* Cannot go out the firewall from internal network (NAT)
@ 2006-11-13 15:15 Marco Nicoloso
  2006-11-13 15:39 ` Tommy W
  2006-11-14 11:34 ` Pradeep Jindal
  0 siblings, 2 replies; 7+ messages in thread
From: Marco Nicoloso @ 2006-11-13 15:15 UTC (permalink / raw)
  To: netfilter

Hi there,

I have already written before, but still my firewall doesn't work at
all (or, from another point of view, works too much!!!!). That is, I
resolved a big problem (my kernel did not load modules for NAT and now
it does), but still there is another.

I want the machines in my internal network to resolve IP addresses by
themselves and to be able to connect to some servers (like the SMTP and
PPP servers of the ISP that serves my company).

Neither of my desires is realised for now.

I am posting my configuration files and the output of the iptables command.

Will you help me, please?

Thanks in advance.

Marco Nicoloso.

Configuration script

#!/bin/bash

## RESET THE RULES ##
iptables -F
iptables -t mangle -F
iptables -t nat -F
iptables -X
iptables -t mangle -X
iptables -t nat -X


## FILTER TABLE ##

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Create new chains

# Chain for int->ext
iptables -N laninet
# Chain for ext->int
iptables -N inetlan

# Jump into the chains from FORWARD
iptables -A FORWARD -i eth1 -o eth0 -j laninet
iptables -A FORWARD -i eth0 -o eth1 -j inetlan

# Fragments and invalid packets
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Internal network traffic
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

## FILTER TABLE - INBOUND ##
# Accept packets of existing connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Drop all packets that do not belong to the chains
iptables -A laninet -s ! 192.168.7.0/24 -j DROP
iptables -A inetlan -s 192.168.7.0/24 -j DROP


# Accept inbound traffic on the client ports
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT

# Enabling some of the ICMP packets
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Forward from the internal network
iptables -A laninet -d 0/0 -j ACCEPT

# Forward from the internet
iptables -A inetlan -p tcp --sport 53 -j ACCEPT
iptables -A inetlan -p udp --sport 53 -j ACCEPT
iptables -A inetlan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A inetlan -p tcp -j REJECT --reject-with tcp-reset

# Setting up NAT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to 81.22.222.236

Output of the usual iptables commands.

#iptables -vnL

Chain INPUT (policy DROP 32 packets, 3605 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
16791  729K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
33506   46M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:53
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9
    2   122 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  341 22672 laninet    all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 inetlan    all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
31529   46M ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
22566 1409K ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain inetlan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.7.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset

Chain laninet (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *      !192.168.7.0/24       0.0.0.0/0
  341 22672 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

#iptables -vnL -t nat

Chain PREROUTING (policy ACCEPT 263K packets, 22M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 195K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    192.168.7.0/24       0.0.0.0/0           to:81.22.222.236

Chain OUTPUT (policy ACCEPT 186K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination

#iptables -vnL -t mangle

Chain PREROUTING (policy ACCEPT 4253K packets, 2003M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4157K packets, 1996M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 25604 packets, 1239K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4708K packets, 2448M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4733K packets, 2449M bytes)
 pkts bytes target     prot opt in     out     source               destination



* Re: Cannot go out the firewall from internal network (NAT)
  2006-11-13 15:15 Cannot go out the firewall from internal network (NAT) Marco Nicoloso
@ 2006-11-13 15:39 ` Tommy W
  2006-11-13 16:09   ` Marco Nicoloso
  2006-11-14 11:34 ` Pradeep Jindal
  1 sibling, 1 reply; 7+ messages in thread
From: Tommy W @ 2006-11-13 15:39 UTC (permalink / raw)
  To: netfilter

Have you done this?

echo "1" > /proc/sys/net/ipv4/ip_forward

In order to activate forwarding.

On Monday 13 November 2006 16:15, Marco Nicoloso wrote:
> [...]



* Re: Cannot go out the firewall from internal network (NAT)
  2006-11-13 15:39 ` Tommy W
@ 2006-11-13 16:09   ` Marco Nicoloso
  0 siblings, 0 replies; 7+ messages in thread
From: Marco Nicoloso @ 2006-11-13 16:09 UTC (permalink / raw)
  To: Tommy W, netfilter

> Have you done this ?
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> In order to activate forwarding.
>
Yes, I had already done that.

I found the file /proc/sys/net/ipv4/ip_nonlocal_bind, which is set to
0; is that normal? NAT should bind IP addresses from the internal
network... does it do so anyway with this setting?

Marco Nicoloso



* Re: Cannot go out the firewall from internal network (NAT)
  2006-11-13 15:15 Cannot go out the firewall from internal network (NAT) Marco Nicoloso
  2006-11-13 15:39 ` Tommy W
@ 2006-11-14 11:34 ` Pradeep Jindal
  2006-11-14 19:58   ` Marco Nicoloso
  1 sibling, 1 reply; 7+ messages in thread
From: Pradeep Jindal @ 2006-11-14 11:34 UTC (permalink / raw)
  To: Marco Nicoloso; +Cc: netfilter

Marco Nicoloso wrote:
> [...]

# Jump into the chains from FORWARD
iptables -A FORWARD -i eth1 -o eth0 -j laninet
iptables -A FORWARD -i eth0 -o eth1 -j inetlan

Above shows eth1 is your LAN interface and eth0 is your WAN interface.

but....

#Setting up NAT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to
81.22.222.236

This shows eth1 is your WAN interface; please clarify this.

Pradeep



* Re: Cannot go out the firewall from internal network (NAT)
  2006-11-14 11:34 ` Pradeep Jindal
@ 2006-11-14 19:58   ` Marco Nicoloso
  2006-11-15  8:02     ` Gáspár Lajos
  2006-11-15 17:44     ` Pradeep Jindal
  0 siblings, 2 replies; 7+ messages in thread
From: Marco Nicoloso @ 2006-11-14 19:58 UTC (permalink / raw)
  To: Pradeep Jindal, netfilter

> # Jump into the chains from FORWARD
> iptables -A FORWARD -i eth1 -o eth0 -j laninet
> iptables -A FORWARD -i eth0 -o eth1 -j inetlan
>
> Above shows eth1 is your LAN interface and eth0 is your WAN interface.
>
> but....
>
> #Setting up NAT
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to
> xxx.xxx.xxx.xxx
>
> this shows eth1 is your WAN interface, please clarify on this thing.
>
> Pradeep
>

Yes, thank you very much Pradeep, I was wrong, I corrected it but...

...anyway it still doesn't work as I want. For now it is acting only
like a NAT. I want to understand how NAT + packet filtering work
together; I read the howtos provided by netfilter.org, and in
particular I didn't understand:

1) The POSTROUTING chain is processed after the FORWARD chain, isn't it?
But do I really need the FORWARD chain? If yes, do I need to set up my
rules for filtering the packets coming from my LAN which I want to
pass through the firewall (using a DROP policy) in the FORWARD chain, or just
in the INPUT chain, or in both of them?

2) Which is the right place for the NAT rules in my script? That
is, must NAT rules be placed before or after the PF rules? (For me after,
but as NAT controls different chains, because `nat' is a different
table... maybe it's the same.)

3) Can someone verify whether I understood the following sentence
correctly: "A packet coming from any network connected to the firewall
enters the INPUT chain: rules are processed in order from the first to
the last; if a matching rule is found, then the fate of the
packet depends only on that rule; if not, the packet is either dropped or
accepted, depending on the general policy of the chain mentioned
above."

Thanks.

Marco Nicoloso



* Re: Cannot go out the firewall from internal network (NAT)
  2006-11-14 19:58   ` Marco Nicoloso
@ 2006-11-15  8:02     ` Gáspár Lajos
  2006-11-15 17:44     ` Pradeep Jindal
  1 sibling, 0 replies; 7+ messages in thread
From: Gáspár Lajos @ 2006-11-15  8:02 UTC (permalink / raw)
  To: Marco Nicoloso, Netfilter IPtableMailinglist


Marco Nicoloso wrote:
>
> 1) The POSTROUTING chain is processed after the FORWARD chain, isn't it?
Yes
> But do I really need the FORWARD chain? If yes, do I need to set up my
> rules for filtering the packets coming from my LAN which I want to
> pass through the firewall (using a DROP policy) in the FORWARD chain, or just
> in the INPUT chain, or in both of them?
In the FORWARD chain you filter the packets passing through the firewall...
In the INPUT chain you filter the packets sent to your firewall... (For
example to a DNS server that sits on your firewalling machine...)
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html

>
> 2) Which is the right place for the NAT rules in my script? That
> is, must NAT rules be placed before or after the PF rules? (For me after,
> but as NAT controls different chains, because `nat' is a different
> table... maybe it's the same.)
There are chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) and 
tables (-t raw, -t mangle, -t nat, -t filter <-(default) )
http://www.faqs.org/docs/iptables/traversingoftables.html
NAT rules ARE placed before (PREROUTING) and after (POSTROUTING) PF rules...
Take a look at what you have already done with these commands:

iptables -vnL -t nat
iptables -vnL
iptables -vnL -t mangle
>
> 3) Can someone verify whether I understood the following sentence
> correctly: "A packet coming from any network connected to the firewall
> enters the INPUT chain: 
The correct route:

mangle PREROUTING
nat PREROUTING

[Routing decision]

mangle INPUT
filter INPUT

[Local process]

> rules are processed in order from the first to
> the last; 
yes
> if a matching rule is found, then the fate of the
> packet depends only on that rule;
yes
> if not packet is either dropped or
> accepted, depending on the general policy of the chain
yes

Rules that you may think about (what I prefer :D ):
- The chain policy should always be ACCEPT except in the filter table...
- DROP-ing or REJECT-ing should always be done in the filter table...
- Using user-defined chains makes iptables run faster...

Also take a look at my script.... :)

https://lists.netfilter.org/pipermail/netfilter/2006-August/066404.html

Swifty



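As an added example (not code from the thread, and not Gáspár's script), here is a small Python parser for the `iptables -vnL` output he suggests looking at. The sample output is constructed to resemble the firewall in this thread after a few failed connection attempts from the LAN; every counter value is invented. The check it performs is the one worth doing first when "nothing gets through": the header line of each built-in chain counts the packets its policy handled, so a FORWARD chain whose DROP policy counter is climbing while the jumps into laninet/inetlan stay at zero means the -i/-o selectors on those jumps never matched what the kernel saw, which is exactly what the eth0/eth1 mix-up found earlier in the thread looks like.

```python
# Added example, not code from the thread: parse the `iptables -vnL` output Gáspár
# suggests checking, and report where a DROP policy is absorbing traffic. The
# sample output is constructed to resemble the thread's firewall; counts are invented.
import re

SAMPLE = """\
Chain INPUT (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
    2   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  418 31350 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  966 72450 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   57  4560 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 61 packets, 3660 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 laninet    all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 inetlan    all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1204 packets, 96K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0

Chain inetlan (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain laninet (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+) (\S+) packets, \S+ bytes|\d+ references)\)$")

def parse_count(tok):
    """Undo the K/M/G abbreviation iptables applies without -x (powers of 1000)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)

def parse_counters(text):
    """Return {chain: {"policy", "policy_pkts", "rules"}}; user chains get policy None.
    Each rule keeps pkts, target, in, out and the match-extension tail (e.g. 'state INVALID')."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = CHAIN_RE.match(line)
        if m:
            policy, pkts = m.group(2), m.group(3)
            current = chains[m.group(1)] = {"policy": policy,
                                            "policy_pkts": parse_count(pkts) if pkts else 0,
                                            "rules": []}
            continue
        if current is None or not line or line.lstrip().startswith("pkts"):
            continue
        fields = line.split(None, 9)   # pkts bytes target prot opt in out src dst [matches]
        if len(fields) < 9:
            continue
        current["rules"].append({"pkts": parse_count(fields[0]), "target": fields[2],
                                 "in": fields[5], "out": fields[6],
                                 "extra": fields[9] if len(fields) > 9 else ""})
    return chains

def diagnose(chains):
    """Report built-in chains whose DROP policy handled packets. A policy counter that
    climbs while the jump rules stay at zero means the packets never matched the -i/-o
    selectors on those jumps, which is what the eth0/eth1 mix-up in this thread looks like."""
    findings = []
    for name, ch in chains.items():
        if ch["policy"] != "DROP" or ch["policy_pkts"] == 0:
            continue
        msg = f"{name}: policy DROP handled {ch['policy_pkts']} packets"
        idle = [r for r in ch["rules"]
                if r["pkts"] == 0 and r["target"] not in ("ACCEPT", "DROP", "REJECT")]
        if idle:
            msg += "; jumps that never matched: " + ", ".join(
                f"{r['target']} (-i {r['in']} -o {r['out']})" for r in idle)
        findings.append(msg)
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_counters(SAMPLE)):
        print(finding)
```

On a live box, pipe the real output in (`iptables -vnL | python3 thisfile.py` with `sys.stdin.read()` in place of SAMPLE) and run it once with `-x` so large counters are not rounded to K/M/G; repeat `iptables -t nat -vnL` the same way to confirm the SNAT rule's own counter moves when a LAN host opens a connection.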

* Re: Cannot go out the firewall from internal network (NAT)
  2006-11-14 19:58   ` Marco Nicoloso
  2006-11-15  8:02     ` Gáspár Lajos
@ 2006-11-15 17:44     ` Pradeep Jindal
  1 sibling, 0 replies; 7+ messages in thread
From: Pradeep Jindal @ 2006-11-15 17:44 UTC (permalink / raw)
  To: Marco Nicoloso; +Cc: netfilter

Marco Nicoloso wrote:
>> #Forward delle catene
>> iptables -A FORWARD -i eth1 -o eth0 -j laninet
>> iptables -A FORWARD -i eth0 -o eth1 -j inetlan
>>
>> Above shows eth1 is your LAN interface and eth0 is your WAN interface.
>>
>> but....
>>
>> #Setting up NAT
>> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to
>> xxx.xxx.xxx.xxx
>>
>> this shows eth1 is your WAN interface, please clarify on this thing.
>>
>> Pradeep
>>
>
> Yes, thank you very much Pradeep, I was wrong, I corrected it but...
>
> ...anyway still it doesn't work as I want. For now it is acting only
> like a NAT, I want to understand how NAT + Packet Filtering work
> together, I read the howtos provided by netfilter.org. And
> particularly I didn't understand:
>
> 1) POSTROUTING chain is processed after the FORWARD chain, isn't it?
> But do I really need the FORWARD chain? If yes, do I need to setup my
> rules for filtering the packets coming from my LAN which I want to
> pass through the firewall (using a DROP policy) in the FORWARD or just
> in the INPUT chain, or in both of them?
firewall machine = the machine where you are setting up the iptables rules.

Packet filtering rules should always be in the filter table (if there is no 
special case).
The filter table doesn't have a POSTROUTING chain, that is, FORWARD is required.
INPUT chain sees only those packets which are destined for the firewall 
machine.
FORWARD chain sees the packets which the firewall machine routes either from
LAN to WAN or from WAN to LAN.
OUTPUT chain sees the packets which the firewall machine generates.

Assuming you know how the routing works (I mean the operations related to that).
PREROUTING chain of nat table sees the packets before the routing decision
has been done.
POSTROUTING chain of nat table sees the packets after the routing decision
has been done.

So, ultimately this is all about which packets you want to act upon
and where (in the kernel network stack), and further which operation you
want to do: either filtering or network address translation (NAT).
>
> 2) Which is the right place for the NATting rules in my script? That
> is, NAT rules must be placed before or after PF rules (for me after,
> but as NAT controls different chains because `nat' is a different
> table... maybe it's the same)
I think the above description answers this also.
>
> 3) Someone can verify the following sentence if I understood
> correctly: "Packet coming from any network connected to the firewall
> enters the chain INPUT: rules are processed from the first in order to
> the end, if a matching rule for it is found, then the fate of the
> packet depends only on that rule; if not packet is either dropped or
> accepted, depending on the general policy of the chain above
> mentioned"
>
> Thanks.
>
> Marco Nicoloso
>

All in all, the netfilter framework is all about hooks in the kernel's 
network stack.

Regards,
Pradeep



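To make the traversal order in both replies concrete, here is an added example, not code from the thread: a toy Python model of the hooks. It encodes a ruleset equivalent to the corrected script (LAN on eth1, WAN on eth0, SNAT on the way out of eth0) as data and walks packets through mangle/nat PREROUTING, the routing decision, INPUT or FORWARD, and POSTROUTING, with the rule semantics Gáspár confirmed: first match wins, the chain policy applies when nothing matches, and a user chain that reaches its end returns to the calling chain. The firewall's addresses (192.168.7.1 on eth1, 203.0.113.10 standing in for the xxx.xxx.xxx.xxx in the thread), the default route via eth0 and the rules inside laninet/inetlan are assumptions; the thread only shows those chains being created.

```python
# Added example, not code from the thread: a toy model of the netfilter traversal
# the replies describe (hook order, first match wins, chain policy when nothing
# matches, a user chain falling through to its caller). Addresses and the rules
# inside laninet/inetlan are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("192.168.7.0/24")     # from the SNAT rule in the thread
WAN_ADDR = "203.0.113.10"                  # stands in for the thread's xxx.xxx.xxx.xxx
LOCAL_ADDRS = {"192.168.7.1", WAN_ADDR}    # assumed: the box's eth1 and eth0 addresses
EST = frozenset({"ESTABLISHED", "RELATED"})

@dataclass(frozen=True)
class Packet:
    in_if: str            # arrival interface
    src: str
    dst: str
    dport: int = 0
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED, RELATED, INVALID

@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT, DROP, SNAT or a user chain name
    in_if: Optional[str] = None          # -i
    out_if: Optional[str] = None         # -o
    src: Optional[str] = None            # -s CIDR
    dport: Optional[int] = None          # --dport (protocol omitted for brevity)
    states: Optional[frozenset] = None   # -m state --state
    to: Optional[str] = None             # SNAT --to

    def matches(self, pkt, out_if):
        return ((self.in_if is None or self.in_if == pkt.in_if)
                and (self.out_if is None or self.out_if == out_if)
                and (self.src is None or ip_address(pkt.src) in ip_network(self.src))
                and (self.dport is None or self.dport == pkt.dport)
                and (self.states is None or pkt.state in self.states))

def build_ruleset(snat_out_if="eth0"):
    """(table, chain) -> (policy, rules) for the corrected script: LAN eth1, WAN eth0.
    snat_out_if="eth1" reproduces the mistake Pradeep pointed out."""
    return {
        ("filter", "INPUT"): ("DROP", [
            Rule("DROP", states=frozenset({"INVALID"})),
            Rule("ACCEPT", in_if="eth1"),
            Rule("ACCEPT", in_if="eth0", states=EST)]),
        ("filter", "FORWARD"): ("DROP", [
            Rule("laninet", in_if="eth1", out_if="eth0"),
            Rule("inetlan", in_if="eth0", out_if="eth1")]),
        # User chains have no policy (None): falling off the end returns to the caller.
        ("filter", "laninet"): (None, [
            Rule("ACCEPT", dport=25),                 # assumed: SMTP at the ISP
            Rule("ACCEPT", states=EST)]),
        ("filter", "inetlan"): (None, [Rule("ACCEPT", states=EST)]),
        ("nat", "POSTROUTING"): ("ACCEPT", [
            Rule("SNAT", out_if=snat_out_if, src=str(LAN_NET), to=WAN_ADDR)]),
    }

def run_chain(ruleset, table, chain, pkt, out_if, path):
    """Scan one chain top to bottom; the first matching rule decides."""
    path.append(f"{table} {chain}")
    policy, rules = ruleset.get((table, chain), ("ACCEPT", []))  # unlisted chains are empty
    for rule in rules:
        if not rule.matches(pkt, out_if):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "SNAT":
            return ("SNAT", rule.to)
        verdict = run_chain(ruleset, table, rule.target, pkt, out_if, path)
        if verdict is not None:          # None: the user chain fell through, keep scanning
            return verdict
    return policy                        # no match: chain policy (None for a user chain)

def routing_decision(pkt):
    """None for local delivery, else the egress interface (assumed default route: eth0)."""
    if pkt.dst in LOCAL_ADDRS:
        return None
    return "eth1" if ip_address(pkt.dst) in LAN_NET else "eth0"

def traverse(pkt, ruleset=None):
    """Return (verdict, out_if, src_after_nat, path) for one packet entering the box."""
    ruleset = build_ruleset() if ruleset is None else ruleset
    path, src = [], pkt.src
    for table in ("mangle", "nat"):                   # before the routing decision
        run_chain(ruleset, table, "PREROUTING", pkt, None, path)
    out_if = routing_decision(pkt)
    chain = "INPUT" if out_if is None else "FORWARD"  # for the box itself, or through it
    for table in ("mangle", "filter"):
        if run_chain(ruleset, table, chain, pkt, out_if, path) == "DROP":
            return "DROP", out_if, src, path
    if out_if is not None:                            # forwarded: POSTROUTING on the way out
        run_chain(ruleset, "mangle", "POSTROUTING", pkt, out_if, path)
        if pkt.state == "NEW":                        # nat sees only a flow's first packet
            verdict = run_chain(ruleset, "nat", "POSTROUTING", pkt, out_if, path)
            if isinstance(verdict, tuple):
                src = verdict[1]
    return "ACCEPT", out_if, src, path

if __name__ == "__main__":
    for pkt in (Packet("eth1", "192.168.7.20", "198.51.100.25", 25),   # LAN -> ISP SMTP
                Packet("eth0", "198.51.100.7", "192.168.7.20", 445)):  # Internet -> LAN, unsolicited
        verdict, out_if, src, path = traverse(pkt)
        print(f"{verdict:6} out={out_if} src={src}: " + " -> ".join(path))
```

Running it shows the two points the replies make: a LAN host talking to the ISP's SMTP server never touches INPUT, it goes FORWARD -> laninet and is then rewritten in nat POSTROUTING, while a LAN host querying the firewall's own address goes INPUT only; an unsolicited packet from the Internet hits inetlan, falls off its end, and is dropped by the FORWARD policy. `build_ruleset(snat_out_if="eth1")` reproduces the mistake Pradeep caught: the SNAT rule then never matches a LAN-to-WAN packet, so it leaves eth0 with its private source address.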

end of thread, other threads:[~2006-11-15 17:44 UTC | newest]

Thread overview: 7+ messages
2006-11-13 15:15 Cannot go out the firewall from internal network (NAT) Marco Nicoloso
2006-11-13 15:39 ` Tommy W
2006-11-13 16:09   ` Marco Nicoloso
2006-11-14 11:34 ` Pradeep Jindal
2006-11-14 19:58   ` Marco Nicoloso
2006-11-15  8:02     ` Gáspár Lajos
2006-11-15 17:44     ` Pradeep Jindal
