* Default deny rule
@ 2007-05-10 5:28 Gopinath
2007-05-11 10:09 ` Gáspár Lajos
0 siblings, 1 reply; 10+ messages in thread
From: Gopinath @ 2007-05-10 5:28 UTC (permalink / raw)
To: netfilter
Good day everyone,
I am very new to this list. I am running FC3 and want to convert my
server to act as a firewall which does static NAT. I have set up
everything and it works fine in simulation. The only thing is that I am
not able to make restrictions in the FORWARD chain. The basic
functionality of a firewall, the DEFAULT DENYING FUNCTIONALITY, is
missing in my firewall. I tried to make it by applying a DROP policy to
the FORWARD chain and also appending a default DROP rule to the end of
the FORWARD chain. But when I do so, all the packets get dropped at the
firewall. I have pasted my firewall script below. I have enabled the
ip_conntrack and iptable_nat modules during bootup.
OS: Fedora Core 3
IPtables Version: v1.2.11
# Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
*filter
:INPUT ACCEPT [364:57615]
:FORWARD ACCEPT [1:52]
:OUTPUT ACCEPT [211:18044]
-A INPUT -s 10.44.x.x -p icmp -j ACCEPT
-A INPUT -s 10.44.x.x -p icmp -j ACCEPT
-A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Apr 27 08:16:21 2007
# Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
*nat
:PREROUTING ACCEPT [289:55706]
:POSTROUTING ACCEPT [77:6468]
:OUTPUT ACCEPT [77:6468]
-A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
-A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
-A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
-A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
COMMIT
# Completed on Fri Apr 27 08:16:21 2007
Output of iptables -nv -L
Chain INPUT (policy ACCEPT 73 packets, 13040 bytes)
pkts bytes target prot opt in out source destination
501 30228 ACCEPT icmp -- * * 10.44.x.x 0.0.0.0/0
8648 576K ACCEPT tcp -- * * 10.44.x.x 0.0.0.0/0 tcp dpt:22
52464 9344K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 68 packets, 5648 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 10.44.x.x state NEW
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 10.44.x.x state NEW
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 10236 packets, 1175K bytes)
pkts bytes target prot opt in out source destination
Any help would be highly appreciated.
Thanks & Regards,
Gopinath.U
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Default deny rule
2007-05-10 5:28 Default deny rule Gopinath
@ 2007-05-11 10:09 ` Gáspár Lajos
2007-05-14 6:02 ` Gopinath
0 siblings, 1 reply; 10+ messages in thread
From: Gáspár Lajos @ 2007-05-11 10:09 UTC (permalink / raw)
To: Gopinath; +Cc: netfilter
Gopinath wrote:
> Good day everyone,
> I am very new to this list. I am running FC3 and want to convert my
> server to act as a firewall which does static NAT. I have set up
> everything and it works fine in simulation. The only thing is that I am
> not able to make restrictions in the FORWARD chain. The basic
> functionality of a firewall, the DEFAULT DENYING FUNCTIONALITY, is
> missing in my firewall. I tried to make it by applying a DROP policy to
> the FORWARD chain and also appending a default DROP rule to the end of
> the FORWARD chain. But when I do so, all the packets get dropped at the
> firewall. I have pasted my firewall script below. I have enabled the
> ip_conntrack and iptable_nat modules during bootup.
>
> OS: Fedora Core 3
> IPtables Version: v1.2.11
It is kind of old... :D
>
> # Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
> *filter
> :INPUT ACCEPT [364:57615]
> :FORWARD ACCEPT [1:52]
> :OUTPUT ACCEPT [211:18044]
The DEFAULT DENYING FUNCTIONALITY is achieved by using these commands:
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
> -A INPUT -s 10.44.x.x -p icmp -j ACCEPT
> -A INPUT -s 10.44.x.x -p icmp -j ACCEPT
> -A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.44.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.1.x.x -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j
> ACCEPT
> -A FORWARD -d 10.44.x.x -i eth0 -o eth1 -p tcp -m state --state NEW -j
> ACCEPT
> -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Fri Apr 27 08:16:21 2007
> # Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
> *nat
> :PREROUTING ACCEPT [289:55706]
> :POSTROUTING ACCEPT [77:6468]
> :OUTPUT ACCEPT [77:6468]
> -A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
> -A PREROUTING -d 10.1.x.x -i eth0 -j DNAT --to-destination 10.44.x.x
> -A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
> -A POSTROUTING -s 10.44.x.x -o eth0 -j SNAT --to-source 10.1.x.x
> COMMIT
> # Completed on Fri Apr 27 08:16:21 2007
>
> Output of iptables -nv -L
>
> Chain INPUT (policy ACCEPT 73 packets, 13040 bytes)
>
> pkts bytes target prot opt in out source destination
> 501 30228 ACCEPT icmp -- * * 10.44.x.x 0.0.0.0/0
> 8648 576K ACCEPT tcp -- * * 10.44.x.x 0.0.0.0/0 tcp dpt:22
> 52464 9344K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state
> NEW,RELATED,ESTABLISHED
>
> Chain FORWARD (policy ACCEPT 68 packets, 5648 bytes)
>
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 10.44.x.x state NEW
> 0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 10.44.x.x state NEW
> 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state
> NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
There is no packet that matches your rules....
What are these destinations : 10.44.x.x ???
Do you mean 10.44.0.0/16 ???
fw1:~# whois 10.44.0.0
...
NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12
>
> Chain OUTPUT (policy ACCEPT 10236 packets, 1175K bytes)
> pkts bytes target prot opt in out source destination
>
> Any help would be highly appreciated.
>
> Thanks & Regards,
> Gopinath.U
>
>
* Re: Default deny rule
2007-05-11 10:09 ` Gáspár Lajos
@ 2007-05-14 6:02 ` Gopinath
2007-05-14 12:33 ` Gáspár Lajos
0 siblings, 1 reply; 10+ messages in thread
From: Gopinath @ 2007-05-14 6:02 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: netfilter
Please find the correct IP details below... Is it necessary to
upgrade my kernel and iptables to achieve NAT and default deny
functionality?
# vi /etc/iptables.conf
# Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
*filter
:INPUT ACCEPT [364:57615]
:FORWARD ACCEPT [1:52]
:OUTPUT ACCEPT [211:18044]
-A INPUT -s 10.44.20.70 -p icmp -j ACCEPT
-A INPUT -s 10.44.2.140 -p icmp -j ACCEPT
-A INPUT -s 10.44.2.140 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.44.20.70 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.1.0.246 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.2.10.240 -d 10.44.2.140 -i eth0 -o eth1 -p tcp -m
state --state NEW -j ACCEPT
-A FORWARD -s 10.2.10.240 -d 10.44.2.100 -i eth0 -o eth1 -p tcp -m
state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Fri Apr 27 08:16:21 2007
# Generated by iptables-save v1.2.11 on Fri Apr 27 08:16:21 2007
*nat
:PREROUTING ACCEPT [289:55706]
:POSTROUTING ACCEPT [77:6468]
:OUTPUT ACCEPT [77:6468]
-A PREROUTING -d 10.1.60.240 -i eth0 -j DNAT --to-destination 10.44.2.100
-A PREROUTING -d 10.1.60.245 -i eth0 -j DNAT --to-destination 10.44.2.140
-A POSTROUTING -s 10.44.2.100 -o eth0 -j SNAT --to-source 10.1.60.240
-A POSTROUTING -s 10.44.2.140 -o eth0 -j SNAT --to-source 10.1.60.245
COMMIT
# Completed on Fri Apr 27 08:16:21 2007
# iptables -nv -L
Chain INPUT (policy ACCEPT 100 packets, 14882 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 10.44.20.70 0.0.0.0/0
0 0 ACCEPT icmp -- * * 10.44.2.140 0.0.0.0/0
0 0 ACCEPT tcp -- * * 10.44.2.140 0.0.0.0/0 tcp dpt:22
356 24672 ACCEPT tcp -- * * 10.44.20.70 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 10.1.0.246 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth0 eth1 10.2.10.240 10.44.2.140 state NEW
0 0 ACCEPT tcp -- eth0 eth1 10.2.10.240 10.44.2.100 state NEW
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 302 packets, 34150 bytes)
pkts bytes target prot opt in out source destination
Regards,
Gopinath.U
* Re: Default deny rule
2007-05-14 6:02 ` Gopinath
@ 2007-05-14 12:33 ` Gáspár Lajos
[not found] ` <d2af4f000705150134r4d5bbf84r96d0f91aae9a725d@mail.gmail.com>
0 siblings, 1 reply; 10+ messages in thread
From: Gáspár Lajos @ 2007-05-14 12:33 UTC (permalink / raw)
To: Gopinath; +Cc: netfilter
Gopinath wrote:
> Please find the correct IP details below... Is it necessary to
> upgrade my kernel and iptables to achieve NAT and default deny
> functionality?
Not necessary but suggested... At least you should upgrade your
iptables to 1.3.7.
Now I comment your rules... :D
> :INPUT ACCEPT [364:57615]
> :FORWARD ACCEPT [1:52]
> :OUTPUT ACCEPT [211:18044]
If there is no matching rule then EVERYTHING is ACCEPTED because your 3
policies above are set to ACCEPT.
In DEFAULT DENY mode you should set these policies to DROP as mentioned
in my previous mail:
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
> -A INPUT -s 10.44.20.70 -p icmp -j ACCEPT
> -A INPUT -s 10.44.2.140 -p icmp -j ACCEPT
Here you enable 2 IPs to use ICMP (ping) on your host.
> -A INPUT -s 10.44.2.140 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.44.20.70 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -s 10.1.0.246 -p tcp -m tcp --dport 22 -j ACCEPT
The above 3 IPs are enabled to SSH to your host.
BUT IF YOU DO NOT SET THE DEFAULT POLICY TO DROP THEN THESE RULES ARE
MEANINGLESS!!!
> -A FORWARD -s 10.2.10.240 -d 10.44.2.140 -i eth0 -o eth1 -p tcp -m
> state --state NEW -j ACCEPT
> -A FORWARD -s 10.2.10.240 -d 10.44.2.100 -i eth0 -o eth1 -p tcp -m
> state --state NEW -j ACCEPT
10.2.10.240 can create NEW connections to 10.44.2.100 and 10.44.2.140...
10.2.10.240 should be on eth0
10.44.2.100 should be on eth1
10.44.2.140 should be on eth1
> -A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
ANY host that sends ANY (NEW,RELATED,ESTABLISHED) packets through eth0
(not only to 10.2.10.240) is ACCEPTED.
> -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ANY host that sends RELATED or ESTABLISHED packets from eth0 (not only
from 10.2.10.240) is ACCEPTED.
AGAIN IF YOU DO NOT SET THE DEFAULT POLICY TO DROP THEN THESE RULES ARE
MEANINGLESS!!!
> *nat
> :PREROUTING ACCEPT [289:55706]
> :POSTROUTING ACCEPT [77:6468]
> :OUTPUT ACCEPT [77:6468]
These ACCEPTs are ok.
> -A PREROUTING -d 10.1.60.240 -i eth0 -j DNAT --to-destination 10.44.2.100
> -A PREROUTING -d 10.1.60.245 -i eth0 -j DNAT --to-destination 10.44.2.140
Anything that comes from eth0 and would go to 10.1.60.240 should go to
10.44.2.100.
Anything that comes from eth0 and would go to 10.1.60.245 should go to
10.44.2.140.
> -A POSTROUTING -s 10.44.2.100 -o eth0 -j SNAT --to-source 10.1.60.240
> -A POSTROUTING -s 10.44.2.140 -o eth0 -j SNAT --to-source 10.1.60.245
Anything that goes out on eth0 and comes from 10.44.2.100 should appear
as it would come from 10.1.60.240.
Anything that goes out on eth0 and comes from 10.44.2.140 should appear
as it would come from 10.1.60.245.
Maybe you do not need these last two rules at all because a DNAT rule
simply does the reverse SNAT in most cases.
> # iptables -nv -L
>
> Chain INPUT (policy ACCEPT 100 packets, 14882 bytes)
You had 100 packets that did not match ANY rule in the INPUT chain.
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT icmp -- * * 10.44.20.70 0.0.0.0/0
> 0 0 ACCEPT icmp -- * * 10.44.2.140 0.0.0.0/0
> 0 0 ACCEPT tcp -- * * 10.44.2.140 0.0.0.0/0 tcp dpt:22
> 356 24672 ACCEPT tcp -- * * 10.44.20.70 0.0.0.0/0 tcp dpt:22
> 0 0 ACCEPT tcp -- * * 10.1.0.246 0.0.0.0/0 tcp dpt:22
No connection, no ping yet ???
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT tcp -- eth0 eth1 10.2.10.240 10.44.2.140 state NEW
> 0 0 ACCEPT tcp -- eth0 eth1 10.2.10.240 10.44.2.100 state NEW
> 0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
> 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>
No NAT yet ???
> Chain OUTPUT (policy ACCEPT 302 packets, 34150 bytes)
> pkts bytes target prot opt in out source
> destination
>
Just 302 packets that went out and no rule. Btw. maybe you do not want to
filter your outgoing traffic.
In that case you should leave your OUTPUT policy as ACCEPT.
> Regards,
> Gopinath.U
I think that you want something else than what you did in your rules.
I would restart the whole project from the ground up.
!!!
Please describe the connected networks and the target of the firewalling.
!!!
Here is a core script that may help you:
(A bit long but can be useful. And of course not working in its current
state... :D )
#!/bin/bash
echo "Setting up FIREWALL rules:"

# Kernel network settings
core_set="/proc/sys/net/core"
ip_set="/proc/sys/net/ipv4"
echo 0 > $ip_set/conf/all/rp_filter
echo 1 > $ip_set/conf/all/proxy_arp
echo 1 > $ip_set/icmp_echo_ignore_broadcasts
echo 1 > $ip_set/ip_forward
echo 32768 > $ip_set/netfilter/ip_conntrack_max
echo 1 > $ip_set/tcp_abort_on_overflow
echo 10 > $ip_set/tcp_fin_timeout
echo 1 > $ip_set/tcp_rfc1337
echo 1 > $ip_set/tcp_sack
echo 2 > $ip_set/tcp_synack_retries
echo 1 > $ip_set/tcp_syncookies
echo 16384 16384 16384 > $ip_set/tcp_wmem
echo 16384 > $core_set/rmem_default
echo 16384 > $core_set/wmem_default
echo 16384 > $core_set/wmem_max
sysctl -w net.ipv4.tcp_ecn=0 >/dev/null 2>/dev/null

# Connection tracking and NAT modules
modprobe ip_conntrack >/dev/null 2>/dev/null
modprobe ip_nat >/dev/null 2>/dev/null
modprobe iptable_nat >/dev/null 2>/dev/null

# Helpers: $table selects the table, $chain the built-in chain being
# filled, $subchain the user-defined chain being filled. With $subchain
# empty, clean_subchain flushes, deletes and zeroes every chain of $table.
clean_subchain() {
    $table -F $subchain >/dev/null 2>/dev/null
    $table -X $subchain >/dev/null 2>/dev/null
    $table -Z $subchain >/dev/null 2>/dev/null
}
create_subchain() {
    subchain=$1
    clean_subchain
    $table -N $subchain
}
clean_table() {
    subchain=""
    clean_subchain
}

# nat table: static DNAT for connections arriving on eth0
table="iptables -t nat"
clean_table
chain="PREROUTING"
$table -P $chain ACCEPT
create_subchain "DNAT_of_eth0"
$table -A $chain -j $subchain -i eth0
$table -A $subchain -j DNAT -d 10.1.60.240 --to-destination 10.44.2.100
$table -A $subchain -j DNAT -d 10.1.60.245 --to-destination 10.44.2.140
chain="POSTROUTING"
$table -P $chain ACCEPT
chain="OUTPUT"
$table -P $chain ACCEPT

# filter table
table="iptables -t filter"
clean_table
# Polite reject: TCP reset for tcp, ICMP admin-prohibited for the rest
create_subchain "send_reject"
$table -A $subchain -j REJECT -p tcp --reject-with tcp-reset
$table -A $subchain -j REJECT --reject-with icmp-admin-prohibited
$table -A $subchain -j DROP
# Log, then reject, packets that fail the sanity checks below
create_subchain "log_invalid"
$table -A $subchain -j LOG --log-prefix "INVALID: " --log-level debug --log-tcp-sequence --log-tcp-options --log-ip-options
$table -A $subchain -j send_reject
# ICMP sanity: common types RETURN to the caller, echo requests are rate limited per source
create_subchain "con_icmp"
$table -A $subchain -j RETURN -p icmp --icmp-type echo-reply
$table -A $subchain -j RETURN -p icmp --icmp-type destination-unreachable
$table -A $subchain -j RETURN -p icmp --icmp-type source-quench
$table -A $subchain -j RETURN -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name icmp --hashlimit 1/s --hashlimit-mode srcip
$table -A $subchain -j RETURN -p icmp --icmp-type time-exceeded
$table -A $subchain -j DROP -p icmp
create_subchain "con_udp"
#TODO
# TCP sanity: a NEW connection must start with a SYN
create_subchain "con_tcp"
$table -A $subchain -j RETURN -p tcp --syn -m conntrack --ctstate NEW
$table -A $subchain -j RETURN -m conntrack --ctstatus EXPECTED
$table -A $subchain -j log_invalid
# Shared entry point: accept tracked traffic, sanity-check the rest and RETURN
create_subchain "connected"
$table -A $subchain -j ACCEPT -m conntrack --ctstate ESTABLISHED
$table -A $subchain -j ACCEPT -m conntrack --ctstate RELATED
$table -A $subchain -j RETURN -i lo -o lo
$table -A $subchain -j con_icmp -p icmp
$table -A $subchain -j RETURN -p icmp
$table -A $subchain -j con_udp -p udp
$table -A $subchain -j RETURN -p udp
$table -A $subchain -j con_tcp -p tcp
$table -A $subchain -j RETURN -p tcp

# INPUT: default deny, then the explicit allows
chain="INPUT"
$table -P $chain DROP
$table -A $chain -j connected
create_subchain "ICMP_ok"
$table -A $chain -j $subchain -p icmp
$table -A $subchain -j ACCEPT -s 10.44.20.70
$table -A $subchain -j ACCEPT -s 10.44.2.140
create_subchain "SSH_ok"
$table -A $chain -j $subchain -p tcp --dport 22
$table -A $subchain -j ACCEPT -s 10.1.0.246
$table -A $subchain -j ACCEPT -s 10.44.2.140
$table -A $subchain -j ACCEPT -s 10.44.20.70

# FORWARD: default deny, then the DNAT targets on eth1
chain="FORWARD"
$table -P $chain DROP
$table -A $chain -j connected
create_subchain "enable_DNAT_to_eth1"
$table -A $chain -j $subchain -o eth1
$table -A $subchain -j ACCEPT -d 10.44.2.100
$table -A $subchain -j ACCEPT -d 10.44.2.140

chain="OUTPUT"
$table -P $chain ACCEPT
echo "done."
Swifty
* Re: Default deny rule
[not found] ` <d2af4f000705150134r4d5bbf84r96d0f91aae9a725d@mail.gmail.com>
@ 2007-05-21 16:03 ` Gáspár Lajos
2007-05-28 13:45 ` Gopinath
0 siblings, 1 reply; 10+ messages in thread
From: Gáspár Lajos @ 2007-05-21 16:03 UTC (permalink / raw)
To: Gopinath; +Cc: Netfilter IPtableMailinglist
Hi,
Gopinath wrote:
> Hi,
>
> My objective is to replace my existing firewall with a Linux firewall.
> We have point to point connectivity through VSAT with one of our
> customers. The only major thing which the firewall needs to do is STATIC
> NAT. As you may see, since this is a point to point connectivity all the
> IPs employed are private IPs. While checking the f/w in simulation
> mode, things were working fine (except default denying). I already
> tried to achieve DEFAULT DENY by changing the default behaviour of
> FORWARD policy to DROP by issuing the command "iptables -P FORWARD
> DROP". But when I do this all the traffic was getting dropped. So
If EVERYTHING is dropped then your rules do not get hit by the traffic.
(Your rules are wrong.)
Try to capture the traffic. Maybe you can find the problem.
>
> again i tried by appending a policy in forward chain (last rule) to
(policy is always the last rule... :D )
> drop all the packets by default. But even this didn't work out. Hope
> you can understand my requirement & how i do the NATTing from my
> previous mail.
>
> Even though I have worked a bit with iptables before, I am a beginner
> in building a linux firewall with iptables :-)
>
> Cheers :)
> Gopinath.U
Swifty
* Re: Default deny rule
2007-05-21 16:03 ` Gáspár Lajos
@ 2007-05-28 13:45 ` Gopinath
2007-05-29 13:04 ` Gáspár Lajos
0 siblings, 1 reply; 10+ messages in thread
From: Gopinath @ 2007-05-28 13:45 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: Netfilter IPtableMailinglist
Hi Lajos,
Thanks for your suggestion.
I have upgraded my OS to Fedora 6 and also enabled the logging option for
the DROP packets. Now the default denying functionality is working
fine. But this time I face another problem, i.e., I have applied static
NAT on my firewall. In my simulation setup I am able to connect to the
other end (INTERNAL) machine from the EXTERNAL machine using the NAT IP
assigned, as well as through the actual IP of the machine (INTERNAL).
This spoils my purpose for NATting. I don't know why this happens. I
suspect that there could be some problem with my NAT module. Please
suggest...
Is there any need to upgrade my kernel to add further support ?
Regards,
Gopinath. U
* Re: Default deny rule
2007-05-28 13:45 ` Gopinath
@ 2007-05-29 13:04 ` Gáspár Lajos
2007-05-29 14:44 ` Gopinath
0 siblings, 1 reply; 10+ messages in thread
From: Gáspár Lajos @ 2007-05-29 13:04 UTC (permalink / raw)
To: Gopinath; +Cc: Netfilter IPtableMailinglist
Hi Gopinath,
> Hi Lajos,
>
> Thanks for your suggestion.
>
> I have upgraded my OS to Fedora 6 and also enabled the logging option for
> the DROP packets. Now the default denying functionality is working
> fine. But this time I face another problem, i.e., I have applied static
> NAT on my firewall. In my simulation setup I am able to connect to the
> other end (INTERNAL) machine from the EXTERNAL machine using the NAT IP
> assigned, as well as through the actual IP of the machine (INTERNAL).
> This spoils my purpose for NATting. I don't know why this happens. I
> suspect that there could be some problem with my NAT module. Please
> suggest...
I think that this is not a NATing but a routing problem.
I do not know your current script but maybe there is an accept that
allows this state.
I would add the following option to the ACCEPT rule in the FORWARD chain:
-m conntrack --ctstate DNAT
>
> Is there any need to upgrade my kernel to add further support ?
>
I do not think so but it is good to have an up-to-date system.
> Regards,
> Gopinath. U
Swifty
* Re: Default deny rule
2007-05-29 13:04 ` Gáspár Lajos
@ 2007-05-29 14:44 ` Gopinath
2007-05-30 10:25 ` Gáspár Lajos
0 siblings, 1 reply; 10+ messages in thread
From: Gopinath @ 2007-05-29 14:44 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: netfilter
Thank you very much Lajos !!!!!!!!!!!!!!!
It is working fine now after adding the line "-m conntrack --ctstate
DNAT" in the ACCEPT statement of the FORWARD chain as you've said in
previous mail.
Could you please explain how it works after adding the line "-m
conntrack --ctstate DNAT" in the ACCEPT stmt of FORWARD chain ? I'm
very eager to know this :-)
Regards,
Gopinath.U
I have also upgraded my iptables to version 1.3.7
* Re: Default deny rule
2007-05-29 14:44 ` Gopinath
@ 2007-05-30 10:25 ` Gáspár Lajos
2007-05-31 5:11 ` Gopinath
0 siblings, 1 reply; 10+ messages in thread
From: Gáspár Lajos @ 2007-05-30 10:25 UTC (permalink / raw)
To: Gopinath; +Cc: netfilter
Gopinath wrote:
> Thank you very much Lajos !!!!!!!!!!!!!!!
>
> It is working fine now after adding the line "-m conntrack --ctstate
> DNAT" in the ACCEPT statement of the FORWARD chain as you've said in
> previous mail.
>
> Could you please explain how it works after adding the line "-m
> conntrack --ctstate DNAT" in the ACCEPT stmt of FORWARD chain ? I'm
> very eager to know this :-)
>
Okay... :D
I have attached an image that shows the route of the packet.
In the PREROUTING nat table the destination address gets DNATed IF the
client wants to talk to the EXTERNAL address.
But if the INTERNAL address is used at a new connection then this rule
does not get hit !!! (No DNAT!!!)
In the FORWARD filter table you were accepting EVERY connection that has
an INTERNAL destination address.
If you use the conntrack module then ONLY the DNATed packets get
accepted!!!
> Regards,
> Gopinath.U
>
>
> I have also upgraded my iptables to version 1.3.7
Good to hear... :D
Swifty
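As an added example (not code from this thread, from netfilter or from either poster), the Python model below walks constructed packets through a nat PREROUTING DNAT step and then a FORWARD chain that has a policy and ordered rules, to show the two points Lajos makes in the thread: with policy ACCEPT the allow rules decide nothing, because every unmatched packet falls through to the policy; and a FORWARD ACCEPT keyed only on the internal destination also passes a connection addressed directly to the internal IP, whereas `-m conntrack --ctstate DNAT` passes only connections that the PREROUTING DNAT rule actually rewrote. Addresses are the ones posted in the thread; the host 10.9.9.9, the packets and the simulator itself are constructed for the example, and the model covers only the matches the thread uses (interfaces, protocol, addresses, ctstate).

```python
"""Simplified model of netfilter chain traversal (added example, not iptables).

A Chain is a policy plus ordered Rules; the first matching rule decides and an
unmatched packet gets the policy. prerouting_dnat() models the thread's nat
PREROUTING rule and sets the DNAT conntrack state only on rewritten connections.
"""
from dataclasses import dataclass, field
from typing import Optional

# Static NAT mapping from the thread: external (eth0-side) address -> internal server.
DNAT_MAP = {"10.1.60.240": "10.44.2.100", "10.1.60.245": "10.44.2.140"}


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str = "tcp"
    ctstate: set = field(default_factory=lambda: {"NEW"})


@dataclass
class Rule:
    """One rule: every given match must hold; ctstate matches if any listed
    state is set on the connection, which is how --ctstate A,B behaves."""
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    ctstate: Optional[set] = None

    def matches(self, p: Packet) -> bool:
        exact = [(self.in_if, p.in_if), (self.out_if, p.out_if),
                 (self.proto, p.proto), (self.src, p.src), (self.dst, p.dst)]
        if any(want is not None and want != have for want, have in exact):
            return False
        return self.ctstate is None or bool(self.ctstate & p.ctstate)


@dataclass
class Chain:
    policy: str
    rules: list

    def verdict(self, p: Packet) -> str:
        """First matching rule wins; the policy is effectively the last rule."""
        for r in self.rules:
            if r.matches(p):
                return r.target
        return self.policy


def prerouting_dnat(p: Packet) -> Packet:
    """Models '-t nat -A PREROUTING -i eth0 -d <ext> -j DNAT --to-destination <int>'.
    Only a packet addressed to a mapped external address is rewritten and gets the
    DNAT state; a packet already addressed to the internal IP is left untouched."""
    if p.in_if == "eth0" and p.dst in DNAT_MAP:
        p.dst = DNAT_MAP[p.dst]
        p.ctstate = p.ctstate | {"DNAT"}
    return p


def forward_verdict(chain: Chain, p: Packet) -> str:
    """nat PREROUTING runs before the filter FORWARD chain sees the packet."""
    return chain.verdict(prerouting_dnat(p))


def run_scenarios() -> dict:
    """Verdicts for constructed packets (10.9.9.9 is a made-up unlisted host)."""
    allowed_client = Rule("ACCEPT", in_if="eth0", out_if="eth1", proto="tcp",
                          src="10.2.10.240", dst="10.44.2.140", ctstate={"NEW"})
    replies = Rule("ACCEPT", ctstate={"RELATED", "ESTABLISHED"})

    def stranger():  # a host no rule mentions, aiming straight at the internal server
        return Packet("10.9.9.9", "10.44.2.140", "eth0", "eth1")

    def client(dst):  # the permitted client, to either the NAT or the internal address
        return Packet("10.2.10.240", dst, "eth0", "eth1")

    out = {}
    # 1. The original posting: policy ACCEPT, so the unmatched stranger passes anyway.
    out["accept_policy_stranger"] = forward_verdict(Chain("ACCEPT", [allowed_client, replies]), stranger())
    # 2. Default deny: the same rules with policy DROP now carry meaning.
    deny = Chain("DROP", [allowed_client, replies])
    out["drop_policy_stranger"] = forward_verdict(deny, stranger())
    out["drop_policy_allowed"] = forward_verdict(deny, client("10.44.2.140"))
    # 3. Accepting by internal destination alone: a direct connection bypasses the NAT.
    by_dst = Rule("ACCEPT", out_if="eth1", dst="10.44.2.100")
    loose = Chain("DROP", [replies, by_dst])
    out["loose_via_nat"] = forward_verdict(loose, client("10.1.60.240"))
    out["loose_direct"] = forward_verdict(loose, client("10.44.2.100"))
    # 4. Same rule plus --ctstate DNAT: only connections rewritten in PREROUTING pass.
    by_dnat = Rule("ACCEPT", out_if="eth1", dst="10.44.2.100", ctstate={"DNAT"})
    strict = Chain("DROP", [replies, by_dnat])
    out["strict_via_nat"] = forward_verdict(strict, client("10.1.60.240"))
    out["strict_direct"] = forward_verdict(strict, client("10.44.2.100"))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

Running it prints one verdict per scenario: the stranger is accepted under policy ACCEPT and dropped under policy DROP, the loose rule accepts both the NATed and the direct connection, and the DNAT-restricted rule accepts only the NATed one.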
* Re: Default deny rule
2007-05-30 10:25 ` Gáspár Lajos
@ 2007-05-31 5:11 ` Gopinath
0 siblings, 0 replies; 10+ messages in thread
From: Gopinath @ 2007-05-31 5:11 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: netfilter
Hi Lajos,
That's a good explanation. I got the point :-)
Thanks & Regards,
Gopinath.U
end of thread, other threads:[~2007-05-31 5:11 UTC | newest]