josh Guru
Joined: 05 Feb 2003 Posts: 473 Location: Milky Way: Solar System: Earth: North America: USA: NY: Buffalo
Posted: Sun Jan 08, 2006 4:52 pm Post subject: [SOLVED] Iptables general help...
Sorry I couldn't be more descriptive in the subject but I'm not sure how to word this.
I need a pretty basic firewall setup. It seems like I'd see this all over the place but I haven't really. Here are the specs on what I have and what I want my firewall to do:
It has 2 NICs. One comes in from the internet. The other one is for my internal LAN. I need everyone on the inside to be able to get out to the internet no problem. Behind my firewall I have one box which I use for ssh, http, etc. I only want select IPs to be able to reach that box. Everyone else I want dropped. This is what I came up with that makes logical sense (to me) but it isn't working:
Code:
#!/bin/bash
IPTABLES=/sbin/iptables
INTIF=eth1
EXTIF=eth0
WHITELIST=whitelist.txt.orig
${IPTABLES} -X
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -P INPUT DROP
${IPTABLES} -F
${IPTABLES} -A INPUT -i ! ${EXTIF} -j ACCEPT
${IPTABLES} -A FORWARD -i ! ${EXTIF} -j ACCEPT
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A POSTROUTING -t nat -o ${EXTIF} -j MASQUERADE
${IPTABLES} -t nat -A PREROUTING -i $EXTIF -p tcp --destination-port 22 -j DNAT --to 192.168.13.216
for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
    echo "Permitting $x..."
    iptables -t nat -A PREROUTING -s $x -d 192.168.13.216 -i $EXTIF -j DNAT --to-destination 192.168.13.216
done
whitelist.txt.org contains (you guessed it) a list of IP addresses that are OK. I've got a few boxes I can use elsewhere on the internet. I've been trying to block some and allow others to test this out. But I can always get back in. I can get out to the internet fine also. Any suggestions? _________________ -Josh
Last edited by josh on Wed Jan 11, 2006 4:04 pm; edited 1 time in total
Jogie214 Apprentice
Joined: 15 Aug 2004 Posts: 159 Location: Cologne / Germany
Posted: Sun Jan 08, 2006 8:49 pm Post subject:
First guess, do you have a dsl connection or something similar (ppp0 etc), because in that case you need to change your EXTIF to ppp0.
What's the output of and ifconfig?
Sebastian _________________ Desktop: Ryzen7 1700x / x370 / Radeon RX 550 / Gentoo amd64
CriminalMastermind Tux's lil' helper
Joined: 19 Nov 2003 Posts: 132 Location: toronto
Posted: Sun Jan 08, 2006 9:59 pm Post subject:
i think your problem is you are doing the dnat in the nat table, but then not allowing those packets through your firewall (the filter table).
josh wrote:
Code:
${IPTABLES} -t nat -A PREROUTING -i $EXTIF -p tcp --destination-port 22 -j DNAT --to 192.168.13.216
you may want to give a destination ip = your external interface ip here... but that is not required.
josh wrote:
Code:
for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
    echo "Permitting $x..."
    iptables -t nat -A PREROUTING -s $x -d 192.168.13.216 -i $EXTIF -j DNAT --to-destination 192.168.13.216
done
i'm not making much sense of this rule. i think you want to be playing with -t filter -A FORWARD here. that would be the allowing packets through your firewall part.
another, slightly more paranoid thing you could do would be to only dnat traffic in your whitelist. meaning only traffic from whitelist IPs would even get to the filter table.
i didn't really look too closely at your rules, nor can i check mine at the moment. this is just off the top of my head. there could be other problems. in general, a very good way to troubleshoot iptables problems is to enable logging and log all packets before they are dropped. that and tcpdump.
hope that made sense and helped. _________________ "I can picture a perfect world that knows of no war... and I can picture me attacking that world, because they'd never expect it."
josh Guru
Posted: Sun Jan 08, 2006 9:59 pm Post subject:
Jogie214 wrote:
First guess, do you have a dsl connection or something similar (ppp0 etc), because in that case you need to change your EXTIF to ppp0.
What's the output of and ifconfig?
Sebastian
It's actually a T1. So they both come up as eth? plus some aliases that I will be using at some point. Here is some output.
Code:
[root@sabrevois ~]# iptables -L -v
Chain INPUT (policy ACCEPT 8119 packets, 894K bytes)
 pkts bytes target prot opt in   out source   destination
   23  1478 ACCEPT all  -- !eth0 any anywhere anywhere
  151 12660 ACCEPT all  -- any   any anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out source   destination
  622 50472 ACCEPT all  -- !eth0 any anywhere anywhere
  627  182K ACCEPT all  -- any   any anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 129 packets, 17367 bytes)
 pkts bytes target prot opt in   out source   destination
[root@sabrevois ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:11:43:E6:9A:C5
          inet addr:192.168.100.240  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::211:43ff:fee6:9ac5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:299245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:78321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:83570761 (79.6 MiB)  TX bytes:46095608 (43.9 MiB)
          Base address:0xecc0 Memory:dfae0000-dfb00000
eth0:0    Link encap:Ethernet  HWaddr 00:11:43:E6:9A:C5
          inet addr:192.168.100.244  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Base address:0xecc0 Memory:dfae0000-dfb00000
eth1      Link encap:Ethernet  HWaddr 00:11:43:E6:9A:C6
          inet addr:192.168.13.1  Bcast:192.168.13.255  Mask:255.255.255.0
          inet6 addr: fe80::211:43ff:fee6:9ac6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:87757 errors:0 dropped:0 overruns:0 frame:0
          TX packets:78968 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:43242268 (41.2 MiB)  TX bytes:56288327 (53.6 MiB)
          Base address:0xdcc0 Memory:df8e0000-df900000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:40 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4237 (4.1 KiB)  TX bytes:4237 (4.1 KiB)
For now this is inside my .100. subnet. Eventually it will be my firewall and have an external IP and will NAT IPs into my .100. subnet. _________________ -Josh
josh Guru
Posted: Tue Jan 10, 2006 11:08 pm Post subject:
Thanks mastermind. My problem is that I don't really understand iptables 'rules'. I'm not clear on what all of the tables do. From a programming perspective it makes sense to me, but then it doesn't work out. So I've been studying up and reading the iptables man page. I'm not 100% clear but... baby steps. So I started out simple. I can now allow all traffic out and specific hosts in. However, I cannot get these specific hosts to forward to another machine in my network. Here is the script (IPs have been changed to protect the guilty):
Code:
#!/bin/bash
IPTABLES=/sbin/iptables
INTIF=eth1
EXTIF=eth0
#WHITELIST=/root/fw/whitelist.txt.orig
WHITELIST=/root/fw/whitelist.txt
echo "Starting Firewall..."
# Drop all rules:
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
# Start rules:
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
# Allow unlimited traffic on the loopback device
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Extrapolate: Allow all traffic on $INTIF:
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -j ACCEPT
# Allow all traffic with an Established or Related Connection:
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masq all traffic from $INTIF to $EXTIF
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
$IPTABLES -A FORWARD -i $INTIF -j ACCEPT
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
##################################################
# Let in individual IP's
$IPTABLES -A INPUT -t filter -s 1.2.3.4 -j ACCEPT
# Drop everything else and log it:
#$IPTABLES -A INPUT -j LOG
$IPTABLES -A INPUT -j REJECT
So now I can:
1.) get out to the internet
2.) get in from 1.2.3.4
3.) not get in from 5.6.7.8
So I'm almost there. I just need 1.2.3.4 to forward (every port; 22, 80, 443, etc.) to an internal machine. Any suggestions? I've tried a few different things but I always end up either blocking everything or allowing everything on a certain port. Obviously I'll put the IPs in a loop later, but for now I'm just starting with one till I get this going. All of these IPs will forward to the same machine. But in the future I may need certain IPs and/or certain ports on certain IPs to go to certain machines. So if anyone has some insight on that, that'd be sweet. But my main thing for now is getting all of the IPs into one machine. Thanks in advance! _________________ -Josh
splooge l33t
Joined: 30 Aug 2002 Posts: 636
Posted: Tue Jan 10, 2006 11:53 pm Post subject:
Code:
iptables -t nat -A PREROUTING -i eth0 -s 1.2.3.4 -p tcp --dport 22 -j DNAT --to 192.168.0.100
aka: If a TCP packet destined for port 22 comes in eth0 with the source address of 1.2.3.4, dnat it to 192.168.0.100 _________________ http://get.a.clue.de
josh Guru
Posted: Tue Jan 10, 2006 11:57 pm Post subject:
And on a side note: Maybe this is coincidence or maybe I messed something up on my PC. But it is taking forever for packets to get to and from my machine to the internet. Once a connection is established it is quick (i.e. download) and other machines are fine. Just thought maybe someone would know this off the top of their head.
Code:
root@mars:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0D:61:40:7A:44
          inet addr:192.168.100.216  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16520 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14313 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3218354 (3.0 Mb)  TX bytes:1016021 (992.2 Kb)
          Interrupt:11 Base address:0xe000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:772 (772.0 b)  TX bytes:772 (772.0 b)
root@mars:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 eth0
loopback        localhost.local 255.0.0.0       UG    0      0        0 lo
default         192.168.100.240 0.0.0.0         UG    0      0        0 eth0
_________________ -Josh
josh Guru
Posted: Wed Jan 11, 2006 1:39 am Post subject:
Thanks splooge. Do I need the 'filter' rule as well? Should one come before the other?
PS. Figured out my problem with 'slowness'. I forgot to change /etc/resolve.conf back around after I moved the firewall. In case anyone was hanging on the edge of their seat. _________________ -Josh
josh Guru
Posted: Wed Jan 11, 2006 1:48 pm Post subject:
That didn't seem to work. I tried it before and after the filter rule and I also tried it without the filter rule. I couldn't get in on that address. There is something kind of weird going on though. I figured that the firewall wouldn't really discriminate between public IPs and private IPs. But when I used to have this firewall behind my other firewall I could successfully NAT ports from within my network, through this firewall, and to another machine behind it like this:
Code:
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp \
    -m multiport --destination-port 22,80,443 \
    -s $ip -j DNAT --to 192.168.13.216
And then I had that filter rule before it.
Does it make a difference that the firewall now has an actual ip address and not just a 192.168.*?
Do I need a FORWARD rule for INPUT packets somewhere? _________________ -Josh
josh Guru
Posted: Wed Jan 11, 2006 4:02 pm Post subject:
Got it! Just in case anyone else stumbles across this thread, this is the final script I came up with (sans loop for simplicity).
1.2.3.4 is a remote host.
5.6.7.8 is my external ip address.
and the 192.168 is, of course, the internal machine.
Code:
#!/bin/bash
IPTABLES=/sbin/iptables
INTIF=eth1
EXTIF=eth0
echo "Starting Firewall..."
# Drop all rules:
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
# Start rules:
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
# Allow unlimited traffic on the loopback device
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Extrapolate: Allow all traffic on $INTIF:
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -j ACCEPT
# Allow all traffic with an Established or Related Connection:
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masq all traffic from $INTIF to $EXTIF
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
$IPTABLES -A FORWARD -i $INTIF -j ACCEPT
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
##################################################
# Let in individual IP's
$IPTABLES -t nat -A PREROUTING -s 1.2.3.4 -d 5.6.7.8 -i $EXTIF -j DNAT --to-destination 192.168.100.242
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d 192.168.100.242 \
    -m multiport --dport 443,22,80 \
    -m state --state NEW -j ACCEPT
# Drop everything else and log it:
#$IPTABLES -A INPUT -j LOG
$IPTABLES -A INPUT -j REJECT
I do have one more question though: How can I log to a file? My second to last line logs to the tty. Even if I start the script in tty1 and then move to tty2 it will continue outputting to the screen.
[EDIT]It *does* log it /var/log/messages. But I'd like it to *not* go to console (which it does whether I like it or not). I've been looking in /etc/syslog.conf but nothing pops out at me.[/EDIT]
Thanks again for all of the help! _________________ -Josh
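The pattern the thread converges on (CriminalMastermind's "only DNAT the whitelist, then let it through the filter table" and the final script above) is captured below as an added example, not any poster's own script: a dry-run generator that turns a whitelist file into paired nat PREROUTING DNAT and filter FORWARD rules, sets the FORWARD policy to DROP explicitly (the final script never sets it, so its FORWARD rule only restricts anything if that policy is already DROP), and logs before the drop as suggested for troubleshooting. The external IP 5.6.7.8 and internal host 192.168.100.242 come from the thread; the port list, the sample whitelist entries and the interface names are assumptions.

```shell
#!/bin/sh
# Dry-run generator for a whitelist-driven DNAT + FORWARD ruleset (added
# example, not the thread's own script). It prints iptables commands instead of
# running them, so the result can be reviewed before being applied.
# Interface names, port list and the sample whitelist are assumptions.

EXTIF=eth0
INTIF=eth1
EXTIP=5.6.7.8               # firewall's external address (as in the thread)
INTHOST=192.168.100.242     # internal box the whitelisted hosts may reach
PORTS=22,80,443

# Rules for one whitelisted host: DNAT in the nat table, plus the matching
# filter-table FORWARD rule. DNAT alone only rewrites the destination; the
# packet is still dropped unless FORWARD accepts it.
rules_for_host() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp -m multiport --dport %s -j DNAT --to-destination %s\n' \
        "$EXTIF" "$1" "$EXTIP" "$PORTS" "$INTHOST"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp -m multiport --dport %s -m state --state NEW -j ACCEPT\n' \
        "$EXTIF" "$INTIF" "$1" "$INTHOST" "$PORTS"
}

# Read a whitelist on stdin (one IP per line, '#' comments and blank lines
# ignored, extra columns allowed) and print the whole FORWARD-side ruleset:
# explicit DROP policy, conntrack and LAN rules, per-host rules, then a
# rate-limited LOG so dropped packets show up in syslog while troubleshooting.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $INTIF -j ACCEPT"
    grep -v '^[[:space:]]*#' | awk 'NF { print $1 }' | while read -r ip; do
        rules_for_host "$ip"
    done
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FW-FORWARD-DROP: '"
}

# Number of whitelist entries that produced a DNAT rule (sanity check).
count_hosts() { gen_rules | grep -c -- '-j DNAT'; }

# Constructed sample whitelist for a stand-alone run.
SAMPLE_WHITELIST='# remote admin hosts
1.2.3.4
# 9.9.9.9 disabled for now
10.20.30.40 office
'
printf '%s' "$SAMPLE_WHITELIST" | gen_rules
```

Pipe the output into `sh` on the firewall only after reviewing it; the generated rules assume the rest of the ruleset (loopback, INPUT and MASQUERADE rules) is already in place.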