Firewall & port forward problem

Post by Krishna Venbakk » Mon, 21 Oct 2002 13:19:36



Hi all,

I have a home network with the following:

gateway & router - 192.168.2.1 (RH 6.2)
zeus - 192.168.2.2 (RH 7.1)
windows - 192.168.2.3 (win 2000)

I use a hub and a PPP connection from the router to dial out to the
internet, and then use masquerading to connect the internal machines
to the outside.

My problem is as follows:

Last week, I decided to install a ipchains firewall on router. I got
the chains from the Robert Ziegler website, and made a few changes at
the end to include masquerading. Then, I wanted to forward ports 80 &
8080 to my internal linux machine (zeus), so I added the lines using
'ipmasqadm portfw' after the masquerading. The current scene is that
the firewall is working, masquerading is working, but I am not able to
get to ports 80 & 8080 on the internal machines. I tried to access the
external IP address externally, not from within my network... it says the
connection was refused.

So, I ran a nmap on the router machine to check on ports 80 & 8080 and
it reported that they were closed. So I ran ipchains from the command
line to accept data on 80 & 8080, but it still doesn't work. What am I
not doing?

The rc.firewall is as below.

Thanks very much for any help.

Krishna.

# Script generated Mon Oct 14 23:14:55 2002

# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999, 2000  Robert L. Ziegler
#
#  Permission to use, copy, modify, and distribute this software and its
#  documentation for educational, research, private and non-profit purposes,
#  without fee, and without a written agreement is hereby granted.
#  This software is provided as an example and basis for individual firewall
#  development.  This software is provided without warranty.
#
#  Any material furnished by Robert L. Ziegler is furnished on an
#  "as is" basis.  He makes no warranties of any kind, either expressed
#  or implied as to any matter including, but not limited to, warranty
#  of fitness for a particular purpose, exclusivity or results obtained
#  from use of the material.
# ----------------------------------------------------------------------------

#  /etc/rc.d/rc.firewall
#  Invoked from /etc/ppp/ip-up, or
#  from /sbin/ifup-local, or
#  from /etc/sysconfig/network-scripts/ifup-post.

echo "Starting firewalling... "

# ----------------------------------------------------------------------------
#  Some definitions for easy maintenance.
#  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="ppp0"             # Internet connected interface
LOOPBACK_INTERFACE="lo"                       # Loopback interface              
NETWORK_INTERFACE1="eth0"             # Primary network interface        

IPADDR=$(/sbin/ifconfig | /bin/grep P-t-P | /usr/bin/cut -c 21-38 | /bin/awk '{print $1}')

echo "IP Address = " $IPADDR
ANYWHERE="any/0"                      # match any IP address

DHCP_SERVER="any/0"
NAMESERVER_1="207.109.160.1"                  # everyone must have at least one
NAMESERVER_2="128.198.1.117"
NAMESERVER_3="128.198.1.51"

POP_SERVER="mail.uccs.edu"            # Your ISP pop mail server.
IMAP_SERVER="mail.uccs.edu"           # Your ISP imap mail server.
NEWS_SERVER="news.uswest.net"         # Your ISP news server

LOOPBACK="127.0.0.0/8"                        # reserved loopback address range
CLASS_A="10.0.0.0/8"                  # class A private networks
CLASS_B="172.16.0.0/12"                       # class B private networks
CLASS_C="192.168.0.0/16"              # class C private networks
BROADCAST_SRC="0.0.0.0"                       # broadcast source address
BROADCAST_DEST="255.255.255.255"      # broadcast destination address
PRIVPORTS="0:1023"                    # well known, privileged port range
UNPRIVPORTS="1024:65535"              # unprivileged port range

# ----------------------------------------------------------------------------

NFS_PORT="2049"                               # (TCP/UDP) NFS
SOCKS_PORT="1080"                     # (TCP) Socks

# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063"             # (TCP) X windows
XWINDOWS_EXCEPTION="192.168.2.0/24"

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
echo "Default policy is DENY...start"
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter
    ipchains -F

    # Set the default policy of the filter to deny.
    ipchains -P input  DENY
    ipchains -P output ACCEPT
    ipchains -P forward DENY

echo "Default policy is DENY....end."
# ----------------------------------------------------------------------------

echo "Echoing 1 to /proc/sys files...start"
    # Enable TCP SYN Cookie Protection
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Enable always defragging Protection
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag

    # Enable broadcast echo  Protection
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Enable bad error message  Protection
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    # Enable IP spoofing protection
    # turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
echo "Echoing 1 to /proc/sys files....end."

echo "Echoing 0 to /proc/sys files...start"
    # Disable ICMP Redirect Acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
    done

    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 0 > $f
    done

    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
    done

    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
    done
echo "Echoing 0 to /proc/sys files....end."

# ----------------------------------------------------------------------------
# LOOPBACK

echo "Unlimited traffic on the loopback interface...start"
    # Unlimited traffic on the loopback interface.

    ipchains -A input  -i $LOOPBACK_INTERFACE  -j ACCEPT
    ipchains -A output -i $LOOPBACK_INTERFACE  -j ACCEPT
echo "Unlimited traffic on the loopback interface....end."

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

echo "Refuse spoofed packets...start"
    # Refuse incoming packets pretending to be from the external address.
    ipchains -A input   -s $IPADDR -j DENY -l
echo "Refuse spoofed packets....end."

# ----------------------------------------------------------------------------
# NOTE:
#      The symbolic names used in /etc/services for the port numbers vary by
#      supplier.  Using them is less error prone and more meaningful, though.

# ----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
echo "TCP UNPRIVILEGED PORTS...start"

    # NFS: establishing a TCP connection
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $NFS_PORT -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $NFS_PORT -j REJECT

    # Xwindows: establishing a connection
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             -s 192.168.2.0/24 \
             -d $IPADDR $XWINDOW_PORTS -j ACCEPT -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $XWINDOW_PORTS -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             -d 192.168.2.0/24 $XWINDOW_PORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $XWINDOW_PORTS -j REJECT

    # SOCKS: establishing a connection
    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $SOCKS_PORT -j DENY -l
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
             --destination-port $SOCKS_PORT -j REJECT
echo "TCP UNPRIVILEGED PORTS....end."

# ----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
echo "UDP UNPRIVILEGED PORTS...start"

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --destination-port $NFS_PORT -j DENY -l

    # UDP INCOMING TRACEROUTE
    # traceroute usually uses -S 32769:65535 -D 33434:33523

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s 192.168.2.0/24 $TRACEROUTE_SRC_PORTS \
             -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             --source-port $TRACEROUTE_SRC_PORTS \
             --destination-port $TRACEROUTE_DEST_PORTS -j DENY -l

# ----------------------------------------------------------------------------

    ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             -d $IPADDR -j ACCEPT

echo "UDP UNPRIVILEGED PORTS....end."
    # ------------------------------------------------------------------

    # DNS client (53)
    # ---------------
echo "DNS client (53)...start"
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s $NAMESERVER_1 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_1 53 -j ACCEPT

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
             -s $IPADDR $UNPRIVPORTS \
             -d $NAMESERVER_2 53 -j ACCEPT

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp  \
             -s $NAMESERVER_2 53 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT

    ipchains
...


Post by /dev/nul » Mon, 21 Oct 2002 15:52:10


My ipchains is similar to yours.  I default DENY and forward some outside
ports to internal machines.  Here's what I had to do for each port/protocol
combination on the ports I was forwarding (in addition to the portfw
commands):

(this lets the packets traverse the firewall inbound:)
1.  ACCEPT on input chain from any IP coming to external IP on external interface for that port/proto.
2.  ACCEPT on output chain from any IP going to internal network for that port/proto.
(this lets the packets traverse the firewall outbound:)
3.  ACCEPT on input chain from internal network on the internal interface going to any IP for that port/proto.
4.  MASQ on forward chain on the external interface from the internal network going to any IP for that port/proto.
5.  ACCEPT on output chain on the external interface from the external IP going to any IP address for that port/proto.

Here are the commands for port 80; the variable names are self-explanatory:

# Bad Forwards to Internal
# HTTP
# Protocol tcp / Port 80
ipchains -A input -i $BAD_INTERFACE -p tcp -s $UNIVERSE -d $BAD_IP 80 -j ACCEPT
ipchains -A output -i $DMZ_INTERFACE -p tcp -s $UNIVERSE -d $DMZ_NET 80 -j ACCEPT
# Coming back from DMZ server
ipchains -A input -i $DMZ_INTERFACE -p tcp -s $DMZ_NET 80 -d $UNIVERSE -j ACCEPT
ipchains -A forward -i $BAD_INTERFACE -p tcp -s $DMZ_NET 80 -d $UNIVERSE -j MASQ
ipchains -A output -i $BAD_INTERFACE -p tcp -s $BAD_IP 80 -d $UNIVERSE -j ACCEPT


Post by Krishna Venbakk » Wed, 23 Oct 2002 07:38:16



> My ipchains is similar to yours.  I default DENY and forward some outside
> ports to internal machines.  Here's what I had to do for each port/protocol
> combination on the ports I was forwarding (in addition to the portfw
> commands):

> (this lets the packets traverse the firewall inbound:)
> 1.  ACCEPT on input chain from any IP coming to external IP on external interface for that port/proto.
> 2.  ACCEPT on output chain from any IP going to internal network for that port/proto.
> (this lets the packets traverse the firewall outbound:)
> 3.  ACCEPT on input chain from internal network on the internal interface going to any IP for that port/proto.
> 4.  MASQ on forward chain on the external interface from the internal network going to any IP for that port/proto.
> 5.  ACCEPT on output chain on the external interface from the external IP going to any IP address for that port/proto.

> Here are the commands for port 80; the variable names are self-explanatory:

> # Bad Forwards to Internal
> # HTTP
> # Protocol tcp / Port 80
> ipchains -A input -i $BAD_INTERFACE -p tcp -s $UNIVERSE -d $BAD_IP 80 -j ACCEPT
> ipchains -A output -i $DMZ_INTERFACE -p tcp -s $UNIVERSE -d $DMZ_NET 80 -j ACCEPT
> # Coming back from DMZ server
> ipchains -A input -i $DMZ_INTERFACE -p tcp -s $DMZ_NET 80 -d $UNIVERSE -j ACCEPT
> ipchains -A forward -i $BAD_INTERFACE -p tcp -s $DMZ_NET 80 -d $UNIVERSE -j MASQ
> ipchains -A output -i $BAD_INTERFACE -p tcp -s $BAD_IP 80 -d $UNIVERSE -j ACCEPT

Hi,

Thanks for your reply.

I added the 5 rules before the ipmasqadm portfw commands, with
appropriate values. The values I used for the variables are:
BAD_INTERFACE=ppp0
UNIVERSE=any/0
BAD_IP=<external IP address assigned by my ISP>
DMZ_INTERFACE=eth0
DMZ_NET=192.168.2.2

Are these values ok?

Besides that, I commented out the following lines:

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp  \
             -d $IPADDR 80 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp  \
             -d $IPADDR 8080 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -j ACCEPT

For me, the $EXTERNAL_INTERFACE is ppp0 and the $IPADDR is the dynamic
address I am given by my ISP.

It's still not working. What else can I try?

Thanks for your help,
Krishna.


Post by /dev/nul » Wed, 23 Oct 2002 12:11:50


In my script I have my values surrounded by quotes, don't know if that
matters.

> I added the 5 rules before the ipmasqadm portfw commands, with
> appropriate values. The values I used for the variables are:
> BAD_INTERFACE=ppp0
> UNIVERSE=any/0

try:
UNIVERSE="0.0.0.0/0"

> BAD_IP=<external IP address assigned by my ISP>
> DMZ_INTERFACE=eth0

Is that the NIC that goes to your internal web server?  If not, change this
to the ethX that goes to your DMZ.

> DMZ_NET=192.168.2.2

Is this the network that your web server is on?  If yes it should look like
this:

DMZ_NET="192.168.2.0/24"


Post by Krishna Venbakk » Fri, 25 Oct 2002 01:32:36



> In my script I have my values surrounded by quotes, don't know if that
> matters.

> > I added the 5 rules before the ipmasqadm portfw commands, with
> > appropriate values. The values I used for the variables are:
> > BAD_INTERFACE=ppp0
> > UNIVERSE=any/0

> try:
> UNIVERSE="0.0.0.0/0"

> > BAD_IP=<external IP address assigned by my ISP>
> > DMZ_INTERFACE=eth0

> Is that the NIC that goes to your internal web server?  If not, change this
> to the ethX that goes to your DMZ.

> > DMZ_NET=192.168.2.2

> Is this the network that your web server is on?  If yes it should look like
> this:

> DMZ_NET="192.168.2.0/24"

Hi,

Yes, my values are surrounded by quotes as well.

I didn't have the /24 for the DMZ_NET, so I tried the script with that
and it didn't work. Then I tried 192.168.2.2/32 and that didn't
either.

Do I put the ipmasqadm portfw commands before this or after? Also, I
already have masquerading working, so why do I need another rule for
masquerading?

Thanks again for your help,
Krishna.


Post by /dev/nul » Fri, 25 Oct 2002 01:54:02


> Do I put the ipmasqadm portfw commands before this or after?

it doesn't matter, but mine come last.

> Also, I
> already have masquerading working, so why do I need another rule for
> masquerading?

Because the traffic being forwarded is DNATed coming in by the port
forwarding.  If the destination address isn't changed to your DMZ server
your DMZ server would never pick the packet up off the network.  So the
return packets from your server will look like they are coming from
192.168.whatever, and when they get to the client that initiated the
connection out on the Internet they will be ignored because the client never
made a connection to 192.168.whatever, it connected to your public IP.  So
you MASQ the packets going outbound to perform the SNAT.
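A toy model of the five-rule path given earlier in the thread and of the DNAT/SNAT explanation above, added here as an illustration and not code from any poster. It assumes constructed addresses (203.0.113.5 standing in for the dynamic ppp0 address, 198.51.100.7 for an Internet client) and models only first-match traversal of the input, forward and output chains with default DENY; it is not ipchains itself.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed stand-ins for the thread's variables (not the poster's real addresses).
EXT_IF, INT_IF = "ppp0", "eth0"             # BAD_INTERFACE / DMZ_INTERFACE
EXT_IP = "203.0.113.5"                      # BAD_IP: the dynamic ppp0 address
DMZ_HOST, DMZ_NET = "192.168.2.2", "192.168.2.0/24"   # zeus / DMZ_NET
ANY, CLIENT = "0.0.0.0/0", "198.51.100.7"   # UNIVERSE / a client out on the Internet

@dataclass(frozen=True)
class Pkt:
    iface: str; src: str; sport: int; dst: str; dport: int

def rule(chain, iface, src, sport, dst, dport, target):
    return dict(chain=chain, iface=iface, src=src, sport=sport, dst=dst, dport=dport, target=target)
# The five rules from the reply, for tcp/80; None means "any port".
FIVE_RULES = [
    rule("input",   EXT_IF, ANY,     None, EXT_IP,  80,   "ACCEPT"),   # 1
    rule("output",  INT_IF, ANY,     None, DMZ_NET, 80,   "ACCEPT"),   # 2
    rule("input",   INT_IF, DMZ_NET, 80,   ANY,     None, "ACCEPT"),   # 3
    rule("forward", EXT_IF, DMZ_NET, 80,   ANY,     None, "MASQ"),     # 4
    rule("output",  EXT_IF, EXT_IP,  80,   ANY,     None, "ACCEPT"),   # 5
]
POLICY = {"input": "DENY", "output": "DENY", "forward": "DENY"}  # default DENY

def matches(r, p):
    return (r["iface"] == p.iface
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r["src"])
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r["dst"])
            and r["sport"] in (None, p.sport) and r["dport"] in (None, p.dport))

def walk(chain, p, rules, policy):
    """Target of the first matching rule in the chain, else the chain's default policy."""
    return next((r["target"] for r in rules if r["chain"] == chain and matches(r, p)), policy[chain])

def round_trip(rules, policy=POLICY, sport=40000):
    """Client -> public IP:80 through the gateway to zeus, and zeus's reply back out.
    Returns the reply as the Internet client would see it, or None if a chain dropped it."""
    req = Pkt(EXT_IF, CLIENT, sport, EXT_IP, 80)
    if walk("input", req, rules, policy) != "ACCEPT": return None    # rule 1
    req = replace(req, iface=INT_IF, dst=DMZ_HOST)                    # ipmasqadm portfw: DNAT
    if walk("output", req, rules, policy) != "ACCEPT": return None   # rule 2
    rep = Pkt(INT_IF, DMZ_HOST, 80, CLIENT, sport)                    # zeus answers from 192.168.2.2
    if walk("input", rep, rules, policy) != "ACCEPT": return None    # rule 3
    rep = replace(rep, iface=EXT_IF)
    verdict = walk("forward", rep, rules, policy)                     # rule 4
    if verdict == "MASQ": rep = replace(rep, src=EXT_IP)              # SNAT back to the public IP
    elif verdict != "ACCEPT": return None
    if walk("output", rep, rules, policy) != "ACCEPT": return None   # rule 5
    return rep

def client_accepts(rep, sport=40000):
    """The client only matches a reply against the socket it opened: EXT_IP:80 -> CLIENT:sport."""
    return rep is not None and (rep.src, rep.sport, rep.dst, rep.dport) == (EXT_IP, 80, CLIENT, sport)
```

Dropping rule 1 makes the inbound SYN die in the input chain; replacing the MASQ target with ACCEPT (and a permissive output policy) lets a reply out whose source is still 192.168.2.2, which the client never connected to.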