* Understanding the routing rules
@ 2008-12-25 21:21 Daniel Huhardeaux
From: Daniel Huhardeaux @ 2008-12-25 21:21 UTC (permalink / raw)
To: netfilter
Good day all,
I set up a firewall with 3 network cards:
eth0 -> intranet 10.0.0.0/16
eth1 -> isp1
eth2 -> isp2
Outgoing traffic goes to isp1 except for net 10.0.0.0/24; incoming comes
from isp2. What is named EXTERNAL_MAIN_xxx is a copy of EXTERNAL2_xxx.
Now let's say I redirect port 80 to a server in the intranet, 10.0.0.40 port
80, I redirect port 2222 to localhost 127.0.0.1, and finally I also
install an OpenVPN in tun mode, proto tcp.
Base policy is:
# Deny all by default
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
I create my rules in ALLOW_PORTS. In the variable TCP_PORTS_ALLOWED I put
_ALL_ authorized ports; it doesn't matter whether they are prerouted or not.
###############################################################################
## Special Chain ALLOW_PORTS
## Rules to allow packets based on port number. This sort of thing is
## generally required only if you're running services on(!!!) the firewall
## or if you have a FORWARD policy of DROP (which we don't right now).
$IPTABLES -N ALLOW_PORTS
$IPTABLES -F ALLOW_PORTS
##------------------------------------------------------------------------##
## ACCEPT TCP traffic based on port number.
for PORT in $TCP_PORTS_ALLOWED; do
$IPTABLES -A ALLOW_PORTS -m state --state NEW -p tcp \
--dport $PORT -j ACCEPT
done
##------------------------------------------------------------------------##
## ACCEPT UDP traffic based on port number.
for PORT in $UDP_PORTS_ALLOWED; do
$IPTABLES -A ALLOW_PORTS -m state --state NEW -p udp \
--dport $PORT -j ACCEPT
done
##------------------------------------------------------------------------##
## REJECT port 113 ident requests.
$IPTABLES -A ALLOW_PORTS -p tcp --dport 113 -j REJECT \
--reject-with tcp-reset
##------------------------------------------------------------------------##
From here I accept
# Accept what is from localhost
$IPTABLES -A INPUT -p ALL -i $LOCAL_DEVICE -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LOCAL_DEVICE -j ACCEPT
$IPTABLES -A FORWARD -p ALL -i $LOCAL_DEVICE -j ACCEPT
# Accept what is from intranet
$IPTABLES -A INPUT -p ALL -i $INTERNAL_DEVICE -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INTERNAL_DEVICE -j ACCEPT
$IPTABLES -A FORWARD -p ALL -i $INTERNAL_DEVICE -j ACCEPT
# Accept what is for VPN
$IPTABLES -A INPUT -p ALL -i $VPN_DEVICE -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $VPN_DEVICE -j ACCEPT
$IPTABLES -A FORWARD -p ALL -i $VPN_DEVICE -j ACCEPT
And now my 2 Internet connections, where $KEEPSTATE="ESTABLISHED,RELATED"
# Accept packets coming back from eth (return flow), all protocols.
# Activate established mode on all protocols (stateful inspection).
$IPTABLES -A OUTPUT -o $EXTERNAL1_DEVICE -p ALL $KEEPSTATE -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL1_DEVICE -p ALL $KEEPSTATE -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL1_DEVICE -p ALL $KEEPSTATE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL2_DEVICE -p ALL $KEEPSTATE -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL2_DEVICE -p ALL $KEEPSTATE -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL2_DEVICE -p ALL $KEEPSTATE -j ACCEPT
PREROUTING to the host
# SSH #
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_MAIN_DEVICE -p tcp -d \
$EXTERNAL_MAIN_IP --dport 2222 -j DNAT --to 127.0.0.1:22
$IPTABLES -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
PREROUTING to the webserver
# HTTP #
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_MAIN_DEVICE -p tcp -d \
$EXTERNAL_MAIN_IP --dport 80 -j DNAT --to 10.0.0.40
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
INPUT allowed
# Accept Packets based on ports number
$IPTABLES -A INPUT -i $EXTERNAL_MAIN_DEVICE -s $ANY -j ALLOW_PORTS
For me this setup should open the ports in PREROUTING, INPUT and FORWARD as
I need and want. But it is *NOT*. To get these rules to work I _must_ add
the state NEW in $KEEPSTATE.
My question is: FORWARD is accepted after each PREROUTING, INPUT is
accepted for each allowed port, so why do I also have to accept the NEW state?
Thanks for your lights :-)
Merry Christmas
--
Daniel
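An added example, not part of the original message: a small Python model of the filter-table traversal for the ruleset quoted above, so the effect of each rule on NEW versus ESTABLISHED packets can be checked without a root shell. The interface names eth0/eth1/eth2, the allow list [22, 443] and the sample packets are assumptions; note that filter INPUT and FORWARD match on the destination port after nat PREROUTING has already rewritten it.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    target: str              # ACCEPT, DROP, REJECT or a user chain name
    iface: str = None        # -i
    proto: str = None        # -p
    dport: int = None        # --dport, as seen after DNAT in the filter table
    states: frozenset = frozenset()   # -m state --state ...; empty = no match

    def matches(self, pkt):
        iface, proto, dport, state = pkt
        return ((self.iface in (None, iface)) and (self.proto in (None, proto))
                and (self.dport in (None, dport))
                and (not self.states or state in self.states))

def evaluate(chains, policies, chain, pkt):
    """First matching terminal rule wins; a user chain that runs off its end
    returns to the caller; a built-in chain falls back to its policy."""
    for rule in (r for r in chains[chain] if r.matches(pkt)):
        if rule.target in chains:                     # -j user-chain
            v = evaluate(chains, policies, rule.target, pkt)
            if v is not None:
                return v
        else:
            return rule.target
    return policies.get(chain)

KEEPSTATE = frozenset({"ESTABLISHED", "RELATED"})  # no NEW, as in the post
TCP_PORTS_ALLOWED = [22, 443]                      # assumed allow list (post-DNAT ports)
CHAINS = {
    "ALLOW_PORTS": [Rule("ACCEPT", proto="tcp", dport=p, states={"NEW"})
                    for p in TCP_PORTS_ALLOWED]
                   + [Rule("REJECT", proto="tcp", dport=113)],
    "INPUT": [Rule("ACCEPT", iface="eth0"),
              Rule("ACCEPT", iface="eth1", states=KEEPSTATE),
              Rule("ACCEPT", iface="eth2", states=KEEPSTATE),
              Rule("ALLOW_PORTS", iface="eth2")],
    "FORWARD": [Rule("ACCEPT", iface="eth0"),
                Rule("ACCEPT", iface="eth1", states=KEEPSTATE),
                Rule("ACCEPT", iface="eth2", states=KEEPSTATE),
                Rule("ACCEPT", proto="tcp", dport=22),
                Rule("ACCEPT", proto="tcp", dport=80)],
}
POLICIES = {"INPUT": "DROP", "FORWARD": "DROP"}

def verdict(chain, iface, proto, dport, state):
    # pkt tuple: (ingress iface, proto, post-DNAT dport, conntrack state)
    return evaluate(CHAINS, POLICIES, chain, (iface, proto, dport, state))
```

A NEW SYN arriving on eth2 for the DNATed web server is accepted by the unconditional `--dport 80` FORWARD rule, while a NEW packet to a port that is neither forwarded nor listed falls through to the DROP policy; in INPUT, the allow list must name the translated port (22), not the public one (2222).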