Find the answer to your Linux question:
Results 1 to 5 of 5
Alright, alas here is my problem. This is the nat script that I use at home and for a few customers. It has always in the past worked fine without ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Mar 2009
    Posts
    3

    iptables Routing Issues


    Alright, alas here is my problem. This is the nat script that I use at home and for a few customers. It has always in the past worked fine without a problem. This latest environment is a bit different. Typically my machines have been sitting right on the internet, this one is stuck behind a comcast NAT. This may not even be the problem but it's the only noticeable difference between that environment and the one I'm on now.

    The server itself has no problems. The machines behind its nat have no problems with connectivity or transparent squid. The issue is whenever I try to initiate another type of connection from the client machines. Typically I wouldn't mind this for security reasons but I need SSL to work.

    I have a feeling i left out a single rule and it's causing iptables to drop something that needs to be forwarded/accepted.

    Code:
    # set wan interface such as eth1 or ppp0
    SHARE_IF="eth0"
    WAN="eth0"
    LAN="eth1"
    
    # clean old fw
    echo "Clearing old firewall rules..."
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # Get some kernel modules
    echo "Loading kernel modules..."
    $MOD ip_tables
    $MOD iptable_filter
    $MOD iptable_nat
    $MOD ip_conntrack
    $MOD ipt_MASQUERADE
    $MOD ip_nat_ftp
    $MOD ip_nat_irc
    $MOD ip_conntrack_ftp
    $MOD ip_conntrack_irc
    
    # Clean old rules if any, rhel specific but above will take care of everything
    # service iptables stop
    
    # unlimited traffic via loopback device
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    
    echo "Setting ${WAN} as WAN interface..."
    $IPT --table nat --append POSTROUTING --out-interface ${WAN} -j MASQUERADE
    
    echo Blocking open ports
    iptables -A INPUT -p tcp -m tcp --dport 111 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp -m tcp --dport 135:139 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp -m tcp --dport 445 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp -m tcp --dport 9022 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp -m tcp --dport 4445 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp -m tcp --dport 1720 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp -m tcp --dport 5038 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp -m tcp --dport 3128 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with tcp-reset -i ${WAN}
    
    echo Block other ports, just in case.
    iptables -A INPUT -p tcp --dport 21 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp --dport 79 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp --dport 110 -j REJECT --reject-with tcp-reset -i ${WAN}
    iptables -A INPUT -p tcp --dport 143 -j REJECT --reject-with tcp-reset -i ${WAN}
    
    echo Setting Rules
    
    #port 3389=RDP
    #iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT -i ${WAN}
    
    echo Mapping Ports to other network locations
    
    echo Enabling Transparent Squid Routing
    #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
    #Rule for dansguardian routing
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
    # End other custom rules
    
    echo All Done!
    echo
    echo Network Services status:
    echo
    Thanks

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Security is not you best topic I see. This firewall is not that secure at all. The only thing saving your @ss is the NAT. You are using this script on customers sites? You are joking right? This firewall is a crackers dream. Security 101 DROP everything and only allow to pass what is needed! HERE is some reading material for you.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Mar 2009
    Posts
    3
    I'm looking for help getting this working, not security advice. When the machine is ready for production I'll lock it down I run a complete tcp/udp scan on every machine and block every port that I do not need open by hand. I've had problems with SIP when I've set the default action to drop.

    My buddy who is a sysadmin at a big ISP said that iptables won't place nice unless it's sitting on a public IP. Has anyone had experience with iptables behind a NAT? I know I've had NAT behind NAT in my testing environment before and it has worked.

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Quote Originally Posted by paulrausch View Post
    My buddy who is a sysadmin at a big ISP said that iptables won't place nice unless it's sitting on a public IP.
    Tell your Buddy that he should stop blowing smoke and he doesn't have a clue what he is talking about. Iptables will work on public or private or a combination of the 2 with out issues. Iptables does only what it is told to do. If you haven't configured it right you cannot blame the firewall.

    Has anyone had experience with iptables behind a NAT? I know I've had NAT behind NAT in my testing environment before and it has worked.
    Yes, I have. Works without issues as long as you have it setup correctly.

    How about you tell me how you want to setup the firewall

    IP Address
    PORT
    IP Address/PORT

    Then tell me what you want to allow though

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #5
    Just Joined!
    Join Date
    Mar 2009
    Posts
    3
    As of right now machines are unable to access anything. HTTP works because I have that traffic running through dansguardian/squid. For some reason I must have screwed up a rule somewhere whereas other data isn't going through correctly.

    Most importantly I need SSL/SSH working.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •