Strange iptables behaviour (success/failure depends on presence of "harmless" logging line)
[ SUMMARY: Why does adding a "harmless" logging line to my iptables
script let traffic pass (the desired behaviour) that is otherwise
stopped? ]
I'm having problems doing port forwarding through my old 486/25sx NAT
box here. The only reason I mention its spec/age is that I'm having
difficulty seeing what the issue is if it isn't a timing one.
I've attached my firewall script. Any general or non-related comments
are welcome, but the specific issue I have is that (after adding some
forwarding lines to enable me to bypass the rather nasty "it's for
performance reasons, not for security" http proxy at work so that I can
connect to my home ssh server) the success or failure of the extra
iptables filters seems to depend on whether I have the following line
commented out or not:
$IT --append drop-and-log --jump LOG --log-level info --log-prefix "Firewall: "
where IT=/sbin/iptables, of course.
When it's commented out, all external traffic (e.g. pinging
www.google.com) doesn't return, but when it's active the traffic passes
fine. As it should.
The four lines (1 logging one, as above, and 3 "forward port 443 through
into the lan" ones) are marked with ##### comments immediately before
them for your ease of identification. I've included the whole file
(it's only 3kb) because something this strange probably means I've
fscked up somewhere /else/.
Can anyone throw me a fricking clue - PLEASE?
Cheers!
jc
PS Yes, I realise that I don't have to have the internal server running
on port 443, but it's late and I've run out of coffee ...
#!/bin/bash
#
# your system's details go here
IT="/sbin/iptables"
INTIP="192.168.0.1"
INTIFACE="eth0"
INTNET="192.168.0.0/24"
EXTIP="$3"
EXTIFACE="$2"
DNS_SERVERS=""
# what policy shall we follow when we've run out of ideas?
POL="drop-and-log"
# tell the kernel what we're going to be doing
#echo "1" > /proc/sys/net/ipv4/ip_always_defrag
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/conf/$EXTIFACE/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/$INTIFACE/rp_filter
# set all chains to DROP - we'll never reach these ordinarily,
# but they'll be useful when packets coming in while this
# script is running, and the rules aren't all in place
$IT --policy OUTPUT DROP
$IT --policy INPUT DROP
$IT --policy FORWARD DROP
# flush all chains, all tables
$IT --table filter --flush
$IT --table nat --flush
# delete user chains
$IT --delete-chain
# create new chains
$IT --new-chain drop-and-log
$IT --new-chain int-in
$IT --new-chain int-out
$IT --new-chain ext-in
$IT --new-chain ext-out
# start adding rules
# drop-and-log chain
##### LOSE THE "#" AT THE START OF THE NEXT LINE, AND EVERYTHING WORKS
##### FINE!!!
#$IT --append drop-and-log --jump LOG --log-level info --log-prefix "Firewall: "
$IT --append drop-and-log --jump DROP
# input chain
$IT --append INPUT --jump ext-in --in-interface $EXTIFACE
$IT --append INPUT --jump int-in --in-interface $INTIFACE
$IT --append INPUT --jump ACCEPT --in-interface lo
$IT --append INPUT --jump $POL
# output chain
$IT --append OUTPUT --jump ext-out --out-interface $EXTIFACE
$IT --append OUTPUT --jump int-out --out-interface $INTIFACE
$IT --append OUTPUT --jump ACCEPT --out-interface lo
$IT --append OUTPUT --jump $POL
# forward chain
$IT --append FORWARD --jump ACCEPT --in-interface $EXTIFACE --out-interface $INTIFACE --match state --state ESTABLISHED,RELATED
$IT --append FORWARD --jump ACCEPT --in-interface $INTIFACE --out-interface $EXTIFACE
##### LINE ADDED #1
$IT --append FORWARD --jump ACCEPT --in-interface $EXTIFACE --out-interface $INTIFACE --protocol TCP --destination-port 443 --match state --state NEW,ESTABLISHED,RELATED
$IT --append FORWARD --jump $POL
# ext-in chain
#for PROTO in UDP TCP
#do
# for IP in $DNS_SERVERS
# do
# $IT --append ext-in --jump ACCEPT --protocol $PROTO --source $IP --destination $EXTIP --destination-port domain
# done
#done
$IT --append ext-in --jump ACCEPT --match state --state ESTABLISHED,RELATED
##### LINE ADDED #2
# accept connections to the ssh server running internally
$IT --append ext-in --jump ACCEPT --protocol TCP --destination-port 443
$IT --append ext-in --jump $POL
# ext-out
$IT --append ext-out --jump ACCEPT --source $EXTIP --destination ! $INTNET
$IT --append ext-out --jump $POL
# int-in
# nasty hack to firewall off di's laptop,
# except for routing to the 'net.
$IT --append int-in --jump $POL --source 192.168.0.129 --destination $INTNET
# standard int-in chain
$IT --append int-in --jump ACCEPT --source $INTNET
$IT --append int-in --jump $POL
# int-out
$IT --append int-out --jump ACCEPT --destination $INTNET
$IT --append int-out --jump $POL
# masquerade stuff going out on the external interface
$IT --table nat --append POSTROUTING --jump MASQUERADE --out-interface $EXTIFACE
##### LINE ADDED #3
# forward traffic to bigdaddy
$IT --table nat --append PREROUTING --jump DNAT --protocol TCP --destination $EXTIP --destination-port 443 --in-interface $EXTIFACE --to 192.168.0.3:443
# enable forwarding - done last for security
echo "1" > /proc/sys/net/ipv4/ip_forward
Reply to: