* Cannot go out the firewall
@ 2006-10-26 9:23 Marco Nicoloso
2006-10-26 9:41 ` Gáspár Lajos
0 siblings, 1 reply; 5+ messages in thread
From: Marco Nicoloso @ 2006-10-26 9:23 UTC (permalink / raw)
To: netfilter
Hello,
I am trying to set up a firewall via iptables on a Debian Sarge with
kernel 2.6.8.
There are many problems because I have a DNS Server on a Windows
Machine in the internal network. For now I want to keep this
configuration because installing a DNS cache on my Linux server would
be very difficult for me.
Clients and DNS server cannot resolve any name.
Worse, Clients of the internal network cannot connect to any of the
ports specified in the script. I don't know what to do, I read many
many sample self-explained configurations and it seems to me that I
have done everything correctly but, actually, that's not true. I post
my script.
Help me, please.
Thanks in advance
M. Nicoloso
eth0 is the public IP interface
eth1 is the private LAN interface
#!/bin/bash
## RESET RULES ##
iptables -F
iptables -t mangle -F
iptables -t nat -F
iptables -X
iptables -t mangle -X
iptables -t nat -X
## FILTER TABLE ##
# Define the default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Create new chains
# Define the int->ext chain
iptables -N laninet
# Define the ext->int chain
iptables -N inetlan
# Dispatch FORWARD traffic to the chains
iptables -A FORWARD -i eth1 -o eth0 -j laninet
iptables -A FORWARD -i eth0 -o eth1 -j inetlan
# Fragments and invalid packets
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# Loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Internal network traffic
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
## FILTER TABLE - INPUT ##
# Accept packets of existing connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Drop all packets whose source does not fit the chain's direction
# (LAN->Internet must come from the LAN; Internet->LAN must not claim a LAN source)
iptables -A laninet -s ! 192.168.7.0/24 -j DROP
iptables -A inetlan -s 192.168.7.0/24 -j DROP
# Accept inbound traffic on the client ports
# Accept connections for P2P clients
#iptables -A INPUT -i ppp0 -p tcp --dport 4662 -j ACCEPT
#iptables -A INPUT -i ppp0 -p tcp --dport 4668 -j ACCEPT
#iptables -A INPUT -i ppp0 -p udp --dport 18745 -j ACCEPT
# DNS answers matched by source port only: this matches any packet arriving
# from a remote port 53, not just replies (the ESTABLISHED,RELATED rule above
# already covers replies to the firewall's own queries)
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
# Proxy and web ports from the LAN, SSH from anywhere, SMTP from both sides
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
#iptables -A FORWARD -s 192.168.7.33 -j ACCEPT
#iptables -A OUTPUT -o eth0 -d pop.narod.ru -j ACCEPT
#iptables -A OUTPUT -o eth0 -d smtp.narod.ru -j ACCEPT
# Enabling some of the ICMP packets
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Forward
# LAN -> Internet: anything from the LAN may go out
iptables -A laninet -d 0/0 -j ACCEPT
#iptables -A laninet -p tcp --dport 110 -j ACCEPT
#iptables -A laninet -p tcp --dport 25 -j ACCEPT
#iptables -A laninet -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A laninet -p tcp -j REJECT --reject-with tcp-reset
# Internet -> LAN: DNS answers for the internal DNS server, matched by source
# port only, so any new inbound connection from a remote port 53 is forwarded
# into the LAN; the ESTABLISHED,RELATED rule below covers genuine replies
iptables -A inetlan -p tcp --sport 53 -j ACCEPT
iptables -A inetlan -p udp --sport 53 -j ACCEPT
iptables -A inetlan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A inetlan -p tcp -j REJECT --reject-with tcp-reset
# Source NAT for the LAN; note this rule is applied on eth1 (the private
# interface), while eth0 is the public interface listed above
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to 81.xx.xxx.xxx
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Cannot go out the firewall
2006-10-26 9:23 Cannot go out the firewall Marco Nicoloso
@ 2006-10-26 9:41 ` Gáspár Lajos
2006-10-26 9:55 ` Marco Nicoloso
0 siblings, 1 reply; 5+ messages in thread
From: Gáspár Lajos @ 2006-10-26 9:41 UTC (permalink / raw)
To: Marco Nicoloso; +Cc: netfilter
Marco Nicoloso wrote:
> Hello,
>
...
>
> Help me, please.
Would you please post the output of these commands?
iptables -vnL
iptables -vnL -t nat
iptables -vnL -t mangle
Thanx
Swifty
* Re: Cannot go out the firewall
2006-10-26 9:41 ` Gáspár Lajos
@ 2006-10-26 9:55 ` Marco Nicoloso
2006-10-26 10:15 ` Gáspár Lajos
0 siblings, 1 reply; 5+ messages in thread
From: Marco Nicoloso @ 2006-10-26 9:55 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: netfilter
2006/10/26, Gáspár Lajos <swifty@freemail.hu>:
> Would you please post the output of these commands?
Immediately
> iptables -vnL
0 0 DROP all -f * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
8 528 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 5
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 9
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 laninet all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 inetlan all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -f * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
5 540 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
Chain inetlan (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.7.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
Chain laninet (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * !192.168.7.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
> iptables -vnL -t nat
iptables: Table does not exist (do you need to insmod?)
> iptables -vnL -t mangle
iptables: Table does not exist (do you need to insmod?)
But modules iptable_nat and iptable_mangle (although, I think,
iptable_mangle is not necessary for me) are loaded.
Do I need to create the nat table, or is it built-in?
> Thanx
>
> Swifty
>
>
* Re: Cannot go out the firewall
2006-10-26 9:55 ` Marco Nicoloso
@ 2006-10-26 10:15 ` Gáspár Lajos
2006-10-26 17:37 ` Marco Nicoloso
0 siblings, 1 reply; 5+ messages in thread
From: Gáspár Lajos @ 2006-10-26 10:15 UTC (permalink / raw)
To: Marco Nicoloso; +Cc: netfilter, Gáspár Lajos
Marco Nicoloso wrote:
>> iptables -vnL
>
> 0 0 DROP all -f * * 0.0.0.0/0
> 0.0.0.0/0
...
hmmm...
Something wrong with your kernel or iptables...
Or you just entered these commands right after your firewall script...
The counts of packets in the chains should be mostly more than 0! :)
>> iptables -vnL -t nat
> iptables: Table does not exist (do you need to insmod?)
Well...
You need it.
In this command:
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to 81.xx.xxx.xxx
Try this in the head of your script:
modprobe ip_conntrack >/dev/null 2>/dev/null
modprobe ip_conntrack_ftp >/dev/null 2>/dev/null
modprobe ip_conntrack_irc >/dev/null 2>/dev/null
modprobe ip_nat >/dev/null 2>/dev/null
modprobe ip_nat_ftp >/dev/null 2>/dev/null
modprobe ip_nat_irc >/dev/null 2>/dev/null
modprobe iptable_filter >/dev/null 2>/dev/null
modprobe iptable_mangle >/dev/null 2>/dev/null
modprobe iptable_nat >/dev/null 2>/dev/null
>> iptables -vnL -t mangle
> iptables: Table does not exist (do you need to insmod?)
>
Not now :) Maybe later... :)
> But modules iptable_nat and iptable_mangle (although, I think,
> iptable_mangle is not necessary for me) are loaded.
>
Are you sure?
> Do I need to create table nat, or it is built-in?
>
It is built-in, but should be loaded if you compiled it as a module in your
kernel.
From "man iptables":
If the kernel is configured with automatic module loading, an attempt
will be made to load the appropriate module for that table if it is
not already there.
Swifty
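A preflight check added here as an example (not code from the thread or from the poster's script) showing how the missing-module problem diagnosed above can be caught before any rule is loaded: the module names are taken from Swifty's modprobe list; `missing_modules` is a hypothetical helper that compares a required-module list against lsmod output, and `preflight` loads what is missing and aborts if the nat table still cannot be opened. It assumes the script runs as root with lsmod, modprobe and iptables in PATH.

```shell
#!/bin/sh
# Added example, not from the thread: run this at the head of the firewall
# script so a missing nat table is reported before any rule is loaded,
# instead of the SNAT rule silently failing while the rest of the script
# continues. Module names are the ones from Swifty's modprobe list.
REQUIRED_MODULES="ip_conntrack ip_nat iptable_filter iptable_nat"

# missing_modules (hypothetical helper): print the names in $1 that do not
# appear in the lsmod-style listing read from stdin. Pure text processing,
# so it can be exercised without root or a netfilter-enabled kernel.
missing_modules() {
  wanted=$1; loaded=" "; missing=""
  while read -r mod rest; do
    loaded="$loaded$mod "          # collect first column of every line
  done
  for m in $wanted; do
    case "$loaded" in
      *" $m "*) ;;                 # exact token match, not a prefix match
      *) missing="$missing${missing:+ }$m" ;;
    esac
  done
  printf '%s\n' "$missing"
}

# preflight: load whatever is missing, then prove the nat table is usable.
# Returns non-zero (and says why) when the kernel cannot provide it, which
# is exactly the "Table does not exist" situation seen in the thread.
preflight() {
  for m in $(lsmod | missing_modules "$REQUIRED_MODULES"); do
    modprobe "$m" >/dev/null 2>&1 || echo "warning: cannot load $m" >&2
  done
  if ! iptables -t nat -nL >/dev/null 2>&1; then
    echo "error: nat table unavailable; the SNAT rule would fail" >&2
    return 1
  fi
  if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
    echo "warning: ip_forward is 0; forwarded LAN traffic will not leave" >&2
  fi
  return 0
}

# Run the check only when invoked directly with --check, so the file can
# also be sourced from the firewall script (. ./preflight.sh && preflight).
if [ "${1:-}" = "--check" ]; then
  preflight || exit 1
fi
```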
* Re: Cannot go out the firewall
2006-10-26 10:15 ` Gáspár Lajos
@ 2006-10-26 17:37 ` Marco Nicoloso
0 siblings, 0 replies; 5+ messages in thread
From: Marco Nicoloso @ 2006-10-26 17:37 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: netfilter
2006/10/26, Gáspár Lajos <swifty@freemail.hu>:
> Marco Nicoloso wrote:
> >> iptables -vnL
> >
> > 0 0 DROP all -f * * 0.0.0.0/0
> > 0.0.0.0/0
> ...
>
> hmmm...
>
> Something wrong with your kernel or iptables...
> Or you just entered these command right after your firewall script...
> The counts of packets in the chains should be mostly more than 0 ! :)
>
> >> iptables -vnL -t nat
> > iptables: Table does not exist (do you need to insmod?)
> Well...
> You need it.
>
> In this command:
>
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to
> 81.xx.xxx.xxx
>
> Try this in the head of your script:
>
> modprobe ip_conntrack >/dev/null 2>/dev/null
> modprobe ip_conntrack_ftp >/dev/null 2>/dev/null
> modprobe ip_conntrack_irc >/dev/null 2>/dev/null
> modprobe ip_nat >/dev/null 2>/dev/null
> modprobe ip_nat_ftp >/dev/null 2>/dev/null
> modprobe ip_nat_irc >/dev/null 2>/dev/null
> modprobe iptable_filter >/dev/null 2>/dev/null
> modprobe iptable_mangle >/dev/null 2>/dev/null
> modprobe iptable_nat >/dev/null 2>/dev/null
>
I found out that module ip_nat isn't found; this is likely the cause
of the problem. Which options of the kernel enable it?
Thank you very much.
Dosto
>
>