Help with a firewall script

Help with a firewall script

[John P. Lang]

Good Morning,

I am definitely not understanding something after reading a handful of
tutorials and mail threads.  I though I'd ask the experts for a hand.

I have a web server that sits behind the firewall.  I need the web server to
have access to the internet (http traffic).

I have a handful of dnat rules sending http traffic and a couple of others
to our internal web server.
The web server cannot access the internet. I believe that web requests are
being sent back to the web server?

Are there any special rules that I would need to add to allow the web server
access to DNS and HTTP?

Thanks,

John


#=================================
# Set some variables
#=================================
IPT=/sbin/iptables
LOGOPT="--log-level=3 -m limit --limit 1/second --limit-burst 10"
EXTIP="xxx.xxx.xxx.xxx"
WEBIP="192.168.100.254"
EXTNIC="eth2"
INTNIC="eth0"
SHUNIP=""
echo "Done with variables"

#=================================
#Load modules
#=================================
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Finished loading modules"

#=================================
# Check if we can run iptables
#=================================
if [ ! -x $IPT ]
        then
        echo "firewall:  can't execute \IPTABLES"
        exit 1
fi


#=================================
# Flush and build chains
#=================================

$IPT --flush
$IPT --table nat --flush
$IPT --delete-chain
$IPT --table nat --delete-chain

# LOGGING CHAIN
$IPT -N LDROP
$IPT -A LDROP -j LOG --log-prefix "IPT Drop: " $LOGOPT
$IPT -A LDROP -j DROP

$IPT -N LFLOOD
$IPT -A LFLOOD -j LOG --log-prefix "IPT Flood: " $LOGOPT
$IPT -A LFLOOD -j DROP

$IPT -N LFLAGS
$IPT -A LFLAGS -j LOG --log-prefix "IPT Flags: " $LOGOPT
$IPT -A LFLAGS -j DROP

$IPT -N LSHUN
$IPT -A LSHUN -j LOG --log-prefix "IPT Shun: " $LOGOPT
$IPT -A LSHUN -j DROP


$IPT -N LPRE
$IPT -A LPRE -j LOG --log-prefix "IPT PreRoute: " $LOGOPT
echo "Chains flushed and created"




#=================================
#Take care of the shun'd IP's
#=================================
$IPT -N SHUN
for ip in $SHUNIP; do
        $IPT -A SHUN -s $ip -j LSHUN
        $IPT -A SHUN -d $ip -j LSHUN
done

$IPT -A INPUT -j SHUN
$IPT -A INPUT -j ACCEPT

$IPT -A OUTPUT -j SHUN
$IPT -A OUTPUT -j ACCEPT

$IPT --table nat --append POSTROUTING --out-interface $EXTNIC -j MASQUERADE

$IPT --append FORWARD --in-interface $INTNIC -j ACCEPT
echo "Done with SHUN IP's"

#=================================
# Forwards
#=================================

#$IPT -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128 #
Put through squid
$IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 3389 -j DNAT
--to-destination $WEBIP # Term Svc
$IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 80 -j DNAT
--to-destination $WEBIP   # HTTP Traffic
$IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 20 -j DNAT
--to-destination $WEBIP   # FTP
$IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 21 -j DNAT
--to-destination $WEBIP   # FTP
$IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 1755 -j DNAT
--to-destination $WEBIP # Windows Media
$IPT -t nat -A PREROUTING -i $EXTNIC -p udp -d $EXTIP --dport 1755 -j DNAT
--to-destination $WEBIP # Windows Media

echo "Done with Forwards"
echo "Firewall Complete"
iptables-errors

Re: Help with a firewall script

[John A. Sullivan III]

On Sat, 2005-12-24 at 11:02 -0800, John P. Lang wrote:
> Good Morning,
> 
> I am definitely not understanding something after reading a handful of
> tutorials and mail threads.  I though I'd ask the experts for a hand.
> 
> I have a web server that sits behind the firewall.  I need the web server to
> have access to the internet (http traffic).
> 
> I have a handful of dnat rules sending http traffic and a couple of others
> to our internal web server.
> The web server cannot access the internet. I believe that web requests are
> being sent back to the web server?
> 
> Are there any special rules that I would need to add to allow the web server
> access to DNS and HTTP?
> 
> Thanks,
> 
> John
> 
> 
> #=================================
> # Set some variables
> #=================================
> IPT=/sbin/iptables
> LOGOPT="--log-level=3 -m limit --limit 1/second --limit-burst 10"
> EXTIP="xxx.xxx.xxx.xxx"
> WEBIP="192.168.100.254"
> EXTNIC="eth2"
> INTNIC="eth0"
> SHUNIP=""
> echo "Done with variables"
> 
> #=================================
> #Load modules
> #=================================
> modprobe iptable_nat
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo "Finished loading modules"
> 
> #=================================
> # Check if we can run iptables
> #=================================
> if [ ! -x $IPT ]
>         then
>         echo "firewall:  can't execute \IPTABLES"
>         exit 1
> fi
> 
> 
> #=================================
> # Flush and build chains
> #=================================
> 
> $IPT --flush
> $IPT --table nat --flush
> $IPT --delete-chain
> $IPT --table nat --delete-chain
> 
> # LOGGING CHAIN
> $IPT -N LDROP
> $IPT -A LDROP -j LOG --log-prefix "IPT Drop: " $LOGOPT
> $IPT -A LDROP -j DROP
> 
> $IPT -N LFLOOD
> $IPT -A LFLOOD -j LOG --log-prefix "IPT Flood: " $LOGOPT
> $IPT -A LFLOOD -j DROP
> 
> $IPT -N LFLAGS
> $IPT -A LFLAGS -j LOG --log-prefix "IPT Flags: " $LOGOPT
> $IPT -A LFLAGS -j DROP
> 
> $IPT -N LSHUN
> $IPT -A LSHUN -j LOG --log-prefix "IPT Shun: " $LOGOPT
> $IPT -A LSHUN -j DROP
> 
> 
> $IPT -N LPRE
> $IPT -A LPRE -j LOG --log-prefix "IPT PreRoute: " $LOGOPT
> echo "Chains flushed and created"
> 
> 
> 
> 
> #=================================
> #Take care of the shun'd IP's
> #=================================
> $IPT -N SHUN
> for ip in $SHUNIP; do
>         $IPT -A SHUN -s $ip -j LSHUN
>         $IPT -A SHUN -d $ip -j LSHUN
> done
> 
> $IPT -A INPUT -j SHUN
> $IPT -A INPUT -j ACCEPT
> 
> $IPT -A OUTPUT -j SHUN
> $IPT -A OUTPUT -j ACCEPT
> 
> $IPT --table nat --append POSTROUTING --out-interface $EXTNIC -j MASQUERADE
> 
> $IPT --append FORWARD --in-interface $INTNIC -j ACCEPT
> echo "Done with SHUN IP's"
> 
> #=================================
> # Forwards
> #=================================
> 
> #$IPT -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128 #
> Put through squid
> $IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 3389 -j DNAT
> --to-destination $WEBIP # Term Svc
> $IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 80 -j DNAT
> --to-destination $WEBIP   # HTTP Traffic
> $IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 20 -j DNAT
> --to-destination $WEBIP   # FTP
> $IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 21 -j DNAT
> --to-destination $WEBIP   # FTP
> $IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 1755 -j DNAT
> --to-destination $WEBIP # Windows Media
> $IPT -t nat -A PREROUTING -i $EXTNIC -p udp -d $EXTIP --dport 1755 -j DNAT
> --to-destination $WEBIP # Windows Media
> 
> echo "Done with Forwards"
> echo "Firewall Complete"
> iptables-errors
> 
> 
> 
After a very quick look, it appears that you are allowing outbound
traffic from the internal NIC but where are you allowing the reply
packets? Do you have a RELATED,ESTABLISHED rule anywhere? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

RE: Help with a firewall script

[John P. Lang]

John,

This is exactly where my confusion lies... I thought that

> $IPT --table nat --append POSTROUTING --out-interface $EXTNIC -j
MASQUERADE
> 
> $IPT --append FORWARD --in-interface $INTNIC -j ACCEPT

Would basically allow all of the traffic to go through.
Can you point me to a proper tutorial or example on how to properly do this?

Thanks,
John

> 
After a very quick look, it appears that you are allowing outbound
traffic from the internal NIC but where are you allowing the reply
packets? Do you have a RELATED,ESTABLISHED rule anywhere? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

RE: Help with a firewall script

[John A. Sullivan III]

The first rule changes the source address so the packet can traverse the
internet. The second rule is allowing the outbound packet but you will
need a rule to allow the reply packets such as:

iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

You can find an excellent tutorial at
http://iptables-tutorial.frozentux.net
There are also some slightly dated training slide shows in the training
section of the ISCS network security management project web site at
http://iscs.sourceforge.net

Hope it helps - John

On Sat, 2005-12-24 at 14:29 -0800, John P. Lang wrote:
> John,
> 
> This is exactly where my confusion lies... I thought that
> 
> > $IPT --table nat --append POSTROUTING --out-interface $EXTNIC -j
> MASQUERADE
> > 
> > $IPT --append FORWARD --in-interface $INTNIC -j ACCEPT
> 
> Would basically allow all of the traffic to go through.
> Can you point me to a proper tutorial or example on how to properly do this?
> 
> Thanks,
> John
> 
> > 
> After a very quick look, it appears that you are allowing outbound
> traffic from the internal NIC but where are you allowing the reply
> packets? Do you have a RELATED,ESTABLISHED rule anywhere? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com

RE: Help with a firewall script

[John P. Lang]

John,

Thanks a million.  That was exactly what I was looking for. (and the
examples made sense)

Merry Christmas!

John

-----Original Message-----
From: John A. Sullivan III [mailto:jsullivan@opensourcedevel.com] 
Sent: Saturday, December 24, 2005 4:11 PM
To: John P. Lang
Cc: netfilter@lists.netfilter.org
Subject: RE: Help with a firewall script

The first rule changes the source address so the packet can traverse the
internet. The second rule is allowing the outbound packet but you will
need a rule to allow the reply packets such as:

iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

You can find an excellent tutorial at
http://iptables-tutorial.frozentux.net
There are also some slightly dated training slide shows in the training
section of the ISCS network security management project web site at
http://iscs.sourceforge.net

Hope it helps - John

On Sat, 2005-12-24 at 14:29 -0800, John P. Lang wrote:
> John,
> 
> This is exactly where my confusion lies... I thought that
> 
> > $IPT --table nat --append POSTROUTING --out-interface $EXTNIC -j
> MASQUERADE
> > 
> > $IPT --append FORWARD --in-interface $INTNIC -j ACCEPT
> 
> Would basically allow all of the traffic to go through.
> Can you point me to a proper tutorial or example on how to properly do
this?
> 
> Thanks,
> John
> 
> > 
> After a very quick look, it appears that you are allowing outbound
> traffic from the internal NIC but where are you allowing the reply
> packets? Do you have a RELATED,ESTABLISHED rule anywhere? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com