LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-12-2001, 07:11 PM   #1
sundown
LQ Newbie
 
Registered: May 2001
Posts: 2

Rep: Reputation: 0
Unhappy


I am having real problems understanding Iptables. Listed below is the current rc.firewall running on my system. This is a modified copy of the firewall from
http://www.boingworld.com/workshops/...c.firewall.txt
This uses PPP as its internet connection. the problem i am having is that the linux box with the modem on it can NOT see the internet but all the other machines on the internal network can all use the internet with out any problems

I sure im an just missing a rule for the firewall any help would be appreached

Thanks


Tim

ps. i thinks its a DNS problem (Maybe)

LAN_IP_RANGE="192.168.200.0/24"
LAN_IP="192.168.200.2/32"
LAN_BCAST_ADRESS="192.168.200.255/32"
LOCALHOST_IP="192.168.200.190/32"
STATIC_IP="192.168.200.2/32"
INET_IFACE="ppp0"
LAN_IFACE="eth1"
IPTABLES="/usr/local/sbin/iptables"

#########
# Load all required IPTables modules
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc


#CRITICAL: Enable IP forwarding since it is disabled by default.
#
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the connection
# with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP FORWARDing and Masquerading
#
# NOTE: The following is an example for an internal LAN, where the lan
# runs on eth1, and the Internet is on eth0.
#
# Please change the network devices to match your own configuration.
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# set default policies for the INPUT, FORWARD and OUTPUT chains
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# the allowed chain for TCP connections
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established we ACCEPT the packages, if not we don't. This is
# where the state matching is performed also, we allow ESTABLISHED and
# RELATED packets.

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's
#

$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP


#
# INPUT chain
#
# establish the basic INPUT chain and filter the packets onto the correct
# chains.
#


$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# OUTPUT chain
#
# establish the basic OUTPUT chain and filter them onto the correct chain
#

$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
 
Old 05-31-2001, 08:44 AM   #2
drjimstuckinwin
Member
 
Registered: Mar 2001
Location: Manchester UK
Distribution: Mainly Fedora
Posts: 496

Rep: Reputation: 30
Hi
Did anyone come up with an answer to this? I've managed to sort a firewall script that works, but now have this same problem. Do I need to specify my DNS somewhere in the script?
Jim
 
Old 06-04-2001, 02:11 PM   #3
ektoric
LQ Newbie
 
Registered: Jun 2001
Location: Austin, TX
Distribution: FC5/6
Posts: 23

Rep: Reputation: 15
Same symptom!! I've been hunting for a solution for months now!! Any luck here?

Symptom: Linux box as gateway. Machines behind linux can see out just fine. the box itself can't. When pinging from the box, I've also noticed 98% packet drop (but some do get through).

All I know is that it *CAN* be resolved. I accidentally solved it once. i have absolutely *no* idea what I did =(
 
Old 06-05-2001, 01:38 AM   #4
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
While I am also waiting to be illuminated, I was wondering if iptables support has been declared secure yet? The last I heard there were a few bugz and the recommendation was to go to the old ipcahins route(no pun) unless you really needed statueful inspection (which I still haven't wrapped my tiny brain around).

I'm no expert on iptables, and what I see in the script does not offend me in any way, but it doesn't appear to do much more than ipchains. The fact that 'some' packets get through is really quite odd.

I'm guessing that when ipchains is stopped the host gateway behaves normally? If not I would have a look at the routing tables.

DNS sholdn't matter AFIK as we are dealing in ip addresses, not names.
 
Old 06-12-2001, 04:39 AM   #5
drjimstuckinwin
Member
 
Registered: Mar 2001
Location: Manchester UK
Distribution: Mainly Fedora
Posts: 496

Rep: Reputation: 30
Hi
Still can's figure this. Have Emailed Oskar Andreasson who wrote the tutorial, and am waiting to hear back. Anyone figured it yet?
Jim
 
Old 06-12-2001, 05:44 AM   #6
drjimstuckinwin
Member
 
Registered: Mar 2001
Location: Manchester UK
Distribution: Mainly Fedora
Posts: 496

Rep: Reputation: 30
OK
Oskar got back with a suggestion.

My current FW script is this...

#!/bin/sh

#firewall310501
#LAN_IP_RANGE="192.168.1.0/24"
#LAN_IP="192.168.1.1"
#LAN_B'CAST_ADDRESS="192.168.1.255/32"
#LOCALHOST_IP="172.0.0.1/32"
#INET_IFACE="ppp0"
#LAN_IFACE="eth0"
#IPTABLES="sbin/iptables"



echo "1" > /proc/sys/net/ipv4/ip_forward

echo "1" > /proc/sys/net/ipv4/ip_dynaddr
##echo "1" > /proc/sys/net/ipv4/ip_always_defrag
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/send_redirects

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -N icmp_packets
iptables -N tcp_packets
iptables -N udpincoming_packets

iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT


iptables -t nat -A PREROUTING -i ppp0 -s 192.168.1.0/16 -j DROP
iptables -t nat -A PREROUTING -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ppp0 -s 172.16.0.0/12 -j DROP

iptables -A INPUT -p ICMP -i ppp0 -j icmp_packets
iptables -A INPUT -p TCP -i ppp0 -j tcp_packets
iptables -A INPUT -p UDP -i ppp0 -j udpincoming_packets

iptables -A INPUT -p ALL -i eth0 -d 192.168.1.255/32 -j ACCEPT
iptables -A INPUT -p ALL -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -d 192.168.1.1 -j ACCEPT
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "


exit 0




Oskar got back to me with this...

Found your problem, and it was not a problem of the default rc.firewall file=)

First of all you do:

iptables -P OUTPUT DROP

Then further on you configure the OUTPUT chain:

iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

In other words, you set the default policy to DROP, then you allow localhost
+ your LAN IP to send packets. Problem is, you dont allow your internet
connection to send packets. Add something like the following and I hope it
will work:

iptables -A OUTPUT -p ALL -o ppp0 -j ACCEPT

This is a bit open, but heck, it'll allow your outgoing packets to go out.

I hope this will solve your problem.




So I did what he suggested. Now I can ping yahoo successfully, but Netscape etc, while clearly able to lookup the IP adds, don't seem to get anything back from the server. I think I need an input rule to allow stuff back, but remain bewildered! I guess Oskars original script works for his static IP. I've mailed him back again with the latest, and await further developments.

If Network Guru type Raz reads this, what do you think of the script (though I know you don't use IPTables)???

Regards
Jim





 
Old 06-12-2001, 06:05 AM   #7
drjimstuckinwin
Member
 
Registered: Mar 2001
Location: Manchester UK
Distribution: Mainly Fedora
Posts: 496

Rep: Reputation: 30
Latest from Oskar


Sent: Tuesday, June 12, 2001 11:57 AM
Subject: Re: IPTables tutorial


> Oopsy, my fault since i didn't test your script edited before replying.
> Anyways, you're not allowing replies back in again to your own connections.
> The best way I can see to fix this problem would be:
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> However, this way is flawed in several ways. It does rely on the
> statematching code though and it should be fairly secure. It is up to you to
> think about this though. The above proposed way will work, but might be a
> security risc.... perhaps add an state matching code for each port you will
> want to use, such as:
>
> iptables -A INPUT --source-port 80 -m state --state ESTABLISHED,RELATED -j \
> ACCEPT
>
>
> etc. That way you'll only allow certain ports, but it'll require yourself to
> open them etc.


Have to go in to work now, but will try this on my return.
 
Old 06-12-2001, 11:02 AM   #8
drjimstuckinwin
Member
 
Registered: Mar 2001
Location: Manchester UK
Distribution: Mainly Fedora
Posts: 496

Rep: Reputation: 30
Thumbs up

Problem solved!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Accessing a Linux Box From My PC Uberseehandel Linux - Newbie 3 04-21-2005 04:23 AM
Accessing my linux box by name on the LAN (from Windows) malbery Linux - Networking 2 12-07-2004 05:42 AM
Password Message Box when accessing linux box from Window Machine mikeccs Linux - Networking 1 08-04-2004 05:47 AM
Accessing internet from win98 through a linux box Usalabs Linux - Networking 31 02-16-2004 10:45 AM
accessing a windows box from linux Ůmegaflops Linux - Networking 3 07-26-2002 01:20 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration