Gentoo Forums
Need a little help with IPTABLES
Keg188
n00b


Joined: 19 Aug 2005
Posts: 13
Location: Manchester, UK

Posted: Wed May 31, 2006 10:14 pm    Post subject: Need a little help with IPTABLES

Hi guys,

Can someone please take a look at my firewall script and point out where I'm going wrong.

Code:


#KEG'S FIREWALL SCRIPT v1

#SET VARIABLES

IPTABLES="/sbin/iptables"

LAN="eth0"
WAN="eth1"

LANNET="192.168.0.0/24"
WANNET="192.168.1.0/29"

WANIP="192.168.1.253"
LANIP="192.168.0.26"


#ALLOW IP FORWARDING IN THE KERNEL
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

#SET DEFAULTS AND CLEAR EXISTING RULES
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X

#SET SERVICES FOR THE LAN


#ALLOW DHCP SERVER TO LAN
$IPTABLES -A INPUT -i $LAN -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -p tcp -s $LANIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -p udp -s $LANIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT

#ALLOW DNS TO LAN
$IPTABLES -A INPUT -s $LANNET -i $LAN -p tcp --sport 53 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -s $LANNET -i $LAN -p udp --sport 53 --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -d $LANNET -o $LAN -p tcp --sport 53 --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -d $LANNET -o $LAN -p udp --sport 53 --dport 53 -j ACCEPT

#SAMBA (137,138,139,445)
$IPTABLES -A INPUT -p tcp -s $LANNET -i $LAN -m multiport --dport 137,138,139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LANNET -i $LAN -m multiport --dport 137,138,139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d $LANNET -o $LAN -m multiport --dport 137,138,139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $LANNET -o $LAN -m multiport --dport 137,138,139,445 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#ALLOW HTTP SERVER & AND PROXY TO LAN
$IPTABLES -A INPUT -i $LAN -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 80 -d $LANIP -j ACCEPT
$IPTABLES -A INPUT -i $LAN -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 8080 -j ACCEPT

#ALLOW SSH
#ME
$IPTABLES -A INPUT -p tcp -m mac --mac-source ##-##-##-##-##-## --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m mac --mac-source ##-##-##-##-##-## --dport 22 -j ACCEPT

#PING (ICMP)
$IPTABLES -A INPUT -p icmp -s $LANNET -i $LAN -j ACCEPT
$IPTABLES -A INPUT -p icmp -i $WAN -j ACCEPT


#ALLOW ALL FROM LOCALHOST
$IPTABLES -A INPUT -i lo  -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT


#ALLOW SOME CONNECTIONS OUT AND ONLY EXISTING AND RELATED ONES IN
$IPTABLES -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

#ALLOW AOL - tcp & udp
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p tcp --sport 5190 -o $WAN -j ACCEPT
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p udp --sport 5190 -o $WAN -j ACCEPT
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p tcp --sport 5191 -o $WAN -j ACCEPT
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p udp --sport 5191 -o $WAN -j ACCEPT
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p tcp --sport 5192 -o $WAN -j ACCEPT
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p udp --sport 5192 -o $WAN -j ACCEPT
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p tcp --sport 5193 -o $WAN -j ACCEPT
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p udp --sport 5193 -o $WAN -j ACCEPT

#EMAIL
#ALLOW POP3 & SMTP OUT
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p tcp --sport 110 -o $WAN -j ACCEPT
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p tcp --sport 25 -o $WAN -j ACCEPT

#ALLOW WoW
$IPTABLES -A FORWARD -s $LANNET -i $LAN -p tcp --sport 3724 -o $WAN -j ACCEPT

#ALLOW NAT
$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE



My samba shares work fine using the IP address but name resolution doesn't work.

Everything else doesn't work as name resolution is screwed.
_________________
Gentoo ROCKS..............Oh wait no, I broke it.
troymc
Guru


Joined: 22 Mar 2006
Posts: 553

Posted: Thu Jun 01, 2006 1:40 am

Ok, first question. Does name resolution work w/o the firewall up?



OH, BTW, I found the problem!

#ALLOW AOL - tcp & udp <----- YIKE! 8O

Just kidding! I didn't think anyone used AOL anymore. I haven't seen one of those damned CDs in years.



troymc
tutaepaki
Apprentice


Joined: 11 Nov 2003
Posts: 279
Location: New Zealand

Posted: Thu Jun 01, 2006 2:25 am

So you are running a DNS server on this firewall too?

DNS lookups should be from high port (>1023) to port 53 UDP and TCP rather than source port 53.

Also, your WANNET/WANIP variables are inconsistent: the 192.168.1.0/29 mask does not include the 192.168.1.253 IP address :?

Don't think the latter will cause any problems with those rules but it may do in the future.
casso
Tux's lil' helper


Joined: 12 Mar 2006
Posts: 107
Location: Newcastle, NSW, Australia

Posted: Thu Jun 01, 2006 2:53 am

Hi,
First you will probably want to review your DHCP traffic. I have a setup that requires a bit more data from the network in. Unfortunately I can't find it atm, but a start might be to just log some simple traffic in and out of your box (using -j LOG) to your internal network to gain some idea of what ports are being used. Make sure you get a DHCP client to gain a new IP by releasing the current IP and then performing a new request, as well as performing a renew.
Command for windows for release:
    ipconfig /release *
    ipconfig /renew *

For renew under windows just use the last line.
For Linux just perform
Code:
/etc/init.d/net.eth0 restart
which will release the IP and gain another.

Next problem you said you had was samba name resolution. This is performed with port 137, from memory. Linux connects by port >1023 to 137 for this connection, but Windows performs 137 to 137. Both are done over UDP. I still think that you will need to have ports 138, 139 and 445 all active for a proper samba connection. The port names may help you to understand this:
    NetBIOS Name Service (137 - UDP)
    NetBIOS Datagram Service (138 - UDP)
    NetBIOS Session Service (139 - TCP)
    Microsoft Directory Services (445 - TCP)

Since Samba 3 will still need NetBIOS active when it is a server, but can do without it as a client on an Active Directory domain, it is highly likely you will need the above four ports, not just 445, for your firewall. Go to www.grc.com/port_137.htm for more information. Continue to search each of these ports so you get an understanding of their use.

I would suggest that you always use logging of some sort with your firewall. It will always help you to find what you forgot to allow.

Once you get this far, you should hopefully have more of an understanding of how the communication with either TCP or UDP works, and will be able to solve your DNS lookup problem. If you don't have a DNS server, you will need to forward the DNS traffic. Allowing DNS through the INPUT chain will not solve your problem.

Good luck, keep us posted
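The two points raised by tutaepaki (DNS clients use an ephemeral source port, and WANIP is not inside WANNET) and by casso (DNS for LAN clients has to pass the FORWARD chain, not just INPUT) can be checked mechanically. The linter below is an added example, not code from any of the posters; it parses a constructed, variable-expanded excerpt of Keg188's script and generalises the source-port point to every client rule that pins --sport (SMTP, POP3, WoW), treating only DHCP's 67/68 as legitimately fixed on both ends.

```python
import ipaddress
import shlex

# Constructed excerpt of the iptables script posted above, with the shell
# variables already expanded so each line can be parsed directly.
RULES = """
iptables -A INPUT -s 192.168.0.0/24 -i eth0 -p udp --sport 53 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -p tcp --sport 25 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
"""

DHCP_PORTS = {"67", "68"}  # the one protocol here where both ends use fixed ports


def parse_rule(line):
    """Map each iptables option to its value (bare flags map to True)."""
    toks = shlex.split(line)[1:]  # drop the command name
    opts, i = {}, 0
    while i < len(toks):
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts[toks[i]] = toks[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts


def addr_in_net(addr, net):
    """True when addr lies inside net (catches the WANIP/WANNET mismatch)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def lint_rules(text):
    """Return findings for pinned client source ports and missing DNS forwarding."""
    findings, dns_forwarded = [], False
    for line in text.strip().splitlines():
        opts = parse_rule(line)
        chain, sport, dport = opts.get("-A"), opts.get("--sport"), opts.get("--dport")
        # Clients pick an ephemeral (>1023) source port, so a rule pinning
        # --sport to the service port matches traffic that never occurs.
        if sport and sport not in DHCP_PORTS:
            fix = "drop --sport" if dport else f"match --dport {sport} instead"
            findings.append(f"{chain}: --sport {sport} pins the client port; {fix}")
        if chain == "FORWARD" and "53" in (sport, dport):
            dns_forwarded = True
    if not dns_forwarded:
        findings.append("FORWARD: no rule passes LAN DNS (port 53) to an upstream resolver")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(RULES):
        print(finding)
    print("WANIP inside WANNET:", addr_in_net("192.168.1.253", "192.168.1.0/29"))
```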
DNAspark99
Guru


Joined: 03 Sep 2004
Posts: 321

Posted: Thu Jun 01, 2006 3:38 am

Just have to point out that this could be simplified with the use of firehol http://firehol.sourceforge.net
I'll never write another iptables ruleset by hand again.


Code:

# FireHOL config files are sourced by bash: assign without the leading "$"
LAN="192.168.0.0/24"
WAN="192.168.1.0/29"
 
interface eth0 lan src "$LAN"
   server dhcp       accept
   server dns       accept
   server microsoft_ds     accept
   server samba            accept
   server http      accept
   server https      accept
   server webcache      accept
   server icmp      accept
   client "pop3 smtp"   accept   
   client custom wow tcp/3724 default accept

interface eth1 wan
   policy drop
   server ident      reject with tcp-reset
   client all      accept

router inside_out inface eth0 outface eth1
   masquerade
   route all      accept

router outside_in inface eth1 outface eth0
   route ident       reject with tcp-reset



(just a quick guess at a basic firehol config for your desired setup, probably require tweaking)