From: Brian Atkins <batkins@tlcdelivers.com>
To: netfilter@lists.netfilter.org
Subject: RE: Natting IPs hanging
Date: Thu, 19 May 2005 19:55:34 +0000 (UTC)
Date: Sat, 21 May 2005 15:48:16 -0700
Message-ID: <428FBAB0.8030206@tlcdelivers.com>

Jason and John,

Again, thanks for the responses.  I've finally had an opportunity to dig 
back into it after a rather nightmare-ish week...

I tried a couple of different things, without much success.  First,
seeing as how I'm relatively new at this, I went back to the docs on
Netfilter and pulled a script out of the appendices of one of the HOWTOs
and modified it for my use.  Following their setup, I used it to create
several new chains and new rules that I hadn't thought of implementing.
Now, when I went back and checked out ip_tables_names and
ip_tables_targets, I get the following:

root@fw>cat /proc/net/ip_tables_names
mangle
nat
filter

root@fw>cat /proc/net/ip_tables_targets
REJECT
LOG
DNAT
SNAT

Also, I checked out the kernel config and got the following list of 
modules that were created with the new build:
root@fw>grep _NF_ /usr/src/linux/.config
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_REALM=m
# CONFIG_IP_NF_MATCH_SCTP is not set
CONFIG_IP_NF_MATCH_COMMENT=m
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_CLASSIFY=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m

Likewise, here is what is currently loaded:
root@fw>lsmod
Module                  Size  Used by
ip_nat_ftp              3584  0
ip_conntrack_ftp       72976  1 ip_nat_ftp
ipt_state               2560  5
ipt_limit               3072  2
iptable_mangle          3328  0
ipt_REJECT              6528  1
ipt_LOG                 7552  2
iptable_nat            23868  2 ip_nat_ftp
ip_conntrack           49992  4 ip_nat_ftp,ip_conntrack_ftp,ipt_state,iptable_nat
iptable_filter          3328  1
ip_tables              23296  7 ipt_state,ipt_limit,iptable_mangle,ipt_REJECT,ipt_LOG,iptable_nat,iptable_filter
BLADABLADABLADA

Here is my routing table (for what it's worth):
root@fw>route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
[OUTSIDE _NET]  *               255.255.255.192 U     0      0        0 eth0
[INSIDE_NET]    *               255.0.0.0       U     0      0        0 eth2
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         [OUTSIDE_GW]    0.0.0.0         UG    0      0        0 eth0

And, finally, my current ruleset (and I welcome all critiques):
root@fw>iptables-save
# Generated by iptables-save v1.3.1
*mangle
:PREROUTING ACCEPT [4431:597383]
:INPUT ACCEPT [4387:587673]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1709:222042]
:POSTROUTING ACCEPT [1686:202254]
COMMIT
*nat
:PREROUTING ACCEPT [2731:449771]
:POSTROUTING ACCEPT [13:950]
:OUTPUT ACCEPT [13:950]
-A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
-A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
-A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
-A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
COMMIT
*filter
:ALLOWED - [0:0]
:BAD_TCP_PACKETS - [0:0]
:ICMP_PACKETS - [0:0]
:INPUT DROP [2625:435028]
:FORWARD DROP [0:0]
:OUTPUT DROP [23:19788]
:POSTROUTING - [0:0]
:PREROUTING - [0:0]
:TCP_PACKETS - [0:0]
:UDP_PACKETS - [0:0]
-A ALLOWED -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A ALLOWED -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ALLOWED -p tcp -j DROP
-A BAD_TCP_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A BAD_TCP_PACKETS -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A ICMP_PACKETS -s [PRIVATE_NET]/255.0.0.0 -p icmp -j ACCEPT
-A ICMP_PACKETS -s [PUBLIC_NET]/255.255.255.192 -p icmp -j ACCEPT
-A ICMP_PACKETS -s 127.0.0.0/255.0.0.0 -p icmp -j ACCEPT
-A ICMP_PACKETS -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -j PREROUTING
-A INPUT -p tcp -j BAD_TCP_PACKETS
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s [PRIVATE_IP_FW] -i lo -j ACCEPT
-A INPUT -s [PUBLIC_IP_FW] -i lo -j ACCEPT
-A INPUT -d [PUBLIC_IP_FW] -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j TCP_PACKETS
-A INPUT -p udp -j UDP_PACKETS
-A INPUT -p icmp -j ICMP_PACKETS
-A FORWARD -p tcp -j BAD_TCP_PACKETS
-A FORWARD -d [PUBLIC_NET]/255.255.255.192 -p tcp -j PREROUTING
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ICMP_PACKETS
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s [PRIVATE_IP_FW] -j ACCEPT
-A OUTPUT -s [PUBLIC_IP_FW] -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
-A TCP_PACKETS -p tcp -m tcp --dport 21 -j ALLOWED
-A TCP_PACKETS -p tcp -m tcp --dport 22 -j ALLOWED
-A TCP_PACKETS -p tcp -m tcp --dport 25 -j ALLOWED
-A TCP_PACKETS -p tcp -m tcp --dport 80 -j ALLOWED
-A TCP_PACKETS -p tcp -m tcp --dport 443 -j ALLOWED
-A TCP_PACKETS -p tcp -m tcp --dport 873 -j ALLOWED
-A TCP_PACKETS -p tcp -m tcp --dport 1999 -j ALLOWED
-A TCP_PACKETS -p tcp -m tcp --dport 4899 -j ALLOWED
-A TCP_PACKETS -p tcp -m tcp --dport 5666 -j ALLOWED
-A TCP_PACKETS -p tcp -m tcp --dport 8080 -j ALLOWED
-A TCP_PACKETS -p tcp -m tcp --dport 11371 -j ALLOWED
-A UDP_PACKETS -p udp -m udp --sport 53 -j ACCEPT
-A UDP_PACKETS -p udp -m udp --sport 123 -j ACCEPT
-A UDP_PACKETS -p udp -m udp --sport 873 -j ACCEPT
COMMIT
# Completed

I also tried FireHOL to build the rules from a config file.  I liked how
*thorough* it appeared to be, but I went back to the original script for
troubleshooting purposes.

-- 
Brian Atkins
IT Services
The Library Corporation
http://TLCdelivers.com
Ph: 800.624.0559
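As an added example, not part of this message or the thread: a small audit script that parses an iptables-save dump in the format shown above and reports two things worth checking in a DNAT setup, exact duplicate rules and DROP-policy chains in which no reachable rule (following jumps into user chains) can ACCEPT a NEW connection, which is the state a DNATed inbound session is in when it first reaches FORWARD. The sample dump, and the names SAMPLE, parse, duplicate_rules, accepts_new and blocked_chains, are my own; the bracketed placeholders are kept from the message.

```python
from collections import Counter
# Constructed sample modelled on the ruleset above; placeholders kept as-is.
SAMPLE = """\
*nat
-A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
-A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:ALLOWED - [0:0]
-A ALLOWED -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -j ALLOWED
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
def parse(dump):
    """Return {table: (policies, rules)}; policy '-' marks a user chain."""
    tables, table = {}, None
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            table = tables.setdefault(line[1:], ({}, []))
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table[0][chain] = policy
        elif line.startswith("-A "):
            chain, rule = line[3:].split(" ", 1)
            table[1].append((chain, rule))
    return tables
def duplicate_rules(tables):
    counts = Counter((t, c, r) for t, (_, rs) in tables.items() for c, r in rs)
    return sorted(k for k, n in counts.items() if n > 1)
def accepts_new(tables, table, chain, seen=frozenset()):
    """True if chain, or a user chain it jumps to, can ACCEPT a NEW connection."""
    policies, rules = tables[table]
    for c, rule in rules:
        toks = rule.split()
        if c != chain or "-j" not in toks:
            continue
        # a -m state match whose list lacks NEW cannot match a new connection
        if "--state" in toks and "NEW" not in toks[toks.index("--state") + 1]:
            continue
        target = toks[toks.index("-j") + 1]
        if target == "ACCEPT" or (policies.get(target) == "-" and target not in seen
                                  and accepts_new(tables, table, target, seen | {chain})):
            return True
    return False
def blocked_chains(tables):
    return [(t, c) for t, (pol, _) in tables.items() for c, p in pol.items()
            if p == "DROP" and not accepts_new(tables, t, c)]
```

Run it against a real dump with `parse(open("rules.txt").read())`; a chain reported by blocked_chains is one that can only ever pass traffic conntrack already knows about.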
