
Re: eth1 - iptables do not work



Hi,

Yes, I have
internet)----(eth0,x.y.v.z -- eth1, 192.168.15.1)---(192.168.15.0/24

sshd is listening on port 83 (on all interfaces)

I can ssh and imaps to x.y.v.z from the outside world.
I can access the internet from 192.168.15.23

Yes, I think, I screwed up something :-(
The most suspicious is the script I use to set the rules - I downloaded it from the web and customized it.

************************
Below you find:
1. iptables -L -nv
2. the script I use to set the iptables rules
     - if I move the LOG on ETH1 after the ACCEPT of ETH1 then there is
       no log; so it seems the ACCEPT rule applies but does not work
3. tcpdump -i eth1 -v

Thanks for your help,
tamas

_____________________________________________________________________
iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
   43 11505 ACCEPT           all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT           all  --  eth1   *       192.168.15.0/24      0.0.0.0/0
    0     0 LOG              all  --  eth1   *       192.168.15.0/24      0.0.0.0/0            LOG flags 0 level 6
    3   329 ACCEPT           all  --  eth0   *       0.0.0.0/0            152.19.83.61         state RELATED,ESTABLISHED
    0     0 ACCEPT           tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:83
    0     0 ACCEPT           tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:993
   59 16119 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
    0     0 ACCEPT           all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT           all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
   43 11505 ACCEPT           all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    4   270 ACCEPT           all  --  *      eth0    152.19.83.61         0.0.0.0/0
    0     0 ACCEPT           all  --  *      eth0    192.168.15.0/24      0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (3 references)
 pkts bytes target           prot opt in     out     source               destination
   59 16119 REJECT           all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

_____________________________________________________________________

#!/bin/sh

#iptables-restore < /etc/firewall.conf

echo -e "\n\nSETTING UP IPTABLES FIREWALL..."

EXTIF="eth0"
EXTIP="152.19.83.61"

INTIF="eth1"
INTIP="192.168.15.1"
INTNET="192.168.15.0/24"
UNIVERSE="0.0.0.0/0"

echo "Loading required stateful/NAT kernel modules..."
#/sbin/depmod -a
#/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe iptable_nat
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

echo "    Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "    External interface: $EXTIF ($EXTIP)"
echo "    Loading firewall server rules..."

#************************************************************
# Clear any existing rules and setting default policy to DROP
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
# Flush the user chain.. if it exists
if [ "`iptables -L | grep drop-and-log-it`" ]; then
   iptables -F drop-and-log-it
fi

# Delete all User-specified chains
iptables -X
# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain
iptables -N drop-and-log-it
#iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

#************************************************************
echo -e "     - Loading INPUT rulesets"
# loopback and local interfaces are valid.
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -i $INTIF -s $INTNET -j LOG --log-level info
iptables -A INPUT -i $INTIF -s $INTNET -j ACCEPT
# no log if LOG is after the prev rule:
#iptables -A INPUT -i $INTIF -s $INTNET -j LOG --log-level info

# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow services
iptables -A INPUT -s $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 83 -j ACCEPT
iptables -A INPUT -s $UNIVERSE -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 993 -j ACCEPT

iptables -A INPUT -j drop-and-log-it

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#
echo -e "     - Loading OUTPUT rulesets"

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $EXTIF -s $EXTIP -j ACCEPT
iptables -A OUTPUT -o $EXTIF -s $INTNET -j ACCEPT
iptables -A OUTPUT -j drop-and-log-it

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#          Allow all connections OUT and only existing/related IN
echo -e "     - Loading FORWARD rulesets"

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -j ACCEPT
iptables -A FORWARD -j drop-and-log-it

# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -s $INTNET -o $EXTIF -j SNAT --to $EXTIP

echo -e "    Firewall server rule loading complete\n\n"

_____________________________________________________________________
tcpdump -i eth1 -v

#SSH to eth0 or eth1
08:01:56.500123 IP (tos 0x0, ttl 128, id 26273, offset 0, flags [DF], proto TCP (6), length 48) 192.168.15.23.1521 > 192.168.15.1.83: S, cksum 0xea65 (correct), 2327603280:2327603280(0) win 65535 <mss 1460,nop,nop,sackOK>

08:01:42.709319 IP (tos 0x0, ttl 128, id 26262, offset 0, flags [DF], proto TCP (6), length 48) 192.168.15.23.1520 > its-sav4.ad.unc.edu.2967: S, cksum 0x1a67 (correct), 3351369879:3351369879(0) win 65535 <mss 1460,nop,nop,sackOK>

#IMAPS
08:00:26.208833 IP (tos 0x0, ttl 128, id 26236, offset 0, flags [DF], proto TCP (6), length 48) 192.168.15.23.1518 > violin.imaps: S, cksum 0xdc0e (correct), 2557561280:2557561280(0) win 65535 <mss 1460,nop,nop,sackOK>


Paolo wrote:
On Wed, Oct 08, 2008 at 07:33:50PM -0400, Tamas Hegedus wrote:
Hi,

I am new to debian. My box has eth0 - x.y.v.z and eth1 - 192.168.15.1

so you have

    internet)----(eth0,x.y.v.z -- eth1, 192.168.15.1)---(192.168.15.0/24

My problem is that I can not connect to my linux box from 192.168.15.x

so you screwed iptables :)

iptables -L -n -v (I simplified the output)

don't simplify, pls post _full_ output from iptables-save.

SPT=4576 DPT=83 WINDOW=655

what service are you running on port 83?



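An added diagnostic helper, not part of the thread: it reads the `iptables -L -nv` counters of the INPUT chain posted above (embedded here as constructed sample text, copied from the listing) and reports how many packets fell through to the catch-all `drop-and-log-it` rule versus which earlier rules never matched anything. A zero counter on the `-i eth1 -s 192.168.15.0/24` ACCEPT while the catch-all counts 59 means the packets tcpdump shows on eth1 never matched that rule at all, which is a different problem from ACCEPT "not working".

```shell
#!/bin/sh
# Constructed sample: the INPUT chain from the "iptables -L -nv" listing in the post.
SAMPLE_INPUT=' Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out     source               destination
   43 11505 ACCEPT           all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT           all  --  eth1   *       192.168.15.0/24      0.0.0.0/0
    0     0 LOG              all  --  eth1   *       192.168.15.0/24      0.0.0.0/0            LOG flags 0 level 6
    3   329 ACCEPT           all  --  eth0   *       0.0.0.0/0            152.19.83.61         state RELATED,ESTABLISHED
    0     0 ACCEPT           tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:83
    0     0 ACCEPT           tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED tcp dpt:993
   59 16119 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# fallthrough_packets CHAIN_TEXT: packet count on the final catch-all rule,
# i.e. packets that matched none of the rules above it. (Lines 1-2 are the
# chain header and column header, so they are skipped.)
fallthrough_packets() {
    printf '%s\n' "$1" | awk 'NR > 2 && $3 == "drop-and-log-it" { print $1; exit }'
}

# zero_hit_rules CHAIN_TEXT: one line per rule whose packet counter is 0,
# printed as "target in-interface source" so the unused rules are easy to spot.
zero_hit_rules() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 == 0 { printf "%s %s %s\n", $3, $6, $8 }'
}

# Human-readable summary: where did the traffic actually end up?
diagnose_chain() {
    echo "packets that reached the catch-all: $(fallthrough_packets "$1")"
    echo "rules that matched nothing:"
    zero_hit_rules "$1" | sed 's/^/  /'
}

diagnose_chain "$SAMPLE_INPUT"
```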