  1. #1

    Newbie problems configuring home server

    Hi all,
    I hope that someone can help me.
    I have a DSL modem router attached to eth0 on Ubuntu 8.04. I have a local network attached to eth1. I want the Ubuntu server to act as the home gateway and later to use squid to manage downloads.
    eth0 - 192.168.1.1/16
    eth1 - 192.168.2.1/16

    Gandalf - the server - Ubuntu 8.04, DHCP, iptables

    I can log to the server using putty and connect to it using webmin.

    From the server I can ping dsl modem/router and other external sites if I have their ip address but I cannot get dns to work.
    From the winboxes I can connect to webmin but am blocked from all else even with an ip address.

    Firewall setup follows.
    I would appreciate some help, particularly that which tells me what I've got wrong.

    #!/bin/bash

    PATH=/usr/sbin:/sbin:/bin:/usr/bin
    #
    # ----------------------------------------------------------------------------
    # Copyright (C) 1999, 2001 OpenNA.com
    # Last modified by Gerhard Mourani: 04-01-2001 <SNIP/>
    # This firewall configuration is suitable for Gateway & Proxy Server.
    # ----------------------------------------------------------------------------
    #
    # Invoked from /etc/rc.d/init.d/iptables.
    # chkconfig: - 60 95
    # description: Starts and stops the IPTABLES packet filter \
    # used to provide firewall network services.

    # Source function library.
    #. /etc/rc.d/init.d/functions

    # Source networking configuration.
    #. /etc/sysconfig/network

    # Check that networking is up.
    #if [ ${NETWORKING} = "no" ]
    #then
    # exit 0
    #fi

    if [ ! -x /sbin/iptables ]; then
    exit 0
    fi

    # See how we were called.
    case "$1" in
    start)
    echo -n "Starting Firewalling: "

    # ----------------------------------------------------------------------------
    # Some definitions for easy maintenance.
    # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

    IPADDR="192.168.1.1" #`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d \ -f 1`
    EXTERNAL_INTERFACE="eth0" # Internet connected interface
    LOOPBACK_INTERFACE="lo" # Your local naming convention
    LOCAL_INTERFACE_1="eth1" # Your Internal LAN interface
    INTRANET="192.168.2.0/24" # Your Private IP Addr Range
    PRIMARY_NAMESERVER="192.168.1.254" # Your Primary Name Server
    SECONDARY_NAMESERVER="192.231.203.132" # Your Secondary Name Server
    SYSLOG_SERVER="192.168.2.1" # Your Syslog Internal Server

    LOOPBACK="127.0.0.0/8" # Reserved loopback address range
    CLASS_A="10.0.0.0/8" # Class A private networks
    CLASS_B="172.16.0.0/12" # Class B private networks
    CLASS_C="192.168.0.0/16" # Class C private networks
    CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addr
    CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addr
    BROADCAST_SRC="0.0.0.0" # Broadcast source addr
    BROADCAST_DEST="255.255.255.255" # Broadcast destination addr
    PRIVPORTS="0:1023" # Privileged port range
    UNPRIVPORTS="1024:" # Unprivileged port range

    WINFILESHAREPORTS="137:139" # Windows file sharing ports, UDP and TCP
    WINFILESHARE="yes"

    # ----------------------------------------------------------------------------

    # The SSH client starts at 1023 and works down to 513 for each
    # additional simultaneous connection originating from a privileged port.
    # Clients can optionally be configured to use only unprivileged ports.
    SSH_LOCAL_PORTS="1022:65535" # Port range for local clients
    SSH_REMOTE_PORTS="513:65535" # Port range for remote clients

    # traceroute usually uses -S 32769:65535 -D 33434:33523
    TRACEROUTE_SRC_PORTS="32769:65535"
    TRACEROUTE_DEST_PORTS="33434:33523"

    # ----------------------------------------------------------------------------

    # FIREWALL MODULES
    # ----------------

    # Uncomment all of the following modules lines only
    # for modularized kernel system.

    # These modules are necessary to masquerade their respective services.
    # /sbin/modprobe ip_tables
    # /sbin/modprobe iptable_nat
    # /sbin/modprobe ip_conntrack
    # /sbin/modprobe ip_conntrack_ftp
    # /sbin/modprobe ip_tables
    # /sbin/modprobe ip_nat_ftp
    # /sbin/modprobe ipt_LOG
    # /sbin/modprobe ipt_MARK
    # /sbin/modprobe ipt_MASQUERADE
    # /sbin/modprobe ipt_REDIRECT
    # /sbin/modprobe ipt_REJECT
    # /sbin/modprobe ipt_TOS
    # /sbin/modprobe ipt_limit
    # /sbin/modprobe ipt_mac
    # /sbin/modprobe ipt_mark
    # /sbin/modprobe ipt_multiport
    # /sbin/modprobe ipt_state
    # /sbin/modprobe ipt_tos
    # /sbin/modprobe iptable_mangle

    # ----------------------------------------------------------------------------

    # Default policy is DENY
    # Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter
    iptables -F
    iptables -F -t nat

    # Remove any existing user-defined chains.
    iptables -X

    # Set the default policy of the filter to deny.
    #mja 31May09
    # iptables -P INPUT DROP
    # iptables -P OUTPUT DROP
    # iptables -P FORWARD DROP

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    # ----------------------------------------------------------------------------

    # LOOPBACK
    # --------

    # Unlimited traffic on the loopback interface.

    iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

    # ----------------------------------------------------------------------------

    # Unlimited traffic within the local network.

    # All internal machines have access to the fireall machine.

    iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT

    # ----------------------------------------------------------------------------

    # STATEFUL PART!
    # --------------

    # Kill malformed XMAS packets
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

    # Kill malformed NULL packets
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

    # Block faked, or "spoofed," packets from getting through the firewall.
    # ("! -s" is the negation form current iptables accepts; "-s !" is the old spelling)
    iptables -A FORWARD -i $LOCAL_INTERFACE_1 ! -s $INTRANET -j DROP

    # Allow all internal packets out of our network.
    iptables -A FORWARD -m state --state NEW -i $LOCAL_INTERFACE_1 \
    -s $INTRANET -j ACCEPT

    # Allow the associated packets with those connections back in.
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
    -i $EXTERNAL_INTERFACE ! -s $INTRANET -j ACCEPT

    # All internal traffic is masqueraded externally.
    iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE

    # Blocks any forwards that come from Internet connection. Uncomment only for
    # users with modem device like "ppp0".

    # iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \
    # --state NEW,INVALID -j REJECT

    # ----------------------------------------------------------------------------
    # Start Network Windows file sharing
    # mja 24May09
    # Must be a test, not an assignment: "if WINFILESHARE=yes" is always true.
    if [ "$WINFILESHARE" = "yes" ]; then
    iptables -A INPUT -p tcp --source $CLASS_C --destination-port 137:139 -j ACCEPT
    iptables -A INPUT -p udp --source $CLASS_C --destination-port 137:139 -j ACCEPT
    fi
    # End Network Windows file sharing
    # ----------------------------------------------------------------------------


    # ----------------------------------------------------------------------------
    # Network Ghouls

    # Deny access to jerks
    # --------------------
    # /etc/rc.d/rc.firewall.blocked contains a list of
    # iptables -A INPUT -i $EXTERNAL_INTERFACE -s address -j DROP
    # rules to block from any access.

    # Refuse any connection from problem sites
    if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    deny_file="/etc/rc.d/rc.firewall.blocked"
    # A fixed name under /tmp written by root is a symlink-attack target; use mktemp.
    temp_file=$(mktemp) || exit 1
    cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" \
    | awk ' $1 ' > $temp_file
    while read ip_addy
    do
    case $ip_addy in
    *) iptables -A INPUT -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
    iptables -A INPUT -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
    ;;
    esac
    done < $temp_file
    rm -f $temp_file > /dev/null 2>&1
    unset temp_file
    unset deny_file
    fi

    # ----------------------------------------------------------------------------

    # SPOOFING & BAD ADDRESSES
    # Refuse spoofed packets.
    # Ignore blatantly illegal source addresses.
    # Protect yourself from sending to bad addresses.

    # Refuse incoming packets pretending to be from the external address.
    iptables -A INPUT -s $IPADDR -j DROP

    # Refuse incoming packets claiming to be from a Class A, B or C private network
    iptables -A INPUT -s $CLASS_A -j DROP
    iptables -A INPUT -s $CLASS_B -j DROP
    # iptables -A INPUT -s $CLASS_C -j DROP

    # Refuse broadcast address SOURCE packets
    iptables -A INPUT -s $BROADCAST_DEST -j DROP
    iptables -A INPUT -d $BROADCAST_SRC -j DROP

    # Refuse Class D multicast addresses
    # Multicast is illegal as a source address.
    # Multicast uses UDP.
    iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP

    # Refuse Class E reserved IP addresses
    iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP

    # Refuse special addresses defined as reserved by the IANA.
    # Note: The remaining reserved addresses are not included
    # filtering them causes problems as reserved blocks are
    # being allocated more often now. The following are based on
    # reservations as listed by IANA as of 2001/01/04. Please regularly


    # Note: this list includes the loopback, multicast, & reserved addresses.

    # 0.*.*.* - Can't be blocked for DHCP users.
    # 127.*.*.* - LoopBack
    # 169.254.*.* - Link Local Networks
    # 192.0.2.* - TEST-NET
    # 224-255.*.*.* - Classes D & E, plus unallocated.

    # iptables -A INPUT -s 0.0.0.0/8 -j DROP
    iptables -A INPUT -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -s 169.254.0.0/16 -j DROP
    iptables -A INPUT -s 192.0.2.0/24 -j DROP
    iptables -A INPUT -s 224.0.0.0/3 -j DROP

    # ----------------------------------------------------------------------------

    # UDP TRACEROUTE
    # --------------

    # traceroute usually uses -S 32769:65535 -D 33434:33523

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    --source-port $TRACEROUTE_SRC_PORTS \
    -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
    --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT

    # ----------------------------------------------------------------------------

    # DNS forward-only nameserver
    # ---------------------------

    #mja 31May09 these were all commented out, I've put them in
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    -s $PRIMARY_NAMESERVER --source-port 53 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    -s $PRIMARY_NAMESERVER --source-port 53 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    -s $SECONDARY_NAMESERVER --source-port 53 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    -s $SECONDARY_NAMESERVER --source-port 53 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT


    # DNS: full server (53)
    # ---------------------

    # server/client to server query or response


    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    --source-port $UNPRIVPORTS \
    -d $IPADDR --destination-port 53 -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port 53 \
    --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    --source-port 53 \
    -d $IPADDR --destination-port 53 -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port 53 \
    --destination-port 53 -j ACCEPT

    # DNS client (53)
    # ---------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    --source-port 53 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 53 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 53 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 53 -j ACCEPT


    # DNS Zone Transfers (53)
    # -----------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    -s $SECONDARY_NAMESERVER --source-port $UNPRIVPORTS \
    -d $IPADDR --destination-port 53 -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port 53 \
    -d $SECONDARY_NAMESERVER --destination-port $UNPRIVPORTS -j ACCEPT


    # ------------------------------------------------------------------

    # client (80)
    # ----------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    # ------------------------------------------------------------------

    # client (443)
    # ------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 443 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 443 -j ACCEPT

    # ------------------------------------------------------------------

    # WWW-CACHE client
    # ----------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 3128 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 3128 -j ACCEPT

    # Forward all packets through Squid to save bandwidth
    # (line continuations added; skip destinations on the LAN itself so local
    # web servers are reached directly and not through the cache)
    #iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
    # --destination-port 80 \
    # ! -d $INTRANET \
    # -j REDIRECT --to-port 3128
    # ------------------------------------------------------------------

    # NNTP NEWS client (119)
    # ----------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 119 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 119 -j ACCEPT

    # ------------------------------------------------------------------

    # POP client (110)
    # ----------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 110 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 110 -j ACCEPT

    # ------------------------------------------------------------------

    # IMAP client (143)
    # -----------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 143 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 143 -j ACCEPT

    # ------------------------------------------------------------------

    # SMTP client (25)
    # ----------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 25 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 25 -j ACCEPT

    # ------------------------------------------------------------------

    # SSH server (22)
    # ---------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    --source-port $SSH_REMOTE_PORTS \
    -d $IPADDR --destination-port 22 -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
    -s $IPADDR --source-port 22 \
    --destination-port $SSH_REMOTE_PORTS -j ACCEPT

    ###################################################################

    iptables -A INPUT -i eth1 -p tcp \
    --source-port 513:65535 \
    -d 192.168.118.200 --destination-port 22 -j ACCEPT

    iptables -A OUTPUT -o eth1 -p tcp ! --syn \
    -s 192.168.118.200 --source-port 22 \
    --destination-port 513:65535 -j ACCEPT

    ##################################################################

    # SSH client (22)
    # ---------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 22 \
    -d $IPADDR --destination-port $SSH_LOCAL_PORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $SSH_LOCAL_PORTS \
    --destination-port 22 -j ACCEPT

    #################################################################

    iptables -A OUTPUT -o eth1 -p tcp \
    -s 192.168.118.200 --source-port 1022:65535 \
    --destination-port 22 -j ACCEPT

    iptables -A INPUT -i eth1 -p tcp ! --syn \
    --source-port 22 \
    -d 192.168.118.200 --destination-port 1022:65535 -j ACCEPT

    #################################################################

    # ------------------------------------------------------------------

    # TELNET client (23)
    # ------------------

    # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    # --source-port 23 \
    # -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    # -s $IPADDR --source-port $UNPRIVPORTS \
    # --destination-port 23 -j ACCEPT

    # ------------------------------------------------------------------

    # AUTH server (113)
    # -----------------

    # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    --source-port $UNPRIVPORTS \
    -d $IPADDR --destination-port 113 -j REJECT


    # AUTH client (113)
    # -----------------

    # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    # --source-port 113 \
    # -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    # -s $IPADDR --source-port $UNPRIVPORTS \
    # --destination-port 113 -j ACCEPT

    # ------------------------------------------------------------------

    # WHOIS client (43)
    # -----------------

    # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    # --source-port 43 \
    # -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    # -s $IPADDR --source-port $UNPRIVPORTS \
    # --destination-port 43 -j ACCEPT

    # ------------------------------------------------------------------

    # FINGER client (79)
    # ------------------

    # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    # --source-port 79 \
    # -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    # -s $IPADDR --source-port $UNPRIVPORTS \
    # --destination-port 79 -j ACCEPT

    # ------------------------------------------------------------------

    # FTP client (21)
    # ---------------

    # outgoing request
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 21 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 21 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


    # PORT mode data channel
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    --source-port 20 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 20 -j ACCEPT

    # ------------------------------------------------------------------

    # IRC client (6667)
    # -----------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 6667 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 6667 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    --source-port $UNPRIVPORTS \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port $UNPRIVPORTS -j ACCEPT

    # ------------------------------------------------------------------

    # RealAudio / QuickTime client
    # ----------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 554 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 554 -j ACCEPT


    # TCP is a more secure method: 7070:7071

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 7070:7071 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 7070:7071 -j ACCEPT


    # UDP is the preferred method: 6970:6999
    # For LAN machines, UDP requires the RealAudio masquerading module and
    # the ipmasqadm third-party software.

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    --source-port $UNPRIVPORTS \
    -d $IPADDR --destination-port 6970:6999 -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port 6970:6999 \
    --destination-port $UNPRIVPORTS -j ACCEPT

    # ------------------------------------------------------------------

    # ICQ client (4000)
    # -----------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 2000:4000 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 2000:4000 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    --source-port 4000 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 4000 -j ACCEPT

    # ------------------------------------------------------------------

    # SYSLOG client (514)
    # -------------------

    # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    # -s $IPADDR --source-port 514 \
    # -d $SYSLOG_SERVER --destination-port $UNPRIVPORTS -j ACCEPT

    # ----------------------------------------------------------------------------

    # ICMP

    # To prevent denial of service attacks based on ICMP bombs, filter
    # incoming Redirect (5) and outgoing Destination Unreachable (3).
    # Note, however, disabling Destination Unreachable (3) is not
    # advisable, as it is used to negotiate packet fragment size.

    # For bi-directional ping.
    # Message Types: Echo_Reply (0), Echo_Request (8)
    # To prevent attacks, limit the src addresses to your ISP range.
    #
    # For outgoing traceroute.
    # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
    # default UDP base: 33434 to base+nhops-1
    #
    # For incoming traceroute.
    # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
    # To block this, deny OUTGOING 3 and 11

    # 0: echo-reply (pong)
    # 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
    # 4: source-quench
    # 5: redirect
    # 8: echo-request (ping)
    # 11: time-exceeded
    # 12: parameter-problem

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type echo-reply \
    -d $IPADDR -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type destination-unreachable \
    -d $IPADDR -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type source-quench \
    -d $IPADDR -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type time-exceeded \
    -d $IPADDR -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type parameter-problem \
    -d $IPADDR -j ACCEPT


    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR --icmp-type source-quench -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR --icmp-type echo-request -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR --icmp-type parameter-problem -j ACCEPT

    # ----------------------------------------------------------------------------

    # Enable logging for selected denied packets

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    --destination-port $PRIVPORTS -j DROP

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    --destination-port $UNPRIVPORTS -j DROP


    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type 5 -j DROP

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
    --icmp-type timestamp-request -j DROP   # type 13; "13/255" only matched code 255

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT

    # ----------------------------------------------------------------------------

    ;;
    stop)
    echo -n "Shutting Firewalling: "

    # Remove all existing rules belonging to this filter (nat table included,
    # otherwise the MASQUERADE rule survives a "stop")
    iptables -F
    iptables -F -t nat

    # Delete all user-defined chain to this filter
    iptables -X

    # Reset the default policy of the filter to accept.
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    ;;
    status)
    # The Red Hat "status" helper from /etc/rc.d/init.d/functions does not exist
    # on Ubuntu; list the live rule set instead.
    iptables -L -n -v
    iptables -t nat -L -n -v
    ;;
    restart|reload)
    $0 stop
    $0 start
    ;;
    *)
    echo "Usage: iptables {start|stop|status|restart|reload}"
    exit 1
    esac
    echo "done"

    exit 0

    Mick Arundell
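Before rewriting the rule set it is worth establishing which of the four things a Linux NAT gateway needs is actually missing. The script below is an added example, not code from the thread: each check is a function that takes its input on stdin or as an argument, so it can be exercised offline against captured output, and `--live` runs the same checks against the running system (root is needed for `iptables-save`). The interface name `eth0` and upstream router `192.168.1.254` are taken from the post; everything else is assumed.

```shell
#!/bin/sh
# Added example: sanity checks for a Linux NAT gateway. Assumed topology from
# the post: WAN eth0 192.168.1.1, upstream router 192.168.1.254, LAN eth1.
WAN_IF="eth0"
UPSTREAM="192.168.1.254"

# 1. Kernel forwarding. Argument: contents of /proc/sys/net/ipv4/ip_forward.
#    Without this the FORWARD chain and MASQUERADE rule never see a packet.
check_ip_forward() {
    [ "$1" = "1" ]
}

# 2. Default route. Stdin: "ip route" output. Succeeds only if a default route
#    exists and points at the upstream router through the WAN interface.
check_default_route() {
    grep -E "^default via $UPSTREAM dev $WAN_IF( |$)" >/dev/null
}

# 3. NAT. Stdin: "iptables-save" output. Requires a MASQUERADE or SNAT rule in
#    nat/POSTROUTING for the WAN interface; without it LAN addresses leak out
#    unchanged and replies never come back.
check_masquerade() {
    grep -E "^-A POSTROUTING .*-o $WAN_IF .*-j (MASQUERADE|SNAT)" >/dev/null
}

# 4. Resolver. Stdin: /etc/resolv.conf. Prints the nameservers, one per line,
#    and fails if none are configured (comments and other keys are ignored).
list_nameservers() {
    awk '$1 == "nameserver" { print $2; found = 1 } END { exit !found }'
}

# Live mode reads the real system; run as root.
if [ "${1:-}" = "--live" ]; then
    check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)" \
        && echo "ok   net.ipv4.ip_forward=1" \
        || echo "FAIL ip_forward is 0: sysctl -w net.ipv4.ip_forward=1"
    ip route | check_default_route \
        && echo "ok   default route via $UPSTREAM on $WAN_IF" \
        || echo "FAIL no default route via $UPSTREAM on $WAN_IF"
    iptables-save | check_masquerade \
        && echo "ok   MASQUERADE/SNAT on $WAN_IF" \
        || echo "FAIL no MASQUERADE/SNAT rule in nat POSTROUTING for $WAN_IF"
    list_nameservers < /etc/resolv.conf >/dev/null \
        && echo "ok   nameservers: $(list_nameservers < /etc/resolv.conf | tr '\n' ' ')" \
        || echo "FAIL no nameserver lines in /etc/resolv.conf"
fi
```

Save it under any name (say `check-gateway.sh`) and run `sh check-gateway.sh --live` on the server. A LAN host that can reach the gateway but nothing beyond it almost always fails check 1 or 3; a gateway that can ping addresses but not names fails check 4, which iptables rules cannot fix.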

  2. #2
    Freston:
    Welcome to the forums!
    Quote Originally Posted by mick-au
    From the server I can ping dsl modem/router and other external sites if I have their ip address but I cannot get dns to work.
    Sounds like a typical DNS problem if you ask me. It has not so much to do with iptables. Check your nameservers in /etc/resolv.conf
    Code:
    cat /etc/resolv.conf
    Here's an example with OpenDNS, but you can use your ISP's DNS servers or whatever you prefer.
    Code:
    freston@mymachine$ cat /etc/resolv.conf
    # Generated by dhcpcd for interface eth0
    nameserver 192.168.1.1
    nameserver 208.67.222.220
    nameserver 208.67.220.222
    Mind, you can use your home server to act as gateway, but all the clients you attach need to have nameservers defined as well. Otherwise, they all will have the same problem.

    I dunno how your setup is, whether you use DHCP or static addresses, but assuming DHCP then you need to tell whatever you use to serve DHCP to give nameservers to the clients. For example, I use dnsmasq and I added to /etc/dnsmasq.conf:
    Code:
    dhcp-option=6,192.168.1.1,208.67.222.220,208.67.220.222 # kinda magic but it works
    Can't tell an OS by its GUI

  3. #3
    Thank you Freston for your quick reply.
    I do use DHCP and no matter which DNS server I set in the winClient it still can resolve a name.
    But before that:
    From the winclient I can ping gateway 192.168.2.1 and 192.168.1.1 but I cannot ping 192.168.1.254 which is the dsl router address.
    That indicates that my error lies in the redirection part of iptables

    Will keep trying
    Mick

  4. #4
    Freston:
    Quote Originally Posted by mick-au
    I do use DHCP and no mater which DNS server I set in the winClient it still can resolve a name.
    Can, or can't??

    ___

    Let's see. You have a modem/router. You have a server/gateway. Your setup is such that you want to allow your Wintels to run over the gateway to the internet.

    Your Wintels can see the server, connect to it and everything, but can't look beyond it. And your server can see the internet, but doesn't resolve DNS.

    Well, that looks like two separate problems?


    ___


    I can't really make much of your firewall script. Many lines that appear as necessary to me are commented out. For example, all the modprobes. But also, for example:
    Code:
    # Refuse any connection from problem sites
    if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    deny_file="/etc/rc.d/rc.firewall.blocked"
    temp_file="/tmp/temp.ip.addresses"
    cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" \
    | awk ' $1 ' > $temp_file
    while read ip_addy
    do
    case $ip_addy in
    *) iptables -A INPUT -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
    iptables -A INPUT -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
    ;;
    esac
    done < $temp_file
    rm -f $temp_file > /dev/null 2>&1
    unset temp_file
    unset deny_file
    fi
    This doesn't do anything in my eyes, except stall the script for user input. It does not read the tempfile for input?? Am I overlooking something??



    Anyway, maybe this is of 'some' help. Below is the first part of my working iptables script. It doesn't show what I block, allow or whatever, but it may give you some idea of what the basic setup of the system looks like.



    Code:
    #!/bin/bash
    #########################################################
    # VARIABLES AND DEFINITIONS (AND MODPROBES)             #
    #########################################################
    #                                                       #
    # Basic setup, after C. Schroder
    #                                                       #
    #########################################################
    
    # VARIABLES
    ipt="/usr/sbin/iptables"
    mod="/sbin/modprobe"
    LAN_IFACE="eth1"
    WAN_IFACE="eth0"
    
    # BASIC KERNEL MODULES
    $mod ip_tables
    $mod ip_conntrack
    $mod iptable_filter
    $mod iptable_nat
    $mod iptable_mangle
    $mod ipt_LOG
    $mod ipt_limit
    $mod ipt_state
    $mod ipt_MASQUERADE
    
    # FOR IRC AND FTP
    $mod ip_nat_ftp
    $mod ip_nat_irc
    $mod ip_conntrack_ftp
    $mod ip_conntrack_irc
    
    # FLUSH RULES AND DELETE CUSTOM CHAINS
    $ipt -F
    $ipt -t nat -F
    $ipt -t mangle -F
    $ipt -X
    $ipt -t nat -X
    $ipt -t mangle -X
    
    
    
    #########################################################
    # GENERAL CONFIGURATION AND DEFAULT POLICIES            #
    #########################################################
    #                                                       #
    # After C. Schroder, with few modifications
    #                                                       #
    #########################################################
    #
    # DEFAULT POLICIES
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -t nat -P OUTPUT ACCEPT
    $ipt -t nat -P PREROUTING ACCEPT
    $ipt -t nat -P POSTROUTING ACCEPT
    $ipt -t mangle -P PREROUTING ACCEPT
    $ipt -t mangle -P POSTROUTING ACCEPT
    
    # LOOPBACK AND INTERNAL SERVICES
    $ipt -A INPUT -i lo -j ACCEPT
    
    # IP MASQUERADING
    $ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
    
    # OUTGOING TRAFFIC RULES
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -i $LAN_IFACE -s 192.168.1.0/26 -o $WAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
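Freston's skeleton stops before the allow rules. The script below is an added example, not Freston's or Mick's code, that completes the same design for the topology in this thread: default DROP on INPUT and FORWARD, one conntrack rule for replies, anti-spoofing on both sides, only LAN-facing services open on the gateway, MASQUERADE on the WAN side and the transparent Squid redirect as an option. The addresses (`eth0`/`eth1`, `192.168.2.0/24`, Squid on 3128, Webmin on 10000) come from the thread; `ADMIN_NET` and `TRANSPARENT_PROXY` are assumed knobs. With no argument it only prints the rules; `apply` loads them as root.

```shell
#!/bin/sh
# Added example: minimal stateful NAT gateway rule set for WAN eth0 / LAN eth1
# 192.168.2.0/24. Run with "apply" as root to load; otherwise rules are printed.
WAN_IF="eth0"
LAN_IF="eth1"
LAN_NET="192.168.2.0/24"
ADMIN_NET="$LAN_NET"       # where SSH and Webmin logins may come from (assumed)
SQUID_PORT="3128"
TRANSPARENT_PROXY="no"     # "yes" forces LAN web traffic through Squid (assumed)

gateway_rules() {
    cat <<EOF
# start from a clean slate in every table
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# deny by default; FORWARD is where LAN->Internet traffic is decided
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback, replies to anything this box started, and nothing conntrack cannot classify
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# DHCP must precede the anti-spoof rule: a DISCOVER arrives from source 0.0.0.0
iptables -A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
# anti-spoofing: LAN side carries only LAN sources, WAN side never does
iptables -A INPUT -i $LAN_IF ! -s $LAN_NET -j DROP
iptables -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# services the gateway itself offers, reachable from the LAN only
iptables -A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp -m multiport --dports 22,10000 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
# ICMP needed for ping and path-MTU discovery; echo requests rate-limited
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# LAN -> Internet, and the replies back
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# hide the LAN behind the WAN address
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
    if [ "$TRANSPARENT_PROXY" = "yes" ]; then
        # only web traffic leaving the LAN; requests to LAN hosts are left alone
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET ! -d $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT"
    fi
    # the kernel forwards nothing without this, whatever the rules say
    echo "sysctl -w net.ipv4.ip_forward=1"
}

case "${1:-}" in
    apply) gateway_rules | sh -e ;;
    *)     gateway_rules ;;
esac
```

`sh -e` stops at the first rule that fails to load, which with DROP policies already set can leave the box unreachable; apply it from the console or the Webmin session on the LAN side, not over the WAN. Everything the original 800-line script enumerated per service (POP, IMAP, IRC, RealAudio and so on) is covered by the single `ESTABLISHED,RELATED` rule, because the gateway only needs to admit replies to connections it or the LAN initiated.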

  5. #5
    Hi Freston,
    Finally found my problems. They were settings in sysctl.conf and a missing gateway setting in network.conf.

    # enable ip_forwarding
    sysctl -w net.ipv4.ip_forward=1

    #implement changes made to sysctl.conf
    #this will also list the current settings
    sysctl -p

    Thank you for your help

    Mick
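`sysctl -w` only changes the running kernel; the setting must also be in /etc/sysctl.conf or forwarding is off again after the next reboot, and a stock sysctl.conf often already carries the line commented out. The script below is an added example, not from the thread, that makes that edit idempotently (uncomments an existing line, replaces its value, or appends it), keeps the file's ownership and mode by writing in place, and in `--live` mode applies and verifies the result. The helper names are assumptions; nothing in the thread prescribes them.

```shell
#!/bin/sh
# Added example: persist a sysctl setting and verify the kernel picked it up.

# set_sysctl_conf FILE KEY VALUE
# Rewrites an existing "KEY = VALUE" line (commented or not, any spacing) as
# "KEY = VALUE", or appends it if absent. Running it twice changes nothing.
set_sysctl_conf() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    # escape dots so the key is matched literally in the regular expression
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*#*[[:space:]]*$key_re[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*#*[[:space:]]*$key_re[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    # copy back over the original so its owner and mode survive (mktemp files are 0600)
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_sysctl_conf FILE KEY
# Prints the effective (uncommented) value of KEY in FILE; last one wins, like sysctl -p.
get_sysctl_conf() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Live mode (root): edit the real file, load it, confirm the kernel agrees.
if [ "${1:-}" = "--live" ]; then
    set_sysctl_conf /etc/sysctl.conf net.ipv4.ip_forward 1
    sysctl -p >/dev/null
    if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]; then
        echo "net.ipv4.ip_forward is on and will survive a reboot"
    else
        echo "net.ipv4.ip_forward is still 0: check the output of sysctl -p" >&2
        exit 1
    fi
fi
```

The same helper can carry the anti-spoofing counterpart, `net.ipv4.conf.all.rp_filter = 1`, which makes the kernel drop packets whose source address would not be routed back out the interface they arrived on, independent of the iptables rules.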
