iptables: state & forward confusion

From:
Date: 06/12/02


Date: Wed, 12 Jun 2002 11:15:06 -0400

Setup:

2 dsl lines...terminated into 2 zyxel dsl routers...ethernet connection to
each router uses a nonroutable IP.

publicIP1---dslrouter1---eth1(192.168.1.x)---|

                                               firewall ---eth0(192.168.3.x)
publicIP2---dslrouter2---eth2(192.168.2.x)---|

One line runs out to our colo...second line is for general internet traffic.
We occasionally end up routing out a single line to deal with DSL
drops/hiccups.
I have things working but it seems to me things could be much simpler.

Here are the rules so far:

#! /bin/bash

iptables=/sbin/iptables

# flush all tables

$iptables -F
$iptables -F -t nat
$iptables -F -t mangle

# establish default 'drop' policy

$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP

# let LOCALHOST do whatever

$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# set a default policy to allow established & related

$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT outgoing connections

$iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 192.168.2.2
$iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2

# let ssh in for admin of firewall (from LAN) & out to the colo

$iptables -A INPUT -i eth0 -s 192.168.3.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT
$iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state NEW -j ACCEPT

$iptables -A FORWARD -i eth0 -s 192.168.3.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT
$iptables -A FORWARD -o eth1 -p tcp --sport 22 -m state --state NEW -j ACCEPT
$iptables -A FORWARD -o eth2 -p tcp --sport 22 -m state --state NEW -j ACCEPT

# let POP out...additional rules follow for each service that we allow out

$iptables -A FORWARD -i eth0 -s 192.168.3.0/24 -p tcp --dport 110 -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --sport 110 -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i eth2 -p tcp --sport 110 -m state --state NEW -j ACCEPT

This works...but seems excessive...this is my understanding of the outbound
packet path:

1. packets arrive on eth0...routing decision made...packet nat'd
2. packet forwarded to eth1 or eth2...accept those that are explicitly
allowed
3. returning packets forwarded back to eth0...accept those that are
explicitly allowed

I thought that the state matching on established and related in the FORWARD
would handle the returning packets...but this doesn't seem
to be the case. Things break without the NEW accept for each interface on
each service.

Can someone clear this up for me? How many times would a packet get
forwarded say for outbound web requests and returning responses?
Is there anything I could do to simplify things a bit?
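For comparison, here is an added example (not part of the original post) of the same two-uplink policy written the way connection tracking is designed to be used: a forwarded packet traverses FORWARD exactly once in each direction, so the ESTABLISHED,RELATED rule placed first in each chain accepts every reply packet of a tracked flow, and only client-to-server NEW connections need explicit rules (no reverse-direction --sport rules). Interfaces, networks and SNAT addresses are the ones from the post; the outbound service list (22, 110, 80, 443) and the INVALID drop are assumptions added here. The script prints the rules by default and only applies them through iptables when FW_APPLY=1 is set, so the generated rule set can be reviewed or diffed first.

```shell
#!/bin/sh
# Added example: minimal stateful forwarding policy for the two-uplink
# layout in the post. Dry-run by default (rules are printed, not applied);
# run as root with FW_APPLY=1 to execute them through /sbin/iptables.

LAN_IF=eth0;  LAN_NET=192.168.3.0/24
UP1_IF=eth1;  UP1_SNAT=192.168.1.2      # line to the colo
UP2_IF=eth2;  UP2_SNAT=192.168.2.2      # general internet line
# TCP services LAN hosts may open outbound (assumed list: ssh, pop3, http, https)
OUT_TCP_PORTS="22 110 80 443"

# ipt: print the rule in dry-run mode, otherwise execute it
ipt() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        /sbin/iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    ipt -F; ipt -F -t nat; ipt -F -t mangle
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT DROP
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Conntrack rules first: any packet belonging to a tracked connection,
    # in either direction, is accepted here. Replies coming back from eth1
    # or eth2 are ESTABLISHED, so no --sport / reverse-direction rules exist.
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # Packets conntrack cannot attribute to any flow (stray ACKs, bad TCP
    # state) are dropped rather than falling through to the NEW rules.
    ipt -A FORWARD -m state --state INVALID -j DROP

    # Source NAT to the address the firewall holds on each uplink
    ipt -t nat -A POSTROUTING -o "$UP1_IF" -j SNAT --to-source "$UP1_SNAT"
    ipt -t nat -A POSTROUTING -o "$UP2_IF" -j SNAT --to-source "$UP2_SNAT"

    # Firewall administration over ssh from the LAN side only
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # NEW connections: LAN -> either uplink, listed destination ports only.
    # Binding -i and -o together means a NEW flow can never be opened from
    # an uplink toward the LAN, whichever line is currently routing traffic.
    for port in $OUT_TCP_PORTS; do
        for up in "$UP1_IF" "$UP2_IF"; do
            ipt -A FORWARD -i "$LAN_IF" -o "$up" -s "$LAN_NET" \
                -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        done
    done
}

# Helpers for checking the dry-run output (counts of generated rules)
count_forward_new_rules() { build_rules | grep -c -- '-A FORWARD .*--state NEW'; }
count_sport_rules()       { build_rules | grep -c -- '--sport' || true; }
count_all_rules()         { build_rules | grep -c .; }

build_rules
```

Run it once without FW_APPLY to read the generated list, then `FW_APPLY=1 sh firewall.sh` as root to load it. Per outbound service the generator emits two rules (one per uplink) instead of three, and the per-service return rules disappear entirely; adding a service is one entry in OUT_TCP_PORTS.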


