Postrouting problem with Sarge firewall
Hi All
I have a Debian Sarge firewall box set up with a PII 300, 64 MB RAM and an Intel
Pro NIC. The box is connected to the internet via a USB ISDN modem.
Since it is a dial up connection, public ip is assigned dynamically
every time it is connected. This however causes major grief so far.
The machine is scheduled to reconnect to the internet twice a day due
to the connection duration limit set by the ISP.
The network diagram is:
Internet <------> ppp0 dynamically assigned ip firewall <------->
Internal network 192.168.1.0/24 eth0
Inside the internal network there is an Asterisk PBX box running a telephony
application. As a result I used the stock standard firewall script and
added port forwarding to it. The firewall script is below:
#!/bin/sh
#
# rc.firewall-2.4-stronger
#
FWVER=0.77s
echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=/bin/grep
AWK=/usr/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
#Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="ppp0"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " ---"
# Get dynamically assigned External IP
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#
#EXTIP="your.static.PPP.address"
echo " External IP: $EXTIP"
echo " ---"
# Assign the internal TCP/IP network and IP address
INTNET="192.168.1.0/24"
INTIP="192.168.1.1"
echo " Internal Network: $INTNET"
echo " Internal IP: $INTIP"
echo " ---"
# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"
UNPRIVPORTS="1024:65535"
PRIVPORTS="0:1024"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo -en " Loading kernel modules: "
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
$INSMOD ip_tables
fi
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
$INSMOD ip_conntrack
fi
#
echo -en "ip_conntrack_ftp, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
$INSMOD ip_conntrack_ftp
fi
#
echo -en " ip_conntrack_irc, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
$INSMOD ip_conntrack_irc
fi
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
$INSMOD iptable_nat
fi
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
$INSMOD ip_nat_ftp
fi
echo " ---"
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " ---"
echo " Clearing any existing rules and setting default policy to REJECT.."
$IPTABLES -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t filter
$IPTABLES -F -t mangle
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
#
# Reset all IPTABLES counters
$IPTABLES -Z
echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT
echo -e "\n - Loading INPUT rulesets"
# local host
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
# local network
$IPTABLES -t filter -A OUTPUT -o $INTIF -j ACCEPT
$IPTABLES -t filter -A INPUT -i $INTIF -j ACCEPT
# known hosts
$IPTABLES -t filter -A INPUT -i $EXTIF -s 218.214.35.158 \
-d $EXTIP -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $EXTIF -d 218.214.35.158 \
-s $EXTIP -j ACCEPT
#Masquerade
$IPTABLES -t nat -A POSTROUTING -s $INTNET -j SNAT --to-source $EXTIP
#Established and related connection allowed
$IPTABLES -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow internal network to establish new connection
$IPTABLES -t filter -A FORWARD -s $INTNET -d $UNIVERSE -m state --state NEW -j ACCEPT
###############################################################################################
$IPTABLES -t filter -A INPUT -p tcp \
-s $UNIVERSE --sport $UNPRIVPORTS \
-d $EXTIP --dport 22 \
-j ACCEPT
$IPTABLES -t filter -A OUTPUT -p tcp \
-d $UNIVERSE --dport $UNPRIVPORTS \
-s $EXTIP --sport 22 \
-j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --dport 4569 \
-j DNAT --to-destination 192.168.1.10
$IPTABLES -t filter -A FORWARD -s $UNIVERSE -d 192.168.1.10 \
-m state --state NEW,ESTABLISHED,RELATED \
-p udp --dport 4569 -j ACCEPT
echo -e "\nDone.\n"
This firewall script somehow works intermittently. When it disconnects
and reconnects to the ISP, the postrouting rules do not seem to
translate the internal address of the PBX server to the current public IP
address and as a result the packets from the other end cannot come back
to the PBX box.
Any suggestions as to why it does not follow the rules are most appreciated.
David Kwok
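Added example, not part of David's post or of the rc.firewall script it is based on. The script captures the ppp0 address once into $EXTIP and bakes it into "-j SNAT --to-source $EXTIP"; after a redial that rule (and the DNAT/INPUT rules matching on $EXTIP) still refer to the old address, which is exactly the symptom described. The hook below rebuilds the NAT rules with the link's current address each time pppd brings ppp0 up. It assumes the interface names, 192.168.1.0/24 and the 192.168.1.10 PBX from the post, and that pppd invokes /etc/ppp/ip-up.d/* with $1 = interface name and $4 = local IP address, as documented in pppd(8). The stale_snat_rules check is a constructed helper for spotting the old rule on a running box.

```sh
#!/bin/sh
# Added example (not the original rc.firewall): /etc/ppp/ip-up.d/50-nat
# Rebuilds NAT rules with the CURRENT ppp0 address on every (re)connect.
# Assumed: pppd passes $1 = interface, $4 = local IP (pppd(8) ip-up args).

IPTABLES=${IPTABLES:-/sbin/iptables}
INTNET=192.168.1.0/24
PBX=192.168.1.10          # Asterisk box from the post; IAX2 is udp/4569

# Extract the first IPv4 address from an interface dump on stdin, accepting
# both ifconfig ("inet addr:203.0.113.45 ...") and ip ("inet 203.0.113.45
# peer ...") output. Prints nothing if the interface has no address yet,
# which is safer than the original awk that could yield a garbage $EXTIP.
extip_from_ifconfig() {
    sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9][0-9.]*\).*/\2/p' | head -n 1
}

# Print (not run) the NAT rules for an interface and its current address.
# MASQUERADE replaces "SNAT --to-source": it picks up the interface's address
# at transmit time and forgets its conntrack entries when the link goes down,
# which is the behaviour a dial-up link needs. The DNAT still matches on the
# address, so it is regenerated from the value pppd hands the hook.
nat_rules() {
    extif=$1
    extip=$2
    echo "$IPTABLES -t nat -A POSTROUTING -o $extif -s $INTNET -j MASQUERADE"
    echo "$IPTABLES -t nat -A PREROUTING -i $extif -d $extip -p udp --dport 4569 -j DNAT --to-destination $PBX"
}

# Detection check (constructed helper): feed "iptables -t nat -S POSTROUTING"
# on stdin and the current external address as $1; prints every SNAT rule
# whose --to-source no longer matches, i.e. the stale rule left by a redial.
stale_snat_rules() {
    awk -v cur="$1" '/-j SNAT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--to-source" && $(i + 1) != cur) { print; break }
    }'
}

# Flush the nat table and load fresh rules. Only reached when pppd supplies
# the ip-up arguments; running the file by hand without them is a no-op.
apply_nat() {
    $IPTABLES -t nat -F
    nat_rules "$1" "$2" | sh
}

if [ "$#" -ge 4 ]; then
    apply_nat "$1" "$4"
fi
```

Two design notes: the POSTROUTING rule carries "-o $extif", which the original lacks, so only traffic actually leaving on the dial-up link is rewritten; and anything else in the script that matches "-d $EXTIP" (the sshd and ESTABLISHED INPUT rules) has the same staleness problem and should likewise be rebuilt from this hook, or written against "-i ppp0" instead of the address.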