iptables problem (two network interfaces)

07-01-2004, 02:17 PM

My lab:
Internet - PIX - DMZ - Debian box with two network cards - Intranet

PIX IP: 192.168.0.10
Debian eth0 IP: 192.168.0.11
Debian eth1 IP: 172.19.0.11

The debian box should seperate the internet/dmz from local lan
(intranet). IPtables should work as firewall. All traffic from lan ->
internet should be allowed. All traffic from internet -> lan should be
blocked except established connection opened from lan site.

I have a iptables script, but it seems that I have missconfigured
something. If I try to do a ping a website or a pop3 request to my
internet provider from my machine inside the lan (ip 172.19.l.55), I
get no answer. SSH access to the debian box is working.

Here my script, hopefully that someone can help me to figure out my
mistake. Thanks in advance.

# intranet
IFACE_INT=eth1

# internet
IFACE_EXT=eth0

# loopback
IFACE_LO=lo

# flush filters
iptables -F
iptables -t nat -F

iptables -X
iptables -t nat -X

# policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# accept ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# enable ip-Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# *** INPUT ***

# allow all from intranet
iptables -A INPUT -i $IFACE_INT -j ACCEPT

# no internet connection with a local ip!
iptables -A INPUT -i $IFACE_EXT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFACE_EXT -s 172.16.0.0/16 -j DROP

# allow established internet connection
iptables -A INPUT -i $IFACE_EXT -m state \
--state ESTABLISHED,RELATED -j ACCEPT

# *** FORWARD ***

# intranet -> internet allow all
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -j ACCEPT

# internet -> intranet only if for established connection
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -m state \
--state ESTABLISHED,RELATED -j ACCEPT

# *** OUTPUT ***

# intranet
iptables -A OUTPUT -o $IFACE_INT -j ACCEPT

# loopback
iptables -A OUTPUT -o $IFACE_LO -j ACCEPT

# internet
iptables -A OUTPUT -o $IFACE_EXT -j ACCEPT

# Masquerading
iptables -A POSTROUTING -o $IFACE_EXT -t nat -j MASQUERADE

07-04-2004, 11:22 AM

> iptables -t nat -F

You don't need this. "iptables -F" do what you want.

> # *** INPUT ***
> # no internet connection with a local ip!
> iptables -A INPUT -i $IFACE_EXT -s 10.0.0.0/8 -j DROP
> iptables -A INPUT -i $IFACE_EXT -s 172.16.0.0/16 -j DROP

You forgot "iptables -A INPUT -i $IFACE_EXT -s 192.168.0.0/24 -j DROP"

> # *** FORWARD ***
>
> # intranet -> internet allow all
> iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -j ACCEPT

You don't need to do that. Just do:
"iptables -A FORWARD -i $IFACE_INT -j ACCEPT"
The firewall knows that if it have to forward a packet from $IFACE_INT, it
knows that it have to be to $IFACE_EXT

> # internet -> intranet only if for established connection
> iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -m state \
> --state ESTABLISHED,RELATED -j ACCEPT

You don't need that. Just need this:
iptables -A FORWARD -m state \
--state ESTABLISHED,RELATED -j ACCEPT

To give your internal hosts permission to ping external hosts, append this
rules:

iptables -A OUTPUT -m state --state NEW -p icmp --icmp-type echo-request -j
ACCEPT
iptables -A FORWARD -m state --state NEW -i $IFACE_INT -p icmp --icmp-type
echo-request -j ACCEPT

I hope this could help.

Nuno Paquete.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
iptables question with multiple interfaces	phiveohtwo@gmail.com	Linux Networking	8	12-17-2007 01:48 AM
Problem with interfaces configuration file	tfeserver	Linux Networking	1	11-04-2007 08:40 PM
IPTables with Virtual Interfaces and Multiple Public IPs	martin.fowler@gmail.com	Linux Networking	2	08-08-2007 06:36 PM
IP Alias & IPtables, redirecting outbound traffic out specific interfaces	paul.groth@gmail.com	Linux Networking	1	05-09-2006 05:45 AM
Problem bringing up network interfaces with slackware	Madhusudan Singh	Linux Networking	1	08-09-2004 02:20 PM