Firewall with Iptables

Stefan Malte Schumacher
      01-05-2008, 05:29 AM

Hello

I am currently in the process of writing a new firewall script. The
original script I was using was originally written for ipchains and
ported to iptables without using any of its new features. Now I wish
to take advantage of Netfilter's advanced features, especially
connection tracking.

The computer iptables is running on is used as a gateway for the other
computers in the local network as well as running some services like
Cups, Samba etc. It is connected to the Internet via a DSL-Modem
running as interface ppp0. I have used this -
http://www.linuxjournal.com/article/4815 - guide as a basis for
configuring the firewall but I am still running into some problems
which so far I have not been able to solve on my own.

According to my understanding the line I marked with ">>>" should
allow the computer to accept new incoming and forwarded connections on
every interface but ppp0. Unfortunately this is not working as it
should; I have to manually add an ACCEPT rule for eth0 and lo in order
to access the computer. Where is the error in the script? What I
would also like to know is whether the order in which new rules are
added is important. Should I put the lines in which I set the default
policies at the beginning, after flushing the tables, or at the end
like they are now?

Yours sincerely
Stefan Malte Schumacher




for i in filter nat
do
iptables -t $i -F
iptables -t $i -X
done

iptables -t filter -N tcprules

iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -t filter -A tcprules -i ! ppp0 -m state --state NEW -j ACCEPT

iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.99.0/24 -d 0/0 -j MASQUERADE

iptables -t filter -A INPUT -j tcprules
iptables -t filter -A FORWARD -j tcprules

iptables -t filter -A INPUT -i eth0 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -j ACCEPT
iptables -t filter -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i ppp0 -p tcp -m multiport --dports 4662,6881,6882,9866 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -m multiport --dports 4666,9866,12478 -j ACCEPT

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT


Greg Rusel
      01-05-2008, 06:26 AM
In news:ink355-(E-Mail Removed),
Stefan Malte Schumacher <(E-Mail Removed)> typed:

> The computer iptables is running on is used as a gateway for the other
> computers in the local network as well as running some services like
> Cups, Samba etc. It is connected to the Internet via a DSL-Modem
> running as interface ppp0. I have used this -
> http://www.linuxjournal.com/article/4815 - guide as a basis for
> configuring the firewall but I am still running into some problems
> which so far I have not been able to solve on my own.


Use the script located at
http://physics.ramapo.edu/downloads/...0040429.tar.gz
instead. It's simple and effective for your purpose.


selectron
      01-05-2008, 12:45 PM
I can point to the examples from iptables tutorial. They are simpler
too.
 
Pascal Hambourg
      01-05-2008, 02:57 PM
Hello,

Stefan Malte Schumacher wrote:
>
> I have used this - http://www.linuxjournal.com/article/4815


Hmm, 2001 - this is *very* old.

> According to my understanding the line I marked with ">>>" should
> allow the computer to accept new incoming and forwarded connection on
> every interface but ppp0. Unfortunately this is not working as it
> should, I have to manually add an ACCEPT-Rule for eth0 and lo in order
> to access the computer. Where is the error in the script ?


> iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>> iptables -t filter -A tcprules -i ! ppp0 -m state --state NEW -j ACCEPT

> iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP


The marked rule accepts only packets in the NEW state. You need to
accept packets in the ESTABLISHED and RELATED states too, else
connections will hang after the first packet. Usually there is a generic
rule at the beginning of the chain accepting packets in the ESTABLISHED
and RELATED states from any interface. So removing the "-i ppp0" in the
previous rule should do the trick.

> What I
> also would like to know if the order in which I new rules are added is
> important.


Yes it is. The rules in a chain are added and examined in order.

> Should I put the lines in which I set the default policies
> in the beginning after flushing the tables or in the end like they are
> now?


Flushing a chain which has ACCEPT default policy means that it accepts
everything, until some DROP rules are added or the policy is changed to
DROP. Flushing a chain which has DROP default policy means that it drops
everything until some ACCEPT rules are added.
 
Stefan Malte Schumacher
      01-05-2008, 05:53 PM
> The marked rule accepts only packets in the NEW state. You need to
> accept packets in the ESTABLISHED and RELATED states too, else
> connections will hang after the first packet. Usually there is a generic
> rule at the beginning of the chain accepting packets in the ESTABLISHED
> and RELATED states from any interface. So removing the "-i ppp0" in the
> previous rule should do the trick.



Thanks for the advice. I have changed the rule so that it accepts
anything on "! ppp0" regardless of its state, and now access to local
services and forwarding works fine without any additional ACCEPT lines
in the script.

Unfortunately another problem has arisen. I wish for a local service
(mldonkey) to be accessible from the internet, but despite the rules I
set in the marked lines connections from outside are not yet possible.
I have also tried to target the INPUT chain instead of my custom chain
tcprules, but the results are the same.


iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT

iptables -t filter -N tcprules

iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -t filter -A tcprules -i ! ppp0 -j ACCEPT

>>> iptables -t filter -A tcprules -i ppp0 -p tcp -m multiport --dports 4662,6881,6882,9866 -j ACCEPT
>>> iptables -t filter -A tcprules -i ppp0 -p udp -m multiport --dports 4666,9866,12478 -j ACCEPT


iptables -t filter -A INPUT -j tcprules
iptables -t filter -A FORWARD -j tcprules

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.99.0/24 -d 0/0 -j MASQUERADE


Yours sincerely
Stefan
 
Clifford Kite
      01-05-2008, 09:02 PM
Stefan Malte Schumacher <(E-Mail Removed)> wrote:

> Unfortunately another problem has arisen. I wish for a local service
> (mldonkey) to be accessible from the internet, but despite the rules I
> set in the marked lines connections from outside are not yet possible.

....

> iptables -t filter -P INPUT DROP
> iptables -t filter -P FORWARD DROP
> iptables -t filter -P OUTPUT ACCEPT
> iptables -t filter -N tcprules
> iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP
> iptables -t filter -A tcprules -i ! ppp0 -j ACCEPT
>
> >>> iptables -t filter -A tcprules -i ppp0 -p tcp -m multiport --dports 4662,6881,6882,9866 -j ACCEPT
> >>> iptables -t filter -A tcprules -i ppp0 -p udp -m multiport --dports 4666,9866,12478 -j ACCEPT


For access to a service on the Internet connection host you will also
need a rule equivalent to

iptables -A INPUT -p tcp --syn -j ACCEPT

> iptables -t filter -A INPUT -j tcprules
> iptables -t filter -A FORWARD -j tcprules
> iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.99.0/24 -d 0/0 -j MASQUERADE


--
Clifford Kite
/* ... packets usually cross many administrative boundaries on their way
from a source to a destination and often the only point of agreement
between those separate administrations is that all problems are someone
else's fault. --Van Jacobson, abstract of April 97 MSRI talk */
 
Andy Furniss
      01-06-2008, 02:57 PM
Stefan Malte Schumacher wrote:

> iptables -t filter -P INPUT DROP
> iptables -t filter -P FORWARD DROP
> iptables -t filter -P OUTPUT ACCEPT
>
> iptables -t filter -N tcprules
>
> iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP
> iptables -t filter -A tcprules -i ! ppp0 -j ACCEPT
>
> >>> iptables -t filter -A tcprules -i ppp0 -p tcp -m multiport --dports 4662,6881,6882,9866 -j ACCEPT
> >>> iptables -t filter -A tcprules -i ppp0 -p udp -m multiport --dports 4666,9866,12478 -j ACCEPT

>


You need these rules to be before the line above with the -j DROP.

Andy.


> iptables -t filter -A INPUT -j tcprules
> iptables -t filter -A FORWARD -j tcprules
>
> iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.99.0/24 -d 0/0 -j MASQUERADE
>
>
> Yours sincerely
> Stefan

 
Andy Furniss
      01-06-2008, 03:00 PM
Clifford Kite wrote:

> For access to a service on the Internet connection host you will also
> need a rule equivalent to
>
> iptables -A INPUT -p tcp --syn -j ACCEPT


I don't think you do if the port is open because of the ACCEPT.

Andy
 
Clifford Kite
      01-06-2008, 08:02 PM
Andy Furniss <(E-Mail Removed)> wrote:
> Clifford Kite wrote:


>> For access to a service on the Internet connection host you will also
>> need a rule equivalent to
>>
>> iptables -A INPUT -p tcp --syn -j ACCEPT


> I don't think you do if the port is open because of the ACCEPT


Is a port used to allow the initial SYN request access?

--
Clifford Kite
/* Those who can't write, write manuals. */
 
Andy Furniss
      01-06-2008, 08:59 PM
Clifford Kite wrote:
> Andy Furniss <(E-Mail Removed)> wrote:
>> Clifford Kite wrote:

>
>>> For access to a service on the Internet connection host you will also
>>> need a rule equivalent to
>>>
>>> iptables -A INPUT -p tcp --syn -j ACCEPT

>
>> I don't think you do if the port is open because of the ACCEPT

>
> Is a port used to allow the initial SYN request access?
>


If the port is open then a service on the firewall box will get the SYN.

I think your rule could allow access to all ports on the firewall, which
isn't what you want.

In this case you would have to use -I instead of -A, though, because the
tcprules DROP would mean nothing -i ppp0 would reach it anyway.

Andy.
 