* Still having problems...
From: Sam Loy @ 2004-06-30 18:30 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 986 bytes --]
I'm sorry to be such a newbie, but I still cannot get my firewall up and
running.

Actually, I had it working with the enclosed script, until I generated
/etc/sysconfig/iptables using /sbin/service iptables save.

After I tried to get things to spin up at boot time it quit
working... not sure what I did.

I erased my tracks, can still ping and set the net before loading
iptables. Afterwards, I can't even ping the 192.168.1.1 interface on
the same machine!

Anyway, Jason, Antony, Dick, a lot of you have been very helpful. Thank
you so much for your continued help and patience.

It is starting to make sense, but I still don't get it. I'm also in the
process of up2dating my Linux. Maybe that will help.

fwscript is the script I'm using (from Jason with slight mods). I run
it after I connect ppp0 and get an IP from my ISP, before running
dhcpd. stillnowork is the output of iptables-save.
Like I said, it worked until I tried to get it to start at boot time.
Thanks,
Sam
[-- Attachment #2: fwscript --]
[-- Type: application/octet-stream, Size: 2382 bytes --]
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
# NOTES:
# 1) Assumes that ppp0 is the external interface and eth0 is internal
#    (matches EXT_IF/INT_IF below; the old note said eth0/eth1). Adjust
#    to taste.
# Get current details:
EXT_IF=ppp0
INT_IF=eth0
# External address; not used by any rule below, kept for reference.
EXTERNAL_IP=`ifconfig $EXT_IF | grep "inet addr:" | awk '{print $2}' | \
cut -f 2 -d :`
# Clean out tables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Set up source nat: rewrite LAN traffic leaving via $EXT_IF
iptables --table nat --append POSTROUTING --out-interface $EXT_IF \
-j MASQUERADE
#iptables --table nat --append POSTROUTING -d 192.168.1.0/24 \
# -j MASQUERADE
#iptables --append FORWARD -s 192.168.1.0/24 -j ACCEPT
# Forward everything that arrives on $EXT_IF (this is not limited to
# replies, so unsolicited inbound traffic is forwarded to the LAN too)
iptables --append FORWARD --in-interface $EXT_IF -j ACCEPT
# Allow loopback traffic
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Internal DHCP (DHCP is UDP/67; the TCP rule is harmless but unused)
iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 \
--dport 67 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.0/24 \
--dport 67 -j ACCEPT
iptables -A INPUT -p tcp -i $EXT_IF --dport 67 -j DROP
iptables -A INPUT -p udp -i $EXT_IF --dport 67 -j DROP
# ssh internal and external
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# samba internal
iptables -A INPUT -p tcp -i $INT_IF \
--dport 139 -j ACCEPT
# Accept established connections
# (both rules are still commented out; with the DROP policy set below,
# replies to this host's own outbound connections are therefore dropped)
#iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -i $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forward anything coming from the LAN
iptables -A FORWARD -i $INT_IF -j ACCEPT
# Reject non-established connections.
#iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
# Default policy: drop all other connection attempts.
# Only connections defined above are allowed.
iptables -P INPUT DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/conf/${EXT_IF}/rp_filter
#iptables -A OUTPUT -p icmp -d 0/0 -j DROP # block all icmp
# ftp external
# iptables -A INPUT -p tcp -i $EXT_IF --dport 21 -j ACCEPT
# iptables -A INPUT -p udp -i $EXT_IF --dport 21 -j ACCEPT
# http external
# iptables -A INPUT -p tcp -i $EXT_IF --dport 80 -j ACCEPT
# iptables -A INPUT -p udp -i $EXT_IF --dport 80 -j ACCEPT
# DEBUG ONLY!
#iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
#iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
########################################################################
[-- Attachment #3: stillnowork --]
[-- Type: application/octet-stream, Size: 913 bytes --]
# Generated by iptables-save v1.2.7a on Wed Jun 30 12:01:04 2004
*nat
:PREROUTING ACCEPT [59:6784]
:POSTROUTING ACCEPT [7:588]
:OUTPUT ACCEPT [21:1466]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 30 12:01:04 2004
# Generated by iptables-save v1.2.7a on Wed Jun 30 12:01:04 2004
*filter
:INPUT DROP [1:48]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21:1309]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 67 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 67 -j DROP
-A INPUT -i ppp0 -p udp -m udp --dport 67 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT
-A FORWARD -i ppp0 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Wed Jun 30 12:01:04 2004
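As an added example (not from the thread, and not Jason's script), here is a small Python audit that parses the filter table of the stillnowork dump above and reports the gaps that line up with the symptoms described: an INPUT policy of DROP while the ESTABLISHED,RELATED rules are still commented out, no ICMP accept at all, and a FORWARD rule that accepts everything arriving on ppp0. The dump is embedded inline; the external interface name ppp0 is taken from the script.

```python
# Filter table from the "stillnowork" attachment, embedded to run offline.
STILLNOWORK = """\
*filter
:INPUT DROP [1:48]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21:1309]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 67 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 67 -j DROP
-A INPUT -i ppp0 -p udp -m udp --dport 67 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT
-A FORWARD -i ppp0 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""

def parse_save(text):
    """Map each table to its chain policies and its -A rules, in order."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            table["rules"].append(line)
    return tables

def audit(text, ext_if):
    """Return the filter-table gaps that match the symptoms in the thread."""
    f = parse_save(text)["filter"]
    inp = [r for r in f["rules"] if r.startswith("-A INPUT ")]
    findings = []
    if f["policy"].get("INPUT") == "DROP":
        # Without a conntrack rule, DROP also eats replies to this host's
        # own outbound traffic (DNS, ping, up2date) and any inbound ICMP.
        if not any("ESTABLISHED" in r for r in inp):
            findings.append("INPUT DROP without ESTABLISHED,RELATED accept")
        if not any("-p icmp" in r for r in inp):
            findings.append("INPUT DROP without any ICMP accept")
    # A bare "-A FORWARD -i ppp0 -j ACCEPT" forwards unsolicited Internet
    # traffic into the LAN; only ESTABLISHED,RELATED should come back that way.
    if f"-A FORWARD -i {ext_if} -j ACCEPT" in f["rules"]:
        findings.append(f"FORWARD accepts all traffic arriving on {ext_if}")
    return findings
```

Run `audit(STILLNOWORK, "ppp0")` to get the three findings; feeding it a dump with conntrack and ICMP rules added returns an empty list.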
* Re: Still having problems...
From: David Cary Hart @ 2004-06-30 20:44 UTC (permalink / raw)
To: Sam Loy; +Cc: netfilter
On Wed, 2004-06-30 at 14:30, Sam Loy wrote:
> I'm sorry to be such a newbie, but I still cannot get my firewall up and
> running.
>
> Actually, I had it working with the enclosed script, until I generated
> /etc/sysconfig/iptables using /sbin/service iptables save.
>
I'm not sure what OS you are using, but I have found that the easiest
way to configure netfilter is through the Webmin modules. Have you tried
it?
> After I tried to get things to spin up at boot time it quit
> working... not sure what I did.
>
> I erased my tracks, can still ping and set the net before loading
> iptables. Afterwards, I can't even ping the 192.168.1.1 interface on
> the same machine!
>
> Anyway, Jason, Antony, Dick, a lot of you have been very helpful. Thank
> you so much for your continued help and patience.
>
> It is starting to make sense, but I still don't get it. I'm also in the
> process of up2dating my Linux. Maybe that will help.
>
> fwscript is the script I'm using (from Jason with slight mods). I run
> it after I connect ppp0 and get an IP from my ISP, before running
> dhcpd. stillnowork is the output of iptables-save.
>
> Like I said, it worked until I tried to get it to start at boot time.
>
> Thanks,
>
> Sam
--
David Cary Hart
Hart's PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x58A60BB1