Old 08-24-2007, 10:23 AM   #1
daniel-linux
Firewall with two subnets is not working


Hi,

I am having a problem here. I have an Internet server, and behind this server there are two subnets, 192.168.2.x and 192.168.3.x. When I start the firewall script below, the Internet stops working. Any help is very welcome.

=============

#!/bin/bash

# Change this to the name of the interface that provides your "uplink"
# (connection to the Internet).
UPLINK="eth0"

# Change this next line so it lists all your network interfaces, including lo,
# but NOT the UPLINK.
INTERFACES="lo eth1 eth2"

# Change this line so that it lists the assigned numbers or symbolic names (from
# /etc/services) of all the services that you'd like to provide to the general
# public. If you don't want any services enabled, set it to "" (empty).
SERVICES="ftp ssh"

################

if [ "$1" = "start" ]
then
echo "Starting firewall..."

# (1) initial configuration.
#

# Clear any existing rules before we start. The nat table has to be flushed
# too, otherwise the REDIRECT and MASQUERADE rules below are appended again
# on every restart.
for TABLE in filter nat mangle; do
iptables -t $TABLE --flush
iptables -t $TABLE --zero
iptables -t $TABLE --delete-chain
done

# By default, drop all traffic that comes to or through this machine;
# outgoing traffic is allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# We're a router of some kind, enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward


# (2) optimization and security options.
#

# Explicitly disable ECN.
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi

# Enable reverse-path filtering (anti-spoofing) on all interfaces.
for x in ${INTERFACES} ${UPLINK}
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done

# Reject bad/malicious packets. --reject-with is an option of the REJECT
# target, so it has to come after -j REJECT. Because these two rules sit
# before the SERVICES rules, they also answer every NEW TCP/UDP connection
# arriving on the uplink, so the services below are only reachable from the
# internal interfaces.
iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

# Allow certain inbound ICMP types (ping, traceroute, ...).
iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type echo-request -j ACCEPT

# (3) open and close the doors.
#

# Enable public access to certain services.
for x in ${SERVICES}
do
iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
done

# Some other services.
# squid: transparently redirect LAN web traffic to the local proxy. Redirected
# packets are delivered locally and judged by the INPUT chain (dport 3128),
# which so far only accepts ESTABLISHED traffic, ICMP and the SERVICES ports.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128

# Allow MSN for these MAC addresses. (The first address is reproduced as
# posted; iptables expects six colon-separated octets.) A hostname given to
# -d is resolved once, when the rule is loaded.
iptables -A FORWARD -m mac --mac-source 000:09:9E:9A:08 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 000:09:9E:9A:08 -d loginnet.passport.com -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:90:4B:55:A4:03 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:90:4B:55:A4:03 -d loginnet.passport.com -j ACCEPT

# Deny MSN to everyone else ("not the all-zero / broadcast MAC" matches every
# real host).
iptables -A FORWARD -m mac --mac-source ! 00:00:00:00:00:00 -p tcp --dport 1863 -j DROP
iptables -A FORWARD -m mac --mac-source ! FF:FF:FF:FF:FF:FF -p tcp --dport 1863 -j DROP
iptables -A FORWARD -m mac --mac-source ! 00:00:00:00:00:00 -d loginnet.passport.com -j DROP
iptables -A FORWARD -m mac --mac-source ! FF:FF:FF:FF:FF:FF -d loginnet.passport.com -j DROP

# (4) finishing ...
#

# Dynamic IP address, use masquerading.
iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE

# -d with no netmask is a /32 match, so these two rules only accept packets
# whose destination is the single address 192.168.0.0 (see the replies below).
iptables -A FORWARD -i eth1 -d 192.168.0.0 -j ACCEPT
iptables -A FORWARD -i eth2 -d 192.168.0.0 -j ACCEPT


elif [ "$1" = "stop" ]
then
echo "Stopping firewall..."
for TABLE in filter nat mangle; do
iptables -t $TABLE -F
iptables -t $TABLE -X
done
for CHAIN in INPUT OUTPUT FORWARD; do
iptables -t filter -P $CHAIN ACCEPT
done
fi

============

Thanks

Last edited by daniel-linux; 08-24-2007 at 10:24 AM.
 
Old 08-24-2007, 11:29 AM   #2
sparc86
iptables -A FORWARD -i eth1 -d 192.168.0.0 -j ACCEPT
iptables -A FORWARD -i eth2 -d 192.168.0.0 -j ACCEPT


You should change these two lines to:

iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -s 192.168.0.0/16 -j ACCEPT


This would open up the entire subnet (netmask 255.255.0.0).


More information about basic gateway firewall settings can be found at http://wiki.linuxquestions.org/wiki/..._a_gateway/nat



Hope it works for you now.

Last edited by sparc86; 08-24-2007 at 03:06 PM.
 
Old 08-24-2007, 12:36 PM   #3
daniel-linux
Hi.

Thanks for your help sparc86... but it is still not working.
More info:

eth0=192.168.1.2 = internet
eth1=192.168.2.1 = subnet 1
eth2=192.168.3.1 = subnet 2

I went over the whole script... but didn't find where it is wrong.
 
Old 08-24-2007, 12:57 PM   #4
sparc86
iptables -A FORWARD -i eth2 -s 192.168.3.1 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.2.1 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Does this work?


By the way, do you have static or dynamic IP?
 
Old 08-24-2007, 02:41 PM   #5
daniel-linux
Hi... I will try this.

I have DSL with a dynamic IP.

Thanks.
-----------------
#!/bin/bash

# Change this to the name of the interface that provides your "uplink"
# (connection to the Internet).
UPLINK="eth0"

# Change this next line so it lists all your network interfaces, including lo,
# but NOT the UPLINK.
INTERFACES="lo eth1 eth2"

# Change this line so that it lists the assigned numbers or symbolic names (from
# /etc/services) of all the services that you'd like to provide to the general
# public. If you don't want any services enabled, set it to "" (empty).
SERVICES="ftp ssh"

################

if [ "$1" = "start" ]
then
echo "Starting firewall..."

# (1) initial configuration.
#

# Clear any existing rules before we start. The nat table has to be flushed
# too, otherwise the REDIRECT and MASQUERADE rules below are appended again
# on every restart.
for TABLE in filter nat mangle; do
iptables -t $TABLE --flush
iptables -t $TABLE --zero
iptables -t $TABLE --delete-chain
done

# By default, drop all traffic that comes to or through this machine;
# outgoing traffic is allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# We're a router of some kind, enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward


# (2) optimization and security options.
#

# Explicitly disable ECN.
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi

# Enable reverse-path filtering (anti-spoofing) on all interfaces.
for x in ${INTERFACES} ${UPLINK}
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done

# Reject bad/malicious packets. Because these two rules sit before the
# SERVICES rules, they also answer every NEW TCP/UDP connection arriving on
# the uplink, so the services below are only reachable from the internal
# interfaces.
iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

# Allow certain inbound ICMP types (ping, traceroute, ...).
iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i ${UPLINK} -p icmp --icmp-type echo-request -j ACCEPT

# (3) open and close the doors.
#

# Enable public access to certain services.
for x in ${SERVICES}
do
iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
done

# Some other services.
# squid: transparently redirect LAN web traffic to the local proxy. Redirected
# packets are delivered locally and judged by the INPUT chain (dport 3128),
# which so far only accepts ESTABLISHED traffic, ICMP and the SERVICES ports.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3128

# Allow MSN for these MAC addresses. (The first address is reproduced as
# posted; iptables expects six colon-separated octets.) A hostname given to
# -d is resolved once, when the rule is loaded.
iptables -A FORWARD -m mac --mac-source 000:09:9E:9A:08 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 000:09:9E:9A:08 -d loginnet.passport.com -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:90:4B:55:A4:03 -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:90:4B:55:A4:03 -d loginnet.passport.com -j ACCEPT

# Deny MSN to everyone else ("not the all-zero / broadcast MAC" matches every
# real host).
iptables -A FORWARD -m mac --mac-source ! 00:00:00:00:00:00 -p tcp --dport 1863 -j DROP
iptables -A FORWARD -m mac --mac-source ! FF:FF:FF:FF:FF:FF -p tcp --dport 1863 -j DROP
iptables -A FORWARD -m mac --mac-source ! 00:00:00:00:00:00 -d loginnet.passport.com -j DROP
iptables -A FORWARD -m mac --mac-source ! FF:FF:FF:FF:FF:FF -d loginnet.passport.com -j DROP

# (4) finishing ...
#

# Dynamic IP address, use masquerading.
iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE

# Forward rules. -s with no netmask is a /32 match, so the first two rules
# match only the single source addresses 192.168.3.1 and 192.168.2.1 (the
# gateway's own addresses on eth2 and eth1); the third lets replies to
# connections opened from the inside back in from the uplink.
iptables -A FORWARD -i eth2 -s 192.168.3.1 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.2.1 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

elif [ "$1" = "stop" ]
then
echo "Stopping firewall..."
for TABLE in filter nat mangle; do
iptables -t $TABLE -F
iptables -t $TABLE -X
done
for CHAIN in INPUT OUTPUT FORWARD; do
iptables -t filter -P $CHAIN ACCEPT
done
fi

-----------------

The above is the firewall with all the changes.
But I still can't surf or ping.

There is no problem with the Internet, because when I use another firewall, everything works.

Last edited by daniel-linux; 08-24-2007 at 02:53 PM.
 
Old 08-24-2007, 03:21 PM   #6
daniel-linux
With the last script... I can ping outside now, but still can't surf.
 
Old 08-24-2007, 04:07 PM   #7
sparc86
That's quite weird, since the OUTPUT policy is configured to ACCEPT all.


I will keep analyzing this...


Doesn't anybody else have ideas about what is going on here?
 
Old 08-24-2007, 04:20 PM   #8
daniel-linux
It works now, with the last script I put here. I just restarted the machine and everything works. Now, I would like to understand these lines:

iptables -A FORWARD -i eth2 -s 192.168.3.1 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.2.1 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

What did you do? And why do you use FORWARD?

Thank you,
Daniel
 
Old 08-27-2007, 02:31 PM   #9
sparc86
Quote:
Originally Posted by daniel-linux View Post
It works now, with the last script I put here. I just restarted the machine and everything works. Now, I would like to understand these lines:

iptables -A FORWARD -i eth2 -s 192.168.3.1 -j ACCEPT
iptables -A FORWARD -i eth1 -s 192.168.2.1 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

What did you do? And why do you use FORWARD?

Thank you,
Daniel

http://iptables-tutorial.frozentux.n...l#FORWARDCHAIN


This will make the things clear.
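Daniel's question in reply #8 (which chain these three lines belong to and what they match) and sparc86's 192.168.0.0/16 rule in reply #2 come down to two things: the routing decision that sends a packet to INPUT, FORWARD or OUTPUT, and the netmask iptables applies when -s or -d is given a bare address. The following is an added example, not code from the thread or from iptables: a small Python model that implements only those two things (plus the state match and the PREROUTING REDIRECT from the script) and evaluates the thread's rules against constructed packets. It assumes the gateway addresses from reply #3, an assumed LAN host 192.168.3.10, and the documentation address 203.0.113.5 as the remote server; the reply packet is shown after conntrack has undone the MASQUERADE, which is how the FORWARD chain sees it.

```python
# Added example (not from the thread): a miniature model of the netfilter
# decision path, covering only the matches the thread's rules use.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# The gateway's own addresses, as posted in reply #3.
LOCAL_ADDRS = {"eth0": "192.168.1.2", "eth1": "192.168.2.1", "eth2": "192.168.3.1"}


@dataclass
class Packet:
    in_iface: str          # "" = generated by the gateway itself
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"     # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str
    in_iface: Optional[str] = None
    src: Optional[str] = None    # "10.0.0.0/8", or a bare "10.0.0.1" (iptables: /32)
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Set[str] = field(default_factory=set)

    def matches(self, p: Packet) -> bool:
        return all([
            self.in_iface is None or p.in_iface == self.in_iface,
            self.src is None or ip_address(p.src) in ip_network(self.src, strict=False),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst, strict=False),
            self.proto is None or p.proto == self.proto,
            self.dport is None or p.dport == self.dport,
            not self.states or p.state in self.states,
        ])


def prefix_len(addr: str) -> int:
    """Netmask iptables applies to an address argument: a bare address is a /32."""
    return ip_network(addr, strict=False).prefixlen


def nat_prerouting(p: Packet) -> Packet:
    """The script's two REDIRECT rules: the destination becomes the receiving
    interface's own address, so the packet is then judged by INPUT."""
    if p.in_iface in ("eth1", "eth2") and p.proto == "tcp" and p.dport == 80:
        return Packet(p.in_iface, p.src, LOCAL_ADDRS[p.in_iface], "tcp", 3128, p.state)
    return p


def chain_for(p: Packet) -> str:
    """Routing decision after PREROUTING: our own packets -> OUTPUT,
    packets addressed to us -> INPUT, everything else -> FORWARD."""
    if p.in_iface == "":
        return "OUTPUT"
    return "INPUT" if p.dst in LOCAL_ADDRS.values() else "FORWARD"


def verdict(rules: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule wins; with no match the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


# FORWARD rules of the first script, of the final script, and of a variant
# that names the whole subnets instead of single addresses.
FIRST_FORWARD = [Rule("ACCEPT", in_iface="eth1", dst="192.168.0.0"),
                 Rule("ACCEPT", in_iface="eth2", dst="192.168.0.0")]
FINAL_FORWARD = [Rule("ACCEPT", in_iface="eth2", src="192.168.3.1"),
                 Rule("ACCEPT", in_iface="eth1", src="192.168.2.1"),
                 Rule("ACCEPT", in_iface="eth0", states={"ESTABLISHED", "RELATED"})]
SUBNET_FORWARD = [Rule("ACCEPT", in_iface="eth2", src="192.168.3.0/24"),
                  Rule("ACCEPT", in_iface="eth1", src="192.168.2.0/24"),
                  Rule("ACCEPT", in_iface="eth0", states={"ESTABLISHED", "RELATED"})]
# INPUT rules of the script, in order (SERVICES="ftp ssh" = ports 21 and 22).
INPUT_RULES = [Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
               Rule("REJECT", in_iface="eth0", proto="tcp"),
               Rule("ACCEPT", proto="tcp", dport=21, states={"NEW"}),
               Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"})]

# Constructed packets: 192.168.3.10 is an assumed host on subnet 2, 203.0.113.5
# a documentation address standing in for a server on the Internet.
LAN_HTTPS = Packet("eth2", "192.168.3.10", "203.0.113.5", "tcp", 443)
LAN_WEB = nat_prerouting(Packet("eth2", "192.168.3.10", "203.0.113.5", "tcp", 80))
REPLY = Packet("eth0", "203.0.113.5", "192.168.3.10", "tcp", 40000, "ESTABLISHED")
UNSOLICITED = Packet("eth0", "203.0.113.5", "192.168.3.10", "tcp", 445)


def summary() -> dict:
    return {
        "bare_address_mask": prefix_len("192.168.0.0"),
        "https_chain": chain_for(LAN_HTTPS),
        "web_chain": chain_for(LAN_WEB),                      # INPUT, because of the REDIRECT
        "first_script": verdict(FIRST_FORWARD, "DROP", LAN_HTTPS),
        "final_script": verdict(FINAL_FORWARD, "DROP", LAN_HTTPS),
        "subnet_rules": verdict(SUBNET_FORWARD, "DROP", LAN_HTTPS),
        "subnet_reply": verdict(SUBNET_FORWARD, "DROP", REPLY),
        "subnet_unsolicited": verdict(SUBNET_FORWARD, "DROP", UNSOLICITED),
        "web_to_squid": verdict(INPUT_RULES, "DROP", LAN_WEB),  # 3128 is not in SERVICES
    }


if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name:20} {result}")
```

Running it prints one result per case: a LAN host's outbound connection is judged by FORWARD (OUTPUT only covers packets the gateway itself generates, which is why an ACCEPT policy on OUTPUT says nothing about the LAN); -d 192.168.0.0 and -s 192.168.3.1 without a netmask are /32 matches, and only the /24 variant accepts the assumed LAN host while still dropping unsolicited inbound packets; and port-80 traffic that the REDIRECT sends to squid is judged by INPUT on port 3128, which none of the script's INPUT rules accept. The model leaves out the OUTPUT rules, the MAC matches and rp_filter.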
 
  

