Networking Firewall -> Iptables

Old 09-14-2004
Akede
Networking Firewall -> Iptables

Hello, all.
I'm rather new to Iptables and have been working on a firewall script.
All was going well for a while, but it appears that lately I've been
unable to forward some traffic to client machines on the network.
Essentially, I need to redirect specific ports off to specific clients
on the network. I've attached my current script.

Quick run down on my network setup; for those of you who know
Iptables or are willing to throw in your 1/50th of a dollar to help
out:

Gateway's IP is 192.168.1.1,
Client IPs range from 192.168.1.100 to 192.168.1.200.
Virtual IPs (Vmware clients, etc) Range from 192.168.1.10 to
192.168.1.50.

eth1 is my network card that's connected to the internet.
eth0 is the internal card, that all the clients are connected to.


All machines are directly connected to the gateway; I don't have a
specific cluster linked to another client, which then links to
another, and so on. That's pretty messy. Anyway, here is the script:

#!/bin/sh

ACTION=$1

IPT="/usr/sbin/iptables"

#interface to protect from, external network
INT="eth1"
#internal interface, the clients hang off this one
LOC="eth0"

#Clear old crap
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

#Create default policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

#enable IP forwarding for internal networking
echo 1 > /proc/sys/net/ipv4/ip_forward

#masquerade everything that leaves through the external interface
$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# This rule protects the forwarding rule.
$IPT -A FORWARD -i $INT -m state --state INVALID -j DROP


#Redirect some ports
#--BEGIN_REDIRECT
$IPT -t nat -A PREROUTING -i $INT -d 0.0.0.0/32 -p tcp --dport 6346 -j DNAT --to 192.168.1.100:6346
$IPT -t nat -A PREROUTING -i $INT -d 0.0.0.0/32 -p tcp --dport 35 -j DNAT --to 192.168.1.100:22
#--END


# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix "Firewall: "
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix "Dropwall: "
$IPT -A dropwall -j DROP

# Our "hey, thems some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix "Badflags: "
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# These rules accept connections from local(net) machines.
# The prefix length matters here: /24 and /16 cover the LAN,
# whereas a /0 mask has no network bits at all and would match
# every source address on the internet, making the DROP policy
# on INPUT meaningless. Binding the rules to $LOC also stops
# spoofed 192.168.x.x sources that arrive on $INT.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LOC -s 192.168.1.0/24 -j ACCEPT
$IPT -A INPUT -i $LOC -s 192.168.0.0/16 -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through
# (echo reply, destination unreachable, time exceeded, and
# rate-limited echo request).
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall


#first: enable SSH from LAN only, second: allow from anywhere
#$IPT -A INPUT -i $LOC -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

#open ports to the world
# These are services that terminate on the gateway itself.
# Traffic that PREROUTING has DNATed to a client never reaches
# INPUT; it goes through FORWARD instead, so a forwarded port
# does not need an entry here.
#--BEGIN_OPEN
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 20 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 35 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 6346 -j ACCEPT

#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 7002 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 6003 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 27010 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 27015 -j ACCEPT
#--END


# Lets do some basic state-matching. This allows us
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop port 137 netbios packets silently.
# We don't like that netbios stuff, and it's way too
# spammy with windows machines on the network.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent


# Our final trap. Everything on INPUT goes to the dropwall
# so we don't get silent drops.
$IPT -A INPUT -j dropwall




Essentially, what I'm looking for is for clients within the firewall to be
able to do whatever they want on the network without interruption.
When they need data on a specific port sent to them, the script is
modified from a PHP script that adds/removes the forwarding for them.
However, it doesn't appear to be forwarding any ports to clients; they
can use the internet and everything, but it won't forward ports to
their systems. Any suggestions as to why, or existing firewall scripts
that'll do this? (I've looked... for a while, anyway--didn't find any.
Got frustrated, started my own.)

Any help would be greatly appreciated.

Regards,
Michael
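A check worth running over a script like the one above before loading it, added here as an example and not part of the thread: iptables takes any prefix length without complaint, and two of them quietly change what a rule matches. An address written as a.b.c.d/0 keeps no network bits, so an ACCEPT rule in INPUT written that way matches every source on the internet and cancels the DROP policy; 0.0.0.0/32 is a single host address that no packet from the internet ever carries, so a rule keyed on it matches nothing. The function name check_masks and the sample lines (modelled on the posted rules, not the script itself) are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# check_masks reads iptables command lines from stdin and reports the two
# prefix-length mistakes described above. It prints one finding per bad
# address and returns 1 if it found any, 0 otherwise.

# Usage: check_masks < firewall.sh
check_masks() {
    found=0
    lineno=0
    set -f   # no globbing while we split rule lines into words
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        prev=""
        for word in $line; do
            # Only look at the argument that follows a source/destination flag.
            case $prev in
            -s|-d|--source|--destination)
                case $word in
                0.0.0.0/0|0/0|0.0.0.0/0.0.0.0)
                    ;;   # the conventional "any address"; nothing to report
                */0|*/0.0.0.0)
                    echo "line $lineno: '$prev $word' matches every address (a /0 mask has no network bits)"
                    found=1
                    ;;
                0.0.0.0/32|0.0.0.0)
                    echo "line $lineno: '$prev $word' matches only the single address 0.0.0.0"
                    found=1
                    ;;
                esac
                ;;
            esac
            prev=$word
        done
    done
    set +f
    return $found
}

# Constructed sample lines, modelled on the posted script (not the script itself).
sample_rules() {
    cat <<'EOF'
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/0 -d 0/0 -p all -j ACCEPT
$IPT -t nat -A PREROUTING -i eth1 -d 0.0.0.0/32 -p tcp --dport 35 -j DNAT --to 192.168.1.100:22
$IPT -A INPUT -i eth1 -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
EOF
}

# Run the check over the sample; lines 2 and 3 are reported.
if sample_rules | check_masks; then
    echo "no mask problems found"
else
    echo "review the rules listed above before loading the script"
fi
```

On the sample input the check reports line 2 (the /0 that opens INPUT to everyone) and line 3 (the /32 on 0.0.0.0 that makes the DNAT rule match nothing). Running it as check_masks < firewall.sh over a real script works the same way, since it only looks at the argument after -s or -d.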
Old 09-15-2004
Ken
Re: Networking Firewall -> Iptables

Hi Akede -

On 13 Sep 2004 22:27:36 -0700, akede2001@yahoo.com (Akede) wrote:

>#Redirect some ports
>#--BEGIN_REDIRECT
>$IPT -t nat -A PREROUTING -i $INT -d 0.0.0.0/32 -p tcp --dport 6346 -j DNAT --to 192.168.1.100:6346
>$IPT -t nat -A PREROUTING -i $INT -d 0.0.0.0/32 -p tcp --dport 35 -j DNAT --to 192.168.1.100:22
>#--END


The first problem I see is:
-d 0.0.0.0/32
You are making these rules apply only when the destination IP address
is exactly 0.0.0.0.

If you want it to apply to all destination IP addresses, you can use:
-d 0.0.0.0/0
or just omit the destination address information completely.

--
Ken
http://www.ke9nr.net/
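To put the fix from the reply above into the shape the PHP front end has to emit, here is an added example (not code from either post) that builds the two rules a port forward needs: the PREROUTING DNAT with the destination match omitted, and the matching FORWARD accept that is only redundant while the FORWARD policy is still ACCEPT. INT and LOC follow the original script; the function names port_forward_rules and apply_port_forward, and the input checks, are this example's own. The checks are there because the values come from a web form, and an unchecked value would be spliced straight into an iptables command run as root.

```shell
#!/bin/sh
# Added example, not code from the thread.
INT="eth1"                 # external interface, as in the posted script
LOC="eth0"                 # internal interface, as in the posted script
IPT="/usr/sbin/iptables"   # set IPT=echo to review the rules without root

# Usage: port_forward_rules EXT_PORT CLIENT_IP [CLIENT_PORT]
# Prints the iptables arguments for the two rules, one rule per line.
port_forward_rules() {
    ext_port=$1
    client_ip=$2
    client_port=${3:-$1}

    # Refuse anything that is not a plain port number in range or a
    # dotted-quad address; these strings end up on a root command line.
    case $ext_port in ''|*[!0-9]*) echo "bad port: $ext_port" >&2; return 1 ;; esac
    case $client_port in ''|*[!0-9]*) echo "bad port: $client_port" >&2; return 1 ;; esac
    [ "$ext_port" -ge 1 ] && [ "$ext_port" -le 65535 ] || { echo "port out of range: $ext_port" >&2; return 1; }
    [ "$client_port" -ge 1 ] && [ "$client_port" -le 65535 ] || { echo "port out of range: $client_port" >&2; return 1; }
    case $client_ip in ''|*[!0-9.]*) echo "bad address: $client_ip" >&2; return 1 ;; esac

    # 1. Rewrite the destination before routing. No -d is given, so the rule
    #    matches whatever public address the packet arrived with on $INT,
    #    which is what a gateway with a changing external address needs.
    #    (-d 0.0.0.0/32 would only match a packet addressed to 0.0.0.0.)
    printf '%s\n' "-t nat -A PREROUTING -i $INT -p tcp --dport $ext_port -j DNAT --to-destination $client_ip:$client_port"

    # 2. Let the rewritten packet through FORWARD. Redundant while the FORWARD
    #    policy is ACCEPT, but the moment that is tightened to DROP this is the
    #    rule that keeps the forward alive; the replies come back under the
    #    RELATED,ESTABLISHED match.
    printf '%s\n' "-A FORWARD -i $INT -o $LOC -d $client_ip -p tcp --dport $client_port -m state --state NEW -j ACCEPT"
}

# Feed each rule to $IPT. Word splitting of $args is intended here.
apply_port_forward() {
    port_forward_rules "$@" | while IFS= read -r args; do
        $IPT $args
    done
}
```

Two things to check after loading such rules: iptables -t nat -L PREROUTING -n -v shows a packet counter next to the DNAT rule, and it should climb when the port is hit from outside; if it stays at zero the rule is not matching, not the client. And test from outside the LAN, because the -i $INT match means a client inside the network that connects to the gateway's public address will never hit this rule (that case, hairpin NAT, needs an extra rule on the internal side).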