* Re: simple questions to finally understand netfilter
From: Jamie Pratt @ 2003-11-27 10:33 UTC (permalink / raw)
To: netfilter
Juan Hernandez wrote:
> Another question...
>
> On Thu, 2003-11-27 at 12:04, Ralf Spenneberg wrote:
>
>>On Thu, 2003-11-27 at 16.41, Juan Hernandez wrote:
>>
>>
>>>1) This rule tells netfilter to drop any packet forwarding I guess
>>>iptables -P FORWARD DROP
>>
>>This is a default rule. All packets not accepted or dropped by other
>>rules will be dropped by this one.
>
>
> If this drops everything else, how come there's access to the webserver
> on that same machine? It's not that I don't want it, it's just that I'm
> curious about what this rule drops exactly, because I can still access my
> webserver.
>
> Juan
>
>
What kind of rules/policies are defined for INPUT? (if none, or -P
ALLOW, that's why..)
jamie
* simple questions to finally understand netfilter
From: Juan Hernandez @ 2003-11-27 15:41 UTC (permalink / raw)
To: Lista de netfilter
Hi there...
I'm using this script and I'd like to understand it a bit better...
This is redirecting everything that comes from to port 25 to another
server, and this router is also a webserver.. Let me see if I understand
every step
1) This rule tells netfilter to drop any packet forwarding, I guess
iptables -P FORWARD DROP
2) This one only accepts related and established packets
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
3) This one forwards everything from the mailserver to the outside, I
guess
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
4) and this rule redirects everything on port 25 to the mailserver
iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 25 -j DNAT --to-destination 192.168.0.2:25
Now these are the questions I have about netfilter
1) What does the first rule do exactly?
2) How come if I add this rule to redirect everything from port 666 to
the mailserver's ssh port it doesn't work?
iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 666 -j DNAT --to-destination 192.168.0.2:22
Is it because I have to make another rule to forward the packets coming
back from the mailserver's ssh? How come it is not using the one already in
(number 2)?
3) How do I use DROP with a range of ports in order to close everything
else to the outside? Or is there another way to do it?
Thanks a lot for your help...
Juan
* Re: simple questions to finally understand netfilter
From: Ralf Spenneberg @ 2003-11-27 16:04 UTC (permalink / raw)
To: Juan Hernandez; +Cc: Lista de netfilter
On Thu, 2003-11-27 at 16.41, Juan Hernandez wrote:
> 1) This rule tells netfilter to drop any packet forwarding I guess
> iptables -P FORWARD DROP
This is a default rule. All packets not accepted or dropped by other
rules will be dropped by this one.
>
> 2) This one only accepts related and established packets
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
correct.
> 3) This one forwards everything from the mailserver to the outside, I
> guess
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
No. This allows all packets destined for 192.168.0.2:25 through.
> 4) and this rule redirects everything in port 25 to the mailserver
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 25 -j DNAT
> --to-destination 192.168.0.2:25
This rule redirects all packets targeted at 192.168.0.1:25 to 192.168.0.2:25.
> Now these are the questions I have about netfilter
>
> 1) What does the first rule do exactly?
>
> 2) How come if I add this rule to redirect everything from port 666 to
> the mailserver's ssh port it doesn't work?
>
> iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 666 -j DNAT
> --to-destination 192.168.0.2:22
You need a rule which will allow these packets through the FORWARD
chain:
iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 22 -j ACCEPT
> 3) How do I use DROP with a range of ports in order to close everything
> else to the outside? Or is there another way to do it?
Everything else is closed by the default rule (1).
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: VPN mit Linux
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
* Re: simple questions to finally understand netfilter
From: Juan Hernandez @ 2003-11-27 16:08 UTC (permalink / raw)
To: Ralf Spenneberg; +Cc: Lista de netfilter
Thank you pal...
Juan
On Thu, 2003-11-27 at 12:04, Ralf Spenneberg wrote:
> On Thu, 2003-11-27 at 16.41, Juan Hernandez wrote:
>
> > 1) This rule tells netfilter to drop any packet forwarding I guess
> > iptables -P FORWARD DROP
> This is a default rule. All packets not accepted or dropped by other
> rules will be dropped by this one.
>
> >
> > 2) This one only accepts related and established packets
> > iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> correct.
>
> > 3) This one forwards everything from the mailserver to the outside, I
> > guess
> > iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
> No. This allows all packets destined for 192.168.0.2:25 through.
>
> > 4) and this rule redirects everything in port 25 to the mailserver
> > iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 25 -j DNAT
> > --to-destination 192.168.0.2:25
> This rule redirects all packets targeted at 192.168.0.1:25 to 192.168.0.2:25.
>
> > Now these are the questions I have about netfilter
> >
> > 1) What does the first rule do exactly?
> >
> > 2) How come if I add this rule to redirect everything from port 666 to
> > the mailserver's ssh port it doesn't work?
> >
> > iptables -t nat -A PREROUTING -d 192.168.0.1 -p tcp --dport 666 -j DNAT
> > --to-destination 192.168.0.2:22
> You need a rule which will allow these packets through the FORWARD
> chain:
> iptables -A FORWARD -d 192.168.0.2 -p tcp --dport 22 -j ACCEPT
>
> > 3) How do I use DROP with a range of ports in order to close everything
> > else to the outside? Or is there another way to do it?
> Everything else is closed by the default rule (1).
>
> Cheers,
>
> Ralf
* Re: simple questions to finally understand netfilter
From: Juan Hernandez @ 2003-11-27 16:14 UTC (permalink / raw)
To: Ralf Spenneberg; +Cc: Lista de netfilter
Another question...
On Thu, 2003-11-27 at 12:04, Ralf Spenneberg wrote:
> On Thu, 2003-11-27 at 16.41, Juan Hernandez wrote:
>
> > 1) This rule tells netfilter to drop any packet forwarding I guess
> > iptables -P FORWARD DROP
> This is a default rule. All packets not accepted or dropped by other
> rules will be dropped by this one.
If this drops everything else, how come there's access to the webserver
on that same machine? It's not that I don't want it, it's just that I'm
curious about what this rule drops exactly, because I can still access my
webserver.
Juan
* Re: simple questions to finally understand netfilter
From: Jeffrey Laramie @ 2003-11-27 17:17 UTC (permalink / raw)
To: Netfilter List
On Thu, 2003-11-27 at 11:14, Juan Hernandez wrote:
> Another question...
>
> On Thu, 2003-11-27 at 12:04, Ralf Spenneberg wrote:
> > On Thu, 2003-11-27 at 16.41, Juan Hernandez wrote:
> >
> > > 1) This rule tells netfilter to drop any packet forwarding I guess
> > > iptables -P FORWARD DROP
> > This is a default rule. All packets not accepted or dropped by other
> > rules will be dropped by this one.
>
> If this drops everything else, how come there's access to the webserver
> on that same machine? It's not that I don't want it, it's just that I'm
> curious about what this rule drops exactly, because I can still access my
> webserver.
>
When you say same machine, do you mean the same box as the firewall? The
rules you have are for forwarding packets to other machines. To filter
traffic going to the firewall box you need to have rules in your INPUT
chain.
Jeff
* Re: simple questions to finally understand netfilter
From: Ralf Spenneberg @ 2003-11-27 17:49 UTC (permalink / raw)
To: Juan Hernandez; +Cc: Lista de netfilter
On Thu, 2003-11-27 at 17.14, Juan Hernandez wrote:
> Another question...
>
> On Thu, 2003-11-27 at 12:04, Ralf Spenneberg wrote:
> > On Thu, 2003-11-27 at 16.41, Juan Hernandez wrote:
> >
> > > 1) This rule tells netfilter to drop any packet forwarding I guess
> > > iptables -P FORWARD DROP
> > This is a default rule. All packets not accepted or dropped by other
> > rules will be dropped by this one.
>
> If this drops everything else, how come there's access to the webserver
> on that same machine? It's not that I don't want it, it's just that I'm
> curious about what this rule drops exactly, because I can still access my
> webserver.
Because the FORWARD chain only covers packets to be forwarded to other
machines. Packets destined to the local machine are filtered in the
INPUT chain. Do a
iptables -P INPUT DROP
and your webserver should stop responding (if there are no other INPUT
rules).
Cheers,
Ralf
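The chain split Ralf describes, and the reason the port-666 DNAT in the earlier reply needs its own FORWARD rule, as a small Python model added here (not code from the thread or from netfilter): it applies nat PREROUTING first, then hands the packet to INPUT or FORWARD depending on the routing decision, using the thread's addresses and rules. The `established` flag is a constructed stand-in for the conntrack RELATED,ESTABLISHED state that rule 2 matches on.

```python
# Added illustration of the thread's packet path; not code from the thread.
# Addresses and ports are the ones in the thread; "established" stands in
# for the conntrack RELATED,ESTABLISHED state that rule 2 matches on.
from dataclasses import dataclass, replace

FIREWALL = "192.168.0.1"     # the router, which also runs the webserver
MAILSERVER = "192.168.0.2"


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    established: bool = False  # True for packets of an already-tracked flow


# nat PREROUTING (rule 4 plus the port-666 attempt): (dst, dport) -> DNAT target
DNAT_RULES = [
    (FIREWALL, 25, (MAILSERVER, 25)),
    (FIREWALL, 666, (MAILSERVER, 22)),
]

# filter FORWARD with policy DROP: (dst, dport) pairs accepted for NEW packets
FORWARD_ACCEPT = {(MAILSERVER, 25)}                          # rule 3 only
FORWARD_ACCEPT_FIXED = FORWARD_ACCEPT | {(MAILSERVER, 22)}   # plus Ralf's fix


def prerouting(pkt):
    """Rewrite the destination as the nat PREROUTING chain would."""
    for dst, dport, (new_dst, new_dport) in DNAT_RULES:
        if pkt.dst == dst and pkt.dport == dport:
            return replace(pkt, dst=new_dst, dport=new_dport)
    return pkt


def verdict(pkt, forward_accept=FORWARD_ACCEPT, input_policy="ACCEPT"):
    """Return (chain, verdict) for a packet arriving from the outside."""
    pkt = prerouting(pkt)           # DNAT happens before the routing decision
    if pkt.dst == FIREWALL:
        # Local delivery: only the INPUT chain is consulted, never FORWARD.
        return ("INPUT", input_policy)
    if pkt.established:
        return ("FORWARD", "ACCEPT")                  # rule 2
    if (pkt.dst, pkt.dport) in forward_accept:
        return ("FORWARD", "ACCEPT")                  # rule 3 / added rule
    return ("FORWARD", "DROP")                        # policy from rule 1
```

A new connection to port 666 is DNATed to the mailserver's port 22 and then dropped by the FORWARD policy until the port-22 ACCEPT rule is added, while port 80 on the firewall itself never reaches FORWARD at all.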
* Re: simple questions to finally understand netfilter
From: Juan Hernandez @ 2003-11-27 17:53 UTC (permalink / raw)
To: Ralf Spenneberg; +Cc: Lista de netfilter
Thank you...
Juan
On Thu, 2003-11-27 at 13:49, Ralf Spenneberg wrote:
> On Thu, 2003-11-27 at 17.14, Juan Hernandez wrote:
> > Another question...
> >
> > On Thu, 2003-11-27 at 12:04, Ralf Spenneberg wrote:
> > > On Thu, 2003-11-27 at 16.41, Juan Hernandez wrote:
> > >
> > > > 1) This rule tells netfilter to drop any packet forwarding I guess
> > > > iptables -P FORWARD DROP
> > > This is a default rule. All packets not accepted or dropped by other
> > > rules will be dropped by this one.
> >
> > If this drops everything else, how come there's access to the webserver
> > on that same machine? It's not that I don't want it, it's just that I'm
> > curious about what this rule drops exactly, because I can still access my
> > webserver.
> Because the FORWARD chain only covers packets to be forwarded to other
> machines. Packets destined to the local machine are filtered in the
> INPUT chain. Do a
> iptables -P INPUT DROP
> and your webserver should stop responding (if there are no other INPUT
> rules).
>
> Cheers,
>
> Ralf