- 03-14-2009 #1 (Just Joined!, Join Date: Mar 2009, Posts: 3)
iptables Routing Issues
Alright, alas here is my problem. This is the NAT script that I use at home and for a few customers. It has always in the past worked fine without a problem. This latest environment is a bit different. Typically my machines have been sitting right on the internet; this one is stuck behind a Comcast NAT. This may not even be the problem, but it's the only noticeable difference between that environment and the one I'm on now.
The server itself has no problems. The machines behind its nat have no problems with connectivity or transparent squid. The issue is whenever I try to initiate another type of connection from the client machines. Typically I wouldn't mind this for security reasons but I need SSL to work.
I have a feeling I left out a single rule and it's causing iptables to drop something that needs to be forwarded/accepted.
Thanks

Code:
#!/bin/sh
# The posted script never defines $IPT or $MOD, so the module-loading, loopback
# and (crucially) the MASQUERADE lines below could not have run as written.
# They are assumed here to be iptables and modprobe.
IPT="/sbin/iptables"
MOD="/sbin/modprobe"

# set wan interface such as eth1 or ppp0
SHARE_IF="eth0"
WAN="eth0"
LAN="eth1"

# clean old fw
echo "Clearing old firewall rules..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Get some kernel modules
echo "Loading kernel modules..."
$MOD ip_tables
$MOD iptable_filter
$MOD iptable_nat
$MOD ip_conntrack
$MOD ipt_MASQUERADE
$MOD ip_nat_ftp
$MOD ip_nat_irc
$MOD ip_conntrack_ftp
$MOD ip_conntrack_irc

# Clean old rules if any, rhel specific but above will take care of everything
# service iptables stop

# unlimited traffic via loopback device
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

echo "Setting ${WAN} as WAN interface..."
$IPT --table nat --append POSTROUTING --out-interface ${WAN} -j MASQUERADE
# MASQUERADE does nothing unless the kernel forwards packets; the posted script
# did not enable this anywhere, so it is assumed to be needed here.
echo 1 > /proc/sys/net/ipv4/ip_forward

echo Blocking open ports
iptables -A INPUT -p tcp -m tcp --dport 111 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp -m tcp --dport 135:139 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp -m tcp --dport 445 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp -m tcp --dport 9022 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp -m tcp --dport 4445 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp -m tcp --dport 1720 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp -m tcp --dport 5038 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp -m tcp --dport 3128 -j REJECT --reject-with tcp-reset -i ${WAN}
# duplicate of the 3306 rule above, harmless
iptables -A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp-reset -i ${WAN}

echo Block other ports, just in case.
iptables -A INPUT -p tcp --dport 21 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp --dport 79 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp --dport 110 -j REJECT --reject-with tcp-reset -i ${WAN}
iptables -A INPUT -p tcp --dport 143 -j REJECT --reject-with tcp-reset -i ${WAN}

echo Setting Rules
#port 3389=RDP
#iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT -i ${WAN}

echo Mapping Ports to other network locations
echo Enabling Transparent Squid Routing
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
#Rule for dansguardian routing
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

# End other custom rules
echo All Done!
echo
echo Network Services status:
echo
- 03-14-2009 #2
Security is not your best topic I see. This firewall is not that secure at all. The only thing saving your @ss is the NAT. You are using this script on customers' sites? You are joking, right? This firewall is a cracker's dream. Security 101: DROP everything and only allow to pass what is needed! HERE is some reading material for you.
- 03-14-2009 #3 (Just Joined!, Join Date: Mar 2009, Posts: 3)
I'm looking for help getting this working, not security advice. When the machine is ready for production I'll lock it down. I run a complete TCP/UDP scan on every machine and block every port that I do not need open by hand. I've had problems with SIP when I've set the default action to drop.
My buddy who is a sysadmin at a big ISP said that iptables won't play nice unless it's sitting on a public IP. Has anyone had experience with iptables behind a NAT? I know I've had NAT behind NAT in my testing environment before and it has worked.
- 03-17-2009 #4
Tell your buddy that he should stop blowing smoke and he doesn't have a clue what he is talking about. Iptables will work on public or private or a combination of the 2 without issues. Iptables does only what it is told to do. If you haven't configured it right you cannot blame the firewall.
Quote: Has anyone had experience with iptables behind a NAT? I know I've had NAT behind NAT in my testing environment before and it has worked.
Yes, I have. Works without issues as long as you have it set up correctly.
How about you tell me how you want to set up the firewall:
- IP Address
- PORT
- IP Address/PORT
Then tell me what you want to allow through.
- 03-17-2009 #5 (Just Joined!, Join Date: Mar 2009, Posts: 3)
As of right now machines are unable to access anything. HTTP works because I have that traffic running through dansguardian/squid. For some reason I must have screwed up a rule somewhere whereas other data isn't going through correctly.
Most importantly I need SSL/SSH working.
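The default-deny ruleset that #2 and #4 are asking for, written to allow exactly what #5 says is needed (SSL and SSH out from the LAN, plus the transparent proxy redirect and masquerading). This is an added example, not code from the thread; the interface names, LAN subnet and proxy port are constructed assumptions, and DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Default-deny stateful NAT router: drop everything, then allow only what the
# LAN needs (HTTPS, SSH, DNS), the transparent proxy redirect and masquerading.
# Constructed assumptions: WAN=eth0, LAN=eth1, LAN subnet 192.168.1.0/24,
# dansguardian listening on 8080. Set DRY_RUN=1 to print rules instead of applying.
WAN="eth0"
LAN="eth1"
LAN_NET="192.168.1.0/24"
PROXY_PORT="8080"
# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

build_ruleset() {
    ipt -F; ipt -X; ipt -t nat -F; ipt -t nat -X
    # Security 101 from the thread: default policy DROP on INPUT and FORWARD
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the router or the LAN opened are allowed back in
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may reach the router's proxy and its SSH daemon; the WAN may not
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # New connections are forwarded only LAN->WAN and only for these services
    for port in 443 22; do
        ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Clients going direct (not via the proxy) also need DNS
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    # Transparent proxy: LAN port-80 traffic is redirected to dansguardian on the router
    ipt -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$PROXY_PORT"
    # Hide LAN addresses behind the router's WAN address; this works the same
    # whether that address is public or itself behind an upstream (Comcast) NAT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Without kernel forwarding the FORWARD chain never sees LAN packets at all
    run sysctl -w net.ipv4.ip_forward=1
}

# Number of filter-table rules the ruleset adds (used for a quick sanity check)
count_filter_rules() {
    DRY_RUN=1 build_ruleset | grep -c '^iptables -A'
}
```

Source the file and run `DRY_RUN=1 build_ruleset` to review the rules, then `build_ruleset` as root to apply them.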