
Re: problems with firewall/port forwarding...



Chris,

I don't know iptables, but I had a similar problem using ipchains and
ipmasqadm. It turned out that my ISP was blocking port 80. You may want to
check up on this.

Roger

On Sun, 16 Sep 2001, Chris Sanner [Hitchhiker] wrote:

> I've got a home network that I want to use in several ways.
> a) I want my internal computers to be able to use the gateway interface to get
> out to the internet, and
> b) I only want ssh and http requests back in.
>
> the catch is I want the http requests forwarded to the internal IP 192.168.42.10
> and not the gateway.  somehow, this doesn't work when I try to set it up
> from the howto's and documentation I've found...
>
> here are my rules so far (without the full functionality I want.  This is just
> for internal stuff getting out to the 'net, and nothing but ssh getting in):
> hex:/home/csanner# iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> icmp_packets  icmp --  anywhere             anywhere
> tcp_packets  tcp  --  anywhere             anywhere
> udpincoming_packets  udp  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             192.168.42.255
> ACCEPT     all  --  anywhere             localhost
> ACCEPT     all  --  anywhere             hex
> ACCEPT     all  --  anywhere             cj4042-a.manss1.va.home.com state RELATED,ESTABLISHED
> LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: '
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: '
>
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  localhost            anywhere
> ACCEPT     all  --  hex                  anywhere
> ACCEPT     all  --  cj4042-a.manss1.va.home.com  anywhere
> LOG        all  --  anywhere             anywhere           limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '
>
> Chain allowed (3 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
> ACCEPT     tcp  --  anywhere             anywhere           state RELATED,ESTABLISHED
> DROP       tcp  --  anywhere             anywhere
>
> Chain icmp_packets (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
> ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable
> ACCEPT     icmp --  anywhere             anywhere           icmp redirect
> ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded
>
> Chain tcp_packets (1 references)
> target     prot opt source               destination
> allowed    tcp  --  anywhere             anywhere           tcp dpt:ssh
> allowed    tcp  --  anywhere             anywhere           tcp dpt:www
> allowed    tcp  --  anywhere             anywhere           tcp dpt:auth
>
> Chain udpincoming_packets (1 references)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere           udp spt:domain
> ACCEPT     udp  --  anywhere             anywhere           udp spt:ntp
> ACCEPT     udp  --  anywhere             anywhere           udp spt:2074
> ACCEPT     udp  --  anywhere             anywhere           udp spt:4000
>
> and here is the script I run to set those rules up:
> hex:/home/csanner# more /etc/init.d/rc.firewall
> #!/bin/sh
> #
> # rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x
> #
> # Author: Oskar Andreasson <blueflux@koffein.net>
> # (c) of BoingWorld.com, use at your own risk, do whatever you please with
> # it as long as you don't distribute this with due credits to
> # BoingWorld.com
> #
>
> ###########
> # Configuration options, these will speed you up getting this script to
> # work with your own setup.
>
> #
> # your LAN's IP range and localhost IP. /24 means to only use the first 24
> # bits of the 32 bit IP address. the same as netmask 255.255.255.0
> #
> # STATIC_IP is used by me to allow myself to do anything to myself, might
> # be a security risk but sometimes I want this. If you don't have a static
> # IP, I suggest not using this option at all for now but it's still
> # enabled per default and will add some really nifty security bugs for all
> # those who skip reading the documentation=)
>
> LAN_IP_RANGE="192.168.42.0/24"
> LAN_IP="192.168.42.1/32"
> LAN_BCAST_ADRESS="192.168.42.255/32"
> LOCALHOST_IP="127.0.0.1/32"
> STATIC_IP="24.7.168.191/32"
> INET_IFACE="eth1"
> LAN_IFACE="eth0"
> IPTABLES="/sbin/iptables"
>
> #########
> # Load all required IPTables modules
> #
>
> #
> # Needed to initially load modules
> #
> #/sbin/depmod -a
>
> #
> # Adds some iptables targets like LOG, REJECT and MASQUERADE.
> #
> #/sbin/modprobe ipt_LOG
> #/sbin/modprobe ipt_REJECT
> #/sbin/modprobe ipt_MASQUERADE
>
> #
> # Support for owner matching
> #
> #/sbin/modprobe ipt_owner
>
> #
> # Support for connection tracking of FTP and IRC.
> #
> #/sbin/modprobe ip_conntrack_ftp
> #/sbin/modprobe ip_conntrack_irc
>
>
> #CRITICAL:  Enable IP forwarding since it is disabled by default.
> #
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
>
> # Dynamic IP users:
> #
> #   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
> #       option.  This enables dynamic-ip address hacking in IP MASQ, making the
> #       connection with Diald and similar programs much easier.
> #
> #echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> # Enable simple IP FORWARDing and Masquerading
> #
> #  NOTE:  The following is an example for an internal LAN, where the lan
> #         runs on eth1, and the Internet is on eth0.
> #
> #         Please change the network devices to match your own configuration.
> #
>
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
>     --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
>
> #
> # set default policies for the INPUT, FORWARD and OUTPUT chains
> #
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
> #
> # Create separate chains for ICMP, TCP and UDP to traverse
> #
>
> $IPTABLES -N icmp_packets
> $IPTABLES -N tcp_packets
> $IPTABLES -N udpincoming_packets
>
> #
> # the allowed chain for TCP connections
> #
> # This chain will be utilised if someone tries to connect to an allowed
> # port from the internet. If they are opening the connection, or if it's
> # already established we ACCEPT the packages, if not we fuck them. This is
> # where the state matching is performed also, we allow ESTABLISHED and
> # RELATED packets.
>
> $IPTABLES -N allowed
> $IPTABLES -A allowed -p TCP --syn -j ACCEPT
> $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A allowed -p TCP -j DROP
>
> #
> # ICMP rules
> #
>
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>
> #
> # TCP rules
> #
>
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
>
> # added by Hitch for packet forwarding
>
> #
> # UDP ports
> #
>
> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
>
> #
> # PREROUTING chain.
> #
> # Do some checks for obviously spoofed IP's
> #
>
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
>
> #
> # INPUT chain
> #
> # establish the basic INPUT chain and filter the packets onto the correct
> # chains.
> #
>
>
> $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
> $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
> $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
>
> $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
> $IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
> $IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
> $IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED \
>     -j ACCEPT
> $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
>     --log-level DEBUG --log-prefix "IPT INPUT packet died: "
>
> #
> # OUTPUT chain
> #
> # establish the basic OUTPUT chain and filter them onto the correct chain
> #
>
> $IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
> $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
>     --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
>
> ___________________________________________________________________
>
> can anyone give me a hand with getting all this working?
>
>
> --
> _____________________________________________
> Christopher Sanner   | mailto:csanner@tux.org
> Phone  :571-277-0206 | http://osf1.gmu.edu/~csanner/
> Contractor to VistaRMS
> President and Co-Founder MasonLUG
> finger csanner@boudicca.tux.org for pgp key and geek code block
>
> You will find that the State is the kind of organization which, while it does
> big things badly, does small things badly too.
>
>
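Added example, not part of the thread and not Oskar Andreasson's script: the two rules the quoted rc.firewall is missing for the port-80 forward Chris describes, written against the script's own variable names. It assumes eth1 is the internet side and eth0 the LAN, as in the quoted configuration, and that the web server is 192.168.42.10; the `ipt` wrapper, `DRY_RUN`, `WEB_SERVER` and the function names are my own, not part of iptables or of the original script. With `DRY_RUN=1` (the default here) it only prints the commands so they can be reviewed first; `DRY_RUN=0 sh forward-http.sh` applies them.

```shell
#!/bin/sh
# forward-http.sh: DNAT inbound HTTP from the internet interface to an
# internal web server, plus the FORWARD rule that lets the new connection
# through. Added illustration for the thread above; variable names follow
# the quoted rc.firewall, everything else is assumed.

INET_IFACE="${INET_IFACE:-eth1}"          # internet side, as in the quoted script
LAN_IFACE="${LAN_IFACE:-eth0}"            # LAN side, as in the quoted script
WEB_SERVER="${WEB_SERVER:-192.168.42.10}" # internal host from the question
IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = run them

# Wrapper (my own, not an iptables feature): print or execute a rule.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Rewrite the destination of HTTP connections arriving on the internet
# interface. nat/PREROUTING only sees the first packet of a connection;
# connection tracking applies the same mapping to the rest of the flow.
add_http_dnat() {
    ipt -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
}

# After DNAT the packet is routed to the LAN host, so it traverses FORWARD,
# not INPUT: the dpt:www entry in the INPUT-side tcp_packets chain never
# sees it. FORWARD's policy is DROP and it accepts only LAN-originated or
# ESTABLISHED,RELATED traffic, so the new inbound connection needs this
# narrow ACCEPT (one interface pair, one host, one port, NEW state only).
add_http_forward() {
    ipt -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp \
        -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

# Cheap self-check on the generated rule: returns 0 when the DNAT target is
# the web server and nothing else slipped in through the environment.
rules_mention_web_server() {
    add_http_dnat | grep -q -- "--to-destination $WEB_SERVER:80"
}

# Load both rules; these append after the spoof-check rules the quoted
# script already puts in nat/PREROUTING, which is the intended order.
apply_http_forwarding() {
    add_http_dnat
    add_http_forward
}

apply_http_forwarding
```

If, with both rules loaded, `tcpdump -ni eth1 tcp port 80` shows no inbound SYNs and the `IPT FORWARD packet died` log prefix stays silent during a test from outside, the SYNs are not reaching the gateway at all, which is exactly the situation Roger describes with the ISP blocking port 80; if the SYNs do arrive but the log line fires, the FORWARD rule is the piece still missing.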


