LinuxQuestions.org
Old 11-14-2005, 01:36 PM   #1
nik.martin
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Rep: Reputation: 0
possible iptables/ifconfig bug


I have set up an iptables router on a Linux box running a 2.6.13 kernel, and everything is running fine. I'm moving over from a PIX 501 that was getting loaded down a little too heavily. I say that to state that all the configuration I'm talking about worked fine BEFORE moving to Linux, so my ISP is in the clear on this issue:

I have a /29 block of addresses assigned by my ISP. Let's call these 1.2.3.168/29

so I have usable addresses from 1.2.3.170-174, with .169 my upstream router (next hop address), and .175 the broadcast address. I have 3 NICs in the machine, set up like this:


eth0 1.2.3.170 mask 255.255.255.248
eth0:0 1.2.3.171 mask 255.255.255.248
eth0:1 1.2.3.172 mask 255.255.255.248
eth0:2 1.2.3.173 mask 255.255.255.248
eth0:3 1.2.3.174 mask 255.255.255.248

# my dmz
eth1 10.10.31.254 mask 255.255.255.0

#local network
eth2 172.31.30.254

I have a clean iptables configuration, with 1:1 NATs between all my eth0:x addresses and machines in my DMZ.

Traffic moves in and out of the DMZ OK, except for the machine NATed to eth0:3. This bugged me for a whole day, until I started trying to figure out what makes this machine different from the others. The ONLY difference that I know of is that his outside, public address is the last usable address in my IP block. This address works fine, as tcpdump on eth0 shows traffic bound for him, but tcpdump on eth1 doesn't show any traffic to him, although it does show traffic to the other machines in the DMZ.

As an experiment, I reconfigured my iptables script to NAT traffic to eth0:0, address 1.2.3.171 - IT WORKS GREAT! No problems. Moving it back to 1.2.3.174 causes all traffic to cease.

In my iptables firewall script, I use calls to ipcalc, ifconfig, grep and awk to build up the different pieces of information needed to build NAT tables and my various filters, and they all work well, because every other interface routes traffic fine. Just the last address in my subnet is hosed.

I don't think it's an iptables issue, because I placed several log statements that log ALL traffic, and it never shows any traffic bound for the DMZ machine in question from the WAN eth0:3 virtual interface.

Any other suggestions to try to debug the problem?

Regards,

nik martin
 
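As an added example (not code from the original post), a small Python check of the addressing described above: it confirms which addresses of 1.2.3.168/29 are assignable hosts, verifies a WAN-to-DMZ map against the block (network, broadcast, upstream router .169 and the firewall's own .170 are all rejected), and emits the DNAT/SNAT pair per host in the same shape the posted script writes by hand. The block, gateway and DMZ addresses are the thread's placeholders; the rule strings are returned, not executed.

```python
"""Validate a 1:1 (static) NAT plan for a small public block and emit the
DNAT/SNAT rule pairs.

Added example; not code from the original post. Addresses are the thread's
placeholders (1.2.3.168/29, upstream router .169, firewall .170) and the
WINSHACK host named in the posted script.
"""
import ipaddress


def usable_hosts(block):
    """All assignable host addresses of the block, as strings."""
    return [str(h) for h in ipaddress.ip_network(block).hosts()]


def check_plan(block, gateway, fw_ip, nat_map, dmz_net):
    """Return a list of problems with a list of (wan, inside) pairs (empty = OK)."""
    net = ipaddress.ip_network(block)
    dmz = ipaddress.ip_network(dmz_net)
    gw = ipaddress.ip_address(gateway)
    fw = ipaddress.ip_address(fw_ip)
    hosts = set(net.hosts())
    problems = []
    for who, addr in (("gateway", gw), ("firewall", fw)):
        if addr not in hosts:
            problems.append(f"{who} {addr} is not a usable host in {net}")
    seen = {}
    for wan, inside in nat_map:
        w = ipaddress.ip_address(wan)
        i = ipaddress.ip_address(inside)
        if w == net.network_address:
            problems.append(f"{w} is the network address of {net}")
        elif w == net.broadcast_address:
            problems.append(f"{w} is the broadcast address of {net}")
        elif w not in net:
            problems.append(f"{w} is outside {net}")
        if w == gw:
            problems.append(f"{w} is the upstream router, cannot be NATed")
        if w == fw:
            problems.append(f"{w} is the firewall's own address, cannot be NATed 1:1")
        if i not in dmz:
            problems.append(f"{i} is not inside the DMZ net {dmz}")
        if w in seen:
            problems.append(f"{w} mapped to both {seen[w]} and {i}")
        seen[w] = i
    return problems


def nat_rules(wan_dev, nat_map):
    """DNAT/SNAT pair per host, in the same shape as the posted script."""
    rules = []
    for wan, inside in nat_map:
        rules.append(f"iptables -t nat -A PREROUTING -i {wan_dev} -d {wan} -j DNAT --to-destination {inside}")
        rules.append(f"iptables -t nat -A POSTROUTING -o {wan_dev} -s {inside} -j SNAT --to-source {wan}")
    return rules


# Constructed from the thread: the /29, its router, the firewall and the DMZ net.
BLOCK, GATEWAY, FW_IP, DMZ_NET = "1.2.3.168/29", "1.2.3.169", "1.2.3.170", "10.10.31.0/24"
# The one full 1:1 mapping in the posted script (WINSHACK_WAN -> WINSHACK_DMZ).
PLAN = [("1.2.3.174", "10.10.31.103")]
# A deliberately broken plan: broadcast address, the router, a host outside
# the DMZ, and the same public address used twice.
BAD_PLAN = [("1.2.3.175", "10.10.31.103"), ("1.2.3.169", "10.10.31.101"),
            ("1.2.3.172", "192.168.1.5"), ("1.2.3.172", "10.10.31.102")]

if __name__ == "__main__":
    print("usable hosts:", ", ".join(usable_hosts(BLOCK)))
    print("plan problems:", check_plan(BLOCK, GATEWAY, FW_IP, PLAN, DMZ_NET))
    print("bad plan problems:")
    for p in check_plan(BLOCK, GATEWAY, FW_IP, BAD_PLAN, DMZ_NET):
        print("  -", p)
    print("\n".join(nat_rules("eth0", PLAN)))
```

For the block in the thread this reports no problems: .174 is the last host of the /29 but a perfectly ordinary one, so the addressing itself is not what makes eth0:3 different. That leaves the ruleset and the live counters (for example `iptables -t nat -L PREROUTING -v -n`, which shows whether the DNAT rule for .174 ever matches) as the places to look.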
Old 11-14-2005, 03:55 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
I have no idea why using 171 would work and then changing to 174 would not. You are right on your subnetting. 168 and 175 are not usable. 169-174 are assignable.

Need more info:
Post your iptables script.
Post route table.

Brian1
 
Old 11-14-2005, 03:59 PM   #3
nik.martin
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Original Poster
Rep: Reputation: 0
Route table:

root@perimeter:~# ip route
1.2.3.168/29 dev eth0 proto kernel scope link src 1.2.3.170
10.10.31.0/24 dev eth2 proto kernel scope link src 10.10.31.254
172.31.30.0/23 dev eth1 proto kernel scope link src 172.31.30.254
default via 69.85.201.169 dev eth0


IPTables script: (part 1)

#!/bin/bash


DEBUG=TRUE

AWK='/usr/bin/awk'
GREP='/bin/grep'
IFCONFIG='/sbin/ifconfig'
IPCALC='/usr/bin/ipcalc'
IPTABLES='/sbin/iptables'

function get_ip {
$IFCONFIG $1 | $GREP 'inet addr' | $AWK '{ print $2 }' | $AWK -F':' '{ print $2 }'
}

function get_mask {
$IFCONFIG $1 | $GREP 'inet addr' | $AWK '{ print $4 }' | $AWK -F':' '{ print $2 }'
}

function get_net {
$IPCALC $1 $2 | $GREP ^Network | $AWK '{ print $2 }'
}

WAN_DEV=eth0
WAN_IP=`get_ip $WAN_DEV`
WAN_MASK=`get_mask $WAN_DEV`
WAN_NET=`get_net $WAN_IP $WAN_MASK`

LOCAL_DEV=eth1
LOCAL_IP=`get_ip $LOCAL_DEV`
LOCAL_MASK=`get_mask $LOCAL_DEV`
LOCAL_NET=`get_net $LOCAL_IP $LOCAL_MASK`

DMZ_DEV=eth2
DMZ_IP=`get_ip $DMZ_DEV`
DMZ_MASK=`get_mask $DMZ_DEV`
DMZ_NET=`get_net $DMZ_IP $DMZ_MASK`

LOOP_DEV=lo
LOOP_IP='127.0.0.1'

WWW_WAN='1.2.3.173'

PBX_SERVER_WAN='1.2.3.172'
PBX_SERVER_DMZ='10.10.31.100'
PBX_SERVER_LOCAL='172.31.30.3'
# the problem child
WINSHACK_DMZ='10.10.31.103'
WINSHACK_WAN='1.2.3.174'
JWATH_DMZ='10.10.31.101'
P2SUMS_DMZ='10.10.31.102'

PPORTS='0:1023'
UPORTS='1024:65535'

function show_args {
echo "WAN_DEV = $WAN_DEV";
echo "WAN_IP = $WAN_IP";
echo "WAN_MASK = $WAN_MASK";
echo "WAN_NET = $WAN_NET";

echo "LOCAL_DEV = $LOCAL_DEV";
echo "LOCAL_IP = $LOCAL_IP";
echo "LOCAL_MASK = $LOCAL_MASK";
echo "LOCAL_NET = $LOCAL_NET";

echo "DMZ_DEV = $DMZ_DEV";
echo "DMZ_IP = $DMZ_IP";
echo "DMZ_MASK = $DMZ_MASK";
echo "DMZ_NET = $DMZ_NET";
}

#show_args

function FW2WAN {
[ -z $DEBUG ] || echo "Building chain FW2WAN"
$IPTABLES -t filter -N FW2WAN

# allow normal responses
$IPTABLES -A FW2WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow outgoing DNS
$IPTABLES -A FW2WAN -p udp --sport $UPORTS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing ssh
$IPTABLES -A FW2WAN -p tcp --sport $UPORTS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing http/https
$IPTABLES -A FW2WAN -p tcp --sport $UPORTS --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FW2WAN -p tcp --sport $UPORTS --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing ntp
$IPTABLES -A FW2WAN -p udp --sport $UPORTS --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FW2WAN -p udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing ftp
$IPTABLES -A FW2WAN -p tcp --sport $UPORTS --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FW2WAN -p tcp --sport $UPORTS --dport 20 -m state --state ESTABLISHED -j ACCEPT

# allow outgoing smtp
$IPTABLES -A FW2WAN -p tcp --sport $UPORTS --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing ping
$IPTABLES -A FW2WAN -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT

# log and drop remaining packets
$IPTABLES -A FW2WAN -j LOG --log-prefix "FW2WAN: " -m limit --limit 10/minute
$IPTABLES -A FW2WAN -j DROP
}

function WAN2FW {
[ -z $DEBUG ] || echo "Building chain WAN2FW"
$IPTABLES -N WAN2FW

# allow normal responses
$IPTABLES -A WAN2FW -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow incoming ssh
$IPTABLES -A WAN2FW -p tcp --sport $UPORTS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow incoming http/https
$IPTABLES -A WAN2FW -p tcp --sport $UPORTS --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A WAN2FW -p tcp --sport $UPORTS --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# log and drop remaining packets
$IPTABLES -A WAN2FW -j LOG --log-prefix "WAN2FW: " -m limit --limit 10/minute
$IPTABLES -A WAN2FW -j DROP
}

function LOCAL2WAN {
[ -z $DEBUG ] || echo "Building chain LOCAL2WAN"
$IPTABLES -N LOCAL2WAN

# ICMP source quench
$IPTABLES -A LOCAL2WAN -p icmp --icmp-type source-quench -j ACCEPT -m limit --limit 20/minute

# ICMP parameter problem
$IPTABLES -A LOCAL2WAN -p icmp --icmp-type parameter-problem -j ACCEPT -m limit --limit 20/minute

# ICMP destination unreachable
$IPTABLES -A LOCAL2WAN -p icmp --icmp-type destination-unreachable -j DROP
$IPTABLES -A LOCAL2WAN -p icmp --icmp-type fragmentation-needed -j ACCEPT -m limit --limit 20/minute

# allow normal responses
$IPTABLES -A LOCAL2WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow outgoing http/https
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

#time sheets
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 7001 -m state --state NEW,ESTABLISHED -j ACCEPT


# allow outgoing VOIP
$IPTABLES -A LOCAL2WAN -p udp --sport 4569 --dport 4569 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A LOCAL2WAN -p udp --sport 5060 --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 7070 -m state --state NEW,ESTABLISHED -j ACCEPT
# Nasty hack for Gizmo project
$IPTABLES -A LOCAL2WAN -p udp --sport $UPORTS --dport $UPORTS -j ACCEPT

#marks cisco phone
$IPTABLES -A LOCAL2WAN -p udp --sport $UPORTS --dport 69 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 2000 -m state --state NEW,ESTABLISHED -j ACCEPT


# FTP client
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 20 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport $UPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT

# Internet relay chat
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT

# ICQ/AOL instant messenger
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 5190 -m state --state NEW,ESTABLISHED -j ACCEPT

# Yahoo! instant messenger
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 5050 -m state --state NEW,ESTABLISHED -j ACCEPT

# Google instant messenger (jabber)
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 5222 -m state --state NEW,ESTABLISHED -j ACCEPT

# MSN instant messenger
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 1863 -m state --state NEW,ESTABLISHED -j ACCEPT

# POP3 email clients
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS -m multiport --dports 110,995 -m state --state NEW,ESTABLISHED -j ACCEPT

# IMAP email clients
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS -m multiport --dports 143,220,993 -m state --state NEW,ESTABLISHED -j ACCEPT

# SMPT client
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# NNTP news clients
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 119 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing ntp
$IPTABLES -A LOCAL2WAN -p udp --sport $UPORTS --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A LOCAL2WAN -p udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT

#Windows Media Streaming
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 1755 -m state --state NEW,ESTABLISHED -j ACCEPT

#shoutcast type streaming of death metal
$IPTABLES -A LOCAL2WAN -p tcp --sport $UPORTS --dport 8016 -m state --state NEW,ESTABLISHED -j ACCEPT

# ICMP echo request
$IPTABLES -A LOCAL2WAN -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT

# log and reject remaining packets
$IPTABLES -A LOCAL2WAN -j LOG --log-prefix "LOCAL2WAN: " -m limit --limit 40/minute
$IPTABLES -A LOCAL2WAN -j REJECT
}

function WAN2LOCAL {
[ -z $DEBUG ] || echo "Building chain WAN2LOCAL"
$IPTABLES -t filter -N WAN2LOCAL

# ICMP source quench
$IPTABLES -A WAN2LOCAL -p icmp --icmp-type source-quench -j ACCEPT -m limit --limit 20/minute

# ICMP parameter problem
$IPTABLES -A WAN2LOCAL -p icmp --icmp-type parameter-problem -j ACCEPT -m limit --limit 20/minute

# ICMP destination unreachable
$IPTABLES -A WAN2LOCAL -p icmp --icmp-type destination-unreachable -j ACCEPT -m limit --limit 40/minute
$IPTABLES -A WAN2LOCAL -p icmp --icmp-type fragmentation-needed -j ACCEPT -m limit --limit 20/minute

# ICMP time exceeded
$IPTABLES -A WAN2LOCAL -p icmp --icmp-type time-exceeded -j ACCEPT -m limit --limit 20/minute

# Normal responses
$IPTABLES -A WAN2LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow incoming PBX traffic
$IPTABLES -A WAN2LOCAL -p udp --sport $UPORTS -d $PBX_SERVER_LOCAL -m multiport --dports 5036,4569,64064,5004 -m state --state NEW,ESTABLISHED -j ACCEPT

# Auth server (ident); -p tcp is required, since --sport/--dport and --reject-with tcp-reset are TCP-only options
$IPTABLES -A WAN2LOCAL -p tcp --sport $UPORTS --dport 113 -j REJECT --reject-with tcp-reset -m limit --limit 20/minute --limit-burst 6

# Logging
$IPTABLES -A WAN2LOCAL -j LOG --log-prefix "WAN2LOCAL: " -m limit --limit 1/minute --limit-burst 4

# Drop remaining packets
$IPTABLES -A WAN2LOCAL -j DROP
}

function DMZ2WAN {
[ -z $DEBUG ] || echo "Building chain DMZ2WAN"
$IPTABLES -t filter -N DMZ2WAN

# ICMP source quench
$IPTABLES -A DMZ2WAN -p icmp --icmp-type source-quench -j ACCEPT -m limit --limit 20/minute

# ICMP parameter problem
$IPTABLES -A DMZ2WAN -p icmp --icmp-type parameter-problem -j ACCEPT -m limit --limit 20/minute

# ICMP destination unreachable
$IPTABLES -A DMZ2WAN -p icmp --icmp-type destination-unreachable -j DROP
$IPTABLES -A DMZ2WAN -p icmp --icmp-type fragmentation-needed -j ACCEPT -m limit --limit 20/minute

# allow normal responses
$IPTABLES -A DMZ2WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow outgoing dns
$IPTABLES -A DMZ2WAN -p udp --sport $UPORTS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing ssh
$IPTABLES -A DMZ2WAN -p tcp --sport $UPORTS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing http/https
$IPTABLES -A DMZ2WAN -p tcp --sport $UPORTS --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A DMZ2WAN -p tcp --sport $UPORTS --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing ftp
$IPTABLES -A DMZ2WAN -p tcp --sport $UPORTS --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A DMZ2WAN -p tcp --sport $UPORTS --dport 20 -m state --state ESTABLISHED -j ACCEPT
# allow outgoing smtp
$IPTABLES -A DMZ2WAN -p tcp --sport $UPORTS --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

#allow outgoing NTP
$IPTABLES -A DMZ2WAN -p udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A DMZ2WAN -p udp --sport $UPORTS --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A DMZ2WAN -p tcp --sport $UPORTS --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT

# log and drop remaining packets
$IPTABLES -A DMZ2WAN -j LOG --log-prefix "DMZ2WAN: " -m limit --limit 10/minute
$IPTABLES -A DMZ2WAN -j DROP
}

function WAN2DMZ {
[ -z $DEBUG ] || echo "Building chain WAN2DMZ"
$IPTABLES -t filter -N WAN2DMZ

# allow normal responses
$IPTABLES -A WAN2DMZ -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow incoming PBX
$IPTABLES -A WAN2DMZ -p udp --sport $UPORTS -d $PBX_SERVER_DMZ -m multiport --dports 5036,4569,64064,5004 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow incoming services to WINSHACK
$IPTABLES -A WAN2DMZ -p tcp --sport $UPORTS -d $WINSHACK_DMZ --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# $IPTABLES -A WAN2DMZ -p tcp --sport $UPORTS -d $WINSHACK_DMZ -m multiport --dports 20,21,25,53,80,110,3389,6667 -m state --state NEW,ESTABLISHED -j ACCEPT
# $IPTABLES -A WAN2DMZ -p udp --sport $UPORTS -d $WINSHACK_DMZ -m multiport --dports 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow incoming ssh to JWATH_DMZ
$IPTABLES -A WAN2DMZ -p tcp --sport $UPORTS -d $JWATH_DMZ --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow incoming ssh to P2SUMS_DMZ
$IPTABLES -A WAN2DMZ -p tcp --sport $UPORTS -d $P2SUMS_DMZ --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# log and drop remaining packets
$IPTABLES -A WAN2DMZ -j LOG --log-prefix "WAN2DMZ: " -m limit --limit 20/minute
$IPTABLES -A WAN2DMZ -j DROP
}

function FW2DMZ {
[ -z $DEBUG ] || echo "Building chain FW2DMZ"
$IPTABLES -t filter -N FW2DMZ

# allow normal responses
$IPTABLES -A FW2DMZ -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow outgoing http
$IPTABLES -A FW2DMZ -p tcp --sport $UPORTS --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing ssh
$IPTABLES -A FW2DMZ -p tcp --sport $UPORTS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT


# ICMP echo request
$IPTABLES -A FW2DMZ -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT


# log and reject remaining packets
$IPTABLES -A FW2DMZ -j LOG --log-prefix "FW2DMZ: " -m limit --limit 10/minute
$IPTABLES -A FW2DMZ -j REJECT
}

function DMZ2FW {
[ -z $DEBUG ] || echo "Building chain DMZ2FW"
$IPTABLES -t filter -N DMZ2FW

# allow normal responses
$IPTABLES -A DMZ2FW -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow outgoing DNS
$IPTABLES -A DMZ2FW -p udp --sport $UPORTS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# log and drop remaining packets (these belong to DMZ2FW, not FW2DMZ; appending them to
# FW2DMZ left DMZ2FW without a terminal rule and put a dead LOG/DROP after FW2DMZ's REJECT)
$IPTABLES -A DMZ2FW -j LOG --log-prefix "DMZ2FW: " -m limit --limit 10/minute
$IPTABLES -A DMZ2FW -j DROP
}

function FW2LOCAL {
[ -z $DEBUG ] || echo "Building chain FW2LOCAL"
$IPTABLES -t filter -N FW2LOCAL

# ICMP source quench
$IPTABLES -A FW2LOCAL -p icmp --icmp-type source-quench -j ACCEPT -m limit --limit 20/minute

# ICMP parameter problem
$IPTABLES -A FW2LOCAL -p icmp --icmp-type parameter-problem -j ACCEPT -m limit --limit 20/minute

# ICMP destination unreachable
$IPTABLES -A FW2LOCAL -p icmp --icmp-type destination-unreachable -j ACCEPT -m limit --limit 40/minute
$IPTABLES -A FW2LOCAL -p icmp --icmp-type fragmentation-needed -j ACCEPT -m limit --limit 20/minute

# ICMP time exceeded
$IPTABLES -A FW2LOCAL -p icmp --icmp-type time-exceeded -j ACCEPT -m limit --limit 20/minute

# allow normal responses (ESTABLISHED,RELATED only; accepting NEW here would match every
# new connection and leave the rules below, including the final LOG/REJECT, unreachable)
$IPTABLES -A FW2LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow outgoing ssh
$IPTABLES -A FW2LOCAL -p tcp --sport $UPORTS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# ICMP echo request
$IPTABLES -A FW2LOCAL -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT

# log and reject remaining packets
$IPTABLES -A FW2LOCAL -j LOG --log-prefix "FW2LOCAL: " -m limit --limit 10/minute
$IPTABLES -A FW2LOCAL -j REJECT
}

function LOCAL2FW {
[ -z $DEBUG ] || echo "Building chain LOCAL2FW"
$IPTABLES -t filter -N LOCAL2FW

# allow normal responses (ESTABLISHED,RELATED only; accepting NEW here would match every
# new connection and leave the rules below, including the final LOG/REJECT, unreachable)
$IPTABLES -A LOCAL2FW -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow outgoing DNS
$IPTABLES -A LOCAL2FW -p udp --sport $UPORTS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing SMTP
$IPTABLES -A LOCAL2FW -p tcp --sport $UPORTS --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing http
$IPTABLES -A LOCAL2FW -p tcp --sport $UPORTS --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing ssh
$IPTABLES -A LOCAL2FW -p tcp --sport $UPORTS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# ICMP echo request
$IPTABLES -A LOCAL2FW -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT

# log and reject remaining packets
$IPTABLES -A LOCAL2FW -j LOG --log-prefix "LOCAL2FW: " -m limit --limit 10/minute
$IPTABLES -A LOCAL2FW -j REJECT
}

function LOCAL2DMZ {
[ -z $DEBUG ] || echo "Building chain LOCAL2DMZ"
$IPTABLES -t filter -N LOCAL2DMZ

# allow normal responses (ESTABLISHED,RELATED only; accepting NEW here would match every
# new connection and leave the rules below, including the final LOG/REJECT, unreachable)
$IPTABLES -A LOCAL2DMZ -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow outgoing http
$IPTABLES -A LOCAL2DMZ -p tcp --sport $UPORTS --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing ssh
$IPTABLES -A LOCAL2DMZ -p tcp --sport $UPORTS --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing smtp
$IPTABLES -A LOCAL2DMZ -p tcp --sport $UPORTS --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing pop3
$IPTABLES -A LOCAL2DMZ -p tcp --sport $UPORTS --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

# allow outgoing remote desktop
$IPTABLES -A LOCAL2DMZ -p tcp --sport $UPORTS --dport 3389 -m state --state NEW,ESTABLISHED -j ACCEPT

# log and reject remaining packets
$IPTABLES -A LOCAL2DMZ -j LOG --log-prefix "LOCAL2DMZ: " -m limit --limit 10/minute
$IPTABLES -A LOCAL2DMZ -j REJECT
}

function DMZ2LOCAL {
[ -z $DEBUG ] || echo "Building chain DMZ2LOCAL"
$IPTABLES -t filter -N DMZ2LOCAL

# allow normal responses (ESTABLISHED,RELATED only; accepting NEW here would let any DMZ
# host open connections into the local net and make the LOG/DROP below unreachable)
$IPTABLES -A DMZ2LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT

# log and drop remaining packets
$IPTABLES -A DMZ2LOCAL -j LOG --log-prefix "DMZ2LOCAL: " -m limit --limit 10/minute
$IPTABLES -A DMZ2LOCAL -j DROP
}

function DHCP {
[ -z $DEBUG ] || echo "Building chain DHCP"
$IPTABLES -t filter -N DHCP

# Drop DHCP requests coming from the internet
$IPTABLES -A DHCP -i $WAN_DEV -j DROP

# Allow limited DHCP traffic from local clients
$IPTABLES -A DHCP -i $LOCAL_DEV -j ACCEPT -m limit --limit 40/minute
$IPTABLES -A DHCP -i $DMZ_DEV -j ACCEPT -m limit --limit 20/minute

# Reject DHCP responses to the internet
$IPTABLES -A DHCP -o $WAN_DEV -j REJECT

# Allow DHCP responses to the local interfaces
$IPTABLES -A DHCP -o $LOCAL_DEV -j ACCEPT -m limit --limit 40/minute
$IPTABLES -A DHCP -o $DMZ_DEV -j ACCEPT -m limit --limit 20/minute

# Logging
$IPTABLES -A DHCP -j LOG --log-prefix "DHCP: " -m limit --limit 20/hour
}

function SetPolicies {
case $1 in
ACCEPT|DROP|REJECT)
POLICY=$1
;;
*)
echo "Invalid policy '$1', using 'DROP' instead"
POLICY="DROP"
;;
esac

[ -z $DEBUG ] || echo "Setting default policies to '$POLICY'"

$IPTABLES -P INPUT $POLICY
$IPTABLES -P OUTPUT $POLICY
$IPTABLES -P FORWARD $POLICY
}
 
Old 11-14-2005, 04:00 PM   #4
nik.martin
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Original Poster
Rep: Reputation: 0
iptables script (part II):


function Start {
[ -z $DEBUG ] || echo "Starting firewall"

show_args
SetPolicies ACCEPT

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# build rulesets
FW2WAN
WAN2FW
LOCAL2WAN
WAN2LOCAL
DMZ2WAN
WAN2DMZ
FW2DMZ
DMZ2FW
FW2LOCAL
LOCAL2FW
LOCAL2DMZ
DMZ2LOCAL
DHCP

[ -z $DEBUG ] || echo "Setting kernel parameters"

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
# echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

[ -z $DEBUG ] || echo "Building global chains"

# allow traffic on loopback interface
$IPTABLES -t filter -A INPUT -i $LOOP_DEV -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $LOOP_DEV -j ACCEPT

# Drop all MS Windows networking noise
$IPTABLES -t filter -A INPUT -p udp --sport 137:139 -j DROP
$IPTABLES -t filter -A FORWARD -p udp --sport 137:139 -j DROP
$IPTABLES -t filter -A INPUT -p udp --dport 137:139 -j DROP
$IPTABLES -t filter -A FORWARD -p udp --dport 137:139 -j DROP

# Drop all SNMP noise
$IPTABLES -t filter -A INPUT -p udp --dport 161 -j DROP
$IPTABLES -t filter -A FORWARD -p udp --dport 161 -j DROP

# Drop port 445 worm scans
$IPTABLES -t filter -A INPUT -p tcp --dport 445 -j DROP
$IPTABLES -t filter -A FORWARD -p tcp --dport 445 -j DROP


# Route DHCP traffic to the DHCP chain
$IPTABLES -t filter -A INPUT -p udp --sport 68 --dport 67 -j DHCP
$IPTABLES -t filter -A OUTPUT -p udp --sport 67 --dport 68 -j DHCP

# Disable fragmented ICMP messages
$IPTABLES -t filter -A INPUT --fragment -p icmp -j LOG --log-prefix "Fragmented INPUT: " -m limit --limit 20/hour
$IPTABLES -t filter -A INPUT --fragment -p icmp -j DROP
$IPTABLES -t filter -A OUTPUT --fragment -p icmp -j LOG --log-prefix "Fragmented OUTPUT: " -m limit --limit 20/hour
$IPTABLES -t filter -A OUTPUT --fragment -p icmp -j DROP
$IPTABLES -t filter -A FORWARD --fragment -p icmp -j LOG --log-prefix "Fragmented FORWARD: " -m limit --limit 20/hour
$IPTABLES -t filter -A FORWARD --fragment -p icmp -j DROP

[ -z $DEBUG ] || echo "Routing traffic to local chains"

# Route remaining packets to user chains
$IPTABLES -t filter -A INPUT -i $WAN_DEV -d $WAN_IP -j WAN2FW
$IPTABLES -t filter -A INPUT -p tcp -i $WAN_DEV --sport $UPORTS -d $WWW_WAN --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $WAN_DEV -s $WAN_IP -j FW2WAN
$IPTABLES -t filter -A OUTPUT -p tcp -o $WAN_DEV -s $WWW_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

[ -z $DEBUG ] || echo "Building local traffic rules"

$IPTABLES -t filter -A INPUT -i $LOCAL_DEV -s $LOCAL_NET -d $LOCAL_IP -j LOCAL2FW
$IPTABLES -t filter -A OUTPUT -o $LOCAL_DEV -s $LOCAL_IP -d $LOCAL_NET -j FW2LOCAL
$IPTABLES -t filter -A FORWARD -i $LOCAL_DEV -o $WAN_DEV -s $LOCAL_NET -j LOCAL2WAN
$IPTABLES -t filter -A FORWARD -i $WAN_DEV -o $LOCAL_DEV -d $LOCAL_NET -j WAN2LOCAL
$IPTABLES -t filter -A FORWARD -i $LOCAL_DEV -o $DMZ_DEV -s $LOCAL_NET -d $DMZ_NET -j LOCAL2DMZ
$IPTABLES -t filter -A FORWARD -i $DMZ_DEV -o $LOCAL_DEV -s $DMZ_NET -d $LOCAL_NET -j DMZ2LOCAL

[ -z $DEBUG ] || echo "Building DMZ traffic rules"

$IPTABLES -t filter -A INPUT -i $DMZ_DEV -s $DMZ_NET -d $DMZ_IP -j DMZ2FW
$IPTABLES -t filter -A OUTPUT -o $DMZ_DEV -s $DMZ_IP -d $DMZ_NET -j FW2DMZ
$IPTABLES -t filter -A FORWARD -i $WAN_DEV -o $DMZ_DEV -d $DMZ_NET -j WAN2DMZ
$IPTABLES -t filter -A FORWARD -i $DMZ_DEV -o $WAN_DEV -s $DMZ_NET -j DMZ2WAN

[ -z $DEBUG ] || echo "Building NAT rules"

# NAT traffic
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_NET -o $WAN_DEV -j SNAT --to-source $WAN_IP
$IPTABLES -t nat -A PREROUTING -i $WAN_DEV -d $PBX_SERVER_WAN -j DNAT --to-destination $PBX_SERVER_LOCAL
$IPTABLES -t nat -A PREROUTING -p tcp -i $WAN_DEV --sport $UPORTS -d $WWW_WAN --dport 22 -j DNAT --to-destination $JWATH_DMZ
# $IPTABLES -t nat -A PREROUTING -i $WAN_DEV -d $PBX_SERVER_WAN -j DNAT --to-dest $PBX_SERVER_DMZ

$IPTABLES -t nat -A POSTROUTING -o $WAN_DEV -s $JWATH_DMZ -j SNAT --to-source $WWW_WAN
$IPTABLES -t nat -A POSTROUTING -o $WAN_DEV -s $P2SUMS_DMZ -j SNAT --to-source $WWW_WAN

[ -z $DEBUG ] || echo "WINSHACK NAT"

#attempt to NAT Winshack
# $IPTABLES -t nat -A PREROUTING -j LOG --log-prefix "winshack prerouting:" -m limit --limit 40/minute
$IPTABLES -t nat -A PREROUTING -i $WAN_DEV -d $WINSHACK_WAN -j DNAT --to-destination $WINSHACK_DMZ
$IPTABLES -t nat -A POSTROUTING -o $WAN_DEV -s $WINSHACK_DMZ -j SNAT --to-source $WINSHACK_WAN

# log remaining packets
$IPTABLES -t filter -A INPUT -j LOG --log-prefix "INPUT: " -m limit --limit 40/minute
$IPTABLES -t filter -A OUTPUT -j LOG --log-prefix "OUTPUT: " -m limit --limit 40/minute
$IPTABLES -t filter -A FORWARD -j LOG --log-prefix "FORWARD: " -m limit --limit 40/minute

# drop everything that's left
$IPTABLES -t filter -A INPUT -j DROP
$IPTABLES -t filter -A OUTPUT -j DROP
$IPTABLES -t filter -A FORWARD -j DROP

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
}

function Stop {
[ -z $DEBUG ] || echo "Stopping firewall"

SetPolicies ACCEPT

echo "0" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -F
# flush the nat table too, otherwise the DNAT/SNAT rules outlive the firewall
$IPTABLES -t nat -F
$IPTABLES -X
}

function Usage {
echo "firewall {start|stop}"
}

case $1 in
start)
Start
;;
stop)
Stop
;;
*)
Usage
;;
esac
 
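A script this size is hard to proofread by eye, so here is an added example (Python, not code from the thread) of a static check over an iptables shell script in the style posted above. It reads the script text, remembers which user chain each shell function creates with `-N`, and reports three defect patterns: a rule appended to a chain other than the one the enclosing function built (a chain's LOG/DROP tail landing in a different chain), a `--sport`/`--dport` match without `-p` (iptables refuses the rule at load time and, with no `set -e`, the script carries on without it), and an ACCEPT whose only match is a state list containing NEW (it accepts every new connection, so every later rule in that chain is dead). The `SCRIPT` text inside the block is a constructed excerpt written in the posted script's style to exercise those checks.

```python
"""Static lint for an iptables shell script of the kind posted above.

Added example; not code from the original post. It reads the script text,
remembers which user chain each shell function creates with `-N`, and flags:

  wrong-chain        a rule appended (-A) to a chain other than the one the
                     enclosing function created (copy-paste slip);
  port-without-proto --sport/--dport/--sports/--dports without -p, which
                     iptables rejects at load time, so the rule is missing;
  catch-all-accept   an ACCEPT whose only match is a --state list containing
                     NEW: every later rule in that chain is unreachable.

SCRIPT below is a constructed excerpt in the posted script's style.
"""
import re
import shlex
from dataclasses import dataclass

FUNC_RE = re.compile(r"^function\s+(\w+)\s*\{")
# Options that narrow a rule to a protocol, address, interface or port.
NARROWING = {"-p", "-s", "-d", "-i", "-o", "--sport", "--dport",
             "--sports", "--dports", "--icmp-type"}
PORT_OPTS = {"--sport", "--dport", "--sports", "--dports"}


@dataclass
class Finding:
    line: int
    chain: str
    kind: str
    detail: str


def _arg(toks, flag):
    """Value following `flag` in the token list, or None."""
    try:
        return toks[toks.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def lint(script):
    """Return a list of Finding for the script text, in line order."""
    findings = []
    func = created = None
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        m = FUNC_RE.match(line)
        if m:
            func, created = m.group(1), None
            continue
        if line == "}":
            func = created = None
            continue
        if not line.startswith("$IPTABLES"):
            continue  # shell, comments, blank lines
        toks = shlex.split(line)
        new_chain = _arg(toks, "-N")
        if new_chain:
            created = new_chain
            continue
        chain = _arg(toks, "-A")
        if chain is None:
            continue
        if created and chain != created:
            findings.append(Finding(no, chain, "wrong-chain",
                                    f"{func} appends to {chain}, expected {created}"))
        if PORT_OPTS & set(toks) and "-p" not in toks:
            findings.append(Finding(no, chain, "port-without-proto",
                                    "port match without -p; iptables rejects this rule"))
        states = _arg(toks, "--state")
        if (_arg(toks, "-j") == "ACCEPT" and states
                and "NEW" in states.split(",") and not NARROWING & set(toks)):
            findings.append(Finding(no, chain, "catch-all-accept",
                                    f"--state {states} accepts every new connection; "
                                    f"later rules in {chain} are dead"))
    return findings


# Constructed excerpt in the posted script's style (not the posted script).
SCRIPT = r"""
function FW2DMZ {
$IPTABLES -t filter -N FW2DMZ
$IPTABLES -A FW2DMZ -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FW2DMZ -p tcp --sport $UPORTS --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FW2DMZ -j LOG --log-prefix "FW2DMZ: " -m limit --limit 10/minute
$IPTABLES -A FW2DMZ -j REJECT
}

function DMZ2FW {
$IPTABLES -t filter -N DMZ2FW
$IPTABLES -A DMZ2FW -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A DMZ2FW -p udp --sport $UPORTS --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FW2DMZ -j LOG --log-prefix "FW2DMZ: " -m limit --limit 10/minute
$IPTABLES -A FW2DMZ -j DROP
}

function DMZ2LOCAL {
$IPTABLES -t filter -N DMZ2LOCAL
$IPTABLES -A DMZ2LOCAL -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A DMZ2LOCAL -j LOG --log-prefix "DMZ2LOCAL: " -m limit --limit 10/minute
$IPTABLES -A DMZ2LOCAL -j DROP
}

function WAN2LOCAL {
$IPTABLES -t filter -N WAN2LOCAL
$IPTABLES -A WAN2LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A WAN2LOCAL --sport $UPORTS --dport 113 -j REJECT --reject-with tcp-reset
$IPTABLES -A WAN2LOCAL -j DROP
}
"""

if __name__ == "__main__":
    for f in lint(SCRIPT):
        print(f"line {f.line:3d} [{f.kind}] {f.chain}: {f.detail}")
```

Run it over the real script with `lint(open("firewall").read())`. It only reads the text, so it says nothing about what the kernel actually does with a packet to .174; for that, the per-rule packet counters from `iptables -t nat -L PREROUTING -v -n` show whether the DNAT rule for WINSHACK_WAN ever matches at all.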
Old 11-14-2005, 04:04 PM   #5
nik.martin
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Original Poster
Rep: Reputation: 0
Also, I'm not a newbie on LinuxQuestions, but the machine that is not routing properly hosts the mail server for the email address I registered here with a year or so ago, and I forgot the password! I had to register with a different email address.
 
Old 11-14-2005, 04:22 PM   #6
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Working on it. I do agree with your line in #attempt to NAT Winshack. Must be a line dropping output somewhere. Or

$IPTABLES -t nat -A POSTROUTING -o $WAN_DEV -s $WINSHACK_DMZ -j SNAT --to-source $WINSHACK_WAN

The man who can handle this here is Capt_Caveman.
Got to go out for a while but will take a printout to look over.
Brian1
 
Old 11-14-2005, 04:27 PM   #7
nik.martin
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Brian1

The man who can handle this here is Capt_Caveman.
Got to go out for a while but will take a printout to look over.
Brian1
Thanks for adding a second set of eyes to this. I'm blind from digging through that script, and have second-guessed everything I've done, and it's really getting to me. I'm not sure it's not a kernel/iptables or ifconfig bug for real, but maybe you'll see something I didn't.
 
Old 11-15-2005, 05:05 PM   #8
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Haven't spent much time on it. But to make sure of something: when you said you changed to 171, did you mean you changed your line ' WINSHACK_WAN='1.2.3.174' ' to 171, or what did you modify?

Brian1
 
Old 11-15-2005, 05:12 PM   #9
nik.martin
LQ Newbie
 
Registered: Nov 2005
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by Brian1
Haven't spent much time on it. But to make sure of something: when you said you changed to 171, did you mean you changed your line ' WINSHACK_WAN='1.2.3.174' ' to 171, or what did you modify?

Brian1
Exactly. I moved WINSHACK_WAN to 1.2.3.171, re-ran the firewall script (making NO other changes on the system), and it worked like a champ. Of course I entered the address as http://1.2.3.171 in my browser vs. the normal URL/address that that server resolves to, since my DNS was now invalid for the address in question.

Regards,

Nik Martin
 
Old 11-15-2005, 05:35 PM   #10
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
And if it is on 174, then even using http://1.2.3.174 does not work?

Brian1
 