Gentoo Forums
IPtables
Gentoo Forums Forum Index :: Networking & Security
cold
n00b
Joined: 23 Feb 2003
Posts: 66
PostPosted: Tue Jan 13, 2004 11:12 pm    Post subject: IPtables

I just got my wireless NIC working :)
but now I have a problem with my firewall.
I can ping www.gentoo.org,
but when I try to open the page on my client
it hangs at "Website Found, Waiting for Reply" :(
This is my firewall.
Can someone tell me what I am doing wrong?
Code:

#!/bin/sh

# Masquerading firewall (relatively secure)

# A fairly secure masquerading firewall that lets the whole LAN behind it
# reach the internet. The default policy is set to 'deny everything', after
# which holes are punched in the firewall. Only the variables need to be
# adapted to the environment.
#

# Released under the GPL, copyright 2001, Bart Geverts.


############################################################################
# variables

## variables that must be adapted to your environment

# path to iptables
IPTABLES="/sbin/iptables"

# interfaces (adapt to your own environment)

# interface connecting the gateway to the local network
INTERNAL_INTERFACE="eth0"
INT="${INTERNAL_INTERFACE}"
WLAN_INTERFACE="wlan0"

# interface connecting the gateway to the internet
EXTERNAL_INTERFACE="ppp0"

# IP addresses / networks
LAN="192.168.0.0/24"        # local network (adapt to your own environment)
WLAN="10.10.10.0/24"        # wireless network (the original read /3, a typo for /24)

# other
MASQ="yes"
HTTP_SERVER="no"
FTP_SERVER="no"
SSH_SERVER="yes"
NAME_SERVER="no"
SMTP_SERVER="no"
TELNET_SERVER="no"
LOG="yes"
WEBMIN="yes"

# leftover port-forwarding rules for ports 4662 and 90, kept commented out
#${IPTABLES} -A FORWARD -i ppp0 -o eth0 -p tcp --dport 4662 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#${IPTABLES} -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to 192.168.0.2
#${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
#              --source-port ${UNPRIVPORTS} \
#              --destination-port 90 -j ACCEPT
#${IPTABLES} -t nat -A PREROUTING -i ppp0 -p tcp --dport 90 -j DNAT --to 192.168.0.2

## variables that should NOT be changed

# interfaces
LOOPBACK_INTERFACE="lo"     # loopback interface

# IP addresses / networks
ANYWHERE="0.0.0.0/0"        # every IP address matches this
LOOPBACK="127.0.0.1"        # IP address of localhost
CLASS_A="10.0.0.0/8"        # class A private network
CLASS_B="172.16.0.0/12"     # class B private network
CLASS_C="192.168.0.0/16"    # class C private network (the original had /24, which covers only the LAN)

# ports
# Note: the stateless rules below only accept replies to ports >= 5000. If
# /proc/sys/net/ipv4/ip_local_port_range starts lower (1024 on older kernels),
# replies to the gateway's own connections fall through to the DROP policy.
PRIVPORTS="0:5000"
UNPRIVPORTS="5000:65535"


############################################################################
# clean-up + init

# flush and delete all rules and reset the counters to 0
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z
${IPTABLES} -t nat -F
${IPTABLES} -t nat -X
${IPTABLES} -t nat -Z

# set the default policies
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT DROP
${IPTABLES} -t nat -P PREROUTING ACCEPT
${IPTABLES} -t nat -P POSTROUTING ACCEPT
${IPTABLES} -t nat -P OUTPUT ACCEPT


############################################################################
# kernel initialisation

## Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

## Enable IP spoofing protection (reverse path filtering)
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 1 > $f
done

## Disable acceptance of ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects ; do
    echo 0 > $f
done

## Do not send ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do
    echo 0 > $f
done

## Do not accept source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
    echo 0 > $f
done

## Log spoofed, source routed and redirected packets (martians)
for f in /proc/sys/net/ipv4/conf/*/log_martians ; do
    echo 1 > $f
done

## Enable TCP SYN cookie protection
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## Ignore ICMP echo requests sent to broadcast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## Ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

## Enable dynamic address rewriting (for dial-up links whose address changes)
echo 1 > /proc/sys/net/ipv4/ip_dynaddr


############################################################################
# on the loopback interface we can (and must) allow everything

## Allow unrestricted traffic on lo
${IPTABLES} -A INPUT -i ${LOOPBACK_INTERFACE} -j ACCEPT
${IPTABLES} -A OUTPUT -o ${LOOPBACK_INTERFACE} -j ACCEPT


############################################################################
# in the average home environment we can also allow everything on the local
# network

## Allow unrestricted traffic on the internal interface
${IPTABLES} -A INPUT -i ${INTERNAL_INTERFACE} -j ACCEPT
${IPTABLES} -A OUTPUT -o ${INTERNAL_INTERFACE} -j ACCEPT

## The same for the wireless interface
${IPTABLES} -A INPUT -i ${WLAN_INTERFACE} -j ACCEPT
${IPTABLES} -A OUTPUT -o ${WLAN_INTERFACE} -j ACCEPT


############################################################################
# flatly reject some packets

## Drop (and log) fragmented packets (-f matches second and further fragments)
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -f -j LOG \
            --log-prefix "FRAGMENT! "
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -f -j DROP

## Drop (and log) everything from private networks on the external interface
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${LOOPBACK} -j LOG \
            --log-prefix "SPOOFING! "
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_A}  -j LOG \
            --log-prefix "CLASS A ADDRESS! "
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_B}  -j LOG \
            --log-prefix "CLASS B ADDRESS! "
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_C}  -j LOG \
            --log-prefix "CLASS C ADDRESS! "
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${LOOPBACK} -j DROP
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_A}  -j DROP
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_B}  -j DROP
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_C}  -j DROP


############################################################################
# masquerade

## Forward everything originating from or destined for the local network
## (negation written as "! -d"; the original used the older "-d ! ..." form)
if [ "${MASQ}" = "yes" ] ; then

  ${IPTABLES} -t nat -A POSTROUTING -o ${EXTERNAL_INTERFACE} -j MASQUERADE

  ${IPTABLES} -A FORWARD -i ${INTERNAL_INTERFACE} \
            -o ${EXTERNAL_INTERFACE} -s ${LAN} ! -d ${LAN} -j ACCEPT

  ${IPTABLES} -A FORWARD -o ${INTERNAL_INTERFACE} \
            -i ${EXTERNAL_INTERFACE} -d ${LAN} ! -s ${LAN} -j ACCEPT

  ${IPTABLES} -A FORWARD -i ${WLAN_INTERFACE} \
            -o ${EXTERNAL_INTERFACE} -s ${WLAN} ! -d ${WLAN} -j ACCEPT

  ${IPTABLES} -A FORWARD -o ${WLAN_INTERFACE} \
            -i ${EXTERNAL_INTERFACE} -d ${WLAN} ! -s ${WLAN} -j ACCEPT

fi


############################################################################
# accept certain ICMP packets

## Accept a number of ICMP types, rate limited:
## 0 echo-reply, 3 destination-unreachable, 5 redirect, 8 echo-request,
## 11 time-exceeded
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 0 -s ${ANYWHERE}  \
          -m limit --limit 2/s -j ACCEPT

${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 3 -s ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT

${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 5 -s ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT

${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 8 -s ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT

${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 11 -s ${ANYWHERE} \
          -m limit --limit 10/s -j ACCEPT

${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 3 -d ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT

${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 8 -d ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT

${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 0 -d ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT

${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 11 -d ${ANYWHERE} \
          -m limit --limit 10/s -j ACCEPT


############################################################################
# accept TCP connections initiated from the local network

## accept TCP connections according to the SYN, SYN+ACK, ACK principle
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
            -m state --state ESTABLISHED,RELATED  -j ACCEPT

${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp \
            -m state --state ESTABLISHED,RELATED  -j ACCEPT

## new outbound connections: only packets with SYN set and ACK clear
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
            --tcp-flags ACK,SYN SYN  -j ACCEPT

## accept auth (ident) requests (prevents timeouts)
${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
            --source-port ${UNPRIVPORTS} \
            --destination-port 113 -j ACCEPT


############################################################################
# UDP

## allow DNS requests from the local network
${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p udp \
            --source-port 53  --destination-port ${UNPRIVPORTS} -j ACCEPT

${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p udp \
            --source-port ${UNPRIVPORTS}  --destination-port 53 -j ACCEPT

## allow traceroute
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p udp \
            --source-port 32769:65535  --destination-port 33434:33523 \
            -j ACCEPT

${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p udp \
            --source-port 32769:65535  --destination-port 33434:33523 \
            -j ACCEPT

## allow time (port 37)
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p udp \
            --source-port ${UNPRIVPORTS}  --destination-port 37 -j ACCEPT

${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p udp \
            --source-port 37  --destination-port ${UNPRIVPORTS} -j ACCEPT

# add other UDP ports here


############################################################################
# running your own servers

## open the http server to the outside world
if [ "${HTTP_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 80 -j ACCEPT

  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              --source-port 80 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## open the nameserver to the outside world
if [ "${NAME_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 53 -j ACCEPT

  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              --source-port 53 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## open the ssh server to the outside world
if [ "${SSH_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 22 -j ACCEPT

  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              --source-port 22 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## open the telnet server to the outside world (port 23; the original said 21,
## which is the ftp control port)
if [ "${TELNET_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 23 -j ACCEPT

  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              --source-port 23 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## webmin, internal interface only
if [ "${WEBMIN}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${INT} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 10000 -j ACCEPT

  ${IPTABLES} -A OUTPUT -o ${INT} -p tcp \
              --source-port 10000 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## open the smtp server to the outside world
if [ "${SMTP_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 25 -j ACCEPT

  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              --source-port 25 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## open the ftp server to the outside world
if [ "${FTP_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state NEW,ESTABLISHED \
              --source-port ${UNPRIVPORTS} --destination-port 21 -j ACCEPT

  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state ESTABLISHED,RELATED \
              --source-port 21 --destination-port ${UNPRIVPORTS} -j ACCEPT

  ## ftp server - active mode (data connection from port 20)
  ${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state ESTABLISHED,RELATED ! --syn \
              --destination-port 20 -j ACCEPT

  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state ESTABLISHED,RELATED \
              --source-port 20 -j ACCEPT

  ## ftp server - passive mode
  ${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state ESTABLISHED,RELATED \
              --destination-port ${UNPRIVPORTS} -j ACCEPT

  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state ESTABLISHED,RELATED \
              --source-port ${UNPRIVPORTS} -j ACCEPT
fi

## forward incoming port 4662 to 192.168.0.2 (the FORWARD rules in the
## masquerade section already accept external -> LAN traffic)
${IPTABLES} -t nat -A PREROUTING -i ${EXTERNAL_INTERFACE} -p tcp --dport 4662 \
            -j DNAT --to 192.168.0.2


############################################################################
# catch the trash

# log everything that still falls through to the DROP policies
if [ "${LOG}" = "yes" ] ; then
  ${IPTABLES} -A INPUT   -j LOG --log-prefix "filtered on INPUT "
  ${IPTABLES} -A OUTPUT  -j LOG --log-prefix "filtered on OUTPUT "
  ${IPTABLES} -A FORWARD -j LOG --log-prefix "filtered on FORWARD "
fi

cold
n00b
Joined: 23 Feb 2003
Posts: 66
PostPosted: Tue Jan 13, 2004 11:57 pm

it is possible to connect to MSN and use it but webpages are still not working :x

scout
Veteran
Joined: 08 Mar 2003
Posts: 1991
Location: France, Paris en Semaine / Metz le W-E
PostPosted: Wed Jan 14, 2004 2:51 am

I don't even understand why your MSN is working ...
See, you should have a line
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp --dport port -j ACCEPT
where port is http or 80.
I don't see any of these lines ... but I don't understand why you can connect with MSN. Is it because MSN uses UDP? Could you please post the result of iptables -vL once your firewall is started.
_________________
http://petition.eurolinux.org/ - Petition against ePatents
L'essence de la finesse

cold
n00b
Joined: 23 Feb 2003
Posts: 66
PostPosted: Wed Jan 14, 2004 6:06 am

scout wrote:
I don't even understand why your MSN is working ...
See, you should have a line
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp --dport port -j ACCEPT
where port is http or 80.
I don't see any of these lines ... but I don't understand why you can connect with MSN. Is it because MSN uses UDP? Could you please post the result of iptables -vL once your firewall is started.

Code:

bash-2.05b# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
bash-2.05b#


This firewall does work for the rest of the network!

scout
Veteran
Joined: 08 Mar 2003
Posts: 1991
Location: France, Paris en Semaine / Metz le W-E
PostPosted: Wed Jan 14, 2004 7:17 am

cold wrote:

Code:

bash-2.05b# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
bash-2.05b#

You haven't got any firewall here!

dreamer
Apprentice
Joined: 16 Aug 2003
Posts: 236
PostPosted: Wed Jan 14, 2004 9:43 am

Hi!

First of all, why all these complex rules in your FORWARD chain? Just do something like this:

-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

AFAICS this is more effective and more secure.

If it still doesn't work you can observe your network traffic with netstat -ant or a similar tool. That way you can find out where things go wrong.

cheers

Crg
Guru
Joined: 29 May 2002
Posts: 345
Location: London
PostPosted: Wed Jan 14, 2004 10:00 am

dreamer wrote:

-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

AFAICS this is more effective and more secure.


It'd be better to be:
Code:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT # If you want to be able to access the fw
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

dreamer
Apprentice
Joined: 16 Aug 2003
Posts: 236
PostPosted: Wed Jan 14, 2004 10:22 am

Crg wrote:

It'd be better to be:
Code:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT # If you want to be able to access the fw
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


Yup, I've something similar over here. In my example I was just referring to the FORWARD chain.

@TS: why not create your own ruleset? IMHO it gives you more control, overview and understanding.
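The minimal stateful ruleset dreamer and Crg describe, combined with the MASQUERADE and ip_forward steps from cold's script and scout's "empty chains means nothing is loaded" check, as an added example that is not any poster's code. It assumes eth0 as the LAN interface and ppp0 as the internet interface, and the two `iptables -vL` samples are constructed.

```shell
#!/bin/sh
# Added example: minimal stateful masquerading gateway in iptables-restore
# format plus a check for the symptom scout diagnosed (no rules loaded).
# Assumed interfaces: LAN on eth0, internet on ppp0.
LAN_IF="eth0"
WAN_IF="ppp0"

# Emit the whole ruleset so it can be reviewed and then loaded atomically.
# OUTPUT stays ACCEPT, so the gateway itself can reach port 80 (scout's point),
# and only RELATED,ESTABLISHED replies are let back in from the internet.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${LAN_IF} -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "filtered on FORWARD "
COMMIT
EOF
}

# Count rule lines in 'iptables -vL' output ($1): anything that is not a
# "Chain" header, the column header or a blank line. Returns 0 if a rule exists.
firewall_loaded() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^ *pkts/ || NF == 0 { next }
        { rules++ }
        END { exit !(rules > 0) }'
}

# Constructed samples: the first matches what cold posted (nothing loaded),
# the second shows a chain with a DROP policy and one rule.
EMPTY_VL='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'
LOADED_VL='Chain INPUT (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   960 ACCEPT     all  --  lo     any     anywhere             anywhere'

# Load everything (needs root): the ruleset first, then forwarding.
apply_firewall() {
    build_ruleset | iptables-restore && echo 1 > /proc/sys/net/ipv4/ip_forward
}
```

Run `build_ruleset` alone to inspect the file before calling `apply_firewall`, and `firewall_loaded "$(iptables -vL)"` afterwards to confirm the script actually ran.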