LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-29-2007, 02:24 PM   #1
davidz
LQ Newbie
Registered: Aug 2007
Posts: 11

IPTABLES Misunderstanding


Forgive my newbie status, but I am working on a new firewall/router for our company network. I am having a hard time getting it to function the way I would expect. I have read "Linux Firewalls" third edition, and that helped a lot. But none of the examples match our network very well.

First a little background on the network:
We have a 10meg dedicated ethernet connection to the internet. This connects to eth1 on a Centos 4.5 server. Then eth0 is the LAN interface. So we have 13 usable IP addresses from our ISP. We are only planning on using 3 at the moment. One for the firewall, one for the email server, one for the web server. (Three separate servers). The plan was to use DNAT for the two external servers (web, email).

So the setup we are looking for is a DENY by default policy. But I am having trouble getting packets to flow as expected. So what I am looking for here from more experienced linux gurus is some help understanding the best way to do this.

I have noticed that for a packet to get from the outside to a local machine on the network I have to add 6 different rules. INPUT, OUTPUT, FORWARD, NAT PREROUTING, NAT POSTROUTING, NAT OUTPUT. Is this really how it works?

I will post the firewall I have been working on:

Code:
#!/bin/sh

/sbin/modprobe ip_conntrack_ftp

IPT="/sbin/iptables"                 # Location of iptables on your system
INTERNET="eth1"                      # Internet-connected interface
LOOPBACK_INTERFACE="lo"              # however your system names it
IPADDRESS="209.xxx.xxx.114"           # your IP address
SUBNET_BASE="209.xxx.xxx.112"         # ISP network segment base address
SUBNET_BROADCAST="209.xxx.xxx.127"    # network segment broadcast address
DEFAULTGW="209.xxx.xxx.113"           # ISP server & NOC address range
LAN_INTERFACE="eth0"                 # LAN Interface
LAN_ADDRESS="192.168.100.6"          # LAN Ip Address
LAN_NETWORK="192.168.0.0/16"         # The whole LAN

TIME_SERVER1="198.60.22.240"         # address of a remote time server
TIME_SERVER2="216.218.254.202"       # address of a remote time server
ATHENAEXTADDRESS="209.xxx.xxx.115"   # external address of web/DNS server (Athena)
ATHENAINTADDRESS="192.168.100.54"    # internal address of web/DNS server (Athena)
HERMESEXTADDRESS="209.xxx.xxx.116"   # external address of email server (Hermes)
HERMESINTADDRESS="192.168.100.50"    # internal address of email server (Hermes)

LOOPBACK="127.0.0.0/8"               # reserved loopback address range
CLASS_A="10.0.0.0/8"                 # Class A private networks
CLASS_B="172.16.0.0/12"              # Class B private networks
CLASS_C="192.168.0.0/16"             # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"      # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5"   # Class E reserved addresses
BROADCAST_SRC="0.0.0.0"              # broadcast source address
BROADCAST_DEST="255.255.255.255"     # broadcast destination address

PRIVPORTS="0:1023"                   # well-known, privileged port range
UNPRIVPORTS="1024:65535"             # unprivileged port range

NFS_PORT="2049"
LOCKD_PORT="4045"
SOCKS_PORT="1080"
OPENWINDOWS_PORT="2000"
XWINDOW_PORTS="6000:6063"
SQUID_PORT="3128"

###############################################################

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

# Don't Send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

###############################################################
# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT --policy INPUT   ACCEPT
$IPT --policy OUTPUT  ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING  ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
if [ "$1" = "stop" ]
then
echo "Firewall completely stopped!  WARNING: THIS HOST HAS NO FIREWALL RUNNING."
exit 0
fi
# Unlimited traffic on the loopback interface
$IPT -A INPUT  -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Unlimited traffic on the lan interface
$IPT -A INPUT  -i $LAN_INTERFACE -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -j ACCEPT
$IPT -A FORWARD -i $LAN_INTERFACE -j ACCEPT
$IPT -A FORWARD -o $LAN_INTERFACE -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN_INTERFACE -j ACCEPT
$IPT -t nat -A POSTROUTING -o $LAN_INTERFACE -j ACCEPT
$IPT -t nat -A OUTPUT -o $LAN_INTERFACE -j ACCEPT

# Log everything for testing...
$IPT -A INPUT -j LOG --log-prefix "INPUT: "
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT: "
$IPT -A FORWARD -j LOG --log-prefix "FORWARD: "
$IPT -t nat -A PREROUTING -j LOG --log-prefix "NAT PREROUTING: "
$IPT -t nat -A POSTROUTING -j LOG --log-prefix "NAT POSTROUTING: "
$IPT -t nat -A OUTPUT -j LOG --log-prefix "NAT OUTPUT: "

# Set the default policy to drop
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
$IPT -t nat --policy PREROUTING DROP
$IPT -t nat --policy POSTROUTING DROP
$IPT -t nat --policy OUTPUT DROP

###############################################################
# Stealth Scans and TCP State Flags
# All of the bits are cleared
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

###############################################################
# Using Connection State to By-pass Rule Checking

$IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Using the state module alone, INVALID will break protocols that use
# bi-directional connections or multiple connections or exchanges,
# unless an ALG is provided for the protocol. At this time, FTP and
# IRC are the only protocols with ALG support.

$IPT -A INPUT -m state --state INVALID -j LOG \
        --log-prefix "INVALID input: "
$IPT -A INPUT -m state --state INVALID -j DROP

$IPT -A OUTPUT -m state --state INVALID -j LOG \
        --log-prefix "INVALID output: "
$IPT -A OUTPUT -m state --state INVALID -j DROP

$IPT -A FORWARD -m state --state INVALID -j LOG \
        --log-prefix "INVALID forward: "
$IPT -A FORWARD -m state --state INVALID -j DROP

$IPT -t nat -A PREROUTING -m state --state INVALID -j LOG \
        --log-prefix "INVALID prerouting: "
$IPT -t nat -A PREROUTING -m state --state INVALID -j DROP

$IPT -t nat -A POSTROUTING -m state --state INVALID -j LOG \
        --log-prefix "INVALID postrouting: "
$IPT -t nat -A POSTROUTING -m state --state INVALID -j DROP

$IPT -t nat -A OUTPUT -m state --state INVALID -j LOG \
        --log-prefix "INVALID nat output: "
$IPT -t nat -A OUTPUT -m state --state INVALID -j DROP

###############################################################
# Source Address Spoofing and Other Bad Addresses

# Refuse spoofed packets pretending to be from the external interface's IP address
$IPT -A INPUT -i $INTERNET -s $IPADDRESS -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $IPADDRESS -j DROP

# Refuse packets claiming to be from a Class A private network
$IPT -A INPUT -i $INTERNET -s $CLASS_A -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $CLASS_A -j DROP

# Refuse packets claiming to be from a Class B private network
$IPT -A INPUT -i $INTERNET -s $CLASS_B -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $CLASS_B -j DROP

# Refuse packets claiming to be from a Class C private network
$IPT -A INPUT -i $INTERNET -s $CLASS_C -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $CLASS_C -j DROP

# Refuse packets claiming to be from the loopback interface
$IPT -A INPUT -i $INTERNET -s $LOOPBACK -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $LOOPBACK -j DROP

# Refuse malformed broadcast packets
# Broadcast coming from the internet
$IPT -A INPUT -i $INTERNET -s $BROADCAST_DEST -j DROP
$IPT -A INPUT -i $INTERNET -s $BROADCAST_SRC -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $BROADCAST_DEST -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $BROADCAST_SRC -j DROP

# Broadcast out to the internet
$IPT -A FORWARD -i $LAN_INTERFACE -o $INTERNET \
         -d $BROADCAST_SRC  -j DROP

# Don't forward limited broadcasts in either direction
$IPT -A FORWARD -d $BROADCAST_DEST -j DROP

# Block illegal multicast packets
$IPT -A INPUT   -p ! udp -d $CLASS_D_MULTICAST -j DROP
$IPT -A FORWARD -p ! udp -d $CLASS_D_MULTICAST -j DROP

# Refuse Class E reserved IP addresses
$IPT -A INPUT -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s $CLASS_E_RESERVED_NET -j DROP

# refuse addresses defined as reserved by the IANA
# 0.*.*.*          - Can't be blocked unilaterally with DHCP
# 169.254.0.0/16   - Link Local Networks
# 192.0.2.0/24     - TEST-NET

$IPT -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP
# Same three ranges in PREROUTING (0.0.0.0/8 was listed twice as 192.0.2.0/24 before)
$IPT -t nat -A PREROUTING -i $INTERNET -s 0.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s 169.254.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -i $INTERNET -s 192.0.2.0/24 -j DROP

###############################################################
# ICMP Control and Status Messages

# Drop initial ICMP fragments
$IPT -A INPUT --fragment -p icmp -j DROP
$IPT -A OUTPUT --fragment -p icmp -j DROP
$IPT -A FORWARD --fragment -p icmp -j DROP
$IPT -t nat -A PREROUTING --fragment -p icmp -j DROP
$IPT -t nat -A POSTROUTING --fragment -p icmp -j DROP
$IPT -t nat -A OUTPUT --fragment -p icmp -j DROP

#Other pings
$IPT -A INPUT -i $INTERNET -p icmp -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p icmp -j ACCEPT
$IPT -A FORWARD -i $INTERNET -p icmp -j ACCEPT
$IPT -A FORWARD -o $INTERNET -p icmp -j ACCEPT
$IPT -t nat -A PREROUTING -i $INTERNET -p icmp -j ACCEPT
$IPT -t nat -A OUTPUT -o $INTERNET -p icmp -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INTERNET -p icmp -j ACCEPT

###############################################################
# Allow Traceroutes

$IPT -A INPUT -i $INTERNET -p udp \
        -d $IPADDRESS --dport 32769:65535 -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p udp \
        -s $IPADDRESS --sport 32769:65535 \
        --dport 33434:33523 -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INTERNET -p udp \
        -s $IPADDRESS --sport 32769:65535 \
        --dport 33434:33523 -j ACCEPT
$IPT -t nat -A PREROUTING -i $INTERNET -p udp \
        -d $IPADDRESS --dport 32769:65535 -j ACCEPT
$IPT -t nat -A OUTPUT -o $INTERNET -p udp \
        -s $IPADDRESS --sport 32769:65535 \
        --dport 33434:33523 -j ACCEPT

###############################################################
###############################################################
#                                                             #
#               This is our custom stuff                      #
#                                                             #
###############################################################
###############################################################
#Prerouting address to other Servers

#...........Website on Athena ports 80 and 443.............#
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS -d $ATHENAEXTADDRESS --dport 80 \
        -j DNAT --to-destination $ATHENAINTADDRESS

$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS -d $ATHENAEXTADDRESS --dport 443 \
        -j DNAT --to-destination $ATHENAINTADDRESS

#..........DNS Server on Athena...............#
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS -d $ATHENAEXTADDRESS --dport 53 \
        -j DNAT --to-destination $ATHENAINTADDRESS

#...........Email Server On Hermes............#
#....First Redirect all incoming Port 25 through Barracuda....#
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS -d $HERMESEXTADDRESS --dport 25 \
        -j DNAT --to-destination 192.168.100.14

#...All Other Email Stuff is Done From HERMES....#
#POP
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS -d $HERMESEXTADDRESS --dport 110 \
        -j DNAT --to-destination $HERMESINTADDRESS
#IMAP
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp \
        --sport $UNPRIVPORTS -d $HERMESEXTADDRESS --dport 143 \
        -j DNAT --to-destination $HERMESINTADDRESS

###############################################################
# DNS
# One name server gets prerouting 

#..................Local Name Server Number ..................#
$IPT -A INPUT -i $INTERNET -p udp \
        --sport $UNPRIVPORTS -d $IPADDRESS --dport 53 -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p udp \
        --sport $UNPRIVPORTS --dport 53 -j ACCEPT
$IPT -A FORWARD -o $INTERNET -p udp \
        --sport $UNPRIVPORTS --dport 53 -j ACCEPT
$IPT -t nat -A PREROUTING -i $INTERNET -p udp \
        --sport $UNPRIVPORTS -d $IPADDRESS --dport 53 -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INTERNET -p udp \
        --sport $UNPRIVPORTS --dport 53 -j ACCEPT
$IPT -t nat -A OUTPUT -o $INTERNET -p udp \
        --sport $UNPRIVPORTS --dport 53 -j ACCEPT


###############################################################
###############################################################
#                                                             #
#               Leave at the bottom for SNAT                  #
#                                                             #
###############################################################
###############################################################

#..............For Email................#
$IPT -t nat -A POSTROUTING -o eth1 \
        -s 192.168.100.50/32 \
        -j SNAT --to-source 209.33.201.116

#..............For Everything else......#
$IPT -t nat -A POSTROUTING -o eth1 \
        -s 192.168.0.0/16 \
        -j SNAT --to-source 209.33.201.114
 
Old 08-29-2007, 03:40 PM   #2
sparc86
Member
Registered: Jul 2006
Location: Joinville, Brazil
Distribution: Debian, CentOS
Posts: 301
Check these links; they will probably help you:

http://wiki.linuxquestions.org/wiki/..._a_gateway/nat


http://iptables-tutorial.frozentux.n...-tutorial.html
 
Old 08-29-2007, 04:06 PM   #3
davidz
LQ Newbie
Registered: Aug 2007
Posts: 11
Original Poster
Quote:
Originally Posted by sparc86
Check these links; they will probably help you:

http://wiki.linuxquestions.org/wiki/..._a_gateway/nat
Good link. What I am wondering is the best way to do default policies. Even in that example they only apply a DROP policy to INPUT and FORWARD; all others are ACCEPT policies. Is it safe to say that I can change my default policy on my NAT tables to ACCEPT? Then I only have to make rules for INPUT, OUTPUT, FORWARD?

I'm mostly looking for best default practices. Mainly because when I do DROP policy on all tables I can't get anything to work properly. :-)

Thanks,
David
 
Old 08-29-2007, 05:31 PM   #4
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by davidz
What I am wondering is the best way to do default policies. Even in that example they only apply a DROP policy to INPUT and FORWARD; all others are ACCEPT policies. Is it safe to say that I can change my default policy on my NAT tables to ACCEPT? Then I only have to make rules for INPUT, OUTPUT, FORWARD?
Yes, you should keep your nat table chains' policies set to ACCEPT. But you still need to make your DNAT and SNAT rules, of course. Filtering should be done only in the filter table, so set your INPUT, OUTPUT, and FORWARD policies to DROP, but leave your nat table's PREROUTING, POSTROUTING, and OUTPUT chains set to ACCEPT. Same goes for your mangle and raw tables.
Code:
$IPT -t filter -P INPUT DROP
$IPT -t filter -P FORWARD DROP
$IPT -t filter -P OUTPUT DROP

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
EDIT: Note that there are probably special cases when changing policies for some of these non-filter chains is indeed necessary. I am, however, not familiar with those cases.

Last edited by win32sux; 08-30-2007 at 09:36 AM.
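The layout win32sux describes, worked through as an added example (this is not code from the thread or from any of its posters): DROP policies live only in the filter table, the nat chains stay at ACCEPT and hold nothing but DNAT/SNAT rules, and a published service then needs two rules rather than the six the original post counted, because the nat table is consulted only for the first packet of a connection and conntrack handles the reverse translation. Interface names and internal addresses are taken from the original poster's script; the public addresses are placeholders from the 203.0.113.0/24 documentation range (the real ones are redacted on the page), and the function names `set_policies`, `base_rules`, `publish_tcp`, `snat_rules` and the `IPTABLES_DRYRUN` switch are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: a deny-by-default router laid out
# the way win32sux suggests. Only the filter table gets DROP policies; the nat
# chains stay ACCEPT and carry nothing but DNAT/SNAT rules. Interface names and
# internal addresses follow the original poster's script; the external
# addresses are placeholders from the 203.0.113.0/24 documentation range.

INTERNET="eth1"                 # Internet-facing interface
LAN_INTERFACE="eth0"            # LAN interface
LAN_NETWORK="192.168.0.0/16"
IPADDRESS="203.0.113.114"       # placeholder: firewall's public address
WEB_EXT="203.0.113.115"         # placeholder: public address of the web server
WEB_INT="192.168.100.54"
MAIL_EXT="203.0.113.116"        # placeholder: public address of the mail server
MAIL_INT="192.168.100.50"

# Dry-run by default: every rule is printed instead of loaded, so the ruleset
# can be reviewed on a machine without root or iptables. IPTABLES_DRYRUN=0 loads it.
if [ "${IPTABLES_DRYRUN:-1}" = "1" ]; then
    IPT="echo iptables"
else
    IPT="/sbin/iptables"
    echo 1 > /proc/sys/net/ipv4/ip_forward   # routing must be on for FORWARD/DNAT to matter
fi

set_policies() {
    # Filtering is decided in the filter table only.
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT DROP
    # nat chains only see the first packet of each connection; leave them open.
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT
}

base_rules() {
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to anything already allowed come back through conntrack (RELATED
    # also covers helper-tracked traffic such as FTP data when ip_conntrack_ftp
    # is loaded), so no chain needs a mirror rule for the return direction.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A "$chain" -m state --state INVALID -j DROP
    done
    # The LAN may manage the firewall and reach the Internet; the firewall itself may go out.
    $IPT -A INPUT   -i "$LAN_INTERFACE" -s "$LAN_NETWORK" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_INTERFACE" -o "$INTERNET" -s "$LAN_NETWORK" -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT  -o "$INTERNET" -m state --state NEW -j ACCEPT
}

# publish_tcp EXTERNAL INTERNAL PORT: the two rules one published TCP service
# needs, rather than one per chain. DNAT happens in nat/PREROUTING before the
# routing decision, so filter/FORWARD already sees the internal address.
publish_tcp() {
    ext="$1"; int="$2"; port="$3"
    $IPT -t nat -A PREROUTING -i "$INTERNET" -p tcp -d "$ext" --dport "$port" \
        -j DNAT --to-destination "$int"
    $IPT -A FORWARD -i "$INTERNET" -o "$LAN_INTERFACE" -p tcp -d "$int" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

snat_rules() {
    # Most specific source first: outbound mail keeps the mail server's own
    # public address, everything else leaves as the firewall.
    $IPT -t nat -A POSTROUTING -o "$INTERNET" -s "$MAIL_INT"    -j SNAT --to-source "$MAIL_EXT"
    $IPT -t nat -A POSTROUTING -o "$INTERNET" -s "$LAN_NETWORK" -j SNAT --to-source "$IPADDRESS"
}

# Order matters: policies, base rules, published services, SNAT last.
set_policies
base_rules
publish_tcp "$WEB_EXT"  "$WEB_INT"  80
publish_tcp "$WEB_EXT"  "$WEB_INT"  443
publish_tcp "$MAIL_EXT" "$MAIL_INT" 25
snat_rules
```

Run as-is to print the ruleset for review; `IPTABLES_DRYRUN=0 sh firewall.sh` as root loads it. The point to take from the DROP-everywhere version in the first post is that `-m state --state ESTABLISHED,RELATED` rules in the nat table never match anything, since nat is only consulted for NEW connections; with DROP policies there, every connection's first packet died in PREROUTING or POSTROUTING, which is why nothing worked until the nat policies went back to ACCEPT.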
 
Old 08-30-2007, 09:31 AM   #5
davidz
LQ Newbie
Registered: Aug 2007
Posts: 11
Original Poster
Quote:
Originally Posted by win32sux
Yes, you should keep your nat table chains' policies set to ACCEPT. But you still need to make your DNAT and SNAT rules, of course. Filtering should be done only in the filter table, so set your INPUT, OUTPUT, and FORWARD policies to DROP, but leave your nat table's PREROUTING, POSTROUTING, and OUTPUT chains set to ACCEPT. Same goes for your mangle and raw tables.
Thanks for the tip. I think I am actually making progress now, and the firewall is functioning as expected with new rules and such.


Thanks again,
David
 
Old 08-30-2007, 09:39 AM   #6
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by davidz
Thanks for the tip.
You're very welcome.

Quote:
I think I am actually making progress now, and the firewall is functioning as expected with new rules and such.
Glad to hear that!

If you have any further questions down the line please don't hesitate to ask.
 
  

