iptables - RH 9 - script help (script inserted)
1-news


01-24-04 12:48 AM

Hi,

I am trying to get the following iptables script to allow icmp to/from the
fw internal interface to/from the ext fw interface, but no luck, so I am
asking for your help! I also want tcp/9008 to flow bi-directionally into and
out of the internal/external NICs on the fw. eth0 = internal, eth1 =
external in the following script.

Thank you for any help (remove the dash in my name if you are replying via
e-mail).

## iptables script ##
#!/bin/sh
###############################################
# rc.firewall - iptables firewall script
###############################################

###############################################
# Load Vars
###############################################
IPTABLES=/sbin/iptables

### Load eth0 parms - INTERNAL NETWORK ###
. /etc/sysconfig/network-scripts/ifcfg-eth0
INT_INF=$DEVICE
INT_NET=$NETWORK/24
INT_IP=$IPADDR

### Load eth1 parms - EXTERNAL NETWORK ###
. /etc/sysconfig/network-scripts/ifcfg-eth1
EXT_INF=$DEVICE
EXT_NET=$NETWORK/22
EXT_IP=$IPADDR

ANYHOST="0.0.0.0/0"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"

###############################################
# Load modules
###############################################
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

###############################################
# Flush rules and pre-existing user-defined chains and zero counters
###############################################
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle
$IPTABLES -Z

###############################################
# Set default policy for built-in chains to DROP
###############################################
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP

###############################################
# Set kernel flags
###############################################
### Disable response to broadcasts ###
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
### Don't accept source routed packets ###
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
### Disable ICMP redirects ###
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
### Enable bad error message protection ###
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
### Enable reverse path filtering ###
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "1" > ${interface}
done
### Enable IP forwarding ###
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

###############################################
###
### Rules
###
###############################################

###############################################
# Allow Loopback
###############################################
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

###############################################
# Enable Syn-Flooding Protection on EXT_INF
###############################################
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -i $EXT_INF -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

###############################################
# Make sure NEW tcp connections are SYN packets (all interfaces)
###############################################
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

###############################################
# Drop all fragments from EXT_INF
###############################################
$IPTABLES -A INPUT -i $EXT_INF -f -j DROP

###############################################
# Drop spoofed packets with 'my' IP address
###############################################
$IPTABLES -A INPUT -i $EXT_INF -s $EXT_IP -j DROP

###############################################
# Pre-Routing NAT
###############################################
# none

###############################################
# Post-Routing NAT - SOURCE NAT
###############################################
$IPTABLES -t nat -A POSTROUTING -o $INT_INF -s $EXT_NET -j SNAT --to $INT_IP

###############################################
# Firewall -> INTERNAL
###############################################
# --- Allow All --- #
$IPTABLES -A OUTPUT -o $INT_INF -s $INT_IP -d $ANYHOST -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $INT_INF -s $ANYHOST -d $INT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################
# Firewall -> EXTERNAL
###############################################
# --- Allow All --- #
$IPTABLES -A OUTPUT -o $EXT_INF -s $EXT_IP -d $ANYHOST -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_INF -s $ANYHOST -d $EXT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################
# INTERNAL -> Firewall
###############################################
# --- Allow SSH --- #
$IPTABLES -A OUTPUT -o $INT_INF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $INT_INF -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

###############################################
# INTERNAL -> EXTERNAL
###############################################
# --- Allow all --- #
$IPTABLES -A FORWARD -i $INT_INF -o $EXT_INF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_INF -o $INT_INF -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################
# EXTERNAL -> INTERNAL
###############################################

######################################################## <<<#
## I am trying to get these two items working:
## a) icmp from/to internal and external interfaces
## b) tcp/9008 (bi-directionally)
######################################################## <<<#
# --- Allow icmp --- #
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# --- Allow tcp/9008 bi-directionally --- #
$IPTABLES -A FORWARD -i $EXT_INF -o $INT_INF -p tcp --dport 9008 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# What happens for both of these is the packet makes it from eth0 -> eth1 but
# no return traffic is seen.
# Both operations work from the console on the firewall but not from a host
# on eth0.
# I can ssh into the firewall
# What did I miss? Thank You ! 1-news@cox.net (remove the dash in the user
# name to reply)

###############################################
# External -> Firewall
###############################################
#---Allow DHCP----
#$IPTABLES -A INPUT -i $EXT_INF -p udp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXT_INF -p udp --dport 68 -m state --state ESTABLISHED -j ACCEPT

###############################################
# Last Rule - Deny all
###############################################
# $IPTABLES -A INPUT -j LOG --log-prefix "INPUT-DENY "
$IPTABLES -A INPUT -j DROP
# $IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT-DENY "
$IPTABLES -A OUTPUT -j DROP
# $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD-DENY "
$IPTABLES -A FORWARD -j DROP

###############################################
# END
###############################################

Thanks for any help you can provide. Note: I cannot change to -j MASQ (must
stay SNAT).

Again, 1-news@cox.net (remove the dash in the user name to reply or a reply
to the ng's is fine). TIA !!












    Re: iptables - RH 9 - script help (script inserted)  
Noi


01-24-04 12:48 AM

On Sat, 13 Dec 2003 12:16:50 -0500, 1-news thoughtfully wrote:
quote:
> Hi,
>
> I am trying to get the following iptables script to allow icmp to/from the
> fw internal interface to/from the ext fw interface but no luck so I am
> asking for your help! I also want tcp/9008 to flow bi-directionally into
> and out of the internal/external nic's on the fw. eth0 = internal, eth1 =
> external in the following script.
>
> Thank you for any help (remove the dash in my name if you are replying via
> e-mail).
Regarding the ICMP problem, I think you've positioned your ICMP tests too far down the tree to be effective. In other words, I think your ICMPs are dropped before they get to your tests. Look, I'm not an expert, but your code, while technically correct and ambitious coding, is the worst I've seen in a very long time. Very hard to read and interpret, not friendly at all and too complex. I suggest you look at the smb.conf file as a good example for commenting your code, and grouping your iptables statements together for easier debugging, i.e., all variables in a variables section, INPUT statements in an INPUT section maybe sub-sectioned by device, etc.







    Re: iptables - RH 9 - script help (script inserted)  
1-news


01-24-04 12:48 AM

Noi,

see below

"Noi" <noi@siam.com> wrote in message
news:pan.2003.12.14.19.00.54.239526@siam.com...
quote:
> On Sat, 13 Dec 2003 12:16:50 -0500, 1-news thoughtfully wrote:
> Regarding the ICMP problem I think you've positioned your ICMP tests too
> far down the tree to be effective. In other words I think your ICMPs are
> dropped before they get to your tests.
No, they are not. The method being used is to initially flush all tables/nat, drop all traffic, and then permit what I specifically want to allow. The initial packet is seen entering eth0 (internal int) and being fwd to eth1 (external int) but the reply is not being sent back. If the ICMP section is commented out nothing is seen on eth1 (I've tested that).
quote:
> Look I'm not an expert but your code while technically correct and
> ambitious coding it's the worse I've seen in a very long time. Very hard
> to read and interpret, not friendly at all and too complex. Suggest you
> look at the smb.conf file as a good example for commenting your code, and
> grouping your iptable statements together for easier debugging, ie, all
> INPUT statements in the Variables in a variable section, INPUT statements
> in INPUT section maybe sub-sectioned by device, etc.
There are more than enough comments in there to show what is being done or what I am trying to achieve. So you do not/can not see my error? That was helpful (organize the code and add more comments). Save your fingers next time and hit next in your fav news browser! <snip> -bandwidth saved below here







    Re: iptables - RH 9 - script help (script inserted)  
Alexander Dalloz


01-24-04 12:48 AM

On Sat, 13 Dec 2003 12:16:50 -0500 1-news wrote:
quote:
> ######################################################## <<<#
> ## I am trying to get these two items working:
> ## a) icmp from/to internal and external interfaces
> ## b) tcp/9008 (bi-directionally)
> ######################################################## <<<#
> # ---Allow icmp --- #
> $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
> $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
> $IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
> # --- Allow tcp/9008 bi-directionally --- #
> $IPTABLES -A FORWARD -i $EXT_INF -o $INT_INF -p tcp --dport 9008 -m state --state NEW,ESTABLISHED -j ACCEPT
> #
> # What happens for both of these is the packet makes from eth0 -> eth1 but
> # no return traffic is seen.
> # Both operations work from the console on the firewall but not from a host
> # on eth0.
> # I can ssh into the firewall
> # What did I miss? Thank You ! 1-news@cox.net (remove the dash in the user
> # name to reply)
ICMP can't go through because you DROP the icmp protocol by the FORWARD rules. Port 9008 is not bidirectional as you only have a rule for the direction outside world -> inside network, not vice versa.

Alexander
F'up redhat.networking.general

--
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653







    Re: iptables - RH 9 - script help (script inserted)  
1-news


01-24-04 12:48 AM

Alexander,

see below...

"Alexander Dalloz" <alexander.dalloz@uni-bielefeld.de> wrote in message
news:pan.2003.12.15.15.38.46.865035@uni-bielefeld.de...
quote:
> On Sat, 13 Dec 2003 12:16:50 -0500 1-news wrote:
>


Today I modified/added:
$IPTABLES -A FORWARD -i $INT_INF -o $EXT_INF -p tcp --sport 9008 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_INF -o $INT_INF -p tcp --dport 9008 -m state --state NEW,ESTABLISHED -j ACCEPT

-and- added a route to the internal network, from the other hosts' perspective,
on their router, and tcp/9008 is working now. <whew> They did not realize I
was doing SNAT and not MASQ, so they had no route to my internal network on
their end.

It is too bad I didn't see this note before I figured that out ;)

Thanks anyway!
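The two requirements from this thread as an added example (my code, not anything posted in the thread): FORWARD rule pairs for tcp/9008 and for ICMP echo, using the posted script's variable names with eth0/eth1 as placeholder defaults. Unlike the rules posted above, the reply direction of each pair accepts only ESTABLISHED,RELATED, so a side that is not meant to initiate cannot open new sessions, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: stateful FORWARD rules for tcp/9008
# in both directions and for ICMP echo between the two firewall interfaces.
# Variable names follow the posted script; eth0/eth1 are placeholder
# defaults. DRY_RUN=1 prints the iptables commands instead of running them.
INT_INF=${INT_INF:-eth0}
EXT_INF=${EXT_INF:-eth1}
IPTABLES=${IPTABLES:-/sbin/iptables}

# Run or echo one iptables command, depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Allow TCP port $3 through FORWARD when the connection is opened from
# interface $1 towards interface $2. Only that direction accepts NEW;
# replies are matched by conntrack as ESTABLISHED (RELATED covers ICMP
# errors about the connection), so the reverse rule cannot open sessions.
allow_tcp_forward() {
    run -A FORWARD -i "$1" -o "$2" -p tcp --dport "$3" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run -A FORWARD -i "$2" -o "$1" -p tcp --sport "$3" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Allow ping across the firewall from either side. echo-request is the
# only ICMP type that may start a flow; echo-reply and ICMP errors come
# back as ESTABLISHED/RELATED through the second rule of each pair.
allow_icmp_forward() {
    for pair in "$INT_INF $EXT_INF" "$EXT_INF $INT_INF"; do
        set -- $pair
        run -A FORWARD -i "$1" -o "$2" -p icmp --icmp-type echo-request \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        run -A FORWARD -i "$1" -o "$2" -p icmp \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# "tcp/9008 bi-directionally": one pair per side that is allowed to initiate.
ruleset_9008() {
    allow_tcp_forward "$INT_INF" "$EXT_INF" 9008   # inside hosts connect out
    allow_tcp_forward "$EXT_INF" "$INT_INF" 9008   # outside hosts connect in
}

# Load everything (or print it, with DRY_RUN=1).
load_rules() {
    ruleset_9008
    allow_icmp_forward
}

# Only act when invoked as "sh fw-9008.sh load"; sourcing defines functions.
case "${1:-}" in
    load) load_rules ;;
esac
```

Run it as `DRY_RUN=1 sh fw-9008.sh load` first to review the rules; once loaded, `iptables -L FORWARD -v -n` shows per-rule packet counters, which is the fastest way to see whether replies are matching the intended rule or falling through to the final DROP. The routing point from the last post still applies: the posted SNAT acts only on traffic leaving $INT_INF, so inside hosts reach the outside with their real addresses and the far side needs a route back to $INT_NET.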






