Firewall with Iptables - Networking



Thread: Firewall with Iptables

  1. Firewall with Iptables


    Hello

    I am currently in the process of writing a new firewall script. The
    original script I was using was originally written for ipchains and
    ported to iptables without using any of its new features. Now I wish
    to take advantage of Netfilter's advanced features, especially
    connection tracking.

    The computer iptables is running on is used as a gateway for the other
    computers in the local network as well as running some services like
    Cups, Samba etc. It is connected to the Internet via a DSL-Modem
    running as interface ppp0. I have used this -
    http://www.linuxjournal.com/article/4815 - guide as a basis for
    configuring the firewall but I am still running into some problems
    which so far I have not been able to solve on my own.

    According to my understanding the line I marked with ">>>" should
    allow the computer to accept new incoming and forwarded connections on
    every interface but ppp0. Unfortunately this is not working as it
    should; I have to manually add an ACCEPT rule for eth0 and lo in order
    to access the computer. Where is the error in the script? I would also
    like to know whether the order in which new rules are added is
    important. Should I put the lines in which I set the default policies
    at the beginning, after flushing the tables, or at the end like they are
    now?

    Yours sincerely
    Stefan Malte Schumacher




    for i in filter nat
    do
    iptables -t $i -F
    iptables -t $i -X
    done

    iptables -t filter -N tcprules

    iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    >>> iptables -t filter -A tcprules -i ! ppp0 -m state --state NEW -j ACCEPT

    iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP

    iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.99.0/24 -d 0/0 -j MASQUERADE

    iptables -t filter -A INPUT -j tcprules
    iptables -t filter -A FORWARD -j tcprules

    iptables -t filter -A INPUT -i eth0 -j ACCEPT
    iptables -t filter -A FORWARD -i eth0 -j ACCEPT
    iptables -t filter -A INPUT -i lo -j ACCEPT

    iptables -A INPUT -i ppp0 -p tcp -m multiport --dports 4662,6881,6882,9866 -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp -m multiport --dports 4666,9866,12478 -j ACCEPT

    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT ACCEPT



  2. Re: Firewall with Iptables

    In news:ink355-ifk.ln1@drachenhorst.fantasy.net,
    Stefan Malte Schumacher typed:

    > The computer iptables is running on is used as a gateway for the other
    > computers in the local network as well as running some services like
    > Cups, Samba etc. It is connected to the Internet via a DSL-Modem
    > running as interface ppp0. I have used this -
    > http://www.linuxjournal.com/article/4815 - guide as a basis for
    > configuring the firewall but I am still running into some problems
    > which so far I have not been able to solve on my own.


    Use the script located at
    http://physics.ramapo.edu/downloads/...0040429.tar.gz
    instead. It's simple and effective for your purpose.



  3. Re: Firewall with Iptables

    I can point to the examples from iptables tutorial. They are simpler
    too.

  4. Re: Firewall with Iptables

    Hello,

    Stefan Malte Schumacher wrote:
    >
    > I have used this - http://www.linuxjournal.com/article/4815


    Hmm, 2001 - this is *very* old.

    > According to my understanding the line I marked with ">>>" should
    > allow the computer to accept new incoming and forwarded connections on
    > every interface but ppp0. Unfortunately this is not working as it
    > should; I have to manually add an ACCEPT rule for eth0 and lo in order
    > to access the computer. Where is the error in the script?


    > iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    > >>> iptables -t filter -A tcprules -i ! ppp0 -m state --state NEW -j ACCEPT

    > iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP


    The marked rule accepts only packets in the NEW state. You need to
    accept packets in the ESTABLISHED and RELATED states too, else
    connections will hang after the first packet. Usually there is a generic
    rule at the beginning of the chain accepting packets in the ESTABLISHED
    and RELATED states from any interface. So removing the "-i ppp0" in the
    previous rule should do the trick.

    > I would also
    > like to know whether the order in which new rules are added is
    > important.


    Yes it is. The rules in a chain are added and examined in order.

    > Should I put the lines in which I set the default policies
    > in the beginning after flushing the tables or in the end like they are
    > now?


    Flushing a chain which has ACCEPT default policy means that it accepts
    everything, until some DROP rules are added or the policy is changed to
    DROP. Flushing a chain which has DROP default policy means that it drops
    everything until some ACCEPT rules are added.

  5. Re: Firewall with Iptables

    > The marked rule accepts only packets in the NEW state. You need to
    > accept packets in the ESTABLISHED and RELATED states too, else
    > connections will hang after the first packet. Usually there is a generic
    > rule at the beginning of the chain accepting packets in the ESTABLISHED
    > and RELATED states from any interface. So removing the "-i ppp0" in the
    > previous rule should do the trick.



    Thanks for the advice. I have changed the rule so that it accepts
    anything on "! ppp0" regardless of its state and now access to local
    services and forwarding works fine without any additional ACCEPT-lines
    in the script.

    Unfortunately another problem has arisen. I wish for a local service
    (mldonkey) to be accessible from the internet, but despite the rules I
    set in the marked lines connections from outside are not yet possible.
    I have also tried to target the INPUT chain instead of my custom chain
    tcprules, but the results are the same.


    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT ACCEPT

    iptables -t filter -N tcprules

    iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP
    iptables -t filter -A tcprules -i ! ppp0 -j ACCEPT

    >>> iptables -t filter -A tcprules -i ppp0 -p tcp -m multiport --dports 4662,6881,6882,9866 -j ACCEPT
    >>> iptables -t filter -A tcprules -i ppp0 -p udp -m multiport --dports 4666,9866,12478 -j ACCEPT


    iptables -t filter -A INPUT -j tcprules
    iptables -t filter -A FORWARD -j tcprules

    iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.99.0/24 -d 0/0 -j MASQUERADE


    Yours sincerely
    Stefan

  6. Re: Firewall with Iptables

    Stefan Malte Schumacher wrote:

    > Unfortunately another problem has arisen. I wish for a local service
    > (mldonkey) to be accessible from the internet, but despite the rules I
    > set in the marked lines connections from outside are not yet possible.

    ....

    > iptables -t filter -P INPUT DROP
    > iptables -t filter -P FORWARD DROP
    > iptables -t filter -P OUTPUT ACCEPT
    > iptables -t filter -N tcprules
    > iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    > iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP
    > iptables -t filter -A tcprules -i ! ppp0 -j ACCEPT
    >
    > >>> iptables -t filter -A tcprules -i ppp0 -p tcp -m multiport --dports 4662,6881,6882,9866 -j ACCEPT
    > >>> iptables -t filter -A tcprules -i ppp0 -p udp -m multiport --dports 4666,9866,12478 -j ACCEPT


    For access to a service on the Internet connection host you will also
    need a rule equivalent to

    iptables -A INPUT -p tcp --syn -j ACCEPT

    > iptables -t filter -A INPUT -j tcprules
    > iptables -t filter -A FORWARD -j tcprules
    > iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.99.0/24 -d 0/0 -j MASQUERADE


    --
    Clifford Kite
    /* ... packets usually cross many administrative boundaries on their way
    from a source to a destination and often the only point of agreement
    between those separate administrations is that all problems are someone
    else's fault. --Van Jacobson, abstract of April 97 MSRI talk */

  7. Re: Firewall with Iptables

    Stefan Malte Schumacher wrote:

    > iptables -t filter -P INPUT DROP
    > iptables -t filter -P FORWARD DROP
    > iptables -t filter -P OUTPUT ACCEPT
    >
    > iptables -t filter -N tcprules
    >
    > iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    > iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP
    > iptables -t filter -A tcprules -i ! ppp0 -j ACCEPT
    >
    > >>> iptables -t filter -A tcprules -i ppp0 -p tcp -m multiport --dports 4662,6881,6882,9866 -j ACCEPT
    > >>> iptables -t filter -A tcprules -i ppp0 -p udp -m multiport --dports 4666,9866,12478 -j ACCEPT

    >


    You need these rules to be before the line above with the -j DROP

    Andy.


    > iptables -t filter -A INPUT -j tcprules
    > iptables -t filter -A FORWARD -j tcprules
    >
    > iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.99.0/24 -d 0/0 -j MASQUERADE
    >
    >
    > Yours sincerely
    > Stefan


  8. Re: Firewall with Iptables

    Clifford Kite wrote:

    > For access to a service on the Internet connection host you will also
    > need a rule equivalent to
    >
    > iptables -A INPUT -p tcp --syn -j ACCEPT


    I don't think you do if the port is open because of the ACCEPT

    Andy

  9. Re: Firewall with Iptables

    Andy Furniss wrote:
    > Clifford Kite wrote:


    >> For access to a service on the Internet connection host you will also
    >> need a rule equivalent to
    >>
    >> iptables -A INPUT -p tcp --syn -j ACCEPT


    > I don't think you do if the port is open because of the ACCEPT


    Is a port used to allow the initial SYN request access?

    --
    Clifford Kite
    /* Those who can't write, write manuals. */

  10. Re: Firewall with Iptables

    Clifford Kite wrote:
    > Andy Furniss wrote:
    >> Clifford Kite wrote:

    >
    >>> For access to a service on the Internet connection host you will also
    >>> need a rule equivalent to
    >>>
    >>> iptables -A INPUT -p tcp --syn -j ACCEPT

    >
    >> I don't think you do if the port is open because of the ACCEPT

    >
    > Is a port used to allow the initial SYN request access?
    >


    If the port is open then a service on the firewall box will get the syn.

    I think your rule could allow access to all ports on the firewall, which
    isn't what you want.

    In this case you would have to use -I instead of -A, though, because the
    tcprules DROP would mean nothing -i ppp0 would reach it anyway.

    Andy.

  11. Re: Firewall with Iptables

    Andy Furniss wrote:
    > Stefan Malte Schumacher wrote:
    >
    >> iptables -t filter -P INPUT DROP
    >> iptables -t filter -P FORWARD DROP
    >> iptables -t filter -P OUTPUT ACCEPT
    >>
    >> iptables -t filter -N tcprules
    >>
    >> iptables -t filter -A tcprules -i ppp0 -m state --state
    >> ESTABLISHED,RELATED -j ACCEPT
    >> iptables -t filter -A tcprules -i ppp0 -m state --state
    >> NEW,INVALID -j DROP
    >> iptables -t filter -A tcprules -i ! ppp0 -j ACCEPT
    >> >>> iptables -t filter -A tcprules -i ppp0 -p tcp -m
    >> multiport --dports 4662,6881,6882,9866 -j ACCEPT
    >> >>> iptables -t filter -A tcprules -i ppp0 -p udp -m multiport
    >> --dports 4666,9866,12478 -j ACCEPT
    >>

    >
    > You need these rules to be before the line above with the -j DROP


    I just looked at my mldonkey rules and I use -m state --state NEW as well
    - I wonder what practical difference that makes - maybe Pascal knows?

    Andy.

  12. Re: Firewall with Iptables


    > You need these rules to be before the line above with the -j DROP



    Thanks Andy (and all the others who helped). Now everything works as
    it should.

    Bye
    Stefan

  13. Re: Firewall with Iptables

    Andy Furniss wrote:
    >>>
    >>> iptables -t filter -A tcprules -i ppp0 -m state --state
    >>> ESTABLISHED,RELATED -j ACCEPT

    [...]
    >>> iptables -t filter -A tcprules -i ppp0 -p tcp -m
    >>> multiport --dports 4662,6881,6882,9866 -j ACCEPT
    >>> iptables -t filter -A tcprules -i ppp0 -p udp -m multiport
    >>> --dports 4666,9866,12478 -j ACCEPT

    >
    > I just looked at my mldonkey rules and I use -m state --state NEW as well
    > - I wonder what practical difference that makes - maybe Pascal knows?


    Me? Why?
    "-m state --state NEW" matches only packets starting a new connection
    (usually the first packet), but not packets belonging or related to an
    established connection. Of course these packets must be accepted too
    for the connection to work, so it generally assumes that you have a
    global rule accepting ESTABLISHED and RELATED states as above. If you
    don't specify states in a rule, it may match packets in the INVALID
    state, which is usually undesirable.
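As an added illustration (not code from anyone in this thread) of the points Andy and Pascal make about rule order and "--state NEW", here is a small first-match simulator in Python that walks the thread's own tcprules lines the way netfilter walks a chain; the parser covers only the options those lines use, and the sample packets are constructed for the example.

```python
import shlex

# The thread's own tcprules lines (Stefan's second script); R_MLD_NEW adds Pascal's --state NEW.
R_EST = "iptables -t filter -A tcprules -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
R_DROP = "iptables -t filter -A tcprules -i ppp0 -m state --state NEW,INVALID -j DROP"
R_LAN = "iptables -t filter -A tcprules -i ! ppp0 -j ACCEPT"
R_MLD = "iptables -t filter -A tcprules -i ppp0 -p tcp -m multiport --dports 4662,6881,6882,9866 -j ACCEPT"
R_MLD_NEW = R_MLD.replace("-j ACCEPT", "-m state --state NEW -j ACCEPT")

def parse_rule(line):
    # Parse only the iptables options used above into a match dict (example subset, not full iptables).
    a = shlex.split(line)
    r = {"in": None, "neg": False, "proto": None, "dports": None, "states": None,
         "target": a[a.index("-j") + 1]}
    for i, tok in enumerate(a):
        if tok == "-i" and a[i + 1] == "!":     # old-style "-i ! ppp0" negation
            r["neg"], r["in"] = True, a[i + 2]
        elif tok == "-i":
            r["in"] = a[i + 1]
        elif tok == "-p":
            r["proto"] = a[i + 1]
        elif tok == "--dports":
            r["dports"] = {int(p) for p in a[i + 1].split(",")}
        elif tok == "--state":
            r["states"] = set(a[i + 1].split(","))
    return r

def matches(r, pkt):
    # Every option present on the rule must agree with the packet.
    if r["in"] and (pkt["in"] == r["in"]) == r["neg"]:
        return False
    if r["proto"] and pkt["proto"] != r["proto"]:
        return False
    if r["dports"] and pkt["dport"] not in r["dports"]:
        return False
    return not r["states"] or pkt["state"] in r["states"]

def verdict(rules, pkt, policy="DROP"):
    # First matching rule decides, as when netfilter walks a chain; otherwise the chain policy.
    for r in map(parse_rule, rules):
        if matches(r, pkt):
            return r["target"]
    return policy

# Constructed packets: a new mldonkey connection from the Internet, a conntrack INVALID
# packet to the same port, and a new Samba connection from the LAN side.
SYN_4662 = {"in": "ppp0", "proto": "tcp", "dport": 4662, "state": "NEW"}
BAD_4662 = dict(SYN_4662, state="INVALID")
LAN_SMB = {"in": "eth0", "proto": "tcp", "dport": 445, "state": "NEW"}
POSTED = [R_EST, R_DROP, R_LAN, R_MLD]       # port rule appended (-A) after the DROP: never reached
FIXED = [R_EST, R_MLD_NEW, R_DROP, R_LAN]    # port rule ahead of the DROP, NEW packets only
NO_STATE = [R_EST, R_MLD, R_DROP, R_LAN]     # ahead of the DROP but without --state
```

With POSTED the SYN to 4662 is dropped by the earlier NEW,INVALID rule; with FIXED it is accepted while an INVALID packet to the same port still hits the DROP, and NO_STATE shows the INVALID packet slipping through, which is Pascal's point.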
