From: Daniel Huhardeaux <daniel.huhardeaux@tootai.com>
To: netfilter@vger.kernel.org
Subject: Understanding the routing rules
Date: Thu, 25 Dec 2008 22:21:20 +0100
Message-ID: <4953F950.9040009@tootai.com>

Good day all,

I set up a firewall with 3 network cards:

eth0 -> intranet 10.0.0.0/16
eth1 -> isp1
eth2 -> isp2

Outgoing traffic goes to isp1 except for net 10.0.0.0/24, incoming comes 
from isp2. What is named as EXTERNAL_MAIN_xxx is a copy of EXTERNAL2_xxx

Now let's say I redirect port 80 to a server in intranet 10.0.0.40 port 
80, and I redirect port 2222 to the localhost 127.0.0.1. Finally I also 
install an OpenVPN in tun mode proto tcp.

Base policy is:
# Deny all by default
$IPTABLES -P INPUT      DROP
$IPTABLES -P OUTPUT     DROP
$IPTABLES -P FORWARD    DROP


I create my rules ALLOW_PORTS. In the variable TCP_PORTS_ALLOWED I put 
_ALL_ authorized ports, doesn't matter if they are to preroute or not.

###############################################################################
## Special Chain ALLOW_PORTS
## Rules to allow packets based on port number. This sort of thing is generally
## required only if you're running services on(!!!) the firewall or if you have a
## FORWARD policy of DROP (which we don't right now).

$IPTABLES -N ALLOW_PORTS
$IPTABLES -F ALLOW_PORTS

##------------------------------------------------------------------------##
## ACCEPT TCP traffic based on port number.

for PORT in $TCP_PORTS_ALLOWED; do
 $IPTABLES -A ALLOW_PORTS -m state --state NEW -p tcp \
 --dport $PORT -j ACCEPT
done

##------------------------------------------------------------------------##
## ACCEPT UDP traffic based on port number.
for PORT in $UDP_PORTS_ALLOWED; do
 $IPTABLES -A ALLOW_PORTS -m state --state NEW -p udp \
 --dport $PORT -j ACCEPT
done

##------------------------------------------------------------------------##
## REJECT port 113 ident requests.
$IPTABLES -A ALLOW_PORTS -p tcp --dport 113 -j REJECT \
--reject-with tcp-reset

##------------------------------------------------------------------------##

From here I accept:

    # Accept what is from localhost
    $IPTABLES -A INPUT   -p ALL -i $LOCAL_DEVICE -j ACCEPT
    $IPTABLES -A OUTPUT  -p ALL -o $LOCAL_DEVICE -j ACCEPT
    $IPTABLES -A FORWARD -p ALL -i $LOCAL_DEVICE -j ACCEPT

    # Accept what is from intranet
    $IPTABLES -A INPUT   -p ALL -i $INTERNAL_DEVICE -j ACCEPT
    $IPTABLES -A OUTPUT  -p ALL -o $INTERNAL_DEVICE -j ACCEPT
    $IPTABLES -A FORWARD -p ALL -i $INTERNAL_DEVICE -j ACCEPT

    # Accept what is for VPN
    $IPTABLES -A INPUT   -p ALL -i $VPN_DEVICE -j ACCEPT
    $IPTABLES -A OUTPUT  -p ALL -o $VPN_DEVICE -j ACCEPT
    $IPTABLES -A FORWARD -p ALL -i $VPN_DEVICE -j ACCEPT

And now my 2 Internet connections, where $KEEPSTATE="ESTABLISHED,RELATED"

    # Accept return traffic (flow back) on the external devices, all protocols:
    # stateful inspection. For these rules to parse, $KEEPSTATE must expand to
    # the full match expression "-m state --state ESTABLISHED,RELATED".
    $IPTABLES -A OUTPUT  -o $EXTERNAL1_DEVICE -p ALL $KEEPSTATE -j ACCEPT
    $IPTABLES -A INPUT   -i $EXTERNAL1_DEVICE -p ALL $KEEPSTATE -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTERNAL1_DEVICE -p ALL $KEEPSTATE -j ACCEPT

    $IPTABLES -A OUTPUT  -o $EXTERNAL2_DEVICE -p ALL $KEEPSTATE -j ACCEPT
    $IPTABLES -A INPUT   -i $EXTERNAL2_DEVICE -p ALL $KEEPSTATE -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTERNAL2_DEVICE -p ALL $KEEPSTATE -j ACCEPT

PREROUTING to the host

    # SSH #
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL_MAIN_DEVICE -p tcp \
      -d $EXTERNAL_MAIN_IP --dport 2222 -j DNAT --to 127.0.0.1:22
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT

PREROUTING to the webserver

    # HTTP #
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL_MAIN_DEVICE -p tcp \
      -d $EXTERNAL_MAIN_IP --dport 80 -j DNAT --to 10.0.0.40
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT

INPUT allowed
    # Accept packets based on port number
    $IPTABLES -A INPUT -i $EXTERNAL_MAIN_DEVICE -s $ANY -j ALLOW_PORTS

For me this setup should open the ports in PREROUTING, INPUT and FORWARD as 
I need and want. But it does *NOT*. To get these rules to work I _must_ add 
the state NEW to $KEEPSTATE.

My question is: FORWARD is accepted after each PREROUTING, INPUT is 
accepted for each allowed port, so why do I also have to accept the NEW state?

Thanks for your lights :-)

Merry Christmas

-- 
Daniel
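As an added illustration (not part of the original post and not iptables itself), here is a small Python model of the decision the posted rule set makes for one TCP packet arriving from the Internet: nat/PREROUTING DNAT is applied first, then the packet is routed to filter/INPUT (local destination) or filter/FORWARD (another host), and the filter rules match on the post-DNAT destination. The device names eth2/eth1/eth0/tun0, the address 203.0.113.10 and the arguments `keepstate` and `tcp_allowed` are constructed stand-ins for $EXTERNAL_MAIN_DEVICE, $EXTERNAL_MAIN_IP, $KEEPSTATE and $TCP_PORTS_ALLOWED; the model covers chain traversal only, not whether the kernel routes a packet DNATed to 127.0.0.1.

```python
# Model of the posted rule set for one TCP packet arriving from the Internet.
# Added illustration only: this is not iptables and not the poster's script.
# Order of operations: nat/PREROUTING (DNAT) -> routing decision ->
# filter/INPUT (local destination) or filter/FORWARD (other host).
# Names below are constructed stand-ins for the script's variables.
EXT_DEV = "eth2"                      # $EXTERNAL_MAIN_DEVICE
EXT_IP = "203.0.113.10"               # $EXTERNAL_MAIN_IP (constructed address)
LOCAL_IPS = {"127.0.0.1", EXT_IP, "10.0.0.1"}
DNAT = {2222: ("127.0.0.1", 22), 80: ("10.0.0.40", 80)}   # -t nat -A PREROUTING
FORWARD_DPORTS = {22, 80}             # "-A FORWARD -p tcp --dport N -j ACCEPT"
TRUSTED_DEVS = {"lo", "eth0", "tun0"}  # localhost, intranet, VPN: accept everything

def allow_ports(state, dport, tcp_allowed):
    """The ALLOW_PORTS chain for a TCP packet; None means fall through."""
    if state == "NEW" and dport in tcp_allowed:   # -m state --state NEW --dport
        return "ACCEPT"
    if dport == 113:                              # ident: REJECT with tcp-reset
        return "REJECT"
    return None

def filter_decision(in_dev, dst_ip, dport, state, keepstate, tcp_allowed):
    """Return (chain, verdict). keepstate models $KEEPSTATE, tcp_allowed
    models $TCP_PORTS_ALLOWED, state is the conntrack state of the packet."""
    if in_dev == EXT_DEV and dst_ip == EXT_IP and dport in DNAT:
        dst_ip, dport = DNAT[dport]   # filter rules see the post-DNAT destination
    chain = "INPUT" if dst_ip in LOCAL_IPS else "FORWARD"
    if in_dev in TRUSTED_DEVS:
        return chain, "ACCEPT"
    if in_dev in ("eth1", EXT_DEV) and state in keepstate:
        return chain, "ACCEPT"        # the "-p ALL $KEEPSTATE -j ACCEPT" rules
    if chain == "INPUT" and in_dev == EXT_DEV:
        verdict = allow_ports(state, dport, tcp_allowed)
        if verdict is not None:
            return chain, verdict
    if chain == "FORWARD" and dport in FORWARD_DPORTS:
        return chain, "ACCEPT"
    return chain, "DROP"              # chain policy

if __name__ == "__main__":
    keep = {"ESTABLISHED", "RELATED"}
    for port in (80, 2222):
        print(port, filter_decision(EXT_DEV, EXT_IP, port, "NEW", keep, {2222, 80}))
```

The model shows two things the rules alone hide: the SSH connection lands in INPUT (127.0.0.1 is local), so the FORWARD rule for port 22 never sees it and ALLOW_PORTS must list the post-DNAT port 22, not 2222; and once NEW is added to $KEEPSTATE, the external INPUT and FORWARD rules accept every inbound connection before ALLOW_PORTS or the --dport rules are ever consulted.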
