From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: Iptables
Date: Thu, 19 May 2005 15:33:48 -0400
Message-ID: <20050519193348.GA8623@bender.817west.com>
In-Reply-To: <200505191945.22293.chadley@pinteq.co.za>

On Thu, May 19, 2005 at 07:45:22PM +0200, Chadley Wilson wrote:
> Greetings,
> 
> Sort of still a newbie with iptables! I've been at it for a while, but 
> struggle to understand when things don't work when I think they are right.
> 
> OK, here's the problem:
> 
> I have a dns server configured, master zone int network, slave is external dns 
> box.
> 
> Dhcp server only internal.
> 
> Iptables must do the following:
> allow one int ip (me) to the external int face for everything. (the external 
> interface is actually our other internal network which has the gateway to the 
> internet)
> 
> when I set my default policy to drop, my DNS and windows file sharing from the 
> ext network doesn't work. My mail and internet still work. I have removed the 
> broken lines and set my policy back to ACCEPT. But I would feel much safer if 
> it were drop and only allow services that I choose. As it is now, I can 
> access the net, mail and windows file shares, the dns for the FTP server is 
> working and all is bliss.
> How do I make this more secure?
> 
> etel is our gateway
> my router has 6 cards in it. 5 are bond0 1 eth0 int and ext respectively.  
> 
> Attached is my iptables file, 
> 
> Please could someone show me what is wrong, I can't figure it out.

> ########    Firewall Setup     ##################
> ########      Config           ##################
> #set -x
> ipt="/usr/sbin/iptables"
> ext="eth0"
> int="bond0"
> lo="127.0.0.1"
> chad="192.168.2.5"
> etel="196.25.100.28"
> #################################################
> 
> #################################################
> ####                                         ####
> ####               BASIC SETUP               ####
> ####                                         ####
> #################################################
> 
> #Enable IP Forwarding
> echo "1" >> /proc/sys/net/ipv4/ip_forward
> 
> #Clear All Tables
> ${ipt} -t filter -F
> ${ipt} -t nat -F

there's also a mangle table...

  iptables -t mangle -F

> ##  Allow all from local interfaces [localhost]
> ${ipt} -t filter -A INPUT -s ${lo} -j ACCEPT
> 
> 
> ##  Allow all prerouting
> ${ipt} -t nat -A PREROUTING -s 192.168.2.0/255.255.255.0 -j ACCEPT
> ${ipt} -t nat -A PREROUTING -s 196.25.100.5/255.255.255.0 -j ACCEPT

um--what exactly are you trying to accomplish with these?

> ##  Allow all forwarding
> ${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -m state --state RELATED,ESTABLISHED -j ACCEPT
> ${ipt} -t filter -A FORWARD -i ${ext} -o ${int} -m state --state RELATED,ESTABLISHED -j ACCEPT

how about just:

  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

> ##  Allow pings 
> ${ipt} -t filter -A INPUT -p icmp -j ACCEPT
> 
> ##  Keep established connections on all interfaces
> ${ipt} -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

we just did this above...

> ${ipt} -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> ##  Accept www from internet {ext}
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 80 -j ACCEPT

you run a web server on your firewall?

> #################################################
> ####                                         ####
> ####                RULES                    ####
> ####                                         ####
> #################################################
> 
> ##  Masquerade {chad} outgoing to internet
> ${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -j MASQUERADE
> ${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -s ${chad} -j ACCEPT
> 
> ##  Accept SSH from {etel}
> ${ipt} -t filter -A INPUT -i ${ext} -s ${etel} -p tcp --dport 22 -j ACCEPT
> 
> ##  Accept ssh from all internal
> ${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 22 -j ACCEPT
> 
> ## Accept telnet
> ${ipt} -t filter -A INPUT -p tcp --dport 23 -j ACCEPT
> ${ipt} -t filter -A INPUT -p udp --dport 23 -j ACCEPT

1) telnet only uses TCP, not UDP.
2) telnet?  c'mon, what is this?  1997?

> ##  Accept incoming SMTP
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 25 -j ACCEPT
> 
> ##  Accept external POP3
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 110 -j ACCEPT

you run SMTP and POP3 servers on your firewall too?  i'm sensing a
pattern here...

> ##  Allow mail from ext to int
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT

um--we've already ACCEPTed all ESTABLISHED,RELATED packets in
FORWARD--so it's redundant to keep using them in rules.  so we need to
create rules that allow packets that are NEW.  if you're trying to allow
$chad to connect to 196.25.100.21 on SMTP and POP3--those should be
dport, not sport:

  iptables -A FORWARD -i $int -o $ext -p tcp -s $chad \
    -d 196.25.100.21 --dport 25 -j ACCEPT

  iptables -A FORWARD -i $int -o $ext -p tcp -s $chad \
    -d 196.25.100.21 --dport 110 -j ACCEPT

from the text of your message, you want to allow $chad out on any
service, though--right?  then how about:

  iptables -A FORWARD -i $int -o $ext -p tcp -s $chad -j ACCEPT

(which you already have in here if we scroll back up a bit)

> ##  Allow DNS updates
> ${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 53 -j ACCEPT
> ${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 53 -j ACCEPT

the DNS server runs on the firewall too, eh?  how's about:

  iptables -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -j ACCEPT

(you need TCP for zone transfers, and UDP for regular name resolution
requests)

> ## Accept all from local interfaces
> ${ipt} -t filter -A INPUT -i ${int} -j ACCEPT
> ${ipt} -t filter -A INPUT -i ${int} -j ACCEPT

a rule so nice, we need it twice?

> ## Drop all the rest, incoming , and forward between interfaces
> #${ipt} -t filter -A INPUT -j DROP
> #${ipt} -t filter -A FORWARD -j DROP

-j

--
"Peter: Hey, Brian. If cops are pigs, does that make you a Snausage?
 Brian: Clever, Peter. Did you stay up all night writing that?
 Peter: No, I got to bed around two, two-thirty."
        --Family Guy
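The reply above points at a handful of fixes one at a time (flush the mangle table too, accept RELATED,ESTABLISHED once per chain, match on --dport rather than --sport, drop the UDP telnet rule, don't list the same rule twice) without ever showing the whole ruleset with the DROP policy Chadley wanted. The script below is an added example, not code from either poster: it assembles those suggestions into one default-DROP ruleset using the interface names and addresses from the thread (eth0, bond0, 192.168.2.5, 196.25.100.28). The telnet rules are left out on purpose, and the blanket internal accept is kept once, which is why the separate internal ssh and DNS rules from the original script are no longer needed. `IPT` defaults to `echo iptables` so the script prints the commands instead of touching the kernel; set `IPT=/usr/sbin/iptables` to apply them.

```shell
#!/bin/sh
# Added example: default-DROP rewrite of the thread's firewall script.
# Dry-run by default: IPT="echo iptables" prints each command instead of
# applying it. Run with IPT=/usr/sbin/iptables (as root) to load the rules.
IPT="${IPT:-echo iptables}"
EXT=eth0            # towards the other network / internet gateway
INT=bond0           # internal LAN
CHAD=192.168.2.5    # the one internal host allowed out for everything
ETEL=196.25.100.28  # external gateway host allowed to ssh in

build_rules() {
    # Flush all three tables, not just filter and nat.
    for t in filter nat mangle; do
        $IPT -t "$t" -F
    done

    # Default deny: anything not explicitly accepted below is dropped,
    # which is what the commented-out "-j DROP" lines were trying to do.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback by interface rather than by source address 127.0.0.1,
    # so a packet arriving on eth0 with a spoofed loopback source is not accepted.
    $IPT -A INPUT -i lo -j ACCEPT

    # One stateful rule per chain is enough; every later rule then only
    # has to describe NEW connections.
    $IPT -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    $IPT -A INPUT -p icmp -j ACCEPT

    # Trust the internal interface once (covers ssh, DNS updates, DHCP,
    # and Windows file sharing from the LAN).
    $IPT -A INPUT -i "$INT" -j ACCEPT

    # Services the firewall itself exposes towards the external side.
    $IPT -A INPUT -i "$EXT" -s "$ETEL" -p tcp --dport 22  -j ACCEPT
    $IPT -A INPUT -i "$EXT" -p tcp --dport 53  -j ACCEPT   # zone transfers
    $IPT -A INPUT -i "$EXT" -p udp --dport 53  -j ACCEPT   # name lookups
    $IPT -A INPUT -i "$EXT" -p tcp --dport 25  -j ACCEPT
    $IPT -A INPUT -i "$EXT" -p tcp --dport 80  -j ACCEPT
    $IPT -A INPUT -i "$EXT" -p tcp --dport 110 -j ACCEPT

    # $CHAD may open NEW connections to anything on the external side;
    # the stateful FORWARD rule above lets the replies back in.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$CHAD" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$CHAD" -j MASQUERADE
}

build_rules
```

Run it once in dry-run mode and read the output top to bottom: with the policies set to DROP, the order matters, so the stateful and loopback accepts sit before every service rule, and each service appears exactly once. Nothing here allows the external side to reach the Windows file-sharing ports, which is what broke for Chadley under a DROP policy; if that traffic is really wanted from the other network it needs its own explicit INPUT rule rather than an ACCEPT default.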

