Re: IPTables F*&%-up :(

From: Mairhtin O'Feannag (irishboyca_at_rocketmail.com)
Date: 07/09/03


Date: Wed, 09 Jul 2003 00:28:49 GMT

Juha,

My whole script is as follows. Please note I did an ESTABLISHED, RELATED
entry.

The book said to restrict it to source ports above 1024, so I did. I'll
try without the source ports. *shrug*

I really appreciate the help though!!!

Please let me know if you see anything stupid that I'm doing.

IPTABLES-SCRIPT FOLLOWS ********************************************

# iptables script generator: V0.1-2002
# Comes with no warranty!
# e-mail: michael@1go.dk

# Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# enable Masquerade and forwarding
iptables -t nat -A POSTROUTING -s 10.0.0.1/8 -o eth0 -j SNAT --to-source 67.117.74.180
iptables -A FORWARD -j ACCEPT -i eth1 -s 10.0.0.1/8
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# user defined chain for accepted TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# rules for incoming packets from LAN

iptables -A INPUT -p ALL -i eth1 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 67.117.74.180 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 67.117.74.178 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 10.0.0.255 -j ACCEPT

# Open ports on router for server/services
iptables -A INPUT -j ACCEPT -p tcp -s 67.117.74.180
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 20
iptables -A INPUT -j ACCEPT -p tcp --dport 21
iptables -A INPUT -j ACCEPT -p tcp --dport 110
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 5800
iptables -A INPUT -j ACCEPT -p tcp --dport 5900
iptables -A INPUT -j ACCEPT -p tcp -s 10.0.0.40
iptables -A INPUT -j ACCEPT -p tcp -s 67.117.74.178
iptables -A INPUT -j ACCEPT -p tcp -s 10.0.0.5

iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

# UDP rules

iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 20 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 2074 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 4000 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 10.0.0.40 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 67.117.74.178 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 10.0.0.5 -j ACCEPT

# ICMP rules

iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# OUTPUT chain rules
# only packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.0.0.1/8 -j ACCEPT
iptables -A OUTPUT -p ALL -s 67.117.74.180 -j ACCEPT
iptables -A OUTPUT -p ALL -s 67.117.74.178 -j ACCEPT

# STATE RELATED for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open ports to server on LAN
iptables -A FORWARD -j ACCEPT -p tcp --dport 80
#iptables -t nat -A PREROUTING -i eth0 -p UDP -s 0/0 -d 67.117.74.180 --dport 53 -j DNAT --to 10.0.0.80

iptables -A PREROUTING -t nat -i eth0 -p tcp --sport 1024:65535 -d 67.117.74.180 --dport 1417 -j DNAT --to-destination 10.0.0.5
iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 -d 10.0.0.5 --dport 1417 -m state --state NEW -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --sport 1024:65535 -d 67.117.74.180 --dport 1418 -j DNAT --to-destination 10.0.0.5
iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 -d 10.0.0.5 --dport 1418 -m state --state NEW -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --sport 1024:65535 -d 67.117.74.180 --dport 1419 -j DNAT --to-destination 10.0.0.5
iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 -d 10.0.0.5 --dport 1419 -m state --state NEW -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --sport 1024:65535 -d 67.117.74.180 --dport 1420 -j DNAT --to-destination 10.0.0.5
iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 -d 10.0.0.5 --dport 1420 -m state --state NEW -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p udp --sport 1024:65535 -d 67.117.74.180 --dport 407 -j DNAT --to-destination 10.0.0.5
iptables -A FORWARD -i eth0 -o eth1 -p udp --sport 1024:65535 -d 10.0.0.5 --dport 407 -m state --state NEW -j ACCEPT

#iptables -t nat -A PREROUTING -i eth0 -p tcp -d 67.117.74.180 --dport 80 -j DNAT --to 10.0.0.5:80

# further forwarding chains based upon above
echo 1 > /proc/sys/net/ipv4/ip_forward

Juha Laiho <Juha.Laiho@iki.fi> wrote in news:beepm5$vab$2@ichaos.ichaos-int:

> "Mairhtin O'Feannag" <irishboyca@rocketmail.com> said:
>>I have the documentation for a program called Timbuktu (remote
>>administration for Windoze) and it says that UDP port 407, and TCP ports
>>1417,1418,1419 & 1420 should be opened up.
>>
>>So... I added the following to my IPTABLES script :
>>
>>
>>iptables -A PREROUTING -t nat -i eth0 -p tcp --sport 1024:65535 -d 67.117.74.180 --dport 1417 -j DNAT --to-destination 10.0.0.5
>>iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 -d 10.0.0.5 --dport 1417 -m state --state NEW -j ACCEPT
> ...
>
> Don't be so certain of the source port -- in other words, don't check
> the source port. Then another thing is, do you have somewhere in the
> iptables script a line that allows packets other than '--state NEW',
> as with this you're only allowing the opening packet of the session.
>
> Another issue; you might wish to run 'tcpdump' on the FW machine
> to see what it sees of the traffic. Also, after a few failed tries,
> check with "iptables -vL FORWARD" that the packet counts on these
> rules are increasing -- i.e. that no other rule is shadowing these.
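A small helper for the counter check Juha suggests above, added here as an example and not part of either poster's message: it reads the output of `iptables -vnL FORWARD` and lists the rules that have matched nothing, which after a few connection attempts is the sign that an earlier rule or the chain policy is taking the traffic instead. The chain listing below is constructed to resemble the poster's ruleset; the function names are mine.

```shell
#!/bin/sh
# Constructed sample of 'iptables -vnL FORWARD' output, shaped like the
# script in the post above (counters are invented for the example).
SAMPLE_FORWARD='Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 21000 ACCEPT     all  --  eth1   *       10.0.0.0/8           0.0.0.0/0
  200 15000 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  180 90000 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            10.0.0.5             tcp spts:1024:65535 dpt:1417 state NEW
    7   420 ACCEPT     udp  --  eth0   eth1    0.0.0.0/0            10.0.0.5             udp spts:1024:65535 dpt:407 state NEW'

# Read a chain listing on stdin and print "rule-number<TAB>rule" for every
# rule whose packet counter is still 0.  Rule numbers count from 1, the
# same numbering 'iptables -L --line-numbers' uses, so they can be fed to
# 'iptables -D FORWARD <n>' or 'iptables -I FORWARD <n>' when reordering.
unmatched_rules() {
    awk 'NR > 2 { if ($1 == 0) printf "%d\t%s\n", NR - 2, $0 }'
}

# Print how many packets the chain policy itself has dropped (empty if the
# policy is not DROP).  A rising number here while the rules above stay at
# 0 means the traffic is reaching the chain but matching no rule.
policy_drops() {
    awk 'NR == 1 && $3 == "(policy" && $4 == "DROP" { print $5; exit }'
}

# Run the check over the constructed sample; on the router itself use:
#   iptables -vnL FORWARD | unmatched_rules
check_sample() {
    printf '%s\n' "$SAMPLE_FORWARD" | unmatched_rules
}
```

Run the real listing through `unmatched_rules` once before and once after a failed Timbuktu connection; a rule that stays at zero is never seen by the packets you are testing.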


