
Re: iptables question



Pascal Hambourg wrote:

> On 13/11/2016 at 16:05, deloptes wrote:
>>
>> These are the rules - a friend created this like 10y ago. I added few
>> rules to forward ports from outside to the intranet and to be able to
>> handle VPN.
>> You can ignore  192.168.60.1 on eth2 - not used.
> 
> IMO, this ruleset is totally insane.
> 

Haha, yes, for me it is also hard to understand it all ... but as I said, in
the past 10y it did good work.

> However, after clearing out all irrelevant rules, I see nothing in what
> is left which may block connections from 192.168.40.0/24 on eth1 to
> anywhere through the firewall :
> 
> *nat
> :PREROUTING ACCEPT [26000:2533530]
> :POSTROUTING ACCEPT [87:4966]
> :OUTPUT ACCEPT [28:2038]
> -A POSTROUTING -s 192.168.40.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :ifilter - [0:0]
> :ofilter - [0:0]
> -A INPUT -j ifilter
> -A FORWARD -j ifilter
> -A FORWARD -j ofilter
> -A OUTPUT -j ofilter
> -A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A ifilter -i eth1 -m state --state NEW -j ACCEPT
> 
> What happens exactly when your try to connect ? What is the command,
> what is the reply ? Did you make a packet capture on eth0 ?
> 

I do ssh user@10...6 and nothing happens - the connection times out after ~1min.

> Did you check the routing table on the firewall and the targets ? Do
> they have a route to all the 10.0.0.0/24 range ?
> 

The one I posted is on the firewall - the firewall is the one I am trying to
modify.
I am not sure that I have a rule to all the 10.0.0.0/24 range, but even if I
replace 10.0.0.1/32 with 10.0.0.0/24 it does not work.

>> Another important information perhaps is that the modem is configured to
>> have a DMZ with 10.0.0.1.
> 
> I don't think this is relevant. The modem is not involved.
> 

The modem is a wireless modem, so the cable goes to the firewall 10..1 and
via the wlan I have 10..6 etc. So IMO it is involved, but I do not have
root on it - I have only the admin iface, and there I see the firewall is active
and set up in normal mode (you have easy and hard - translated from the
local language).

>> Devices 10.0.0.6 and 10.0.0.7 which I want to connect from 192.... do not
>> have any firewalls - they are mobile phones.
>>
>> I will really appreciate your help - perhaps reviewing the rules and
>> suggesting improvements as well.
> 
> This ruleset does not need improvements but a total rewrite.

Yes, I was thinking the same; I'll put it on the TODO. I even tried once with
fw builder - it couldn't even import properly, because import and export
produced a non-working firewall.
It is a bit complicated. However, I think the ruleset is not that bad, as
testing from outside shows the network 192.168... is well protected.

thanks

regards
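To make Pascal's reading of the reduced ruleset concrete, here is a small chain-traversal simulator. This is an added example, not code from either poster: it embeds the *filter rules quoted in the thread verbatim, implements only the matches they use (-i, -o, -s, -d, -m state --state, -j), and feeds them a few constructed packets whose interfaces and conntrack states are assumed. Routing and the nat table are deliberately out of scope, which is exactly why the simulator agrees with Pascal that the filter rules alone cannot be what blocks 192.168.40.0/24 from reaching 10.0.0.0/24.

```python
"""Simulate iptables chain traversal for the reduced *filter ruleset.

Constructed example: FILTER_RULES is the text quoted in the thread; the sample
packets, their interfaces and their conntrack states are invented here.
"""
import ipaddress
import shlex

FILTER_RULES = """\
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ifilter - [0:0]
:ofilter - [0:0]
-A INPUT -j ifilter
-A FORWARD -j ifilter
-A FORWARD -j ofilter
-A OUTPUT -j ofilter
-A ifilter -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ifilter -i eth1 -m state --state NEW -j ACCEPT
"""


def parse_ruleset(text):
    """Parse iptables-save lines into (policies, chains).

    policies: chain name -> built-in policy (None for user-defined chains)
    chains:   chain name -> ordered list of rule dicts
    """
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "COMMIT" or line.startswith("*"):
            continue
        if line.startswith(":"):  # chain declaration with policy and counters
            name, policy, _counters = line[1:].split()
            policies[name] = None if policy == "-" else policy
            chains[name] = []
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        rule = {"in": None, "out": None, "src": None, "dst": None,
                "states": None, "target": None}
        i = 2
        while i < len(toks):
            flag, arg = toks[i], toks[i + 1]
            if flag == "-i":
                rule["in"] = arg
            elif flag == "-o":
                rule["out"] = arg
            elif flag == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif flag == "-d":
                rule["dst"] = ipaddress.ip_network(arg, strict=False)
            elif flag == "-m":
                pass  # match module name; its options follow as separate flags
            elif flag == "--state":
                rule["states"] = set(arg.split(","))
            elif flag == "-j":
                rule["target"] = arg
            else:
                raise ValueError(f"unsupported match: {flag}")
            i += 2
        chains[toks[1]].append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """True when every match the rule specifies holds for the packet."""
    if rule["in"] and rule["in"] != pkt["in_if"]:
        return False
    if rule["out"] and rule["out"] != pkt["out_if"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True


def walk_chain(chain, pkt, chains):
    """Traverse one chain; return a terminal verdict, or None if the packet
    falls off the end (an implicit RETURN to the calling chain)."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        verdict_from_sub = walk_chain(target, pkt, chains)  # jump to user chain
        if verdict_from_sub is not None:
            return verdict_from_sub
    return None


def verdict(builtin_chain, pkt, policies, chains):
    """Final verdict for a packet entering a built-in chain: rule or policy."""
    v = walk_chain(builtin_chain, pkt, chains)
    return v if v is not None else policies[builtin_chain]


# Constructed packets: (built-in chain, packet fields with assumed conntrack state).
SAMPLE_PACKETS = {
    "lan_to_dmz_new": ("FORWARD", dict(in_if="eth1", out_if="eth0",
                       src="192.168.40.5", dst="10.0.0.6", state="NEW")),
    "dmz_reply_established": ("FORWARD", dict(in_if="eth0", out_if="eth1",
                              src="10.0.0.6", dst="192.168.40.5", state="ESTABLISHED")),
    "dmz_to_lan_unsolicited": ("FORWARD", dict(in_if="eth0", out_if="eth1",
                               src="10.0.0.6", dst="192.168.40.5", state="NEW")),
    "wan_to_firewall_new": ("INPUT", dict(in_if="eth0", out_if=None,
                            src="10.0.0.6", dst="10.0.0.1", state="NEW")),
}


def evaluate_samples():
    """Map each sample packet name to the verdict the reduced ruleset gives it."""
    policies, chains = parse_ruleset(FILTER_RULES)
    return {name: verdict(chain, pkt, policies, chains)
            for name, (chain, pkt) in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, v in evaluate_samples().items():
        print(f"{name:24s} -> {v}")
```

The outbound NEW packet from eth1 and the ESTABLISHED reply are both accepted by ifilter, while an unsolicited NEW packet from eth0 falls through ifilter and the empty ofilter to the FORWARD chain's DROP policy. Since the filter table accepts the LAN-to-DMZ traffic, the remaining suspects are the ones Pascal names: the routing table on the firewall and the targets, and whether the SNAT reply actually comes back.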

