problem with iptables - wrong rules?

problem with iptables - wrong rules?

[Luca Ferrari]

Hi,
this is the situation:
192.168.1.7 linux firewall with eth0 on internet and eth1 on intranet
192.168.1.8 router for internal networks (192.168.4.0,192.168.2.0,ecc.)
The firewall is the main gateway of the whole network, so packets are sent to 
it and redirected to the internet or the other router (192.168.1.8).
I'd like to block connections to everything that is going to the router 
192.168.1.8 excepts for certain machines, thus I've defined the following 
rules:

$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.30 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.37 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.64 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.3  -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 0/0 -j DROP


but it is not working, and I can connect from other machine trhu 192.168.1.8. 
In the OUTPUT chain packets should be already be natted, thus my doubt is 
that the destination address is the final one (e.g., 192.168.4.100) and not 
the router one. Is there a way to lock the traffic to the router using 
iptables?

Thanks,
Luca
-- 
Luca Ferrari,
fluca1978@virgilio.it

Re: problem with iptables - wrong rules?

[Miguel González Castaños]

Hi,

 I am not sure what is your network architecture but i assume this:

 You have a LAN connected (lets call it LAN1) to the Internet through 
the linux firewall (192.168.1.7). This firewall acts also as a router 
being connected to the 192.168.1.8 router which is connected to 
different LANs.

 With the DROP rule you are blocking packets destined to 192.168.1.8 and 
come from anywhere (in this case Internet and LAN1).

 I assume when you say have NATTED the connection, you have NATTED 
connections from LAN1 to the Internet and maybe connections from the 
other LANs, am I wrong ? (maybe you should give us a picture or more 
details of what you have in your NAT rules). If so, then LAN1 and the 
other LANs are routed and not natted among them.

 Then, you should block destination to network 192.168.2.0, 192.168.4.0, 
etc...

 HTH

 BR,

 Miguel

>Hi,
>this is the situation:
>192.168.1.7 linux firewall with eth0 on internet and eth1 on intranet
>192.168.1.8 router for internal networks (192.168.4.0,192.168.2.0,ecc.)
>The firewall is the main gateway of the whole network, so packets are sent to 
>it and redirected to the internet or the other router (192.168.1.8).
>I'd like to block connections to everything that is going to the router 
>192.168.1.8 excepts for certain machines, thus I've defined the following 
>rules:
>
>$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.30 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.37 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.64 -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.3  -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 0/0 -j DROP
>
>
>but it is not working, and I can connect from other machine trhu 192.168.1.8. 
>In the OUTPUT chain packets should be already be natted, thus my doubt is 
>that the destination address is the final one (e.g., 192.168.4.100) and not 
>the router one. Is there a way to lock the traffic to the router using 
>iptables?
>
>Thanks,
>Luca
>  
>

Re: problem with iptables - wrong rules?

[Luca Ferrari]

On Wednesday 14 July 2004 09:36 Miguel González Castaños's cat walking on the 
keyboard  wrote:

> Hi,
>
>  I am not sure what is your network architecture but i assume this:
>
>  You have a LAN connected (lets call it LAN1) to the Internet through
> the linux firewall (192.168.1.7). This firewall acts also as a router
> being connected to the 192.168.1.8 router which is connected to
> different LANs.
>
>  With the DROP rule you are blocking packets destined to 192.168.1.8 and
> come from anywhere (in this case Internet and LAN1).
>
>  I assume when you say have NATTED the connection, you have NATTED
> connections from LAN1 to the Internet and maybe connections from the
> other LANs, am I wrong ? (maybe you should give us a picture or more
> details of what you have in your NAT rules). If so, then LAN1 and the
> other LANs are routed and not natted among them.
>
>  Then, you should block destination to network 192.168.2.0, 192.168.4.0,
> etc...
>.html

I believe you're right, since I've natted only packets from/to the internet 
and not another lan. Anyway, is there a way using iptables to intercepts 
packets that are going to the 192.168.1.8 router? I'd like to log those 
packets, but I believe that iptables acts before the kernel routing table, 
thus it is not easy to intercept those packets.
Any idea?

Thanks,
Luca

-- 
Luca Ferrari,
fluca1978@virgilio.it
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: problem with iptables - wrong rules?

[Miguel González Castaños]

Luca Ferrari escribió:

>On Wednesday 14 July 2004 09:36 Miguel González Castaños's cat walking on the 
>keyboard  wrote:
>
>  
>
>>Hi,
>>
>> I am not sure what is your network architecture but i assume this:
>>
>> You have a LAN connected (lets call it LAN1) to the Internet through
>>the linux firewall (192.168.1.7). This firewall acts also as a router
>>being connected to the 192.168.1.8 router which is connected to
>>different LANs.
>>
>> With the DROP rule you are blocking packets destined to 192.168.1.8 and
>>come from anywhere (in this case Internet and LAN1).
>>
>> I assume when you say have NATTED the connection, you have NATTED
>>connections from LAN1 to the Internet and maybe connections from the
>>other LANs, am I wrong ? (maybe you should give us a picture or more
>>details of what you have in your NAT rules). If so, then LAN1 and the
>>other LANs are routed and not natted among them.
>>
>> Then, you should block destination to network 192.168.2.0, 192.168.4.0,
>>etc...
>>.html
>>    
>>
>
>I believe you're right, since I've natted only packets from/to the internet 
>and not another lan. Anyway, is there a way using iptables to intercepts 
>packets that are going to the 192.168.1.8 router? I'd like to log those 
>packets, but I believe that iptables acts before the kernel routing table, 
>thus it is not easy to intercept those packets.
>Any idea?
>
>Thanks,
>Luca
>
>  
>
you can try using a sniffer in your firewall such as ethereal or 
somethink like that and you could see the packets. Anyway, I suppose 
packets coming from LAN1 to the other LANs will have in the destination 
IP an IP like 192.168.2.x 192.168.4.x , so you have to block packets 
that match this criteria. Something like this (i am writting these rules 
roughly to give you the idea) :

 

$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.2.0 -s 192.168.1.0 -j DROP
$IPTABLES -A OUTPUT -o $INTIF  -d 192.168.4.0 -s 192.168.1.0 -j DROP

I do not know (since i dont know how you are natting) if these rules could block the packets coming from internet to 192.168.2.x, etc...Anyway your setup is a bit weird...Wouldnt be more easy to block these packets in the router for the LANs instead of doing that in the firewall? Why dont you set a different range of IPs for LAN1? I bet it would be much easier...

HTH

Miguel



 
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: problem with iptables - wrong rules?

[Miguel González Castaños]

By the way Lucca your mailbox is sending me reply emails saying that you 
have exceed your quota...

Re: problem with iptables - wrong rules?

[urgrue]

Your first problem is that you want -A FORWARD instead of -A OUTPUT.
"OUTPUT" refers to connections originating from your linux box. FORWARD
refers to traffic going through the router, which is what you want.

Second, -d 192.168.1.8 does not mean what you think it means. -d 192.168.1.8
would match packets destined to your 192.168.1.8. This does not mean traffic
ROUTED to 192.168.1.8, destined for places behind 192.168.1.8, it means
traffic whose final destination is 192.168.1.8. Probably not what you want.

So, if I understood you correctly, you have a network like this:
Your LAN, connected to your linux router on eth1. On eth0, you have the
internet, and on the same network, another router 192.168.1.8, behind which lie your other
networks.

You want to allow access to the internet but not to the networks behind
192.168.1.8, except for some special computers. 

If this is correct, based on that information I would do it like this:
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o eth0 -d ! 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i etho -i eth1 -s ! 192.168.0.0/16 -m state --state
RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.3 -j ACCEPT
iptables -A FORWARD -d 192.168.1.3 -s 192.168.0.0/16 -j ACCEPT

repeat the last two lines for all your hosts that you want to allow to your
networks.
Here, I'm assuming all your networks are in the 192.168.x.x block. 

What these rules do in plain english is:
1.default policy is to drop everything trying to go through our linux box
2.allow anything from eth1 going out of eth0 so long as its not headed to
192.168.x.x 
3.allow anything from eth0 to eth1 so long as its not from 192.168.x.x, and
the connection has been initiated from within the network (if your network
is already not accessible directly from the internet, the latter part, ie
the whole -m state part, is probably unnecessary)
4. allow 192.168.1.3 to go anywhere (if this is what you want. you can also
specify -d 192.168.0.0/16 for example, depending on your specific
situation)
5. allow anything from 192.168.0.0/16 to 192.168.1.3

This is just one way to do it, and depending on the specific circumstances
you might want to change things. But hopefully these examples will get you
on the right track.

urgrue


> Hi,
> this is the situation:
> 192.168.1.7 linux firewall with eth0 on internet and eth1 on intranet
> 192.168.1.8 router for internal networks (192.168.4.0,192.168.2.0,ecc.)
> The firewall is the main gateway of the whole network, so packets are sent to 
> it and redirected to the internet or the other router (192.168.1.8).
> I'd like to block connections to everything that is going to the router 
> 192.168.1.8 excepts for certain machines, thus I've defined the following 
> rules:
> 
> $IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.30 -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.37 -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.64 -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 192.168.1.3  -j ACCEPT
> $IPTABLES -A OUTPUT -o $INTIF  -d 192.168.1.8 -s 0/0 -j DROP
> 
> 
> but it is not working, and I can connect from other machine trhu 192.168.1.8. 
> In the OUTPUT chain packets should be already be natted, thus my doubt is 
> that the destination address is the final one (e.g., 192.168.4.100) and not 
> the router one. Is there a way to lock the traffic to the router using 
> iptables?
> 
> Thanks,
> Luca
> -- 
> Luca Ferrari,
> fluca1978@virgilio.it
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>