[fw-wiz] iptables problem forwarding

From: Weazy (opensource@hackerthreads.com)
Date: 03/30/03

    From: "Weazy" <opensource@hackerthreads.com>
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Sun, 30 Mar 2003 11:38:31 -0500

    Hello folks.

    I have built an iptables firewall that I am mostly happy with. The main
    problem that still exists is the firewall will not allow connections I do
    want to permit.

    1. I want to allow ssh.
    2. I want to forward port 3389 to an internal machine.

    I posted my iptables here hoping someone can see the mistake.
    I have commented each line so you know what I am trying to do. I have the
    input policy set as drop. I have tried setting that to accept with no change
    in results.

    Thank you in advance.

    #!/bin/sh
    # setting up modules we need to support NAT and add protocols with
    # unordinary behavior. modprobe takes one module name per call (a second
    # word is passed as a module parameter), so each helper is loaded on its own.
    modprobe ip_conntrack
    modprobe iptable_nat
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    modprobe ip_conntrack_irc
    modprobe ip_nat_irc

    #make sure packet forwarding enabled by kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward

    #flushing existing tables
    iptables --flush
    iptables -t nat --flush

    #enable connection tracking (-I inserts at the top, so after both lines the
    #RELATED,ESTABLISHED accept comes first in FORWARD, then the INVALID drop)
    iptables -I FORWARD -m state --state INVALID -j DROP
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    #allowing one service on this machine ssh (ssh is TCP only, so the udp/22
    #rule is gone; the eth1 line was missing the space before -j)
    iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

    #enable loopback
    iptables -A INPUT -i lo -p all -j ACCEPT
    iptables -A OUTPUT -o lo -p all -j ACCEPT

    # accept established connections
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    #Allow inbound service. The original line had "-d" with no address, which
    #iptables rejects. FORWARD sees the packet after the nat PREROUTING DNAT
    #(added in the nat section below), so match the internal machine's address;
    #y.y.y.y is a placeholder for it. Note the FORWARD policy is never set in this
    #script, so it stays at the kernel default of ACCEPT and this rule by itself
    #does not gate anything.
    iptables -A FORWARD -i eth0 -o eth1 -p tcp -d y.y.y.y --dport 3389 -j ACCEPT

    #defend against port scans and DDOS attacks
    #dealing with packets w/o syn flags when they are new
    iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "new no-SYN: "
    iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A FORWARD -i eth0 -p tcp --tcp-flags ACK ACK -m state --state NEW -j LOG --log-prefix "New ACK: "

    #enforcing TCP standards (TCP option 2 is MSS, which only appears on SYN
    #packets; "! --tcp-option 2" is the negation syntax current iptables accepts,
    #the older "--tcp-option ! 2" form has been removed)
    iptables -A INPUT -p tcp ! --tcp-option 2 -j LOG --log-tcp-options --log-prefix "TCP standards not met: "
    iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p tcp -m limit --limit 500/hour --limit-burst 500 -j LOG --log-prefix "MIRROR: "
    #the original line was cut off after --limit-burst. MIRROR bounces the packet
    #back at its sender; it was removed from later 2.6 kernels, so expect this
    #line to fail on a modern system.
    iptables -A INPUT -p tcp -m limit --limit 500/hour --limit-burst 500 -j MIRROR

    #dropping packets on the internet side going to/from private use multicast
    #also making sure we dont spoof others or allow internal spoofing
    #(left disabled as posted; the -s address was never filled in)
    #iptables -A INPUT -i eth0 -s -j DROP
    #iptables -A OUTPUT -o eth0 -s -j DROP

    #allowing all outbound traffic
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    #rewrite all connections coming from private network to use eth0 address and
    #rewrite response (the nat table was already flushed above; the second
    #"iptables -t nat -F" that was here would wipe any nat rule added before it)
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
    #send inbound 3389 on eth0 to the internal machine (y.y.y.y is a placeholder).
    #Without this DNAT nothing ever reaches the internal machine, whatever the
    #FORWARD chain allows.
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination y.y.y.y:3389
    iptables -P INPUT DROP

    firewall-wizards mailing list
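The following is an added example, not code from the post above: it renders the ruleset the poster describes (ssh to the firewall, port 3389 forwarded to one internal host, SNAT for the LAN) in iptables-restore format so it can be loaded in one atomic step rather than rule by rule. It goes beyond the post in two ways: the FORWARD policy is set to DROP so the 3389 accept rule actually gates traffic, and the DNAT the post was missing is included. The interface names eth0 (Internet side) and eth1 (LAN side) are taken from the post; the public address and the internal host are parameters, and 192.0.2.1 / 10.0.0.5 used below are constructed documentation values, not real addresses. Loading with iptables-restore also avoids the window the posted script leaves open, where the chains sit at their default ACCEPT policy between the flush and the final "-P INPUT DROP".

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: eth0 is the
# Internet-facing interface, eth1 the LAN interface; PUBLIC_IP and
# INTERNAL_HOST are supplied by the caller (placeholders, no real addresses).

# render_ruleset PUBLIC_IP INTERNAL_HOST
# Prints the ruleset in the format iptables-restore reads.
render_ruleset() {
    public_ip=$1
    internal_host=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# inbound 3389 on the public side goes to the internal host
-A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination ${internal_host}:3389
# everything leaving the public side carries the firewall's public address
-A POSTROUTING -o eth0 -j SNAT --to-source ${public_ip}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# the only service offered by the firewall itself
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# FORWARD sees the packet after DNAT, so match the internal address, not the public one
-A FORWARD -i eth0 -o eth1 -p tcp -d ${internal_host} --dport 3389 -m state --state NEW -j ACCEPT
# LAN may open anything outbound
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# load_ruleset PUBLIC_IP INTERNAL_HOST
# Enables forwarding and loads the whole ruleset atomically; needs root.
load_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    render_ruleset "$1" "$2" | iptables-restore
}

# has_rdp_forward INTERNAL_HOST
# Reads iptables-save style output on stdin and succeeds only if the 3389
# DNAT to that host is present. Intended use on a live box:
#     iptables-save | has_rdp_forward 10.0.0.5
# The ".*" absorbs the "-m tcp" that iptables-save inserts before --dport.
has_rdp_forward() {
    grep -q -- "-A PREROUTING .*--dport 3389 -j DNAT --to-destination $1:3389"
}

# usage:  ./fw.sh render PUBLIC_IP INTERNAL_HOST   (print the ruleset)
#         ./fw.sh load   PUBLIC_IP INTERNAL_HOST   (apply it, as root)
case "${1:-}" in
    render) render_ruleset "$2" "$3" ;;
    load)   load_ruleset "$2" "$3" ;;
esac
```

To see where a forwarded connection dies after loading, watch the counters: "iptables -t nat -L PREROUTING -n -v" should show the DNAT rule's packet count rise on each new connection to 3389; if it stays at zero the packets are not arriving on eth0 at all, and if it rises while the FORWARD rule's count in "iptables -L FORWARD -n -v" does not, the problem is in the filter chain. The internal host must also send its replies back through the firewall (it must be its default gateway), or the return traffic never gets un-NATed.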
