Very Computer

Hi,
I upgraded to the 2.4 kernel (RedHat) and getting my old firewall
script to function at all has been very difficult. I'm a beginner, but
was able to successfully create my ipchains script by following
examples of others, but no such luck with iptables. Can someone please
take a look at my simple script and see if they can spot any problems.
Nothing seems to work after my repeated trial and error debugging
attempts. Version below is my attempt at absolute simplicity, no
spoofing protection, etc., which I plan to add on after core is
functional. Cannot currently ping Internet or internal network or
access web server from outside with this script in place. IP addresses
have been changed, but I can confirm that actual IPs are all correct.

TIA,

Dave

######################## IPTABLES SCRIPT ########################

INTERNAL_INTERFACE="eth1"
INTERNAL_NETWORK="192.168.1.10/24"
EXTERNAL_INTERFACE="eth0"
LOOPBACK='lo'
LO_IP='127.0.0.0'
BROADCAST_0="66.139.882.255"
BROADCAST_1="192.168.10.255"
ANYWHERE="0.0.0.0/0"
INTERNAL_WEBSERVER="192.168.10.48"
INTERNAL_DATABASE="192.168.10.81"
IPADDR=`/sbin/ifconfig eth0 |  grep "inet addr" | awk -F":"
'{print$2}' | awk '{print $1}'`

TCPIN="80,443,8080,1433"
TCPOUT="80,443,8080"
TCPWEB="20,21,80,443,8080"
TCPDB="1433"

# the name and location of the iptables program
IPTABLES='/usr/local/bin/iptables'

# load kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe iptable_filter

# flush any existing chains
IPTABLES -F
IPTABLES -Z
IPTABLES -t filter -F INPUT
IPTABLES -t filter -F OUTPUT
IPTABLES -t filter -F FORWARD
IPTABLES -t nat -F
IPTABLES -t nat -F PREROUTING
IPTABLES -t nat -F POSTROUTING
IPTABLES -t nat -F OUTPUT
IPTABLES -t nat -Z
IPTABLES -t mangle -F
IPTABLES -t mangle -F PREROUTING
IPTABLES -t mangle -F OUTPUT
IPTABLES -t mangle -Z

# set default policies
IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP

IPTABLES -t nat -P PREROUTING DROP
IPTABLES -t nat -P POSTROUTING DROP
IPTABLES -t nat -P OUTPUT DROP

IPTABLES -t mangle -P PREROUTING DROP
IPTABLES -t mangle -P POSTROUTING DROP
IPTABLES -t mangle -P OUTPUT DROP

# Accept incoming web requests from anywhere
iptables        --append                INPUT                   \
                --protocol              TCP                     \
                --source                $ANYWHERE               \
                --destination           $INTERNAL_WEBSERVER     \
                --destination-port      $TCPIN                  \
                --in-interface          $EXTERNAL_INTERFACE     \
                --jump                  ACCEPT

iptables        --append                OUTPUT                  \
                --protocol              TCP                     \
                --source                $ANYWHERE               \
                --destination           $INTERNAL_WEBSERVER     \
                --destination-port      $TCPIN                  \
                --in-interface          $EXTERNAL_INTERFACE     \
                --jump                  ACCEPT

# Accept internal traffic
iptables        --append                INPUT                   \
                --source                $INTERNAL_NETWORK       \
                --in-interface          $INTERNAL_INTERFACE     \
                --jump                  ACCEPT

iptables        --append                OUTPUT                  \
                --source                $INTERNAL_NETWORK       \
                --in-interface          $INTERNAL_INTERFACE     \
                --jump                  ACCEPT

# Accept loopback traffic
iptables        --append                INPUT                   \
                --in-interface          $loopback               \
                --jump                  ACCEPT

iptables        --append                OUTPUT                  \
                --in-interface          $loopback               \
                --jump                  ACCEPT

# Port forwarding rules
iptables        -t                      nat                     \
                -A                      PREROUTING              \
                -i                      $EXTERNAL_INTERFACE     \
                -p                      tcp                     \
                --dport                 "80,443,8080"         \
                -j                      DNAT                    \
                --to-destination        $INTERNAL_WEBSERVER:80  

iptables        -t                      nat                     \
                -A                      PREROUTING              \
                -i                      $EXTERNAL_INTERFACE     \
                -p                      tcp                     \
                --dport                 "1443"                \
                -j                      DNAT                    \
                --to-destination        $INTERNAL_DATABASE:1433

iptables        -t                      nat                     \
                -A                      PREROUTING              \
                -i                      $EXTERNAL_INTERFACE     \
                -p                      tcp                     \
                --dport                 20                      \
                -j                      DNAT                    \
                --to-destination        $INTERNAL_WEBSERVER:20  

iptables        -t                      nat                     \
                -A                      PREROUTING              \
                -i                      $EXTERNAL_INTERFACE     \
                -p                      tcp                     \
                --dport                 21                      \
                -j                      DNAT                    \
                --to-destination        $INTERNAL_WEBSERVER:21

On 27 Feb 2002, Dave wrote:

Your output policy is DROP. And I don't see any special rules for your
output chain. No wonder you can't ping any machine ..

If your forward chain's policy is DROP, packets from your internal network
will not go out of the gateway.

destination port should either be a single number or a range of numbers
separated with a : . something like this -> 80:1000. Your comma delimited
list of ports is a violation of the syntax.
$INTERNAL_WEBSERVER doesn't make sense here. No packet with a destination
address of 192.168.10.48 would ever get routed in the internet. You have
to accpet connections to port 80 of you gateway and then suitably redirect
them to the INTERNAL_WESERVER. Get rid of the $INTERNAL_WEBSERVER in your
INPUT chain. It is totally ineffective.

 > iptables  --append                OUTPUT                  \

A word of advice : Start writing your rules one at a time and test them
before you come up with such scripts.

--ravi

Thanks so much Ravi, I'll try your changes tonight. The
"192.168.10.48" was just me poorly modifying the post to mask actual
numbers.

Quote:

> destination port should either be a single number or a range of numbers
> separated with a : . something like this -> 80:1000. Your comma delimited
> list of ports is a violation of the syntax.
> $INTERNAL_WEBSERVER doesn't make sense here. No packet with a destination
> address of 192.168.10.48 would ever get routed in the internet. You have
> to accpet connections to port 80 of you gateway and then suitably redirect
> them to the INTERNAL_WESERVER. Get rid of the $INTERNAL_WEBSERVER in your
> INPUT chain. It is totally ineffective.

> A word of advice : Start writing your rules one at a time and test them
> before you come up with such scripts.

> --ravi