iptables question

  • 25-03-2003 4:36pm
    #1
    Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭


    Hey guys,

    just getting my firewall box ready for tomorrow morning (getting an IBB install first thing), and a little unsure about a couple of the finer points of iptables port forwarding & NAT

    The relevant rules are quoted below
    EXTIP="x.x.x.x"
    INTIP="xx.x.x"
    EXTIF="eth0"
    INTIF="eth1"
    LAN="x.x.x.x/n"
    
    /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
    
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    [1]
    iptables -A FORWARD -i $EXTIF -m state --state RELATED, ESTABLISHED -j ACCEPT
    
    [2]
    iptables -A FORWARD -i $INTIF -s $LAN -p all -j ACCEPT
    
    [3]
    iptables -t nat -A POSTROUTING -s $LAN -o $EXTIF -j SNAT --to $EXTIP
    

    1. This will only allow external traffic through to the internal network for requests which have been made by machines on the internal network.

    2. This will allow external access to any traffic originating from within the internal network (I also have a spoofing rule defined elsewhere to discard incoming traffic on the external interface claiming to be from the LAN)

    3. This will NAT any traffic outbound from the internal network only


    Can anyone spot any holes in there? Or can anyone see anything that I'm overlooking. I'm intending to refine the rules further but I will need a basic script initially to avoid hassle getting (external) access running correctly. I'm planning to put in some ICMP rules later today.

    If anyone's curious, here's the script in its entirety:
    #!/bin/sh
    ##-----------------------------------------------------
    
    MODPROBE="/sbin/modprobe"
    IPTABLES="/sbin/iptables"
    
    EXTIP="x.x.x.x"
    INTIP="10.1.x.x"
    EXTIF="eth0"
    INTIF="eth1"
    BROADCAST="255.255.0.0"
    
    LAN="10.1.0.0/16"
    REMOTE="0/0"
    NAMESERVER="x.x.x.x"
    
    
    ##-----------------------------------------------------
    
    $MODPROBE ip_tables
    $MODPROBE ip_conntrack
    $MODPROBE ip_conntrack_ftp
    
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    
    # disable icmp redirect acceptance
    for iface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    	/bin/echo "0" > ${iface}
    done
    
    # log all spoofed, source-routed, & redirect packets
    /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    
    # enable ip forwarding
    /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
    
    
    ##-----------------------------------------------------
    # Flush & Reset rules
    
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    
    
    #Create a rule to log and drop packets.
    $IPTABLES -N LOGDROP 2>/dev/null
    $IPTABLES -A LOGDROP --proto tcp -j LOG --log-prefix "TCP Drop:"
    $IPTABLES -A LOGDROP --proto udp -j LOG --log-prefix "UDP Drop:"
    $IPTABLES -A LOGDROP -f -j LOG --log-prefix "FRAG Drop:"
    $IPTABLES -A LOGDROP -j DROP
    
    
    # A policy can only be a built-in target (ACCEPT or DROP), so the original
    # "-P INPUT -j LOGDROP" is invalid; unmatched input is sent to LOGDROP by
    # the last INPUT rule at the end of this script instead.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    
    
    # allow local interface traffic (Loopback)
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    
    
    # allow related/established inbound traffic
    $IPTABLES -A INPUT -i $EXTIF -m state --state RELATED, ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTIF -m state --state RELATED, ESTABLISHED -j ACCEPT
    
    
    # allow everything from internal network
    # (the ssh restriction must come before the blanket LAN accept, or it never matches)
    $IPTABLES -A INPUT -i $INTIF -s ! 10.1.x.n -p tcp --dport ssh -j LOGDROP
    $IPTABLES -A INPUT -i $INTIF -s $LAN -p all -j ACCEPT
    $IPTABLES -A OUTPUT -o $INTIF -d $LAN -p all -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -s $LAN -p all -j ACCEPT
    
    
    # Prevent Spoofing
    $IPTABLES -A INPUT -i $EXTIF -s $LAN -p all -j LOGDROP
    
    
    # NAT outgoing traffic
    $IPTABLES -t nat -A POSTROUTING -s $LAN -o $EXTIF -j SNAT --to $EXTIP
    
    
    #SYN-Flood protection
    $IPTABLES -N syn-flood
    $IPTABLES -A INPUT -i $EXTIF -p tcp --syn -j syn-flood
    $IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    $IPTABLES -A syn-flood -j DROP
    
    
    # anything not accepted above is logged and dropped
    $IPTABLES -A INPUT -j LOGDROP
    

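Before loading a script like the one above it is worth linting the rule text for the mistakes the shell will not warn about. This is an added example, not Lemming's script: it never calls iptables, only inspects rule lines, and its BUGGY and FIXED rulesets are constructed to mirror the posted script.

```shell
#!/bin/sh
# Added example (not from the thread): a dry-run linter for rulesets like the
# one posted above. It only inspects rule text for three mistakes that break
# such a script: a space inside the --state list, a -P policy that names a
# user-defined chain (only ACCEPT/DROP are valid there), and a misspelt
# /proc/sys path such as ip_foward.
set -f   # no globbing while rule lines are word-split below
# policy_target_ok LINE -> 0 if the line has no -P, or its target is built-in
policy_target_ok() {
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-P" ]; then
            [ $# -ge 3 ] || return 1
            shift 2                      # drop -P and the chain name
            [ "$1" = "-j" ] && shift     # tolerate the "-j CHAIN" form
            case "$1" in ACCEPT|DROP) return 0 ;; *) return 1 ;; esac
        fi
        shift
    done
    return 0
}
# lint_rule LINE -> diagnostics on stderr, returns 1 if anything is wrong
lint_rule() {
    _rc=0
    case "$1" in *"--state "*", "*)
        echo "space inside --state list: $1" >&2; _rc=1 ;; esac
    policy_target_ok "$1" || { echo "policy target must be ACCEPT or DROP: $1" >&2; _rc=1; }
    case "$1" in *ip_foward*|*icmp_gnore*)
        echo "misspelt /proc/sys path: $1" >&2; _rc=1 ;; esac
    return $_rc
}
# lint_ruleset TEXT -> prints the number of faulty lines (0 means clean)
lint_ruleset() {
    _bad=0
    while IFS= read -r _line; do
        lint_rule "$_line" || _bad=$((_bad + 1))
    done <<EOF
$1
EOF
    echo "$_bad"
}
# Constructed samples mirroring the posted script, before and after fixing.
BUGGY='iptables -P INPUT -j LOGDROP
echo 1 > /proc/sys/net/ipv4/ip_foward
iptables -A FORWARD -i eth0 -m state --state RELATED, ESTABLISHED -j ACCEPT'
FIXED='iptables -P INPUT DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j LOGDROP'
lint_ruleset "$BUGGY"   # prints 3
```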

Comments

  • Closed Accounts Posts: 741 ✭✭✭longword


    Looks fine to me.


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Hmmm .. I had a minor problem last night which I suspect is in the /proc config somewhere - that permission isn't being allowed to or from the box (the all_source command I suspect)

    And I need to add in my DNS & ICMP permissions....

    weeeeeeeeeeeeeeeee :D


  • Closed Accounts Posts: 741 ✭✭✭longword


    Not allowed a space in RELATED,ESTABLISHED


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    Lemming.

    modprobe ip_nat_ftp


  • Closed Accounts Posts: 741 ✭✭✭longword


    Good call Typedef. And with a decent kernel...
    modprobe ip_conntrack_irc ports=6667
    modprobe ip_nat_irc ports=6667


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    GAAAAAAAAAAAHHHHHHHHHHHHHHHHH


    I've had a symmetrical 512kb uncapped service since 11.30 this morning and I can't f*cking use it!!!

    One of my network cards decided to pack it in (onboard) and the only space I have left is an ISA slot ............

    Someone is going to f*cking die!!


    ps. incidentally, anyone got drivers for either a 3Com 3c509 b isa ethernet combo card or a genius ge2500 III SE isa ethernet combo card? :D


  • Closed Accounts Posts: 741 ✭✭✭longword


    Originally posted by Lemming
    ps. incidentally, anyone got drivers for either a 3Com 3c509 b isa ethernet combo card or a genius ge2500 III SE isa ethernet combo card? :D
    Both those cards are very well supported in every distribution by the 3c509 (used to be 3c5x9 ages ago) and ne modules respectively. However since you're in ISA land there may be some messing about with IRQs, IO ports, and PnP.

    3c509 cards almost always auto-detect fine without any module parameters. Check that it's using the right port though (10Base2/10BaseT/AUI).

    ne cards can be a bit tricky due to the sheer variety of them. If you're lucky and it's a well-behaved PnP card and your kernel supports PnP, ne will also work without parameters. But more often than not you'll have to figure out the card's settings yourself and supply the module parameters io and irq.


  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    ISA + Linux = Coffee + Late Nights.

    ISA Modems are like that girl you met when you were 14. Breaks your heart to think about it. Sniff Sniff.

    Mandrake 9.1 incidentally is a quantum leap in PNP, IMHO. You might try it.


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by longword
    Both those cards are very well supported in every distribution by the 3c509 (used to be 3c5x9 ages ago) and ne modules respectively. However since you're in ISA land there may be some messing about with IRQs, IO ports, and PnP.

    3c509 cards almost always auto-detect fine without any module parameters. Check that it's using the right port though (10Base2/10BaseT/AUI).

    I've had no problems getting the 3c509b cards picked up by linux. It's just getting the b*stard(s) to send/accept packets.

    I've gone so far as to disable PnP, specify IRQ (10) to the ISA slots in the BIOS, and then used a 3c5x9cfg.exe to access, configure, and test the ISA card, then set the IRQ and I/O levels in RedHat.

    I can get a light on the network switch, but just no traffic.... GAHHHHHHHHHH

    STRESSSSSSSSSS


    ne cards can be a bit tricky due to the sheer variety of them. If you're lucky and it's a well-behaved PnP card and your kernel supports PnP, ne will also work without parameters. But more often than not you'll have to figure out the card's settings yourself and supply the module parameters io and irq.

    I think I'm about to abandon the Genius card to its fate.

    Anyone want a GE2500III SE ISA card? :D


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    no

    go, buy thine box a linksys.


  • Registered Users, Registered Users 2 Posts: 43 peema


    Originally posted by Jaden
    ISA + Linux = Coffee + Late Nights.

    ISA Modems are like that girl you met when you were 14. Breaks your heart to think about it. Sniff Sniff.

    As opposed to the unbounded joy you had with a PCI Winmodem?

    While I'm sure there are now perfectly workable drivers for certain PCI DSP based modems, I had one fight too many with winmodems in my time...

    And yet people look at you funny when you say you use an external serial...


  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    I use :

    Internal PCI Network Cards
    External Serial Modems

    3COM are best for both IMHO.

    Nothing else.

    ISA Modems + NiCs = Bad
    USB Modems go asleep and don't wake up.
    Internal PCI modems are almost always Winmodems.

    ISDN devices nearly always behave themselves. Curious that.


  • Registered Users, Registered Users 2 Posts: 3,308 ✭✭✭quozl


    Originally posted by Jaden

    ISDN devices nearly always behave themselves. Curious that.
    ISDN devices are very simple, simpler than a modem. It stays digital, it's low speed, and it's been a standard since the 80's. 56k modems are much less standardised


  • Closed Accounts Posts: 741 ✭✭✭longword


    Originally posted by peema
    While I'm sure there are now perfectly workable drivers for certain PCI DSP based modems, I had one fight too many with winmodems in my time...
    I lost a battle just yesterday. Stupid Broadcom modem shipped with a high end Dell workstation (high end meaning a pair of 3GHz HT P4 CPUs!). Dell seem to have drivers that may work with one or two specific kernels on RedHat 7.2/7.3 but there seems to be no hope of getting the damn thing online in RedHat 8.0 let alone the forthcoming 9.0.


  • Registered Users, Registered Users 2 Posts: 4,484 ✭✭✭Gerry


    Originally posted by Lemming


    I can get a light on the network switch, but just no traffic.... GAHHHHHHHHHH

    Most network cards don't need to be initialized to display a link light. When you boot the machine, does the card get detected yes/no ? If you try to initialize the card, do you get any errors in your logs?

    I'd have to say at this point that I've never set up a 3c509 in linux, but I have 4 of them working in various netsoc machines in college under freebsd, no problems.


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Cheers for all the replies guys.

    Ok - where things stand now. I went and ran Ethereal on 2 of the three NICs in the machine.

    The Onboard (a Dec Tulip) which I thought had bjorked itself originally is in fact working, so I ripped the 3com ISA card out since I don't need it yet and will keep it for a rainy day (although it too appeared to be working)

    My problem now seems to be some sort of routing issue.

    I can't seem to get traffic out of my external NIC (to the W-ISP) despite being able to via a laptop connection using windows. So I suspect it is an iptables/routing issue.

    I have my default gateway set on the external card, and the internal card points to the external card, and network client machine(s) are pointing to the internal card address, so all seems logical there too.

    Any attempt to run, say,
    [user@boxname]-> ping -I eth0 www.urlname.com
    
    seems to be met with something along the lines of:

    Ping: sendmsg: Not permitted


  • Closed Accounts Posts: 741 ✭✭✭longword


    Sounds like an OUTPUT chain issue. Have a look there and see if it has the rules you think it should have. Maybe try setting the OUTPUT policy to ACCEPT.

    A dead handy command is iptables -vnL which shows all of your rules in detail, but more importantly it shows a packet and byte counter beside each rule. Check that your packets are hitting the rules you think they should.
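Longword's counter check, as an added example that is not from the thread: two small helpers that read "iptables -vnL" output and point at the two usual causes of the "sendmsg: Not permitted" ping failure quoted above, rules nothing has matched yet and traffic that fell through to a DROP policy. SAMPLE is constructed output, not a capture from Lemming's box.

```shell
#!/bin/sh
# Added example (not from the thread): helpers over "iptables -vnL" output.
# SAMPLE below is constructed to look like the listing from a firewall whose
# OUTPUT chain only accepts loopback, so every outbound ping hits the policy.
SAMPLE='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 28712 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       10.1.0.0/16          0.0.0.0/0
  812 61204 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 57 packets, 4788 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 28712 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0'

# idle_rules TEXT -> "CHAIN:n" for each rule (numbered within its chain) whose
# packet counter is still 0, i.e. nothing has matched it yet
idle_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /            { chain = $2; n = 0; next }
        /^ *pkts/ || NF == 0 { next }
        { n++; if ($1 + 0 == 0) print chain ":" n }'
}

# policy_hits TEXT -> "CHAIN:pkts" for each built-in chain whose default policy
# has counted packets: traffic that no ACCEPT rule claimed. "$5 + 0" also
# copes with the K/M suffixes iptables uses for large counters.
policy_hits() {
    printf '%s\n' "$1" | awk '
        /^Chain / && $3 == "(policy" && $5 + 0 > 0 { print $2 ":" $5 }'
}

idle_rules "$SAMPLE"    # INPUT:2
policy_hits "$SAMPLE"   # INPUT:12 and OUTPUT:57
```

On a live box feed it the real listing with `idle_rules "$(iptables -vnL)"`; a non-zero OUTPUT policy counter together with a DROP policy is exactly the "Not permitted" symptom.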


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Well .. here's the funny thing Longword.

    I reset the firewall to:
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    
    # INPUT rules
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i $INTIF -s $LAN -p all -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -s $DNS1 -p tcp -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -s $DNS2 -p tcp -j ACCEPT
    $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # OUTPUT rules
    
    # FORWARD rules
    
    # NAT outgoing traffic
    $IPTABLES -t nat -A POSTROUTING -s $LAN -o $EXTIF -j SNAT --to $EXTIP
    
    # Prevent Spoofing
    $IPTABLES -A INPUT -i $EXTIF -s $LAN -p all -j DROP
    

    So it's much more lax in its controls, although still sufficiently strict to prevent any unauthorised external access. And I still can't get anything.

    Running Ethereal and attempting to ping my ISP's gateway from my external NIC gets ARP requests of "Who has x.x.x.1 - Tell external nic ip"


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    W

    T

    F ... ??!!!!

    Ok .. check this out. I'm now using my broadband connection .....

    for some BIZARRE reason one of my NICs didn't like the fact that the wireless connection was 10BaseT and not 100BaseT. So all I basically did was swap the cables, and then reconfigure the ifconfig entries.


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    that would be the iptables gnome... messing with your head.


  • Registered Users, Registered Users 2 Posts: 14,149 ✭✭✭✭Lemming


    Originally posted by Typedef
    that would be the iptables gnome... messing with your head.

    hehe ... they want to mess with MY head?? Good luck to them ;)


    Nice to see the underpants gnomes have branched out to include the IT field ....

