Re: can't ping LAN machine, NET pings fine
>-----------------------
> "Antony Gelberg" wrote:
>------------------------
>>Can you post iptables -L just after a ping fails?
I'll post my iptables script here.
I've been debugging it and i think there might be some
problems:
1. I'm not sure about this rule in inet_in
$IPT -A inet_in -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "inet_in: New not syn: "
$IPT -A inet_in -p tcp ! --syn -m state --state NEW -j DROP
Could this be holding back pings from the net to the machine? I did
place the ping rules above it to avoid this.
2. Forward rules my be incorrect.
3. Part when the firewall is stopped needs to be checked. These rules
are meant to work when the firewall is stopped: this should blocks all
access but let ssh through from the lan to the fw.
Any pointers to mistakes are welcome.
(format will probably not be great)
================ iptabels script ======================
#! /bin/sh
#
# skeleton example file to build /etc/init.d/ scripts.
# This file should be used to construct scripts for /etc/init.d.
#
# Written by Miquel van Smoorenburg <miquels@cistron.nl>.
# Modified for Debian GNU/Linux
# by Ian Murdock <imurdock@gnu.ai.mit.edu>.
#
# Version: @(#)skeleton 1.9.1 08-Apr-2002 miquels@cistron.nl
#
set -e
DAEMON="2_interfaces"
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME="Personal Firewall"
DESC="protecting system with 2 interfaces"
# Set variables needed for a 2 interfaces system where interface eth0 gets
# an ip from the isp (cable modem) over dhcp and eth1 is 192.168.0.1 and serves
# the LAN with ip's in the range 192.168.0.10-192.168.0.15
IPT=`which iptables`
DEP=`which depmod`
INS=`which modprobe`
EXTIF="eth0"
INTIF="eth1"
LO="lo"
LAN="192.168.0.0/24"
RESERVED_NET="
0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
5.0.0.0/8 \
7.0.0.0/8 \
23.0.0.0/8 \
27.0.0.0/8 \
31.0.0.0/8 \
36.0.0.0/8 37.0.0.0/8 \
39.0.0.0/8 \
41.0.0.0/8 42.0.0.0/8 \
58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
126.0.0.0/8 127.0.0.0/8 \
197.0.0.0/8 \
219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8 228.0.0.0/8 229.0.0.0/8 \
230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 \
236.0.0.0/8 237.0.0.0/8 238.0.0.0/8 239.0.0.0/8 \
240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"
case "$1" in
start)
echo "Starting $DESC: $NAME"
#Insert necessary modules
$INS ip_tables
$INS ip_conntrack
$INS ip_conntrack_ftp
$INS ip_conntrack_irc
$INS iptable_filter
$INS ipt_limit
$INS ipt_state
$INS ipt_unclean
$INS ipt_LOG
#Clearing any previous configuration
$IPT -F
$IPT -X
$IPT -Z
$IPT -P INPUT DROP
$IPT -F INPUT
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
# Create the rules
$IPT -N inet_in
$IPT -N local_in
$IPT -N internal_in
$IPT -N checkspoof
$IPT -N logspoof
$IPT -N inet_out
$IPT -N local_out
$IPT -N internal_out
# Dynamic IP
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Disable spoofing
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
# Block all echo requests
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Add synflood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Log martians
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Not accept ICMP redirect messages
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Track nr of connections
echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max
# Disable ICMP send_redirect
echo "0" > /proc/sys/net/ipv4/conf/eth0/send_redirects
# Don't accept source routed packets.
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
# ICMP Broadcasting protection (smurf amplifier protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ICMP Dead Error Messages protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# LooseUDP patch is required by some internet-based games
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
# IP forwarding (need it to perform for example NAT)
echo "1" > /proc/sys/net/ipv4/ip_forward
# Reduce DoS'ing ability by reducing timeouts
# Defaults:
# echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout
# echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time
# echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
# echo 1 > /proc/sys/net/ipv4/tcp_sack
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
# Set out local port range
# Default echo "1024 4999" > /proc/sys/net/ipv4/ip_local_port_range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
# Time To Live (TTL) is the term for a data field in the internet protocol.
# TTL is today interpreted to indicate the maximum number of routers a packet may transit.
echo "64" > /proc/sys/net/ipv4/ip_default_ttl
# Increase the default queuelength. (Kernel Default: 1024)
#echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen
# Enable ECN? (Explicit Congestion Notification)
echo "1" > /proc/sys/net/ipv4/tcp_ecn
##############################################################################
### logspoof ####
###############################################################################
$IPT -A logspoof -m limit --limit 3/min -j LOG --log-prefix "ip spoofing detected " \
--log-tcp-sequence --log-level info
$IPT -A logspoof -j DROP
###############################################################################
### checkspoof ####
###############################################################################
# this ip is used by my isp for something (don't know what) and is send every 2 minutes so i do
# not even want to log this! Annoying isp. It goes to address 224.0.0.1 which is IGMP multicast
# network
$IPT -A checkspoof -s 10.95.11.80 -j DROP
## Class A Reserved
$IPT -A checkspoof -s 10.0.0.0/8 -j logspoof
## Class B Reserved
$IPT -A checkspoof -s 172.16.0.0/12 -j logspoof
## Class C Reserved
$IPT -A checkspoof -s 192.168.0.0/16 -j logspoof
## Class D Reserved
$IPT -A checkspoof -s 224.0.0.0/4 -j logspoof
## Class E Reserved
$IPT -A checkspoof -s 240.0.0.0/5 -j logspoof
for NET in $RESERVED_NET; do
$IPT -A checkspoof -s $NET -j logspoof
done
###############################################################################
### inet_in ####
###############################################################################
### allow inside on firewall machine: ssh, ddt
$IPT -A inet_in -j checkspoof
$IPT -A inet_in -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A inet_in -p tcp --dport 2222 -j ACCEPT # allow ssh in
$IPT -A inet_in -p udp --dport 1052 -j ACCEPT # allow ddt queries in
$IPT -A inet_in -p udp --sport 67:68 --dport 67:68 -j ACCEPT # dhcp
# accept ping from NET to FW
$IPT -A inet_in -p icmp --icmp-type 3 -j ACCEPT
$IPT -A inet_in -p icmp --icmp-type 8 -j ACCEPT
$IPT -A inet_in -p icmp --icmp-type 0 -j ACCEPT
$IPT -A inet_in -p icmp --icmp-type 11 -j ACCEPT
#debug
$IPT -A inet_in -i $EXTIF -p ALL -j LOG --log-prefix "INPUT: rule inet_in"
$IPT -A inet_in -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "inet_in: New not syn: "
$IPT -A inet_in -p tcp ! --syn -m state --state NEW -j DROP
###############################################################################
### local_in ####
###############################################################################
$IPT -A local_in -j ACCEPT
###############################################################################
### internal_in ####
###############################################################################
# allow dhcp request to eth1 in, allow ssh to firewall machine from lan, allow imap and smtp
$IPT -A internal_in -p tcp --dport 2222 -j ACCEPT
$IPT -A internal_in -p tcp --dport 25 -j ACCEPT
$IPT -A internal_in -p udp --sport 67:68 --dport 67:68 -j ACCEPT
$IPT -A internal_in -p tcp --dport 143 -j ACCEPT
# accept ping from LAN to FW
$IPT -A internal_in -p icmp --icmp-type 3 -j ACCEPT
$IPT -A internal_in -p icmp --icmp-type 8 -j ACCEPT
$IPT -A internal_in -p icmp --icmp-type 0 -j ACCEPT
$IPT -A internal_in -p icmp --icmp-type 11 -j ACCEPT
#debug
$IPT -A internal_in -i $EXTIF -p ALL -j LOG --log-prefix "INPUT: rule internal_in"
###############################################################################
### inet_out ####
###############################################################################
### allow outside: ping, dns, proxy of isp (8080), dhcp, news, smtp, msn/gaim?,
### irc, www, imap, pop3, ftp (+ftpdata), ssh
### all tcp ports ###
#$IPT -A inet_out -p tcp --sport 67:68 --dport 67:68 -j ACCEPT # DHCP to isp
$IPT -A inet_out -p tcp --dport 80 -j ACCEPT # www
$IPT -A inet_out -p tcp --dport 22 -j ACCEPT # ssh
$IPT -A inet_out -p tcp --dport 21 -j ACCEPT # ftp
$IPT -A inet_out -p tcp --dport 43 -j ACCEPT # whois
$IPT -A inet_out -p tcp --dport 110 -j ACCEPT # pop3
$IPT -A inet_out -p tcp --dport 143 -j ACCEPT # imap
$IPT -A inet_out -p tcp --dport 6667 -j ACCEPT # irc
$IPT -A inet_out -p tcp --dport 25 -j ACCEPT # smtp
$IPT -A inet_out -p tcp --dport 119 -j ACCEPT # news
$IPT -A inet_out -p tcp --dport 8080 -j ACCEPT # proxy isp
$IPT -A inet_out -p tcp --dport 53 -j ACCEPT # dns
$IPT -A inet_out -p tcp --dport 443 -j ACCEPT # ?
$IPT -A inet_out -p tcp --dport 1863 -j ACCEPT # gaim
$IPT -A inet_out -p tcp --dport 5222 -j ACCEPT # gaim server
$IPT -A inet_out -p tcp --dport 5000 -j ACCEPT # chess FICS server
$IPT -A inet_out -p tcp --dport 11999 -j ACCEPT # yahoo chess server
### all udp ports ###
$IPT -A inet_out -p udp --dport 53 -j ACCEPT # dns
$IPT -A inet_out -p udp --sport 67:68 --dport 67:68 -j ACCEPT # DHCP to isp
$IPT -A inet_out -p udp --dport 1052 -j ACCEPT # ddt project ports
### all icmp ###
$IPT -A inet_out -p icmp --icmp-type 3 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 8 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 0 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 11 -j ACCEPT
#debug
$IPT -A inet_out -i $EXTIF -p ALL -j LOG --log-prefix "OUTPUT: rule inet_out"
###############################################################################
### local_out ####
###############################################################################
$IPT -A local_out -j ACCEPT
###############################################################################
### internal_out ####
###############################################################################
# from FW to lan: imap, dhcp, smtp
$IPT -A internal_out -p tcp --dport 25 -j ACCEPT
$IPT -A internal_out -p udp --sport 67:68 --dport 67:68 -j ACCEPT
$IPT -A internal_out -p tcp --dport 143 -j ACCEPT
### all icmp ###
$IPT -A internal_out -p icmp --icmp-type 3 -j ACCEPT
$IPT -A internal_out -p icmp --icmp-type 8 -j ACCEPT
$IPT -A internal_out -p icmp --icmp-type 0 -j ACCEPT
$IPT -A internal_out -p icmp --icmp-type 11 -j ACCEPT
#debug
$IPT -A internal_out -i $EXTIF -p ALL -j LOG --log-prefix "OUTPUT: rule internal_out"
###############################################################################
### INPUT ####
###############################################################################
$IPT -A INPUT -i $INTIF -j internal_in
$IPT -A INPUT -i $LO -j local_in
$IPT -A INPUT -i $EXTIF -j inet_in
$IPT -A INPUT -i $EXTIF -p ALL -j LOG --log-prefix "INPUT: dropped packets "
$IPT -A INPUT -i $EXTIF -p ALL -j DROP
###############################################################################
#### OUTPUT ####
###############################################################################
$IPT -A OUTPUT -o $INTIF -j internal_out
$IPT -A OUTPUT -o $LO -j local_out
$IPT -A OUTPUT -o $EXTIF -j inet_out
$IPT -A OUTPUT -o $EXTIF -p ALL -j LOG --log-level info --log-prefix "OUTPUT: dropped packets "
$IPT -A OUTPUT -o $EXTIF -p ALL -j DROP
###############################################################################
#### FORWARD ####
###############################################################################
### i found these in a tutorial somewhere. are these handy or not of use in a
### 1 interface environment
# Syn-flood protection:
$IPT -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Furtive port scanner:
$IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping of death:
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# drop invalid packets
$IPT -A FORWARD -m state --state INVALID -j LOG --log-prefix "FORWARD: invalid packets "
$IPT -A FORWARD -m state --state INVALID -j DROP
### allow forwarding to the lan from the net for established or related connections
$IPT -A FORWARD -i $EXTIF -o $INTIF -d $LAN -s ! $LAN \
-m state --state ESTABLISHED,RELATED -j ACCEPT
### allow forwarding to the net from the lan
# Took it out for more restrictive rules
# $IPT -A FORWARD -o $INTIF -i $EXTIF -d $LAN -s ! $LAN -j ACCEPT
# tcp
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 21 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 22 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 25 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 110 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 443 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 2222 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 8080 -j ACCEPT
# udp
$IPT -A FORWARD -i $INTIF -o $EXTIF -p udp --dport 53 -j ACCEPT # dns
# ping
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 0 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 3 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 11 -j ACCEPT
### log all the rest (i shouldn't get packets here?) ###
$IPT -A FORWARD -p ALL -j LOG --log-level info --log-prefix "FORWARD: dropped packets "
$IPT -A FORWARD -p ALL -j DROP
###############################################################################
#### POSTROUTING ####
###############################################################################
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
;;
stop)
echo "Stopping $DESC: $NAME "
#Clearing any previous configuration
$IPT -F
$IPT -X
$IPT -Z
$IPT -P INPUT DROP
$IPT -F INPUT
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -N local_in
$IPT -N internal_in
$IPT -N local_out
$IPT -N internal_out
###############################################################################
### local_in ####
###############################################################################
$IPT -A local_in -j ACCEPT
###############################################################################
### local_out ####
###############################################################################
$IPT -A local_out -j ACCEPT
###############################################################################
### internal_in ####
###############################################################################
# allow dhcp request to eth1 in, allow ssh to firewall machine from lan, allow imap and smtp
$IPT -A internal_in -p tcp --dport 2222 -j ACCEPT
$IPT -A internal_in -p tcp --dport 25 -j ACCEPT
$IPT -A internal_in -p udp --sport 67:68 --dport 67:68 -j ACCEPT
$IPT -A internal_in -p tcp --dport 143 -j ACCEPT
###############################################################################
### internal_out ####
###############################################################################
# from FW to lan: imap, dhcp, smtp
$IPT -A internal_out -p tcp --dport 25 -j ACCEPT
$IPT -A internal_out -p udp --sport 67:68 --dport 67:68 -j ACCEPT
$IPT -A internal_out -p tcp --dport 143 -j ACCEPT
###############################################################################
### INPUT ####
###############################################################################
$IPT -A INPUT -i $INTIF -j internal_in
$IPT -A INPUT -i $LO -j local_in
$IPT -A INPUT -i $EXTIF -p ALL -j LOG --log-prefix "INPUT: stopped, dropped packets "
$IPT -A INPUT -i $EXTIF -p ALL -j DROP
###############################################################################
#### OUTPUT ####
###############################################################################
$IPT -A OUTPUT -o $INTIF -j internal_out
$IPT -A OUTPUT -o $LO -j local_out
$IPT -A OUTPUT -o $EXTIF -p ALL -j LOG --log-level info --log-prefix "OUTPUT: stopped, dropped packets "
$IPT -A OUTPUT -o $EXTIF -p ALL -j DROP
###############################################################################
#### FORWARD ####
###############################################################################
$IPT -A FORWARD -p ALL -j DROP
# remove unused modules
$DEP -a
;;
#reload)
#
# If the daemon can reload its config files on the fly
# for example by sending it SIGHUP, do it here.
#
# If the daemon responds to changes in its config file
# directly anyway, make this a do-nothing entry.
#
# echo -n "Reloading $DESC configuration..."
# start-stop-daemon --stop --signal 1 --quiet --pidfile \
# /var/run/$NAME.pid --exec $DAEMON
# echo "done."
#;;
restart|force-reload)
#
# If the "reload" option is implemented, move the "force-reload"
# option to the "reload" entry above. If not, "force-reload" is
# just the same as "restart".
#
echo "Restarting $DESC: $NAME"
/etc/init.d/$DAEMON stop
/etc/init.d/$DAEMON start
;;
*)
N=/etc/init.d/$NAME
# echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $N {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
================ iptabels script ======================
Reply to: