Gateway with Iptables

Gateway with Iptables

[Tarak Ranjan]

Hi List,
i have a proxy server, when i enable the proxy my mail clients are not 
able to send/receive mail. here is my iptables. please help me with the 
necessary changes.

#############################################################################

# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="x.x.x.x"
# Local Interface Information
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.1.3"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
#SQUID
SQUID_SERVER=“192.168.1.3?
SQUID_PORT="8080"
echo "SSH Blocking.........."
$IPT -A INPUT -p tcp -s 192.168.1.210 -d 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.123 -d 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.123 
-d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 -d 
0/0 --dport 22 -j ACCEPT
#$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 
-d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.210 
-d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.0/24 
-d 0/0 --dport 22 -j DROP
#$IPT -A OUTPUT -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.38 -d 
0/0 --dport 22 -j ACCEP

$IPT -A FORWARD -p tcp -s 0/0 -d x.x.x.y/32 --destination-port 25 --syn 
-j ACCEPT
#$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 
192.168.1.100:25
#$IPT -A FORWARD -p tcp -d 192.168.1.100 --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 22 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 3306 -j DROP
#$IPT -A FORWARD -p tcp -d 0/0 -s 0/0 --dport 80 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 111 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 199 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT

# Block IRC
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 194 -j REJECT

# Block Outbound Telnet
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 23 -j REJECT

# Block SSH
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j REJECT

# Block Usenet Access
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 119 -j REJECT


# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to# Rules for the private network (accessing gateway system 
itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT


# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log packets that still don't match
$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
# Used if forwarding for a private network

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT

# Log packets that still don't match
$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
############################################################################
#Redirect all 80 port request to 8080 SQUID PROXY Added By TARAK
# DNAT port 80 request comming from LAN systems to squid 3128 
($SQUID_PORT) aka transparent proxy

#$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT 
--to-ports $SQUID_PORT
#$IPT -t nat -A POSTROUTING -o eth1 -s $LOCAL_NET -j MASQUERADE
#$IPT -A FORWARD -s $LOCAL_NET -d $SQUID_SERVER -i eth1 -o eth0 -p tcp 
--dport $SQUID_PORT -j ACCEPT
$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT 
--to-port $SQUID_PORT
###############################################################################
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "


-- 
Thanks & Regards,

Tarak Ranjan
___________________________
IS-Team
Liqwid Krystal

T:   +91 80  2509 1790 Ext. 107
E@:  tarak.ranjan@liqwidkrystal.com
IM:  reachtarak@hotmail.com

Online Learning|Certification|Learning Solutions: http://www.liqwidkrystal.com 

Re: Gateway with Iptables

[Amos Jeffries]

Tarak Ranjan wrote:
> Hi List,
> i have a proxy server, when i enable the proxy my mail clients are not 
> able to send/receive mail. here is my iptables. please help me with the 
> necessary changes.
> 
> ############################################################################# 
> 
> 
> # Internet Interface
> INET_IFACE="eth1"
> INET_ADDRESS="x.x.x.x"
> # Local Interface Information
> LOCAL_IFACE="eth0"
> LOCAL_IP="192.168.1.3"
> LOCAL_NET="192.168.1.0/24"
> LOCAL_BCAST="192.168.1.255"
> # Localhost Interface
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
> #SQUID
> SQUID_SERVER=“192.168.1.3?
> SQUID_PORT="8080"
> echo "SSH Blocking.........."
> $IPT -A INPUT -p tcp -s 192.168.1.210 -d 0/0 --dport 22 -j ACCEPT
> $IPT -A INPUT -p tcp -s 192.168.1.123 -d 0/0 --dport 22 -j ACCEPT
> $IPT -A INPUT -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
> $IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.123 
> -d 0/0 --dport 22 -j ACCEPT
> $IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 -d 
> 0/0 --dport 22 -j ACCEPT
> #$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 
> -d 0/0 --dport 22 -j ACCEPT
> $IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.210 
> -d 0/0 --dport 22 -j ACCEPT
> $IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.0/24 
> -d 0/0 --dport 22 -j DROP
> #$IPT -A OUTPUT -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.38 -d 
> 0/0 --dport 22 -j ACCEP
> 
> $IPT -A FORWARD -p tcp -s 0/0 -d x.x.x.y/32 --destination-port 25 --syn 
> -j ACCEPT
> #$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 
> 192.168.1.100:25
> #$IPT -A FORWARD -p tcp -d 192.168.1.100 --dport 25 -j ACCEPT
> $IPT -A INPUT -p tcp -s 0/0 --dport 22 -j DROP
> $IPT -A INPUT -p tcp -s 0/0 --dport 3306 -j DROP
> #$IPT -A FORWARD -p tcp -d 0/0 -s 0/0 --dport 80 -j DROP
> $IPT -A INPUT -p tcp -s 0/0 --dport 111 -j DROP
> $IPT -A INPUT -p tcp -s 0/0 --dport 199 -j DROP
> $IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
> #
> # This chain is used with a private network to prevent forwarding for
> # requests on specific protocols. Applied to the FORWARD rule from
> # the internal network. Ends with an ACCEPT
> 
> # Block IRC
> $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 194 -j REJECT
> 
> # Block Outbound Telnet
> $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 23 -j REJECT
> 
> # Block SSH
> $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j REJECT
> 
> # Block Usenet Access
> $IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 119 -j REJECT
> 
> 
> # No match, so ACCEPT
> $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
> 
> # Allow all on localhost interface
> $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
> 
> # Drop bad packets
> $IPT -A INPUT -p ALL -j bad_packets
> $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
> # The rule to# Rules for the private network (accessing gateway system 
> itself)
> $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
> $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
> 
> 
> # Inbound Internet Packet Rules
> 
> # Accept Established Connections
> $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
> 
> # broadcast protocols.
> $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
> 
> # Log packets that still don't match
> $IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
> # Used if forwarding for a private network
> 
> # Drop bad packets
> $IPT -A FORWARD -p ALL -j bad_packets
> 
> # Accept TCP packets we want to forward from internal sources
> $IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
> 
> # Accept UDP packets we want to forward from internal sources
> $IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
> 
> # If not blocked, accept any other packets from the internal interface
> $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
> 
> # Deal with responses from the internet
> $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
> 
> # Log packets that still don't match
> $IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
> ############################################################################ 
> 
> #Redirect all 80 port request to 8080 SQUID PROXY Added By TARAK
> # DNAT port 80 request comming from LAN systems to squid 3128 
> ($SQUID_PORT) aka transparent proxy
> 

I believe you need to exempt the traffic from squid (local machine IPA) 
from the REDIRECT about here.

$IPT -A PREROUTING -p tcp -s $SQUID_SERVER --dport 80 -j ACCEPT

... And use "http port 8080 transparent" in the squid.conf

> #$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT 
> --to-ports $SQUID_PORT
> #$IPT -t nat -A POSTROUTING -o eth1 -s $LOCAL_NET -j MASQUERADE
> #$IPT -A FORWARD -s $LOCAL_NET -d $SQUID_SERVER -i eth1 -o eth0 -p tcp 
> --dport $SQUID_PORT -j ACCEPT
> $IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT 
> --to-port $SQUID_PORT
> ############################################################################### 
> 
> $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
> $IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
> $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
> 
> # To internet
> $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
> 
> # Log packets that still don't match
> $IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
> 
> 

Amos

Re: Gateway with Iptables

[Tarak Ranjan]

> Amos wrote:
> I believe you need to exempt the traffic from squid (local machine 
> IPA) from the REDIRECT about here.
>
> $IPT -A PREROUTING -p tcp -s $SQUID_SERVER --dport 80 -j ACCEPT
>
> ... And use "http port 8080 transparent" in the squid.conf
>
>
> > $IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT 
> --to-port $SQUID_PORT
> > 
> ###############################################################################
but after applying this users are able to connect to the Internet 
directly without enable proxy. what else i have to do to stop direct 
connection , they must use proxy.

-- 
Thanks & Regards,

Tarak Ranjan
___________________________
IS-Team
Liqwid Krystal

T:   +91 80  2509 1790 Ext. 107
E@:  tarak.ranjan@liqwidkrystal.com
IM:  reachtarak@hotmail.com

Online Learning|Certification|Learning Solutions: http://www.liqwidkrystal.com 

RE: Gateway with Iptables

[Rob Sterenborg]

> i have a proxy server, when i enable the proxy my mail clients are
> not able to send/receive mail. here is my iptables. please help me
> with the necessary changes.

[...]

> but after applying this users are able to connect
> to the Internet directly without enable proxy.

How do you test this? If you configured Squid for transparent proxying
and allow http (AFAIK you can't transparent proxy https) inbound, your
users don't have to configure a proxy in their browser and will use the
proxy "transparently".

> what else i have to do to stop direct connection , they must use
> proxy.

No offense, but I can't understand your ruleset. It looks like you
scraped things together from other rulesets (which by itself doesn't
have to be not wrong).
I was going to rewrite the script to make sense of it, but I'm not clear
on what is running where and what exactly is allowed. Also:
- AFAICS some user defined chains are not defined so some rules should
generate an error
- some rules seem to allow too much
- rules from the FORWARD chain call a user defined chain for the OUTPUT
chain
- it's easier to set the chain policies to DROP and specifically ACCEPT
what you want to

Perhaps someone else can make sense of this based on current
information, but for me it's impossible (well, I would be able to make
something out of it, but I have no illusion that such ruleset would be
working).


Grts,
Rob

kernel warning NAT: no longer support implicit source local NAT

[Jeffrey Glass]

Hi Everyone,

Starting with kernel 2.6.11 we started getting this kernel warning:

kernel: NAT: no longer support implicit source local NAT
kernel: NAT: packet src 10.92.1.200 -> dst 10.9.0.2

We have some special rules for routing packets (DNAT) and based on the
error message I would say that we are not explicitly defining something
that we should for future compatibility.

Does anyone have any insight on why "implicit source local NAT" is not
going to be supported and what a typical "source local NAT" definition
would look like?

Thanks.

Richard Glass

Re: Gateway with Iptables

[Amos Jeffries]

Tarak Ranjan wrote:
> 
>> Amos wrote:
>> I believe you need to exempt the traffic from squid (local machine 
>> IPA) from the REDIRECT about here.
>>
>> $IPT -A PREROUTING -p tcp -s $SQUID_SERVER --dport 80 -j ACCEPT
>>
>> ... And use "http port 8080 transparent" in the squid.conf
>>
>>
>> > $IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT 
>> --to-port $SQUID_PORT
>> > 
>> ############################################################################### 
>>
> but after applying this users are able to connect to the Internet 
> directly without enable proxy. what else i have to do to stop direct 
> connection , they must use proxy.
> 

Huh? that should ONLY exempt the proxy, not the client machines. I'm not 
100% certain of the rule as I use shorewall to simplify the config a lot.

Do you mean the users are actually logged into the proxy server?

Or that it _looks_ like clients can connect directly. Check the 
access.log of squid to be sure.

The entire point of transparent is so clients don't do any config, the 
proxy silently makes internet 'just work' for any allowed browsing.

Amos

Re: Gateway with Iptables

[Tarak Ranjan]

Rob Sterenborg wrote:
> i have a proxy server, when i enable the proxy my mail clients are
> > not able to send/receive mail. here is my iptables. please help me
> > with the necessary changes.
>   
  but i'm not able to understand why my mail clients are not responding. 
it's saying connection timed out.
>
> How do you test this? If you configured Squid for transparent proxying
> and allow http (AFAIK you can't transparent proxy https) inbound, your
> users don't have to configure a proxy in their browser and will use the
> proxy "transparently".
>
>   
i have monitor the log /var/log/squid/access.log---- those user's has 
enable "Direct Connection/Automatic detection  " in their respective 
browser, their log is not coming in the access.log
>> what else i have to do to stop direct connection , they must use
>> proxy.
>>     
>
>
> I was going to rewrite the script to make sense of it, but I'm not clear
> on what is running where and what exactly is allowed. Also:
>  
>   
1  i want to block ssh from outside, but it will only allow from 203.x.x.x.
2  any internet request should pass through squid(8080).
3  and if anything wrong in my existing rule set please let me know.



-- 
Thanks & Regards,

Tarak Ranjan
___________________________
IS-Team
Liqwid Krystal

T:   +91 80  2509 1790 Ext. 107
E@:  tarak.ranjan@liqwidkrystal.com
IM:  reachtarak@hotmail.com

Online Learning|Certification|Learning Solutions: http://www.liqwidkrystal.com