[fw-wiz] iptables problem forwarding
From: Weazy (opensource@hackerthreads.com)
Date: 03/30/03
- Previous message: Kessler, Ben: "RE: [fw-wiz] stop microsoft p2p"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Weazy" <opensource@hackerthreads.com> To: <firewall-wizards@honor.icsalabs.com> Date: Sun, 30 Mar 2003 11:38:31 -0500
hello folks.
I have built an iptables firewall that I am mostly happy with. The main
problem that still exists is the firewall will not allow connections I do
want to permit.
1. I want to allow ssh.
2. I want to forward port 3389 to an internal machine.
I posted my iptables here hoping someone can see the mistake.
I have commented each line so you know what I am trying to do. I have the
INPUT policy set as DROP. I have tried setting that to ACCEPT with no change
in results.
Thank you in advance.
# load the modules we need to support NAT and the protocols with unusual behaviour
# (modprobe loads one module per call; a second word on the line is parsed as a
# module parameter, not as another module)
modprobe ip_conntrack
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_irc
# make sure packet forwarding is enabled by the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
# flush existing tables
iptables --flush
iptables -t nat --flush
# connection tracking in FORWARD (-I inserts at the top, so the
# RELATED,ESTABLISHED rule ends up first, ahead of the INVALID drop)
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow one service on this machine: ssh (ssh is TCP only, the udp rule matches nothing useful)
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
# duplicate of the rule above; harmless
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
# enable loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# accept established connections (only on eth0: replies arriving on eth1 for
# connections the firewall itself opens towards the LAN fall through to the DROP policy)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow the inbound service through FORWARD; this only matches packets that are
# already addressed to 192.168.0.4, which requires the DNAT rule in the nat table below
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.4 --destination-port 3389 -j ACCEPT
# defend against port scans and DDoS attacks
# deal with packets without the SYN flag when they are NEW
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "new no-SYN: "
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ACK ACK -m state --state NEW -j LOG --log-prefix "New ACK: "
# enforcing TCP standards: TCP option 2 is MSS, which only SYN segments carry, so
# every non-SYN TCP packet that reaches this point is logged and reset
iptables -A INPUT -p tcp --tcp-option \! 2 -j LOG --log-tcp-options --log-prefix "TCP standards not met: "
iptables -A INPUT -p tcp --tcp-option \! 2 -j REJECT --reject-with tcp-reset
# MIRROR is an experimental target of the 2.4-series kernels that bounces the
# packet back to its sender; rate-limited to 500 per hour
iptables -A INPUT -p tcp -m limit --limit 500/hour --limit-burst 500 -j LOG --log-prefix "MIRROR: "
iptables -A INPUT -p tcp -m limit --limit 500/hour --limit-burst 500 -j MIRROR
# drop packets on the internet side going to/from private-use and multicast ranges,
# also making sure we don't spoof others or allow internal spoofing (currently disabled)
#iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
#iptables -A OUTPUT -o eth0 -s 192.168.0.0/24 -j DROP
# allow all outbound traffic
iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT
# rewrite all connections coming from the private network to use the eth0 address
# and rewrite the responses appropriately
# (nat was already flushed above; any nat rule added before this line would be lost)
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
# the missing piece for item 2: rewrite the destination of port 3389 arriving on
# eth0 to the internal host before routing, so the FORWARD ACCEPT above then matches
iptables -t nat -A PREROUTING -i eth0 -p tcp -d x.x.x.x --dport 3389 -j DNAT --to-destination 192.168.0.4
iptables -P INPUT DROP
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
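The post asks why the 3389 forward and ssh do not work, so here is, as an added example that is not Weazy's script and not part of the original message, a minimal forwarding firewall built from the same pieces (state tracking, SNAT, a port forward, ssh to the box) with the port forward done in both places it needs: a DNAT rule in nat/PREROUTING and an ACCEPT in filter/FORWARD. The interface names, the TEST-NET-2 placeholder public address, the internal host and the IPT dry-run variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example: minimal stateful forwarding firewall with a correct port forward.
# Placeholders (assumed, not from the original post): interfaces, addresses, ports.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IP="${WAN_IP:-198.51.100.10}"      # placeholder public address (TEST-NET-2)
LAN_NET="${LAN_NET:-192.168.0.0/24}"
RDP_HOST="${RDP_HOST:-192.168.0.4}"
RDP_PORT="${RDP_PORT:-3389}"

# IPT defaults to "echo iptables" so the rule set can be reviewed without root
# (dry run); run with IPT=iptables to apply it for real.
IPT="${IPT:-echo iptables}"

build_firewall() {
    $IPT -F
    $IPT -t nat -F
    # Default deny for traffic to the box and through it; the box itself may talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and already-tracked traffic first, on every interface; INVALID goes early.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: packets with a LAN source address must not arrive on the WAN side.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # ssh to the firewall itself (TCP only; ssh does not use UDP).
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # LAN -> Internet, with source NAT to the WAN address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"

    # Port forward: DNAT rewrites the destination before routing, and the rewritten
    # packet (now addressed to RDP_HOST) must then be accepted in FORWARD. Either
    # rule alone is not enough.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport "$RDP_PORT" \
        -j DNAT --to-destination "$RDP_HOST:$RDP_PORT"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$RDP_HOST" --dport "$RDP_PORT" \
        -m state --state NEW -j ACCEPT
}

# Review helper for the dry run: returns 0 only when the generated rule set has
# both halves of a forward to host $1 port $2 (nat/PREROUTING DNAT and FORWARD ACCEPT).
forward_is_complete() {
    rules=$(build_firewall)
    printf '%s\n' "$rules" | grep -q -- "-t nat -A PREROUTING .*DNAT --to-destination $1:$2" || return 1
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD .*-d $1 --dport $2 .*ACCEPT" || return 1
    return 0
}

build_firewall
```

Running the script as-is prints the commands; `IPT=iptables sh fw.sh` as root applies them. Compared with the posted script, the ESTABLISHED,RELATED accept is not tied to one interface, the ssh accept is TCP only, and the SNAT rule is restricted to the LAN source range so the DNAT'd RDP traffic is not rewritten a second time on the way out.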