Gentoo Forums :: Networking & Security
iptables problem
elestedt (Guru; joined 13 Mar 2005; 383 posts)
Posted: Fri Nov 25, 2005 9:33 am    Post subject: iptables problem

I have a problem with iptables which I do not know how to solve.
I've set it up for NAT - which works perfectly, but...
If the external interface goes down uncontrolled (i.e. the cable is unplugged but the interface is not stopped) then the services on the local network (such as NFS) become unavailable.
I'm guessing that something in my forwarding rules is incorrect - but I don't know what...
Here is my firewall script:
Code:

#!/bin/bash
# NAT firewall for a two-interface gateway. Run as root; pass -l to log
# packets that end up in the custom DROPl/REJECTl chains.

# External interface
EXTIF=eth0
# Internal interface
INTIF1=eth1

# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'

echo ">>> Setting default policies to deny:"
# Policies go to DROP before anything is flushed, so the box is never open while
# the rule set is being rebuilt (-F does not touch policies).
for P in INPUT OUTPUT FORWARD; do
        echo " $P"
        $IPT -P $P   DROP
done
echo ""

# /proc/net/ip_tables_names lists the loaded tables (filter, nat, mangle, ...)
TABLES=`cat /proc/net/ip_tables_names 2>/dev/null`
echo ">>> Flushing all rules in every table:"
for i in $TABLES; do
        echo " $i"
        $IPT -t $i -F;
done
echo ""
echo ">>> Deleting user-defined chains in every table:"
for i in $TABLES; do
        echo " $i"
        $IPT -t $i -X;
done
echo ""

echo ">>> Enabling tcp_syncookies"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo ">>> Ignoring ICMP echo broadcasts"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo ">>> Enabling Source Address Verification:"
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
        echo " $f"
done
echo ""
echo ">>> Disable IP source routing:"
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
        echo " $f"
done
echo ""
echo ">>> Disable ICMP redirects:"
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
        echo " $f"
done
echo ""

echo ">>> Enabling IP forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting up external interface environment variables.
# This parses classic net-tools ifconfig output ("inet addr:A.B.C.D  Bcast:...  Mask:...").
# grep for 'inet addr:' so the inet6 line of the same interface is not picked up too.
EXTIP="`$IFC $EXTIF|$G 'inet addr:'|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
# If $EXTIF has no IPv4 address when this runs (e.g. a DHCP lease is gone), every rule
# below that uses EXTIP is refused by iptables one at a time; say so once and loudly.
[ -n "$EXTIP" ] || echo "WARNING: no IPv4 address on $EXTIF; rules using EXTIP will fail to load"
echo ">>> External interface variables: EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

# Setting up environment variables for internal interface one
INTIP1="`$IFC $INTIF1|$G 'inet addr:'|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
[ -n "$INTIP1" ] || echo "WARNING: no IPv4 address on $INTIF1; rules using INTIP1/INTNET1 will fail to load"
echo ">>> Internal interface variables: INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"

echo ">>> Creating custom chains: DROPl REJECTl"
$IPT    -N DROPl 2> /dev/null
$IPT    -N REJECTl 2> /dev/null
# With -l, log first and drop/reject afterwards. The order matters: DROP and REJECT
# are terminating targets, so a LOG rule appended after them would never be reached.
if [ "$1" = "-l" ]; then
        echo "  Activating logging on custom chain DROPl"
        $IPT    -A DROPl        -j LOG          --log-prefix 'DROPl:'
        echo "  Activating logging on custom chain REJECTl"
        $IPT    -A REJECTl      -j LOG          --log-prefix 'REJECTl:'
fi
$IPT    -A DROPl        -j DROP
$IPT    -A REJECTl      -j REJECT

echo -n ">>> Opening ports on external interface:"
TOOPEN="22 25 imaps 40000 60000:60200 svn 6060:6069 6881:6999"
for PORT in $TOOPEN; do
        $IPT    -A INPUT        -i $EXTIF       -j ACCEPT -p tcp --dport $PORT
        echo -n " $PORT"
done
echo ""

echo ">>> Allowing all on internal interface"
$IPT    -A INPUT        -i $INTIF1      -j ACCEPT
$IPT    -A OUTPUT       -o $INTIF1      -j ACCEPT

echo ">>> Allowing input on $LPDIF if source is $LPDIP"
$IPT    -A INPUT        -i $LPDIF       -s $LPDIP       -j ACCEPT
echo ">>> Allowing input on $LPDIF if source is $EXTIP"
$IPT    -A INPUT        -i $LPDIF       -s $EXTIP       -j ACCEPT
echo ">>> Allowing input on $LPDIF if source is $INTIP1"
$IPT    -A INPUT        -i $LPDIF       -s $INTIP1      -j ACCEPT
echo ">>> Allowing input on $INTIF1 if source is $INTIP1 (already covered by the blanket $INTIF1 ACCEPT above)"
$IPT    -A INPUT        -i $INTIF1      -s $INTIP1      -j ACCEPT

echo ">>> Blocking broadcasts coming in on $EXTIF"
# Broadcasts carry 255.255.255.255 as their *destination*; this rule only matches a source of
# 255.255.255.255. The "not addressed to $EXTIP" rule right below is what actually catches them.
$IPT    -A INPUT        -i $EXTIF       -s $EXTBC       -j DROPl

# Negation goes in front of the option ("! -d addr"); the older "-d ! addr" form is deprecated.
echo ">>> If packet coming in to $EXTIF does not have destination $EXTIP - then drop"
$IPT    -A INPUT        -i $EXTIF       ! -d $EXTIP     -j DROPl

echo ">>> Drop packets coming in to or going out from $INTIF1 which do not originate/have a destination in $INTNET1"
$IPT    -A INPUT        -i $INTIF1      ! -s $INTNET1   -j DROPl
$IPT    -A OUTPUT       -o $INTIF1      ! -d $INTNET1   -j DROPl
$IPT    -A FORWARD      -i $INTIF1      ! -s $INTNET1   -j DROPl
$IPT    -A FORWARD      -o $INTIF1      ! -d $INTNET1   -j DROPl

echo ">>> Drop packets going out thru $EXTIF with a source address outside $EXTNET (anti-spoofing)"
$IPT -A OUTPUT  -o $EXTIF ! -s $EXTNET -j DROPl

echo ">>> Block outbound ICMP (except for PING, i.e. echo-request type 8)"
$IPT -A OUTPUT  -o $EXTIF -p icmp ! --icmp-type 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp ! --icmp-type 8 -j DROPl

# Ports never allowed in, out or through. In INPUT and OUTPUT these come after the blanket
# $INTIF1 ACCEPTs, so they bite on $EXTIF and lo traffic; in FORWARD they apply to everything
# routed through the box. Note 111 (sunrpc/portmapper) and 2049 (nfs) are on the list.
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
TCPBLOCK="$COMBLOCK 512:515 1080 6000:6009 6112"
UDPBLOCK="$COMBLOCK 520 517:518 1427 9000"

echo -n ">>> Blocking attacks to TCP ports:"
for i in $TCPBLOCK; do
        echo -n " $i"
        $IPT -A INPUT   -p tcp --dport $i  -j DROPl
        $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
        $IPT -A FORWARD -p tcp --dport $i  -j DROPl
done
echo ""
echo -n ">>> Blocking attacks to UDP ports:"
for i in $UDPBLOCK; do
        echo -n " $i"
        $IPT -A INPUT   -p udp --dport $i  -j DROPl
        $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
        $IPT -A FORWARD -p udp --dport $i  -j DROPl
done
echo ""

echo -n ">>> Opening and forwarding ports:"
# DNAT 80 and 3389 arriving on $EXTIF to the internal host, and accept in FORWARD only that
# translated traffic rather than these ports in every direction.
for I in 80 3389; do
        echo -n " $I"
        $IPT -A FORWARD -i $EXTIF -d 192.168.0.1 -p tcp --dport $I -j ACCEPT
        $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport $I -j DNAT --to 192.168.0.1:$I
done
echo ""

echo ">>> Allow outgoing traffic from loopback network"
# This comes after the port-block loops, so locally generated traffic to 127.0.0.1 on a
# blocked port (e.g. 111/portmapper) is still dropped in OUTPUT. Move this rule above the
# block loops if local services need to reach the portmapper over loopback.
$IPT    -A OUTPUT       -o lo   -j ACCEPT

echo ">>> Opening for traffic from the inside to the outside on $EXTIF"
$IPT    -A OUTPUT       -o $EXTIF       -m state --state NEW -j ACCEPT
$IPT    -A FORWARD      -i $INTIF1      -s $INTNET1     -m state --state NEW -j ACCEPT

#echo ">>> Allow to ping out"
#$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
#$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT

echo ">>> Enable NAT"
# The nat table's built-in chains default to ACCEPT, so the three bare ACCEPT rules below
# change nothing; the MASQUERADE rule is what does the work.
$IPT -t nat -A PREROUTING                       -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT

echo ">>> Always allow packets from ESTABLISHED or RELATED connections"
# Placed after the port-block loops, so the block lists above also apply to reply traffic.
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

echo ">>> Block and log what may have been forgotten"
# Final catch-alls through the custom chains. The policies set at the top are DROP anyway;
# these exist so that unmatched traffic goes through DROPl/REJECTl instead of the bare policy.
$IPT -A INPUT             -j DROPl
$IPT -A OUTPUT            -j REJECTl
$IPT -A FORWARD           -j DROPl

Thanks for any help
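One check worth running against a rule set like this before chasing the network itself: dump the loaded rules with iptables-save and look for rules that can never be reached, because an earlier rule in the same chain matches every packet and ends traversal. The Python below is an added example for this thread, not the poster's script. It works on the iptables-save text format and follows jumps into user-defined chains, so "-j SOMECHAIN" only counts as final when that chain always decides the packet's fate. The dump inside it is constructed for the demonstration (a custom chain with LOG appended after an unconditional DROP, and an INPUT rule appended after an unconditional jump into that chain, which is an easy mistake to make with -A), not taken from the poster's machine; all function names are mine.

```python
"""Find iptables rules that can never match because an earlier rule in the same
chain catches every packet and ends its traversal.

Added example for this thread, not the poster's script. Input is the text
format of `iptables-save`; SAMPLE_DUMP below is constructed, not a real dump.
"""
import shlex

# Targets that settle a packet's fate: traversal ends and control never returns
# to the calling chain. Non-terminating targets (LOG, MARK, ...) are absent.
DECIDING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}

SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:DROPl - [0:0]
:REJECTl - [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROPl
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DROPl -j DROP
-A DROPl -j LOG --log-prefix "DROPl:"
-A REJECTl -j LOG --log-prefix "REJECTl:"
-A REJECTl -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:80
-A PREROUTING -j ACCEPT
COMMIT
"""


def parse_save(dump):
    """Return {table: {chain: [(matches, target, is_goto, text), ...]}}. `matches` are the
    tokens between chain name and -j/-g (empty = every packet); `target` None = match-only."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {})
        elif table is None or line == "COMMIT":
            continue
        elif line.startswith(":"):                  # chain declaration with policy/counters
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            tok = shlex.split(line)
            jump = next((i for i, t in enumerate(tok) if t in ("-j", "-g")), None)
            matches = tok[2:] if jump is None else tok[2:jump]
            target = None if jump is None else tok[jump + 1]
            is_goto = jump is not None and tok[jump] == "-g"
            tables[table].setdefault(tok[1], []).append((matches, target, is_goto, line))
    return tables


def never_returns(chains, target, seen=()):
    """True if a packet handed to `target` never comes back to the caller: a deciding
    target, or a user chain holding an unconditional rule that itself never returns
    (followed recursively; `seen` guards against chain loops)."""
    if target in DECIDING:
        return True
    if target in seen or target not in chains:      # RETURN, LOG, MARK, ... or unknown
        return False
    return any(not m and t is not None and never_returns(chains, t, seen + (target,))
               for m, t, _goto, _text in chains[target])


def stops_traversal(chains, rule):
    """True if `rule` matches everything and nothing after it in the chain can run: an
    unconditional goto always leaves the chain, RETURN ends it, and a jump ends it
    only when the target chain never returns."""
    matches, target, is_goto, _text = rule
    if matches or target is None:
        return False
    return is_goto or target == "RETURN" or never_returns(chains, target)


def shadowed_rules(tables):
    """Return [(table, chain, rule_no, rule_text, blocking_rule_no)], 1-based, for every
    rule that follows a traversal-stopping rule in its own chain."""
    findings = []
    for table, chains in tables.items():
        for chain, rules in chains.items():
            blocker = None
            for n, rule in enumerate(rules, start=1):
                if blocker is not None:
                    findings.append((table, chain, n, rule[3], blocker))
                elif stops_traversal(chains, rule):
                    blocker = n
    return findings


if __name__ == "__main__":
    import sys
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for table, chain, n, text, blocker in shadowed_rules(parse_save(dump)):
        print(f"{table}/{chain} rule {n} unreachable (rule {blocker} catches everything): {text}")
```

Run it as "iptables-save | python3 thisfile.py /dev/stdin" on the live box (the file name is an assumption). On the constructed dump it reports two dead rules: the LOG in DROPl (rule 1 already drops everything) and the ssh ACCEPT in INPUT (rule 3 jumps unconditionally into a chain that always drops). The nat PREROUTING chain is clean because the unconditional ACCEPT is its last rule.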
dambacher (Apprentice; joined 11 Feb 2003; 290 posts; Location: Germany)
Posted: Fri Nov 25, 2005 5:30 pm

I made the observation that some _device_drivers_ react badly if you unplug the cable.
None of my iptables setups ever had a problem with network connections going down at the hardware level.
And I use eth and ppp devices which keep coming and going.

To find out, try this:

unplug the cable - watch your connection not working
issue: # ifconfig <your interface> down up
watch what happens: if it works after this, your driver is the problem, not your firewall.

bye
Ulf
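Ulf's test separates driver from firewall by bouncing the interface. A complementary check that says which rule, if any, dropped the traffic: snapshot the per-rule packet counters, reproduce the failure (cable out, try the NFS mount from a client), snapshot again and diff. The Python below is an added example, not code from either poster. It parses "iptables -nvxL" output (-x for exact counters), keys rules by their position in each chain, and flags every rule with a drop/reject target (including this thread's custom DROPl/REJECTl chains) whose counter rose. Both snapshots inside it are constructed for the demonstration, and the file name in the usage comment is an assumption.

```python
"""Diff two `iptables -nvxL` snapshots and report which rules fired in between.

Added example for this thread, not the poster's or Ulf's code. Take one
snapshot, reproduce the failure, take another, diff: a rising counter on a
DROP/REJECT rule means the firewall ate the packets and names the rule.
BEFORE and AFTER below are constructed for the demonstration.
"""
import sys

# Drop/reject targets, including the custom chains used by the script in this thread.
DROP_TARGETS = {"DROP", "REJECT", "DROPl", "REJECTl"}

BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       9840 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
       0          0 DROPl      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111
      17       1360 DROPl      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      98       7520 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
       0          0 DROPl      udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
       5        400 REJECTl    all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

AFTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     131      10742 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
       0          0 DROPl      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:111
      17       1360 DROPl      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     104       8000 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
       4        320 DROPl      udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
       5        400 REJECTl    all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def count(field):
    """Parse a counter. -x prints exact numbers; without it iptables abbreviates
    large values (12K, 3M, 1G; decimal multiples), which loses precision."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(field[:-1]) * mult[field[-1]] if field[-1] in mult else int(field)


def parse_counters(listing):
    """Return {(chain, rule_no): (pkts, rule_text)} from `iptables -nvxL` output.
    Rules are keyed by position, so both snapshots must come from the same loaded
    rule set (do not reload the firewall between them)."""
    counters, chain, rule_no = {}, None, 0
    for line in listing.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "Chain":
            chain, rule_no = tok[1], 0
        elif tok[0] == "pkts" or chain is None:   # column header line
            continue
        else:
            rule_no += 1
            counters[chain, rule_no] = (count(tok[0]), " ".join(tok[2:]))
    return counters


def diff_counters(before, after):
    """Return [(chain, rule_no, delta_pkts, rule_text)] for rules whose packet
    counter rose between the snapshots, in listing order."""
    b, a = parse_counters(before), parse_counters(after)
    if set(b) != set(a):
        raise ValueError("rule sets differ between snapshots; take both from one load")
    return [(c, n, a[c, n][0] - b[c, n][0], a[c, n][1])
            for c, n in a if a[c, n][0] > b[c, n][0]]


def drops_fired(before, after, drop_targets=DROP_TARGETS):
    """Subset of diff_counters() whose target drops or rejects the packet."""
    return [hit for hit in diff_counters(before, after) if hit[3].split()[0] in drop_targets]


if __name__ == "__main__":
    # iptables -nvxL > before.txt; <reproduce the failure>; iptables -nvxL > after.txt
    # python3 ipt_counter_diff.py before.txt after.txt
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            before, after = f1.read(), f2.read()
    else:
        before, after = BEFORE, AFTER
    for chain, n, delta, text in diff_counters(before, after):
        mark = "DROPPED" if text.split()[0] in DROP_TARGETS else "       "
        print(f"{mark} {chain} rule {n}: +{delta} pkts   {text}")
```

If drops_fired() comes back empty while the mount was failing, the filter never saw the packets and the link or the driver is the next place to look, which is exactly what the "ifconfig down up" test above probes. In the constructed snapshots it names one rule: OUTPUT rule 2 (udp dpt:111 into DROPl) gained 4 packets.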