* Case concerning iptables filtering traffic from the internet in a NATed scenario
@ 2006-03-14 15:48 Mattes Opel
  2006-03-14 16:59 ` Chinh Nguyen
  0 siblings, 1 reply; 3+ messages in thread
From: Mattes Opel @ 2006-03-14 15:48 UTC (permalink / raw)
  To: netfilter

Hello everybody,

I'm new to this list, so I'm hoping not to break with any rules.

I've got a case concerning iptables. Please excuse this long posting.

Before explaining the scenario, here are my questions:
1) How do I restrict internetworking traffic, which is originated by / 
destined to the internet, to a machine? Please read on, because it 
sounds simple but is something special for me.

The main problem is that I can access the hosts only remotely. A mistake 
would hurt very much.

The scenario is as follows:

a) I've got a host running iptables, which offers different services to 
the local subnet. The subnet is private, so it's addressed by a stack of 
192.* IP-Numbers.

b) Machine a) needs internet access for e.g. retrieving updates.

c) For administration tasks the machine described by a) is accessible 
from the internet. The internet firewall does PAT/NAT or something 
similar, which means that a certain port on the external router 
interface is forwarded to a certain TCP-Port/IP-Address combination on 
the local subnet (192.*).

d) Only three hosts in the local subnet (192.*) should access the 
machine a). Access strategy for these hosts to the machine a) is all or 
nothing, which means that filtering occurs based on IP addresses (not 
TCP ports) or possibly MAC addresses.

e) I need the strongest but simplest configurable security, 
which can be set up by on-board tools like iptables.

So where's the prob?

# set policies (anything not matched by a rule below is dropped)
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# allow the local interface of machine a)
iptables -A INPUT -p all -s 192.168.1.20 -j ACCEPT
iptables -A OUTPUT -p all -d 192.168.1.20 -j ACCEPT

# restricting access to the three machines on local subnet
iptables -A INPUT -p all -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p all -s 192.168.1.11 -j ACCEPT
iptables -A INPUT -p all -s 192.168.1.12 -j ACCEPT

iptables -A OUTPUT -p all -d 192.168.1.10 -j ACCEPT
iptables -A OUTPUT -p all -d 192.168.1.11 -j ACCEPT
iptables -A OUTPUT -p all -d 192.168.1.12 -j ACCEPT

# access the internet-router
iptables -A INPUT -p all -s 192.168.1.1 -j ACCEPT
iptables -A OUTPUT -p all -d 192.168.1.1 -j ACCEPT

# Log the rest ("any address" is 0.0.0.0/0; 0.0.0.0/255.255.255.255 would
# match only the single address 0.0.0.0. Chain names are case-sensitive,
# so the chain is OUTPUT, not output.)
iptables -A INPUT -p all -s 0.0.0.0/0 -j LOG
iptables -A OUTPUT -p all -s 0.0.0.0/0 -j LOG

Here's the prob.

I can't access internet hosts from machine a), because packets for this 
purpose are destined to registered IP numbers. They are rejected by 
the output chain, because they don't contain the router's internal IP 
as destination. Access to the three hosts on the local subnet works fine.

The question to answer for solving the problem:
How do I identify packets sourced by machine a) destined to 
anywhere, which have to go through the router?

And the other way around:
How do I identify packets destined to machine a) sourced from 
anywhere, which have passed the router?

Furthermore, a possibility to filter those packets in a second stage by 
protocol or port would be fine.

AND don't forget the administrator's access:
How do I identify packets which were forwarded by the router? See c) 
in the scenario description.

Hope that somebody can help me. Thanks in advance.

Greetings from Hamburg,

Mattes


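An added example, written for this thread and not posted by anyone in it, of how the three "how do I identify" questions above can be answered without a per-peer ACCEPT rule for every destination: traffic from machine a) that must go through the router is simply traffic leaving the LAN interface whose destination is outside the local subnet; traffic that came back through the router is traffic arriving on the LAN interface from a non-local source; and the router's port forward shows up as a non-local source hitting the forwarded port. Connection tracking (`-m conntrack --ctstate`, or `-m state --state` on older iptables) then lets the return half of each connection in without naming any address. Everything concrete here is an assumption, not from the post: LAN interface `eth0`, subnet `192.168.1.0/24`, host a) at `192.168.1.20`, router at `192.168.1.1`, TCP port 22 as a placeholder for whatever port the router forwards, and DNS plus HTTP/HTTPS as the "second stage" protocols allowed out for updates. Because the box is administered remotely, the script only prints the commands unless `APPLY=1` is set, and it sets the DROP policies last so the ACCEPT rules are already in place when the default changes.

```shell
#!/bin/sh
# Added example (not from the thread): stateful INPUT/OUTPUT ruleset for a
# host that filters its own traffic on a NATed LAN. All addresses, the
# interface name and the admin port are assumptions, see the lead-in.
LAN_IF=eth0
LAN_NET=192.168.1.0/24
ROUTER=192.168.1.1                  # default gateway; only documented here
ADMIN_HOSTS="192.168.1.10 192.168.1.11 192.168.1.12"
ADMIN_PORT=22                       # placeholder for the port the router forwards

# Dry run by default: print the iptables commands instead of applying them.
if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi

# emit_rules prints (or applies) the complete ruleset, one command per line.
emit_rules() {
    # start from empty chains while the policies are still whatever they were
    $IPT -F INPUT
    $IPT -F OUTPUT

    # loopback is always allowed
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # the return half of every accepted connection, in both directions:
    # this is what lets update downloads and the admin session work without
    # an ACCEPT rule per remote address
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # d) the three LAN hosts, all-or-nothing by source address
    for h in $ADMIN_HOSTS; do
        $IPT -A INPUT -i "$LAN_IF" -s "$h" -m conntrack --ctstate NEW -j ACCEPT
    done

    # b) "sourced by a), has to go through the router" == leaves the LAN
    # interface with a destination outside the LAN (routed via $ROUTER).
    # Second-stage filter by protocol/port: DNS and HTTP/HTTPS only.
    $IPT -A OUTPUT -o "$LAN_IF" ! -d "$LAN_NET" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" ! -d "$LAN_NET" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # c) packets the router port-forwarded arrive on the LAN interface with a
    # non-LAN source and the forwarded destination port
    $IPT -A INPUT -i "$LAN_IF" ! -s "$LAN_NET" -p tcp --dport "$ADMIN_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # everything else is logged, then falls through to the DROP policy
    $IPT -A INPUT  -j LOG --log-prefix "ipt-in-drop: "
    $IPT -A OUTPUT -j LOG --log-prefix "ipt-out-drop: "

    # default deny last, so the ACCEPT rules are already present when it takes effect
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

emit_rules
```

Run it as `sh rules.sh` to review the commands and `APPLY=1 sh rules.sh` to apply them. Before applying on a remotely administered host, save the current ruleset with `iptables-save > /root/ipt.bak` and start a timed rollback such as `(sleep 300; iptables-restore < /root/ipt.bak) &`, then kill that job only once the new rules have been confirmed to still let the admin session in. Note that host a) is an endpoint, not a router: packets it originates or receives traverse OUTPUT and INPUT, never FORWARD, so the filtering for this scenario lives in those two chains.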
* Re: Case concerning iptables filtering traffic from the internet in a NATed scenario
@ 2006-03-14 15:54 Randy Grimshaw
  0 siblings, 0 replies; 3+ messages in thread
From: Randy Grimshaw @ 2006-03-14 15:54 UTC (permalink / raw)
  To: netfilter, mattes.opel


<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY   13244
315-443-5779
rgrimsha@syr.edu

>>> Mattes Opel <mattes.opel@web.de> 3/14/2006 10:48:05 AM >>>

>I can't access internet-hosts from machine a), because packets for this 
>purpose are destinated to registered IP-Numbers. They are rejected by 
>the output chain, because they doesn't contain the routers internal IP 
>as destination. Access to the three hosts on local subnet works fine.

You don't have any FORWARD rules, where the ACL logic would likely reside.

<><Randy



