iptables port forwarding for specific source addresses - Networking


  1. iptables port forwarding for specific source addresses

    We're seeking help please with finding examples or tutorials on the
    following, which must be quite common: we wish to accept connections from
    external specific IP address ranges to a certain port on an internal
    machine.

    What syntax is required to allow a machine w.x.0.0/16 to connect to our
    external iptables eth1 = a.b.c.126:8317 (e.g. "security by obscurity") and
    be forwarded to 10.0.0.9:443 where other AUTH security checks exist, please?

    The iptables firewall currently drops all but RELATED, ESTABLISHED on
    external eth1 and logs all unsolicited packets (we have that under control,
    thanks):

    # Generated by iptables-save v1.3.5 on Sun Mar 2 18:01:01 2008
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [eth1:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix
    UNSOLICITED:
    COMMIT
    *mangle
    :PREROUTING ACCEPT [1471:303908]
    :INPUT ACCEPT [636:240607]
    :FORWARD ACCEPT [832:63181]
    :OUTPUT ACCEPT [437:39285]
    :POSTROUTING ACCEPT [1269:102466]
    COMMIT
    *nat
    :PREROUTING ACCEPT [203:14045]
    :POSTROUTING ACCEPT [192:12653]
    :OUTPUT ACCEPT [20:1217]
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT

  2. Re: iptables port forwarding for specific source addresses

    ynotssor wrote:

    > We're seeking help please with finding examples or tutorials on the
    > following, which must be quite common: we wish to accept connections from
    > external specific IP address ranges to a certain port on an internal
    > machine.
    >
    > What syntax is required to allow a machine w.x.0.0/16 to connect to our
    > external iptables eth1 = a.b.c.126:8317 (e.g. "security by obscurity") and
    > be forwarded to 10.0.0.9:443 where other AUTH security checks exist,
    > please?


    Two parts are required here - one for the filter to let packets come in:
    *filter
    ....
    -A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -m state --state NEW -j ACCEPT
    ....
    COMMIT

    and one to nat this connection to the internal machine and port:
    *nat
    ....
    -A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -j DNAT --to-destination
    10.0.0.9:443
    ....
    COMMIT

    On a side note: I guess this is about HTTPS on TCP, so you could add "-p
    tcp --syn" to both rules right behind "--dport 8317". That would filter out
    unwanted UDP traffic and TCP packets commonly not used to establish
    connections.

    Hope it helps,
    Felix Tiede

  3. Re: iptables port forwarding for specific source addresses

    In news:6h67rnFjhbu5U1@mid.individual.net,
    Felix Tiede typed:

    >> What syntax is required to allow a machine w.x.0.0/16 to connect to
    >> our external iptables eth1 = a.b.c.126:8317 (e.g. "security by
    >> obscurity") and be forwarded to 10.0.0.9:443 where other AUTH
    >> security checks exist, please?

    >
    > Two parts are required here - one for the filter to let packets come
    > in: *filter
    > ...
    > -A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -m state --state NEW -j
    > ACCEPT ...
    > COMMIT
    >
    > and one to nat this connection to the internal machine and port:
    > *nat
    > ...
    > -A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -j DNAT
    > --to-destination
    > 10.0.0.9:443
    > ...
    > COMMIT
    >
    > On a side note: I guess this is about HTTPS on TCP, so you could add
    > "-p tcp --syn" to both rules right behind "--dport 8317". That would
    > filter out unwanted UDP traffic and TCP packets commonly not used to
    > establish connections.


    Thank you so much. Per your assistance I currently have:

    # cat /etc/sysconfig/iptables
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [eth1:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -p tcp --syn -m state --state
    NEW -j ACCEPT
    -A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix
    UNSOLICITED:
    COMMIT
    *mangle
    :PREROUTING ACCEPT [1471:303908]
    :INPUT ACCEPT [636:240607]
    :FORWARD ACCEPT [832:63181]
    :OUTPUT ACCEPT [437:39285]
    :POSTROUTING ACCEPT [1269:102466]
    COMMIT
    *nat
    -A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -p tcp --syn -j
    DNAT --to-destination 10.0.0.9:443
    :PREROUTING ACCEPT [203:14045]
    :POSTROUTING ACCEPT [192:12653]
    :OUTPUT ACCEPT [20:1217]
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT

    # /etc/init.d/iptables restart
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: nat mangle filter [ OK ]
    Unloading iptables modules: [ OK ]
    Applying iptables firewall rules: iptables-restore v1.3.5: Unknown arg
    `--dport'
    Error occurred at line: 7
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    [FAILED]
    # iptables --version
    iptables v1.3.5


  4. Re: iptables port forwarding for specific source addresses

    Felix Tiede wrote:
    > ynotssor wrote:
    >
    > Two parts are required here - one for the filter to let packets come in:
    > *filter
    > ...
    > -A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -m state --state NEW -j ACCEPT


    If I understood the question right, 10.0.0.9 isn't on the firewall
    itself. So you probably want:

    -A FORWARD -i eth1 -s x.y.0.0/16 -d 10.0.0.9/32 -p tcp --dport 443 -m
    state --state NEW -j ACCEPT


    > and one to nat this connection to the internal machine and port:
    > *nat
    > ...
    > -A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -j DNAT --to-destination
    > 10.0.0.9:443


    Just a small improvement, but accurateness adds security.

    -A PREROUTING -i eth1 -s x.y.0.0/16 -d a.b.c.d/32 -p tcp --dport 8317 -j
    DNAT --to-destination 10.0.0.9:443


    > On a side note: I guess this is about HTTPS on TCP, so you could add "-p
    > tcp --syn" to both rules right behind "--dport 8317".


    Why add --syn? The filter rule is stateful.

    Cheers, Harry

  5. Re: iptables port forwarding for specific source addresses

    ynotssor wrote:

    [snip]
    > Thank you so much. Per your assistance I currently have:
    >
    > # cat /etc/sysconfig/iptables
    > *filter
    > :FORWARD ACCEPT [0:0]
    > :INPUT DROP [eth1:0]
    > :OUTPUT ACCEPT [0:0]
    > -A INPUT -i lo -j ACCEPT
    > -A INPUT -i eth0 -j ACCEPT

    Hint: Put this rule behind the next so you don't waste time on checking
    packets belonging to an already established connection.
    > -A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -p tcp --syn -m state --state
    > NEW -j ACCEPT
    > -A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
    > -A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix
    > UNSOLICITED:
    > COMMIT
    > *mangle
    > :PREROUTING ACCEPT [1471:303908]
    > :INPUT ACCEPT [636:240607]
    > :FORWARD ACCEPT [832:63181]
    > :OUTPUT ACCEPT [437:39285]
    > :POSTROUTING ACCEPT [1269:102466]
    > COMMIT
    > *nat

    This should go after ":OUTPUT ACCEPT" but before "-A POSTROUTING ..."
    > -A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -p tcp --syn -j
    > DNAT --to-destination 10.0.0.9:443
    > :PREROUTING ACCEPT [203:14045]
    > :POSTROUTING ACCEPT [192:12653]
    > :OUTPUT ACCEPT [20:1217]
    > -A POSTROUTING -o eth1 -j MASQUERADE
    > COMMIT
    >
    > # /etc/init.d/iptables restart
    > Flushing firewall rules: [ OK ]
    > Setting chains to policy ACCEPT: nat mangle filter [ OK ]
    > Unloading iptables modules: [ OK ]
    > Applying iptables firewall rules: iptables-restore v1.3.5: Unknown arg
    > `--dport'
    > Error occurred at line: 7
    > Try `iptables-restore -h' or 'iptables-restore --help' for more
    > information.
    > [FAILED]


    Ah yes, sometimes I forget about the importance of argument order for
    iptables. And since --dport is protocol dependent (not every protocol
    filtered by iptables has a source and/or destination port), it is necessary
    to specify "-p tcp" _before_ "--dport". That should do the trick.
    For readability of the script you can still stick "-p tcp" and "--syn"
    together, and for even more so, put "-p tcp --syn" before "-s w.x.0.0/16".

    HTH,
    Felix Tiede

  6. Re: iptables port forwarding for specific source addresses

    harry.potter@fredastaire.ch wrote:

    > Felix Tiede wrote:
    >> ynotssor wrote:
    >>
    >> Two parts are required here - one for the filter to let packets come in:
    >> *filter
    >> ...
    >> -A INPUT -i eth1 -s w.x.0.0/16 --dport 8317 -m state --state NEW -j
    >> ACCEPT

    >
    > If I understood the question right, 10.0.0.9 isn't on the firewall
    > itself. So you probably want:
    >
    > -A FORWARD -i eth1 -s x.y.0.0/16 -d 10.0.0.9/32 -p tcp --dport 443 -m
    > state --state NEW -j ACCEPT


    My bad, yes, you're right.

    >
    >

    [snip]
    >> On a side note: I guess this is about HTTPS on TCP, so you could add "-p
    >> tcp --syn" to both rules right behind "--dport 8317".

    >
    > Why add --syn? The filter rule is stateful.


    Stateful inspection costs time by checking tables. --syn is information the
    packet already carries with itself and by checking it first unwanted
    traffic will be filtered before costly stateful inspection - that is, if
    order of checking (and not checking anymore after first failure) is as
    specified on commandline...

    Felix Tiede

  7. Re: iptables port forwarding for specific source addresses

    In news:6h7517FjhtbbU1@mid.individual.net,
    Felix Tiede typed:

    > Ah yes, sometimes I forget about the importance of argument order for
    > iptables. And since --dport is protocol dependent (not every protocol
    > filtered by iptables has a source and/or destination port), it is
    > necessary to specify "-p tcp" _before_ "--dport". That should do the
    > trick.
    > For readability of the script you can still stick "-p tcp" and "--syn"
    > together, and for even more so, put "-p tcp --syn" before "-s
    > w.x.0.0/16".


    Thank you Messrs. Tiede and Potter@. I now have:

    # cat /etc/sysconfig/iptables
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [eth1:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth1 -p tcp --syn -s w.x.0.0/16 -d 10.0.0.9/32 --dport 443 -m
    state --state NEW -j ACCEPT
    -A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix
    UNSOLICITED:
    COMMIT
    *mangle
    :PREROUTING ACCEPT [1471:303908]
    :INPUT ACCEPT [636:240607]
    :FORWARD ACCEPT [832:63181]
    :OUTPUT ACCEPT [437:39285]
    :POSTROUTING ACCEPT [1269:102466]
    COMMIT
    *nat
    :PREROUTING ACCEPT [203:14045]
    :POSTROUTING ACCEPT [192:12653]
    :OUTPUT ACCEPT [20:1217]
    -A PREROUTING -i eth1 -p tcp --syn -s w.x.0.0/16 -d 10.0.0.9/32 --dport
    8317 -j DNAT --to-destination 10.0.0.9:443
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT

    # /etc/init.d/iptables restart
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: nat mangle filter [ OK ]
    Unloading iptables modules: [ OK ]
    Applying iptables firewall rules: [ OK ]
    Loading additional iptables modules: ip_nat_ftp ip_conntrac[ OK ]s_ns

    Yet the firewall is still dropping the packets so that the 10.0.0.9:443
    connection is failing. Using a simple script I wrote to examine the log
    file, we see:

    # probe_report UNSOLICITED
    Address Packets Bytes Protocol(s) Dest.Port(s)
    w.x.f.h 2 88 TCP 8317
    Totals 2 0.1KB for search pattern "UNSOLICITED"

  8. Re: iptables port forwarding for specific source addresses

    ynotssor wrote:

    > We're seeking help please with finding examples or tutorials on the
    > following, which must be quite common: we wish to accept connections from
    > external specific IP address ranges to a certain port on an internal
    > machine.
    >
    > What syntax is required to allow a machine w.x.0.0/16 to connect to our
    > external iptables eth1 = a.b.c.126:8317 (e.g. "security by obscurity") and
    > be forwarded to 10.0.0.9:443 where other AUTH security checks exist,
    > please?
    >
    > The iptables firewall currently drops all but RELATED, ESTABLISHED on
    > external eth1 and logs all unsolicited packets (we have that under
    > control, thanks):
    >
    > # Generated by iptables-save v1.3.5 on Sun Mar 2 18:01:01 2008
    > *filter
    > :FORWARD ACCEPT [0:0]
    > :INPUT DROP [eth1:0]
    > :OUTPUT ACCEPT [0:0]
    > -A INPUT -i lo -j ACCEPT
    > -A INPUT -i eth0 -j ACCEPT
    > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    > -A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix
    > UNSOLICITED:
    > COMMIT
    > *mangle
    > :PREROUTING ACCEPT [1471:303908]
    > :INPUT ACCEPT [636:240607]
    > :FORWARD ACCEPT [832:63181]
    > :OUTPUT ACCEPT [437:39285]
    > :POSTROUTING ACCEPT [1269:102466]
    > COMMIT
    > *nat
    > :PREROUTING ACCEPT [203:14045]
    > :POSTROUTING ACCEPT [192:12653]
    > :OUTPUT ACCEPT [20:1217]
    > -A POSTROUTING -o eth1 -j MASQUERADE
    > COMMIT


    I think you are saying you want to route incoming traffic arriving on eth1
    from network a.b.c.d to eth0, which is network 10.0.0.X, but only from a
    single IP on the a.b.c.d network.
    Something like this (may not be exactly right):
    iptables -A FORWARD -i eth1 -o eth0 -p tcp -s a.b.c.126 --sport 8317 -d
    10.0.0.9 --dport 443 -j ACCEPT
    Eric


  9. Re: iptables port forwarding for specific source addresses

    ynotssor wrote:

    > In news:6h7517FjhtbbU1@mid.individual.net,
    > Felix Tiede typed:
    >
    >> Ah yes, sometimes I forget about the importance of argument order for
    >> iptables. And since --dport is protocol dependent (not every protocol
    >> filtered by iptables has a source and/or destination port), it is
    >> necessary to specify "-p tcp" _before_ "--dport". That should do the
    >> trick.
    >> For readability of the script you can still stick "-p tcp" and "--syn"
    >> together, and for even more so, put "-p tcp --syn" before "-s
    >> w.x.0.0/16".

    >
    > Thank you Messrs. Tiede and Potter@. I now have:
    >
    > # cat /etc/sysconfig/iptables
    > *filter
    > :FORWARD ACCEPT [0:0]
    > :INPUT DROP [eth1:0]
    > :OUTPUT ACCEPT [0:0]
    > -A INPUT -i lo -j ACCEPT
    > -A INPUT -i eth0 -j ACCEPT
    > -A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
    > -A FORWARD -i eth1 -p tcp --syn -s w.x.0.0/16 -d 10.0.0.9/32 --dport 443
    > -m state --state NEW -j ACCEPT
    > -A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix
    > UNSOLICITED:
    > COMMIT
    > *mangle
    > :PREROUTING ACCEPT [1471:303908]
    > :INPUT ACCEPT [636:240607]
    > :FORWARD ACCEPT [832:63181]
    > :OUTPUT ACCEPT [437:39285]
    > :POSTROUTING ACCEPT [1269:102466]
    > COMMIT
    > *nat
    > :PREROUTING ACCEPT [203:14045]
    > :POSTROUTING ACCEPT [192:12653]
    > :OUTPUT ACCEPT [20:1217]
    > -A PREROUTING -i eth1 -p tcp --syn -s w.x.0.0/16 -d 10.0.0.9/32 --dport
    > 8317 -j DNAT --to-destination 10.0.0.9:443
    > -A POSTROUTING -o eth1 -j MASQUERADE
    > COMMIT


    Leave out the "-d 10.0.0.9/32" from the PREROUTING rule. In that state of
    natting, iptables doesn't know the final address (which is going to be
    changed to 10.0.0.9) so it doesn't nat the packet and the FORWARD chain
    won't match.

    Felix Tiede

  10. Re: iptables port forwarding for specific source addresses

    In news:6h7uauFjo1mrU1@mid.individual.net,
    Felix Tiede typed:

    > Leave out the "-d 10.0.0.9/32" from the PREROUTING rule. In that
    > state of natting, iptables doesn't know the final address (which is
    > going to be changed to 10.0.0.9) so it doesn't nat the packet and the
    > FORWARD chain won't match.


    But the incoming packets are dropped, not FORWARDed, and are not nat'd ...
    they don't pass any INPUT criteria and are dropped by default, apparently.

    With everybody's, and particularly your assistance, the problem is solved
    using the following:

    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [eth1:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth1 -p tcp --syn -s w.x.0.0/16 --dport 8317 -m state --state
    NEW -j ACCEPT
    -A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix
    UNSOLICITED:
    COMMIT
    *mangle
    :PREROUTING ACCEPT [1471:303908]
    :INPUT ACCEPT [636:240607]
    :FORWARD ACCEPT [832:63181]
    :OUTPUT ACCEPT [437:39285]
    :POSTROUTING ACCEPT [1269:102466]
    COMMIT
    *nat
    :PREROUTING ACCEPT [203:14045]
    :POSTROUTING ACCEPT [192:12653]
    :OUTPUT ACCEPT [20:1217]
    -A PREROUTING -i eth1 -p tcp --syn -s w.x.0.0/16 --dport 8317 -j
    DNAT --to-destination 10.0.0.9:443
    -A POSTROUTING -o eth1 -j MASQUERADE
    COMMIT

    Thank you so much for your help.

  11. Re: iptables port forwarding for specific source addresses

    Hello,

    ynotssor a écrit :
    >
    > *filter
    > :FORWARD ACCEPT [0:0]


    How can you say you are concerned with security? That ruleset does not
    do any filtering on forwarded traffic!

    > -A INPUT -i eth1 -p tcp --syn -s w.x.0.0/16 --dport 8317 -m state --state


    As already said, this rule is totally useless. Forwarded traffic doesn't
    go through the INPUT chain.

  12. Re: iptables port forwarding for specific source addresses

    harry.potter@fredastaire.ch a écrit :
    >
    > If I understood the question right, 10.0.0.9 isn't on the firewall
    > itself. So you probably want:
    >
    > -A FORWARD -i eth1 -s x.y.0.0/16 -d 10.0.0.9/32 -p tcp --dport 443 -m
    > state --state NEW -j ACCEPT


    This is not needed, as the FORWARD chain is already wide open...
    Besides, this rule alone would not be enough because there are no
    provisions to allow ESTABLISHED traffic in the FORWARD chain anyway.

    >>-A PREROUTING -i eth1 -s w.x.0.0/16 --dport 8317 -j DNAT --to-destination
    >>10.0.0.9:443

    >
    > Just a small improvement, but accurateness adds security.
    >
    > -A PREROUTING -i eth1 -s x.y.0.0/16 -d a.b.c.d/32 -p tcp --dport 8317 -j
    > DNAT --to-destination 10.0.0.9:443


    What kind of real security does it add?

  13. Re: iptables port forwarding for specific source addresses

    Felix Tiede a écrit :
    > harry.potter@fredastaire.ch wrote:
    >
    >>>On a side note: I guess this is about HTTPS on TCP, so you could add "-p
    >>>tcp --syn" to both rules right behind "--dport 8317".

    >>
    >>Why add --syn? The filter rule is stateful.


    --syn has nothing to do with connection state. Don't assume --syn = NEW.
    --syn checks the flags in the TCP header. '-m state' checks the state
    that was assigned to the packet by the connection tracking.

    > Stateful inspection costs time by checking tables. --syn is information the
    > packet already carries with itself and by checking it first unwanted
    > traffic will be filtered before costly stateful inspection - that is, if
    > order of checking (and not checking anymore after first failure) is as
    > specified on commandline...


    You're mistaken. The stateful inspection happens anyway when the
    conntrack module is loaded, usually by creating a rule containing
    state-related matches or targets or NAT. The 'state' match adds very
    little cost, it just checks what state was assigned to the packet. So
    use it, abuse it.

  14. Re: iptables port forwarding for specific source addresses

    "ynotssor" writes:

    > We're seeking help please with finding examples or tutorials on the
    > following, which must be quite common: we wish to accept connections from
    > external specific IP address ranges to a certain port on an internal
    > machine.
    >
    > What syntax is required to allow a machine w.x.0.0/16 to connect to our
    > external iptables eth1 = a.b.c.126:8317 (e.g. "security by obscurity") and
    > be forwarded to 10.0.0.9:443 where other AUTH security checks exist, please?
    >
    > The iptables firewall currently drops all but RELATED, ESTABLISHED on
    > external eth1 and logs all unsolicited packets (we have that under control,
    > thanks):


    Something like:

    iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 8317 -s w.x.0.0/16 -j DNAT --to-destination 10.0.0.9:443

    You'll also need to do forwarding for eth1 and in the FORWARD table.

    sysctl -w net.ipv4.conf.eth1.forwarding=1

    I think you have the FORWARD table already policied to ACCEPT. If you
    need UDP too, then one more rule like the above with -p udp will work.




  15. Re: iptables port forwarding for specific source addresses

    In news:g8nn9k$2sch$1@biggoron.nerim.net,
    Pascal Hambourg typed:

    >> *filter
    >>> FORWARD ACCEPT [0:0]

    >
    > How can you say you are concerned with security? That ruleset does
    > not do any filtering on forwarded traffic!


    Correct; the filtering is accomplished on the INPUT chain to eth1. If you
    have some constructive examples of what to do with the FORWARD chain that
    isn't currently accomplished with the eth1 INPUT then I'd be very pleased to
    see your suggestions.

    >> -A INPUT -i eth1 -p tcp --syn -s w.x.0.0/16 --dport 8317 -m state
    >> --state

    >
    > As already said, this rule is totally useless. Forwarded traffic
    > doesn't go through the INPUT chain.


    Traffic needs to pass the INPUT chain before ever being processed by
    FORWARD.


  16. Re: iptables port forwarding for specific source addresses

    ynotssor a écrit :
    >
    > Traffic needs to pass the INPUT chain before ever being processed by
    > FORWARD.


    No. That was true with ipchains, but not with iptables.
    Forwarded packets do not traverse the INPUT chain.

    Please check how packets traverse the chains before writing rules:


  17. Re: iptables port forwarding for specific source addresses

    In news:g8v78n$1opu$1@biggoron.nerim.net,
    Pascal Hambourg typed:

    >> Traffic needs to pass the INPUT chain before ever being processed by
    >> FORWARD.

    >
    > No. That was true with ipchains, but not with iptables.
    > Forwarded packets do not traverse the INPUT chain.


    And yet the simple rules I posted work properly, and are secure, despite
    onslaught attacks by nessus, nmap and anything else I try.

  18. Re: iptables port forwarding for specific source addresses

    ynotssor a écrit :
    > Pascal Hambourg typed:
    >
    >>Forwarded packets do not traverse the INPUT chain.

    >
    > And yet the simple rules I posted work properly, and are secure, despite
    > onslaught attacks by nessus, nmap and anything else I try.


    The ruleset you posted protects only the firewall itself, not the
    internal hosts. Internal hosts are "protected" not thanks to the
    firewall ruleset but because they have private addresses which are not
    supposed to be reachable from the public internet.

    E.g. if an internal host has address 10.0.0.9 and I send a packet to
    that address, your firewall won't even receive the packet because there
    is no internet routing from me to you for that private address. If an
    internal host had a public address, it would be reachable from outside
    and your firewall would not protect it in any way.

    However, the protection provided by private addresses has a limit: it
    relies on 3rd-party routers not routing these addresses to your firewall
    (which is generally true). Also, these addresses may be reached from any
    host directly connected to the network attached to your firewall's
    external interface. The owner of such a host just has to set a route to
    your private subnet using your public address as gateway:

    ip route add 10.0.0.0/8 via a.b.c.126

    and that's it!

  19. Re: iptables port forwarding for specific source addresses

    In news:g90u5e$1vuu$1@biggoron.nerim.net,
    Pascal Hambourg typed:

    > The owner of such a host just has
    > to set a route to your private subnet using your public address as
    > gateway:
    >
    > ip route add 10.0.0.0/8 via a.b.c.126
    > and that's it!


    And one solves this ... how? Please reply in a positive manner.

  20. Re: iptables port forwarding for specific source addresses

    ynotssor wrote:
    > In news:g90u5e$1vuu$1@biggoron.nerim.net,
    > Pascal Hambourg typed:
    >
    >
    >>The owner of such a host just has
    >>to set a route to your private subnet using your public address as
    >>gateway:
    >>
    >>ip route add 10.0.0.0/8 via a.b.c.126
    >>and that's it!

    >
    >
    > And one solves this ... how? Please reply in a positive manner.
    >
    >


    Add the necessary filtering to the FORWARD chain.

    --

    Tauno Voipio
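Pulling the thread's corrections together (post 5 on putting "-p tcp" before "--dport", post 9 on not matching "-d 10.0.0.9" in PREROUTING, and posts 12, 16 and 20 on filtering the FORWARD chain), here is an added example that is not from any poster: a POSIX shell script that emits a corrected iptables-restore ruleset for this scenario and lints a ruleset for those mistakes. Interface names and the addresses w.x.0.0/16, a.b.c.126 and 10.0.0.9 are the thread's own placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. gen_ruleset prints an
# iptables-restore file for the thread's scenario with the FORWARD chain
# actually filtered; lint_ruleset flags the mistakes the replies point out.

# gen_ruleset EXT_IF INT_IF ALLOWED_SRC PUBLIC_IP EXT_PORT INT_HOST INT_PORT
gen_ruleset() {
    ext_if=$1; int_if=$2; src=$3; pub=$4; eport=$5; host=$6; iport=$7
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# -p tcp comes before --dport. Match -d $pub, not $host: when PREROUTING
# runs, the destination address has not been rewritten yet.
-A PREROUTING -i $ext_if -p tcp -s $src -d $pub --dport $eport -j DNAT --to-destination $host:$iport
-A POSTROUTING -o $ext_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $int_if -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $ext_if -m state --state NEW -j LOG --log-level 7 --log-prefix "UNSOLICITED: "
# Forwarded packets never traverse INPUT; the rules that admit them live here.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Internal hosts may still open outbound connections (they are masqueraded).
-A FORWARD -i $int_if -o $ext_if -m state --state NEW -j ACCEPT
# FORWARD sees the packet after DNAT, so match the internal host and port.
-A FORWARD -i $ext_if -o $int_if -p tcp -s $src -d $host --dport $iport -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -m state --state NEW -j LOG --log-level 7 --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# lint_ruleset FILE INT_HOST: prints one finding per line; returns 1 if any.
lint_ruleset() {
    file=$1; host=$2; rc=0
    rules=$(grep -v '^#' "$file" || true)
    if printf '%s\n' "$rules" | grep -q '^:FORWARD ACCEPT'; then
        echo "FORWARD policy is ACCEPT: forwarded traffic is not filtered at all"; rc=1
    fi
    # --dport belongs to the tcp/udp match; before -p tcp iptables-restore
    # rejects it with "Unknown arg `--dport'", as seen in post 3.
    if printf '%s\n' "$rules" | grep -- '--dport' | grep -Eqv -- '-p (tcp|udp).*--dport'; then
        echo "--dport appears before -p tcp/udp: iptables-restore will reject that rule"; rc=1
    fi
    if printf '%s\n' "$rules" | grep -- '-j DNAT' | grep -qF -- "-d $host"; then
        echo "DNAT rule matches -d $host, the post-NAT address: it can never match"; rc=1
    fi
    fwd=$(printf '%s\n' "$rules" | grep -- '-A FORWARD' || true)
    if [ -n "$fwd" ] && ! printf '%s\n' "$fwd" | grep -q 'RELATED,ESTABLISHED'; then
        echo "FORWARD accepts NEW but not RELATED,ESTABLISHED: reply packets are dropped"; rc=1
    fi
    return $rc
}

# Usage: gen_ruleset eth1 eth0 w.x.0.0/16 a.b.c.126 8317 10.0.0.9 443 > rules.v4
#        lint_ruleset rules.v4 10.0.0.9 && echo OK
```

Load the generated file with iptables-restore only after lint_ruleset passes; the FORWARD DROP policy means anything not explicitly accepted there is logged and discarded.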
