iptables - RH 9 - script help (script inserted)
1-news 2004-01-23, 7:48 pm
Hi,
I am trying to get the following iptables script to allow icmp to/from the
fw internal interface to/from the ext fw interface but no luck, so I am
asking for your help! I also want tcp/9008 to flow bi-directionally into and
out of the internal/external NICs on the fw. eth0 = internal, eth1 =
external in the following script.
Thank you for any help (remove the dash in my name if you are replying via
e-mail).
## iptables script ##
#!/bin/sh
###############################################
# rc.firewall - iptables firewall script
###############################################

###############################################
# Load Vars
###############################################
IPTABLES=/sbin/iptables

### Load eth0 parms - INTERNAL NETWORK ###
. /etc/sysconfig/network-scripts/ifcfg-eth0
INT_INF=$DEVICE
INT_NET=$NETWORK/24
INT_IP=$IPADDR

### Load eth1 parms - EXTERNAL NETWORK ###
. /etc/sysconfig/network-scripts/ifcfg-eth1
EXT_INF=$DEVICE
EXT_NET=$NETWORK/22
EXT_IP=$IPADDR

ANYHOST="0.0.0.0/0"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"

###############################################
# Load modules
###############################################
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

###############################################
# Flush rules and pre-existing user-defined chains and zero counters
###############################################
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle
$IPTABLES -Z

###############################################
# Set default policy for built-in chains to DROP
###############################################
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP

###############################################
# Set kernel flags
###############################################
### Disable response to broadcasts ###
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
### Don't accept source routed packets ###
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
### Disable ICMP redirects ###
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
### Enable bad error message protection ###
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
### Enable reverse path filtering ###
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "1" > ${interface}
done
### Enable IP forwarding ###
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

###############################################
###
### Rules
###
###############################################

###############################################
# Allow Loopback
###############################################
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

###############################################
# Enable Syn-Flooding Protection on EXT_INF
###############################################
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -i $EXT_INF -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

###############################################
# Make sure NEW tcp connections are SYN packets (all interfaces)
###############################################
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

###############################################
# Drop all fragments from EXT_INF
###############################################
$IPTABLES -A INPUT -i $EXT_INF -f -j DROP

###############################################
# Drop spoofed packets with 'my' ipaddress
###############################################
$IPTABLES -A INPUT -i $EXT_INF -s $EXT_IP -j DROP

###############################################
# Pre-Routing NAT
###############################################
# none

###############################################
# Post-Routing NAT - SOURCE NAT
###############################################
$IPTABLES -t nat -A POSTROUTING -o $INT_INF -s $EXT_NET -j SNAT --to $INT_IP

###############################################
# Firewall -> INTERNAL
###############################################
# --- Allow All --- #
$IPTABLES -A OUTPUT -o $INT_INF -s $INT_IP -d $ANYHOST -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $INT_INF -s $ANYHOST -d $INT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################
# Firewall -> EXTERNAL
###############################################
# --- Allow All --- #
$IPTABLES -A OUTPUT -o $EXT_INF -s $EXT_IP -d $ANYHOST -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_INF -s $ANYHOST -d $EXT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################
# INTERNAL -> Firewall
###############################################
# --- Allow SSH --- #
$IPTABLES -A OUTPUT -o $INT_INF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $INT_INF -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

###############################################
# INTERNAL -> EXTERNAL
###############################################
# --- Allow all --- #
$IPTABLES -A FORWARD -i $INT_INF -o $EXT_INF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_INF -o $INT_INF -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################
# EXTERNAL -> INTERNAL
###############################################
####################################################### <<<#
## I am trying to get these two items working:
## a) icmp from/to internal and external interfaces
## b) tcp/9008 (bi-directionally)
####################################################### <<<#
# ---Allow icmp --- #
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# --- Allow tcp/9008 bi-directionally --- #
$IPTABLES -A FORWARD -i $EXT_INF -o $INT_INF -p tcp --dport 9008 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# What happens for both of these is the packet makes it from eth0 -> eth1 but
# no return traffic is seen.
# Both operations work from the console on the firewall but not from a host
# on eth0.
# I can ssh into the firewall.
# What did I miss? Thank You ! 1-news@cox.net (remove the dash in the user
# name to reply)

###############################################
# External -> Firewall
###############################################
#---Allow DHCP----
#$IPTABLES -A INPUT -i $EXT_INF -p udp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXT_INF -p udp --dport 68 -m state --state ESTABLISHED -j ACCEPT

###############################################
# Last Rule - Deny all
###############################################
# $IPTABLES -A INPUT -j LOG --log-prefix "INPUT-DENY "
$IPTABLES -A INPUT -j DROP
# $IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT-DENY "
$IPTABLES -A OUTPUT -j DROP
# $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD-DENY "
$IPTABLES -A FORWARD -j DROP

###############################################
# END
###############################################
Thanks for any help you can provide. Note- I can not change to -j MASQ (must
stay SNAT).
Again, 1-news@cox.net (remove the dash in the user name to reply or a reply
to the ng's is fine). TIA !!

On Sat, 13 Dec 2003 12:16:50 -0500, 1-news thoughtfully wrote:
quote:
> Hi,
>
> I am trying to get the following iptables script to allow icmp to/from the
> fw internal interface to/from the ext fw interface but no luck so I am
> asking for your help! I also want tcp/9008 to flow bi-directionally into
> and out of the internal/external nic's on the fw. eth0 = internal, eth1 =
> external in the following script.
>
> Thank you for any help (remove the dash in my name if you are replying via
> e-mail).
>
Regarding the ICMP problem, I think you've positioned your ICMP tests too
far down the tree to be effective. In other words, I think your ICMPs are
dropped before they get to your tests.
Look, I'm not an expert, but your code, while technically correct and
ambitious coding, is the worst I've seen in a very long time. Very hard
to read and interpret, not friendly at all and too complex. Suggest you
look at the smb.conf file as a good example for commenting your code, and
grouping your iptables statements together for easier debugging, i.e., all
variables in a variable section, INPUT statements in an INPUT section,
maybe sub-sectioned by device, etc.
<snip>

1-news 2004-01-23, 7:48 pm
Noi,
see below
"Noi" <noi@siam.com> wrote in message
news:pan.2003.12.14.19.00.54.239526@siam.com...
quote:
> On Sat, 13 Dec 2003 12:16:50 -0500, 1-news thoughtfully wrote:
>
> Regarding the ICMP problem I think you've positioned your ICMP tests too
> far down the tree to be effective. In other words I think your ICMPs are
> dropped before they get to your tests.
No, they are not. The method being used is to initially flush all
tables/nat, drop all traffic, and then permit what I specifically want to
allow. The initial packet is seen entering eth0 (internal int) and being
forwarded to eth1 (external int) but the reply is not being sent back. If
the ICMP section is commented out nothing is seen on eth1 (I've tested that).
quote:
> Look I'm not an expert but your code while technically correct and
> ambitious coding it's the worse I've seen in a very long time. Very hard
> to read and interpret, not friendly at all and too complex. Suggest you
> look at the smb.conf file as a good example for commenting your code, and
> grouping your iptable statements together for easier debugging, ie, all
> INPUT statements in the Variables in a variable section, INPUT statements
> in INPUT section maybe sub-sectioned by device, etc.
There are more than enough comments in there to show what is being done or
what I am trying to achieve. So you do not/can not see my error? That was
helpful (organize the code and add more comments). Save your fingers next
time and hit next in your fav news browser!
<snip> -bandwidth saved below here

Alexander Dalloz 2004-01-23, 7:48 pm
On Sat, 13 Dec 2003 12:16:50 -0500 1-news wrote:
quote:
> ####################################################### <<<#
> ## I am trying to get these two items working:
> ## a) icmp from/to internal and external interfaces
> ## b) tcp/9008 (bi-directionally)
> ####################################################### <<<#
> # ---Allow icmp --- #
> $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
> # --- Allow tcp/9008 bi-directionally --- #
> $IPTABLES -A FORWARD -i $EXT_INF -o $INT_INF -p tcp --dport 9008 -m state --state NEW,ESTABLISHED -j ACCEPT
> #
> # What happens for both of these is the packet makes it from eth0 -> eth1 but
> # no return traffic is seen.
> # Both operations work from the console on the firewall but not from a host
> # on eth0.
> # I can ssh into the firewall.
> # What did I miss? Thank You ! 1-news@cox.net (remove the dash in the user
> # name to reply)
ICMP can't go through because you DROP the icmp protocol by the FORWARD
rules.
Port 9008 is not bidirectional as you only have a rule for the direction
outside world -> inside network, not vice versa.
Alexander
F'up redhat.networking.general
--
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653

1-news 2004-01-23, 7:48 pm
Alexander,
see below...
"Alexander Dalloz" <alexander.dalloz@uni-bielefeld.de> wrote in message
news:pan.2003.12.15.15.38.46.865035@uni-bielefeld.de...
> On Sat, 13 Dec 2003 12:16:50 -0500 1-news wrote:
>
Today I modified/added:
$IPTABLES -A FORWARD -i $INT_INF -o $EXT_INF -p tcp --sport 9008 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_INF -o $INT_INF -p tcp --dport 9008 -m state --state NEW,ESTABLISHED -j ACCEPT
-and- added a route to the internal network, from the other hosts' perspective,
on their router, and tcp/9008 is working now. <whew> They did not realize I
was doing SNAT and not MASQ so they had no route to my internal network on
their end.
It is too bad I didn't see this note before I figured that out ;)
Thanks anyway!
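The FORWARD rules that cover the two requests from the first post (ICMP echo and tcp/9008 initiated from either side), written as an added example; this is not the poster's rc.firewall nor anything from the replies. The first script has a NEW rule for tcp/9008 in the external-to-internal direction only, and its ICMP rules sit in INPUT and OUTPUT, which govern traffic to and from the firewall itself rather than traffic forwarded between eth0 and eth1. The example assumes the same two-interface layout (eth0 internal, eth1 external), a made-up internal network 192.168.1.0/24, and defaults IPTABLES to echo so the generated rule set can be reviewed before it touches a live firewall; set IPTABLES=/sbin/iptables to load it. It leaves the thread's SNAT arrangement alone, so, as the final post found, hosts on the external side still need a route back to the internal network (the alternative is a POSTROUTING SNAT of internal-sourced traffic leaving the external interface to $EXT_IP).

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: FORWARD rules for ICMP echo and
# tcp/9008 started from either side of a two-interface firewall. Interface
# names and INT_NET are assumptions; IPTABLES defaults to "echo" (dry run).
IPTABLES=${IPTABLES:-echo}          # IPTABLES=/sbin/iptables to apply for real
INT_INF=${INT_INF:-eth0}            # internal interface (eth0 in the thread)
EXT_INF=${EXT_INF:-eth1}            # external interface (eth1 in the thread)
INT_NET=${INT_NET:-192.168.1.0/24}  # constructed internal network
APP_PORT=${APP_PORT:-9008}

forward_rules() {
    # Replies for any tracked flow, whichever side started it. This goes first
    # so every rule below only has to describe the first packet (state NEW):
    # the echo-reply and the 9008 server's SYN/ACK both match here.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # a) ICMP echo in both directions. Only the request needs a NEW rule.
    #    Requests arriving on the internal side must carry an INT_NET source
    #    and requests from outside must target INT_NET (cheap anti-spoofing).
    $IPTABLES -A FORWARD -i "$INT_INF" -o "$EXT_INF" -s "$INT_NET" \
        -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXT_INF" -o "$INT_INF" -d "$INT_NET" \
        -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

    # b) tcp/9008 started from either side. --syn together with NEW stops a
    #    stray mid-stream segment from opening a conntrack entry (the thread's
    #    script does this check only in INPUT). One rule per direction, matched
    #    on dport only: the client's source port is ephemeral and the reply
    #    direction is already covered by the ESTABLISHED rule above.
    $IPTABLES -A FORWARD -i "$INT_INF" -o "$EXT_INF" -s "$INT_NET" \
        -p tcp --syn --dport "$APP_PORT" -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXT_INF" -o "$INT_INF" -d "$INT_NET" \
        -p tcp --syn --dport "$APP_PORT" -m state --state NEW -j ACCEPT

    # Log (rate limited, so a flood cannot fill the log) and drop the rest.
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DENY "
    $IPTABLES -A FORWARD -j DROP
}

# Audit helper for the dry run: how many rules admit NEW flows from
# interface $1 to interface $2. Both directions should report the same count.
count_new_rules() {
    forward_rules | grep -c -- "-i $1 -o $2 .*--state NEW"
}

forward_rules
```

Run it as-is to print the rule set; then, on the firewall, load it with IPTABLES=/sbin/iptables and confirm with `iptables -L FORWARD -v -n` that the ESTABLISHED,RELATED rule is first and that the NEW rules exist for both interface pairs. While a ping or a 9008 connection is in flight, `/proc/net/ip_conntrack` on a 2.4 kernel shows the tracked entry; if it is there but no reply is seen on the external interface, the problem is the return route on the far side, not the filter.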