joePRL n00b
Joined: 26 Jul 2004 Posts: 45
Posted: Fri Dec 10, 2004 5:36 pm Post subject: iptables NAT problem or something more basic?
Hello All:
I'm having a routing problem that I think is an iptables problem, BUT it might not be. I'm hoping somebody can offer a suggestion, because iptables is running and not complaining.
We have our webserver inside our firewall and want it reachable by both the people within our LAN and the outside world. Therefore I am using iptables and doing NAT.
I am using a script which did the job on a Red Hat box, and it is doing several jobs correctly, such as forwarding email to our mail server, but one thing isn't working. External access to our website is NOT working. We can surf it fine inside but keep getting a 'connection timed out' message when it is viewed from outside the LAN.
I don't think the iptables script is the problem because it did work under RH. But I haven't updated the code in almost 2 years so maybe some things have changed. I will show the specific parts of the code.
Code:
LAN_IP_NET='192.168.0.1/24'
LAN_NIC='eth0'
PRIV="1:1023"
# enable Masquerade and forwarding
/sbin/iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
/sbin/iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#This opens the www port on firewall
/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 80
#Opening a route to webserver
/sbin/iptables -t nat -A PREROUTING -i eth1 -d www.princerupertlibrary.ca -p tcp --dport 80 \
-j DNAT --to 192.168.0.211:80
Also I know that iptables is running the script because when I give the command:
iptables -L
I see:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
REJECT tcp -- anywhere anywhere tcp dpt:afs3-fileserver reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:5050
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:5050
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The only other thing I can think of is that I turned off some functionality when I was following the Security guide, specifically disabling source routed packets.
So I re-enabled this functionality with:
Code:
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
and
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
So what would you do to solve this problem?
Any and all advice is really appreciated.
Joe
neilhwatson l33t
Joined: 06 Feb 2003 Posts: 719 Location: Canada
Posted: Fri Dec 10, 2004 5:52 pm
If those rules are for your firewall then it is not a firewall. You do not have accept policies for firewalls.
Did you enable IP forwarding in the kernel (somewhere in /proc)? Also, I think you should use SNAT instead of MASQUERADE. I suggest you use tcpdump to help determine where the packets are going.
_________________
The true guru is a teacher.
Neil Watson
joePRL n00b
Joined: 26 Jul 2004 Posts: 45
Posted: Fri Dec 10, 2004 6:15 pm
Thanks for the reply.
I do have the rules you mention, but I didn't know how much to post at the start. The code follows your words:
neilhwatson wrote:
If those rules are for your firewall then it is not a firewall. You do not have accept policies for firewalls.
Code:
#The following command deletes all chains
/sbin/iptables -X
# Flush the chains
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F OUTPUT
/sbin/iptables -F
#Setting default policy.
#By setting the default policy to 'ACCEPT', masqueraded connections
#are preserved when the script is rerun, thereby allowing changes
#to be made without terminating any active connections.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
Quote:
Did you enable IP forwarding in the kernel (somewhere in /proc)? Also, I think you should use SNAT instead of MASQUERADE. I suggest you use tcpdump to help determine where the packets are going.
I do enable IP forwarding with this statement in the script:
Code:
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
neilhwatson l33t
Joined: 06 Feb 2003 Posts: 719 Location: Canada
Posted: Fri Dec 10, 2004 6:30 pm
joePRL wrote:
Code:
#Setting default policy.
#By setting the default policy to 'ACCEPT', masqueraded connections
#are preserved when the script is rerun, thereby allowing changes
#to be made without terminating any active connections.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
That is wrong and just plain dangerous.
joePRL n00b
Joined: 26 Jul 2004 Posts: 45
Posted: Fri Dec 10, 2004 6:36 pm
neilhwatson wrote:
Code:
#Setting default policy.
#By setting the default policy to 'ACCEPT', masqueraded connections
#are preserved when the script is rerun, thereby allowing changes
#to be made without terminating any active connections.
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
That is wrong and just plain dangerous.
Why? I put it in so that when I rerun scripts our users can keep doing what they're doing.
I believe that I am only allowing certain activities while not allowing anything else with the following statement:
Code:
#Catch all rule(s) to deny all other traffic
/sbin/iptables -A INPUT -i eth1 -j DROP
neilhwatson l33t
Joined: 06 Feb 2003 Posts: 719 Location: Canada
Posted: Fri Dec 10, 2004 6:42 pm
A true firewall denies everything by default. The rules you have listed do deny packets, but not by default. This is wrong.
Netfilter
joePRL n00b
Joined: 26 Jul 2004 Posts: 45
Posted: Fri Dec 10, 2004 6:47 pm
So if I had the following as one of my first commands, would that be denying all packets by default?
Code:
#Catch all rule(s) to deny all other traffic
/sbin/iptables -A INPUT -i eth1 -j DROP
neilhwatson l33t
Joined: 06 Feb 2003 Posts: 719 Location: Canada
Posted: Fri Dec 10, 2004 6:53 pm
No. You need to set the POLICY to deny by default. All you've done is add a rule to the table that drops packets. I suggest you take the time to read the Netfilter documentation. Perhaps consider running a preconfigured firewall. It is unwise to gamble with network security.
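To make Neil's point concrete, here is an added audit script (written for this page, not code from the thread or from the netfilter project) that parses an `iptables -L` listing like the one Joe posted and reports, per chain, whether the default policy is ACCEPT and whether the only protection is a trailing DROP rule. The sample listing is a constructed, abbreviated copy of the one quoted earlier in the thread.

```python
import re

# Constructed sample: INPUT, FORWARD and OUTPUT as posted in the thread, trimmed to
# the rules the audit cares about (plain `iptables -L` hides the `-i eth1` match).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:www
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")

def parse_listing(text):
    """Return {chain: {"policy": ..., "rules": [(target, proto, src, dst, extra), ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line.strip() and not line.startswith("target"):
            parts = line.split(None, 5)  # target prot opt source destination [match text]
            target, proto, _opt, src, dst = parts[:5]
            chains[current]["rules"].append((target, proto, src, dst, parts[5] if len(parts) > 5 else ""))
    return chains

def audit(chains):
    """One finding per chain whose default policy is ACCEPT. A chain that merely ends in a
    catch-all DROP rule is still wide open while the script flushes and reloads its rules."""
    findings = []
    for name, chain in chains.items():
        if chain["policy"] != "ACCEPT":
            continue
        rules = chain["rules"]
        catch_all = bool(rules) and rules[-1][:4] == ("DROP", "all", "anywhere", "anywhere") and not rules[-1][4]
        detail = "relies on a trailing DROP rule (open during reload)" if catch_all else "no catch-all DROP rule"
        findings.append(f"{name}: policy ACCEPT, {detail}")
    return findings
```

Run against the sample, the INPUT chain is reported as protected only by its last rule, while FORWARD and OUTPUT accept everything not matched. Use `iptables -L -v -n` for a listing that also shows interface matches and does not resolve names.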
joePRL n00b
Joined: 26 Jul 2004 Posts: 45
Posted: Fri Dec 10, 2004 7:11 pm
I understand. Rereading the netfilter guide is a good idea and I will be doing that.
A preconfigured firewall might be a better option for us and I will research that.
Could I ask how you would capture the packet info with tcpdump specific to our internal webserver? I'm trying tcpdump -i eth1 host www.princerupertlibrary.ca but I'm not getting a lot of information.
neilhwatson l33t
Joined: 06 Feb 2003 Posts: 719 Location: Canada
Posted: Fri Dec 10, 2004 7:16 pm
See the tcpdump man page. There are clauses for expressions and ports.