From: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
To: "John P. Lang" <john@langherd.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Help with a firewall script
Date: Sat, 24 Dec 2005 14:37:55 -0500 [thread overview]
Message-ID: <1135453076.2584.7.camel@localhost> (raw)
In-Reply-To: <002701c608bc$92a9e740$6f64a8c0@langherd.com>
On Sat, 2005-12-24 at 11:02 -0800, John P. Lang wrote:
> Good Morning,
>
> I am definitely not understanding something after reading a handful of
> tutorials and mail threads. I though I'd ask the experts for a hand.
>
> I have a web server that sits behind the firewall. I need the web server to
> have access to the internet (http traffic).
>
> I have a handful of dnat rules sending http traffic and a couple of others
> to our internal web server.
> The web server cannot access the internet. I believe that web requests are
> being sent back to the web server?
>
> Are there any special rules that I would need to add to allow the web server
> access to DNS and HTTP?
>
> Thanks,
>
> John
>
>
> #=================================
> # Set some variables
> #=================================
> IPT=/sbin/iptables
> LOGOPT="--log-level=3 -m limit --limit 1/second --limit-burst 10"
> EXTIP="xxx.xxx.xxx.xxx"
> WEBIP="192.168.100.254"
> EXTNIC="eth2"
> INTNIC="eth0"
> SHUNIP=""
> echo "Done with variables"
>
> #=================================
> #Load modules
> #=================================
> modprobe iptable_nat
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo "Finished loading modules"
>
> #=================================
> # Check if we can run iptables
> #=================================
> if [ ! -x $IPT ]
> then
> echo "firewall: can't execute \IPTABLES"
> exit 1
> fi
>
>
> #=================================
> # Flush and build chains
> #=================================
>
> $IPT --flush
> $IPT --table nat --flush
> $IPT --delete-chain
> $IPT --table nat --delete-chain
>
> # LOGGING CHAIN
> $IPT -N LDROP
> $IPT -A LDROP -j LOG --log-prefix "IPT Drop: " $LOGOPT
> $IPT -A LDROP -j DROP
>
> $IPT -N LFLOOD
> $IPT -A LFLOOD -j LOG --log-prefix "IPT Flood: " $LOGOPT
> $IPT -A LFLOOD -j DROP
>
> $IPT -N LFLAGS
> $IPT -A LFLAGS -j LOG --log-prefix "IPT Flags: " $LOGOPT
> $IPT -A LFLAGS -j DROP
>
> $IPT -N LSHUN
> $IPT -A LSHUN -j LOG --log-prefix "IPT Shun: " $LOGOPT
> $IPT -A LSHUN -j DROP
>
>
> $IPT -N LPRE
> $IPT -A LPRE -j LOG --log-prefix "IPT PreRoute: " $LOGOPT
> echo "Chains flushed and created"
>
>
>
>
> #=================================
> #Take care of the shun'd IP's
> #=================================
> $IPT -N SHUN
> for ip in $SHUNIP; do
> $IPT -A SHUN -s $ip -j LSHUN
> $IPT -A SHUN -d $ip -j LSHUN
> done
>
> $IPT -A INPUT -j SHUN
> $IPT -A INPUT -j ACCEPT
>
> $IPT -A OUTPUT -j SHUN
> $IPT -A OUTPUT -j ACCEPT
>
> $IPT --table nat --append POSTROUTING --out-interface $EXTNIC -j MASQUERADE
>
> $IPT --append FORWARD --in-interface $INTNIC -j ACCEPT
> echo "Done with SHUN IP's"
>
> #=================================
> # Forwards
> #=================================
>
> #$IPT -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128 #
> Put through squid
> $IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 3389 -j DNAT
> --to-destination $WEBIP # Term Svc
> $IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 80 -j DNAT
> --to-destination $WEBIP # HTTP Traffic
> $IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 20 -j DNAT
> --to-destination $WEBIP # FTP
> $IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 21 -j DNAT
> --to-destination $WEBIP # FTP
> $IPT -t nat -A PREROUTING -i $EXTNIC -p tcp -d $EXTIP --dport 1755 -j DNAT
> --to-destination $WEBIP # Windows Media
> $IPT -t nat -A PREROUTING -i $EXTNIC -p udp -d $EXTIP --dport 1755 -j DNAT
> --to-destination $WEBIP # Windows Media
>
> echo "Done with Forwards"
> echo "Firewall Complete"
> iptables-errors
>
>
>
After a very quick look, it appears that you are allowing outbound
traffic from the internal NIC but where are you allowing the reply
packets? Do you have a RELATED,ESTABLISHED rule anywhere? - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
next prev parent reply other threads:[~2005-12-24 19:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-12-24 19:02 Help with a firewall script John P. Lang
2005-12-24 19:37 ` John A. Sullivan III [this message]
2005-12-24 22:29 ` John P. Lang
2005-12-25 0:11 ` John A. Sullivan III
2005-12-25 6:04 ` John P. Lang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1135453076.2584.7.camel@localhost \
--to=jsullivan@opensourcedevel.com \
--cc=john@langherd.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox