error - but I don't know where....

error - but I don't know where....

[warpme]

Hi *

I just try setup firewall. Config is following:

Desktop               Firewll  
(192.168.1.1) ------Eth0   Eth1(91.189.74.10)---------ISP

Script below is working OK for all LAN hosts, but not for for firewall PC itself (i tested it with i.e. ping www.ibm.com)
Commenting line "iptables -P INPUT DROP" allows to ping from firewall, but it effectivelly turning off firewall....
It is probably simple error - but I can't find where it is...
Can somebody verify thid script and tell me what is wrong ?

thx in advance
  

#Config area BEGIN--------------------------------------------------------------

LAN_intf=eth0
LAN_subnetwork=192.168.1.0/255.255.255.0

WAN_intf=eth1
WAN_ip=91.189.74.10

Open_WAN_TCP_ports=20,21,80,500,1352,4500
Open_WAN_UDP_ports=500,1352,4500,5060
Open_WAN_RTP_port_range=7070:7080


#Config area END----------------------------------------------------------------




#--Flushing all iptables tables-------------------------------------------------
iptables -F
iptables -X 
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X




#--Setting up SNAT for outgoing to WAN DATA connections------------------------
iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j SNAT --to-source $WAN_ip
  
  
#--Allowing self access by loopback interface----------------------------------
iptables -A INPUT -i lo -p all -j ACCEPT



#--Allowing local access to LAN------------------------------------------------
iptables -A INPUT -i $LAN_intf -p all -j ACCEPT



#--Allowing WAN incoming traffic form already established connections----------
iptables -A INPUT -i WAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT


#--Allowing WAN incoming traffic for desired services--------------------------
#Open WAN TCP ports
iptables -A INPUT -p tcp -i $WAN_intf -m multiport --dport $Open_WAN_TCP_ports -j ACCEPT

#Open WAN UDP ports
iptables -A INPUT -p udp -i $WAN_intf -m multiport --dport $Open_WAN_UDP_ports -j ACCEPT

#Open VoIP UDP port ranges
iptables -A INPUT -p udp -i $WAN_intf --dport $Open_WAN_RTP_port_range -j ACCEPT


#--Drop all other incoming connection. Only above will be allowed-------------
iptables -P INPUT DROP
    

Re: error - but I don't know where....

[Gáspár Lajos]

warpme írta:
> Hi *
>
> I just try setup firewall. Config is following:
>
> Desktop               Firewll  
> (192.168.1.1) ------Eth0   Eth1(91.189.74.10)---------ISP
>
> Script below is working OK for all LAN hosts, but not for for firewall PC itself (i tested it with i.e. ping www.ibm.com)
> Commenting line "iptables -P INPUT DROP" allows to ping from firewall, but it effectivelly turning off firewall....
> It is probably simple error - but I can't find where it is...
> Can somebody verify thid script and tell me what is wrong ?
>
> thx in advance
>   
>
> #Config area BEGIN--------------------------------------------------------------
>
> LAN_intf=eth0
> LAN_subnetwork=192.168.1.0/255.255.255.0
>
> WAN_intf=eth1
> WAN_ip=91.189.74.10
>
> Open_WAN_TCP_ports=20,21,80,500,1352,4500
> Open_WAN_UDP_ports=500,1352,4500,5060
> Open_WAN_RTP_port_range=7070:7080
>
>
> #Config area END----------------------------------------------------------------
>
>
>
>
> #--Flushing all iptables tables-------------------------------------------------
> iptables -F
> iptables -X 
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
>
>
>
>
> #--Setting up SNAT for outgoing to WAN DATA connections------------------------
> iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j SNAT --to-source $WAN_ip 
I would write like this:

iptables -t nat -A POSTROUTING ! -s $WAN_ip -o $WAN_intf -j SNAT 
--to-source $WAN_ip
>   
> #--Allowing self access by loopback interface----------------------------------
> iptables -A INPUT -i lo -p all -j ACCEPT
>
>   
"-p all" not needed...  And I would rather set up the OUTPUT rule than 
the INPUT rule because the "lo" interface only accepts connections from 
itself... if a new connection is made then first step is to send OUT 
something to the other host... :D
iptables -A OUTPUT -o lo -j ACCEPT
>
> #--Allowing local access to LAN------------------------------------------------
> iptables -A INPUT -i $LAN_intf -p all -j ACCEPT
>
>   
no need for "-p all"
>
> #--Allowing WAN incoming traffic form already established connections----------
> iptables -A INPUT -i WAN_intf -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>
> #--Allowing WAN incoming traffic for desired services--------------------------
> #Open WAN TCP ports
> iptables -A INPUT -p tcp -i $WAN_intf -m multiport --dport $Open_WAN_TCP_ports -j ACCEPT
>
> #Open WAN UDP ports
> iptables -A INPUT -p udp -i $WAN_intf -m multiport --dport $Open_WAN_UDP_ports -j ACCEPT
>
> #Open VoIP UDP port ranges
> iptables -A INPUT -p udp -i $WAN_intf --dport $Open_WAN_RTP_port_range -j ACCEPT
>
>   
For "ping" you need the following line:
iptables -A INPUT -p icmp -j ACCEPT
> #--Drop all other incoming connection. Only above will be allowed-------------
> iptables -P INPUT DROP
>     
>
>
>   

Re: error - but I don't know where....

[Warpme]

[-- Attachment #1: Type: text/plain, Size: 4467 bytes --]

Gaspar,

Thanx for trying help !
It looks like I found problem. Probably somewhere in file was non-ASCII 
chars which are not visible in my editor and causing problem.
I rewrite manually script and now works as expected :-)
I also change little bit approach: default policy for FORWARD chain is 
now DROP.
I'm allowing forwarding only new connections from LAN to WAN and accept 
only already established
connections from WAN to LAN:
iptables -A FORWARD -i $WAN_intf -o $LAN_intf -m state --state 
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_intf -o $WAN_intf -m state --state 
NEW,ESTABLISHED,RELATED -j ACCEPT
 

BTW: I have some comments to Your hints (see inline):

br

Gáspár Lajos wrote:
> warpme írta:
>> Hi *
>>
>> I just try setup firewall. Config is following:
>>
>> Desktop               Firewll  (192.168.1.1) ------Eth0   
>> Eth1(91.189.74.10)---------ISP
>>
>> Script below is working OK for all LAN hosts, but not for for 
>> firewall PC itself (i tested it with i.e. ping www.ibm.com)
>> Commenting line "iptables -P INPUT DROP" allows to ping from 
>> firewall, but it effectivelly turning off firewall....
>> It is probably simple error - but I can't find where it is...
>> Can somebody verify thid script and tell me what is wrong ?
>>
>> thx in advance
>>  
>> #Config area 
>> BEGIN--------------------------------------------------------------
>>
>> LAN_intf=eth0
>> LAN_subnetwork=192.168.1.0/255.255.255.0
>>
>> WAN_intf=eth1
>> WAN_ip=91.189.74.10
>>
>> Open_WAN_TCP_ports=20,21,80,500,1352,4500
>> Open_WAN_UDP_ports=500,1352,4500,5060
>> Open_WAN_RTP_port_range=7070:7080
>>
>>
>> #Config area 
>> END----------------------------------------------------------------
>>
>>
>>
>>
>> #--Flushing all iptables 
>> tables-------------------------------------------------
>> iptables -F
>> iptables -X iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>>
>>
>>
>>
>> #--Setting up SNAT for outgoing to WAN DATA 
>> connections------------------------
>> iptables -t nat -A POSTROUTING -s $LAN_subnetwork -o $WAN_intf -j 
>> SNAT --to-source $WAN_ip 
> I would write like this:
>
> iptables -t nat -A POSTROUTING ! -s $WAN_ip -o $WAN_intf -j SNAT 
> --to-source $WAN_ip
I'm understand advantage of such approach is that any non WAN_ip host 
will be NAT'ed. But for non-LAN addressed hosts it will require 
additional entries in routing table for packets received from WAN and 
destinated to LAN host. Effectively  it will require  touch to firewall 
- and by this I'm considering this as no beneficial.
>>   #--Allowing self access by loopback 
>> interface----------------------------------
>> iptables -A INPUT -i lo -p all -j ACCEPT
>>
>>   
> "-p all" not needed...  And I would rather set up the OUTPUT rule than 
> the INPUT rule because the "lo" interface only accepts connections 
> from itself... if a new connection is made then first step is to send 
> OUT something to the other host... :D
> iptables -A OUTPUT -o lo -j ACCEPT
Well, default iptables policy for all chains is ACCEPT, so this rule is 
redundant.
>
>>
>> #--Allowing local access to 
>> LAN------------------------------------------------
>> iptables -A INPUT -i $LAN_intf -p all -j ACCEPT
>>
>>   
> no need for "-p all"
Right !
>
>>
>> #--Allowing WAN incoming traffic form already established 
>> connections----------
>> iptables -A INPUT -i WAN_intf -m state --state ESTABLISHED,RELATED -j 
>> ACCEPT
>>
>>
>> #--Allowing WAN incoming traffic for desired 
>> services--------------------------
>> #Open WAN TCP ports
>> iptables -A INPUT -p tcp -i $WAN_intf -m multiport --dport 
>> $Open_WAN_TCP_ports -j ACCEPT
>>
>> #Open WAN UDP ports
>> iptables -A INPUT -p udp -i $WAN_intf -m multiport --dport 
>> $Open_WAN_UDP_ports -j ACCEPT
>>
>> #Open VoIP UDP port ranges
>> iptables -A INPUT -p udp -i $WAN_intf --dport 
>> $Open_WAN_RTP_port_range -j ACCEPT
>>
>>   
> For "ping" you need the following line:
> iptables -A INPUT -p icmp -j ACCEPT
Well - it is not needed when only outgoing pings are allowed (my case).
I think incoming pings should be rather disabled - it will  help to 
protect host from potential DoS via ping flood.
>> #--Drop all other incoming connection. Only above will be 
>> allowed-------------
>> iptables -P INPUT DROP
>>    
>>
>>   
>
>
>