LinuxQuestions.org
Old 04-13-2014, 01:52 AM   #1
enyawix
Member
 
Registered: Sep 2003
Location: ky
Distribution: gentoo
Posts: 409

Rep: Reputation: 32
Please check my work. I miss something (iptables)


PATH=/usr/sbin:/sbin:/bin:/usr/bin
# Setting interface variables
WAN="eth0"
LAN="eth1"

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Layer 4 state checking
iptables -N state-checking
iptables -A state-checking -m state --state INVALID -j DROP
iptables -A state-checking -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A state-checking -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A state-checking -p udp -m udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A state-checking -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

#
# Some ip range checking
#
iptables -N local-only
iptables -A local-only -i lo -j ACCEPT
iptables -A local-only -i $LAN -s 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $LAN -d 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $WAN -s 0.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 127.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 10.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 169.254.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 172.16.0.0/12 -j DROP
iptables -A local-only -i $WAN -s 192.0.2.0/24 -j DROP
iptables -A local-only -i $WAN -s 192.168.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 224.0.0.0/3 -j DROP
#
# Network Address Translation
#

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o $LAN -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i $WAN -o $LAN -j DROP

iptables -P INPUT DROP
iptables -A INPUT -j state-checking
iptables -A INPUT -j local-only

iptables -P FORWARD DROP
iptables -A FORWARD -j state-checking
iptables -A FORWARD -j local-only
iptables -A FORWARD -i $LAN -j ACCEPT

# Bringing up interfaces
dhclient $WAN
ifconfig $LAN 192.168.0.254/24

# Setting up DNS
echo "nameserver 208.67.222.222" > /etc/resolv.conf
echo "nameserver 208.67.220.220" >> /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf
 
Old 04-13-2014, 02:07 AM   #2
enyawix
Member
 
Registered: Sep 2003
Location: ky
Distribution: gentoo
Posts: 409

Original Poster
Rep: Reputation: 32
Thinking

# Masquerade.
iptables -t nat -A POSTROUTING -o $LAN -j MASQUERADE

should become

# Masquerade.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
 
Old 04-13-2014, 02:25 AM   #3
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
You're right about the MASQUERADE rule; it needs to match traffic exiting the WAN interface.

Please use [code][/code] tags around code, scripts, logs etc. as it greatly improves readability.

Quote:
Originally Posted by enyawix
iptables -N state-checking
iptables -A state-checking -m state --state INVALID -j DROP
iptables -A state-checking -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A state-checking -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
Check state or flags, not both. The last rule is pointless, as you're matching "packets without the SYN flag set and the FIN/RST/ACK flags set, matching the state NEW". No packet can possibly match those criteria.

Quote:
Originally Posted by enyawix
iptables -A state-checking -p udp -m udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A state-checking -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
Unless you deliberately want to exclude non-TCP/UDP sessions (like responses to ICMP pings), you might as well delete the "-p udp -m udp" part from the first of these two rules, and omit the second rule.

Quote:
Originally Posted by enyawix
#
# Some ip range checking
#
iptables -N local-only
iptables -A local-only -i lo -j ACCEPT
iptables -A local-only -i $LAN -s 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $LAN -d 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $WAN -s 0.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 127.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 10.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 169.254.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 172.16.0.0/12 -j DROP
iptables -A local-only -i $WAN -s 192.0.2.0/24 -j DROP
iptables -A local-only -i $WAN -s 192.168.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 224.0.0.0/3 -j DROP
Some of these rules are not required. Invalid addresses like 0.0.0.0/0 and 127.0.0.0/8 ("martians") are dropped by the IP stack. Not sure why you're blocking all multicast addresses; should that perhaps be 224.0.0.0/8 (link-local multicast)?

Also, the "-i lo -j ACCEPT" rule really, really, REALLY needs to be at the top of the INPUT chain, and not in a user-defined chain called further down the line.

Quote:
Originally Posted by enyawix
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
OK, you just allowed all traffic from the LAN to the Internet...

Quote:
Originally Posted by enyawix
# Don't forward from the outside to the inside.
iptables -A FORWARD -i $WAN -o $LAN -j DROP
...and then you summarily block everything going in the opposite direction, including reply packets. The result will be that nothing will work.

Quote:
Originally Posted by enyawix
iptables -P INPUT DROP
iptables -A INPUT -j state-checking
iptables -A INPUT -j local-only
This looks OK (but as I mentioned, the loopback rule should be the first rule in the INPUT chain).

Quote:
Originally Posted by enyawix
iptables -P FORWARD DROP
iptables -A FORWARD -j state-checking
iptables -A FORWARD -j local-only
iptables -A FORWARD -i $LAN -j ACCEPT
No packets will ever reach this part of the FORWARD chain, as they will either have been allowed by the blanket ACCEPT rule for LAN-to-WAN traffic, or blocked by the DROP rule covering all WAN-to-LAN traffic.
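Pulling the review in post #3 together, the following is an added example (not the poster's script and not Ser Olmy's code) of the rule set reordered along those lines: the loopback ACCEPT is the first rule in INPUT, one RELATED,ESTABLISHED rule per chain covers every protocol including ICMP replies, there is no blanket WAN-to-LAN DROP ahead of the state rule, so only NEW connections from the WAN are refused by the DROP policy, and MASQUERADE is applied on the WAN side as the poster corrected in post #2. The interface names and the 192.168.0.0/24 LAN come from the original post; the IPT variable, defaulting to "echo iptables", is an assumption added here so the rule set can be printed and checked without root (run with IPT=iptables to apply it).

```shell
#!/bin/sh
# Added example: the thread's firewall script reorganised per the review.
# WAN, LAN and LAN_NET are taken from the original post; IPT is an added
# assumption: "echo iptables" prints the rules, IPT=iptables applies them.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
IPT="${IPT:-echo iptables}"

build_rules() {
    # Start from a clean slate with a default-deny stance for INPUT/FORWARD.
    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback must be the very first INPUT rule (review point).
    $IPT -A INPUT -i lo -j ACCEPT
    # One state rule, no -p tcp/-p udp restriction, so ICMP replies and
    # related error packets are accepted too. INVALID is dropped afterwards
    # rather than flag-matched, relying on conntrack rather than TCP flags.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # New connections to the router itself are accepted only from the LAN
    # side with a LAN source address; everything else hits the DROP policy.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # FORWARD: replies first, then new LAN-to-WAN sessions. There is no
    # separate WAN-to-LAN DROP rule: unsolicited inbound packets are NEW,
    # match nothing here, and fall through to the DROP policy.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # NAT for traffic leaving the WAN interface (post #2's correction).
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

enable_forwarding() {
    # Only touch the kernel when the rules are really being applied.
    if [ "$IPT" = "iptables" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Print (or, with IPT=iptables, apply) the rule set.
build_rules
enable_forwarding
```

Reading the printed output top to bottom is a cheap sanity check before applying anything: the first -A INPUT line should be the loopback rule, each chain's RELATED,ESTABLISHED rule should precede any per-interface ACCEPT, and the only MASQUERADE rule should name the WAN interface.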
 