Hello All, At home i've setup a Firewall to protect the internal network and to do some NAT for internal machines WWW and mail recently and internal machine became a dual homed lan en wlan host. The internal network is 10.60.0.0 while the wlan net is 10.70.0.0 all traffic for 10.70.0.0 is being routed by the firewall(10.60.0.1) to 10.60.0.4 When there is no policy all works fine when i load my fwbuilder created policy. all connections are droppped with a any any drop rule. Still traffic is allowed from 10.60 to 10.70 and reversed. Anyone any idea's I've also included the fwbuilder script. Thx in advance for your input.

#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v1.0.9-1
#
# Generated Tue Jun 3 21:28:35 2003 CEST by ackron
#
#
#
# NOTE(review): the script was pasted into the mail without line breaks;
# the line breaks below are restored from the generator's usual layout and
# the comments marked "review" are reviewer annotations, not fwbuilder output.
#
# NOTE(review): on the question asked in the mail -- iptables walks each
# chain top to bottom and the first matching rule decides, and this script
# only ever appends (-A).  The 10.60.0.0/16 <-> 10.70.0.0/16 traffic is
# explicitly ACCEPTed by "Rule 0(eth1)" and "Rule 1(eth1)" on FORWARD (and
# again by "Rule 4(global)" and "Rule 8(global)"), all of which are appended
# before the "Rule 9(global)" catch-all DROP, so the catch-all never sees it.
# The interface rules and global Rule 4/8 are what has to change for that
# traffic to be blocked; the catch-all is correct as it is.

# Verify that a required tool exists and is executable.
#   $1 - tool name (used for the error message and as the lookup fallback)
#   $2 - explicit path; if empty, $1 is looked up via `which` on PATH
# Exits the whole script with status 1 when the tool is missing.
# review: F is re-resolved through `which` even when a full path was given,
# so the configured /sbin/... paths are only used as PATH lookup names.
check() {
    N=$1
    F=$2
    test "Z$F" = "Z" && F=$N
    F=`which $F 2>/dev/null`
    test ! -x "$F" && {
        echo "$1 not found or is not executable"
        exit 1
    }
}

# Send $1 to syslog at priority "info" when a logger binary is available;
# silently does nothing otherwise.
log() {
    test -x "$LOGGER" && logger -p info "$1"
}

# Counter for the FWB<n> address labels assigned by add_addr.
va_num=1
# Add address $1 with prefix length $2 to interface $3 unless `ip addr show`
# already lists it; newly added addresses get the label "<dev>:FWB<va_num>".
# Side effect: increments va_num for each address actually added.
add_addr() {
    addr=$1
    nm=$2
    dev=$3
    ( $IP -4 addr show dev $dev | grep -q "${addr}/" ) || {
        echo "$dev: $addr/$nm"
        $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
        va_num=$((va_num + 1))
    }
}

# Paths of the tools this script depends on.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"

check lsmod $LSMOD
check modprobe $MODPROBE
check iptables $IPTABLES
check ip $IP

cd /etc || exit 1

log "Activating firewall script generated Tue Jun 3 21:28:35 2003 CEST by ackron"

# Kernel networking sysctls.  Forwarding is switched off while the ruleset
# is rebuilt and switched back on by the last line of the script.
# review: FWD saves the previous ip_forward value but is never read again;
# the final line unconditionally writes 1.
FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

# Interface addressing for eth1: drop stale neighbour entries and any
# previously assigned FWB-labelled addresses, then (re)add 10.60.0.1/16.
$IP -4 neigh flush dev eth1
$IP -4 addr flush dev eth1 label "eth1:FWB*"
add_addr 10.60.0.1 16 eth1

# Default policies: everything not explicitly accepted below is dropped.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# Flush every chain in every loaded table, then delete the user-defined
# chains, so the rules below start from an empty ruleset.
cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
    $IPTABLES -t $table -X
done

#
# Rule 0(NAT)
#
# Port-forward FTP-data (src port 20), HTTP, HTTPS, FTP and SMTP arriving
# on ppp0 or eth0 to the LAN server 10.60.0.4.
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --source-port 20 --destination-port 1024:65535 -j DNAT --to-destination 10.60.0.4
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp -m multiport --destination-ports 80,443,21,25 -j DNAT --to-destination 10.60.0.4
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --source-port 20 --destination-port 1024:65535 -j DNAT --to-destination 10.60.0.4
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -m multiport --destination-ports 80,443,21,25 -j DNAT --to-destination 10.60.0.4
#
# Rule 1(NAT)
#
# Port-forward tcp/6699 and udp/6257 to 10.60.0.3.
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --destination-port 6699 -j DNAT --to-destination 10.60.0.3
$IPTABLES -t nat -A PREROUTING -i ppp0 -p udp --destination-port 6257 -j DNAT --to-destination 10.60.0.3
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --destination-port 6699 -j DNAT --to-destination 10.60.0.3
$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --destination-port 6257 -j DNAT --to-destination 10.60.0.3
#
# Rule 2(NAT)
#
# External port 2500 is redirected to SMTP (25) on 10.60.0.4.
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --destination-port 2500 -j DNAT --to-destination 10.60.0.4:25
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --destination-port 2500 -j DNAT --to-destination 10.60.0.4:25
#
# Rule 3(NAT)
#
# Masquerade the firewall itself and both internal networks on the way out
# of ppp0 and eth0.
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 10.60.0.1 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.60.0.1 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 10.60.0.0/16 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 10.70.0.0/16 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.60.0.0/16 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.70.0.0/16 -j MASQUERADE
#
#
# review: "drop" is not one of the standard iptables table names, so this
# line most likely fails at load time; with /bin/sh and no `set -e` the
# script just continues, and nothing else references the DROPPING chain.
$IPTABLES -t drop -A DROPPING -j LOG --log-level info --log-prefix "RULE %N -- %A "
# Stateful shortcut: packets belonging to an already accepted connection
# bypass the per-rule chains below.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(ppp0)
#
# Any new connection originated by the firewall out of ppp0 is logged and
# accepted.
$IPTABLES -N ppp0_Out_RULE_0
$IPTABLES -A OUTPUT -o ppp0 -m state --state NEW -j ppp0_Out_RULE_0
$IPTABLES -A ppp0_Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A ppp0_Out_RULE_0 -j ACCEPT
#
# Rule 1(ppp0)
#
# Anti-spoofing rule
# Inbound packets on ppp0 claiming an internal (10/8) source are dropped.
$IPTABLES -N ppp0_In_RULE_1
$IPTABLES -A INPUT -i ppp0 -s 10.60.0.1 -j ppp0_In_RULE_1
$IPTABLES -A INPUT -i ppp0 -s 10.0.0.0/8 -j ppp0_In_RULE_1
$IPTABLES -A FORWARD -i ppp0 -s 10.60.0.1 -j ppp0_In_RULE_1
$IPTABLES -A FORWARD -i ppp0 -s 10.0.0.0/8 -j ppp0_In_RULE_1
$IPTABLES -A ppp0_In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DROP "
$IPTABLES -A ppp0_In_RULE_1 -j DROP
#
# Rule 2(ppp0)
#
# Anti-spoofing rule
# Outbound on ppp0: the OUTPUT chain RETURNs on every packet, so its DROP
# line below is unreachable; the FORWARD chain RETURNs (i.e. continues) for
# 10/8 sources and drops anything else that tries to leave via ppp0.
$IPTABLES -N Cid3E21C940.0
$IPTABLES -A OUTPUT -o ppp0 -j Cid3E21C940.0
$IPTABLES -A Cid3E21C940.0 -o ppp0 -j RETURN
$IPTABLES -A Cid3E21C940.0 -o ppp0 -j DROP
$IPTABLES -N Cid3E21C940.1
$IPTABLES -A FORWARD -o ppp0 -j Cid3E21C940.1
$IPTABLES -A Cid3E21C940.1 -o ppp0 -s 10.60.0.1 -j RETURN
$IPTABLES -A Cid3E21C940.1 -o ppp0 -s 10.0.0.0/8 -j RETURN
$IPTABLES -N ppp0_Out_RULE_2_3
$IPTABLES -A Cid3E21C940.1 -o ppp0 -j ppp0_Out_RULE_2_3
$IPTABLES -A ppp0_Out_RULE_2_3 -j LOG --log-level info --log-prefix "RULE 2 -- DROP "
$IPTABLES -A ppp0_Out_RULE_2_3 -j DROP
#
# Rule 0(eth1)
#
# review: this is the first of the rules that let the WLAN -> LAN traffic
# through.  New connections from 10.70.0.0/16 to 10.60.0.0/16 are logged
# with prefix "TEST-1" and ACCEPTed on INPUT and FORWARD.
$IPTABLES -N eth1_In_RULE_0
$IPTABLES -A INPUT -i eth1 -s 10.70.0.0/16 -d 10.60.0.0/16 -m state --state NEW -j eth1_In_RULE_0
$IPTABLES -A FORWARD -i eth1 -s 10.70.0.0/16 -d 10.60.0.0/16 -m state --state NEW -j eth1_In_RULE_0
$IPTABLES -A eth1_In_RULE_0 -j LOG --log-level info --log-prefix "TEST-1"
$IPTABLES -A eth1_In_RULE_0 -j ACCEPT
$IPTABLES -N eth1_Out_RULE_0
$IPTABLES -A FORWARD -o eth1 -s 10.70.0.0/16 -d 10.60.0.0/16 -m state --state NEW -j eth1_Out_RULE_0
$IPTABLES -A eth1_Out_RULE_0 -j LOG --log-level info --log-prefix "TEST-1"
$IPTABLES -A eth1_Out_RULE_0 -j ACCEPT
#
# Rule 1(eth1)
#
# review: the reverse direction, LAN -> WLAN, is ACCEPTed here in the same
# way (log prefix "TEST-2"), again before any global rule is consulted.
$IPTABLES -N eth1_In_RULE_1
$IPTABLES -A FORWARD -i eth1 -s 10.60.0.0/16 -d 10.70.0.0/16 -m state --state NEW -j eth1_In_RULE_1
$IPTABLES -A eth1_In_RULE_1 -j LOG --log-level info --log-prefix "TEST-2"
$IPTABLES -A eth1_In_RULE_1 -j ACCEPT
$IPTABLES -N eth1_Out_RULE_1
$IPTABLES -A OUTPUT -o eth1 -s 10.60.0.0/16 -d 10.70.0.0/16 -m state --state NEW -j eth1_Out_RULE_1
$IPTABLES -A FORWARD -o eth1 -s 10.60.0.0/16 -d 10.70.0.0/16 -m state --state NEW -j eth1_Out_RULE_1
$IPTABLES -A eth1_Out_RULE_1 -j LOG --log-level info --log-prefix "TEST-2"
$IPTABLES -A eth1_Out_RULE_1 -j ACCEPT
#
# Rule 0(global)
#
# ssh access to firewall
# review: the INPUT line has no source or interface restriction, so ssh to
# the firewall is open on every interface, ppp0 included.
$IPTABLES -A OUTPUT -p tcp -d 10.60.0.1 --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
#
# Rule 1(global)
#
# Accept tcp/6699 and udp/6257 to the firewall and to 10.60.0.3.
$IPTABLES -N RULE_1
$IPTABLES -A OUTPUT -p tcp -d 10.60.0.1 --destination-port 6699 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p udp -d 10.60.0.1 --destination-port 6257 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p tcp -d 10.60.0.3 --destination-port 6699 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p udp -d 10.60.0.3 --destination-port 6257 -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p tcp --destination-port 6699 -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p udp --destination-port 6257 -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p tcp -d 10.60.0.3 --destination-port 6699 -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p udp -d 10.60.0.3 --destination-port 6257 -m state --state NEW -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A RULE_1 -j ACCEPT
#
# Rule 2(global)
#
# Accept the DNAT'ed services (FTP-data, FTP, HTTP, HTTPS, SMTP, 2500) to
# the firewall and to 10.60.0.4.
# review: the INPUT "--source-port 20 --destination-port 1024:65535" line
# accepts any NEW TCP connection to any unprivileged port on the firewall
# itself as long as the remote side uses source port 20, from any
# interface.  Active-FTP data channels are better matched as RELATED via
# the ftp conntrack helper than by trusting the source port.
$IPTABLES -N RULE_2
$IPTABLES -A OUTPUT -p tcp --source-port 20 -d 10.60.0.1 --destination-port 1024:65535 -m state --state NEW -j RULE_2
$IPTABLES -A OUTPUT -p tcp -m multiport -d 10.60.0.1 --destination-ports 21,80,443,2500,25 -m state --state NEW -j RULE_2
$IPTABLES -A OUTPUT -p tcp --source-port 20 -d 10.60.0.4 --destination-port 1024:65535 -m state --state NEW -j RULE_2
$IPTABLES -A OUTPUT -p tcp -m multiport -d 10.60.0.4 --destination-ports 21,80,443,2500,25 -m state --state NEW -j RULE_2
$IPTABLES -A INPUT -p tcp --source-port 20 --destination-port 1024:65535 -m state --state NEW -j RULE_2
$IPTABLES -A INPUT -p tcp -m multiport --destination-ports 21,80,443,2500,25 -m state --state NEW -j RULE_2
$IPTABLES -A FORWARD -p tcp --source-port 20 -d 10.60.0.4 --destination-port 1024:65535 -m state --state NEW -j RULE_2
$IPTABLES -A FORWARD -p tcp -m multiport -d 10.60.0.4 --destination-ports 21,80,443,2500,25 -m state --state NEW -j RULE_2
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A RULE_2 -j ACCEPT
#
# Rule 3(global)
#
# Accept tcp/9999 to the firewall from 10.60.0.4 only.
$IPTABLES -N RULE_3
$IPTABLES -A INPUT -p tcp -s 10.60.0.4 --destination-port 9999 -m state --state NEW -j RULE_3
$IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT "
$IPTABLES -A RULE_3 -j ACCEPT
#
# Rule 4(global)
#
# review: this rule accepts every NEW connection whose source or
# destination is in 10.60.0.0/16 or 10.70.0.0/16, on INPUT, OUTPUT and
# FORWARD.  On its own it would already let LAN <-> WLAN traffic through
# even without the eth1 interface rules above.
$IPTABLES -N RULE_4
$IPTABLES -A INPUT -s 10.60.0.1 -m state --state NEW -j RULE_4
$IPTABLES -A OUTPUT -d 10.60.0.1 -m state --state NEW -j RULE_4
$IPTABLES -A OUTPUT -d 10.60.0.0/16 -m state --state NEW -j RULE_4
$IPTABLES -A OUTPUT -d 10.70.0.0/16 -m state --state NEW -j RULE_4
$IPTABLES -A INPUT -s 10.70.0.0/16 -m state --state NEW -j RULE_4
$IPTABLES -A INPUT -s 10.60.0.0/16 -m state --state NEW -j RULE_4
$IPTABLES -N Cid3EDC01C0.0
$IPTABLES -A OUTPUT -s 10.70.0.0/16 -m state --state NEW -j Cid3EDC01C0.0
$IPTABLES -A OUTPUT -s 10.60.0.0/16 -m state --state NEW -j Cid3EDC01C0.0
$IPTABLES -A Cid3EDC01C0.0 -d 10.60.0.0/16 -m state --state NEW -j RULE_4
$IPTABLES -A Cid3EDC01C0.0 -d 10.70.0.0/16 -m state --state NEW -j RULE_4
$IPTABLES -N Cid3EDC01C0.1
$IPTABLES -A INPUT -s 10.70.0.0/16 -m state --state NEW -j Cid3EDC01C0.1
$IPTABLES -A INPUT -s 10.60.0.0/16 -m state --state NEW -j Cid3EDC01C0.1
$IPTABLES -A Cid3EDC01C0.1 -d 10.60.0.0/16 -m state --state NEW -j RULE_4
$IPTABLES -A Cid3EDC01C0.1 -d 10.70.0.0/16 -m state --state NEW -j RULE_4
$IPTABLES -N Cid3EDC01C0.2
$IPTABLES -A FORWARD -s 10.70.0.0/16 -m state --state NEW -j Cid3EDC01C0.2
$IPTABLES -A FORWARD -s 10.60.0.0/16 -m state --state NEW -j Cid3EDC01C0.2
$IPTABLES -A Cid3EDC01C0.2 -d 10.60.0.0/16 -m state --state NEW -j RULE_4
$IPTABLES -A Cid3EDC01C0.2 -d 10.70.0.0/16 -m state --state NEW -j RULE_4
$IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT "
$IPTABLES -A RULE_4 -j ACCEPT
#
# Rule 5(global)
#
# review: "-A INPUT -j RULE_5" matches every packet that reaches it, so
# all INPUT rules appended after this point (Rules 6, 7 and 8) are dead;
# likewise everything the firewall sends to its own 10.60.0.1 address that
# was not accepted above is dropped here.  If this is the "any any drop"
# from the mail, note that it is not on FORWARD at all.
$IPTABLES -N RULE_5
$IPTABLES -A OUTPUT -d 10.60.0.1 -j RULE_5
$IPTABLES -A INPUT -j RULE_5
$IPTABLES -A RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- DROP "
$IPTABLES -A RULE_5 -j DROP
#
# Rule 6(global)
#
# firewall uses DNS server on LAN
# (the INPUT line is unreachable because of Rule 5 above)
$IPTABLES -A INPUT -p udp -s 10.60.0.1 --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d 10.60.0.1 --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d 10.60.0.0/16 --destination-port 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d 10.70.0.0/16 --destination-port 53 -m state --state NEW -j ACCEPT
#
# Rule 7(global)
#
# Every NEW connection originated by the firewall is accepted; the OUTPUT
# DROP policy therefore only applies to packets in no tracked state.
$IPTABLES -A INPUT -s 10.60.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
#
# Rule 8(global)
#
# 'masquerading' rule
# review: the two FORWARD lines accept every NEW connection sourced from
# either internal network regardless of destination -- a third place where
# LAN <-> WLAN traffic is let through before the catch-all.
$IPTABLES -A INPUT -s 10.60.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 10.60.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s 10.70.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 10.60.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 10.70.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 10.60.0.0/16 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 10.70.0.0/16 -m state --state NEW -j ACCEPT
#
# Rule 9(global)
#
# 'catch all' rule
# Logged default DROP for whatever the rules above did not match; it is the
# last rule appended, so it only sees traffic no earlier rule accepted.
$IPTABLES -N RULE_9
$IPTABLES -A OUTPUT -j RULE_9
$IPTABLES -A INPUT -j RULE_9
$IPTABLES -A FORWARD -j RULE_9
$IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "- Rule 9 - Default DROP"
$IPTABLES -A RULE_9 -j DROP
#
#
# Re-enable routing now that the ruleset is in place (the saved FWD value
# is not consulted).
echo 1 > /proc/sys/net/ipv4/ip_forward