
Re: 127.0.0.1 is allowed



On 2007-03-08 Carolyn Debian wrote:
> My iptable rules are not attached but included in the first post. Am I 
> seeing a different version than you?

Looks like it.

> Anyway, here they are:

The script looks okay to me. I suggested some simplifications (see
below), but AFAICS the ruleset should work. Check the logs, though. If
your ruleset drops packets it shouldn't, they will show up there. And
maybe try accepting all outbound traffic on the external interface:

  iptables -A OUTPUT -o $EXTIF -j ACCEPT

instead of accepting only traffic with source address $EXTIP.

What connections is tinyproxy actually trying to establish when you try
to load a page in your browser? Can you run a sniffer (e.g. tcpdump or
tshark) on the remote host? And could you post the config again, please?
Just like your firewall ruleset I didn't see it included in your first
mail.

> #!/bin/sh
> 
> INTIF="eth1"
> INTNET="192.168.1.0/24"
> INTIP="192.168.1.1/24"

If you want this to be a host address you need /32 here.

> EXTIF="ppp0"
> EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

Just some cosmetics, but awk is all you need here:

EXTIP="`/sbin/ifconfig $EXTIF | awk '/inet/ {sub(".*:","",$2); print $2}'`"

> /sbin/depmod -a
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_conntrack_irc
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_nat_irc
> 
> UNIVERSE="0.0.0.0/0"
> REMOTEIP="72.58.128.0/24"

Is that supposed to be a host or a network address? Since the last
octet is zero I'll assume that it's a network address. In that case
REMOTENET would be a more appropriate name for the variable. However,
AFAICS you need neither $UNIVERSE nor $REMOTEIP for your ruleset (see
below).

> iptables -P INPUT DROP
> iptables -F INPUT
> iptables -P OUTPUT DROP
> iptables -F OUTPUT
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -F -t nat

You can flush all chains at once:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -F
iptables -t nat -F

> if [ "`iptables -L | grep drop-and-log-it`" ]; then
> iptables -F drop-and-log-it
> fi
> 
> iptables -X

No point in flushing a user-defined chain if you're going to delete it
anyway.

> iptables -Z
> 
> iptables -N drop-and-log-it
> iptables -A drop-and-log-it -j LOG --log-level info
> iptables -A drop-and-log-it -j REJECT
> 
> iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
> iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

As a general note: 0.0.0.0/0 is implicitly assumed when you leave out -s
or -d. That makes your rules more readable. Also I'd accept only NEW
inbound connections.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET -m state --state NEW -j ACCEPT
iptables -A INPUT -i $EXTIF -s $INTNET -j drop-and-log-it
iptables -A INPUT -i $EXTIF -d $EXTIP -m state --state NEW -j ACCEPT

> iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

You should accept ESTABLISHED and RELATED traffic on all interfaces, not
only on the external.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

> iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

This rule is pointless, because you already accept all traffic to $EXTIP
on the external interface.

> iptables -A INPUT -i $EXTIF -s $REMOTEIP -d $UNIVERSE -j ACCEPT

What's this rule supposed to achieve? You're already accepting traffic
from the world on the external interface.

> iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

iptables -A INPUT -j drop-and-log-it

> iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
> iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

The OUTPUT chain handles traffic that originates from the host itself,
thus traffic with $EXTIP should not be going out on $INTIF.

> iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
> iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
> iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

This will suffice:

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $EXTIF -s $EXTIP -j ACCEPT
iptables -A OUTPUT -j drop-and-log-it

> # Fix the problem of not being able to access some websites.
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

Just accept all ESTABLISHED and RELATED traffic. Saves you trouble.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

> iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

Better accept only NEW connections on the internal interface:

iptables -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT

> iptables -A FORWARD -j drop-and-log-it
> iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

Should do. Or you could just use Masquerading instead:

iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Regards
Ansgar Wiechers
-- 
"If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology."
--Bruce Schneier
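The reply's advice to check the logs for packets the ruleset drops but shouldn't can be made concrete with a small log reader. This is an added example, not code from the thread; it assumes the kernel's standard `-j LOG` line format, and the log lines, interface names (ppp0, eth1) and addresses are constructed. It groups what drop-and-log-it recorded by chain, interface and port, and flags two cases the discussion above points at: mid-connection TCP packets being dropped (the ESTABLISHED,RELATED rule not matching) and host-originated packets leaving the external interface with a source address other than $EXTIP.

```python
# Added example (not from the thread); the sample log lines are constructed
# in the format the kernel writes for iptables' LOG target.
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  8 10:01:02 gw kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=43210 DPT=8888 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  8 10:01:03 gw kernel: IN= OUT=ppp0 SRC=192.168.1.1 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  8 10:01:04 gw kernel: IN=eth1 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 ACK URGP=0
"""
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Key=value fields of one LOG line plus the bare TCP flag tokens, or None."""
    start = line.find("IN=")
    if start < 0:
        return None
    body = line[start:]
    fields = {}
    for key, val in KV_RE.findall(body):
        fields.setdefault(key, val)  # ICMP lines repeat ID=; keep the IP header one
    fields["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields

def chain_of(f):
    """IN and OUT both set: FORWARD; only IN: INPUT; only OUT: OUTPUT."""
    if f["IN"] and f["OUT"]:
        return "FORWARD"
    return "INPUT" if f["IN"] else "OUTPUT"

def summarize(log_text):
    """Count logged packets per (chain, in-if, out-if, proto, dport or icmp type)."""
    counts = Counter()
    for f in filter(None, map(parse_line, log_text.splitlines())):
        target = f.get("DPT") or f.get("TYPE") or "-"
        counts[(chain_of(f), f["IN"] or "-", f["OUT"] or "-", f.get("PROTO", "?"), target)] += 1
    return counts

def suspicious_drops(log_text, extif, extip):
    """Drops the ruleset above should not produce: TCP packets with ACK but no
    SYN (conntrack should have matched ESTABLISHED), and host-originated traffic
    leaving extif with a source other than extip, which '-s $EXTIP' never accepts."""
    findings = []
    for f in filter(None, map(parse_line, log_text.splitlines())):
        if f.get("PROTO") == "TCP" and "ACK" in f["FLAGS"] and "SYN" not in f["FLAGS"]:
            findings.append(("established-dropped", chain_of(f), f["SRC"], f["DST"], f["DPT"]))
        if chain_of(f) == "OUTPUT" and f["OUT"] == extif and f["SRC"] != extip:
            findings.append(("outbound-src-not-extip", chain_of(f), f["SRC"], f["DST"], f["DPT"]))
    return findings
```

Feed it the real kernel log (e.g. the output of `dmesg`) and the two finding kinds tell you whether to look at the state rules or at the `-s $EXTIP` restriction on the OUTPUT chain.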
