simple, but not for me.

simple, but not for me.

[outspoken]

[-- Attachment #1: Type: text/plain, Size: 1554 bytes --]

ok, ill lay out a simple plan of what i need done. of course ive tried a lot of the options listed in this listeserv, and cant seem to get them working properly. also read some howtos and other various things but just came seem to get things working. there was one post that i thought was going to be helpful recently, but all they talked about was how its a security risk and they should really look into a dmz. well i cant right now since i don't have another ethernet card so please someone post simple iptables examples for me to use. =)


i have a machine = 192.168.0.8 which is behind the firewall = 192.168.0.1
what i need to do is have 192.168.0.8 be visible to the public for web serving, ssh, mysql.
that is all.

my nat setup currently works fine with 3 machines behind the firewall.

modules loaded:

insmod ip_tables
insmod ip_conntrack
insmod ipt_state
insmod ipt_limit
insmod iptable_filter.o
insmod iptable_mangle.o
insmod ipt_LOG.o
insmod ipt_MASQUERADE.o
insmod ipt_REDIRECT.o
insmod ipt_REJECT.o
insmod iptable_nat.o

there are only 2 NAT lines in use:

iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


please advice as to what is needed, this does not need to be a super solution, this is a temporary thing for someone i trust to login and test out some code he is doing for me on a web project. the reason these functions cant be done on the firewall machine is because the php/mysql/apache setup on there is god awful and i have not been able to fix that.

thanks a lot!



[-- Attachment #2: Type: text/html, Size: 3178 bytes --]

Re: simple, but not for me.

[Jack Bowling]

** Reply to message from outspoken <outspoken@gru.net> on Sun, 30 Jun 2002 00:04:09 -0400


> ok, ill lay out a simple plan of what i need done. of course ive tried a lot of the options listed in this listeserv, and cant seem to get them working properly. also read some howtos and other various things but just came seem to get things working. there was one post that i thought was going to be helpful recently, but all they talked about was how its a security risk and they should really look into a dmz. well i cant right now since i don't have another ethernet card so please someone post simple iptables examples for me to use. =)
> 
> 
> i have a machine = 192.168.0.8 which is behind the firewall = 192.168.0.1
> what i need to do is have 192.168.0.8 be visible to the public for web serving, ssh, mysql.
> that is all.
> 
> my nat setup currently works fine with 3 machines behind the firewall.
> 
> modules loaded:
<snip>

Just an aside - we are not likely to be much help unless you post your whole ruleset. We do not know your default chain policies for one which will determine a lot.

jb

Re: simple, but not for me.

[outspoken]

understood. i apologize for the sloppy script, i have been too busy to clean
it up and this was thrown together in the last couple days.
disregard the ACCEPT INPUT rule as its only a temporary solution and i know
its a bad security plan, but i have too much going on right now, over the
next few weeks i will resolve it. =)


#!/bin/bash
echo "[-----firewall module init-----]"
cd /lib/modules/2.4.10-4GB/kernel/net/ipv4/netfilter
insmod ip_tables
insmod ip_conntrack
insmod ipt_state
insmod ipt_limit
insmod iptable_filter.o
insmod iptable_mangle.o
insmod ipt_LOG.o
insmod ipt_MASQUERADE.o
insmod ipt_REDIRECT.o
insmod ipt_REJECT.o
insmod iptable_nat.o

echo "[-----clearing firewall rulesets-----]"
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

echo "[-----network address translation---]"

extif=eth0
intif=eth1

extip=xxx.xxx.xxx.xxx
intip=192.168.0.1
webip=192.168.0.8

iptables -t nat -F
#iptables -t nat -A prerouting -o $extif -j DNAT --to-destination $extip
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "[-----enabling spoof protection-----]"
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
#then
#for f in /proc/sys/net/ipv4/conf/*/rp_filter
#do
#echo 1 > $f
#done
#fi

for blah in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $blah
done

echo "[-----setting external rulesets-----]"
iptables -A INPUT -i eth0 -f -j DROP
iptables -A INPUT -i eth0 -p TCP --syn -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m
limit --limit 1/s -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --dport 32768:61000 -m state --state
ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --dport 137 -j DROP
iptables -A INPUT -i eth0 -p UDP --dport 137 -j DROP
iptables -A INPUT -i eth0 -p TCP --dport 138 -j DROP
iptables -A INPUT -i eth0 -p UDP --dport 138 -j DROP
iptables -A INPUT -i eth0 -p TCP --dport 139 -j DROP
iptables -A INPUT -i eth0 -p UDP --dport 139 -j DROP

iptables -A INPUT -i eth0 -p TCP --dport 32768:61000 -m state --state
ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 22 -m
state --state NEW,ESTABLISHED -j ACCEPT

echo "[-----setting internal rulesets-----]"
iptables -A FORWARD -i eth1 -d 10.0.0.0/8 -j DROP
iptables -A FORWARD -i eth1 -d 127.0.0.0/8 -j DROP
iptables -A FORWARD -i eth1 -p igmp -j DROP
iptables -A FORWARD -i eth1 -p TCP --syn -m limit --limit 10/s -j ACCEPT
iptables -A FORWARD -i eth1 -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m
limit --limit 10/s -j ACCEPT
iptables -A INPUT -i eth1 -p TCP -s 0/0 -d 0/0 --dport 113 -m state --state
ESTABLISHED,NEW -j ACCEPT
iptables -A INPUT -i eth1 -p TCP -s 0/0 -d 0/0 --dport 22 -m state --state
NEW,ESTABLISHED -j ACCEPT

echo "[-----setting internal rulesets-----]"
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i eth1 -p ICMP -s 192.168.0.0/24 -j ACCEPT

echo "[-----setting forward rulesets-----]"
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 192.168.0.0/24 -p TCP -j
ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 192.168.0.0/24 -p UDP -j
ACCEPT


> --__--__--
>
> Message: 3
> Date: Sat, 29 Jun 2002 22:25:42 -0700
> From: Jack Bowling <jbinpg@shaw.ca>
> Subject: Re: simple, but not for me.
> To: netfilter@lists.samba.org
> Reply-To: Jack Bowling <jbinpg@shaw.ca>
>
> ** Reply to message from outspoken <outspoken@gru.net> on Sun, 30 Jun 2002
00:04:09 -0400
>
>
> > ok, ill lay out a simple plan of what i need done. of course ive tried a
lot of the options listed in this listeserv, and cant seem to get them
working properly. also read some howtos and other various things but just
came seem to get things working. there was one post that i thought was going
to be helpful recently, but all they talked about was how its a security
risk and they should really look into a dmz. well i cant right now since i
don't have another ethernet card so please someone post simple iptables
examples for me to use. =)
> >
> >
> > i have a machine = 192.168.0.8 which is behind the firewall =
192.168.0.1
> > what i need to do is have 192.168.0.8 be visible to the public for web
serving, ssh, mysql.
> > that is all.
> >
> > my nat setup currently works fine with 3 machines behind the firewall.
> >
> > modules loaded:
> <snip>
>
> Just an aside - we are not likely to be much help unless you post your
whole ruleset. We do not know your default chain policies for one which will
determine a lot.
>
> jb
>
>

Re: simple, but not for me.

[Jack Bowling]

** Reply to message from outspoken <outspoken@gru.net> on Sun, 30 Jun 2002 01:54:24 -0400


> understood. i apologize for the sloppy script, i have been too busy to clean
> it up and this was thrown together in the last couple days.
> disregard the ACCEPT INPUT rule as its only a temporary solution and i know
> its a bad security plan, but i have too much going on right now, over the
> next few weeks i will resolve it. =)
> 
> 
> #!/bin/bash
> echo "[-----firewall module init-----]"
> cd /lib/modules/2.4.10-4GB/kernel/net/ipv4/netfilter
> insmod ip_tables
> insmod ip_conntrack
> insmod ipt_state
> insmod ipt_limit
> insmod iptable_filter.o
> insmod iptable_mangle.o
> insmod ipt_LOG.o
> insmod ipt_MASQUERADE.o
> insmod ipt_REDIRECT.o
> insmod ipt_REJECT.o
> insmod iptable_nat.o

First off, lose the .o suffix from the above modules otherwise they won't load.
Second,  it's a good habit to use modprobe instead of insmod since modprobe takes care of dependencies.
 
> echo "[-----clearing firewall rulesets-----]"
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT

Hehehehe. I'll take you at your word that you know the above policies are A VERY BAD THING. Default policies on at least INPUT and FORWARD should be DROP, IMHO.

> 
> echo "[-----network address translation---]"
> 
> extif=eth0
> intif=eth1
> 
> extip=xxx.xxx.xxx.xxx
> intip=192.168.0.1
> webip=192.168.0.8
> 
> iptables -t nat -F
> #iptables -t nat -A prerouting -o $extif -j DNAT --to-destination $extip
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> echo "[-----enabling spoof protection-----]"
> #if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
> #then
> #for f in /proc/sys/net/ipv4/conf/*/rp_filter
> #do
> #echo 1 > $f
> #done
> #fi
> 
> for blah in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo "1" > $blah
> done
> 
> echo "[-----setting external rulesets-----]"
> iptables -A INPUT -i eth0 -f -j DROP
> iptables -A INPUT -i eth0 -p TCP --syn -m limit --limit 1/s -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m
> limit --limit 1/s -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP --dport 32768:61000 -m state --state
> ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-reply -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP --dport 137 -j DROP
> iptables -A INPUT -i eth0 -p UDP --dport 137 -j DROP
> iptables -A INPUT -i eth0 -p TCP --dport 138 -j DROP
> iptables -A INPUT -i eth0 -p UDP --dport 138 -j DROP
> iptables -A INPUT -i eth0 -p TCP --dport 139 -j DROP
> iptables -A INPUT -i eth0 -p UDP --dport 139 -j DROP
> 
> iptables -A INPUT -i eth0 -p TCP --dport 32768:61000 -m state --state
> ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 22 -m
> state --state NEW,ESTABLISHED -j ACCEPT
> 
> echo "[-----setting internal rulesets-----]"
> iptables -A FORWARD -i eth1 -d 10.0.0.0/8 -j DROP
> iptables -A FORWARD -i eth1 -d 127.0.0.0/8 -j DROP
> iptables -A FORWARD -i eth1 -p igmp -j DROP
> iptables -A FORWARD -i eth1 -p TCP --syn -m limit --limit 10/s -j ACCEPT
> iptables -A FORWARD -i eth1 -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m
> limit --limit 10/s -j ACCEPT

This is what you need to port forward (assuming standard ports):

#Forward web services to internal host
iptables -t nat -A PREROUTING -p tcp -d $extip --dport 80 -j DNAT--to 192.168.0.8:80

#Forward ssh to internal host
iptables -t nat -A PREROUTING -p tcp -d $extip --dport 22 -j DNAT--to 192.168.0.8:22

#Forward mysql to internal host
iptables -t nat -A PREROUTING -p tcp -d $extip --dport 3306 -j DNAT--to 192.168.0.8:3306

Remember to shut off the above services on your firewall box. And when you change your default FORWARD policy to DROP, you will have to add an explicit -j ACCEPT before each above port forward rule in the FORWARD chain.

> iptables -A INPUT -i eth1 -p TCP -s 0/0 -d 0/0 --dport 113 -m state --state
> ESTABLISHED,NEW -j ACCEPT
> iptables -A INPUT -i eth1 -p TCP -s 0/0 -d 0/0 --dport 22 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> 
> echo "[-----setting internal rulesets-----]"
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A FORWARD -i eth1 -p ICMP -s 192.168.0.0/24 -j ACCEPT
> 
> echo "[-----setting forward rulesets-----]"
> iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 192.168.0.0/24 -p TCP -j
> ACCEPT
> iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 192.168.0.0/24 -p UDP -j
> ACCEPT

jb

Re: simple, but not for me

[Marc Carter]

netfilter-request@lists.samba.org wrote:

[snip]

 > This is what you need to port forward (assuming standard ports):
 >
 > #Forward web services to internal host iptables -t nat -A PREROUTING
 > -p tcp -d $extip --dport 80 -j DNAT--to 192.168.0.8:80
 >
 > #Forward ssh to internal host iptables -t nat -A PREROUTING -p tcp -d
 > $extip --dport 22 -j DNAT--to 192.168.0.8:22
 >
 > #Forward mysql to internal host iptables -t nat -A PREROUTING -p tcp
 > -d $extip --dport 3306 -j DNAT--to 192.168.0.8:3306
 >
 > Remember to shut off the above services on your firewall box.

This last has me curious.  If I shut off ssh (port 22) on the firewall, 
then I can't get into it to work on it (it's headless and far far away 
from a chair -- and just now what seems more important, a fan).

Right now, ssh into the firewall box from the ext_if goes straight to 
one of the internal machines (but only allowed from one other trusted 
machine, 1.2.3.4 in the e.g.), but an ssh request from the internal 
network (into the int_if) stays on the firewall box.

Sort of looks like this:

All chains are flushed and set to default DROP

The nat chain rules are

$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 1.2.3.4 \
   -d my.static.ip.address -p tcp --dport 22 -j DNAT \
   --to 192.168.1.2

$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s 192.168.1.2 \
   -p tcp --sport 22 -j SNAT --to my.static.ip.address

The FORWARD chain rule allows port 22 (originating from trusted machine) 
from the firewall to the internal box and then drops the rest

$IPTABLES -A FORWARD -s 1.2.3.4 -d 192.168.1.2 -p tcp -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -j DROP

And then an INPUT rule to allow getting into the box from the internal 
network

$IPTABLES -A INPUT -s $INT_NET -i INT_IF -j ACCEPT

but disallows spoofing from the outside

$IPTABLES -A INPUT -s INT_NET -i EXT_IF -j DROP

This seems to work.  If anyone sees anything stupid here, let me know. 
I hate being stupid.

Thanks.

m



-- 
Marc Carter
Assistant Professor, Itinerant Scientist,
         Inveterate Skeptic, Former Surfer.
---
"You can't have a market system that really depends
on everybody behaving as saints."
------
Ken Rose, OSU's National Regulatory Research Institute

Re: simple, but not for me

[j davis]

if you are dnating from 192.168.0.1:80 to whatever:80 you do not
need to say port 80 again....whatever port you list as destination,
as long as you need to dnat to the same port, will be the port
traffic is dnated to.

jd
also rules needed....

iptables -A PREROUTING -d 192.168.0.1 -p tcp --dport 80 -j DNAT 
--to-destination 192.168.0.8

iptables -A FORWARD -d 192.168.0.8 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.8 -m state --state RELATED,ESTABLISHED


>From: Marc Carter <marccarter@speakeasy.net>
>To: netfilter@lists.samba.org
>Subject: Re: simple, but not for me
>Date: Sun, 30 Jun 2002 12:48:37 -0400
>MIME-Version: 1.0
>Received: from [198.186.203.85] by hotmail.com (3.2) with ESMTP id 
>MHotMailBEE882880019400431A4C6BACB55895D0; Sun, 30 Jun 2002 09:53:32 -0700
>Received: from va.samba.org (localhost [127.0.0.1])by lists.samba.org 
>(Postfix) with ESMTPid 879E9416F; Sun, 30 Jun 2002 09:53:30 -0700 (PDT)
>Received: from mail.speakeasy.net (mail14.speakeasy.net [216.254.0.214])by 
>lists.samba.org (Postfix) with ESMTP id 956F7411Bfor 
><netfilter@lists.samba.org>; Sun, 30 Jun 2002 09:52:06 -0700 (PDT)
>Received: (qmail 20398 invoked from network); 30 Jun 2002 16:51:59 -0000
>Received: from unknown (HELO speakeasy.net) ([66.93.84.18]) 
>(envelope-sender <marccarter@speakeasy.net>)          by 
>mail14.speakeasy.net (qmail-ldap-1.03) with RC4-MD5 encrypted SMTP          
>for <netfilter@lists.samba.org>; 30 Jun 2002 16:51:59 -0000
From netfilter-admin@lists.samba.org Sun, 30 Jun 2002 09:54:28 -0700
>Delivered-To: netfilter@lists.samba.org
>Message-ID: <3D1F3665.3020204@speakeasy.net>
>User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc3) 
>Gecko/20020523
>References: <20020630132725.896984212@lists.samba.org>
>Sender: netfilter-admin@lists.samba.org
>Errors-To: netfilter-admin@lists.samba.org
>X-BeenThere: netfilter@lists.samba.org
>X-Mailman-Version: 2.0.8
>Precedence: bulk
>List-Help: <mailto:netfilter-request@lists.samba.org?subject=help>
>List-Post: <mailto:netfilter@lists.samba.org>
>List-Subscribe: 
><http://lists.samba.org/listinfo/netfilter>,<mailto:netfilter-request@lists.samba.org?subject=subscribe>
>List-Id: netfilter user discussion list <netfilter.lists.samba.org>
>List-Unsubscribe: 
><http://lists.samba.org/listinfo/netfilter>,<mailto:netfilter-request@lists.samba.org?subject=unsubscribe>
>List-Archive: <http://lists.samba.org/pipermail/netfilter/>
>
>
>
>netfilter-request@lists.samba.org wrote:
>
>[snip]
>
> > This is what you need to port forward (assuming standard ports):
> >
> > #Forward web services to internal host iptables -t nat -A PREROUTING
> > -p tcp -d $extip --dport 80 -j DNAT--to 192.168.0.8:80
> >
> > #Forward ssh to internal host iptables -t nat -A PREROUTING -p tcp -d
> > $extip --dport 22 -j DNAT--to 192.168.0.8:22
> >
> > #Forward mysql to internal host iptables -t nat -A PREROUTING -p tcp
> > -d $extip --dport 3306 -j DNAT--to 192.168.0.8:3306
> >
> > Remember to shut off the above services on your firewall box.
>
>This last has me curious.  If I shut off ssh (port 22) on the firewall,
>then I can't get into it to work on it (it's headless and far far away
>from a chair -- and just now what seems more important, a fan).
>
>Right now, ssh into the firewall box from the ext_if goes straight to
>one of the internal machines (but only allowed from one other trusted
>machine, 1.2.3.4 in the e.g.), but an ssh request from the internal
>network (into the int_if) stays on the firewall box.
>
>Sort of looks like this:
>
>All chains are flushed and set to default DROP
>
>The nat chain rules are
>
>$IPTABLES -t nat -A PREROUTING -i $EXT_IF -s 1.2.3.4 \
>   -d my.static.ip.address -p tcp --dport 22 -j DNAT \
>   --to 192.168.1.2
>
>$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s 192.168.1.2 \
>   -p tcp --sport 22 -j SNAT --to my.static.ip.address
>
>The FORWARD chain rule allows port 22 (originating from trusted machine)
>from the firewall to the internal box and then drops the rest
>
>$IPTABLES -A FORWARD -s 1.2.3.4 -d 192.168.1.2 -p tcp -j ACCEPT
>$IPTABLES -A FORWARD -p tcp --dport 22 -j DROP
>
>And then an INPUT rule to allow getting into the box from the internal
>network
>
>$IPTABLES -A INPUT -s $INT_NET -i INT_IF -j ACCEPT
>
>but disallows spoofing from the outside
>
>$IPTABLES -A INPUT -s INT_NET -i EXT_IF -j DROP
>
>This seems to work.  If anyone sees anything stupid here, let me know.
>I hate being stupid.
>
>Thanks.
>
>m
>
>
>
>--
>Marc Carter
>Assistant Professor, Itinerant Scientist,
>         Inveterate Skeptic, Former Surfer.
>---
>"You can't have a market system that really depends
>on everybody behaving as saints."
>------
>Ken Rose, OSU's National Regulatory Research Institute
>
>


thanks,
jd

jd@taproot.bz
http://www.taproot.bz

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com