Fw: iptables - if you can find the time, I am stuck

["Oskar Andreasson" <blueflux@koffein.net>]

[-- Attachment #1: Type: text/plain, Size: 1681 bytes --]

Hi everyone,

Sorry to say, but I am simply too swamped to even read through this. 

CC maltec@tiscali.dk since he is not on the list.

Have a nice day,

Oskar Andreasson
http://iptables-tutorial.haringstad.com
http://people.unix-fu.org/andreasson/
mailto: blueflux@koffein.net

----- Original Message ----- 
From: <maltec@tiscali.dk>
To: <blueflux@koffein.net>
Sent: Wednesday, June 12, 2002 5:55 PM
Subject: iptables - if you can find the time, I am stuck


Oskar,

I appreciated your iptables tutorial, but I am probably too dense
to glean the right amount of knowledge from it.
My setup:
router external ip 213.237.89.99
internal address (gateway) 192.168.1.1
My machine (RH Advanced Server) 192.168.1.2, netmask 255.255.255.0

I wish to allow ports 80, 8888, 8080, ssh, dcc
from outside, but almost anything coming IN from 192.168.1.2-10

Likewise, I wish to allow almost anything going OUT to the Internet.

I have but one ethernet card, eth0 and am running ADSL through a Cisco 677
router.

My previous firewall, SuSE 8.0) worked like a charm, but I decided to try
Red Hat Linux Advanced Server, which uses ipchains as a default. I dropped
that and now want to use iptables, but the following iptables script prevents
me from accessing the Internet from my machine!

I'd appreciate any assistance you can provide, even rejection if you do
not have the time or inclination. I am busy myself ;-)

I attach my script, which deviates very little from your example.

Best Regards,

Malte Christensen
Med venlig hilsen
Best Regards,
Mit freundlichen/herzlichen Gruesse

N. Malte Christensen

http://www.maltec.linux.dk



[-- Attachment #2: iptables_malte.dat --]
[-- Type: application/octet-stream, Size: 6327 bytes --]


#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: Oskar Andreasson &lt;blueflux@koffein.net&gt;
# (c) of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com
#

###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.

#
# your LAN's IP range and localhost IP. /24 means to only use the first 24 
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now but it's stil
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)

LAN_IP="192.168.1.2"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth0"

LO_IFACE="lo"
LO_IP="127.0.0.1"

INET_IP="213.237.89.99"
INET_IFACE="eth0"

IPTABLES="/sbin/iptables"

#########
# Load all required IPTables modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG and MASQUARADE.
#
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#########
#
# Enable ip_forward, this is critical since it is turned off as default in 
# Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#########
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPT FORWARD New not syn:"
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#########
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# Create chain for bad tcp packets
# 
$IPTABLES -N bad_tcp_packets

#########
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# bad_tcp_packets chain
# $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j LOG --log-prefix "IPT tcp_packets :"
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1810 -j allowed

#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 25 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#########
#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's 
#
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.1.0/16 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#########
#
# INPUT chain
#
# Take care of bad TCP packets that we don't want
#
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPT INPUT New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#
# Rules for incoming packets from the internet
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPT OUTPUT New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j LOG --log-prefix "IPT OUTPUT $INET_IP: "
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "