LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-27-2006, 05:02 PM   #1
Kanon
Member
 
Registered: Sep 2004
Location: Norge
Distribution: Debian
Posts: 116

Rep: Reputation: 15
Problems with IPtables on Debian


Iv been sitting here for the last few days and cant seem to get hang of the iptables stuff.
How can I open port 80 to the web server whos on another box on the lan? I'v tried a zillion things but nothing works. All i found so far either old or for different distro and...well Iam about to give it up. Running fresh install of Debian with no gui btw.
And how come port 22 is open? I thought I closed it.

Code:
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j DROP 
iptables -A FORWARD -p tcp -s 192.168.0.0/24 -i eth0 -j DROP
iptables -A FORWARD -p udp -s 192.168.0.0/24 -i eth0 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 12-27-2006, 05:34 PM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Kanon

If you want to redirect traffic to another box - port 80 on another box, you need to use

PREROUTING and DNAT.

iptables -A FORWARD -i eth0 -d <ip of webserver> -j ACCEPT
iptables -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-dest <IP of webserver>:80

You have only closed ssh traffic going out.

iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

will close port 22 to incoming traffic on eth0. the OUTPUT rule for port 22 is not necessary.

Suggest you start your rules with

iptables -P INPUT DROP
iptables -P FORWARD DROP

This will enforce the default deny stance, effectively seals your system.

Last edited by ppuru; 12-27-2006 at 05:38 PM.
 
Old 12-27-2006, 05:35 PM   #3
rickh
Senior Member
 
Registered: May 2004
Location: Albuquerque, NM USA
Distribution: Debian-Lenny/Sid 32/64 Desktop: Generic AMD64-EVGA 680i Laptop: Generic Intel SIS-AC97
Posts: 4,250

Rep: Reputation: 62
Working with iptables is an art as well as a science. Do you have to do it manually? Firestarter is an easy and fairly secure GUI. Shorewall or some other front-end for iptables is easier and as secure as you want to make it.
 
Old 12-27-2006, 06:00 PM   #4
Jaqui
Member
 
Registered: Jan 2006
Location: Vancouver BC
Distribution: LFS, SLak, Gentoo, Debian
Posts: 291

Rep: Reputation: 36
Quote:
Originally Posted by rickh
Working with iptables is an art as well as a science. Do you have to do it manually? Firestarter is an easy and fairly secure GUI. Shorewall or some other front-end for iptables is easier and as secure as you want to make it.
true enough, but the op did state that this is a cli only box he is working on, so not really a viable option.
 
Old 12-28-2006, 12:55 AM   #5
Kanon
Member
 
Registered: Sep 2004
Location: Norge
Distribution: Debian
Posts: 116

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by ppuru
Kanon

If you want to redirect traffic to another box - port 80 on another box, you need to use

PREROUTING and DNAT.

iptables -A FORWARD -i eth0 -d <ip of webserver> -j ACCEPT
iptables -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-dest <IP of webserver>:80

You have only closed ssh traffic going out.

iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

will close port 22 to incoming traffic on eth0. the OUTPUT rule for port 22 is not necessary.

Suggest you start your rules with

iptables -P INPUT DROP
iptables -P FORWARD DROP

This will enforce the default deny stance, effectively seals your system.
Nice! ssh port is now closed.
But I dont have PREROUTING. How do I add the file/filter? Im assuming its going into the netfilter.

Thanks for the solution to port 22!
 
Old 12-28-2006, 08:43 AM   #6
sarajevo
Member
 
Registered: Apr 2005
Distribution: Debian, OpenBSD,Fedora,RedHat
Posts: 228
Blog Entries: 1

Rep: Reputation: 31
Quote:
Originally Posted by Kanon
Nice! ssh port is now closed.
But I dont have PREROUTING. How do I add the file/filter? Im assuming its going into the netfilter.

Thanks for the solution to port 22!
I think solution before will solve problem related to forwarding.
But you have to put

echo 1 >/proc/sys/net/ipv4/ip_forward

in order to make your machine able to forward packets.
Just put this as last line inside your script

Regards and best wishes

 
Old 12-28-2006, 09:28 AM   #7
Kanon
Member
 
Registered: Sep 2004
Location: Norge
Distribution: Debian
Posts: 116

Original Poster
Rep: Reputation: 15
I got "echo 1 >/proc/sys/net/ipv4/ip_forward" as the last line. But I get "Unable to connect" in my browser. And I get ann error:

Code:
bound to my.static.ip.10 -- renewal in 10800 seconds.
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
done.
if I remove or comment out the PREROUTING line I get no error. And no access to the web server; "Unable to connect".

Thanks for helping me out here every one!
 
Old 12-28-2006, 12:23 PM   #8
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
My sincere apologies Kanon

the prerouting line should be

iptables -t nat -A PREROUTING ...
 
Old 12-28-2006, 02:23 PM   #9
Kanon
Member
 
Registered: Sep 2004
Location: Norge
Distribution: Debian
Posts: 116

Original Poster
Rep: Reputation: 15
W00T!! I got no hair left now!! Just kidding

Ok, now its kinda working. Well, that is the port is open, but clients dont get any pages from the web server.

This is my iptables now:

Code:
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

#iptables -P INPUT DROP
#iptables -P FORWARD DROP

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -s the.bad.guy.ip -j DROP
iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
#iptables -A FORWARD -p tcp -s 192.168.0.0/24 -i eth0 -j DROP
#iptables -A FORWARD -p udp -s 192.168.0.0/24 -i eth0 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -d 192.168.0.120 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-dest 192.168.0.120:80
iptables -A FORWARD -i eth0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Now, I can connect to the web server from the inside with no problem. But not from the outside. And I can get out from the web server (Lynx) with no problem.
Can any one see any problems with the table? Think Im going iptables-blind :P
 
Old 12-28-2006, 02:48 PM   #10
timdsmith
Member
 
Registered: Nov 2003
Location: The Colony, TX
Distribution: Slackware, Debian Etch, FreeBSD, MicroSh*t free.
Posts: 209

Rep: Reputation: 30
Try changing this line, the one right before your PREROUTING line
Code:
iptables -A FORWARD -i eth0 -d 192.168.0.120 -j ACCEPT
to this:
Code:
iptables -A FORWARD -p tcp -d 192.168.0.120 --dport 80 -j ACCEPT
And you may also need this line before those two...
Code:
iptables -A INPUT -p tcp -i eth0 -s 0.0.0.0/0 --dport 80 -j ACCEPT
 
Old 12-28-2006, 05:06 PM   #11
Kanon
Member
 
Registered: Sep 2004
Location: Norge
Distribution: Debian
Posts: 116

Original Poster
Rep: Reputation: 15
Hmm Did not help any. How can I check to see if the gw establishes connection at all between the machines?
 
Old 12-28-2006, 05:52 PM   #12
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908Reputation: 908Reputation: 908Reputation: 908Reputation: 908Reputation: 908Reputation: 908Reputation: 908
It appears that you are trying to build a firewall to protect a home network on a DSL connection. May I suggest the nicely tailored setup HomeLANSecurity, which is easy to figure out & easy to add stuff for your specific purposes. It just makes a lot of sense to me, to use a mature configuration, in which someone has paid a lot of attention to details, and has had the benefit of many previous users' input. You can still modify it to your specification, in case it doesn't do everything you want (ie. hacking is encouragead).

--- rod.
 
Old 12-28-2006, 05:57 PM   #13
Kanon
Member
 
Registered: Sep 2004
Location: Norge
Distribution: Debian
Posts: 116

Original Poster
Rep: Reputation: 15
Yeah, looks good. And its cli too!
I'll have a go at it after a few hours of sleep

Thanks all, for all the help!!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Debian iptables kingcomein Debian 4 10-31-2005 10:17 PM
Debian iptables kingcomein Linux - Networking 6 10-26-2005 06:20 AM
iptables on Debian ujotne Linux - Security 4 09-16-2005 07:36 PM
Debian - IPTABLES czezz Linux - Security 6 06-20-2005 05:07 AM
debian and iptables? banana2 Linux - Security 5 01-12-2003 09:35 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:07 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration