I need some Iptables usage advice

Post by Paul » Wed, 08 May 2002 04:12:36



 Hi.

 Well, I have set up a slow Linux machine to act as a router for my other
machines connected to it. I have my own private news server running on its
own internal address of 192.168.0.20, and have the main router box (static
IP) forwarding any requests to port 119 to the news server. Instead of
rewriting all of the firewall rules, I just kept the Linux default running
and added these lines to my rc.firewall:

## Masq
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

$IPTABLES -A FORWARD -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD -d 192.168.0.0/24 -j ACCEPT
# Current iptables wants the negation before the option ("! -s");
# older versions wrote it as "-s ! 192.168.0.0/24".
$IPTABLES -A FORWARD ! -s 192.168.0.0/24 -j DROP

## Make sure to turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

echo " Route incoming ppp0 at port 119 NEWS SERVER, to 192.168.0.20:119"
$IPTABLES -A PREROUTING -t nat -p tcp -i ppp0 --dport 119 -j DNAT --to 192.168.0.20:119

# DROP HTTP packets related to CodeRed and Nimda viruses silently
# (the string match needs "--algo bm" on current iptables; the older
# patch-o-matic version accepted --string on its own)
$IPTABLES -t filter -A INPUT -i ppp0 -p tcp -d 66.149.133.40 --dport 80 \
   -m string --algo bm --string "/default.ida?" -j DROP
$IPTABLES -t filter -A INPUT -i ppp0 -p tcp -d 66.149.133.40 --dport 80 \
   -m string --algo bm --string ".exe?/c+dir" -j DROP
$IPTABLES -t filter -A INPUT -i ppp0 -p tcp -d 66.149.133.40 --dport 80 \
   -m string --algo bm --string ".exe?/c+tftp" -j DROP

 My two problems are that I cannot access the news server from inside my own
network, but can from the outside. How do I fix this so I can access it
from any machine inside AND out?

 Also, with this forwarding:

echo " Route incoming ppp0 at port 119 NEWS SERVER, to 192.168.0.20:119"
$IPTABLES -A PREROUTING -t nat -p tcp -i ppp0 --dport 119 -j DNAT --to 192.168.0.20:119

 Does the above say to allow both in and out (receive from news peers and
send back to peers), or do I need to add something I missed for both
in and out?

 Any HELP will be greatly appreciated.

 Paul
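
An added example, not part of Paul's post or of any reply on this page, that covers both of his questions: the hairpin (NAT loopback) rules let LAN clients reach the published service through the public address, and the FORWARD rules show why one DNAT rule is enough for both directions. It assumes, hypothetically, that eth0 is the LAN interface and that 66.149.133.40 (the address the string-match rules above filter on) is the ppp0 address; the variables at the top and the IPT_APPLY switch are inventions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): hairpin NAT and stateful
# forwarding for a DNAT'd NNTP server behind a Linux router.
# Hypothetical assumptions: ppp0 is the public link with address
# 66.149.133.40, eth0 is the LAN (192.168.0.0/24), the news server is
# 192.168.0.20. Run as root with IPT_APPLY=1 to load the rules; by default
# the script only prints the iptables commands it would execute.

PUB_IF="${PUB_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
PUB_IP="${PUB_IP:-66.149.133.40}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
NEWS_IP="${NEWS_IP:-192.168.0.20}"

# Run iptables, or in dry-run mode print the command instead.
ipt() {
    if [ -n "$IPT_DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

news_nat_rules() {
    # External clients: connections arriving on ppp0 for port 119 go to the
    # news server (this is the rule the post already has).
    ipt -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport 119 \
        -j DNAT --to-destination "$NEWS_IP:119"
    # Hairpin, part 1: LAN clients connect to the public address, but their
    # packets arrive on eth0, so the rule above never matches them. Match the
    # public address on the LAN interface and DNAT those too.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -d "$PUB_IP" -p tcp --dport 119 \
        -j DNAT --to-destination "$NEWS_IP:119"
    # Hairpin, part 2: after the DNAT the server would answer the LAN client
    # directly with source 192.168.0.20, but the client is waiting for a reply
    # from 66.149.133.40 and discards it. Masquerading the hairpinned
    # connection to the router's eth0 address sends the reply back through
    # the router, where conntrack undoes both translations. "--ctstate DNAT"
    # limits this to translated connections, so LAN hosts that talk to
    # 192.168.0.20 directly keep their real source address.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$NEWS_IP" -p tcp --dport 119 \
        -m conntrack --ctstate DNAT -j MASQUERADE
    # Ordinary outbound masquerade for the LAN, which also covers the news
    # server's own connections to its peers.
    ipt -t nat -A POSTROUTING -o "$PUB_IF" -s "$LAN_NET" -j MASQUERADE
}

news_forward_rules() {
    # Reply packets of known connections are accepted here in both directions.
    # The DNAT rule only sees the first packet of a connection; conntrack
    # reverses the translation on the way back, so no "reverse" rule exists.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New inbound NNTP connections. FORWARD runs after PREROUTING, so the
    # destination is already the private address.
    ipt -A FORWARD -p tcp -d "$NEWS_IP" --dport 119 -m conntrack --ctstate NEW -j ACCEPT
    # LAN hosts may open any outbound connection; nothing else is forwarded.
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -j DROP
}

if [ "${IPT_APPLY:-0}" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    news_nat_rules
    news_forward_rules
else
    IPT_DRY_RUN=1
    news_nat_rules
    news_forward_rules
fi
```

On the second question: a DNAT rule is consulted for the first packet of a new connection only; conntrack records the mapping and rewrites the replies back to the public address, so once replies are accepted in FORWARD (here through ESTABLISHED,RELATED) nothing further is needed for the "out" direction. Connections the news server itself opens to its peers are plain outbound traffic and only need the masquerade rule. A simpler alternative to hairpin NAT is split DNS: let the LAN resolve the news host's name to 192.168.0.20 directly, so internal clients never cross the NAT at all.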

 
 
 

1. Moving to iptables from ipchains - need advice

For some time I was running ipchains on a RedHat box (7.2, now 7.3), but it
always had problems. Although I seemed to have configured ipchains
correctly to act as a NAT, client PCs would stop downloading web pages
before they were complete. I Googled for the problem, and eventually found
a forum post stating that this was a bug in ipchains, and was never going to
be fixed. So I installed the Dante socks daemon and forgot about ipchains'
web problems.

Unfortunately, a problem with RealPlayer sparked my decision to finally fix
it, by switching to iptables. After figuring out how to stop ipchains from
starting, so that iptables would start instead, I got a quick 'n' unsafe
iptables config running thanks to the iptables HOWTO. Wheee, thought I, it
works. Web pages loaded perfectly sans Dante.

I eventually came up with the following script, based on my knowledge of
ipchains. However, reading through a few of the iptables HOWTOs it looks
like this may be inadequate. I'd be grateful if somebody could let me know
what I've missed.

Thanks,
Mark Lord.

#!/bin/sh
IPTABLES="/sbin/iptables"

# Reset default policies...
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

# Flush all chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Remove all custom chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Enable masquerade
$IPTABLES -t nat -A POSTROUTING -j MASQUERADE

# Ensure ACCEPT policy
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# eth0 is trusted (internal network)
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT

# Give lo free rein
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Explicitly allow icmp through eth1 (cable modem)
$IPTABLES -A INPUT -p icmp -i eth1 -j ACCEPT

# Drop any input to port <= 1024
$IPTABLES -A INPUT -i eth1 -p tcp --dport 0:1024 -j DROP

# Allow any output through eth1 (cable modem)
$IPTABLES -A OUTPUT -o eth1 -j ACCEPT

# Accept forwarding to/from 192.168.0.0/16
$IPTABLES -A FORWARD -s 192.168.0.0/16 -j ACCEPT
$IPTABLES -A FORWARD -d 192.168.0.0/16 -j ACCEPT

# Drop any other forward requests
$IPTABLES -A FORWARD -j DROP
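
An added example, not Mark's script and not an answer from the thread: the same two-interface router written as a stateful, default-deny ruleset, which is the shape the iptables HOWTOs he mentions have in mind. The interface names, the 192.168.0.0/24 LAN and the IPT_APPLY switch are hypothetical choices made for this example.

```shell
#!/bin/sh
# Added example (not the poster's script): a stateful, default-deny
# baseline for a NAT router with a LAN and a cable-modem interface.
# Hypothetical assumptions: eth0 is the LAN (192.168.0.0/24), eth1 the
# cable modem. Run as root with IPT_APPLY=1 to load the rules; by default
# the script only prints the iptables commands it would execute.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Run iptables, or in dry-run mode print the command instead.
ipt() {
    if [ -n "$IPT_DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

baseline_policy() {
    # Policies first, flush second: flushing while the policy is still
    # ACCEPT leaves the box open until the rules are back, and a script
    # that dies half-way through then fails open instead of closed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t nat -X
    ipt -t mangle -F
    ipt -t mangle -X
}

input_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the router opened, and ICMP errors about them
    # (RELATED), are accepted; malformed or untracked packets are dropped.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Anti-spoofing: a LAN source address can never legitimately arrive on
    # the cable modem. Without this, a rule that trusts "-s 192.168.0.0/16"
    # can be satisfied by anyone on the Internet.
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Answer pings from outside, rate-limited.
    ipt -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 5/second -j ACCEPT
    # Everything else from the WAN hits the DROP policy. That also closes
    # UDP and TCP ports above 1024, which a "--dport 0:1024 DROP" rule
    # under an ACCEPT policy leaves reachable.
}

forward_rules() {
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Same anti-spoofing check for transit traffic.
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # LAN hosts may open connections to the Internet. Unsolicited inbound
    # traffic is not forwarded unless a DNAT rule plus a matching ACCEPT is
    # added for each published service.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
}

nat_rules() {
    # Masquerade only LAN traffic leaving through the modem. A bare
    # "-A POSTROUTING -j MASQUERADE" also rewrites forwarded packets going
    # out eth0, so a LAN server reached via DNAT would see every client as
    # the router.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

if [ "${IPT_APPLY:-0}" = 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    baseline_policy
    input_rules
    forward_rules
    nat_rules
else
    IPT_DRY_RUN=1
    baseline_policy
    input_rules
    forward_rules
    nat_rules
fi
```

Compared with the ipchains-style version: the policy is set to DROP before the flush, so a reload never opens the box; UDP and high TCP ports on eth1 are closed by the policy rather than enumerated; packets carrying LAN source addresses that arrive on eth1 are dropped before any `-s 192.168.0.0/16` rule can accept them; and the masquerade is limited to LAN traffic leaving through eth1. The `-A FORWARD -i lo` rule from the original is omitted because loopback traffic is never forwarded.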
