mxa055 (n00b)
Joined: 09 Oct 2005, Posts: 38
Posted: Tue Nov 01, 2005 8:21 am
Post subject: iptables... are the ports open?
Hi there,
I have turned my gentoo box into a router firewall. Everything works quite well except when trying to open ports for non-common programs. For instance the PCs behind the gentoo box have www, email, ftp etc. When I tried to open the ports for emule though it was a whole different story.
here is my setup:
Gentoo box -> two interfaces -> 10.0.0.10 (eth0) -> speedtouch 530i (I have set 10.0.0.10 as multinat address & server)
-> 192.168.0.1 (eth1) -> 192.168.0.10 (this is the PC trying to connect to emule through ports 4662 & 4672, but the ports are closed)
my iptables have been configured by these rules:
Code:
iptables -F
iptables -t nat -F
#Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
export LAN=eth1
export WAN=eth0
#Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
#(Optional) Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 5900 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 5901 -i ${WAN} -j ACCEPT
#Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
#Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/24 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
#emule
#forward the required ports from the Gentoo box to the emule-client-box: Serverport (4661), clientport (4662), exchangeport
#(4672)and the webport (4771):
iptables -t nat -I PREROUTING -i ${WAN} -p tcp --dport 4662 -j DNAT --to 192.168.0.10:4662
iptables -t nat -I PREROUTING -i ${WAN} -p udp --dport 4672 -j DNAT --to 192.168.0.10:4672
iptables -t nat -I PREROUTING -i ${WAN} -p tcp --dport 4771 -j DNAT --to 192.168.0.10:4771
#Enable forwarding rules to allow the above port forwarding connections to progress through the gentoo-box
iptables -I FORWARD -i ${WAN} -p tcp -d 192.168.0.10/24 --dport 4662 -j ACCEPT
iptables -I FORWARD -i ${WAN} -p udp -d 192.168.0.10/24 --dport 4672 -j ACCEPT
iptables -I FORWARD -i ${WAN} -p tcp -d 192.168.0.10/24 --dport 4771 -j ACCEPT
#Enable forwarding rules to allow our internal client to get to allowed ports
iptables -I FORWARD -i ${WAN} -p tcp -s 192.168.0.10/24 --dport 4661 -j ACCEPT
iptables -I FORWARD -i ${WAN} -p tcp -s 192.168.0.10/24 --dport 4662 -j ACCEPT
iptables -I FORWARD -i ${WAN} -p udp -s 192.168.0.10/24 --dport 4672 -j ACCEPT
iptables -I FORWARD -i ${WAN} -p tcp -s 192.168.0.10/24 --dport 4771 -j ACCEPT
#Allow any established or related connections on to the external interface be forwarded on
iptables -I FORWARD -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
Any idea what's wrong with this?
PS: btw, is there any frontend for iptables with which you can edit the rules similarly to a hardware router's interface?
PaulBredbury (Watchman)
Joined: 14 Jul 2005, Posts: 7310
Posted: Wed Nov 02, 2005 5:18 am
For a web-based interface, you could try webmin. For other firewall software, see the net-firewall category.
badchien (Guru)
Joined: 16 Feb 2004, Posts: 415, Location: doghouse
Posted: Wed Nov 02, 2005 5:31 am
You have a lot of superfluous rules. You allow forwarding everything from WAN to 192.168.0.0/24, and then you go about allowing it again with specific rules to specific ports. Do one or the other.
This is a problem:
Quote:
iptables -I FORWARD -i ${WAN} -p tcp -d 192.168.0.10/24 --dport 4662 -j ACCEPT
You are specifying a single destination IP, so you don't need or want /24 there.
You have some rules that don't match up with your comments. What are you trying to do here?
Quote:
#Enable forwarding rules to allow our internal client to get to allowed ports
iptables -I FORWARD -i ${WAN} -p tcp -s 192.168.0.10/24 --dport 4661 -j ACCEPT
iptables -I FORWARD -i ${WAN} -p tcp -s 192.168.0.10/24 --dport 4662 -j ACCEPT
192.168.0.0/24 shouldn't be coming in the WAN side at all; those addresses are on the LAN side.
You've made your script rather hard to follow. The -I flag tells iptables to insert the given rule at the head of the list. That means much of your script reads backwards compared to the order the rules are processed. Use the -A flag (for append) when scripting rules, so they will be considered in the order you read them in your script. Also, the destination nat port does not need to be specified when it's the same as the source nat port.
I would rework the 2nd half of your script to look something like this:
Code:
#Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/24 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/24 -j ACCEPT
#Allow any established or related connections on to the external interface be forwarded on
iptables -A FORWARD -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT
#Do source nat for outbound connections through WAN interface
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
#emule
#forward the required ports from the Gentoo box to the emule-client-box:
#Serverport (4661), clientport (4662), exchangeport (4672)and the webport (4771)
#Forward connections from WAN on specified ports to progress
iptables -A FORWARD -i ${WAN} -p tcp -d 192.168.0.10 --dport 4662 -j ACCEPT
iptables -A FORWARD -i ${WAN} -p udp -d 192.168.0.10 --dport 4672 -j ACCEPT
iptables -A FORWARD -i ${WAN} -p tcp -d 192.168.0.10 --dport 4771 -j ACCEPT
#Do destination nat for connections on forwarded ports above
iptables -t nat -A PREROUTING -i ${WAN} -p tcp --dport 4662 -j DNAT --to 192.168.0.10
iptables -t nat -A PREROUTING -i ${WAN} -p udp --dport 4672 -j DNAT --to 192.168.0.10
iptables -t nat -A PREROUTING -i ${WAN} -p tcp --dport 4771 -j DNAT --to 192.168.0.10
I don't do frontends. I use a script like you have there.
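As an added example (not code from any poster in this thread), the following POSIX shell lint reads an iptables script on stdin and prints one line per rule that shows one of the problems badchien describes above: a rule added with -I so the script reads in reverse of evaluation order, a single host written with a /24 mask, and a 192.168.x.x source matched on the WAN interface. It also flags the inline negation form used in the first post (`-i ! ${LAN}`), which iptables 1.4.3 and later deprecate in favour of `! -i ${LAN}`. It assumes the interface variables are spelled with "WAN" in their name, as in the script above; the sample rule lines are constructed by copying a few lines from the first post.

```shell
#!/bin/sh
# Added example, not from this thread: a text-only lint for an iptables script.
# It never calls iptables, so it can run anywhere; feed it the script on stdin.
# Findings, one per line:
#   1. -I (insert at head) makes the script read in reverse of evaluation order
#   2. a single host written with a /24 mask (host bits set under the mask)
#   3. a 192.168.x.x *source* address matched on the WAN interface
#   4. "-i ! eth0" style negation, deprecated since iptables 1.4.3 ("! -i eth0")

lint_rules() {
    awk '
    function warn(msg) { printf "line %d: %s\n", NR, msg }
    {
        wan = 0; privsrc = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-I")
                warn("uses -I (insert at head of chain); prefer -A so rules are evaluated in script order")
            if (($i == "-s" || $i == "-d") && $(i+1) ~ /^[0-9.]+\/24$/) {
                split($(i+1), oct, /[.\/]/)
                if (oct[4] + 0 != 0)
                    warn($i " " $(i+1) ": host bits set under /24; drop the /24 for one host, or use .0/24 for the subnet")
            }
            if ($i == "!" && i > 1 && $(i-1) ~ /^-/)
                warn("intrapositioned negation (" $(i-1) " ! ...) is deprecated; write ! " $(i-1) " ... instead")
            # assumption: the WAN interface variable contains the string WAN, as in ${WAN}
            if ($i == "-i" && $(i+1) ~ /WAN/) wan = 1
            if ($i == "-s" && $(i+1) ~ /^192\.168\./) privsrc = 1
        }
        if (wan && privsrc)
            warn("matches a 192.168.x.x source on the WAN interface; those addresses belong on the LAN side")
    }'
}

# Number of findings as a plain integer on stdout, for scripting a pass/fail check.
count_findings() {
    lint_rules | awk 'END { print NR }'
}

# Constructed sample: a few lines copied from the first post's script.
# Real use would be: lint_rules < firewall.sh
SAMPLE_RULES='iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/24 -j ACCEPT
iptables -I FORWARD -i ${WAN} -p tcp -d 192.168.0.10/24 --dport 4662 -j ACCEPT
iptables -I FORWARD -i ${WAN} -p tcp -s 192.168.0.10/24 --dport 4661 -j ACCEPT
iptables -A FORWARD -i ${WAN} -p tcp -d 192.168.0.10 --dport 4662 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | lint_rules
```

On the sample above the lint reports six findings: the negation on line 1, two on line 3 (the -I and the .10/24), and three on line 4 (the -I, the .10/24, and the private source on the WAN side); the two rules written the way badchien suggests produce nothing.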
kands (Tux's lil' helper)
Joined: 01 Apr 2003, Posts: 138, Location: Vancouver Island, Canada
Posted: Wed Nov 02, 2005 7:17 am
There are some neat sites that do different sorts of online scans against systems. Here are a few:
www.grc.com -> Use the Shields up tool
http://scan.sygatetech.com -> Has a variety of scans
There are many others but I have found these two to work quite well.
Two frontends that I have found to work well are FwBuilder and Guarddog. FwBuilder works in a similar manner to the Cisco PIX PDM and CheckPoint FW1 interfaces. It is good for creating quick rule sets that have a decent level of complexity.
Guarddog is very easy to use. The only downfall is that it abstracts the IPTables config even more than the FwBuilder application and has a tendency to introduce more extraneous code than other tools (IMHO).
They're both good tools but out of the two I prefer FwBuilder.
badchien has a good point though. Writing the rules by hand is generally the most efficient if you understand IPTables well. If you're in doubt use a tool, understand what it does, and then modify the code accordingly.
_________________
http://www.brokenspoke.ca
Have you broken your spoke today?