Gentoo Forums

iptables not working

Gentoo Forums Forum Index > Networking & Security

fr3aker
Posted: Sun Dec 11, 2011 11:27 pm    Post subject: iptables not working

Hey,

Solved so far, but one question remains. See: https://forums.gentoo.org/viewtopic-p-6898056.html#6898056

I've got a problem with my Gentoo router and my iptables config.

The only thing iptables does as expected is routing my network traffic, but neither locking up external ports nor port forwarding works.

I'm running 3.0.4-hardened-r4 (+selinux in permissive mode) with iptables v1.4.12.1.

Interfaces:
wlan0 (192.168.2.1/24)
eth0 (no ip, modem connected)
ppp0 (dynamic public ip)


This is what my iptables looks like:
Code:
# iptables -L       
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere           
DROP       tcp  --  anywhere             anywhere             tcp dpt:domain

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  192.168.2.0/24      anywhere           
ACCEPT     all  --  anywhere             192.168.2.0/24     

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere           


Port 53 (domain) is still publicly accessible. This is the command I used to block port 53 input:
Code:
iptables -A INPUT -p tcp --dport 53 -i ppp0 -j DROP


I also tried to set up port forwarding for ssh (listening on 192.168.2.1:22):
Code:
iptables -t nat -A PREROUTING -p tcp --dport 44444 -i ppp0 -j DNAT --to 192.168.2.1:22

but only got a "connection refused". The same happens with all other services I try to forward.
Binding ssh to all available interfaces works, though.


I simply don't see what goes wrong here. Can anyone assist me with this?


greez fr3aker


Last edited by fr3aker on Mon Dec 12, 2011 11:40 am; edited 1 time in total

Hu (Administrator)
Posted: Sun Dec 11, 2011 11:44 pm

Those rules look very permissive. Is this a second-line firewall behind some other device?

Please post the output of iptables-save -c. Do I understand correctly that you want to have sshd listen on the internal interface and use a DNAT rule to rewrite the traffic? Why not just have it listen directly on the external interface?

fr3aker
Posted: Sun Dec 11, 2011 11:55 pm

Thanks for your fast reply.

This is my only router/firewall. The rules are kept permissive because I'm right now debugging iptables ;) Also I don't believe in blocking ports to increase security.

Yes, you understood that ssh thing right. I want ssh to listen on the default port in the internal network but use a different port for my public interface. I could not find a possibility to configure sshd to do this directly. (It would listen on both specified ports on all interfaces only; or is there a way to bind sshd to an interface instead of an IP address?)

Code:
#iptables-save -c
# Generated by iptables-save v1.4.12.1 on Mon Dec 12 00:46:27 2011
*nat
:PREROUTING ACCEPT [889:124826]
:INPUT ACCEPT [416:26242]
:OUTPUT ACCEPT [78:5778]
:POSTROUTING ACCEPT [0:0]
[616596:36311338] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Dec 12 00:46:27 2011
# Generated by iptables-save v1.4.12.1 on Mon Dec 12 00:46:27 2011
*mangle
:PREROUTING ACCEPT [39748983:32741800114]
:INPUT ACCEPT [11423428:12669195403]
:FORWARD ACCEPT [28182696:20012934468]
:OUTPUT ACCEPT [9016714:5749486176]
:POSTROUTING ACCEPT [37199360:25762422072]
COMMIT
# Completed on Mon Dec 12 00:46:27 2011
# Generated by iptables-save v1.4.12.1 on Mon Dec 12 00:46:27 2011
*filter
:INPUT ACCEPT [613:43625]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [259:34270]
[0:0] -A INPUT -i ppp0 -p icmp -j DROP
[0:0] -A INPUT -i ppp0 -p tcp -m tcp --dport 53 -j DROP
[6352:795889] -A FORWARD -s 192.168.2.0/24 -i wlan0 -j ACCEPT
[5616:3231436] -A FORWARD -d 192.168.2.0/24 -i ppp0 -j ACCEPT
COMMIT
# Completed on Mon Dec 12 00:46:27 2011

Hu (Administrator)
Posted: Mon Dec 12, 2011 3:06 am

fr3aker wrote:
I don't believe in blocking ports to increase security.
Then why do you use any DROP rules at all?
fr3aker wrote:
Yes, you understood that ssh thing right. I want ssh to listen on the default port in the internal network but use a different port for my public interface. I could not find a possibility to configure sshd to do this directly. (it would listen on both specified ports on all interfaces only, or is there a way to bind sshd to an interface instead of an ip address?)
You could run two sshd instances. Make one listen on the external IP address with a high port and the other listen on an internal IP address with the regular port.

fr3aker
Posted: Mon Dec 12, 2011 10:43 am

By "I don't believe in blocking ports to increase security." I meant I don't believe in creating very restrictive blocking rules just in case there might be some service running somewhere I can lock up with this.

E.g. on port 53 dnsmasq is running, which is binding to all interfaces. The manual says it will drop all packets from non-whitelisted interfaces, but I want to make sure it really does. (The generic DROP rule of the FORWARD chain is for testing only.)

But anyway, this is not what this thread should be about.


As already stated in both my first posts, my public interface has no static IP and therefore sshd cannot easily listen on a specific IP address. Also this does not help with my iptables problem at all but only works around it.


Update: OK, got it working (with the rules from the first post). The problem actually wasn't iptables not working but iptables not applying the rules to traffic originating from my own network (I of course used my public IP for connection tests). Can anyone explain this behavior to me? My iptables knowledge regarding this is quite limited.

I did a "ssh [myPublicIp] -p44444" from hosts 192.168.2.1 and 192.168.2.2 with both giving me a "connection refused", but using an external host the connection was successful.
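An added illustration (not from the thread or either poster) of why the last post sees this behaviour: the DNAT rule matches on `-i ppp0`, so a LAN host connecting to the public address arrives on wlan0, is never rewritten, and lands in the router's own INPUT path on port 44444 where nothing listens. The public address, the external client address and the hairpin variant below are assumptions, not part of the thread.

```python
from dataclasses import dataclass, replace

# Constructed placeholder for the router's dynamic ppp0 address (not from the thread).
PUBLIC_IP = "203.0.113.10"
ROUTER_ADDRS = {PUBLIC_IP, "192.168.2.1"}   # addresses the kernel treats as local
LISTENING = {("192.168.2.1", 22)}          # sshd bound only to the internal address

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    iface: str   # interface the packet arrived on

def prerouting_dnat(pkt):
    """The thread's rule: -i ppp0 -p tcp --dport 44444 -j DNAT --to 192.168.2.1:22.
    Only packets that enter on ppp0 are rewritten; a LAN client hitting the public
    IP arrives on wlan0 and falls through untouched."""
    if pkt.iface == "ppp0" and pkt.dport == 44444:
        return replace(pkt, dst="192.168.2.1", dport=22)
    return pkt

def prerouting_dnat_hairpin(pkt):
    """Assumed hairpin-friendly variant (not from the thread): match on the public
    address instead of the ingress interface, e.g.
    -d <public ip> -p tcp --dport 44444 -j DNAT --to 192.168.2.1:22
    so the same rewrite applies to LAN clients. Because the target is the router
    itself, conntrack reverses the DNAT on the reply and no extra SNAT is needed."""
    if pkt.dst == PUBLIC_IP and pkt.dport == 44444:
        return replace(pkt, dst="192.168.2.1", dport=22)
    return pkt

def deliver(pkt, dnat):
    """Run PREROUTING, then the routing decision, and report what the client sees."""
    pkt = dnat(pkt)
    if pkt.dst in ROUTER_ADDRS:
        # Local delivery: filter INPUT has policy ACCEPT and no rule matching tcp/22
        # or tcp/44444, so the outcome depends only on whether a socket is bound.
        return "accepted" if (pkt.dst, pkt.dport) in LISTENING else "connection refused"
    # Anything else would traverse FORWARD, which the thread's rules accept for
    # LAN <-> ppp0 traffic; that path is not needed for the sshd case here.
    return "forwarded"

if __name__ == "__main__":
    external = Packet("198.51.100.7", PUBLIC_IP, 44444, "ppp0")   # constructed
    lan = Packet("192.168.2.2", PUBLIC_IP, 44444, "wlan0")         # constructed
    print("external host, thread rule:", deliver(external, prerouting_dnat))
    print("LAN host, thread rule:     ", deliver(lan, prerouting_dnat))
    print("LAN host, hairpin rule:    ", deliver(lan, prerouting_dnat_hairpin))
```

Matching on the public address only works while that address is known; with a dynamic ppp0 address the rule has to be refreshed (for example from an ip-up hook) whenever the link comes up.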