* using iptables to route between public networks
@ 2003-12-23  4:30 Matthew Simpson
  2003-12-23 10:53 ` Chris Brenton
  0 siblings, 1 reply; 7+ messages in thread
From: Matthew Simpson @ 2003-12-23  4:30 UTC (permalink / raw)
  To: netfilter

I'm having trouble adjusting to using iptables instead of Cisco IOS.

I have a "router" linux box with a very simple ruleset; I'm accepting on the
INPUT, OUTPUT, and FORWARD chains.

I have two ethernet cards in this box.  One card has a public IP going to my
internet provider [255.255.255.252 subnet].  The other card also has a
public IP that is routed to me by my Internet provider [255.255.255.240
subnet].

Right now with my simple ruleset, packets forward properly.  If I ping a box
that is connected behind the "router", it works.  If I change the FORWARD
accept policy to deny the packets, then it quits working.

My first question, however... if I do a traceroute to a box connected behind
the router, the "router" interface IP address does not show up in the
traceroute.  It skips directly from my internet provider's gateway address
to the final destination address.  Why?  How can I make my router IP show up
in the traceroute?

Second question, it's not a good idea to blindly forward all packets is it?
I tried to set up an append rule to the FORWARD chain to drop all packets
that did not have a destination of $myiprange/28, but iptables seems to
ignore the rule [it doesn't work and it doesn't show up in an iptables -L]
Unless forwarding all packets is okay, what should I do to fix this?

Thanks,
Matthew



* Re: using iptables to route between public networks
@ 2003-12-23  9:09 Antony Stone
From: Antony Stone @ 2003-12-23  9:09 UTC (permalink / raw)
  To: netfilter

On Tuesday 23 December 2003 4:30 am, Matthew Simpson wrote:

> I have a "router" linux box with a very simple ruleset, I'm accepting
> INPUT, OUTPUT, and FORWARD chains.

Firstly, please make sure you understand what each of these three chains is
for:

INPUT is *only* for packets addressed to the firewall - *not* for packets
going through it to somewhere else.

FORWARD is *only* for packets being routed through the firewall - nothing to
do with packets addressed to or from the firewall itself.

OUTPUT is *only* for packets being sent from the firewall itself - *not* for
packets being routed through it from somewhere else.

Sorry if you realise this already - I don't mean to teach you something you
already know - but it is a common mistake for people to make and I think it's
worth repeating, for other newbies on the list, if nothing else.

> I have two ethernet cards in this box.  One card has a public IP going to
> my internet provider [255.255.255.252 subnet].  The other card also has a
> public IP that is routed to me by my Internet provider [255.255.255.240
> subnet].
>
> Right now with my simple ruleset, packets forward properly.  If I ping a
> box that is connected behind the "router", it works.  If I change the
> FORWARD accept policy to deny the packets, then it quits working.

Sounds good so far.

> My first question, however... if I do a traceroute to a box connected
> behind the router, the "router" interface IP address does not show up in
> the traceroute.  It skips directly from my internet provider's gateway
> address to the final destination address.  Why?  How can I make my router
> IP show up in the traceroute?

This sounds like something strange happening to the TTL field, but I cannot
imagine why.   When you say it skips straight from the ISP gateway address to
the final destination, do you mean those are on consecutive lines of output
from traceroute, or is there a line of " * * * " in between them?

> Second question, it's not a good idea to blindly forward all packets is it?

No :)   That's what netfilter is for - otherwise we'd all just use plain
routers with no firewalling rules to block stuff.

> I tried to set up an append rule to the FORWARD chain to drop all packets
> that did not have a destination of $myiprange/28, but iptables seems to
> ignore the rule [it doesn't work and it doesn't show up in an iptables -L]
> Unless forwarding all packets is okay, what should I do to fix this?

Tell us what rule you tried to put in (post the command you used to try and
enter it), and tell us any response which came back after you typed it.   It
might also be helpful to tell us what distro you're using, what version,
which kernel, and which version of netfilter.

Regards,

Antony.

--
How I want a drink, alcoholic of course, after the heavy chapters involving
quantum mechanics.

 - 3.14159265358979
                                                     Please reply to the list;
                                                           please don't CC me.



* Re: using iptables to route between public networks
@ 2003-12-23 15:32 Matthew Simpson
From: Matthew Simpson @ 2003-12-23 15:32 UTC (permalink / raw)
  To: netfilter

Subject: Re: using iptables to route between public networks
From: Chris Brenton <cbrenton@chrisbrenton.org>
To: Matthew Simpson <matthew@txlink.net>
Cc: netfilter@lists.netfilter.org
Date: Tue, 23 Dec 2003 05:53:41 -0500

On Mon, 2003-12-22 at 23:30, Matthew Simpson wrote:
>
> I have two ethernet cards in this box.  One card has a public IP going to
> my internet provider [255.255.255.252 subnet].  The other card also has a
> public IP that is routed to me by my Internet provider [255.255.255.240
> subnet].

<snip>

>> My first question, however... if I do a traceroute to a box connected
>> behind the router, the "router" interface IP address does not show up in
>> the traceroute.  It skips directly from my internet provider's gateway
>> address to the final destination address.  Why?

>If everything is configured correctly it should, although most people
>would consider this a "feature" as they deny inbound trace attempts.

>If it does actually skip from your provider to the internal address,
>there are a couple of possibilities:
>1) The Linux box is in bridging mode
>2) Your subnet address space overlaps

>If in between your provider's IP and the internal system is a line that
>shows three *'s or three characters preceded by an exclamation point, the
>Linux box is filtering this traffic.

There are no *'s.

To be more specific about my configuration [I'm going to munge the IP
Addresses a little here since they are public, but the subnets, etc will be
correct],

I have the ethernet cable from my bandwidth provider with ip address
216.190.34.38 [my side] and 216.190.34.37 [bandwidth provider's side -- 
gateway] with subnet 255.255.255.252 plugged into eth1.

My provider is routing 209.210.10.0/24 to me.  I have eth0 set up with
209.210.10.1 subnet 255.255.255.240 [I'm not using the whole class C as of
now].

I have done no config except for I have the FORWARD chain set to accept
packets.  I have 209.210.10.1 as the gateway on the machines behind the
router.

>Possibilities:
>1) An OUTBOUND iptables filter rule
>2) A sysctl setting has been changed

>> Second question, it's not a good idea to blindly forward all packets is
>> it?

>Absolutely not. The whole purpose of a firewall is to let through only
>what you understand and expect to receive.

I'm not really trying to firewall, I'm just trying to route.  :-)   I just
want to make sure I'm not enabling someone to use my router box as a jump
point to attack someone else.  I know that was a problem back in the day if
one set up masquerade incorrectly.

>> I tried to set up an append rule to the FORWARD chain to drop all packets
>> that did not have a destination of $myiprange/28, but iptables seems to
>> ignore the rule

>Can we see the exact syntax of the rule that you entered?

I must have been doing something stupid last night, because I retried it
this morning and it works.  Here is what I have for the forward chain:

$IPTABLES -A FORWARD -d 209.210.10.1/28 -j ACCEPT
$IPTABLES -A FORWARD -d ! 209.210.10.1/28 -j DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD

This works.

>> [it doesn't work and it doesn't show up in an iptables -L]
>> Unless forwarding all packets is okay, what should I do to fix this?

>You probably already know this, so maybe it's just a language thing, but
>there is a whole lot more you want to block besides packets not headed
>to your internal IP address space. Think about what services you actually
>have a need for letting people access from the Internet (mail server,
>Web server, etc.) and block access to everything else. There is a whole
>lot more you can do, but this will get you started in the right
>direction.

In this case, I need all the machines to be open.  I'm eventually going to
use the router to police and account for bandwidth usage, but I will be
blocking precious little.  All the services running on the machines behind
the router need to be publicly accessible.

>HTH,
>C

thanks,
Matthew



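As an added example (not code from Matthew's or Chris's messages), here is how an editor would write the FORWARD ruleset for the two-NIC router described in this thread, so that it actually ends up in the kernel: `iptables -F` must run before the rules are appended, not after, or it empties the chain again. The interface names and the 209.210.10.0/28 block are taken from the thread; the DROP policy, the egress `-s` rule (which stops the box relaying traffic not sourced from the routed block), the LOG rule and the `check_order` helper are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# eth1 = provider link (216.190.34.38/30), eth0 = the routed block.
# iptables masks host bits, so -d 209.210.10.1/28 is stored as
# 209.210.10.0/28; the network address is used here for clarity.
IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-209.210.10.0/28}"

# Emit the commands in the order they must run: flush, then policy,
# then the accept rules, then a LOG rule so policy drops leave a trace.
forward_rules() {
    cat <<EOF
$IPTABLES -F FORWARD
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
$IPTABLES -A FORWARD -j LOG --log-prefix "FWD-DROP: "
EOF
}

# Sanity check before applying: the flush must be the first command and
# must not appear anywhere later (a trailing -F wipes the rules just added).
# Returns 0 when the ordering is safe.
check_order() {
    forward_rules | awk '
        NR == 1 && $2 != "-F" { bad = 1 }
        NR > 1  && $2 == "-F" { bad = 1 }
        END { exit bad }'
}

# Apply the ruleset only if the ordering check passes (needs root).
apply_forward_rules() {
    check_order || { echo "refusing: flush is not the first command" >&2; return 1; }
    forward_rules | sh -e
}
```

Run `forward_rules` to review the commands, then `apply_forward_rules` as root; `iptables -S FORWARD` afterwards should list all four rules under a DROP policy.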
* Re: using iptables to route between public networks
@ 2003-12-23 17:24 Matthew Simpson
From: Matthew Simpson @ 2003-12-23 17:24 UTC (permalink / raw)
  To: netfilter

Thanks for all the help everyone.  I have it figured out, now.  Chris
Brenton clued me in to my major error and everything is working properly,
now.

- Matthew


