* Help in IPTABLES
From: Mohammad Shakir @ 2003-01-11 5:46 UTC
To: netfilter
Dear Friends,
I have installed Red Hat Linux 7.3 with hostname SERVER1 and IP address 192.168.0.1, and have also configured squid, DHCP and DNS services; all are running well. I also have 30 Windows 98 PCs as clients with automatic IP, which get their gateway, DNS, DHCP server and so on from the DHCP server at 192.168.0.1.
Now I want any browsing request coming from a client to be automatically forwarded to my squid, which is running on port 3128, and all other requests to go out directly via ppp0. For this I configured one script, which is given below.
Is this script correct or not?
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
/sbin/iptables --table nat --append POSTROUTING -s 192.168.0.1/24 --out-interface ppp0 -j MASQUERADE
/sbin/iptables --append FORWARD --in-interface eth0 -j ACCEPT
This is the other setup.
I have set up two servers: hostname server1 with IP address 192.168.0.1 and hostname server2 with IP address 192.168.0.2. Both servers are connected by dialup separately and also have squid, DHCP and DNS services configured. I also have 100 Windows 98 PCs as clients with automatic IP, which get their gateway, DNS, DHCP server and so on from the DHCP server at 192.168.0.1.
Now I want any browsing request coming from a client to be automatically forwarded to my squid, which is running on port 3128 on server 192.168.0.2, and all other requests to go out directly via ppp0 of 192.168.0.1.
Please help me: what script should I make for this?
I hope you will help me in this regard.
Thanks
MOHAMMAD SHAKIR
* Re: Help in IPTABLES
From: hare ram @ 2003-01-11 6:41 UTC
To: Mohammad Shakir, netfilter
Hi,
Yes, that works fine.
Instead of that, you can also try routing your block of local IPs rather than the interface:
iptables -t nat -A PREROUTING -s 192.168.20.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
good luck
hare
* Re: Help in IPTABLES
From: Arnt Karlsen @ 2003-01-11 7:57 UTC
To: netfilter
On Fri, 10 Jan 2003 21:46:56 -0800 (PST),
Mohammad Shakir <shakirz1@yahoo.com> wrote in message
<20030111054656.20063.qmail@web40711.mail.yahoo.com>:
> Dear Friends,
>
> I have installed Red Hat Linux 7.3 with hostname SERVER1 and IP address 192.168.0.1, and have also configured squid, DHCP and DNS services; all are running well. I also have 30 Windows 98 PCs as clients with automatic IP, which get their gateway, DNS, DHCP server and so on from the DHCP server at 192.168.0.1.
> Now I want any browsing request coming from a client to be automatically forwarded to my squid, which is running on port 3128, and all other requests to go out directly via ppp0. For this I configured one script, which is given below.
>
> Is this script correct or not?
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
..echo 0 here...
> /sbin/iptables --flush
> /sbin/iptables --table nat --flush
> /sbin/iptables --delete-chain
> /sbin/iptables --table nat --delete-chain
>
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> /sbin/iptables --table nat --append POSTROUTING -s 192.168.0.1/24 --out-interface ppp0 -j MASQUERADE
> /sbin/iptables --append FORWARD --in-interface eth0 -j ACCEPT
>
...and echo 1 here at the end, to close the barn door.
> This is the other setup.
>
> I have set up two servers: hostname server1 with IP address 192.168.0.1 and hostname server2 with IP address 192.168.0.2. Both servers are connected by dialup separately and also have squid, DHCP and DNS services configured. I also have 100 Windows 98 PCs as clients with automatic IP, which get their gateway, DNS, DHCP server and so on from the DHCP server at 192.168.0.1.
>
> Now I want any browsing request coming from a client to be automatically forwarded to my squid, which is running on port 3128 on server 192.168.0.2, and all other requests to go out directly via ppp0 of 192.168.0.1.
> Please help me: what script should I make for this?
>
> I hope you will help me in this regard.
>
> Thanks
>
> MOHAMMAD SHAKIR
..unless you can afford to hire my firm, learn from
http://tldp.org/HOWTO/HOWTO-INDEX/networking.html .
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Help in IPTABLES
From: Joel Newkirk @ 2003-01-11 8:31 UTC
To: Mohammad Shakir, netfilter
On Saturday 11 January 2003 12:46 am, Mohammad Shakir wrote:
> Dear Friends,
>
> I have installed Red Hat Linux 7.3 with hostname SERVER1 and IP address 192.168.0.1, and have also configured squid, DHCP and DNS services; all are running well. I also have 30 Windows 98 PCs as clients with automatic IP, which get their gateway, DNS, DHCP server and so on from the DHCP server at 192.168.0.1.
> Now I want any browsing request coming from a client to be automatically forwarded to my squid, which is running on port 3128, and all other requests to go out directly via ppp0. For this I configured one script, which is given below.
>
> Is this script correct or not?
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> /sbin/iptables --flush
> /sbin/iptables --table nat --flush
> /sbin/iptables --delete-chain
> /sbin/iptables --table nat --delete-chain
>
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> /sbin/iptables --table nat --append POSTROUTING -s 192.168.0.1/24 --out-interface ppp0 -j MASQUERADE
> /sbin/iptables --append FORWARD --in-interface eth0 -j ACCEPT
You also need a rule (or rules) to allow reply traffic back through the
FORWARD chain. The following would probably suffice:
/sbin/iptables -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
In addition, to use the MASQUERADE target you also need to enable
tracking of the interface's dynamic IP with:
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
If the IP is static, just use "-j SNAT --to " and the static IP.
I would _STRONGLY_ suggest that you set default DROP policy for all three
filter chains, (INPUT, OUTPUT, and FORWARD with either "-t filter" or no
table specified) and explicit ACCEPT rules for INPUT and OUTPUT that the
server requires. (Don't forget that this includes dport 3128 in and
dport 80 out for squid to work, as well as DHCP and DNS traffic.) This
will also require ACCEPT rules for FORWARD traffic, but the one you have
listed plus the one I noted should handle any traffic FROM the LAN and
any replies TO the LAN. Finally, to be safe, you should only enable
forwarding (your first line above) AFTER you have set DROP policy,
preferably after all rules are in place.
If you really trust your LAN, you can fly with the FORWARD rule you have,
but you can also tighten things up quite a bit in the FORWARD chain by
ACCEPTing only specific traffic. If you do this, you can add another
EST/REL rule for traffic from the LAN, or just remove the interface
match from the one suggested above.
It's not vital to have DROP policy for OUTPUT, but it IS pretty much
vital to DROP anything you don't explicitly need in INPUT, and probably
FORWARD. As this ruleset stands, anyone on the internet can connect to
any port on this server, which is a really bad idea.
> This is the other setup.
>
> I have set up two servers: hostname server1 with IP address 192.168.0.1 and hostname server2 with IP address 192.168.0.2. Both servers are connected by dialup separately and also have squid, DHCP and DNS services configured. I also have 100 Windows 98 PCs as clients with automatic IP, which get their gateway, DNS, DHCP server and so on from the DHCP server at 192.168.0.1.
>
> Now I want any browsing request coming from a client to be automatically forwarded to my squid, which is running on port 3128 on server 192.168.0.2, and all other requests to go out directly via ppp0 of 192.168.0.1.
> Please help me: what script should I make for this?
Essentially the same setup on server1 as your previous scenario, all my
comments apply here as well. Clients should be configured with server1
as their gateway, and instead of "-j REDIRECT --to-port 3128" you use
"-j DNAT --to 192.168.0.2:3128". Make sure that these packets are
allowed through the FORWARD chain now.
Server2 will need to accept connections in INPUT from server1, but should
probably REJECT others from the LAN. It should have no need to forward
at all, and anything but replies from the internet should just be
DROPped. It will also need a MASQUERADE rule for outbound traffic to
the internet.
For redundancy, you could set up server2 with the DNS and DHCP
configuration from server1, but not enable these services. (actually you
could even let them run, if the firewall doesn't allow INPUT or OUTPUT
for them) Also keep a copy of server1's firewall script (from first
scenario above, or second scenario modified to use REDIRECT instead of
DNAT) on server2. This way if server1 goes down, or its connection
fails, server2 can take over with just an IP change, start DNS & DHCP,
and run the alternate firewall script. The same ability would work in
reverse, but easier: if server2 goes down you could delete the DNAT
rule and insert a FORWARD rule to allow traffic through unhindered (and
unproxied), or set up squid on server1 and replace the DNAT with
REDIRECT.
> I hope you will help me in this regard.
>
> Thanks
>
> MOHAMMAD SHAKIR
j
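A hardened version of the script along the lines Joel and Arnt describe, covering both scenarios in one file (added example, not a script posted in this thread). It assumes eth0 with 192.168.0.0/24 for the LAN, ppp0 for the dialup, squid on 3128, and PROXY_HOST=192.168.0.2 for the second scenario; the commands are only printed unless it is run as `sh firewall.sh apply` by root.

```shell
#!/bin/sh
# Firewall script assembled from Joel's and Arnt's advice (added example, not a
# script anyone posted). Assumed layout: LAN on eth0 as 192.168.0.0/24, dialup
# on ppp0, squid on 3128. PROXY_HOST empty = scenario 1 (squid here, REDIRECT);
# PROXY_HOST=192.168.0.2 = scenario 2 (squid on server2, DNAT). Without the
# "apply" argument the commands are only printed, so the ruleset can be reviewed.
LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.0.0/24
SQUID_PORT=3128
PROXY_HOST=${PROXY_HOST:-}
case "${1:-}" in apply) DRY_RUN= ;; *) DRY_RUN=1 ;; esac

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }
ipt() { run /sbin/iptables "$@"; }
# write a /proc/sys knob (printed as an echo command under DRY_RUN)
sysctl_set() { if [ -n "$DRY_RUN" ]; then printf 'echo %s > %s\n' "$2" "$1"; else echo "$2" > "$1"; fi; }

apply_firewall() {
    # Arnt's point: stop forwarding before the chains are flushed, so the box
    # never forwards while the policies are ACCEPT and the chains are empty
    sysctl_set /proc/sys/net/ipv4/ip_forward 0
    ipt --flush
    ipt --table nat --flush
    ipt --delete-chain
    ipt --table nat --delete-chain
    # Joel's point: default DROP on all three filter chains, then explicit ACCEPTs
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # what the LAN may open on this server (DNS, DHCP) and what it needs outbound
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT
    if [ -z "$PROXY_HOST" ]; then
        # scenario 1: LAN web traffic to the local squid, which fetches over ppp0
        ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
        ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j ACCEPT
        ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    else
        # scenario 2: DNAT to server2. The packets now cross FORWARD and must be
        # let through; they are also source-NATed so server2 replies via this box
        # rather than straight to the client (server2 sees server1 as the source)
        ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j DNAT --to "$PROXY_HOST:$SQUID_PORT"
        ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$PROXY_HOST" -p tcp --dport "$SQUID_PORT" -j ACCEPT
        ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$PROXY_HOST" -p tcp --dport "$SQUID_PORT" -j MASQUERADE
    fi
    # everything else from the LAN leaves masqueraded over ppp0; replies return via state
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    sysctl_set /proc/sys/net/ipv4/ip_dynaddr 1
    # only now, with policies and rules in place, reopen forwarding
    sysctl_set /proc/sys/net/ipv4/ip_forward 1
}

apply_firewall
```

Run it once without arguments and read the printed command list before applying: the first line must be the `echo 0` and the last the `echo 1`, with the three DROP policies between them.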
* Re: Help in IPTABLES
From: Joel Newkirk @ 2003-01-12 2:32 UTC
To: Arnt Karlsen, netfilter
On Saturday 11 January 2003 02:57 am, Arnt Karlsen wrote:
> On Fri, 10 Jan 2003 21:46:56 -0800 (PST),
> Mohammad Shakir <shakirz1@yahoo.com> wrote in message
>
> <20030111054656.20063.qmail@web40711.mail.yahoo.com>:
> > Dear Friends,
[snipped]
> > Please help my what script I make for this.
> >
> > I hope you will help me in this regard.
> >
> > Thanks
> >
> > MOHAMMAD SHAKIR
>
> ..unless you can afford to hire my firm, learn from
> http://tldp.org/HOWTO/HOWTO-INDEX/networking.html .
I think that's pretty unnecessary. Referring to a useful reference is
great. Doing so with an attitude isn't. This IS the netfilter user
list. People come here with questions, often with minimal experience
and background. In fact Mr Shakir's post included a script (which needs
some work, which I noted in my reply) and then asked for advice on a
second similar situation. If all you have to offer is a link and a kick
in the ass, why bother?
j
* Re: Help in IPTABLES
From: Arnt Karlsen @ 2003-01-12 8:01 UTC
To: netfilter
On Sat, 11 Jan 2003 21:32:00 -0500,
Joel Newkirk <netfilter@newkirk.us> wrote in message
<200301112132.00991.netfilter@newkirk.us>:
> On Saturday 11 January 2003 02:57 am, Arnt Karlsen wrote:
> > On Fri, 10 Jan 2003 21:46:56 -0800 (PST),
> > Mohammad Shakir <shakirz1@yahoo.com> wrote in message
> >
> > <20030111054656.20063.qmail@web40711.mail.yahoo.com>:
> > > Dear Friends,
>
> [snipped]
>
> > > Please help my what script I make for this.
> > >
> > > I hope you will help me in this regard.
> > >
> > > Thanks
> > >
> > > MOHAMMAD SHAKIR
> >
> > ..unless you can afford to hire my firm, learn from
> > http://tldp.org/HOWTO/HOWTO-INDEX/networking.html .
>
> I think that's pretty unnecessary. Referring to a useful reference is
> great. Doing so with an attitude isn't. This IS the netfilter user
> list. People come here with questions, often with minimal experience
..seeing what came here, I agree. Mohammad, I apologize.
> and background. In fact Mr Shakir's post included a script (which
..yes, people often get into working close to the borders on our
competence and need help, and can pay for it, at other times we
cannot pay for help, and need advice to know how to do it ourselves.
..the wee point I was trying to make, is an iptables firewall is
vulnerable while it is being set up, so echo "0" first to stop
forwarding, set up the firewall, and echo "1" at the end of the
script to start forwarding again, a wee nit into your helpful
responses to him.
> needs some work, which I noted in my reply) and then asked for advice
> on a second similar situation. If all you have to offer is a link and
> a kick in the ass, why bother?
..I believe gentle kicks into the right direction are warranted.
Like your kick here. ;-)
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Help in IPTABLES
From: Joel Newkirk @ 2003-01-13 20:30 UTC
To: Arnt Karlsen, netfilter
On Sunday 12 January 2003 03:01 am, Arnt Karlsen wrote:
> ..the wee point I was trying to make, is an iptables firewall is
> vulnerable while it is being set up, so echo "0" first to stop
> forwarding, set up the firewall, and echo "1" at the end of the
> script to start forwarding again, a wee nit into your helpful
> responses to him.
I do this myself in my script, but believe there is an additional
solution, at least for some distros:
I'm running RedHat 7.3, and so everything runs off SysV-Init. I was
greatly bothered by the fact that the S07iptables startup link would get
run quite a bit (well, a few seconds at least :^) before my firewall
would. Changing my firewall to a lower number in the sequence wouldn't
work easily, since I'm on a Dynamic IP at the moment and had to start up
ADSL to get the IP, since I use it 'statically' in SNAT. It also would
need (or at least want) syslog up and running. Couldn't easily move
ADSL up in the sequence, since it depended on networking in general.
Everything is pretty much fixed in the sequence it already starts in.
Then it occurred to me: Modify the /etc/init.d/iptables script to set
DROP policies, instead of the horribly shortsighted ACCEPT default it
uses. As soon as this occurred to me I changed it, and I feel much more
comfortable now, knowing that if the whole startup collapses right after
iptables and network scripts, I'm still not wide open.
My sequence now is
iptables->ip6tables->network->syslog->ADSL->firewall->ip6firewall->freenet
(freenet is the startup for the IPv6inIPv4 tunnel)
I modified the /etc/init.d/iptables script to set DROP policies in both
the 'start' and 'stop' functions.
Despite being more comfortable with this, I'd like to hear if anyone sees
a hole in my reasoning.
j
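A fail-closed start/stop pair for a SysV-style /etc/init.d/iptables along the lines Joel describes (added example; not his edit and not the Red Hat script). It assumes /etc/sysconfig/iptables as the saved ruleset for iptables-restore and only prints the commands unless APPLY is set.

```shell
#!/bin/sh
# Fail-closed start/stop actions for a SysV-style /etc/init.d/iptables, in the
# spirit of Joel's change (added example; not his edit and not the Red Hat
# script). Both actions leave the filter chains at DROP, so a boot that dies
# between this script and the real firewall script does not leave the box open.
# RULES is the saved ruleset for iptables-restore (assumed path). Unless APPLY
# is set, commands are only printed, so the logic can be checked without root.
RULES=${RULES:-/etc/sysconfig/iptables}
[ -n "${APPLY:-}" ] || DRY_RUN=1

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }
ipt() { run /sbin/iptables "$@"; }

# close the filter policies first, then empty every table: at no point during
# the flush are the chains empty with an ACCEPT policy behind them
fail_closed() {
    for chain in INPUT FORWARD OUTPUT; do ipt -P "$chain" DROP; done
    for table in filter nat mangle; do
        ipt -t "$table" -F
        ipt -t "$table" -X
    done
}

# the stock script sets ACCEPT on stop; this leaves DROP instead
fw_stop() { fail_closed; }

# start: close, then load the saved rules (the saved file's own policy lines
# must also say DROP, or the restore would reopen the chains)
fw_start() {
    fail_closed
    if [ -f "$RULES" ]; then run /sbin/iptables-restore "$RULES"; fi
}

case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```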
* Re: Help in IPTABLES
From: Andrew Smith @ 2003-01-14 4:33 UTC
To: netfilter
> On Sunday 12 January 2003 03:01 am, Arnt Karlsen wrote:
>
>> ..the wee point I was trying to make, is an iptables firewall is
>> vulnerable while it is being set up, so echo "0" first to stop
>> forwarding, set up the firewall, and echo "1" at the end of the
>> script to start forwarding again, a wee nit into your helpful
>> responses to him.
>
> I do this myself in my script, but believe there is an additional
> solution, at least for some distros:
>
> I'm running RedHat 7.3, and so everything runs off SysV-Init. I was
> greatly bothered by the fact that the S07iptables startup link would
> get run quite a bit (well, a few seconds at least :^) before my
> firewall would. Changing my firewall to a lower number in the
> sequence wouldn't work easily, since I'm on a Dynamic IP at the moment
> and had to start up ADSL to get the IP, since I use it 'statically' in
> SNAT. It also would need (or at least want) syslog up and running.
> Couldn't easily move ADSL up in the sequence, since it depended on
> networking in general. Everything is pretty much fixed in the
> sequence it already starts in.
>
> Then it occurred to me: Modify the /etc/init.d/iptables script to set
> DROP policies, instead of the horribly shortsighted ACCEPT default it
> uses. As soon as this occurred to me I changed it, and I feel much
> more comfortable now, knowing that if the whole startup collapses
> right after iptables and network scripts, I'm still not wide open.
>
> My sequence now is
> iptables->ip6tables->network->syslog->ADSL->firewall->ip6firewall->freenet
> (freenet is the startup for the IPv6inIPv4 tunnel)
>
> I modified the /etc/init.d/iptables script to set DROP policies in both
> the 'start' and 'stop' functions.
>
> Despite being more comfortable with this, I'd like to hear if anyone
> sees a hole in my reasoning.
>
> j
Totally lacking in useful details but ...
I set up 2 client machines with RH7.3 back in August ...
I always modify the "network" script to run my own rc.firewall (that's just how I do it ;-)
I used to do it before the interfaces came up; I've now changed it to do so AFTER the interfaces come up.
The reason is that 7.3 wouldn't forward packets to the internet unless my firewall script was run after the interfaces started. Internet connection using ADSL.
(I liked the "before" option because it avoided the short hole in security while booting ... on ipchains)
I didn't go into the details of what was going on, but I worked it out by reinstalling my own 6.2 firewall as 7.3 and then spotted the solution to whatever problem I had caused (I never worked out exactly what the problem was) by the fact that it worked if I AGAIN ran my rc.firewall after it had finished booting.
Anyway - just a hint if you happen to get the same problem with your "iptables->ip6tables->network->syslog->ADSL->firewall->ip6firewall->freenet", though it may never happen to you ...
I never did bother to work out the true cause :-)
--
-Cheers
-Andrew
MS ... if only he hadn't been hang gliding!