* Curious problem with my iptable rules.....detailed post inside, help appreciated.
@ 2004-04-16 23:35 Krunk
  2004-04-17 19:09 ` Rob Sterenborg
  0 siblings, 1 reply; 7+ messages in thread
From: Krunk @ 2004-04-16 23:35 UTC (permalink / raw)
  To: netfilter

Setup: 
I have one external NIC (ppp0) and two internal NICs (eth1, eth2). I
also have two rule sets: the first a bare minimum "get it up and going
script" I used for testing, and my main rule set. 

Problem: 
After a fresh start-up, if I initialize my basic rule set everything
works perfectly. If I then initialize my main rule set (which deletes
all chains and flushes all rules) it still works perfectly. However, if I
initialize my main script first, eth1 can access the internet, but eth2
cannot. All internal connections are still up; everyone can ping everyone
else, etc., etc. Even odder is that if I clear all rules and policies and
delete all chains, then load the bare minimum script, it doesn't work
either. The only thing I've found is to do a hard reboot (which makes me
get that funny feeling like I've done something sacrilegious, hehe),
load the minimum and then load the main script. 

I would very much appreciate if anyone could troubleshoot my scripts. 

Thanks in advance.

#######Begin minimum script ########
#!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='ppp0'
INTIF1='eth1'
INTIF2='eth2'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains (filter table only)
iptables -F
iptables -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

########Begin Main Script########
#!/bin/bash
# rc.fwsoho: SOHO IP Tables rule set
# Copyright 2003 Bob Toxen.  All rights reserved.
# See book "Real World Linux Security 2nd ed" for terms of use

# uncomment to output all commands executed
#set -v

# External interface
EXTIF=ppp0
# Internal interfaces
INTIF1=eth1
INTIF2=eth2

# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'

# Last but not least, the users

# Deny then accept: this keeps holes from opening up
# while we close ports and such

$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP

$IPT -t nat -P PREROUTING  DROP
$IPT -t nat -P POSTROUTING DROP
$IPT -t nat -P OUTPUT      DROP

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done

for i in $CHAINS;
do
    $IPT -t $i -X
done

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done

echo 1 > /proc/sys/net/ipv4/ip_forward


# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose


# Setting up environment variables for internal interface one
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"

# Setting up environment variables for internal interface two
INTIP2="`$IFC $INTIF2|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC2="`$IFC $INTIF2|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK2="`$IFC $INTIF2|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET2="$INTIP2/$INTMSK2"
echo "INTIP2=$INTIP2 INTBC2=$INTBC2 INTMSK2=$INTMSK2 INTNET2=$INTNET2"

#INITIP="$INTIP1 $INTIP2"
#INTBC="$INTBC1 $INTBC2"
#INTMSK="$INTMSK1 $INTMSK2"
#INTNET="$INTNET1 $INTNET2"

# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.

# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP

$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT

# Now we are going to accept all traffic from our loopback device
# if the IP matches any of our interfaces.

$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP1  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP2  -j ACCEPT

# Added to enable cups management: lo to lo communication
$IPT -A OUTPUT  -o $LPDIF -d $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s $LPDIP  -j ACCEPT

# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF   -d   $EXTBC     -j DROPl
$IPT -A INPUT   -i $INTIF1  -d   $INTBC1    -j DROPl
$IPT -A INPUT   -i $INTIF2  -d   $INTBC2    -j DROPl
$IPT -A OUTPUT  -o $EXTIF   -d   $EXTBC     -j DROPl
$IPT -A OUTPUT  -o $INTIF1  -d   $INTBC1    -j DROPl
$IPT -A OUTPUT  -o $INTIF2  -d   $INTBC2    -j DROPl
$IPT -A FORWARD -o $EXTIF   -d   $EXTBC     -j DROPl
$IPT -A FORWARD -o $INTIF1  -d   $INTBC1    -j DROPl
$IPT -A FORWARD -o $INTIF2  -d   $INTBC2    -j DROPl

# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input arriving on our external interface is not addressed to our
# ISP-assigned IP address, drop it like a hot potato"

$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl

# Now we will block internal addresses originating from anything but our
# two predefined interfaces.....just remember that if you jack your
# laptop or another pc into one of these NICs directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# for that IP as well

# Interface one/internal net one
$IPT -A INPUT   -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d ! $INTNET1 -j DROPl
$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl

# Interface two/internal net two
$IPT -A INPUT   -i $INTIF2 -s ! $INTNET2 -j DROPl
$IPT -A OUTPUT  -o $INTIF2 -d ! $INTNET2 -j DROPl
$IPT -A FORWARD -i $INTIF2 -s ! $INTNET2 -j DROPl
$IPT -A FORWARD -o $INTIF2 -d ! $INTNET2 -j DROPl

# An additional Egress check

$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl

# Block outbound ICMP (except for PING)

$IPT -A OUTPUT  -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl

# Common ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"

# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"

# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"

echo -n "FW: Blocking attacks to TCP port "
for i in $TCPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p tcp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp --dport $i  -j DROPl
done
echo ""

echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p udp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
  $IPT -A FORWARD -p udp --dport $i  -j DROPl
done
echo ""
# ftp and irc tracking
#MODULES="ip_nat_ftp ip_conntrack_ftp ip_conntrack_irc ip_nat_irc"
#for i in $MODULES;
#do
#  echo "Inserting module $i"
#  modprobe $i
#done

#iptables -A OUTPUT -p tcp --dport 873 -o $INTIF -i $EXTIF1 -j ACCEPT

# Defining some common chat clients and services. Remove these from your accepted list
# for better security.
IRC=ircd
MSN=1863
ICQ=5190
NFS="111 2049 32764 32765 32766 32767 32768 sunrpc"
RPCRQUOTAD=32764

# We have to sync!!
PORTAGE=rsync
OpenPGP_HTTP_Keyserver=11371
# 8000:8100--> Somafm streaming audio

# All services ports are read from /etc/services

TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver courier 8000:8100"
UDPSERV="domain time ntp"

echo -n "FW: Allowing inside systems to use service: "
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing inside systems to use service: "
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 \
        --dport $i -m state --state NEW -j ACCEPT
done
echo ""

# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF2 -p icmp -s $INTNET2 \
    --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow firewall to ping internal systems
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT  -o $INTIF2 -p icmp -s $INTNET2 \
    --icmp-type 8 -m state --state NEW -j ACCEPT

#$IPT -A INPUT   -i $EXTIF -p tcp --dport 22 \
#   --syn -m state --state NEW -j ACCEPT

# $IPT -A INPUT   -i $EXTIF -p tcp -s pentacorp.com/24  --dport 22 \
#   --syn -m state --state NEW -j ACCEPT
# $IPT -A INPUT   -i $EXTIF -p tcp -s chemwiz.state.edu --dport 22 \
#   --syn -m state --state NEW -j ACCEPT


# Allow Bittorrent connections:
#echo "Allowing connections by bittorrents"
#$IPT -A FORWARD -i $EXTIF -p tcp --dport 6881:6889 -j ACCEPT
#echo ""


# Connect only from hardened systems
# (hopefully only those running Linux or Unix hardened as per the book)
$IPT -A INPUT   -i $INTIF1 -p tcp --dport 22 \
   --syn -m state --state NEW -j ACCEPT
$IPT -A INPUT   -i $INTIF2 -p tcp --dport 22 \
   --syn -m state --state NEW -j ACCEPT

# Connect only to hardened systems
# (hopefully only those running Linux or Unix hardened as per the book)
# $IPT -A OUTPUT  -o $INTIF -p tcp                      --dport 22 \
#   -d 10.0.0.42 --syn -m state --state NEW -j ACCEPT
INTNET="$INTNET1 $INTNET2"
echo "Enabling local network CUPS printing"

for i in $INTNET
do
    $IPT -A INPUT   -s $i -p tcp --dport 631 -j ACCEPT
    $IPT -A INPUT   -s $i -p udp --dport 631 -j ACCEPT

    $IPT -A OUTPUT  -s $i -p tcp --dport 631 -j ACCEPT
    $IPT -A OUTPUT  -s $i -p udp --dport 631 -j ACCEPT
done
echo ""


#BITTORRENT="6890 6891 6892 6893 6894 6895 6896 6897 6898 6899"
#echo "Enabling bittorrent sharing"
#for i in $BITTORRENT
#do
#    $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport \
#       $BITTORRENT -j DNAT --to-destination 192.168.1.77:$BITTORRENT
#    $IPT -A FORWARD -s $INTIP -p tcp --dport 192.168.1.77 -j ACCEPT
#
#    $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport \
#       $BITTORRENT -j DNAT --to-destination 192.168.2.77:$BITTORRENT
#    $IPT -A FORWARD -s $INTIP -p tcp --dport 192.168.2.77 -j ACCEPT
#done



$IPT -t nat -A PREROUTING                       -j ACCEPT
#$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j SNAT --to $EXTIP
#$IPT -t nat -A POSTROUTING -o $EXTIP -s $INTNET2 -j SNAT --to $EXTIP
# Comment out next line (that has "MASQUERADE") to not NAT internal network
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT

$IPT -A INPUT   -p tcp --dport auth --syn -m state --state NEW -j ACCEPT

iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log & block whatever is left
$IPT -A INPUT             -j DROPl
$IPT -A OUTPUT            -j REJECTl
$IPT -A FORWARD           -j DROPl
  





* Re: Curious problem with my iptable rules.....detailed post inside, help appreciated.
  2004-04-16 23:35 Curious problem with my iptable rules.....detailed post inside, help appreciated Krunk
@ 2004-04-17 19:09 ` Rob Sterenborg
  2004-04-18 18:10   ` Krunk
  0 siblings, 1 reply; 7+ messages in thread
From: Rob Sterenborg @ 2004-04-17 19:09 UTC (permalink / raw)
  To: Netfilter

On Sat, 2004-04-17 at 01:35, Krunk wrote:
> Setup: 
> I have one external NIC (ppp0) and two internal NICs (eth1, eth2). I
> also have two rule sets: the first a bare minimum "get it up and going
> script" I used for testing, and my main rule set. 
> 
> Problem: 
> After a fresh start-up, if I initialize my basic rule set everything
> works perfectly. If I then initialize my main rule set (which deletes
> all chains and flushes all rules) it still works perfectly. However, if I
> initialize my main script first, eth1 can access the internet, but eth2
> cannot. All internal connections are still up; everyone can ping everyone
> else, etc., etc. Even odder is that if I clear all rules and policies and
> delete all chains, then load the bare minimum script, it doesn't work
> either. The only thing I've found is to do a hard reboot (which makes me
> get that funny feeling like I've done something sacrilegious, hehe),
> load the minimum and then load the main script. 

<strip lots of script>


>>> DON'T set policy to DROP in the nat table. If you want to do packet
filtering ; do it in the filter table with the INPUT, OUTPUT and FORWARD
chains. You probably get unexpected results if you filter in the nat or
mangle table.


Maybe it's a bit easier if you also told us what it is that you want to
achieve (and why you're using 2 scripts) because I think your script can
be a lot shorter than the main script you're using right now.
(Btw, I didn't read all of the script.)

There's a lot of DROPping going on while at the same time you have set
policy to DROP for the INPUT, OUTPUT and FORWARD chains. That means
*everything* is closed already : you can't get in, out or through the
box. Only packets you have set an ACCEPT rule for can be received, sent
or forwarded/routed.

Setting OUTPUT policy to DROP is good. Only it might be easier to
troubleshoot your script if you first set it to ACCEPT, do some testing
until it works. Then set OUTPUT to DROP and get it working again (if it
doesn't, because then only the iptables box won't be able to send
packets so your clients on eth1 and eth2 shouldn't notice it).

You have the RELATED/ESTABLISHED rules at the bottom of your script.
As most (accepted) packets will be matched by these rules, put these
close to the top of your script.

Put : echo 0 > /proc/sys/net/ipv4/ip_forward
at the top of your script, so there won't be any packet forwarding, even
if there are rules already.
Put : echo 1 > /proc/sys/net/ipv4/ip_forward
at the bottom of your script so forwarding starts when all rules are in
place.

You realize that the :
- INPUT chain is for incoming packets, DESTINED FOR the iptables box.
- OUTPUT chain is for outgoing packets, COMING FROM the iptables box.
- FORWARD chain is for packets going through the iptables box in either
way.
Every packet will *only* go through one chain. 

Did you read Oskar's iptables tutorial ?
http://iptables-tutorial.frozentux.net/iptables-tutorial.html


Gr,
Rob





* Re: Curious problem with my iptable rules.....detailed post inside, help appreciated.
  2004-04-17 19:09 ` Rob Sterenborg
@ 2004-04-18 18:10   ` Krunk
  2004-04-18 19:47     ` Curious problem with my iptable rules.....detailed postinside, " Rob Sterenborg
  0 siblings, 1 reply; 7+ messages in thread
From: Krunk @ 2004-04-18 18:10 UTC (permalink / raw)
  To: Netfilter

On Sat, 2004-04-17 at 14:09, Rob Sterenborg wrote:
> 
> Maybe it's a bit easier if you also told us what it is that you want to
> achieve

I'm approaching this with the intention of learning the proper way to
securely lock down a production system (it's just an old Mac I have).
Most of the script was adapted from a book on security which I'm reading
(only one chapter dedicated to iptables......."Real World Linux
Security" by Bob Toxen btw.) 

>  (and why you're using 2 scripts) because I think your script can
> be a lot shorter than the main script you're using right now.
> (Btw, I didn't read all of the script.)
> 
One script is the one I'm "working with"; the smaller one is a bare-bones
"I know this works" script, so when I hit a hitch in the other one and
the roommates get antsy from no internet I can bring it up quickly.

> There's a lot of DROPping going on while in the same time you have set
> policy to DROP for the INPUT, OUTPUT and FORWARD chains. That means
> *everything* is closed already : you can't get in, out or through the
> box. Only  packets you have set an ACCEPT rule for can be received, sent
> or forwarded/routed.
> 
From what I read, this is to prevent a "hole" from opening up. By having
a default policy of DROP, anything overlooked is by default dropped. I
was under the impression that having only explicitly accepted packets
allowed is a good thing.

> Setting OUTPUT policy to DROP is good. Only it might be easier to
> troubleshoot your script if you first set it to ACCEPT, do some testing
> untill it works. Then set OUTPUT to DROP and get it working again (if it
> doesn't, because then only the iptables box won't be able to send
> packets so your clients on eth1 and eth2 shouldn't notice it).
> 
When I first built the script, I did it very piecemeal...taking one
section at a time. Started with the bare minimum forward script and
built the DENY and DROP rules one by one. Testing as I went along and
correcting syntax errors etc etc. I only set the initial DROP policies
at the very end after the script was done. To test if this was the
problem I commented out the initial DROP Policies....the same problem
persisted. Since the only remedy I've found for getting it working again
after initially running the script is a hard reboot, it greatly
complicates the troubleshooting. In essence I would have to reboot after
every added line until I found the trouble maker (ugh). I was hoping
there was some glaring error in procedure that would be caught so I
wouldn't have to do this. On a side note, I eliminated all of the DROP
and REJECT rules "just to see" and it does work that way. It would seem
that there is some policy being set which my -X and -F loop is not
catching.

> You have the RELATED/ESTABLISHED rules at the bottom of your script.
> As most (accepted) packets will be matched by these rules, put these
> close to the top of your script.
> 
> Put : echo 0 > /proc/sys/net/ipv4/ip_forward
> at the top of your script, so there won't be any packet forwarding, even
> if there are rules already.
> Put : echo 1 > /proc/sys/net/ipv4/ip_forward
> at the bottom of your script so forwarding starts when all rules are in
> place.
> 

Thank you for the suggestions, they make perfect sense....I've made the
adjustments.
> You realize that the :
> - INPUT chain is for incoming packets, DESTINED FOR the iptables box.
> - OUTPUT chain is for outgoing packets, COMING FROM the iptables box.
> - FORWARD chain is for packets going through the iptables box in either
> way.
> Every packet will *only* go through one chain. 
> 
> Did you read Oskar's iptables tutorial ?
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html

I'm in the process of reading it now. I've read several other
tutorials, but this is the most thorough I've seen yet. 

Thank you.





* RE: Curious problem with my iptable rules.....detailed postinside, help appreciated.
  2004-04-18 18:10   ` Krunk
@ 2004-04-18 19:47     ` Rob Sterenborg
  2004-04-18 22:59       ` Krunk
  0 siblings, 1 reply; 7+ messages in thread
From: Rob Sterenborg @ 2004-04-18 19:47 UTC (permalink / raw)
  To: 'Netfilter'

> From what I read, this is to prevent a "hole" from opening up. By 
> having
> a default policy of DROP, anything overlooked is by default 
> dropped. I was under the impression that having only 
> explicitly accepted packets allowed is a good thing.

That is indeed what you're doing when you set policy to DROP and then write
rules to accept what you want to accept. (Or any other rule, like REJECT
packets on port 113/tcp instead of DROPping them, which might speed up
connecting to certain ftp sites.)
What I saw in your script was logging and dropping together in a user chain.
Nothing wrong with that but you seem to be logging a lot :-). I don't know
if you want all that information.

At the end of your script there is :
$IPT -A INPUT -j DROPl
$IPT -A OUTPUT -j REJECTl
$IPT -A FORWARD -j DROPl
Which effectively becomes your "policy" : log and DROP/REJECT, since it
matches everything.
(Again, it's not wrong.)

> problem I commented out the initial DROP Policies....the same 
> problem persisted. Since the only remedy I've found for 
> getting it working again after initially running the script 
> is a hard reboot, it greatly complicates the troubleshooting. 

Well, I don't know exactly what you tried but don't filter in the nat table.
It's easy to forget that you do and although it's possible ; you have the
filter table for that.
Flushing all rules and setting policy to ACCEPT should keep you from
rebooting.

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
(iptables -X)

But I suppose you already tried this..
If it doesn't, I'm curious what the output is of "iptables -nvL" and
"iptables -t nat -nvL".

> I'm in the process of reading it now, I've read several other 
> tutorials...but this is the most thorough I've seen yet. 

Yeah, it's good and it's free ;-)..

> Thank you.

You're welcome.

Reading your first post, one problem was : "eth1 can access the internet,
but eth2 cannot". I took another look at your script, and I'll focus on nat
only.
This should nat clients on both eth1 and eth2 :

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i eth1 -o ppp0 -s <net_lan_1> -j ACCEPT
iptables -A FORWARD -i eth2 -o ppp0 -s <net_lan_2> -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -s <net_lan_1> -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -s <net_lan_2> -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Of course, you have to make sure your routing table on the iptables box as
well as on the clients is correct.
In my experience (I also have a ppp0 for internet) you cannot use SNAT for
ppp interfaces.


Gr,
Rob



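Rob's point that filtering belongs in the filter table, not the nat table, can be checked mechanically against the `iptables -t nat -nvL` output he asks for. The following is an added example, not code from the thread or from the book's rule set: a POSIX sh/awk audit that reads such a listing and reports every built-in nat chain whose policy is not ACCEPT and every rule whose target is DROP or REJECT. The two listings it runs over are constructed in the shape that command prints (the function names are this example's own).

```shell
#!/bin/sh
# Audit an `iptables -t nat -nvL` listing for filtering decisions made in the
# nat table (non-ACCEPT policies, DROP/REJECT rules); those belong in the
# filter table (INPUT/OUTPUT/FORWARD) instead.

# Constructed sample listing in the shape `iptables -t nat -nvL` prints
# (not output captured from a live system).
SAMPLE_NAT_LISTING='Chain PREROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   293 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ppp0    192.168.2.0/24       0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed listing of a nat table that only does NAT, for comparison.
CLEAN_NAT_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# nat_findings LISTING
# Prints one finding per line:
#   POLICY <chain> <policy>   built-in chain whose policy is not ACCEPT
#   RULE <chain> <target>     rule that filters (DROP or REJECT) in the nat table
# Prints nothing when the table only does NAT.
nat_findings() {
    printf '%s\n' "$1" | awk '
        /^Chain / {
            chain = $2
            # built-in chains print "(policy X ...)"; user chains print "(N references)"
            if ($3 == "(policy" && $4 != "ACCEPT")
                printf "POLICY %s %s\n", chain, $4
            next
        }
        /^ *pkts/ || /^ *$/ { next }     # column header and blank separators
        {
            target = $3                  # pkts bytes target prot opt in out src dst
            if (target == "DROP" || target == "REJECT")
                printf "RULE %s %s\n", chain, target
        }
    '
}

# nat_is_clean LISTING -> exit status 0 when there are no findings, 1 otherwise
nat_is_clean() {
    [ -z "$(nat_findings "$1")" ]
}

# Demonstration on the constructed listings; on a live box run
#   nat_findings "$(iptables -t nat -nvL)"
for listing in "$SAMPLE_NAT_LISTING" "$CLEAN_NAT_LISTING"; do
    if nat_is_clean "$listing"; then
        echo "nat table: no filtering found"
    else
        echo "nat table: filtering found, move these decisions to the filter table:"
        nat_findings "$listing" | sed 's/^/  /'
    fi
done
```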

* RE: Curious problem with my iptable rules.....detailed postinside, help appreciated.
  2004-04-18 19:47     ` Curious problem with my iptable rules.....detailed postinside, " Rob Sterenborg
@ 2004-04-18 22:59       ` Krunk
  2004-04-19  0:11         ` Curious problem with my iptable rules.....detailed postinside,help appreciated Rob Sterenborg
  0 siblings, 1 reply; 7+ messages in thread
From: Krunk @ 2004-04-18 22:59 UTC (permalink / raw)
  To: 'Netfilter'

> Well, I don't know exactly what you tried but don't filter in the nat table.
> It's easy to forget that you do and although it's possible ; you have the
> filter table for that.
> Flushing all rules and setting policy to ACCEPT should keep you from
> rebooting.
> 
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -F
> (iptables -X)
> 
> But I suppose you already tried this..
> If it doesn't I'm curious what the output is of "iptables -nvL" and
> "iptables -t nat -nvL".

I rebooted and ran the main script. As expected, the second client
couldn't connect. I ran the above series of commands and the output of
iptables -t nat -nvL was as follows:

Chain PREROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   293 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ppp0    192.168.2.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

After seeing the commands did not clear my nat tables, I took the liberty of trying:

iptables -P INPUT ACCEPT;
iptables -P OUTPUT ACCEPT;
iptables -P FORWARD ACCEPT;
iptables -t nat -P PREROUTING ACCEPT;
iptables -t nat -P OUTPUT ACCEPT;
iptables -t nat -P POSTROUTING ACCEPT;
iptables -t nat -F;
iptables -t nat -X;
iptables -F;
iptables -X


After which iptables -t nat -nvL output is:
Chain PREROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


This still did not enable me to bring the second client back online with the 
bare minimum script. 


> Reading your first post, one problem was : "eth1 can access the internet,
> but eth2 cannot". I took another look at your script, and I'll focus on nat
> only.
> This should nat clients on both eth1 and eth2 :
> 
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -A FORWARD -i eth1 -o ppp0 -s <net_lan_1> -j ACCEPT
> iptables -A FORWARD -i eth2 -o ppp0 -s <net_lan_2> -j ACCEPT
> iptables -t nat -A POSTROUTING -o ppp0 -s <net_lan_1> -j MASQUERADE
> iptables -t nat -A POSTROUTING -o ppp0 -s <net_lan_2> -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward

Continuing in my attempts to find a way to troubleshoot without
rebooting each time, I prepended the more extensive
flush/delete/policy=ACCEPT string of commands to this script (to
ensure a clean slate). Still no connection with the second client. For
good measure I added: iptables -A INPUT --protocol tcp --dport 80 -j
ACCEPT

The script now looks like:
      1 #!/bin/bash
      2 iptables -P INPUT ACCEPT
      3 iptables -P OUTPUT ACCEPT
      4 iptables -P FORWARD ACCEPT
      5 iptables -t nat -P PREROUTING ACCEPT
      6 iptables -t nat -P OUTPUT ACCEPT
      7 iptables -t nat -P POSTROUTING ACCEPT
      8 iptables -t nat -F
      9 iptables -t nat -X
     10 iptables -F
     11 iptables -X
     12
     13 echo 0 > /proc/sys/net/ipv4/ip_forward
     14 iptables -P FORWARD DROP
     15 iptables -F FORWARD
     16 iptables -A FORWARD -i eth1 -o ppp0 -s  -j ACCEPT
     17 iptables -A FORWARD -i eth2 -o ppp0 -s 192.168.2.78 -j ACCEPT
     18 iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.xxx/255.255.255.0 -j MASQUERADE
     19 iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.2.xxx/255.255.255.0 -j MASQUERADE
     20 iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT
     21 echo 1 > /proc/sys/net/ipv4/ip_forward

So for completeness, I then reboot and run the "multieth" script:

#!/bin/bash
IPTABLES='/sbin/iptables'
 
# Set interface values
EXTIF='ppp0'
INTIF1='eth1'
INTIF2='eth2'
 
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
 
# flush rules and delete chains
iptables -F
iptables -X
 
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
                                                                                                                                                                 
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
 
# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
 
#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
                                                                     
#echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
 
# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

And the connection works fine all have access:

iptables -nvL:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
  181 15548 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0         tcp dpt:22
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0         tcp dpt:80
    1    78 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0         state INVALID,NEW
 
Chain FORWARD (policy ACCEPT 88 packets, 50603 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
    1    65 ACCEPT     all  --  eth1   ppp0    0.0.0.0/0            0.0.0.0/0         state NEW,ESTABLISHED
   93  9286 ACCEPT     all  --  eth2   ppp0    0.0.0.0/0            0.0.0.0/0         state NEW,ESTABLISHED
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0         state INVALID,NEW
 
Chain OUTPUT (policy ACCEPT 112 packets, 13829 bytes)
 pkts bytes target     prot opt in     out     source               destination 

iptables -t nat -nvL:
Chain PREROUTING (policy ACCEPT 25 packets, 1526 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
 
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
   20  1244 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0                                                                                 
 
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 


I then run my main script and voila, everything back to normal. Output of
iptables -t nat -nvL:

Chain PREROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                 
 
Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
    0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0                                                                                 
    0     0 MASQUERADE  all  --  *      ppp0    192.168.2.0/24       0.0.0.0/0                                                                                 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                 
 
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0 


As you can see the output from this list and that of the previous -t nat -nvL output is 
exactly the same (unless I am missing something). So I'm still quite confused.


> Well, I don't know exactly what you tried but don't filter in the nat table.
> It's easy to forget that you do and although it's possible ; you have the
> filter table for that.

When you say "don't filter the nat table", are you referring to the setting of drop policies 
or the appending of ACCEPT policies? I have very few commands that are directed toward 
the nat table:

$IPT -t nat -P PREROUTING  DROP
$IPT -t nat -P POSTROUTING DROP
$IPT -t nat -P OUTPUT      DROP

$IPT -t nat -A PREROUTING                        -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                                -j ACCEPT


I just want to be absolutely clear. 






* RE: Curious problem with my iptable rules.....detailed postinside,help appreciated.
  2004-04-18 22:59       ` Krunk
@ 2004-04-19  0:11         ` Rob Sterenborg
  2004-04-19  1:58           ` Krunk
  0 siblings, 1 reply; 7+ messages in thread
From: Rob Sterenborg @ 2004-04-19  0:11 UTC (permalink / raw)
  To: 'Krunk', 'Netfilter'

> I rebooted and ran the main script. As expected, the second 
> client couldn't connect. I ran the above series of commands 
> and the output of iptables -t nat -nvL was as follows:
> 
> Chain PREROUTING (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     6   293 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>  
> Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0
>     0     0 MASQUERADE  all  --  *      ppp0    192.168.2.0/24       0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>  
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Policy is set to DROP and there are rules in place that may interfere with
normal networking.

> After seeing the commands did not clear my nat tables I took 
> the liberty of trying:
> 
> iptables -P INPUT ACCEPT;
> iptables -P OUTPUT ACCEPT;
> iptables -P FORWARD ACCEPT;
> iptables -t nat -P PREROUTING ACCEPT;
> iptables -t nat -P OUTPUT ACCEPT;
> iptables -t nat -P POSTROUTING ACCEPT;
> iptables -t nat -F;
> iptables -t nat -X;
> iptables -F;
> iptables -X
> 
> 
> After which iptables -t nat -nvL output is:
> Chain PREROUTING (policy ACCEPT 1 packets, 76 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination
>  
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination
>  
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination

Yes, this is what it should look like if you want to go "back to normal".

> This still did not enable me to bring the second client back 
> online with the bare minimum script. 

...

> Continuing in my attempts to find a way to troubleshoot without
> rebooting each time, I prepended the more extensive
> flush/delete/policy=ACCEPT string of commands to to this script (to
> ensure a clean slate. Still no connection with the second client. For
> good measure I added: iptables -A INPUT --protocol tcp --dport 80 -j
> ACCEPT

This is only useful if you're running a webserver. If you don't and scan the
port it'll be closed.

> The script now looks like:
>   1 #!/bin/bash
>   2 iptables -P INPUT ACCEPT
>   3 iptables -P OUTPUT ACCEPT
>   4 iptables -P FORWARD ACCEPT

>   5 iptables -t nat -P PREROUTING ACCEPT
>   6 iptables -t nat -P OUTPUT ACCEPT
>   7 iptables -t nat -P POSTROUTING ACCEPT

The normal setting for policy already is ACCEPT so it's up to you if you
want to keep these three lines.

>   8 iptables -t nat -F
>   9 iptables -t nat -X
>  10 iptables -F
>  11 iptables -X
>  12

>  13 echo 0 > /proc/sys/net/ipv4/ip_forward

It's best to put this line right on top of the script.

>  14 iptables -P FORWARD DROP
>  15 iptables -F FORWARD
>  16 iptables -A FORWARD -i eth1 -o ppp0 -s  -j ACCEPT

-s has no parameter; it's a typo. It should read 192.168.1.0/24?

>  17 iptables -A FORWARD -i eth2 -o ppp0 -s 192.168.2.78 -j ACCEPT
>  18 iptables -t nat -A POSTROUTING -o ppp0 -s 
> 192.168.1.xxx/255.255.255.0 -j MASQUERADE
>  19 iptables -t nat -A POSTROUTING -o ppp0 -s 
> 192.168.2.xxx/255.255.255.0 -j MASQUERADE

>  20 iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT

You have set INPUT policy to ACCEPT, so this rule has nothing to do.

>  21 echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> So for completeness, I than reboot and run the "multieth" script:

I'm confused now. You're having multiple scripts ?? What for ?

The above does :
- Set policy to default, flush all chains and delete user chains.
- Disable IP forwarding
- Set FORWARD policy to DROP
- Allow 192.168.1.0/24 on eth1 to be forwarded to the internet
- Allow 192.168.2.78 on eth2 to be forwarded to the internet
- MASQUERADE 192.168.1.0/24
- MASQUERADE 192.168.2.0/24
- Allow http port
- Enable IP forwarding

> #!/bin/bash
> IPTABLES='/sbin/iptables'
>  
> # Set interface values
> EXTIF='ppp0'
> INTIF1='eth1'
> INTIF2='eth2'
>  
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
>  
> # flush rules and delete chains
> iptables -F
> iptables -X
>  
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> 
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state 
> NEW,ESTABLISHED -j ACCEPT
>  
> # forward LAN traffic from $INTIF2 to Internet interace $EXTIF
> $IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state 
> NEW,ESTABLISHED -j ACCEPT
>  
> #echo -e "       - Allowing access to the SSH server"
> $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
>                                                                      
> #echo -e "       - Allowing access to the HTTP server"
> $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
>  
> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
> 
> And the connection works fine all have access:

And this does :

- Enable IP forwarding
- Flush all chains and delete user chains
- MASQUERADE everything to the internet
- ACCEPT RELATED and ESTABLISHED to be forwarded from eth<1|2> to ppp0
- ACCEPT ssh access
- ACCEPT http access
- DROP all NEW and INVALID in the INPUT and FORWARD chain

> iptables -nvL:
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   181 15548 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0         tcp dpt:22
>     3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0         tcp dpt:80
>     1    78 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0         state INVALID,NEW
>  
> Chain FORWARD (policy ACCEPT 88 packets, 50603 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     1    65 ACCEPT     all  --  eth1   ppp0    0.0.0.0/0            0.0.0.0/0         state NEW,ESTABLISHED
>    93  9286 ACCEPT     all  --  eth2   ppp0    0.0.0.0/0            0.0.0.0/0         state NEW,ESTABLISHED
>     0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0         state INVALID,NEW
>  
> Chain OUTPUT (policy ACCEPT 112 packets, 13829 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> iptables -t nat -nvL:
> Chain PREROUTING (policy ACCEPT 25 packets, 1526 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    20  1244 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
>  
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> 
> I then run my main script and voila, everything back to normal. Output of
> iptables -t nat -nvL:
> 
> Chain PREROUTING (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>  
> Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0
>     0     0 MASQUERADE  all  --  *      ppp0    192.168.2.0/24       0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>  
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> 
> As you can see the output from this list and that of the 
> previous -t nat -nvL output is 
> exactly the same (unless I am missing something). So I'm 
> still quite confused.

Yes. Read the policy. The first time it's ACCEPT and the second time it's
DROP in the nat table.

I don't know what is working for you. You're executing 2 scripts, where the
second is overruling the first in some points, some not.

> > Well, I don't know exactly what you tried but don't filter 
> in the nat table.
> > It's easy to forget that you do and although it's possible 
> ; you have the
> > filter table for that.
> 
> When you say "don't filter the nat table", are you referring 
> to the setting of drop policies 

Yes. Setting the policy to DROP means filtering.
You set rules in the chains which have policy set to DROP and everything
that doesn't match gets dropped.
Do yourself a favour and **DON'T** set policy to DROP in the nat or mangle
table.

> or the appending of ACCEPT policies? I have very few commands 
> that are directed toward 
> nat table:
> 
> $IPT -t nat -P PREROUTING  DROP
> $IPT -t nat -P POSTROUTING DROP
> $IPT -t nat -P OUTPUT      DROP

See above. Default is ACCEPT. Leave it that way. Don't set it to DROP.
If you want to drop packets, use the filter table (INPUT, OUTPUT and FORWARD
chains). That really is enough.

> $IPT -t nat -A PREROUTING                        -j ACCEPT

First, you set policy to DROP, next you allow everything with this rule. Why
are you doing this ?

> $IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
> $IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE

Yup, this is what POSTROUTING is for.

> $IPT -t nat -A POSTROUTING                      -j ACCEPT

If you just set policy of POSTROUTING to ACCEPT (leave the default value
alone) you don't need this rule.

> $IPT -t nat -A OUTPUT                                -j ACCEPT

See PREROUTING.

> I just want to be absolutely clear. 

Me too ;-).

- Reboot the PC.
- Don't execute your firewall scripts.
- Leave the policies of the nat and mangle table alone. Default is ACCEPT
and that is correct in most cases. AFAICS in your case too.
- Use filtering rules in the filter table (you can explicitly use -t filter
or omit it)
- Use NAT rules in the nat table (-t nat)
- Use packet altering rules in the mangle table (-t mangle)
- Don't mix the three above.
- Start with a small script (only one) and expand the script when it's
working. What I understand is that your biggest problem is getting NAT to
work.
Start with a small script like this (I forgot the RELATED,ESTABLISHED rules
before) :

echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o ppp0 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -o ppp0 -s 192.168.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.2.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward


Gr,
Rob



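An added example, not Rob's or Krunk's script, that turns Rob's list of rules into a single loader. The point it makes explicit is why two scripts that each "flush everything" still interfered: "iptables -F; iptables -X" with no -t operates on the filter table only, and -F never changes a chain's policy, so a nat-table DROP policy set by one script is still there when the next one runs. The loader therefore resets every table (rules, user chains and policies) before loading, keeps filtering in the filter table and NAT in the nat table, and restricts both the FORWARD and the MASQUERADE rules with -s. Interface names and networks are the ones from the thread; the APPLY switch is this example's own assumption, so that by default the script only prints the iptables commands it would run and never touches a live kernel.

```shell
#!/bin/sh
# Added example (not from the thread): one idempotent firewall loader that
# follows Rob's rules. Every table is reset first, because "iptables -F -X"
# with no -t only touches the filter table and -F never resets a policy, so a
# nat-table DROP policy left behind by an earlier script survives into the
# next. APPLY=1 as root applies the rules; otherwise they are only printed.
set -eu

EXTIF=${EXTIF:-ppp0}
INTIF1=${INTIF1:-eth1}
INTIF2=${INTIF2:-eth2}
INTNET1=${INTNET1:-192.168.1.0/24}
INTNET2=${INTNET2:-192.168.2.0/24}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    ipt() { /sbin/iptables "$@"; }
    ip_forward() { echo "$1" > /proc/sys/net/ipv4/ip_forward; }
else
    # Print mode: emit the exact commands instead of running them.
    ipt() { echo "iptables $*"; }
    ip_forward() { echo "echo $1 > /proc/sys/net/ipv4/ip_forward"; }
fi

# Clean slate: stop forwarding, flush rules and delete user chains in every
# table, and put every built-in policy back to ACCEPT. Only the filter chains
# get a DROP policy afterwards; nat and mangle stay at their default ACCEPT.
reset_all() {
    ip_forward 0
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do ipt -t filter -P "$c" ACCEPT; done
    for c in PREROUTING POSTROUTING OUTPUT; do ipt -t nat -P "$c" ACCEPT; done
}

# Filtering goes in the filter table, NAT in the nat table, nothing else.
load_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # SSH only from the two LAN interfaces, not from ppp0.
    ipt -A INPUT -i "$INTIF1" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$INTIF2" -p tcp --dport 22 -j ACCEPT
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Each LAN may only forward its own network out of its own interface.
    ipt -A FORWARD -i "$INTIF1" -o "$EXTIF" -s "$INTNET1" -j ACCEPT
    ipt -A FORWARD -i "$INTIF2" -o "$EXTIF" -s "$INTNET2" -j ACCEPT
    # -s on MASQUERADE too, so nothing but the two known LANs is ever NATed.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET1" -j MASQUERADE
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET2" -j MASQUERADE
    ip_forward 1
}

# Reset, then load; in print mode this yields the complete command transcript.
generate() {
    reset_all
    load_rules
}

generate
```

Run it as-is to review the transcript; run it as root with APPLY=1 to load the rules. Because the reset covers the nat table's policies, running it after any other script (including one that set those policies to DROP) gives the same end state, which is what removes the need for the reboot.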

* RE: Curious problem with my iptable rules.....detailed postinside,help appreciated.
  2004-04-19  0:11         ` Curious problem with my iptable rules.....detailed postinside,help appreciated Rob Sterenborg
@ 2004-04-19  1:58           ` Krunk
  0 siblings, 0 replies; 7+ messages in thread
From: Krunk @ 2004-04-19  1:58 UTC (permalink / raw)
  To: Rob Sterenborg; +Cc: 'Netfilter'

On Sun, 2004-04-18 at 19:11, Rob Sterenborg wrote:
> -s has no parameter; it's a typo. It should read 192.168.1.0/24?
> 
Sorry, the actual script does have that, error in copying over.

> You have set INPUT policy to ACCEPT, so this rule has nothing to do.
I did this since the second client still couldn't connect...I was making 
"double sure" that http access was ACCEPTED.


> I don't know what is working for you. You're executing 2 scripts, where the
> second is overruling the first in some points, some not.
I know that's exactly what my problem is. I have this little script that I wrote
just get things up and going...sort of a "ok, now everything is working
lets build some rules script". But my real script (the larger one) does
not allow internet access to my second client unless I run this little
script first. The reason I'm confused is that before each script is run
all the rules and chains are deleted.....so they *shouldn't* be
affecting one another. This is covered in the initial post.

> Yes. Setting the policy to DROP means filtering.
Cool, that's what I thought...just making sure.
> 
> > $IPT -t nat -A PREROUTING                        -j ACCEPT
> 
> First, you set policy to DROP, next you allow everything with this rule. Why
> are you doing this ?
I was following the general security guideline of "Deny, then ACCEPT".
Setting Policy to DROP initially, then later on..when more packet
filtering rules are in place, setting to accept.

> 
> - Reboot the PC.
> - Don't execute your firewall scripts.
> - Leave the policies of the nat and mangle table alone. Default is ACCEPT
> and that is correct in most cases. AFAICS in your case too.
> - Use filtering rules in the filter table (you can explicitly use -t filter
> or omit it)
> - Use NAT rules in the nat table (-t nat)
> - Use packet altering rules in the mangle table (-t mangle)
> - Don't mix the three above.
> - Start with a small script (only one) and expand the script when it's
> working. What I understand is that you biggest problem is getting NAT to
> work.
> Start with a small script like this (I forgot the RELATED,ESTABLISHED rules
> before) :
> 
> echo 0 > /proc/sys/net/ipv4/ip_forward
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth1 -o ppp0 -s 192.168.1.0/24 -j ACCEPT
> iptables -A FORWARD -i eth2 -o ppp0 -s 192.168.2.0/24 -j ACCEPT
> iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.2.0/24 -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward

After a fresh reboot, the script above enables access to my first client
on eth1 but NOT my second on eth2. However, I've eliminated the nat DROP
policy and now my main script works at boot up. So I can carry on with
my incremental troubleshooting minus the irritating
reboots........Thanks!

The book I'm reading didn't go into detail on why it set the policy of
the nat chains in particular to DROP but included it in the section
which suggested setting all policies to drop before flushing at the
beginning of a script.
Flushing is done to ensure a clean slate for the rule set (obviously)
and setting to Drop is to ensure no packets are passed while the rules
are flushed. 

I understand this is unnecessary/excessive in a soho set-up, but
wouldn't filtering the nat table be a good thing in large networks where
you would want to prevent unauthorized internal ip's from passing
through the nat chain? 

Thanks for all the help.

James




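An added example, not part of the thread, of the check a practitioner would run before asking why a client has no connectivity: read "iptables -t nat -nvL" and report the two things Rob pointed at in the listings above, a nat chain whose policy is not ACCEPT (filtering in the nat table) and a MASQUERADE rule with no -s restriction (every source that reaches the external interface is NATed, which is the nat-side half of the "unauthorized internal IPs" question; the other half is the -s on the FORWARD rules in Rob's script). The two sample listings are the ones Krunk posted; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit "iptables -t nat -nvL" output for
# filtering in the nat table and for unrestricted MASQUERADE rules.
set -eu

# Sample listing 1 (from the thread): nat policies set to DROP by the main script.
NAT_DROP_POLICY=$(cat <<'EOF'
Chain PREROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ppp0    192.168.2.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# Sample listing 2 (from the thread): default policies, but the "multieth"
# script masquerades any source that leaves via ppp0.
NAT_DEFAULT_POLICY=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 25 packets, 1526 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1244 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# Built-in chains whose policy is not ACCEPT, one name per line (reads stdin).
# A "Chain NAME (policy X ...)" header has the policy in field 4; user-defined
# chains show "(N references)" instead and are skipped.
chains_not_accept() {
    awk '/^Chain / && $3 == "(policy" && $4 != "ACCEPT" { print $2 }'
}

# "CHAIN OUTIF" for every MASQUERADE rule whose source is 0.0.0.0/0 (stdin).
# In -nvL rule lines field 3 is the target, 7 the out interface, 8 the source.
unrestricted_masquerade() {
    awk '/^Chain / { chain = $2; next }
         $3 == "MASQUERADE" && $8 == "0.0.0.0/0" { print chain, $7 }'
}

# Run both checks on a listing from stdin; print findings, return 1 if any.
audit_nat() {
    listing=$(cat)
    bad=0
    for c in $(printf '%s\n' "$listing" | chains_not_accept); do
        echo "nat $c: policy is not ACCEPT; filter in the filter table instead"
        bad=1
    done
    for m in $(printf '%s\n' "$listing" | unrestricted_masquerade | tr ' ' ':'); do
        echo "nat ${m%%:*}: MASQUERADE out ${m#*:} has no -s; restrict it to the LAN"
        bad=1
    done
    return $bad
}

# Demo on the two sample listings (on a live box: iptables -t nat -nvL | audit_nat).
printf '%s\n' "$NAT_DROP_POLICY"    | audit_nat || true
printf '%s\n' "$NAT_DEFAULT_POLICY" | audit_nat || true
```

On the first listing the audit reports all three nat chains; on the second it reports the POSTROUTING MASQUERADE without -s. A listing produced by Rob's small script passes both checks.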

end of thread

Thread overview: 7+ messages
2004-04-16 23:35 Curious problem with my iptable rules.....detailed post inside, help appreciated Krunk
2004-04-17 19:09 ` Rob Sterenborg
2004-04-18 18:10   ` Krunk
2004-04-18 19:47     ` Curious problem with my iptable rules.....detailed postinside, " Rob Sterenborg
2004-04-18 22:59       ` Krunk
2004-04-19  0:11         ` Curious problem with my iptable rules.....detailed postinside,help appreciated Rob Sterenborg
2004-04-19  1:58           ` Krunk
