IPTables help pleeeeeease

Post by Dav » Fri, 01 Mar 2002 06:18:53



Hi,
I upgraded to the 2.4 kernel (RedHat) and getting my old firewall
script to function at all has been very difficult. I'm a beginner, but
was able to successfully create my ipchains script by following
examples of others, but no such luck with iptables. Can someone please
take a look at my simple script and see if they can spot any problems.
Nothing seems to work after my repeated trial and error debugging
attempts. Version below is my attempt at absolute simplicity, no
spoofing protection, etc., which I plan to add on after core is
functional. Cannot currently ping Internet or internal network or
access web server from outside with this script in place. IP addresses
have been changed, but I can confirm that actual IPs are all correct.

TIA,

Dave

######################## IPTABLES SCRIPT ########################

INTERNAL_INTERFACE="eth1"
INTERNAL_NETWORK="192.168.1.10/24"
EXTERNAL_INTERFACE="eth0"
LOOPBACK='lo'
LO_IP='127.0.0.0'
BROADCAST_0="66.139.882.255"
BROADCAST_1="192.168.10.255"
ANYWHERE="0.0.0.0/0"
INTERNAL_WEBSERVER="192.168.10.48"
INTERNAL_DATABASE="192.168.10.81"
IPADDR=`/sbin/ifconfig eth0 |  grep "inet addr" | awk -F":"
'{print$2}' | awk '{print $1}'`

TCPIN="80,443,8080,1433"
TCPOUT="80,443,8080"
TCPWEB="20,21,80,443,8080"
TCPDB="1433"

# the name and location of the iptables program
IPTABLES='/usr/local/bin/iptables'

# load kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe iptable_filter

# flush any existing chains
IPTABLES -F
IPTABLES -Z
IPTABLES -t filter -F INPUT
IPTABLES -t filter -F OUTPUT
IPTABLES -t filter -F FORWARD
IPTABLES -t nat -F
IPTABLES -t nat -F PREROUTING
IPTABLES -t nat -F POSTROUTING
IPTABLES -t nat -F OUTPUT
IPTABLES -t nat -Z
IPTABLES -t mangle -F
IPTABLES -t mangle -F PREROUTING
IPTABLES -t mangle -F OUTPUT
IPTABLES -t mangle -Z

# set default policies
IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP

IPTABLES -t nat -P PREROUTING DROP
IPTABLES -t nat -P POSTROUTING DROP
IPTABLES -t nat -P OUTPUT DROP

IPTABLES -t mangle -P PREROUTING DROP
IPTABLES -t mangle -P POSTROUTING DROP
IPTABLES -t mangle -P OUTPUT DROP

# Accept incoming web requests from anywhere
iptables        --append                INPUT                   \
                --protocol              TCP                     \
                --source                $ANYWHERE               \
                --destination           $INTERNAL_WEBSERVER     \
                --destination-port      $TCPIN                  \
                --in-interface          $EXTERNAL_INTERFACE     \
                --jump                  ACCEPT

iptables        --append                OUTPUT                  \
                --protocol              TCP                     \
                --source                $ANYWHERE               \
                --destination           $INTERNAL_WEBSERVER     \
                --destination-port      $TCPIN                  \
                --in-interface          $EXTERNAL_INTERFACE     \
                --jump                  ACCEPT

# Accept internal traffic
iptables        --append                INPUT                   \
                --source                $INTERNAL_NETWORK       \
                --in-interface          $INTERNAL_INTERFACE     \
                --jump                  ACCEPT

iptables        --append                OUTPUT                  \
                --source                $INTERNAL_NETWORK       \
                --in-interface          $INTERNAL_INTERFACE     \
                --jump                  ACCEPT

# Accept loopback traffic
iptables        --append                INPUT                   \
                --in-interface          $loopback               \
                --jump                  ACCEPT

iptables        --append                OUTPUT                  \
                --in-interface          $loopback               \
                --jump                  ACCEPT

# Port forwarding rules
iptables        -t                      nat                     \
                -A                      PREROUTING              \
                -i                      $EXTERNAL_INTERFACE     \
                -p                      tcp                     \
                --dport                 "80,443,8080"         \
                -j                      DNAT                    \
                --to-destination        $INTERNAL_WEBSERVER:80  

iptables        -t                      nat                     \
                -A                      PREROUTING              \
                -i                      $EXTERNAL_INTERFACE     \
                -p                      tcp                     \
                --dport                 "1443"                \
                -j                      DNAT                    \
                --to-destination        $INTERNAL_DATABASE:1433

iptables        -t                      nat                     \
                -A                      PREROUTING              \
                -i                      $EXTERNAL_INTERFACE     \
                -p                      tcp                     \
                --dport                 20                      \
                -j                      DNAT                    \
                --to-destination        $INTERNAL_WEBSERVER:20  

iptables        -t                      nat                     \
                -A                      PREROUTING              \
                -i                      $EXTERNAL_INTERFACE     \
                -p                      tcp                     \
                --dport                 21                      \
                -j                      DNAT                    \
                --to-destination        $INTERNAL_WEBSERVER:21


Post by Ravi Parim » Fri, 01 Mar 2002 06:51:55


On 27 Feb 2002, Dave wrote:

> Hi,
> I upgraded to the 2.4 kernel (RedHat) and getting my old firewall
> script to function at all has been very difficult. I'm a beginner, but
> was able to successfully create my ipchains script by following
> examples of others, but no such luck with iptables. Can someone please
> take a look at my simple script and see if they can spot any problems.
> Nothing seems to work after my repeated trial and error debugging
> attempts. Version below is my attempt at absolute simplicity, no
> spoofing protection, etc., which I plan to add on after core is
> functional. Cannot currently ping Internet or internal network or
> access web server from outside with this script in place. IP addresses
> have been changed, but I can confirm that actual IPs are all correct.

> TIA,

> Dave

> ######################## IPTABLES SCRIPT ########################

> INTERNAL_INTERFACE="eth1"
> INTERNAL_NETWORK="192.168.1.10/24"
> EXTERNAL_INTERFACE="eth0"
> LOOPBACK='lo'
> LO_IP='127.0.0.0'
> BROADCAST_0="66.139.882.255"
> BROADCAST_1="192.168.10.255"
> ANYWHERE="0.0.0.0/0"
> INTERNAL_WEBSERVER="192.168.10.48"
> INTERNAL_DATABASE="192.168.10.81"
> IPADDR=`/sbin/ifconfig eth0 |  grep "inet addr" | awk -F":"
> '{print$2}' | awk '{print $1}'`

> TCPIN="80,443,8080,1433"
> TCPOUT="80,443,8080"
> TCPWEB="20,21,80,443,8080"
> TCPDB="1433"

> # the name and location of the iptables program
> IPTABLES='/usr/local/bin/iptables'

> # load kernel modules
> modprobe iptable_nat
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_tables
> modprobe iptable_filter

> # flush any existing chains
> IPTABLES -F
> IPTABLES -Z
> IPTABLES -t filter -F INPUT
> IPTABLES -t filter -F OUTPUT
> IPTABLES -t filter -F FORWARD
> IPTABLES -t nat -F
> IPTABLES -t nat -F PREROUTING
> IPTABLES -t nat -F POSTROUTING
> IPTABLES -t nat -F OUTPUT
> IPTABLES -t nat -Z
> IPTABLES -t mangle -F
> IPTABLES -t mangle -F PREROUTING
> IPTABLES -t mangle -F OUTPUT
> IPTABLES -t mangle -Z

> # set default policies
> IPTABLES -P INPUT DROP
> IPTABLES -P OUTPUT DROP

Your output policy is DROP. And I don't see any special rules for your
output chain. No wonder you can't ping any machine ..

> IPTABLES -P FORWARD DROP

If your forward chain's policy is DROP, packets from your internal network
will not go out of the gateway.

> IPTABLES -t nat -P PREROUTING DROP
> IPTABLES -t nat -P POSTROUTING DROP
> IPTABLES -t nat -P OUTPUT DROP

> IPTABLES -t mangle -P PREROUTING DROP
> IPTABLES -t mangle -P POSTROUTING DROP
> IPTABLES -t mangle -P OUTPUT DROP

> # Accept incoming web requests from anywhere
> iptables   --append                INPUT                   \
>            --protocol              TCP                     \
>            --source                $ANYWHERE               \
>            --destination           $INTERNAL_WEBSERVER     \
>            --destination-port      $TCPIN                  \
>            --in-interface          $EXTERNAL_INTERFACE     \
>            --jump                  ACCEPT

destination port should either be a single number or a range of numbers
separated with a : . something like this -> 80:1000. Your comma delimited
list of ports is a violation of the syntax.
$INTERNAL_WEBSERVER doesn't make sense here. No packet with a destination
address of 192.168.10.48 would ever get routed in the internet. You have
to accept connections to port 80 of your gateway and then suitably redirect
them to the INTERNAL_WEBSERVER. Get rid of the $INTERNAL_WEBSERVER in your
INPUT chain. It is totally ineffective.

> iptables   --append                OUTPUT                  \
>            --protocol              TCP                     \
>            --source                $ANYWHERE               \
>            --destination           $INTERNAL_WEBSERVER     \
>            --destination-port      $TCPIN                  \
>            --in-interface          $EXTERNAL_INTERFACE     \
>            --jump                  ACCEPT
> # Accept internal traffic
> iptables   --append                INPUT                   \
>            --source                $INTERNAL_NETWORK       \
>            --in-interface          $INTERNAL_INTERFACE     \
>            --jump                  ACCEPT

> iptables   --append                OUTPUT                  \
>            --source                $INTERNAL_NETWORK       \
>            --in-interface          $INTERNAL_INTERFACE     \
>            --jump                  ACCEPT

> # Accept loopback traffic
> iptables   --append                INPUT                   \
>            --in-interface          $loopback               \
>            --jump                  ACCEPT

> iptables   --append                OUTPUT                  \
>            --in-interface          $loopback               \
>            --jump                  ACCEPT

> # Port forwarding rules
> iptables   -t                      nat                     \
>            -A                      PREROUTING              \
>            -i                      $EXTERNAL_INTERFACE     \
>            -p                      tcp                     \
>            --dport                 "80,443,8080"         \
>            -j                      DNAT                    \
>            --to-destination        $INTERNAL_WEBSERVER:80

> iptables   -t                      nat                     \
>            -A                      PREROUTING              \
>            -i                      $EXTERNAL_INTERFACE     \
>            -p                      tcp                     \
>            --dport                 "1443"                \
>            -j                      DNAT                    \
>            --to-destination        $INTERNAL_DATABASE:1433

> iptables   -t                      nat                     \
>            -A                      PREROUTING              \
>            -i                      $EXTERNAL_INTERFACE     \
>            -p                      tcp                     \
>            --dport                 20                      \
>            -j                      DNAT                    \
>            --to-destination        $INTERNAL_WEBSERVER:20

> iptables   -t                      nat                     \
>            -A                      PREROUTING              \
>            -i                      $EXTERNAL_INTERFACE     \
>            -p                      tcp                     \
>            --dport                 21                      \
>            -j                      DNAT                    \
>            --to-destination        $INTERNAL_WEBSERVER:21

A word of advice : Start writing your rules one at a time and test them
before you come up with such scripts.

--ravi
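A minimal corrected version of the script that applies Ravi's points (OUTPUT and FORWARD policies, one port per --dport, DNAT on the gateway with the matching FORWARD rule instead of $INTERNAL_WEBSERVER in INPUT), as an added example that is neither poster's code. The interface names, the 192.168.10.0/24 network and the dry-run IPT variable are assumptions.

```shell
#!/bin/sh
# Added example (not from either poster): Dave's script with Ravi's fixes applied.
# Interface names and addresses are assumptions; set IPT="echo iptables" to dry-run.
IPT=${IPT:-/sbin/iptables}
EXT=eth0; INT=eth1
INT_NET=192.168.10.0/24          # assumed LAN holding both servers below
WEB=192.168.10.48; DB=192.168.10.81

# DNAT one TCP port arriving on the external interface to an internal host and
# let the rewritten packet through FORWARD: it is never seen by the INPUT chain.
dnat_tcp() {  # $1 = port, $2 = internal host
    $IPT -t nat -A PREROUTING -i "$EXT" -p tcp --dport "$1" \
         -j DNAT --to-destination "$2:$1"
    $IPT -A FORWARD -i "$EXT" -o "$INT" -p tcp -d "$2" --dport "$1" \
         -m state --state NEW -j ACCEPT
}

apply_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    # Policies on the filter table only; nat and mangle stay ACCEPT so that
    # new connections actually reach these rules.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT            # OUTPUT DROP with no rules blocked even ping
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections the gateway or the LAN opened (needs ip_conntrack)
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may reach the gateway and, masqueraded, the Internet
    $IPT -A INPUT   -i "$INT" -s "$INT_NET" -j ACCEPT
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$INT_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$INT_NET" -j MASQUERADE
    # one rule per port: --dport takes a number or a low:high range, not a list
    for p in 80 443 8080; do dnat_tcp "$p" "$WEB"; done
    dnat_tcp 1433 "$DB"
}

# Apply only when asked: FW_APPLY=1 sh firewall.sh (as root, with
# /proc/sys/net/ipv4/ip_forward set to 1 for the FORWARD rules to matter)
if [ "${FW_APPLY:-0}" = 1 ]; then apply_rules; fi
```

Run it with IPT="echo iptables" first to read the generated rules, then add them one at a time as Ravi suggests.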


Post by Dav » Sat, 02 Mar 2002 23:03:03


Thanks so much Ravi, I'll try your changes tonight. The
"192.168.10.48" was just me poorly modifying the post to mask actual
numbers.

> destination port should either be a single number or a range of numbers
> separated with a : . something like this -> 80:1000. Your comma delimited
> list of ports is a violation of the syntax.
> $INTERNAL_WEBSERVER doesn't make sense here. No packet with a destination
> address of 192.168.10.48 would ever get routed in the internet. You have
> to accept connections to port 80 of your gateway and then suitably redirect
> them to the INTERNAL_WEBSERVER. Get rid of the $INTERNAL_WEBSERVER in your
> INPUT chain. It is totally ineffective.

> A word of advice : Start writing your rules one at a time and test them
> before you come up with such scripts.

> --ravi
