
Re: iptables script



On Sun, Dec 09, 2001 at 06:52:49PM +0000, Américo Rocha wrote:
> 
> Hi all,
> 
> I'm trying to forward port ssh (22) to another computer 
> on my intranet
> 
> The network topology is simple: 192.168.0.12, is connected
> on eth0 to dhcp, and eth1 acts as a NAT to the intranet
> consisting of 9 computers.
> 
> here's the firewall script (iptables) I use:
> 
> #!/bin/sh
> #########################################
> # Script created using EasyTables v0.8.4-3
> # by Roi Dayan
> #########################################
> #printf "."
> IPC=/usr/local/sbin/iptables
> IF=eth0
> #IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
> #MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`
> #NET=$IP/$MASK
> 
> #printf "."
> #Delete user made chains. Flush and zero the chains.
> $IPC -F
> $IPC -X
> $IPC -Z
> $IPC -t nat -F
> $IPC -t nat -X
> $IPC -t nat -Z
> 
> #Creating custom chains.
> $IPC -N LDROP
> $IPC -A LDROP -p tcp -j LOG --log-level debug --log-prefix "DROP "
> $IPC -A LDROP -p udp -j LOG --log-level debug --log-prefix "DROP "
> $IPC -A LDROP -p icmp -j LOG --log-level debug --log-prefix "DROP "
> $IPC -A LDROP -f -j LOG --log-level warning --log-prefix "DROP "
> $IPC -A LDROP -j DROP
> $IPC -N LREJECT
> $IPC -A LREJECT -p tcp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LREJECT -p udp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LREJECT -p icmp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LREJECT -f -j LOG --log-level warning --log-prefix "REJECT "
> $IPC -A LREJECT -j REJECT
> $IPC -N LACCEPT
> $IPC -A LACCEPT -p tcp -j LOG --log-level debug --log-prefix "ACCEPT "
> $IPC -A LACCEPT -p udp -j LOG --log-level debug --log-prefix "ACCEPT "
> $IPC -A LACCEPT -p icmp -j LOG --log-level debug --log-prefix "ACCEPT "
> $IPC -A LACCEPT -f -j LOG --log-level warning --log-prefix "ACCEPT "
> $IPC -A LACCEPT -j ACCEPT
> $IPC -N TREJECT
> $IPC -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
> $IPC -A TREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
> $IPC -A TREJECT -j REJECT
> $IPC -N LTREJECT
> $IPC -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
> $IPC -A LTREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
> $IPC -A LTREJECT -p tcp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LTREJECT -p udp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LTREJECT -p icmp -j LOG --log-level debug --log-prefix "REJECT "
> $IPC -A LTREJECT -f -j LOG --log-level warning --log-prefix "REJECT "
> $IPC -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
> $IPC -A LTREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
> $IPC -A LTREJECT -j REJECT
> 
> 
> #printf "."
> #Modules to help certain services
> #/sbin/depmod -a  >/dev/null 2>&1
> #/sbin/modprobe ip_masq_ftp  >/dev/null 2>&1
> #/sbin/modprobe ip_masq_raudio  >/dev/null 2>&1
> #/sbin/modprobe ip_masq_irc  >/dev/null 2>&1
> #/sbin/modprobe ip_masq_icq  >/dev/null 2>&1
> #/sbin/modprobe ip_masq_quake  >/dev/null 2>&1
> #/sbin/modprobe ip_masq_user  >/dev/null 2>&1
> #/sbin/modprobe ip_masq_vdolive  >/dev/null 2>&1
> 
> #printf "."
> #Allow all traffic on the loopback interface (lo)
> $IPC -I INPUT -i lo -j ACCEPT
> $IPC -I OUTPUT -o lo -j ACCEPT
> $IPC -I INPUT -i ! lo -s 127.0.0.0/255.0.0.0 -j DROP
Should this be:
$IPC -I INPUT -i ! lo -d 127.0.0.0/255.0.0.0 -j DROP
I think you are trying to drop packets to destination loopback that are
actually coming from somewhere else (i.e. not the lo interface).
> 
> #printf "."
> #Allow connections with the ack bit set.
> #(They are from an established connections)
> $IPC -A INPUT -p tcp ! --syn -i $IF -j ACCEPT
> 
> #printf "."
> #Turn on source address verification in kernel
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
>   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 1 > $f
>   done
> fi
> 
> #printf "."
> #Turn on syn cookies protection in kernel
> if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
>  then
>   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> fi
> 
> #printf "."
> #Set up kernel to handle dynamic IP masquerading
> if [ -e /proc/sys/net/ipv4/ip_dynaddr ]
>  then
>   echo 1 > /proc/sys/net/ipv4/ip_dynaddr
> fi
> 
> #printf "."
> #to enable ip MASQUERADE and automatic defragmention (for masquerading)
> echo 1 > /proc/sys/net/ipv4/ip_forward
> #echo 1 > /proc/sys/net/ipv4/ip_always_defrag
> 
> #printf "."
> #timeouts
> #$IPC -M -S 14400 60 600
> 
> #printf "."
> #Block nonroutable IPs
> $IPC -A INPUT -j DROP -s 10.0.0.0/8 -i $IF
> $IPC -A INPUT -j DROP -s 127.0.0.0/8 -i $IF
> $IPC -A INPUT -j DROP -s 172.16.0.0/12 -i $IF
> $IPC -A INPUT -j DROP -s 192.168.0.0/16 -i $IF
> 
> #printf "."
> #Block Back Orifice
> $IPC -A INPUT -p tcp -i $IF --dport 31337 -j LDROP
> $IPC -A INPUT -p udp -i $IF --dport 31337 -j LDROP
> 
> #Block NetBus
> $IPC -A INPUT -p tcp -i $IF --dport 12345:12346 -j LDROP
> $IPC -A INPUT -p udp -i $IF --dport 12345:12346 -j LDROP
> 
> #Block Trin00
> $IPC -A INPUT -p tcp -i $IF --dport 1524 -j LDROP
> $IPC -A INPUT -p tcp -i $IF --dport 27665 -j LDROP
> $IPC -A INPUT -p udp -i $IF --dport 27444 -j LDROP
> $IPC -A INPUT -p udp -i $IF --dport 31335 -j LDROP
> 
> #printf "."
> #Block Multicast
> $IPC -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
> $IPC -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP
> 
> #printf "."
> #PortsRules
> 
> #FTP(21)
> $IPC -A INPUT -p tcp -i $IF --dport 21 -j LACCEPT
> 
> #SSH
> $IPC -A INPUT -p tcp -i $IF --dport 22 -j LACCEPT
> 
> #Telnet
> $IPC -A INPUT -p tcp -i $IF --dport 23 -j LACCEPT
> 
> #SMTP
> $IPC -A INPUT -p tcp -i $IF --dport 25 -j LACCEPT
> 
> #WWW
> $IPC -A INPUT -p tcp -s 0/0 -i $IF --dport 80 -j LACCEPT
> $IPC -A INPUT -p tcp -i $IF --dport 80 -j LACCEPT
> 
> #Rejecting (not denying) ident requests.
> $IPC -A INPUT -p tcp -i $IF --dport 113 -j TREJECT
> $IPC -A INPUT -p udp -i $IF --dport 113 -j TREJECT
> #Blocking access to the X Server ports.
> $IPC -A INPUT -p tcp -i $IF --dport 5999:6003 -j LDROP
> $IPC -A INPUT -p udp -i $IF --dport 5999:6003 -j LDROP
> $IPC -A INPUT -p tcp -i $IF --dport 7100 -j LDROP
> #printf "."
> 
> #Settings for internal interfaces (LAN) - Internet Connection Share.
> $IPC -A FORWARD -i $IF -j ACCEPT
> $IPC -A FORWARD -o $IF -j ACCEPT
> $IPC -t nat -A POSTROUTING -o $IF -j MASQUERADE
> #printf "."
> #printf "."
> #Settings for internal interfaces (LAN).
> InternalIP=`/sbin/ifconfig eth1 | grep inet | cut -d : -f 2 | cut -d \  -f 1`
> InternalMASK=`/sbin/ifconfig eth1 | grep Mas | cut -d : -f 4`
> InternalNET=$InternalIP/$InternalMASK
> $IPC -A INPUT -i eth1 -j ACCEPT
> $IPC -A OUTPUT -o eth1 -j ACCEPT
> $IPC -A INPUT -i ! eth1 -s $InternalNET -j DROP
> #printf "."
> 
> 
> #printf "."
> ### Custom rules should be added here ###
> 
> #########################################
> 
> #printf "."
> #Set telnet, www, smtp, pop3 and FTP for minimum delay
> #$IPC -A OUTPUT -p tcp -d 0/0 80 -t 0x01 0x10
> #$IPC -A OUTPUT -p tcp -d 0/0 22 -t 0x01 0x10
> #$IPC -A OUTPUT -p tcp -d 0/0 23 -t 0x01 0x10
> #$IPC -A OUTPUT -p tcp -d 0/0 21 -t 0x01 0x10
> #$IPC -A OUTPUT -p tcp -d 0/0 110 -t 0x01 0x10
> #$IPC -A OUTPUT -p tcp -d 0/0 25 -t 0x01 0x10
> 
> $IPC -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
> $IPC -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
> $IPC -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
> $IPC -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
> $IPC -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Minimize-Delay
> $IPC -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
> #printf "."
> #Set ftp-data for maximum throughput
> #$IPC -A OUTPUT -p tcp -d 0/0 20 -t 0x01 0x08
> 
> $IPC -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
> #printf "."
> #Allow ICMP
> $IPC -A INPUT -p icmp -i $IF -j ACCEPT
> $IPC -A OUTPUT -p icmp -o $IF -j ACCEPT
> 
> #printf "."
> #Open ports for established connections
> $IPC -A INPUT -m state --state ESTABLISHED -j ACCEPT
> $IPC -A INPUT -m state --state RELATED -j ACCEPT
> $IPC -A INPUT -p tcp -i $IF --dport 1023:65535 -j ACCEPT
> $IPC -A INPUT -p udp -i $IF --dport 1023:65535 -j ACCEPT
> 
> #printf "."
> #Set default rule on MASQUERADE chain to DROP
> $IPC -P FORWARD DROP
> 
> #printf "."
> #DROP everything else
> $IPC -P OUTPUT ACCEPT
> $IPC -A INPUT -i $IF -j LDROP
> #printf "."
> ###################### Port-Forwarding ???..... ################################
> # $IPC -A PREROUTING -t nat -p tcp -i eth0 -o eth1 --dport 22 -j DNAT --to 192.168.0.8
> # $IPC -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.8 --dport 22 -j ACCEPT 
> 
> The last two lines on this script are commented; the port forward didn't work
> 
> I'm running debian 2.2r4 (potato) on both machines, but I have apt-get'ed
> all the necessary packages so I could use iptables and kernel 2.4.
>
I think the rules should be something like:
$IPC -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 192.168.0.8
$IPC -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.8 --dport 22 -j ACCEPT

I don't think that you specify the out interface in the PREROUTING
chain.  This may be the cause of your error.

Also, check the comments I made above.  I am not totally sure of this -
perhaps better ask the same on debian-firewall list.

Cheers.
Mark.