Linux Netfilter discussions
From: Daniel Huhardeaux <daniel.huhardeaux@tootai.com>
To: netfilter@vger.kernel.org
Subject: Understanding the routing rules
Date: Thu, 25 Dec 2008 22:21:20 +0100
Message-ID: <4953F950.9040009@tootai.com>

Good day all,

I set up a firewall with 3 network cards:

eth0 -> intranet 10.0.0.0/16
eth1 -> isp1
eth2 -> isp2

Outgoing traffic goes to isp1 except for net 10.0.0.0/24; incoming comes 
from isp2. What is named EXTERNAL_MAIN_xxx is a copy of EXTERNAL2_xxx.

Now let's say I redirect port 80 to a server in the intranet, 10.0.0.40 port 
80, I redirect port 2222 to the localhost 127.0.0.1, and finally I also 
install an OpenVPN in tun mode, proto tcp.

Base policy is:
# Deny all by default
$IPTABLES -P INPUT      DROP
$IPTABLES -P OUTPUT     DROP
$IPTABLES -P FORWARD    DROP


I create my rules ALLOW_PORTS. In the variable TCP_PORTS_ALLOWED I put 
_ALL_ authorized ports, doesn't matter if they are to preroute or not.

###############################################################################
## Special Chain ALLOW_PORTS
## Rules to allow packets based on port number. This sort of thing is generally
## required only if you're running services on(!!!) the firewall or if you have a
## FORWARD policy of DROP(which we don't right now).

$IPTABLES -N ALLOW_PORTS
$IPTABLES -F ALLOW_PORTS

   
##------------------------------------------------------------------------##
   ## ACCEPT TCP traffic based on port number.

for PORT in $TCP_PORTS_ALLOWED; do
 $IPTABLES -A ALLOW_PORTS -m state --state NEW -p tcp \
 --dport $PORT -j ACCEPT
done
   
##------------------------------------------------------------------------##
   ## ACCEPT UDP traffic based on port number.
for PORT in $UDP_PORTS_ALLOWED; do
 $IPTABLES -A ALLOW_PORTS -m state --state NEW -p udp \
 --dport $PORT -j ACCEPT
done

   
##------------------------------------------------------------------------##
   ## REJECT port 113 ident requests.
$IPTABLES -A ALLOW_PORTS -p tcp --dport 113 -j REJECT \
--reject-with tcp-reset
   
##------------------------------------------------------------------------##

From here I accept

    # Accept what is from localhost
    $IPTABLES -A INPUT   -p ALL -i $LOCAL_DEVICE -j ACCEPT
    $IPTABLES -A OUTPUT  -p ALL -o $LOCAL_DEVICE -j ACCEPT
    $IPTABLES -A FORWARD -p ALL -i $LOCAL_DEVICE -j ACCEPT

    # Accept what is from intranet
    $IPTABLES -A INPUT   -p ALL -i $INTERNAL_DEVICE -j ACCEPT
    $IPTABLES -A OUTPUT  -p ALL -o $INTERNAL_DEVICE -j ACCEPT
    $IPTABLES -A FORWARD -p ALL -i $INTERNAL_DEVICE -j ACCEPT

    # Accept what is for VPN
    $IPTABLES -A INPUT   -p ALL -i $VPN_DEVICE -j ACCEPT
    $IPTABLES -A OUTPUT  -p ALL -o $VPN_DEVICE -j ACCEPT
    $IPTABLES -A FORWARD -p ALL -i $VPN_DEVICE -j ACCEPT

And now my 2 Internet connections, where $KEEPSTATE="ESTABLISHED,RELATED"

    # Accept ports back from eth, flow return, all protocols.
    # activate established mode on all protocols (stateful inspection)
    $IPTABLES -A OUTPUT  -o $EXTERNAL1_DEVICE -p ALL $KEEPSTATE -j ACCEPT
    $IPTABLES -A INPUT   -i $EXTERNAL1_DEVICE -p ALL $KEEPSTATE -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTERNAL1_DEVICE -p ALL $KEEPSTATE -j ACCEPT

    $IPTABLES -A OUTPUT  -o $EXTERNAL2_DEVICE -p ALL $KEEPSTATE -j ACCEPT
    $IPTABLES -A INPUT   -i $EXTERNAL2_DEVICE -p ALL $KEEPSTATE -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTERNAL2_DEVICE -p ALL $KEEPSTATE -j ACCEPT

PREROUTING to the host

    # SSH #
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL_MAIN_DEVICE -p tcp \
    -d $EXTERNAL_MAIN_IP --dport 2222 -j DNAT --to 127.0.0.1:22
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT

PREROUTING to the webserver

    # HTTP #
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL_MAIN_DEVICE -p tcp \
    -d $EXTERNAL_MAIN_IP --dport 80 -j DNAT --to 10.0.0.40
    $IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT

INPUT allowed
    # Accept Packets based on ports number
    $IPTABLES -A INPUT -i $EXTERNAL_MAIN_DEVICE -s $ANY -j ALLOW_PORTS

For me this setup should open the ports in PREROUTING, INPUT and FORWARD as 
I need and want. But it does *NOT*. To get these rules to work I _must_ add 
the state NEW in $KEEPSTATE.

My question is: FORWARD is accepted after each PREROUTING, INPUT is 
accepted for each allowed port, so why do I also have to accept the NEW state?

Thanks for your lights :-)

Merry Christmas

-- 
Daniel
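An added model of the inbound packet path the mail describes (this is not the poster's script): nat PREROUTING runs first, then the routing decision, then the filter INPUT or FORWARD chain with the rules quoted above, so one can see which chain and which destination port the filter table actually matches each flow on. Interface roles follow the mail (eth0 intranet, eth2 as EXTERNAL_MAIN); the VPN device name `tun0`, the ISP address 192.0.2.10 and the reading of `$KEEPSTATE` as a `-m state --state ESTABLISHED,RELATED` match are assumptions.

```python
# Model of the netfilter path for packets ARRIVING on the firewall described
# in the post (added example, not the poster's script).  Outbound-only chains
# (OUTPUT, POSTROUTING) are not modelled.
# Assumed values: "tun0" for the VPN device, 192.0.2.10 for the ISP address.

EXTERNAL_MAIN_DEVICE = "eth2"                # EXTERNAL_MAIN is a copy of EXTERNAL2
EXTERNAL_MAIN_IP = "192.0.2.10"              # placeholder ISP address
LOCAL_ADDRS = {EXTERNAL_MAIN_IP, "127.0.0.1"}
TRUSTED_IN = {"lo", "eth0", "tun0"}          # the blanket '-i ... -j ACCEPT' rules
TCP_PORTS_ALLOWED = {80, 2222}               # what the post lists for ALLOW_PORTS

# nat PREROUTING rules: (in_iface, proto, dst, dport) -> (new_dst, new_dport)
DNAT = {
    (EXTERNAL_MAIN_DEVICE, "tcp", EXTERNAL_MAIN_IP, 2222): ("127.0.0.1", 22),
    (EXTERNAL_MAIN_DEVICE, "tcp", EXTERNAL_MAIN_IP, 80): ("10.0.0.40", 80),
}


def traverse(in_iface, proto, dst, dport, state="NEW"):
    """Return (chain, verdict, dport) as the filter table sees the packet."""
    # 1. DNAT happens before the routing decision, so every later chain
    #    matches on the rewritten destination address and port.
    dst, dport = DNAT.get((in_iface, proto, dst, dport), (dst, dport))
    # 2. Routing: a local destination goes to INPUT, anything else to FORWARD.
    chain = "INPUT" if dst in LOCAL_ADDRS else "FORWARD"
    # 3. filter rules in the post's order; the default policy is DROP.
    if in_iface in TRUSTED_IN:
        return chain, "ACCEPT", dport
    if state in ("ESTABLISHED", "RELATED"):  # the $KEEPSTATE rules
        return chain, "ACCEPT", dport
    if state != "NEW":                       # INVALID falls through to policy
        return chain, "DROP", dport
    if chain == "FORWARD":
        # '-A FORWARD -p tcp -m tcp --dport 22|80 -j ACCEPT' has no state match
        if proto == "tcp" and dport in (22, 80):
            return chain, "ACCEPT", dport
        return chain, "DROP", dport
    # INPUT: '-i $EXTERNAL_MAIN_DEVICE -j ALLOW_PORTS' accepts NEW tcp to the
    # listed ports (the udp list is left empty here); all else hits the policy.
    if (in_iface == EXTERNAL_MAIN_DEVICE and proto == "tcp"
            and dport in TCP_PORTS_ALLOWED):
        return chain, "ACCEPT", dport
    return chain, "DROP", dport


if __name__ == "__main__":
    for pkt in [(EXTERNAL_MAIN_DEVICE, "tcp", EXTERNAL_MAIN_IP, 80),
                (EXTERNAL_MAIN_DEVICE, "tcp", EXTERNAL_MAIN_IP, 2222)]:
        print(pkt, "->", traverse(*pkt))
```

Running it shows the 2222 redirection reaching INPUT with destination port 22, which is the value ALLOW_PORTS is matched against after DNAT, while the port 80 redirection reaches FORWARD and is accepted by the stateless `--dport 80` rule.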
