
Re: IP Forwarding to Windows machine



2014-08-08 09:04 keltezéssel, Mike McClain írta:
>     I've been trying to get my hand rolled iptables firewall to
> masquerade traffic on the LAN to/from a Win2K box. I've gotten it to
> the point that I can ping from the boxes both ways, smbclient can move
> files both ways and the Win2K box can ping Google's IP address but DNS
> lookup fails even though I've used the same DNS server in the Win2K
> box as on my Debian box which accesses the Inet via dialup. IE says
> "Cannot find server or DNS error."
>     I've read every HOWTO and the iptables man pages several times but
> am at a loss.
>     Suggestions?
> Thanks,
> Mike
> 
> Here's the firewall code:
> #!/bin/sh
> #   /mc/bin/my_iptables_fw_lan.sh   July 29, 2014   Mc
> #   install forwarding to south40
> #   from /mc/bin/my_iptables_fw.sh   July 25, 2014   Mc
> #   from ~/nixSecurity/LFS_firewall.txt
> #   which copied from packet-filtering-HOWTO.html
> #   and attributed to Rusty Russell
> #   resources: docs/nixSecurity/IPtables_Basics.html
> 
> # You can send test packets using
> # Code:   telnet ip 445
> # and listen incoming packets on 445 port this way
> # Code:   tcpdump -i eth0 dst port 445
> # scan from this side
> # Code:   nmap -vv --reason -p 1-1056 192.168.1.2
> 
> INET=ppp0
> LAN=eth1
> router='192.168.1.1'
> S40='192.168.1.3'
> 
> # Insert connection-tracking modules
> # (not needed if built into the kernel)
> modprobe ip_tables
> modprobe iptable_filter
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ipt_state
> modprobe ipt_LOG
> #   for masq
> modprobe ipt_MASQUERADE
> 
> #   for masq    allow forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/lo/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
> 
> # Set a known state     -----------------------------------------
> iptables -P INPUT   DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT  ACCEPT
> 
> #  remove all rules and pre-existing user defined chains before we implement new rules.
> iptables -F     #   delete all rules in all chains
> iptables -t nat -F
> iptables -t filter -F
> iptables -t mangle -F
> iptables -X     #   all chains but those built (INPUT,OUTPUT,FORWARD) will be deleted.
> iptables -Z     #   zero all counters in all chains.
> 
> #                       -----------------------------------------
> #   iptables [-t table(nat,mangle,filter,raw)] command(-AIRD [INPUT,OUTPUT,FORWARD]) [match] [target/jump]
> 
> #   INPUT          ----------------------------------------------
> #   accept GRC.com for testing
> # iptables -A INPUT -s 4.79.142.206 -j ACCEPT
> # GRC scan: 411 open,
> #   most blocked, 88:93,113:114,138:138,210,211,213,215:220,267:271,273,275:280,398 stealth
> #   second run different stealth
> iptables -A INPUT -p tcp --dport 411 -j DROP
> iptables -A INPUT -p udp --dport 411 -j DROP
> 
> #   without SYN packets other computers cannot open communications
> iptables -A INPUT -i $INET -p tcp --syn -j DROP
> 
> #   ICMP echo from south40      conflicts with sysctl
> # echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all  prevents ping router
> # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all  prevents s40:ping play
> 
> # Disallow NEW and INVALID incoming or forwarded packets from ppp0.
> iptables -A INPUT -i $INET -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i $INET -m state --state NEW,INVALID -j DROP
> 
> # deny ping from Inet
> iptables -A INPUT -i $INET -p icmp --icmp-type echo-request -j DROP
> 
> # Allow local-only connections
> iptables -A INPUT  -i $LAN -j ACCEPT
> 
> #   allow mail to get through    127.0.0.1:25    exim4  loopback
> iptables -A INPUT -i lo -j ACCEPT
> 
> #   for masq
> # iptables -A INPUT -m state --state NEW -i $LAN -j ACCEPT
> iptables -A INPUT -m state --state NEW ! -i $INET -j ACCEPT
> 
> # Permit answers on already established connections
> # and permit new connections related to established ones
> # (e.g. port mode ftp)
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Log everything else. What's Windows' latest exploitable vulnerability?
> iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " --log-level 4
> 
> #   OUTPUT          ----------------------------------------------  ACCEPT
> #   drop fragments to south40
> iptables -A OUTPUT -f -d $S40 -j DROP
> 
> #   port 411 showing as open even though DROPed on INPUT
> iptables -A OUTPUT -p tcp --dport 411 -j DROP
> iptables -A OUTPUT -p udp --dport 411 -j DROP
> 
> #   MASQ    -----------------------------------------------------
> #   from Masquerading-Simple-HOWTO
> # Masquerade out ppp0
> iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
> iptables -A FORWARD -i $INET -p tcp --syn -j DROP
> #   not sure why but this keeps south40 from pinging Inet
> # iptables -A FORWARD -i $INET -o $INET -j DROP
> 
> --
> "You may not control all the events that happen to you, but you can
> decide not to be reduced by them."
>     - Maya Angelou
> 
> 
It's a rather complicated, sometimes overcomplicated script. But some
rules are missing and/or not in the correct order.

To keep things simpler I suggest doing a minimal script, and you can
make it more complicated later.

So I suggest you delete all lines after the initializing lines (the
last line you should keep is this one):
iptables -Z     #   zero all counters in all chains.

And continue with a really simple script:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -j ACCEPT

iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE

If it works then keep it, and afterwards you can add other options line by
line (and of course always test).


-- 
--- Friczy ---
'Death is not a bug, it's a feature'
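As an added illustration (not part of either message) of why the minimal chain in the reply forwards LAN traffic where the quoted script does not, here is a toy first-match model of the FORWARD chain. Interface names follow the quoted script; the packets are constructed for the example, and only the -i, -o and state matches are modelled.

```python
# Constructed toy model of iptables first-match evaluation for one chain.
# Only the matches the two FORWARD chains use are modelled: -i, -o, -m state.
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Rule:
    target: str                          # -j ACCEPT / DROP
    in_iface: Optional[str] = None       # -i
    out_iface: Optional[str] = None      # -o
    states: Optional[Set[str]] = None    # -m state --state ...

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    state: str                           # conntrack state: NEW, ESTABLISHED, ...

def matches(rule: Rule, pkt: Packet) -> bool:
    # Every specified match must hold; unspecified matches are wildcards.
    return ((rule.in_iface is None or pkt.in_iface == rule.in_iface)
            and (rule.out_iface is None or pkt.out_iface == rule.out_iface)
            and (rule.states is None or pkt.state in rule.states))

def verdict(chain, policy: str, pkt: Packet) -> str:
    """First matching rule decides; if nothing matches, the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

INET, LAN = "ppp0", "eth1"   # interface names as in the quoted script

# FORWARD chain of the quoted script (policy DROP): its only rules DROP.
# The "-p tcp --syn" DROP rule is not modelled; it adds no ACCEPT either.
ORIGINAL_FORWARD = [
    Rule("DROP", in_iface=INET, states={"NEW", "INVALID"}),
]
# Friczy's minimal FORWARD chain (policy DROP).
MINIMAL_FORWARD = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", in_iface=LAN),
]

# Constructed packets: a LAN host's DNS query going out, its reply coming back,
# and an unsolicited connection attempt arriving from the dialup side.
DNS_QUERY = Packet(in_iface=LAN, out_iface=INET, state="NEW")
DNS_REPLY = Packet(in_iface=INET, out_iface=LAN, state="ESTABLISHED")
UNSOLICITED = Packet(in_iface=INET, out_iface=LAN, state="NEW")
```

With the original chain both the query and its reply fall through to the DROP policy; with the minimal chain the query is accepted by the `-i $LAN` rule, the reply by the ESTABLISHED,RELATED rule, and the unsolicited packet still hits the policy.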

