LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-21-2009, 01:01 AM   #1
inmerv
LQ Newbie
 
Registered: Jul 2009
Posts: 2

Iptables with policy DROP! Omg!


Hi guys, first, sorry for my bad English; that's because I'm from Venezuela!

I'm trying to build a firewall with the INPUT, OUTPUT and FORWARD policies set to DROP, but I'm a kid in Linux, so... I already read too many man pages and --help outputs and bla bla bla, and I think all I read is nice, but but but! I've got 2 NICs: eth0 (internet) and eth1 (LAN), my LAN is 192.168.0.0/24... my firewall also runs squid and serves DNS for the LAN... with the policies set to ACCEPT everything works fine, but I want to test with the policies set to DROP; with DROP, my firewall has a normal connection, but my LAN has nothing.... So I'm asking if somebody can help me... here is my script:
Code:
#!/bin/sh

iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

iptables -A INPUT -s 200.44.32.12 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -d 200.44.32.12 -p udp -m udp --dport 53 -j ACCEPT

iptables -A INPUT -s 200.11.248.12 -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -d 200.11.248.12 -p udp -m udp --dport 53 -j ACCEPT

iptables -A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT

iptables -A OUTPUT -s 192.168.0.0/24 -p icmp -j ACCEPT

iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/24 -d ! 192.168.0.0/24 -p tcp --dport 80 -$

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

iptables -A FORWARD -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE

iptables -t nat -A POSTROUTING -o tap+ -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --sport 1194 --dport 1194 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --sport 1194 --dport 1194 -j ACCEPT
iptables -A INPUT -i tap+ -p all -j ACCEPT
iptables -A OUTPUT -o tap+ -p all -j ACCEPT
So guys... there are no rules here that let my LAN get internet..., so can somebody help me with this? I just need the PCs in my LAN to be able to get DNS from my firewall and get internet (80 and 443) through my firewall... thanks for any reply.

Last edited by win32sux; 08-21-2009 at 09:26 PM. Reason: Added CODE tags and removed non-English content.
 
Old 08-21-2009, 01:17 AM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

I see several weird things (which we could discuss later), but I think this is the root cause of the problem:
Quote:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
I would eliminate that command and then re-execute the script.

BTW, I've removed the non-English content from your post in order to have it comply with the LQ Rules.

Last edited by win32sux; 08-21-2009 at 09:28 PM.
 
Old 08-28-2009, 04:44 AM   #3
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

I'll help out with some of the filtering. I noticed you're trying to allow for return traffic in your rules.

Proper use of the Related/Established states makes writing rules easy and keeps your config clean and easy to read.

Here's what I'd suggest to clean it up:

Immediately after your "allow anything on the loopback" stuff, use these to quickly get the packets off the stack and free up the CPU:

Code:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Then, all you have to do is match the in or outbound packet and forget about the return traffic. For instance:

Code:
#Allow inbound service requests
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 1194 -j ACCEPT


#Allow outbound service requests
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d 200.44.32.12 -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -d 200.11.248.12 -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 1194 -j ACCEPT
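A complete stateful ruleset for the setup described in this thread, written here as an added example rather than the original poster's script or the snippet above. It assumes the interfaces and LAN from the first post (eth0 = Internet, eth1 = LAN 192.168.0.0/24), assumes squid listens on port 3128 (the redirect target was cut off in the original post, so 3128 is a placeholder), and keeps the two resolver addresses and the OpenVPN rules from the thread. The point it adds to the advice above: under an OUTPUT policy of DROP, the firewall's own DNS and squid services can only answer LAN clients if their replies are matched, and one ESTABLISHED rule in OUTPUT does that for every service without per-port --sport rules. By default the script only prints the commands; set IPT=iptables and run it as root to load them.

```shell
#!/bin/sh
# Added example, not the thread's own script. Dry-run by default: IPT="echo iptables"
# prints every command so the ruleset can be reviewed before it is loaded.
IPT="${IPT:-echo iptables}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.0.0/24
SQUID_PORT=3128                           # assumed squid listener (placeholder)
DNS_SERVERS="200.44.32.12 200.11.248.12"  # resolvers from the original post

gen_firewall() {
    # Flush all tables and start from default-deny in the filter table.
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
        $IPT -t $t -Z
    done
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback first.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful rules in all three chains. The OUTPUT one is what lets the
    # firewall's own DNS and squid answer LAN clients: those replies belong
    # to connections the LAN opened, so no --sport rule per service is needed.
    for c in INPUT OUTPUT FORWARD; do
        $IPT -A $c -m state --state RELATED,ESTABLISHED -j ACCEPT
    done
    for c in INPUT FORWARD; do
        $IPT -A $c -m state --state INVALID -j DROP
    done

    # Services the LAN may open on the firewall itself. Binding each rule to
    # the LAN interface AND the LAN subnet keeps spoofed LAN addresses on eth0 out.
    $IPT -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
    $IPT -A INPUT -i $LAN -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
    # OpenVPN, as in the original script.
    $IPT -A INPUT -i $WAN -p udp --dport 1194 -j ACCEPT
    $IPT -A INPUT -i tap+ -j ACCEPT

    # New connections the firewall itself may open: squid fetches, resolver queries, VPN.
    $IPT -A OUTPUT -o $WAN -p tcp -m multiport --dports 80,443 -j ACCEPT
    for s in $DNS_SERVERS; do
        $IPT -A OUTPUT -o $WAN -d $s -p udp --dport 53 -j ACCEPT
    done
    $IPT -A OUTPUT -o $WAN -p udp --dport 1194 -j ACCEPT
    $IPT -A OUTPUT -o tap+ -j ACCEPT
    $IPT -A OUTPUT -p icmp -j ACCEPT

    # Transparent proxy: LAN web traffic is handed to squid instead of forwarded.
    $IPT -t nat -A PREROUTING -i $LAN -s $LAN_NET ! -d $LAN_NET -p tcp --dport 80 \
        -j REDIRECT --to-ports $SQUID_PORT
    # Everything else the LAN may reach directly goes out eth0 only, NATed there.
    # No MASQUERADE on the LAN interface.
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -p icmp -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
}

enable_forwarding() {
    if [ "$IPT" = iptables ]; then
        sysctl -w net.ipv4.ip_forward=1
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
}

gen_firewall
enable_forwarding
```

After loading for real, `iptables -L -v -n` shows a packet counter next to each chain's policy line; if the OUTPUT policy counter climbs while a LAN host waits for a DNS answer, a locally generated reply is being dropped and the stateful rule is missing or ordered too late. `iptables-save` prints the loaded set in a form that can be diffed against the dry-run output above.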
 
Old 08-28-2009, 10:03 AM   #4
inmerv
LQ Newbie
 
Registered: Jul 2009
Posts: 2

Original Poster
Hi

Hi guys, when I get back home I will test your help! After that I'll reply again!
All times are GMT -5.