Trouble while setting iptables

Arsenio Lupin
      11-11-2003, 07:21 PM
Hi,

I'm trying to set up a firewall with netfilter/iptables, increasing security
over the one I actually have, on the Linux box I use to share my ADSL modem
(USB). On this Linux box I also have two network cards that go to two clients
(the two subnets: 192.168.0.x/255.255.255.0 and 10.0.0.x/255.255.255.0).

The script I actually have (that works) is:

############## SCRIPT ACTUALLY WORKING ####################
set -x
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -F -t nat
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ! ppp0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i ! ppp0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i ! ppp0 -p tcp --dport 67:68 -j ACCEPT
iptables -A INPUT -i ! ppp0 -p udp --dport 67:68 -j ACCEPT
iptables -A INPUT -i ! ppp0 -p tcp --dport 2684:2686 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 6667 -j ACCEPT
iptables -A INPUT -p tcp --dport 7777 -j ACCEPT
iptables -A INPUT -p udp --dport 7777 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -A INPUT -p icmp --icmp-type 0 -j DROP
iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
# enable Masquerade and forwarding
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i eth0 -d 0/0 -j ACCEPT
iptables -A FORWARD -i eth1 -d 0/0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

################### END SCRIPT ACTUALLY WORKING ###############

Now, if I run another script (see below), built up from the one I actually
have, I can't navigate from anywhere; I also receive an error ("ping: sendmsg:
Operation not permitted" or "unknown host") when I ping the clients or the
web.
OK, there's something wrong, but why, if I run the working script again and/or
restart iptables, doesn't my network start working again?

################ SECOND SCRIPT ##################################
#### DEBUGGING ###
set -x

### Flush and delete every existing rule
iptables -F
iptables -F -t nat
iptables -X
iptables -Z

### Set the default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat -P POSTROUTING DROP
iptables -t nat -P PREROUTING DROP

### Enable forwarding of non-local packets
echo 1 > /proc/sys/net/ipv4/ip_forward
### Do not answer pings sent to the subnet broadcast address
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
### Ignore bogus ICMP error messages
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
### Do not accept ICMP route redirect packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
### ANTI-SPOOFING PROTECTION (reverse path filtering) ###
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
### LOG PACKETS WITH IMPOSSIBLE (MARTIAN) SOURCE ADDRESSES ###
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#### VARIABLES ####
# External public interface
EXTIF="ppp0"
# Internal private interfaces
INTIF_0="eth0"
INTIF_1="eth1"
# Internal LAN addresses: the two /24 subnets described above (a /8 mask here
# would also match addresses well outside the two LANs)
LANIN_0="192.168.0.0/24"
LANIN_1="10.0.0.0/24"
# DNS servers
DNS1="212.216.172.162"
DNS2="212.216.112.222"
# RFC address ranges reserved for private or special use, not routed on the Internet
LOOPBACK="127.0.0.0/8"
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s $LOOPBACK -j ACCEPT
iptables -A INPUT -d $LOOPBACK -j ACCEPT
iptables -A OUTPUT -d $LOOPBACK -j ACCEPT
iptables -A OUTPUT -s $LOOPBACK -j ACCEPT
# Rules allowing access to the Linux firewall from the internal network addresses
iptables -A INPUT -s $LANIN_0 -j ACCEPT
iptables -A INPUT -s $LANIN_1 -j ACCEPT
# DNS: rules allowing replies (from the two DNS servers specified) to DNS
# queries made by the local machine
iptables -A INPUT -i $EXTIF -p udp -s $DNS1 --sport 53 -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp -s $DNS2 --sport 53 -j ACCEPT
iptables -A INPUT -i $EXTIF -p tcp -s $DNS1 --sport 53 -j ACCEPT
iptables -A INPUT -i $EXTIF -p tcp -s $DNS2 --sport 53 -j ACCEPT
# Now from the clients
iptables -A INPUT -i ! $EXTIF -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i ! $EXTIF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i ! $EXTIF -p tcp --dport 67:68 -j ACCEPT
iptables -A INPUT -i ! $EXTIF -p udp --dport 67:68 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 5 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp -j LOG --log-prefix "ICMP drop:"
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Log what the catch-all REJECT below is about to refuse (must come before it,
# otherwise the rule is never reached)
iptables -A INPUT -i eth0 -j LOG --log-prefix "Default drop:"
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables -A FORWARD -i $INTIF_0 -d 0/0 -j ACCEPT
iptables -A FORWARD -i $INTIF_1 -d 0/0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
####################################################################

Thanks

--
Arsenio Lupin


Dino
      11-14-2003, 08:34 AM
Well, I didn't bother reading the configuration through. But...
it seems like the problem is in
> ### Set the default policies
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> iptables -t nat -P POSTROUTING DROP
> iptables -t nat -P PREROUTING DROP

This way you can't pass packets through.
I had the same idea as you (always setting the default to drop seemed more secure)
but it didn't work.
But I'd stick to a far easier configuration... you're not protecting a
NASA mainframe, I think.
Bye (or rather, ciao, since you're Italian like me :-)



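An added example, not code from either post, on the policy lines the reply points at. The symptoms in the question match them: a DROP policy on the filter table's OUTPUT chain blocks every packet the router itself generates, which the kernel reports as "ping: sendmsg: Operation not permitted", and name resolution fails ("unknown host") because the router's own DNS queries never leave, even though replies from DNS1 and DNS2 are allowed in. A DROP policy on the nat table's PREROUTING and POSTROUTING chains is worse: those chains see only the first packet of each connection, so every new connection arriving on any interface is dropped at PREROUTING, and at POSTROUTING anything the MASQUERADE rule does not match (a new connection from the router to one of its own LANs) is discarded too. Re-running the first script does not recover the box because `iptables -F` flushes rules but never touches chain policies, and that script sets policies only for INPUT and FORWARD; the DROP on OUTPUT and on the nat chains survives. The script below (mine, assuming the topology in the question: ppp0 outside, eth0 with 192.168.0.0/24 and eth1 with 10.0.0.0/24 inside) does three things: a reset that also restores every built-in policy, a stateful ruleset that keeps DROP policies only where filtering belongs, and an audit over `iptables-save` output that flags the policies that would break the router. It prints the commands instead of running them unless IPT is set to the real binary, and the `iptables-save` text it audits is constructed inline.

```shell
#!/bin/sh
# Added example (not code from the original thread). Assumes the poster's
# topology: ppp0 facing the Internet, eth0 = 192.168.0.0/24, eth1 = 10.0.0.0/24.
# IPT defaults to a dry-run that prints each command; set IPT=iptables and run
# as root to apply for real.
IPT="${IPT:-echo iptables}"
EXTIF="ppp0"

# 1. Reset. `iptables -F` removes rules but leaves chain policies alone, so a
#    DROP policy set on OUTPUT or on the nat chains by an earlier script outlives
#    a plain flush. Reset every built-in policy explicitly.
reset_firewall() {
    for table in filter nat; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
        $IPT -t "$table" -Z
    done
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
}

# Rules for one internal LAN. Binding the source subnet to its interface means a
# packet arriving on ppp0 with a LAN source address is not accepted.
lan_rules() {   # $1 = internal interface, $2 = its subnet
    $IPT -A INPUT -i "$1" -s "$2" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$1" -o "$EXTIF" -s "$2" -m state --state NEW -j ACCEPT
}

# 2. Load. DROP policies only in the filter table, and only on INPUT and
#    FORWARD: OUTPUT stays ACCEPT so the router can resolve names and ping, and
#    the nat chains stay ACCEPT because they see only the first packet of each
#    connection and are not the place to filter.
load_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    lan_rules eth0 192.168.0.0/24
    lan_rules eth1 10.0.0.0/24
    # Services exposed on the Internet side: only SSH here as an illustration;
    # add a rule per service that must actually be reachable from outside.
    $IPT -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# 3. Audit. Reads `iptables-save` text on stdin and prints "table chain" for
#    each built-in chain whose DROP policy breaks the router itself: OUTPUT in
#    the filter table, or any chain in the nat table.
audit_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/ && $2 == "DROP" {
            chain = substr($1, 2)
            if (table == "nat" || (table == "filter" && chain == "OUTPUT"))
                print table, chain
        }'
}

# Constructed sample of `iptables-save` output resembling the state the second
# script leaves behind (and the first script fails to undo).
SAMPLE_SAVE='*nat
:PREROUTING DROP [12:720]
:OUTPUT ACCEPT [0:0]
:POSTROUTING DROP [3:180]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [45:3420]
-A INPUT -i lo -j ACCEPT
COMMIT'

# Usage: printf '%s\n' "$SAMPLE_SAVE" | audit_policies
#        (on a live box: iptables-save | audit_policies)
#        reset_firewall && load_rules
```

On the sample, the audit reports `nat PREROUTING`, `nat POSTROUTING` and `filter OUTPUT`, which is exactly the set of policies the working script never resets. Running it against `iptables-save` on the box is a quicker diagnosis than re-reading the scripts, and `reset_firewall` is what the "working" script should start with so it can recover from any earlier ruleset.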