  1. #1
    Just Joined!
    Join Date
    May 2013
    Posts
    7

    Advice on my first iptables script


    Hi all,

    Not looking for help on a critical problem, just wanting to see if anyone can offer some advice on my first iptables script.

    Apologies if this should have been in the newbie section.

    It's ugly and probably demonstrates my lack of understanding of iptables more than anything, so I thought the best learning experience would be to put it up and let people pick it apart.

    The network is a CentOS router which has one external NIC (eth0) and one internal NIC (eth1). That (the router) is running the firewall; the DNS server is external to this network.

    The clients are on the eth1 side, obviously. I'm forwarding SSH connections to them through the firewall; I hope the comments in the script explain how.

    The router itself is running sshd on port 50000.

    Here it is:

    Code:
    #!/bin/bash
    
    ## default policies
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    
    ## allow established connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    ## packet forwarding from LAN to teh webz
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    
    ## allow ssh connections to the router on port 50000 from outside
    iptables -A INPUT -p tcp -i eth0 --dport 50000 -j ACCEPT
    
    ## when a tcp connection comes in on port 50001, dnat to the first client on port 22
    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 50001 -j DNAT --to 192.168.0.2:22
    
    ## when a tcp connection comes in on port 50002, dnat to the second client on port 22
    iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 50002 -j DNAT --to 192.168.0.3:22
    
    ## packet forwarding to make the above dnat work
    iptables -A FORWARD -o eth1 -p tcp --dport 22 -j ACCEPT
    Here is the /etc/sysconfig/iptables output as well, for those who prefer reading that.

    Code:
    # Generated by iptables-save v1.4.7 on Wed May 22 17:30:24 2013
    *nat
    :PREROUTING ACCEPT [15:970]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 50001 -j DNAT --to-destination 192.168.0.2:22
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 50002 -j DNAT --to-destination 192.168.0.3:22
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Wed May 22 17:30:24 2013
    # Generated by iptables-save v1.4.7 on Wed May 22 17:30:24 2013
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 50000 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth1 -o eth0 -j ACCEPT
    -A FORWARD -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
    COMMIT
    # Completed on Wed May 22 17:30:24 2013
    So there it is. This is my first effort, so please feel free to pick it apart and comment.

    Thanks in advance for any input!

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Hello, Alex, and welcome!

    As long as you are writing a script to generate rules, I would throw in some commands to flush the rules first, e.g.:

    Code:
    #!/bin/bash
    
    iptables -F
    iptables -X
    
    # your iptables commands

  3. #3
    Just Joined!
    Join Date
    May 2013
    Posts
    7
    Thanks atreyu! Funnily enough I was thinking of that whilst walking into work this morning, although I didn't think to include iptables -X.

    Thanks for the input!

    Do the rules themselves look secure?

  4. #4
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    You might as well zero the counters too if they are not needed.

    Code:
    iptables -Z
    I would also suggest you not mix STATEFUL and STATELESS rules. Troubleshooting can lead to long nights.
    Presently all your rules with ESTABLISHED,RELATED are not doing anything as there is nothing being tagged and added to the DB for these rules.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #5
    Just Joined!
    Join Date
    May 2013
    Posts
    7
    Thanks for the input Lazydog, sorry it took me a fortnight to reply (working away).

    Can you expand on your comment regarding the ESTABLISHED,RELATED rules?

    As I understood it, the default policy as I have set it is to drop anything destined for the router or beyond the router, except for connections already in place (so outbound connections from the router, for example).

    The -m state --state ESTABLISHED,RELATED option applies this to any packets that are already part of an established connection. Have I understood this incorrectly?


    Quote Originally Posted by Lazydog View Post
    Presently all your rules with ESTABLISHED,RELATED are not doing anything as there is nothing being tagged and added to the DB for these rules.

  6. #6
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    To have an ESTABLISHED,RELATED connection you have to have a rule that adds the connection into the db that this rule looks at. This is done with the NEW rule. Once the connection is accepted it is placed into the db so the ESTABLISHED,RELATED rules can match against it. Without the NEW rules nothing is placed into the db and thus ESTABLISHED,RELATED will never match anything.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  7. #7
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    @lazydog,

    I like that explanation; I've wondered the same thing myself in the past. Would you mind augmenting your explanation with some iptables examples that clearly illustrate what you are talking about?

  8. #8
    Just Joined!
    Join Date
    May 2013
    Posts
    7
    Quote Originally Posted by Lazydog View Post
    To have an ESTABLISHED,RELATED connection you have to have a rule that adds the connection into the db that this rule looks at. This is done with the NEW rule. Once the connection is accepted it is placed into the db so the ESTABLISHED,RELATED rules can match against it. Without the NEW rules nothing is placed into the db and thus ESTABLISHED,RELATED will never match anything.
    Thanks so much Lazydog, that's really cleared things up.

  9. #9
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Code:
    iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    The above rule only looks to see if the packet matches the port and allows it through.

    Code:
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    This rule does the same as the first one, with the exception that it adds the connection to the db for use by the following rule.

    Code:
    iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    This rule allows iptables to quickly establish whether the connection is allowed or not.

    Usually at the top of all your chains you would place the above rule to allow iptables to skip checking all the rules against every packet that arrives, thus speeding up the firewall.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
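    As an added example (not code from the thread or any of its posters), here is a small audit over iptables-save output for the points raised in posts #4 and #9: a --dport match that has no -p (iptables rejects such a rule with "unknown option"), ACCEPT rules in the filter table with no state match, and an ESTABLISHED rule that is not the first rule of its chain and so cannot serve as the fast path described above. The sample ruleset is constructed: the original poster's filter table from post #1 plus one deliberately protocol-less rule to exercise that check.

```shell
#!/bin/bash
# Added example, not code from the thread: a small audit of iptables-save
# output for the points raised in posts #4 and #9.  The sample ruleset below is
# constructed: the original poster's filter table plus one rule that uses
# --dport without -p (iptables itself rejects such a rule with "unknown
# option"), included only to exercise that check.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 50000 -j ACCEPT
-A INPUT -i eth0 --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# audit_ruleset: read iptables-save text on stdin and print one WARN line per
# finding.  Checks:
#   port-without-protocol   --dport/--sport used with no -p tcp/udp
#   accept-without-state    an ACCEPT in the filter table with no state match
#                           (post #4's stateful/stateless mix; such a rule also
#                           accepts packets conntrack considers INVALID)
#   established-not-first   an ESTABLISHED rule that is not the chain's first
#                           rule, so it cannot act as the fast path from post #9
audit_ruleset() {
  awk '
    /^\*/ { table = substr($0, 2); next }
    /^-A / {
      chain = $2
      has_proto = ($0 ~ / -p (tcp|udp)( |$)/)
      has_port  = ($0 ~ / --[sd]ports?( |$)/)
      has_state = ($0 ~ / --(state|ctstate) /)
      is_accept = ($0 ~ / -j ACCEPT( |$)/)
      if (has_port && !has_proto)
        printf "WARN port-without-protocol %s: %s\n", chain, $0
      if (table == "filter" && is_accept && !has_state && $0 !~ / -i lo( |$)/)
        printf "WARN accept-without-state %s: %s\n", chain, $0
      if (has_state && $0 ~ /ESTABLISHED/ && seen[chain] > 0)
        printf "WARN established-not-first %s: rule %d\n", chain, seen[chain] + 1
      seen[chain]++
    }
  '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | audit_ruleset
```

    On a live box you would feed it the real dump instead: `iptables-save | audit_ruleset`. The RELATED,ESTABLISHED rules in the sample pass the ordering check because they already sit first in INPUT and FORWARD; the four stateless ACCEPTs are what post #4 is pointing at.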

  10. #10
    Just Joined!
    Join Date
    May 2013
    Posts
    7
    Lazydog, I have taken on board your suggestions and spent some time reading up. Here is the new improved script and I would really appreciate your (and everyone else's) input.

    The VM lab I was working with has changed slightly: this firewall is running on a router with 3 NICs. eth0 is "internet facing" and belongs to 192.168.2.0/24 (really it's just my office LAN), eth1 belongs to 192.168.0.0/29 and eth2 to 192.168.100.0/29.

    I have a client on each subnet, with addresses of 192.168.0.2 and 192.168.100.2 respectively; the xxx.xxx.xxx.1 address in both subnets obviously belongs to the router. I SSH to the router via port 50000 and forward SSH connections to 50001 and 50002 to each of the clients, as before.

    EDIT: I've added some further rules for allowing SSH into the gateway itself and to allow SSH forwarding to the clients.

    FURTHER EDIT: I've modified quite a bit from the original post; I am editing here to avoid repetitive posts, which will teach me to post code before I have tested it.

    Code:
    #! /bin/bash
    
    ## flush the filter and nat tables and zero counters
    iptables -F
    iptables -t nat -F
    iptables -Z
    
    ## redirect DNS and HTTP requests from our clients to the internet
    iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.2.1
    iptables -t nat -A PREROUTING -i eth2 -p udp --dport 53 -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.2.1
    iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dport 80,443 -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.2.1
    iptables -t nat -A PREROUTING -i eth2 -p tcp -m multiport --dport 80,443 -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.2.1
    
    ## redirect SSH requests on specific ports to the appropriate client
    iptables -t nat -A PREROUTING  -p tcp --dport 50001 -m conntrack --ctstate NEW,ESTABLISHED -j DNAT --to-destination 192.168.0.2
    iptables -t nat -A PREROUTING  -p tcp --dport 50002 -m conntrack --ctstate NEW,ESTABLISHED -j DNAT --to-destination 192.168.100.2
    
    ## router input chain (allow SSH on port 50000)
    iptables -A INPUT -i lo -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 50000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i eth0 -m conntrack --ctstate NEW,INVALID -j REJECT
    
    ## router output chain
    iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate INVALID -j REJECT
    
    ## allow client forwarding and SSH
    iptables -A FORWARD -i eth1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o eth2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -p tcp -m multiport ! --dport 50001,50002 -m conntrack --ctstate NEW -j REJECT
    iptables -A FORWARD -i eth0 -m conntrack --ctstate INVALID -j REJECT
    
    ## if a client connection is forwarded to the WAN, apply NAT
    iptables -t nat -A POSTROUTING -o eth0 -m conntrack --ctstate NEW,ESTABLISHED -j MASQUERADE
    Last edited by AlexH; 06-21-2013 at 11:17 AM. Reason: clarity, added rule for ssh to the gateway
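    As an added example that is not the poster's script, here is the three-NIC layout from post #10 written with the NEW / ESTABLISHED,RELATED pattern from post #9, the flush from post #2 and the counter reset from post #4. The interface names, subnets, client addresses and ports are the ones the poster gave; the default policies, the INVALID drops, the restriction of each forward to its DNAT'd host, the source-address check on each LAN and the FW_DRY_RUN switch are this example's own additions.

```shell
#!/bin/bash
# Added example (not the thread's own script): the three-NIC layout from post
# #10, written with the NEW / ESTABLISHED,RELATED pattern from post #9, the
# flush from post #2 and the counter reset from post #4.  Interfaces, subnets
# and ports are the ones the poster gave; the dry-run switch, default
# policies, INVALID drops and per-forward host restriction are assumptions
# of this example.
WAN=eth0
LAN1=eth1; LAN1_NET=192.168.0.0/29;   LAN1_HOST=192.168.0.2
LAN2=eth2; LAN2_NET=192.168.100.0/29; LAN2_HOST=192.168.100.2
ROUTER_SSH=50000

# fw: run iptables, or just print the command when FW_DRY_RUN=1 so the
# generated ruleset can be reviewed (or diffed) before it touches the kernel.
fw() {
  if [ "${FW_DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# forward_ssh PUBLIC_PORT INTERNAL_IF INTERNAL_HOST: DNAT one public port to
# sshd on an internal host and allow only that NEW flow through FORWARD.
forward_ssh() {
  fw -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$1" -j DNAT --to-destination "$3:22"
  fw -A FORWARD -i "$WAN" -o "$2" -p tcp -d "$3" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

build_firewall() {
  # start from a clean slate in both tables (posts #2 and #4)
  fw -F; fw -t nat -F; fw -X; fw -Z
  # deny by default; everything below is an explicit allow
  fw -P INPUT DROP; fw -P FORWARD DROP; fw -P OUTPUT ACCEPT
  # loopback, then packets conntrack cannot place in any connection
  fw -A INPUT -i lo -j ACCEPT
  fw -A INPUT -m conntrack --ctstate INVALID -j DROP
  fw -A FORWARD -m conntrack --ctstate INVALID -j DROP
  # the fast path from post #9: replies to accepted connections, at the top
  fw -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  fw -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # NEW connections to the router's own sshd on the WAN side
  fw -A INPUT -i "$WAN" -p tcp --dport "$ROUTER_SSH" -m conntrack --ctstate NEW -j ACCEPT
  # NEW connections from each LAN out to the WAN, source-checked per interface
  fw -A FORWARD -i "$LAN1" -s "$LAN1_NET" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
  fw -A FORWARD -i "$LAN2" -s "$LAN2_NET" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
  # published ssh ports, one per client (post #10's 50001 and 50002)
  forward_ssh 50001 "$LAN1" "$LAN1_HOST"
  forward_ssh 50002 "$LAN2" "$LAN2_HOST"
  # hide both LANs behind the WAN address
  fw -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Stand-alone: print the ruleset instead of applying it.
FW_DRY_RUN=1 build_firewall
```

    Running the script as-is prints the twenty iptables commands it would issue; calling `build_firewall` as root without FW_DRY_RUN applies them. Because the script flushes and replaces everything in one go with no rollback, apply it from a console rather than over the SSH session it is about to re-filter, and compare `iptables-save` output before and after to confirm only the intended rules changed.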
