Networking Forums
Home Register Members Search Links
Member Login:

Networking Forums > Computer Networking > Linux Networking > Networking Firewall -> Iptables

Reply
Thread Tools Display Modes

Networking Firewall -> Iptables

 
 
Akede
Guest
Posts: n/a

 
      09-14-2004, 05:27 AM
Hello, all.
I'm rather new to Iptables and have been working on a firewall script.
All was going well for a while, but it appears that lately I've been
unable to forward some traffic to client machines on the network.
Essentially, I need to redirect specific ports off to specific clients
on the network. I've attached my currenty script.

Quick run down on my network setup; for those of you whom know
Iptables or are willing to throw in your 1/50th of a dollar to help
out:

Gateway's IP is 192.168.1.1,
Client IPs range from 192.168.1.100 to 192.168.1.200.
Virtual IPs (Vmware clients, etc) Range from 192.168.1.10 to
192.168.1.50.

eth1 is my network card that's connected to the internet.
eth0 is the internal card, that all the clients are connected to.


All machines are directly connected to the gateway; I don't have a
specific cluster linked to another client, which then links to
another, and so on. That's pretty messy. Anyway, here is the script:

#!/bin/sh

ACTION=$1

IPT="/usr/sbin/iptables"

#interface to protect from, external network
INT="eth1"
LOC="eth0"

#Clear old crap
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

#Create default policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

#enable IP forwarding for internal networking
echo 1 > /proc/sys/net/ipv4/ip_forward

$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# This rule protects fowarding rule.
$IPT -A FORWARD -i $INT -m state --state INVALID -j DROP


#Redirect some ports
#--BEGIN_REDIRECT
$IPT -t nat -A PREROUTING -i $INT -d 0.0.0.0/32 -p tcp --dport 6346 -j
DNAT --to 192.168.1.100:6346
$IPT -t nat -A PREROUTING -i $INT -d 0.0.0.0/32 -p tcp --dport 35 -j
DNAT --to 192.168.1.100:22
#--END


# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix
Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix
Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, thems some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix
Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local(net) machines.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/0 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 192.168.0.0/0 -d 0/0 -p all -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j
ACCEPT
$IPT -A INPUT -p icmp -j firewall


#first: enable SSH from LAN only, second: allow from anywhere
#$IPT -A INPUT -i $INT -s 192.168.1.0/0 -d 0/0 -p tcp --dport 22 -j
ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

#open ports to the world
# ports must be opened if you're going to forward it off
# to another machine within the network.
#--BEGIN_OPEN
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 20 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 35 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 6346 -j ACCEPT

#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 7002 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 6003 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 27010 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 27015 -j ACCEPT
#--END


# Lets do some basic state-matching. This allows us
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Uncomment to drop port 137 netbios packets silently.
# We don't like that netbios stuff, and it's way too
# spammy with windows machines on the network.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent


# Our final trap. Everything on INPUT goes to the dropwall
# so we don't get silent drops.
$IPT -A INPUT -j dropwall




Essentially, what I'm looking for is clients within the firewall to be
able to do whatever they want on the network without interruption.
When they need data on a specific port sent to them, the script is
modified from a PHP script that add/removes the forwarding for them.
However, it doesn't appear to be forwarding any ports to clients, they
can use the internet and everything; but it won't forward ports to
their systems. Any suggestions as to why, existing firewall scripts
that'll do this (I've looked.. for a while, anyway--didn't find any.
Got frustrated, started my own.)

Any help would be greatly appreciated.

Regards,
Michael
 
Reply With Quote
 
 
 
 
Ken
Guest
Posts: n/a

 
      09-15-2004, 03:06 AM
Hi Akede -

On 13 Sep 2004 22:27:36 -0700, (E-Mail Removed) (Akede) wrote:

>#Redirect some ports
>#--BEGIN_REDIRECT
>$IPT -t nat -A PREROUTING -i $INT -d 0.0.0.0/32 -p tcp --dport 6346 -j
>DNAT --to 192.168.1.100:6346
>$IPT -t nat -A PREROUTING -i $INT -d 0.0.0.0/32 -p tcp --dport 35 -j
>DNAT --to 192.168.1.100:22
>#--END

The first problem I see is:
-d 0.0.0.0/32
You are making these rules apply only when the destination IP address
is exactly 0.0.0.0.

If you want it to apply to all destination IP addresses, you can use:
-d 0.0.0.0/0
or just omit the destionation address information completely.

--
Ken
http://www.ke9nr.net/
 
Reply With Quote
Reply

« Rsync daemon problems | Fedora Core 2 Unbelievably slow »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables firewall do-over William Gill Linux Networking 4 06-19-2007 06:36 PM
Iptables Firewall & Ftp Matt Linux Networking 1 06-23-2004 12:49 AM
apm and iptables (firewall) Patricia McNeelege Linux Networking 1 02-27-2004 10:01 AM
Firewall with iptables Henry Linux Networking 1 08-17-2003 05:37 PM
Firewall with iptables Henry Linux Networking 1 07-10-2003 05:33 PM


Forum Software Powered by vBulletin®, Copyright Jelsoft Enterprises Ltd.
SEO by vBSEO 3.3.2 ©2009, Crawlability, Inc.
Contact Us - Archive - Privacy Statement - Top

1 2 3 4 5 6 7 8 9 10 11