FORWARD chain, not the INPUT and OUTPUT chains, because those chains are only considered if the destination or source (respectively) is the server itself. In addition, some DNS clients issue queries with dport=53, sport=some_high_port_number, which implies that you need to allow the replies in like this:
Code:
iptables -A FORWARD -i ${extIf} -p udp --sport 53 --dport 1024:65535 -j ACCEPT
3. There seems to be some confusion about SNAT and DNAT in your rules. SNAT is best used to make traffic that originates on your LAN machines appear to come from the server, which has the link to the outside world. Therefore, your first NAT line should probably look like this:
Code:
iptables -t nat -A POSTROUTING -o ${extIf} -s ${desktop} -j SNAT --to-source ${server}
This will take care of connections originating on your desktop machine; you do not need to include any more rules, because any reply packet will automatically be intercepted by the NAT processing when it arrives at the server.

4. To handle forwarding of the given ports to your desktop when the originator is an external source, you need to do port_forwarding, thus:
Code:
iptables -t nat -A PREROUTING -i ${extIf} -p tcp -m multiport --dports ${desktopPorts} -j DNAT --to-destination ${desktop}
This rule will forward the specified list of ports to the desktop machine; that machine must specify the server as its default route, so that the replies will pass back through the server and be remapped to appear to have come from the server, not the desktop, address.

5. Once all this works, I think you may be able to eliminate, or at least tighten up, the FORWARD rules, so that you only allow particular kinds of traffic in from the Internet. This is a security measure, to eliminate several kinds of threats that depend on sending in packets to low-numbered ports in the hope that one of the attached daemons will have a bug in it that can be exploited.

6. As a rule, I include not only port qualifiers, but also protocol qualifiers in rules that are designed to permit traffic to and from a given daemon. Mostly, that will be TCP. The main UDP user you will probably need is the rules to permit DNS traffic.

Good luck.
 
#3 skibler1223 (Original Poster), 04-20-2008, 09:54 PM
Great info and reply, I thank you. I should have time to apply this advice tomorrow so I will post by Wednesday how it goes.

Thanks again.
 
#4 skibler1223 (Original Poster), 04-23-2008, 08:24 PM
Update

Ok here is what I have now, forwarding is now working fine but as soon as I drop all packets by default and rely on the script to allow the proper packets I lose my SSH connection and any other reliance on the server as a router etc.

Code:
#!/bin/bash
<<COMMENTBLOCK
..............................................................................
IPTABLES bootup script
Using options for now to open/lock-down network until I get it working
..............................................................................
COMMENTBLOCK
case $1 in
        --secure)
#//////////////////////////
# VARS/DEFAULT POLICIES   /
#//////////////////////////

        # Variables
        intIf=eth1
        extIf=eth0
        desktop=192.168.2.100
        serverExt=192.168.1.100
        serverInt=192.168.2.1
        desktopPorts=36893,3389,28960,20800,20810

        # Flush tables
        iptables -F INPUT
        iptables -F OUTPUT
        iptables -F FORWARD

        # Drop all packets by default (still crashes network)
#       iptables -P INPUT DROP
#       iptables -P FORWARD DROP
#       iptables -P OUTPUT DROP

#/////////////
# PINHOLES   /
#/////////////

        #Allow SSH to Linux boxes (rule needs a target to do anything)
        iptables -A FORWARD -p tcp -m multiport --ports 22000,22 -j ACCEPT


        #Allow LAN DNS (narrow down to being from 192.168.0.0 later)
        iptables -A FORWARD -p udp --sport 53 -m multiport --dports 1024:65535 -j ACCEPT

        #Allow all LAN/WAN HTTP traffic
        iptables -A INPUT -p tcp -m multiport --dports 80,38064 \
         -m state ! --state INVALID -j ACCEPT
        iptables -A OUTPUT -p tcp -m multiport --sports 80,38064 \
         -m state --state ESTABLISHED,RELATED -j ACCEPT

        #Allow all loopback traffic
        iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
        iptables -A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT

#///////////////////
#  NAT/FORWARDING  /
#///////////////////

        #SNAT intIf -> extIf, DNAT extIf -> intIf
        iptables -t nat -A POSTROUTING -o ${extIf} -s ${desktop} -j SNAT --to-source ${serverExt}
        iptables -t nat -A PREROUTING -i ${extIf} -m multiport -p tcp --dports ${desktopPorts} -j DNAT --to-destination ${desktop}

        #Forwarding traffic -> desktop
        iptables -A FORWARD -i ${extIf} -o ${intIf} \
         -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A FORWARD -i ${intIf} -o ${extIf} -j ACCEPT
        ;;
        --open)

        #Let all traffic through (when things quit working)
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT
        ;;
        *)
        echo "IDIOT"
        ;;
esac
I will be looking at this some tomorrow to see if I can figure out why this is happening but I have learned quite a bit just from your advice as well as things like I need a -m multiport and -p TCP|UDP to match multiple ports etc.

BTW I run my SSH daemons on 22000 just for a tidbit of extra security. But I access another SSH server for school work sometimes, so I have that in there for now but will later change it.

Again thanks for any advice.

Sean

Last edited by skibler1223; 04-23-2008 at 08:26 PM.
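The following is an added example of where the thread is heading, not the OP's script or dkm999's code: a complete ruleset for the Linux server acting as the router, written as a POSIX sh script. It assumes the values posted above (eth0 facing the Linksys, eth1 facing the LAN, server address 192.168.1.100, desktop 192.168.2.100, LAN subnet 192.168.2.0/24, sshd on 22000, the forwarded port list), and, as dkm999 says in point 4, that the desktop's default route is the server. It also answers the SSH loss in post #4: the FORWARD chain never sees packets addressed to the router itself, so once the policy is DROP the INPUT and OUTPUT chains need their own ESTABLISHED,RELATED rules and a rule for new connections to port 22000. With state tracking in place, dkm999's explicit "replies from sport 53" rule is no longer needed, because conntrack matches the UDP reply to the outgoing query. Set `IPT=echo` (or run with `--print`) to see the rules without applying them.

```sh
#!/bin/sh
# Added example ruleset for the thread's router (not the OP's or dkm999's code).
# Assumed values, all taken from the thread: eth0 = side facing the Linksys,
# eth1 = LAN side, server 192.168.1.100, desktop 192.168.2.100, LAN 192.168.2.0/24.
# IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"

intIf=eth1
extIf=eth0
lan=192.168.2.0/24
desktop=192.168.2.100
serverExt=192.168.1.100
sshPort=22000
desktopPorts=36893,3389,28960,20800,20810

firewall_rules() {
    # Clean slate in the filter and nat tables, then default everything to DROP.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP

    # --- Traffic to and from the router itself (INPUT/OUTPUT) ---
    # Replies for connections the router accepted or initiated. Without these
    # a DROP policy silently kills the existing SSH session.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # New SSH sessions to the router on the port sshd actually listens on.
    "$IPT" -A INPUT -p tcp --dport "$sshPort" -m state --state NEW -j ACCEPT
    # Web service on the router (ports 80 and 38064 as posted).
    "$IPT" -A INPUT -p tcp -m multiport --dports 80,38064 -m state --state NEW -j ACCEPT
    # The router's own outbound DNS, web and SSH (e.g. the school server on 22).
    "$IPT" -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    "$IPT" -A OUTPUT -p tcp -m multiport --dports 22,53,80,443 -m state --state NEW -j ACCEPT

    # --- NAT ---
    # SNAT: LAN hosts leave with the router's external address (dkm999, point 3).
    "$IPT" -t nat -A POSTROUTING -o "$extIf" -s "$lan" -j SNAT --to-source "$serverExt"
    # DNAT: port-forward the listed ports to the desktop (point 4), TCP and UDP.
    for proto in tcp udp; do
        "$IPT" -t nat -A PREROUTING -i "$extIf" -p "$proto" -m multiport --dports "$desktopPorts" \
            -j DNAT --to-destination "$desktop"
    done

    # --- FORWARD: only explicitly allowed traffic (point 5) ---
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state INVALID -j DROP
    # LAN -> Internet: anything the LAN initiates; replies return via the state rule,
    # which also covers DNS answers, so no separate sport-53 rule is needed.
    "$IPT" -A FORWARD -i "$intIf" -o "$extIf" -s "$lan" -j ACCEPT
    # Internet -> desktop: only the forwarded ports (DNAT has already rewritten
    # the destination by the time FORWARD sees the packet), with protocol qualifiers (point 6).
    for proto in tcp udp; do
        "$IPT" -A FORWARD -i "$extIf" -o "$intIf" -p "$proto" -d "$desktop" \
            -m multiport --dports "$desktopPorts" -m state --state NEW -j ACCEPT
    done
    # Anything else arriving from outside is logged (rate limited), then dropped by policy.
    "$IPT" -A FORWARD -i "$extIf" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

open_firewall() {
    # Fallback when things quit working: flush and accept everything.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
}

case "${1:-}" in
    --secure) echo 1 > /proc/sys/net/ipv4/ip_forward; firewall_rules ;;
    --open)   open_firewall ;;
    --print)  IPT=echo firewall_rules ;;
esac
```

Usage: `sh fw.sh --print` to review the generated rules, `sh fw.sh --secure` (as root) to apply them, `sh fw.sh --open` to fall back. The ordering matters: the ESTABLISHED,RELATED rules sit first in every chain so that they are hit by the bulk of packets, and the DROP policies are set before any rule is added so there is no window in which the chains are empty and accepting.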
 
  

