From: Brian Atkins <batkins@tlcdelivers.com>
To: netfilter@lists.netfilter.org
Subject: Re: Natting IPs hanging
Date: Fri, 20 May 2005 10:38:47 +0000 (UTC)
Message-ID: <42908917.40407@tlcdelivers.com>
In-Reply-To: <428FBAB0.8030206@tlcdelivers.com>
Brian Atkins wrote:
> Jason and John,
>
> Again, thanks for the responses. I've finally had an opportunity to
> dig back into it after a rather nightmare-ish week...
>
> I tried a couple of different things, without much success. First,
> seeing as how I'm relatively new at this, I went back to the docs on
> Netfilter and pulled a script out of the appendices of one of the
> HOWTOs and modified it for my use. Following their setup, I used it
> to create several new chains and new rules that I hadn't thought of
> implementing. Now, when I went back and checked out ip_tables_names
> and ip_tables_targets, I get the following:
>
> root@fw>cat /proc/net/ip_tables_names
> mangle
> nat
> filter
>
> root@fw>cat /proc/net/ip_tables_targets
> REJECT
> LOG
> DNAT
> SNAT
>
> Also, I checked out the kernel config and got the following list of
> modules that were created with the new build:
> root@fw>grep _NF_ /usr/src/linux/.config
> CONFIG_IP_NF_CONNTRACK=m
> # CONFIG_IP_NF_CT_ACCT is not set
> # CONFIG_IP_NF_CONNTRACK_MARK is not set
> # CONFIG_IP_NF_CT_PROTO_SCTP is not set
> CONFIG_IP_NF_FTP=m
> # CONFIG_IP_NF_IRC is not set
> # CONFIG_IP_NF_TFTP is not set
> # CONFIG_IP_NF_AMANDA is not set
> # CONFIG_IP_NF_QUEUE is not set
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP_NF_MATCH_LIMIT=m
> CONFIG_IP_NF_MATCH_IPRANGE=m
> CONFIG_IP_NF_MATCH_MAC=m
> CONFIG_IP_NF_MATCH_PKTTYPE=m
> CONFIG_IP_NF_MATCH_MARK=m
> CONFIG_IP_NF_MATCH_MULTIPORT=m
> CONFIG_IP_NF_MATCH_TOS=m
> CONFIG_IP_NF_MATCH_RECENT=m
> CONFIG_IP_NF_MATCH_ECN=m
> CONFIG_IP_NF_MATCH_DSCP=m
> CONFIG_IP_NF_MATCH_AH_ESP=m
> CONFIG_IP_NF_MATCH_LENGTH=m
> CONFIG_IP_NF_MATCH_TTL=m
> CONFIG_IP_NF_MATCH_TCPMSS=m
> CONFIG_IP_NF_MATCH_HELPER=m
> CONFIG_IP_NF_MATCH_STATE=m
> CONFIG_IP_NF_MATCH_CONNTRACK=m
> CONFIG_IP_NF_MATCH_OWNER=m
> CONFIG_IP_NF_MATCH_ADDRTYPE=m
> CONFIG_IP_NF_MATCH_REALM=m
> # CONFIG_IP_NF_MATCH_SCTP is not set
> CONFIG_IP_NF_MATCH_COMMENT=m
> # CONFIG_IP_NF_MATCH_HASHLIMIT is not set
> CONFIG_IP_NF_FILTER=m
> CONFIG_IP_NF_TARGET_REJECT=m
> CONFIG_IP_NF_TARGET_LOG=m
> CONFIG_IP_NF_TARGET_ULOG=m
> CONFIG_IP_NF_TARGET_TCPMSS=m
> CONFIG_IP_NF_NAT=m
> CONFIG_IP_NF_NAT_NEEDED=y
> CONFIG_IP_NF_TARGET_MASQUERADE=m
> CONFIG_IP_NF_TARGET_REDIRECT=m
> CONFIG_IP_NF_TARGET_NETMAP=m
> CONFIG_IP_NF_TARGET_SAME=m
> CONFIG_IP_NF_NAT_SNMP_BASIC=m
> CONFIG_IP_NF_NAT_FTP=m
> CONFIG_IP_NF_MANGLE=m
> CONFIG_IP_NF_TARGET_TOS=m
> CONFIG_IP_NF_TARGET_ECN=m
> CONFIG_IP_NF_TARGET_DSCP=m
> CONFIG_IP_NF_TARGET_MARK=m
> CONFIG_IP_NF_TARGET_CLASSIFY=m
> CONFIG_IP_NF_RAW=m
> CONFIG_IP_NF_TARGET_NOTRACK=m
> CONFIG_IP_NF_ARPTABLES=m
> CONFIG_IP_NF_ARPFILTER=m
> CONFIG_IP_NF_ARP_MANGLE=m
>
> Likewise, here is what is currently loaded:
> root@fw>lsmod
> Module                  Size  Used by
> ip_nat_ftp              3584  0
> ip_conntrack_ftp       72976  1 ip_nat_ftp
> ipt_state               2560  5
> ipt_limit               3072  2
> iptable_mangle          3328  0
> ipt_REJECT              6528  1
> ipt_LOG                 7552  2
> iptable_nat            23868  2 ip_nat_ftp
> ip_conntrack           49992  4 ip_nat_ftp,ip_conntrack_ftp,ipt_state,iptable_nat
> iptable_filter          3328  1
> ip_tables              23296  7 ipt_state,ipt_limit,iptable_mangle,ipt_REJECT,ipt_LOG,iptable_nat,iptable_filter
>
> BLADABLADABLADA
>
> Here is my routing table (for what it's worth):
> root@fw>route
> Kernel IP routing table
> Destination     Gateway         Genmask          Flags Metric Ref Use Iface
> [OUTSIDE_NET]   *               255.255.255.192  U     0      0     0 eth0
> [INSIDE_NET]    *               255.0.0.0        U     0      0     0 eth2
> loopback        localhost       255.0.0.0        UG    0      0     0 lo
> default         [OUTSIDE_GW]    0.0.0.0          UG    0      0     0 eth0
>
> And, finally, my current ruleset (and I welcome all critiques):
> root@fw>iptables-save
> # Generated by iptables-save v1.3.1
> *mangle
> :PREROUTING ACCEPT [4431:597383]
> :INPUT ACCEPT [4387:587673]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1709:222042]
> :POSTROUTING ACCEPT [1686:202254]
> COMMIT
> *nat
> :PREROUTING ACCEPT [2731:449771]
> :POSTROUTING ACCEPT [13:950]
> :OUTPUT ACCEPT [13:950]
> -A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
> -A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
> -A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
> -A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
> COMMIT
> *filter
> :ALLOWED - [0:0]
> :BAD_TCP_PACKETS - [0:0]
> :ICMP_PACKETS - [0:0]
> :INPUT DROP [2625:435028]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [23:19788]
> :POSTROUTING - [0:0]
> :PREROUTING - [0:0]
> :TCP_PACKETS - [0:0]
> :UDP_PACKETS - [0:0]
> -A ALLOWED -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A ALLOWED -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A ALLOWED -p tcp -j DROP
> -A BAD_TCP_PACKETS -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
> -A BAD_TCP_PACKETS -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
> -A ICMP_PACKETS -s [PRIVATE_NET]/255.0.0.0 -p icmp -j ACCEPT
> -A ICMP_PACKETS -s [PUBLIC_NET]/255.255.255.192 -p icmp -j ACCEPT
> -A ICMP_PACKETS -s 127.0.0.0/255.0.0.0 -p icmp -j ACCEPT
> -A ICMP_PACKETS -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
> -A INPUT -j PREROUTING
> -A INPUT -p tcp -j BAD_TCP_PACKETS
> -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
> -A INPUT -s [PRIVATE_IP_FW] -i lo -j ACCEPT
> -A INPUT -s [PUBLIC_IP_FW] -i lo -j ACCEPT
> -A INPUT -d [PUBLIC_IP_FW] -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -j TCP_PACKETS
> -A INPUT -p udp -j UDP_PACKETS
> -A INPUT -p icmp -j ICMP_PACKETS
> -A FORWARD -p tcp -j BAD_TCP_PACKETS
> -A FORWARD -d [PUBLIC_NET]/255.255.255.192 -p tcp -j PREROUTING
> -A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ICMP_PACKETS
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
> -A OUTPUT -s 127.0.0.1 -j ACCEPT
> -A OUTPUT -s [PRIVATE_IP_FW] -j ACCEPT
> -A OUTPUT -s [PUBLIC_IP_FW] -j ACCEPT
> -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
> -A TCP_PACKETS -p tcp -m tcp --dport 21 -j ALLOWED
> -A TCP_PACKETS -p tcp -m tcp --dport 22 -j ALLOWED
> -A TCP_PACKETS -p tcp -m tcp --dport 25 -j ALLOWED
> -A TCP_PACKETS -p tcp -m tcp --dport 80 -j ALLOWED
> -A TCP_PACKETS -p tcp -m tcp --dport 443 -j ALLOWED
> -A TCP_PACKETS -p tcp -m tcp --dport 873 -j ALLOWED
> -A TCP_PACKETS -p tcp -m tcp --dport 1999 -j ALLOWED
> -A TCP_PACKETS -p tcp -m tcp --dport 4899 -j ALLOWED
> -A TCP_PACKETS -p tcp -m tcp --dport 5666 -j ALLOWED
> -A TCP_PACKETS -p tcp -m tcp --dport 8080 -j ALLOWED
> -A TCP_PACKETS -p tcp -m tcp --dport 11371 -j ALLOWED
> -A UDP_PACKETS -p udp -m udp --sport 53 -j ACCEPT
> -A UDP_PACKETS -p udp -m udp --sport 123 -j ACCEPT
> -A UDP_PACKETS -p udp -m udp --sport 873 -j ACCEPT
> COMMIT
> # Completed
>
> I also tried FireHOL to build the rules from a config file. I liked
> how *thorough* it appeared to be, but I went back to the original
> script for troubleshooting purposes.
>
Now, even more strange is that I stripped everything out right down to
just the natting piece and I still can't traverse the fw:
# Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
*raw
:PREROUTING ACCEPT [185327:123272626]
:OUTPUT ACCEPT [71616:17819696]
COMMIT
# Completed on Fri May 20 06:23:40 2005
# Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
*nat
:PREROUTING ACCEPT [20964:3942558]
:POSTROUTING ACCEPT [54:3564]
:OUTPUT ACCEPT [53:3480]
-A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
-A PREROUTING -d [PUBLIC_IP] -i eth0 -j DNAT --to-destination [PRIVATE_IP]
-A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
-A POSTROUTING -s [PRIVATE_IP] -o eth0 -j SNAT --to-source [PUBLIC_IP]
COMMIT
# Completed on Fri May 20 06:23:40 2005
# Generated by iptables-save v1.3.1 on Fri May 20 06:23:40 2005
*filter
:INPUT ACCEPT [955:375232]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1219:191838]
:POSTROUTING - [0:0]
:PREROUTING - [0:0]
-A FORWARD -i eth1 -j POSTROUTING
COMMIT
# Completed on Fri May 20 06:23:40 2005
By all intents I should be vulnerable to the world. From the outside, I
can hit the external facing NIC, but I can't get to the public IP of one
of my webservers. From the inside, I can hit both NICs (inside/outside)
on the firewall, but not the internal facing NIC on the ex-router. From
the firewall, I can see both WWW and my internal network.
Is there a tool to debug iptables to see if any of the rules are being
used by incoming traffic?
--
Brian Atkins
IT Services
The Library Corporation
http://TLCdelivers.com
Ph: 800.624.0559
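The question at the end of the message (which rules are incoming packets actually hitting?) is normally answered with the per-rule packet counters that netfilter keeps: `iptables -L -v -n` shows them, and `iptables-save -c` writes them as a `[pkts:bytes]` prefix in front of each rule and chain policy. Taking one snapshot, making a single test connection, taking a second snapshot and diffing the two shows exactly how far a packet got. The script below is an added example, not code from this thread or from the netfilter project. It parses two `iptables-save -c` snapshots (the ones embedded here are constructed in the shape of the stripped-down ruleset above, with the documentation addresses 203.0.113.10 and 10.0.0.10 standing in for the redacted `[PUBLIC_IP]` and `[PRIVATE_IP]`), reports every rule or chain policy whose counter rose, and additionally flags `-j` jumps into user-defined chains that contain no rules, which silently return to the calling chain.

```python
"""Find which iptables rules and chain policies are actually seeing traffic by
diffing two `iptables-save -c` snapshots, and flag jumps into empty user chains.

Added example, not from the original thread. Assumes the `[pkts:bytes]` counter
prefix that `iptables-save -c` emits; the snapshots below are constructed."""
import re
from collections import Counter

# `[pkts:bytes] -A CHAIN rule...`; the counter prefix is optional so plain
# iptables-save output (as pasted in the thread) still parses, with counts of 0.
RULE_RE = re.compile(r'^(?:\[(\d+):(\d+)\]\s+)?(-A\s+(\S+)\s+(.*))$')
# `:CHAIN POLICY [pkts:bytes]`; user-defined chains carry the policy `-`.
POLICY_RE = re.compile(r'^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$')
JUMP_RE = re.compile(r'\s-j\s+(\S+)')


def parse_save(text):
    """Map (table, kind, key) -> (packets, bytes).

    kind 'policy': key is the chain name; counters are packets that fell through
    to the chain policy. kind 'rule': key is (rule text, occurrence index), so two
    identical rules stay distinct instead of overwriting each other."""
    table, seen, counters = None, Counter(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line == 'COMMIT':
            continue
        if line.startswith('*'):
            table = line[1:]
            continue
        m = POLICY_RE.match(line)
        if m:
            chain, _policy, pkts, byts = m.groups()
            counters[(table, 'policy', chain)] = (int(pkts), int(byts))
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, byts, rule = m.group(1), m.group(2), m.group(3)
            idx = seen[(table, rule)]
            seen[(table, rule)] += 1
            counters[(table, 'rule', (rule, idx))] = (int(pkts or 0), int(byts or 0))
    return counters


def diff_counters(before_text, after_text):
    """Return [(table, kind, key, packet_delta)] for every entry whose packet
    counter rose between the snapshots: the rules/policies the test traffic reached."""
    before, after = parse_save(before_text), parse_save(after_text)
    hits = []
    for key, (pkts_after, _) in after.items():
        delta = pkts_after - before.get(key, (0, 0))[0]
        if delta > 0:
            hits.append(key + (delta,))
    return hits


def empty_chain_jumps(text):
    """Return [(table, from_chain, to_chain)] for `-j CHAIN` rules whose target is
    a user-defined chain with no rules. Such a jump just returns, so the packet
    keeps walking the calling chain as if the rule were not there."""
    rules_in_chain, jumps, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('*'):
            table = line[1:]
        elif line.startswith(':'):
            rules_in_chain[(table, line[1:].split()[0])] = 0
        else:
            m = RULE_RE.match(line)
            if not m:
                continue
            chain, body = m.group(4), m.group(5)
            rules_in_chain[(table, chain)] = rules_in_chain.get((table, chain), 0) + 1
            j = JUMP_RE.search(' ' + body)
            if j:
                jumps.append((table, chain, j.group(1)))
    # Built-in targets (ACCEPT, DNAT, ...) never appear as chain declarations.
    return [(t, src, dst) for t, src, dst in jumps if rules_in_chain.get((t, dst)) == 0]


# Constructed snapshots (not captured from the poster's firewall), shaped like the
# stripped-down ruleset in the thread. BEFORE is taken, one connection to the
# public address is attempted from outside, then AFTER is taken.
BEFORE = """\
*nat
:PREROUTING ACCEPT [100:8000]
:POSTROUTING ACCEPT [10:700]
:OUTPUT ACCEPT [10:700]
[5:300] -A PREROUTING -d 203.0.113.10 -i eth0 -j DNAT --to-destination 10.0.0.10
[0:0] -A PREROUTING -d 203.0.113.10 -i eth0 -j DNAT --to-destination 10.0.0.10
[0:0] -A POSTROUTING -s 10.0.0.10 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT ACCEPT [50:4000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [60:5000]
:POSTROUTING - [0:0]
[0:0] -A FORWARD -i eth1 -j POSTROUTING
COMMIT
"""
AFTER = (BEFORE.replace('[100:8000]', '[110:8800]')
               .replace('[5:300] -A PREROUTING', '[8:480] -A PREROUTING')
               .replace('[50:4000]', '[55:4400]'))

if __name__ == '__main__':
    for table, kind, key, delta in diff_counters(BEFORE, AFTER):
        print(f'{table}/{kind} {key}: +{delta} packets')
    for table, src, dst in empty_chain_jumps(AFTER):
        print(f'{table}: {src} jumps to empty chain {dst} (no-op)')
```

In practice the two snapshots come from `iptables-save -c > before`, the test connection, then `iptables-save -c > after` (`iptables -Z` zeroes the counters first if a clean baseline is wanted). On the constructed sample, the first DNAT rule in nat PREROUTING gains three packets while the second, identical copy stays at zero (a duplicate rule never matches, because the first copy already took the packet), and the filter FORWARD policy does not move at all: the packets were translated but never reached forwarding, which points at the step between the NAT decision and the FORWARD chain (routing, `ip_forward`, or reachability of the translated destination) rather than at the filter rules. The script also reports the `FORWARD -j POSTROUTING` jump as a no-op, since the filter-table POSTROUTING user chain holds no rules.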