problems with firewall/port forwarding...
I've got a home network that I want to use in several ways.
a) I want my internal computers to be able to use the gateway interface to get
out to the internet, and
b) I only want ssh and http requests back in.
the catch is I want the http requests forwarded to the internal IP 192.168.42.10
and not the gateway. somehow, this doesn't work when I try to set it up
from the howto's and documentation I've found...
here are my rules so far (without the full functionality I want. This is just
for internal stuff getting out to the 'net, and nothing but ssh getting in):
hex:/home/csanner# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
icmp_packets icmp -- anywhere anywhere
tcp_packets tcp -- anywhere anywhere
udpincoming_packets udp -- anywhere anywhere
ACCEPT all -- anywhere 192.168.42.255
ACCEPT all -- anywhere localhost
ACCEPT all -- anywhere hex
ACCEPT all -- anywhere cj4042-a.manss1.va.home.comstate RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: '
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: '
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost anywhere
ACCEPT all -- hex anywhere
ACCEPT all -- cj4042-a.manss1.va.home.com anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '
Chain allowed (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere
Chain icmp_packets (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp redirect
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
Chain tcp_packets (1 references)
target prot opt source destination
allowed tcp -- anywhere anywhere tcp dpt:ssh
allowed tcp -- anywhere anywhere tcp dpt:www
allowed tcp -- anywhere anywhere tcp dpt:auth
Chain udpincoming_packets (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT udp -- anywhere anywhere udp spt:2074
ACCEPT udp -- anywhere anywhere udp spt:4000
and here is the script I run to set those rules up:
hex:/home/csanner# more /etc/init.d/rc.firewall
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: Oskar Andreasson <blueflux@koffein.net>
# (c) of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this with due credits to
# BoingWorld.com
#
###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# STATIC_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now but it's still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)
LAN_IP_RANGE="192.168.42.0/24"
LAN_IP="192.168.42.1/32"
LAN_BCAST_ADRESS="192.168.42.255/32"
LOCALHOST_IP="127.0.0.1/32"
STATIC_IP="24.7.168.191/32"
INET_IFACE="eth1"
LAN_IFACE="eth0"
IPTABLES="/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
#/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#CRITICAL: Enable IP forwarding since it is disabled by default.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the
connection
# with Diald and similar programs much easier.
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable simple IP FORWARDing and Masquerading
#
# NOTE: The following is an example for an internal LAN, where the lan
# runs on eth1, and the Internet is on eth0.
#
# Please change the network devices to match your own configuration.
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-leve
l DEBUG --log-prefix "IPT FORWARD packet died: "
#
# set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# the allowed chain for TCP connections
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established we ACCEPT the packages, if not we fuck them. This is
# where the state matching is performed also, we allow ESTABLISHED and
# RELATED packets.
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
# added by Hitch for packet forwarding
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's
#
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#
# INPUT chain
#
# establish the basic INPUT chain and filter the packets onto the correct
# chains.
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level
DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
# establish the basic OUTPUT chain and filter them onto the correct chain
#
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level
DEBUG --log-prefix "IPT OUTPUT packet died: "
___________________________________________________________________
can anyone give me a hand with getting all this working?
--
_____________________________________________
Christopher Sanner | mailto:csanner@tux.org
Phone :571-277-0206 | http://osf1.gmu.edu/~csanner/
Contractor to VistaRMS
President and Co-Founder MasonLUG
finger csanner@boudicca.tux.org for pgp key and geek code block
You will find that the State is the kind of organization which, while it does
big things badly, does small things badly too.
Reply to: