[fw-wiz] iptables problem forwarding

From: Weazy (opensource@hackerthreads.com)
Date: 03/30/03

  • Next message: LE CORVIC Y InfoEdpEtcDep: "RE: [fw-wiz] VPN client accessing wrong IP address."
    From: "Weazy" <opensource@hackerthreads.com>
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Sun, 30 Mar 2003 11:38:31 -0500

    hello folks.

    i have built an iptables firewall that i am mostly happy with. the main
    problem that still exists is the firewall will not allow connections i do
    want to permit.

    1. i want to allow ssh
    2. want to forward port 3389 to an internal machine.

    i posted by iptables here hoping someone can see the mistake.
    i have comment each line so you know what i am trying to do. I have the
    input policy set as drop. i have tried setting that to accept with no change
    in results.

    thank you in advance

    # setting up modules we neet to support NAT and add protocols with
    unordinary behavior
    modprobe iptable_nat
    modprobe ip_conntrack_ftp ip_nat_ftp
    modprobe ip_conntrack
    modprobe ip_conntrack_irc ip_nat_irc

    #make sure packet forwarding enabled by kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward

    #flushing existing tables
    iptables --flush
    iptables -t nat --flush

    #enable connection tracking
    iptables -I FORWARD -m state --state INVALID -j DROP
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    #allowing one service on this machine ssh
    iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
    iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -i eth1 --dport 22-j ACCEPT
    iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

    #enable loopback
    iptables -A INPUT -i lo -p all -j ACCEPT
    iptables -A OUTPUT -o lo -p all -j ACCEPT

    # accept established connections
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    #Allow inbound service
    iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d --destination-port 3389 -j ACCEPT

    #defend against port scans and DDOS attacks
    #dealing with packets w/o syn flags when they are new
    iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j
    LOG --log-prefix "new no-SYN: "
    iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A FORWARD -i eth0 -p tcp --tcp-flags ACK ACK -m state --state
    NEW -j LOG --log-prefix "New ACK: "

    #enforcing TCP standards
    iptables -A INPUT -p tcp --tcp-option \! 2 -j
    LOG --log-tcp-options --log-prefix "TCP standards not met: "
    iptables -A INPUT -p tcp --tcp-option \! 2 -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p tcp -j LOG -m limit --limit 500/hour --limit-burst
    500 --log-prefix "MIRROR: "
    iptables -A INPUT -p tcp -j MIRROR -m limit --limit 500/hour --limit-burst

    #dropping packets on the internet side going to/from private use multicast
    also making sure we dont spoof
    #others or allow internal spoofing

    #iptables -A INPUT -i eth0 -s -j DROP
    #$iptables -A OUTPUT -o eth0 -s -j DROP

    #allowing all outbound traffic
    iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT

    #rewrite all connections coming from private network to use eth0 addres and
    rewrite response

    iptables -t nat -F
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
    iptables -P INPUT DROP

    firewall-wizards mailing list

  • Next message: LE CORVIC Y InfoEdpEtcDep: "RE: [fw-wiz] VPN client accessing wrong IP address."