From: Joel Newkirk <netfilter@newkirk.us>
To: Subba Rao <subba3@cablespeed.com>, netfilter@lists.netfilter.org
Subject: Re: Help with Masquerading
Date: Sun, 5 Jan 2003 14:00:34 -0500
Message-ID: <200301051400.34941.netfilter@newkirk.us>
In-Reply-To: <3E184D14.10102@cablespeed.com>
On Sunday 05 January 2003 10:19 am, Subba Rao wrote:
> Hi
>
> My system is running kernel 2.4.20 with iptables compiled into the
> kernel. The system has 2 interfaces. ETH0 is connected to the Internet
> (via cablemodem) and ETH1 is connected to my home LAN which has only
> one W2K laptop.
>
> My W2K is configured with the Linux system as the gateway. Both
> systems can ping each other.
> However my laptop is not able to go out to the Internet.
>
> I am desperately trying to make my W2K laptop connect to the Internet.
>
> Please let me know how to make this work.
>
> Thank you in advance.
>
> Subba Rao
> subba3@cablespeed.com
>
> #!/bin/sh
>
> echo "Starting Firewall....."
>
> INTERNAL_NET="10.0.0.0/24"
>
> INTERNET=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d \ -f 1`
This is extracting the IP address of your external connection from the
output of 'ifconfig eth0' - Are you on a dynamic IP with a long
lease-time? If so you may get away with using this with SNAT. If
you're on a static IP this is unnecessary, just use the actual IP in the
script. If your IP changes fairly frequently, don't bother with this
and just use MASQUERADE target.
> # Flush the tables
> /usr/sbin/iptables -F INPUT
> /usr/sbin/iptables -F OUTPUT
> /usr/sbin/iptables -F FORWARD
> /usr/sbin/iptables -t nat -F
>
> # Set default policies for packet entering this box
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
Set FORWARD policy to DROP as well. The only things you want this box to
forward are those you explicitly allow. Try using these rules for a
start:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT
these should allow the laptop to browse the web. For other services,
like email, add appropriate rules for the needed ports. The first rule
here accepts any packet that is part of an ESTABLISHED connection, or
RELATED to one, regardless of its source. The remainder allow
explicitly defined connections from the LAN to be forwarded to the
internet. With these three rules the laptop can connect out, but the
internet cannot connect in, only respond to a connection initiated by
the laptop.
> # Allow some packets in but accept all those on the internal interface
> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth1 -j ACCEPT
The second one means anyone on the internet can connect to your firewall
box on any port, bypassing the DROP policy you set. Bad idea. The
third means any connection from local network to the firewall machine
directly is accepted, which is OK since only your laptop is on the local
network, but is a bad idea for a large network.
> # Masquerade internal system with the public IP address
>
> iptables -t nat -A POSTROUTING -d $INTERNAL_NET -o $INTERNET -j ACCEPT
> iptables -t nat -A POSTROUTING -o $INTERNET -s $INTERNAL_NET -j MASQUERADE
First rule here is bad.
A - Destination IP of local network should never be going out internet
connection, so it should never match anything.
B - If your intention is to ACCEPT anything from internet going TO local
network, you shouldn't because:
C - PREROUTING and POSTROUTING chains of NAT table are for NAT only, not
filtering, so you should just rely on accept policy. Only time you
should ACCEPT in a NAT chain rule is if you want to bypass a later rule,
i.e. you can ACCEPT specific traffic, then NAT whatever remains.
D - INTERNET is set to be the IP address of eth1, your external
connection. "-o" and "-i" matches are for interfaces, not IPs, so you
should use something like "-o eth1" or "-i eth0" here.
Second rule here is bad as well, for reason D above. Also, you are using
MASQUERADE target, which is fine if you have a dynamic IP, but you are
going to the trouble of determining your public IP at the start, which
leads me to think you intend to use it directly in a SNAT. If you are
on dynamic IP stick with MASQUERADE, if static IP use "-j SNAT --to
$INTERNET", based on your assignment above, or better yet just assign
the IP in the script instead of extracting it from the output of
'ifconfig eth1' at the top.
> # Block inbound connections
>
> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
The first one here turns on forwarding, but if you're using MASQUERADE
target you need to enable dynamic IP tracking as well, with:
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
j
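A rewrite of the posted script along the lines the reply suggests (an added example, written by neither poster): FORWARD policy set to DROP, state-matched forwarding, MASQUERADE for a dynamic IP or SNAT for a static one, and ip_dynaddr only in the MASQUERADE case. It assumes the original post's layout (eth0 to the Internet, eth1 to the LAN, 10.0.0.0/24) and adds a state-matched INPUT rule on eth0 so the firewall's own replies are not caught by the INPUT DROP policy; the 203.0.113.7 address is a placeholder.

```shell
#!/bin/sh
# Hardened rewrite of the posted firewall script (constructed example).
# Assumed layout, as in the original post: eth0 = Internet, eth1 = LAN.
# Set APPLY=1 to run the rules; otherwise they are only printed for review.
EXT_IF="eth0"
INT_IF="eth1"
INTERNAL_NET="10.0.0.0/24"

# Print the iptables commands for one mode:
#   fw_rules masq            dynamic public IP, MASQUERADE target
#   fw_rules snat <public-ip> static public IP, SNAT to a fixed address
fw_rules() {
    mode="$1"; pubip="$2"
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -j ACCEPT
iptables -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -s $INTERNAL_NET -o $EXT_IF -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $INT_IF -s $INTERNAL_NET -o $EXT_IF -p udp --dport 53 -j ACCEPT
EOF
    # NAT goes in POSTROUTING only; no ACCEPT rules in the nat table.
    case "$mode" in
        masq) echo "iptables -t nat -A POSTROUTING -s $INTERNAL_NET -o $EXT_IF -j MASQUERADE" ;;
        snat) echo "iptables -t nat -A POSTROUTING -s $INTERNAL_NET -o $EXT_IF -j SNAT --to-source $pubip" ;;
        *) echo "usage: fw_rules masq | fw_rules snat <public-ip>" >&2; return 1 ;;
    esac
}

# Sysctls: forwarding is needed in both modes; ip_dynaddr only with MASQUERADE.
fw_sysctls() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies"
    [ "$1" = "masq" ] && echo "echo 1 > /proc/sys/net/ipv4/ip_dynaddr"
    return 0
}

if [ "${APPLY:-0}" = "1" ]; then
    { fw_rules "${1:-masq}" "$2" && fw_sysctls "${1:-masq}"; } | sh -e
fi
```

Run it as `sh firewall.sh masq` to review the rule set, or `APPLY=1 sh firewall.sh snat 203.0.113.7` on a static IP to apply it.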