iptables

rahmtech · 10-17-2010, 12:16 PM

I know this is an old post, but here it is 2010 and I cant seem to find any answer (that i understand) anywhere on google.

Is there a way to specify multiple src ips? I am filtering the internet for the safety of my kids, but I need to bypass that filter for my computer, my xbox and my server.

This is the current rule that allows my xbox to bypass the filter, but no matter what I have tried, I cant seem to specify more than 1 ip without having to specify an entire subnet.

iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 ! -s 172.21.27.20 -j REDIRECT --to-ports 8080

If anyone has any advice, it would be greatly appreciated.

win32sux · 10-17-2010, 08:18 PM

I've moved your post to a thread of its own. Please don't resurrect dead threads unless it's absolutely necessary. With regards to your question, AFAIK things haven't changed (there isn't a multiple IP match). In other words (assuming I'm right), you're gonna have to use individual rules for your PC, Xbox, and server. It's just a matter of sending packets with those source addresses to ACCEPT, before they can get sent to REDIRECT. For example (using three hypothetical IPs for your non-filtered boxes):

Code:

iptables -t nat -A PREROUTING -i $INTIF -s 172.21.27.20 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTIF -s 172.21.27.21 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTIF -s 172.21.27.22 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTIF -p TCP --dport 80 -j REDIRECT --to-ports 8080

EDIT: Just wanted to add that there's also a way to do this with IP ranges (it's still not the same as being able to specify multiple IPs in a single rule, though). This would, of course, require your three IPs to be contiguous. Example:

Code:

iptables -t nat -A PREROUTING -i $INTIF -m iprange --src-range 172.21.27.20-172.21.27.22 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTIF -p TCP --dport 80 -j REDIRECT --to-ports 8080

You could even boil it down to a single rule by using an inverse match, like:

Code:

iptables -t nat -A PREROUTING -i $INTIF -m iprange ! --src-range 172.21.27.20-172.21.27.22 \
-p TCP --dport 80 -j REDIRECT --to-ports 8080

rahmtech · 10-22-2010, 06:02 PM

win32sux,

Sorry about the resurrection. Thank you very much for such a quick reply. I will check this out and post results.

rahmtech · 10-22-2010, 07:02 PM

For some strange reason when I use any of the 3 rules you have supplied, everyone is able to surf the internet but the iprange supplied.

Single Address = Single address surfs freely (80), everyone else surfs filtered (8080). (old rule)
Multiple Addresses = Multiple addresses no longer surf (80), everyone else surfs filtered (8080). (any of 3 new rules)

Its obviously doing something, but almost like its dropping the iprange and continuing to forward everyone else.

win32sux · 10-22-2010, 08:12 PM

Please post the output of:

Code:

iptables -nvL FORWARD

Code:

iptables -nvL -t nat

rahmtech · 10-22-2010, 08:34 PM

This output is after your first (4 line) ruleset was applied

172.21.27.4 = My Desktop
172.21.27.6 = Nix Web/SSH Server (Not the system these rules are hosted on)
172.21.27.20 = Xbox

Code:

root@server:/etc# iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            172.21.27.6         tcp dpt:80
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 LOG flags 0 level 4 prefix `Incoming SSH Connection: '
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            172.21.27.6         tcp dpt:22
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            172.21.27.20        tcp dpt:88
    0     0 ACCEPT     udp  --  eth2   *       0.0.0.0/0            172.21.27.20        udp dpt:88
    0     0 ACCEPT     udp  --  eth2   *       0.0.0.0/0            172.21.27.20        udp dpt:3074
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            172.21.27.20        tcp dpt:3074
    2   124 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0
    1   116 ACCEPT     all  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:65535
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:7
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:113
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:22
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:80
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:443
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:21
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Code:

root@server:/etc# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 15999 packets, 2010K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   *       172.21.27.4          0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       172.21.27.6          0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       172.21.27.20         0.0.0.0/0
    0     0 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080
    0     0 DNAT       tcp  --  eth2   *       0.0.0.0/0            xx.xxx.175.56       tcp dpt:80 to:172.21.27.6:80
    0     0 DNAT       tcp  --  eth2   *       0.0.0.0/0            xx.xxx.175.56       tcp dpt:22 to:172.21.27.6:22
    0     0 DNAT       tcp  --  eth2   *       0.0.0.0/0            xx.xxx.175.56       tcp dpt:88 to:172.21.27.20:88
    0     0 DNAT       udp  --  eth2   *       0.0.0.0/0            xx.xxx.175.56       udp dpt:88 to:172.21.27.20:88
    0     0 DNAT       udp  --  eth2   *       0.0.0.0/0            xx.xxx.175.56       udp dpt:3074 to:172.21.27.20:3074
    0     0 DNAT       tcp  --  eth2   *       0.0.0.0/0            xx.xxx.175.56       tcp dpt:3074 to:172.21.27.20:3074

Chain POSTROUTING (policy ACCEPT 7031 packets, 423K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    2   656 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 23355 packets, 2138K bytes)
 pkts bytes target     prot opt in     out     source               destination

I've obfuscated your real IP address, which was present in your output. --win32sux

win32sux · 10-22-2010, 10:36 PM

I'm not sure what's going on. I mean, it looks to me as if it should work as it is.

Quote:

Code:

Chain PREROUTING (policy ACCEPT 15999 packets, 2010K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   *       172.21.27.4          0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       172.21.27.6          0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       172.21.27.20         0.0.0.0/0
    0     0 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

These rules make it so that any packet with a source address of 172.21.27.4, 172.21.27.6, or 172.21.27.20 gets sent to ACCEPT right away, so that it can be dealt with in the FORWARD chain. In the FORWARD chain, the first rule which this packet would match is:

Quote:

Code:

2   124 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0

...which sends the packet to ACCEPT. Then, the packet gets its source address edited in the POSTROUTING chain:

Quote:

Code:

Chain POSTROUTING (policy ACCEPT 7031 packets, 423K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

...and it's on its final journey out to the WAN.

If that packet had a source address which didn't match either of those three IPs, and it had a destination port of 80/TCP, then it would match the REDIRECT rule and as such would be intercepted. There must be something I'm missing here, because like I said, I'm not sure why this wouldn't work as it is.

I'd suggest adding some LOG rules to get a better idea of what's happening.

rahmtech · 10-23-2010, 06:41 AM

Thanks for the address change. I wasn't concerned. Its dynamic anyway.

I'm glad that I'm not the only one looking at these rules, scratching my head and thinking. they should work. they should. haha

I will continue working this out and if I ever find a work around, Ill be sure to post it. Thanks for all your assistance win32sux.

win32sux · 10-23-2010, 07:55 AM

I put together this script for you. It basically gives you a clean slate, without touching your INPUT or OUTPUT chains. Maybe you can run your tests after running this script and see if anything changes? If not, something should show up in the log file, as all filtered packets get logged in this setup. Here it is:

Code:

#!/bin/sh

IPT="/sbin/iptables"

PC="172.21.27.4"
XBOX="172.21.27.20"
SERVER="172.21.27.6"

LAN_IFACE="eth1"
WAN_IFACE="eth2"

$IPT -P FORWARD DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F FORWARD
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -Z FORWARD
$IPT -Z -t nat
$IPT -Z -t mangle
$IPT -Z -t raw

$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $PC -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $XBOX -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $SERVER -m state --state NEW -j ACCEPT
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

$IPT -t nat -A PREROUTING -i $LAN_IFACE -s $PC -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN_IFACE -s $XBOX -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN_IFACE -s $SERVER -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN_IFACE -p TCP --dport 80 -j REDIRECT --to-ports 8080

$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

rahmtech · 10-26-2010, 12:33 PM

Thanks a lot win32sux. I really wasnt expecting anyone to put that much effort into it. I havent been ignoring you, just really busy right now. As soon as I get a chance, I will get back on this iptables issue and try out your script.

Thanks again. You have been a great help.

win32sux · 10-26-2010, 08:11 PM

You're very welcome. I look forward to us getting this figured out!

rahmtech · 10-30-2010, 10:15 AM

Alright win32sux,

I had a few minutes to try your script. It errored out on me, but I dont have time to troubleshoot it right now. I have a work around that is getting me by for now. I have basically created 3 firewall.sh scripts. 1 for each system (ip). When I need a specific system to not go through 8080, i run the specific firewall.sh script for that system. I know its cheesy, but its working for now until I get time to continue troubleshooting it.

The only one that is a must for now is the xbox. It has to bypass filter for live to work. There is no internet surfing on the server and my personal computer, I can deal with until the issue is resolved.

Your script returned the

Bad argument try iptables -h for help error. I will be sure to update you with any findings or an updated script.

rahmtech · 10-30-2010, 10:20 AM

ignore that last post. I made a mistake when pasting your script. Sorry for the premature post.

rahmtech · 10-30-2010, 10:39 AM

I did try your script, but after running it the 3 computers (atleast the one I am on) quit accessing the internet all together.

Everything looks like it should work.

Logs show my src (client) and destination (linux proxy server) port 80, but no drops,etc.

I have some ideas/steps to help troubleshoot. I will post my findings...

win32sux · 11-10-2010, 08:21 PM

Hi, rahmtech! Just wondering if you've made any progress on this.