* ESTABLISHED makes possible to connect to internal servers
@ 2007-04-10 17:39 Anton Sidorov
2007-04-11 15:06 ` Maximilian Wilhelm
2007-04-11 18:02 ` Anton Sidorov
0 siblings, 2 replies; 4+ messages in thread
From: Anton Sidorov @ 2007-04-10 17:39 UTC (permalink / raw)
To: netfilter
Hi,
I have a slight problem and cannot find any answers myself or on the
Internet.
I run iptables on a Debian-based router/firewall.
I do not use NAT or private IP addresses.
vlan2 and vlan3 are external connections to ISPs;
vlan101 and vlan82 are internal interfaces.
The problem is that if I put
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
or just
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
it is possible to access my internal web server (and not only the web
server) from outside,
even though I did not open port 80 in the FORWARD chain and the policy for FORWARD
is DROP.
As soon as I remove those lines I cannot connect to the Internet from
behind the firewall.
I've been fighting with that problem for two weeks now.
I rewrote my script several times and brought it down to the bare basics, but
nothing has fixed the problem.
kernel 2.6.18-4-686
iptables v1.3.6
Any hints or tips would be really appreciated.
Best regards,
Anton.
* Re: ESTABLISHED makes possible to connect to internal servers
2007-04-10 17:39 ESTABLISHED makes possible to connect to internal servers Anton Sidorov
@ 2007-04-11 15:06 ` Maximilian Wilhelm
2007-04-11 18:02 ` Anton Sidorov
1 sibling, 0 replies; 4+ messages in thread
From: Maximilian Wilhelm @ 2007-04-11 15:06 UTC (permalink / raw)
To: netfilter
On Tuesday, 10 April, Anton Sidorov typed the following:
Hi!
> The problem is that if I put
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> or just
> iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
[...]
> it is possible to access my internal web server (and not only the web
> server) from outside,
> even though I did not open port 80 in the FORWARD chain and the policy for FORWARD
> is DROP.
[...]
> I've been fighting with that problem for two weeks now.
> I rewrote my script several times and brought it down to the bare basics, but
> nothing has fixed the problem.
Maybe it would help to see the "bare basic" script, so we could get the
"big picture".
Ciao
Max
--
| | Follow the white penguin.
| |\/| | |-----------------------------------------------------------.
| | |/\| | Rechnerbetrieb Mathematik | Meine Baustellen: TSM |
| | Universitaet Paderborn | Hostmaster, Linux, LDAP |
* Re: ESTABLISHED makes possible to connect to internal servers
2007-04-10 17:39 ESTABLISHED makes possible to connect to internal servers Anton Sidorov
2007-04-11 15:06 ` Maximilian Wilhelm
@ 2007-04-11 18:02 ` Anton Sidorov
2007-04-14 14:11 ` Arnd-Hendrik Mathias
1 sibling, 1 reply; 4+ messages in thread
From: Anton Sidorov @ 2007-04-11 18:02 UTC (permalink / raw)
To: netfilter
Anton Sidorov wrote:
> Hi,
>
> I have a slight problem and cannot find any answers myself or on the
> Internet.
>
> I run iptables on a Debian-based router/firewall.
>
> I do not use NAT or private IP addresses.
> vlan2 and vlan3 are external connections to ISPs;
> vlan101 and vlan82 are internal interfaces.
>
> The problem is that if I put
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> or just
> iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
>
> it is possible to access my internal web server (and not only the web
> server) from outside,
> even though I did not open port 80 in the FORWARD chain and the policy for FORWARD
> is DROP.
>
> As soon as I remove those lines I cannot connect to the Internet from
> behind the firewall.
>
> I've been fighting with that problem for two weeks now.
> I rewrote my script several times and brought it down to the bare basics, but
> nothing has fixed the problem.
>
> kernel 2.6.18-4-686
> iptables v1.3.6
>
> Any hints or tips would be really appreciated.
>
> Best regards,
>
> Anton.
>
Maximilian Wilhelm wrote:
> Maybe it would help to see the "bare basic" script, so we could get the
> "big picture".
> Ciao
> Max
> --
> [...]
Here is the iptables-restore configuration (I tried to put the same
commands in from the console; the result is the same).
I have 4 interfaces: vlan2 and vlan3 are external, vlan101 and vlan82 are
internal.
Cheers,
Anton.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i vlan101 -j ACCEPT
-A INPUT -i vlan82 -j ACCEPT
-A INPUT -p 47 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 179 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i vlan101 -j ACCEPT
-A FORWARD -i vlan82 -j ACCEPT
-A FORWARD -p 47 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j DROP
COMMIT
* Re: ESTABLISHED makes possible to connect to internal servers
2007-04-11 18:02 ` Anton Sidorov
@ 2007-04-14 14:11 ` Arnd-Hendrik Mathias
0 siblings, 0 replies; 4+ messages in thread
From: Arnd-Hendrik Mathias @ 2007-04-14 14:11 UTC (permalink / raw)
To: netfilter
Hi Anton,
>> it is possible to access my internal web server (and not only the web
>> server) from outside,
Sorry for the silly question: how exactly do you test this, and where
are your server and your test client running?
>> even though I did not open port 80 in the FORWARD chain and the policy for FORWARD
>> is DROP.
By the way, DROP is your last rule and thus a somewhat "implicit policy".
According to your script, your policy is ACCEPT. But that won't
affect the behavior you described. Anyway, it will be more secure to set
your real policies to DROP, and as a consequence you can omit the
last rule of each chain.
>*filter
>:INPUT ACCEPT [0:0]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [0:0]
>
>-A INPUT -i lo -j ACCEPT
>-A INPUT -i vlan101 -j ACCEPT
>-A INPUT -i vlan82 -j ACCEPT
>
>-A INPUT -p 47 -j ACCEPT
>
>-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>-A INPUT -p tcp --dport 179 -j ACCEPT
>
>-A INPUT -j DROP
>
>-A FORWARD -i vlan101 -j ACCEPT
>-A FORWARD -i vlan82 -j ACCEPT
>
>-A FORWARD -p 47 -j ACCEPT
>
>-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>-A FORWARD -j DROP
>
>COMMIT
>
>
Maybe messing around with other protocols like "Border Gateway Protocol"
or "General Routing Encapsulation" is unlikely to ease debugging your
HTTP connections. So I'd disable these rules temporarily for debugging
purposes.
One other silly question: do you flush your tables before appending
these rules? Sorry for this kind of question, but we're all human and
sometimes the problems are closer (and easier) than we expect them to be
;°) At least this information will help to judge your scenario and find
out the nature of your problem.
Cheers
Arnd-Hendrik
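The two debugging questions above (how the test was done, and whether the tables were flushed) and the remark about the "implicit policy" can both be checked against the ruleset Anton posted without touching a live box. The script below is an added example, not code from this thread or from the netfilter project: it parses the posted iptables-restore text (embedded as a constructed string), walks a chain the way the kernel does for one packet (first matching rule wins, otherwise the chain policy), flags chains whose ACCEPT policy is only made safe by a trailing bare DROP, and rewrites them to an explicit DROP policy. It only understands the matches that ruleset uses (-i, -p, --dport, -m state --state); everything else is left out.

```python
"""Walk a small iptables-restore ruleset the way the kernel reaches a verdict
for one packet, and lint it for an "implicit policy" (ACCEPT policy, bare DROP
as the last rule). Added example, not code from the thread; the ruleset is the
one posted in the thread, embedded here as a constructed string. Only the
matches that ruleset uses (-i, -p, --dport, -m state --state) are understood.
"""
from dataclasses import dataclass, field
from typing import Optional

RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i vlan101 -j ACCEPT
-A INPUT -i vlan82 -j ACCEPT
-A INPUT -p 47 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 179 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i vlan101 -j ACCEPT
-A FORWARD -i vlan82 -j ACCEPT
-A FORWARD -p 47 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: str
    text: str
    in_iface: Optional[str] = None
    proto: Optional[str] = None      # "tcp" or a number, as written ("47" = GRE)
    dport: Optional[int] = None
    states: set = field(default_factory=set)

    def unconditional(self) -> bool:
        return not (self.in_iface or self.proto or self.dport or self.states)


@dataclass
class Packet:
    in_iface: str
    proto: str
    dport: Optional[int]
    state: str                       # conntrack state: NEW, ESTABLISHED, RELATED


def parse_ruleset(text):
    """Return ({chain: policy}, [Rule, ...]) from iptables-restore syntax."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = line.split()
            rule = Rule(chain=toks[1], target=toks[toks.index("-j") + 1], text=line)
            for i, tok in enumerate(toks[:-1]):
                if tok == "-i":
                    rule.in_iface = toks[i + 1]
                elif tok == "-p":
                    rule.proto = toks[i + 1]
                elif tok == "--dport":
                    rule.dport = int(toks[i + 1])
                elif tok == "--state":
                    rule.states = set(toks[i + 1].split(","))
            rules.append(rule)
    return policies, rules


def verdict(chain, policies, rules, pkt):
    """First matching rule wins, as in the kernel; otherwise the chain policy."""
    for r in (r for r in rules if r.chain == chain):
        if r.in_iface and r.in_iface != pkt.in_iface:
            continue
        if r.proto and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.states and pkt.state not in r.states:
            continue
        return r.target, r.text
    return policies[chain], f"policy {chain}"


def evaluate(text, chain, pkt):
    """Parse `text` and return (target, matching rule or policy) for `pkt`."""
    policies, rules = parse_ruleset(text)
    return verdict(chain, policies, rules, pkt)


def lint_implicit_policy(policies, rules):
    """Chains whose policy is ACCEPT but whose last rule is an unconditional DROP."""
    flagged = []
    for chain, policy in policies.items():
        last = [r for r in rules if r.chain == chain][-1:]
        if policy == "ACCEPT" and last and last[0].target == "DROP" and last[0].unconditional():
            flagged.append(chain)
    return flagged


def harden(text):
    """Make the implicit policy explicit: policy DROP, trailing bare DROP removed."""
    policies, rules = parse_ruleset(text)
    flagged = lint_implicit_policy(policies, rules)
    drop_lines = {[r for r in rules if r.chain == c][-1].text for c in flagged}
    out = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(":") and s[1:].split()[0] in flagged:
            out.append(f":{s[1:].split()[0]} DROP [0:0]")
        elif s not in drop_lines:
            out.append(line)
    return "\n".join(out) + "\n"
```

Run as written, `evaluate(RULESET, "FORWARD", Packet("vlan2", "tcp", 80, "NEW"))` lands on `-A FORWARD -j DROP`: a fresh connection from an external VLAN to port 80 is not accepted by any rule in the posted text, while the same packet in state ESTABLISHED is accepted by the state rule, as intended. That is why the questions about the test setup and about flushing matter more than the ESTABLISHED rule itself. `lint_implicit_policy(*parse_ruleset(RULESET))` reports INPUT and FORWARD, and `harden(RULESET)` produces the ruleset Arnd-Hendrik suggests, with identical verdicts and no trailing DROP to forget.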