about iptables

ParTizan
04-27-2006, 10:45 PM
Hi All,
I guess this is a simple question, but I couldn't find an answer on the
internet.

my setup:
dsl modem <---> linksys router+dhcp (192.168.1.1) <---> linux box (1 nic)

dhcp 192.168.1.1
dns1 71.0.0.1
dns1 151.0.0.2

iptables rules:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i eth0 -p udp -s 71.0.0.1 --sport domain -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 151.0.0.2 --sport domain -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -d 71.0.0.1 --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -d 151.0.0.2 --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT


What else do I need to add to be able to browse the internet from the Linux
box?
When I try lynx yahoo.com it says "making http connection to yahoo.com" and
then nothing.

thanks.

 

Grant
04-27-2006, 11:33 PM
On 27 Apr 2006 15:45:54 -0700, "ParTizan" <(E-Mail Removed)> wrote:

>Hi All,
>I guess, this is a simple question, but I couldn't find an answer in
>internet.
>
>my setup:
>dsl modem <---> linksys router+dhcp (192.168.1.1) <---> linux box (1
>nic)
>
>dhcp 192.168.1.1
>dns1 71.0.0.1
>dns1 151.0.0.2


Your firewall doesn't need to know about the DNS servers.

Bits of my firewall setup:
<http://bugsplatter.mine.nu/bash/firewall/> for net topology

rc.firewall:
....
X_LOCAL="eth0" # main local net: 100-Base-T
X_WORLD="ppp0" # expected ADSL modem interface
....
MSTATE="--match state --state"
....
report " policy"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

report " local"
iptables -A INPUT -p all $MSTATE ESTABLISHED,RELATED -j ACCEPT ##[1]
iptables -A INPUT -p all -i lo -j ACCEPT
iptables -A INPUT -p all -i $X_LOCAL -j ACCEPT
....
[1] This comes first; it allows expected traffic back into the box.

Now you need to add rules to allow incoming traffic; if you are not
offering services to the public, you don't need any.

Also:

# NAT table
# ``````````
# Perform SNAT or MASQUERADE for localnet to world connections

# Difference between SNAT and MASQUERADE?
# SNAT is more efficient for static public IP address, and established
# connections will survive a reconnect. MASQUERADE is for dynamic IP
# where established connections are dropped when link goes down as a
# new, likely different, IP address is expected on the next connection.

install_nat_table()
{
report " nat"
if [ -n "$IP_WORLD" ]; then
report " SNAT $IP_WORLD"
iptables -t nat -A POSTROUTING -o $X_WORLD \
-j SNAT --to-source $IP_WORLD
else
report " MASQUERADE"
iptables -t nat -A POSTROUTING -o $X_WORLD \
-j MASQUERADE
fi
}

[part of firewall startup, for context]

case $1 in
restart )
# called from ip-up when ADSL connection established, parameters:
# $1 restart -- anything else switches firewall to local mode
# $2 <interface> -- example ppp0
# $3 <IP>, optional -- if specified the output will be SNAT to the
# supplied IP address, otherwise MASQUERADE is used

install_firewall_local_mode
if [ -z "$2" ]; then
echo -e "\nrc.firewall: warning: restart without \c"
echo -e "<interface>, local mode running."
exit 0
else
X_WORLD=$2 # eg. ppp0
fi
if [ -z "$3" ]; then
IP_WORLD="" # MASQUERADE
else
IP_WORLD=$3 # SNAT to supplied IP address
fi
install_firewall_world_mode
echo -e "\n\nrc.firewall: finish: world mode running."
;;
....

Not posting the whole thing 'cos it's a ~600 line bash script.

Grant.
--
Memory fault -- brain fried
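The ruleset Grant describes, written out as a small script that is an added example here (not Grant's rc.firewall and not from the thread): Grant's permissive-OUTPUT base, a stricter variant that keeps the original poster's OUTPUT DROP intent by allowing only DNS, HTTP and HTTPS to start connections (the TCP 80/443 lines the poster's DNS-only rules were missing), and rate-limited logging of what the DROP policies discard. It assumes eth0 is the NIC facing the router; it only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not Grant's rc.firewall: stateful ruleset for a single-NIC
# box behind a NAT router, plus a stricter OUTPUT variant and drop logging.
# Dry run by default (prints the commands); APPLY=1 runs iptables for real.
WORLD="${WORLD:-eth0}"                      # assumed: the NIC facing the router
if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi

# Grant's five lines: anything may leave; only replies to the box's own
# connections (and RELATED traffic such as ICMP errors) may come back in.
base_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # First, so return traffic is accepted before any other INPUT rule is hit.
    $IPT -A INPUT -p all --match state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p all -i lo -j ACCEPT
}

# Keeps the OP's OUTPUT DROP intent: only DNS, HTTP and HTTPS may open new
# connections. The OP's rules had no TCP 80/443 lines, which is why lynx hung.
strict_output_rules() {
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -o "$WORLD" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for spec in "udp 53" "tcp 53" "tcp 80" "tcp 443"; do
        set -- $spec                        # $1 = protocol, $2 = port
        $IPT -A OUTPUT -o "$WORLD" -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
    done
}

# Log what a chain's DROP policy discards; appended last so only packets that
# matched nothing else reach it, and rate-limited so a scan cannot fill syslog.
log_drops() {
    $IPT -A "$1" -m limit --limit 5/min -j LOG --log-level info --log-prefix "fw_${1}_drop: "
}

# Usage: sh fw.sh [strict]  (prints commands)    APPLY=1 sh fw.sh [strict]
base_rules
if [ "${1:-}" = strict ]; then strict_output_rules; log_drops OUTPUT; fi
log_drops INPUT
```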
 

ParTizan
04-28-2006, 12:28 AM
Thanks! But do I really need all these settings?
As you can see, I'm already behind my router.

 

Grant
04-28-2006, 01:06 AM
On 27 Apr 2006 17:28:00 -0700, "ParTizan" <(E-Mail Removed)> wrote:

>thanks! but , do I really need all these settings?
>as you can see , I'm already behind my router.


Assuming you reply to me (pls quote context in replies), start with:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p all --match state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -i lo -j ACCEPT

for standalone (single box + modem) operation.

Those lines basically allow output from the box, but only expected
(requested) traffic can come back into the box. I suggest you
add some OUTPUT logging for debug, perhaps:

iptables -A OUTPUT -p all -o eth0 -j LOG --log-level info \
--log-prefix "fw_out: "

"--log-level info" sends to /var/log/messages; do a tail -f on the log
to watch the thing in action.

Grant.
--
Memory fault -- brain fried
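Watching the log with tail -f shows every packet; to see which destinations the box actually opens connections to, here is an added example (not from the thread) that summarises the kernel LOG lines Grant's OUTPUT rule writes with the "fw_out: " prefix, counting a TCP flow on its initial SYN and UDP on each datagram, and flags any destination port outside an allowlist. The log lines in sample_log are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the kernel LOG lines produced
# by Grant's OUTPUT logging rule (prefix "fw_out: ") and flag destination
# ports outside an allowlist. The lines in sample_log are constructed samples.
sample_log() {
    cat <<'EOF'
Apr 28 01:10:02 box kernel: fw_out: IN= OUT=eth0 SRC=192.168.1.10 DST=71.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32768 DPT=53 LEN=40
Apr 28 01:10:02 box kernel: fw_out: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 28 01:10:02 box kernel: fw_out: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Apr 28 01:10:03 box kernel: fw_out: IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 28 01:10:09 box kernel: fw_out: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40003 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# stdin: syslog lines. stdout: "<count> <proto> <dst> <dport>" per new outbound
# flow. TCP is counted only on SYN (not SYN/ACK) packets, UDP on every datagram,
# so the ESTABLISHED packets the rule also logs do not inflate the counts.
summarize_fw_log() {
    awk '/ fw_out: / {
        proto = ""; dst = ""; dpt = ""; syn = 0; ack = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i == "SYN") syn = 1
            else if ($i == "ACK") ack = 1
        }
        if (proto == "UDP" || (syn && !ack)) n[proto " " dst " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Flows whose destination port is not in the allowlist (default: DNS, HTTP,
# HTTPS). Anything listed here left the box without a rule you expected.
unexpected_outbound() {
    summarize_fw_log | awk -v allow="${1:-53 80 443}" '
        BEGIN { split(allow, a, " "); for (i in a) ok[a[i]] = 1 }
        !($4 in ok)'
}

# Usage: grep fw_out /var/log/messages | unexpected_outbound "53 80 443"
```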
 

ParTizan
04-28-2006, 01:30 AM
Thanks! It worked.


Grant wrote:
> On 27 Apr 2006 17:28:00 -0700, "ParTizan" <(E-Mail Removed)> wrote:
>
> >thanks! but , do I really need all these settings?
> >as you can see , I'm already behind my router.

>
> Assuming you reply to me (pls quote context in replies), start with:
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> iptables -A INPUT -p all --match state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p all -i lo -j ACCEPT
>
> for standalone (single box + modem) operation.
>
> Those lines basically allow output from box, but only expected
> (requested) traffic can come back into the box. I suggest you
> add some OUTPUT logging for debug, perhaps:
>
> iptables -A OUTPUT -p all -o eth0 -j LOG --log-level info \
> --log-prefix "fw_out: "
>
> "--log-level info" sends to /var/log/messages, do a tail -f on the log
> to watch the thing in action.
>
> Grant.
> --
> Memory fault -- brain fried


 