From: Madison Kelly
Subject: Into NAT'ed server okay, can't get out...
Date: Mon, 16 Feb 2004 19:44:07 -0500
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <403163D7.7080902@alteeve.com>
To: netfilter@lists.netfilter.org

Hi all,

I have a test network here that I am trying to write a firewall script for, with three NICs: eth0 = LAN, eth1 = NAT'ed servers and eth2 = Internet (Fedora Core 1, iptables 1.2.9, 2.4.2149 kernel).

I have the LAN clients behind the firewall connecting to the Internet fine (the LAN is on 192.168.1.0/24, SNAT'ed behind the firewall's static public IP), and from the outside world I can connect via SSH (port 22) to the public servers, which are DNAT/SNAT'ed behind the firewall with one IP apiece (they are on a separate local LAN subnet, 192.168.2.0/24). But for some reason I can't figure out, I cannot get the server client to get out onto the Internet itself.

I have tried inserting rules at the top of the FORWARD chain to say:

  /sbin/iptables -t filter -I FORWARD -i eth1 -o eth2 -j ACCEPT
  /sbin/iptables -t filter -I FORWARD -i eth2 -o eth1 -j ACCEPT

which should have allowed communication through (though with no protection, I realize), but even that didn't work. I think I've got SNAT and DNAT set up right because I can SSH into a test server from the Internet (as I should), but I just can't get out on that same server.

Here is the output (cleaned) from 'iptables-save'. Can anyone tell me where I have gaffed?

Thanks!!

Madison

PS - The script I am using to create these rules is a -heavily- modified Monmotha firewall script.
-= From 'iptables-save >iptables.out' =-

# Generated by iptables-save v1.2.9 on Mon Feb 16 16:45:08 2004
*mangle
:PREROUTING ACCEPT [66:3456]
:INPUT ACCEPT [66:3456]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:13144]
:POSTROUTING ACCEPT [66:13144]
COMMIT
# Completed on Mon Feb 16 16:45:08 2004
# Generated by iptables-save v1.2.9 on Mon Feb 16 16:45:08 2004
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 111.222.33.44 -j DNAT --to-destination 192.168.2.12
-A PREROUTING -d 111.222.33.45 -j DNAT --to-destination 192.168.2.11
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth2 -j SNAT --to-source 111.222.33.43
-A POSTROUTING -s 192.168.2.12 -j SNAT --to-source 111.222.33.44
-A POSTROUTING -s 192.168.2.11 -j SNAT --to-source 111.222.33.45
COMMIT
# Completed on Mon Feb 16 16:45:08 2004
# Generated by iptables-save v1.2.9 on Mon Feb 16 16:45:08 2004
*filter
:INPUT DROP [2:116]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [46:11032]
:INETIN - [0:0]
:INETOUT - [0:0]
:LDROP - [0:0]
:LREJECT - [0:0]
:LTREJECT - [0:0]
:PUBIN - [0:0]
:PUBOUT - [0:0]
:TCPACCEPT - [0:0]
:TREJECT - [0:0]
:UDPACCEPT - [0:0]
:ULDROP - [0:0]
:ULREJECT - [0:0]
:ULTREJECT - [0:0]
-A INPUT -p tcp -m mac --mac-source 00:11:22:33:44:55 -m tcp --dport 22 -j TCPACCEPT
-A INPUT -p tcp -m mac --mac-source 00:11:22:33:44:56 -m tcp --dport 22 -j TCPACCEPT
-A INPUT -p tcp -m mac --mac-source 00:11:22:33:44:57 -m tcp --dport 22 -j TCPACCEPT
-A INPUT -p udp -m mac --mac-source 00:11:22:33:44:55 -m udp --dport 22 -j UDPACCEPT
-A INPUT -p udp -m mac --mac-source 00:11:22:33:44:56 -m udp --dport 22 -j UDPACCEPT
-A INPUT -p udp -m mac --mac-source 00:11:22:33:44:57 -m udp --dport 22 -j UDPACCEPT
-A INPUT -i eth2 -j INETIN
-A INPUT -i eth1 -j INETIN
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j UDPACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j UDPACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -j INETIN
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j INETIN
-A FORWARD -i eth0 -o eth2 -j INETOUT
-A FORWARD -i eth1 -o eth0 -j PUBOUT
-A FORWARD -i eth0 -o eth1 -j PUBIN
-A FORWARD -i eth2 -o eth1 -j PUBIN
-A FORWARD -i eth1 -o eth2 -j PUBOUT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i ! eth2 -o ! eth2 -j ACCEPT
-A OUTPUT -o eth2 -j INETOUT
-A OUTPUT -o eth1 -j PUBOUT
-A INETIN -m state --state INVALID -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 5 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 9 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 10 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 15 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 16 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 17 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 18 -j TREJECT
-A INETIN -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INETIN -p icmp -m icmp --icmp-type 8 -j TREJECT
-A INETIN -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INETIN -m state --state ESTABLISHED -j ACCEPT
-A INETIN -p tcp -m tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
-A INETIN -p udp -m udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
-A INETIN -j TREJECT
-A INETOUT -j ACCEPT
-A LDROP -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Dropped " --log-level 6
-A LDROP -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Dropped " --log-level 6
-A LDROP -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Dropped " --log-level 6
-A LDROP -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Dropped "
-A LDROP -j DROP
-A LREJECT -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Rejected " --log-level 6
-A LREJECT -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Rejected " --log-level 6
-A LREJECT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Rejected " --log-level 6
-A LREJECT -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Rejected "
-A LREJECT -j REJECT --reject-with icmp-port-unreachable
-A LTREJECT -p tcp -m limit --limit 2/sec -j LOG --log-prefix "TCP Rejected " --log-level 6
-A LTREJECT -p udp -m limit --limit 2/sec -j LOG --log-prefix "UDP Rejected " --log-level 6
-A LTREJECT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "ICMP Rejected " --log-level 6
-A LTREJECT -f -m limit --limit 2/sec -j LOG --log-prefix "FRAGMENT Rejected "
-A LTREJECT -j TREJECT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 25 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 110 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p tcp -m tcp --dport 443 -j TCPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 22 -j UDPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 25 -j UDPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 53 -j UDPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 80 -j UDPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 110 -j UDPACCEPT
-A PUBIN -d 192.168.2.12 -p udp -m udp --dport 443 -j UDPACCEPT
-A PUBIN -d 192.168.2.11 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A PUBIN -d 192.168.2.11 -p tcp -m tcp --dport 25 -j TCPACCEPT
-A PUBIN -d 192.168.2.11 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A PUBIN -d 192.168.2.11 -p tcp -m tcp --dport 80 -j TCPACCEPT
-A PUBIN -d 192.168.2.11 -p tcp -m tcp --dport 110 -j TCPACCEPT
-A PUBIN -d 192.168.2.11 -p udp -m udp --dport 22 -j UDPACCEPT
-A PUBIN -d 192.168.2.11 -p udp -m udp --dport 25 -j UDPACCEPT
-A PUBIN -d 192.168.2.11 -p udp -m udp --dport 53 -j UDPACCEPT
-A PUBIN -d 192.168.2.11 -p udp -m udp --dport 80 -j UDPACCEPT
-A PUBIN -d 192.168.2.11 -p udp -m udp --dport 110 -j UDPACCEPT
-A PUBIN -j TREJECT
-A PUBOUT -o eth1 -p tcp -m tcp --dport 53 -j TCPACCEPT
-A PUBOUT -o eth1 -p udp -m udp --dport 53 -j UDPACCEPT
-A PUBOUT -s 192.168.2.12 -d 192.168.2.1 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A PUBOUT -s 192.168.2.12 -d 192.168.2.1 -p udp -m udp --dport 22 -j UDPACCEPT
-A PUBOUT -s 192.168.2.11 -o eth0 -p tcp -m tcp --dport 22 -j TCPACCEPT
-A PUBOUT -s 192.168.2.11 -o eth0 -p udp -m udp --dport 22 -j UDPACCEPT
-A PUBOUT -o eth0 -j INETIN
-A PUBOUT -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec -j ACCEPT
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/sec -j LOG --log-prefix "Possible SynFlood "
-A TCPACCEPT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j TREJECT
-A TCPACCEPT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A TCPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch in TCPACCEPT "
-A TCPACCEPT -j TREJECT
-A TREJECT -p tcp -j REJECT --reject-with tcp-reset
-A TREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A TREJECT -p icmp -j DROP
-A TREJECT -j REJECT --reject-with icmp-port-unreachable
-A UDPACCEPT -p udp -j ACCEPT
-A UDPACCEPT -m limit --limit 2/sec -j LOG --log-prefix "Mismatch on UDPACCEPT "
-A UDPACCEPT -j TREJECT
-A ULDROP -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_TCP"
-A ULDROP -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_UDP"
-A ULDROP -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_ICMP"
-A ULDROP -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LDROP_FRAG"
-A ULDROP -j DROP
-A ULREJECT -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_TCP"
-A ULREJECT -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_UDP"
-A ULREJECT -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_UDP"
-A ULREJECT -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LREJECT_FRAG"
-A ULREJECT -j REJECT --reject-with icmp-port-unreachable
-A ULTREJECT -p tcp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_TCP"
-A ULTREJECT -p udp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_UDP"
-A ULTREJECT -p icmp -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_ICMP"
-A ULTREJECT -f -m limit --limit 2/sec -j ULOG --ulog-prefix "LTREJECT_FRAG"
-A ULTREJECT -p tcp -j REJECT --reject-with tcp-reset
-A ULTREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
-A ULTREJECT -p icmp -j DROP
-A ULTREJECT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Feb 16 16:45:08 2004
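Editor's note, with an added example that is not part of the original post. Two things stand out in the dump above when you trace a connection that a server on eth1 opens itself. First, replies come back in on eth2 and, once conntrack has undone the SNAT, are routed out eth1 with the server's private address and an ephemeral destination port; FORWARD sends that packet to PUBIN, and PUBIN is a plain port list (22, 25, 53, 80, 110, 443) with no `-m state --state ESTABLISHED,RELATED` rule ahead of its final `-j TREJECT`, so the SYN/ACK is answered with a TCP reset. Second, INPUT sends everything arriving on eth1 to INETIN before the two `-i eth1 ... --dport 53` rules are reached, and INETIN ends in `-j TREJECT`, so if the servers use the firewall (192.168.2.1) as their resolver, their DNS queries get an ICMP port-unreachable. The poster's two `-I FORWARD ... -j ACCEPT` test rules bypass PUBIN entirely, so if outbound still failed with those in place, the INPUT-side DNS path, or the servers' own resolver and default route (not shown in the post), is where to look next.

The walker below loads the chains from the posted iptables-save output that these packets touch and traces three packets through them, then repeats the trace with the two ordering fixes applied. It is illustrative code written for this note, not the poster's script or anything from the Monmotha script. Assumptions: TCPACCEPT's SYN rate limit, INETIN's ICMP rules and the MAC, lo and DHCP rules are left out (they cannot match the packets traced), conntrack state is carried on the packet rather than tracked, and the ephemeral port 40321 and the resolver address 192.168.2.1 are made up for the example.

```python
# Added example, not code from the original post: a toy iptables chain walker
# loaded with the posted FORWARD/INPUT/PUBIN/PUBOUT/INETIN/TREJECT rules.
# Assumed/simplified: no SYN rate limit, no ICMP rules, no MAC/lo/DHCP rules,
# conntrack state carried on the packet, constructed addresses and ports.
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Pkt:
    iif: str
    oif: str      # "" for packets that terminate on the firewall (INPUT)
    dst: str
    proto: str
    dport: int
    state: str    # NEW, ESTABLISHED, RELATED or INVALID


def match(crit, pkt):
    """Every key in crit must match; a key that is absent is a wildcard."""
    for key, want in crit.items():
        if key == "dport":
            lo, hi = want if isinstance(want, tuple) else (want, want)
            if not lo <= pkt.dport <= hi:
                return False
        elif key == "state":
            if pkt.state not in want:
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


def walk(chains, name, pkt, policy):
    """Verdict for pkt starting in chain `name`. A user chain that runs off
    its end returns None, which is iptables' implicit RETURN to the caller."""
    for crit, target in chains[name]:
        if not match(crit, pkt):
            continue
        if target in chains:                 # -j <user chain>
            verdict = walk(chains, target, pkt, policy)
            if verdict is not None:
                return verdict
            continue                         # user chain returned, keep going
        return target                        # ACCEPT / DROP / REJECT ...
    return policy.get(name)                  # built-in policy, else RETURN


def posted_ruleset():
    """The relevant chains as they appear in the posted iptables-save."""
    pubin = []
    for host, ports in (("192.168.2.12", (22, 25, 53, 80, 110, 443)),
                        ("192.168.2.11", (22, 25, 53, 80, 110))):
        pubin += [({"dst": host, "proto": "tcp", "dport": p}, "TCPACCEPT") for p in ports]
        pubin += [({"dst": host, "proto": "udp", "dport": p}, "UDPACCEPT") for p in ports]
    pubin.append(({}, "TREJECT"))            # no state match anywhere above it
    return {
        "FORWARD": [({"iif": "eth2", "oif": "eth0"}, "INETIN"),
                    ({"iif": "eth0", "oif": "eth2"}, "INETOUT"),
                    ({"iif": "eth1", "oif": "eth0"}, "PUBOUT"),
                    ({"iif": "eth0", "oif": "eth1"}, "PUBIN"),
                    ({"iif": "eth2", "oif": "eth1"}, "PUBIN"),
                    ({"iif": "eth1", "oif": "eth2"}, "PUBOUT")],
        "INPUT": [({"iif": "eth2"}, "INETIN"),
                  ({"iif": "eth1"}, "INETIN"),   # terminates before the eth1 dns rules
                  ({"iif": "eth0", "proto": "tcp", "dport": 53}, "TCPACCEPT"),
                  ({"iif": "eth0", "proto": "udp", "dport": 53}, "UDPACCEPT"),
                  ({"iif": "eth1", "proto": "tcp", "dport": 53}, "TCPACCEPT"),
                  ({"iif": "eth1", "proto": "udp", "dport": 53}, "UDPACCEPT")],
        "INETIN": [({"state": {"INVALID"}}, "TREJECT"),
                   ({"state": {"ESTABLISHED"}}, "ACCEPT"),
                   ({"proto": "tcp", "dport": (1024, 65535), "state": {"RELATED"}}, "TCPACCEPT"),
                   ({"proto": "udp", "dport": (1024, 65535), "state": {"RELATED"}}, "UDPACCEPT"),
                   ({}, "TREJECT")],
        "INETOUT": [({}, "ACCEPT")],
        "PUBIN": pubin,
        "PUBOUT": [({"oif": "eth1", "proto": "tcp", "dport": 53}, "TCPACCEPT"),
                   ({"oif": "eth1", "proto": "udp", "dport": 53}, "UDPACCEPT"),
                   ({"oif": "eth0"}, "INETIN"),
                   ({}, "ACCEPT")],
        "TCPACCEPT": [({"proto": "tcp"}, "ACCEPT"), ({}, "TREJECT")],
        "UDPACCEPT": [({"proto": "udp"}, "ACCEPT"), ({}, "TREJECT")],
        "TREJECT": [({"proto": "tcp"}, "REJECT tcp-reset"),
                    ({"proto": "udp"}, "REJECT icmp-port-unreachable"),
                    ({"proto": "icmp"}, "DROP"),
                    ({}, "REJECT icmp-port-unreachable")],
    }


def fixed_ruleset():
    """Same chains with two ordering fixes: a conntrack ACCEPT as PUBIN rule 1,
    and the two '-i eth1 --dport 53' INPUT rules moved ahead of '-i eth1 -j INETIN'."""
    chains = deepcopy(posted_ruleset())
    chains["PUBIN"].insert(0, ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"))
    inp = chains["INPUT"]
    dns = [r for r in inp if r[0].get("iif") == "eth1" and r[0].get("dport") == 53]
    rest = [r for r in inp if r not in dns]
    chains["INPUT"] = rest[:1] + dns + rest[1:]
    return chains


def verdicts(chains):
    """Trace three constructed packets (addresses and ports are assumptions)."""
    policy = {"INPUT": "DROP", "FORWARD": "DROP"}
    ssh_in = Pkt("eth2", "eth1", "192.168.2.12", "tcp", 22, "NEW")            # inbound, after DNAT
    reply = Pkt("eth2", "eth1", "192.168.2.12", "tcp", 40321, "ESTABLISHED")  # SYN/ACK back to server
    dns_q = Pkt("eth1", "", "192.168.2.1", "udp", 53, "NEW")                  # server -> firewall resolver
    return {"inbound ssh to server": walk(chains, "FORWARD", ssh_in, policy),
            "reply to server-originated tcp": walk(chains, "FORWARD", reply, policy),
            "server dns query to firewall": walk(chains, "INPUT", dns_q, policy)}


if __name__ == "__main__":
    for label, chains in (("posted", posted_ruleset()), ("fixed", fixed_ruleset())):
        for what, verdict in verdicts(chains).items():
            print(f"{label:6} {what:32} -> {verdict}")
```

On the real box the two fixes are `iptables -I PUBIN 1 -m state --state ESTABLISHED,RELATED -j ACCEPT` and moving the two `-A INPUT -i eth1 ... --dport 53` lines in the script so they come before `-A INPUT -i eth1 -j INETIN`. After that, `iptables -L PUBIN -n -v` should show the state rule's counters climbing when a server opens an outbound connection, and the "TCP Rejected"/TREJECT resets for that traffic should stop.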