Gentoo Forums
firewall forwarding issue, simple fix but what?
Forum: Networking & Security
nadsys
Tux's lil' helper


Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany

PostPosted: Fri Oct 01, 2004 1:54 am    Post subject: firewall forwarding issue, simple fix but what?

Had all forwarding working with a simple firewall script; now I've implemented a much more detailed one based on krunk's IPTables HOWTO, and it works perfectly for the server machine but not for the clients.

I can still ping the server from the client, so DNS/DHCP are still working fine.

Any help much appreciated. BTW, please ignore any line wrapping; it's just how it pasted :)

Here's what I have:

Code:

#!/bin/sh
#


# ********** VARIABLE DEFINITIONS **********
#
# External interface
EXTIF="ppp0"
# Internal interface
INTIF="eth1"

# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/bin/awk"

# Setting up external interface environment variables
# The following doesn't play nice with localization
#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
# This one does AFAIK
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
# same problem here with localization
#EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose

# Setting up environment variables for internal interface
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
#INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
#INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"


# ********** INITIALIZATION **********
#
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP

#IPT        -P INPUT       ACCEPT
#IPT        -P OUTPUT      ACCEPT
#IPT        -P FORWARD     ACCEPT

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
for i in $CHAINS;
do
    $IPT -t $i -X
done

# enable syncookies & ignore icmp broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
        echo 1 > $i
done

# activate forwarding & dynamic address
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
#MODULES="ipt_owner"
#for i in $MODULES;
#do
#  echo "Inserting module $i"
#  modprobe $i
#done


# ********** LOGGING CHAINS **********
#
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.

# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'
$IPT -A DROPl   -j DROP

$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'
$IPT -A REJECTl -j REJECT

$IPT -N DROP2   2> /dev/null
$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:'
$IPT -A DROP2   -j DROP

$IPT -N REJECT2 2> /dev/null
$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:'
$IPT -A REJECT2 -j REJECT

# For testing, a logging ACCEPT chain
$IPT -N ACCEPTl   2> /dev/null
$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:'
$IPT -A ACCEPTl   -j ACCEPT


# ********** SANE COMMON RULES **********
#
# Now we are going to accept all traffic from or to our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP  -j ACCEPT
$IPT -A OUTPUT   -o $LPDIF -d   $LPDIP  -j ACCEPT
$IPT -A OUTPUT   -o $LPDIF -d   $EXTIP  -j ACCEPT
$IPT -A OUTPUT   -o $LPDIF -d   $INTIP  -j ACCEPT

# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl
$IPT -A INPUT   -i $INTIF -d   $INTBC  -j DROPl
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A OUTPUT  -o $INTIF -d   $INTBC  -j DROPl
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A FORWARD -o $INTIF -d   $INTBC  -j DROPl

# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not match our ISP-assigned
# ip address, drop it like a hot potato"
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl

# Now we will block internal addresses originating from anything but our
# predefined interface.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# that IP as well
# Interface one/internal net one
$IPT -A INPUT   -i $INTIF -s ! $INTNET -j DROPl
$IPT -A OUTPUT  -o $INTIF -d ! $INTNET -j DROPl
$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl

# An additional Egress check
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl

# Block outbound ICMP (except for PING)

$IPT -A OUTPUT  -o $EXTIF -p icmp \
  --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl

# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET \
    --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow internal network to ping internal systems
$IPT -A OUTPUT  -o $INTIF -p icmp -s $INTNET \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT   -i $INTIF -p icmp -s $INTNET \
    --icmp-type 8 -m state --state NEW -j ACCEPT





# ********** BLOCKING THE EVIL PORTS **********
#
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 135 is DCOM RPC
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346 (gnutella - removed)
# Common Trojans 12345 65535
INTCOMBLOCK="0:1 13 21 22 98 111 135 161:162 1214 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"
EXTCOMBLOCK="137:139 445"

# TCP ports:
# 512:515 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
INTTCPBLOCK="$INTCOMBLOCK 512:515 1080 6000:6009 6112"
EXTTCPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 512:515 1080 6000:6009 6112"

# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
INTUDPBLOCK="$INTCOMBLOCK 161:162 520 517:518 1427 9000"
EXTUDPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 161:162 520 123 517:518 1427 9000"


echo -n "FW: Blocking internal attacks to TCP port: "
for i in $INTTCPBLOCK;
do
echo -n "$i "
  $IPT -A INPUT   -p tcp -s $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp -s $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp -s $INTNET --dport $i  -j DROPl
done
echo ""

echo -n "FW: Blocking external attacks to TCP port: "
for i in $EXTTCPBLOCK;
do
echo -n "$i "
  $IPT -A INPUT   -p tcp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp -s ! $INTNET --dport $i  -j DROPl
done
echo ""

echo -n "FW: Blocking internal attacks to UDP port: "
for i in $INTUDPBLOCK;
do
  echo -n "$i "
    $IPT -A INPUT   -p udp -s $INTNET --dport $i  -j DROPl
    $IPT -A OUTPUT  -p udp -s $INTNET --dport $i  -j DROPl
    $IPT -A FORWARD -p udp -s $INTNET --dport $i  -j DROPl
done
echo ""

echo -n "FW: Blocking external attacks to UDP port: "
for i in $EXTUDPBLOCK;
do
  echo -n "$i "
    $IPT -A INPUT   -p udp -s ! $INTNET --dport $i  -j DROPl
    $IPT -A OUTPUT  -p udp -s ! $INTNET --dport $i  -j DROPl
    $IPT -A FORWARD -p udp -s ! $INTNET --dport $i  -j DROPl
done
echo ""





# ********** ALLOWING INSIDE TO OUTSIDE SERVICES **********
#
# This is where things go you want to use from your network on the internet
#
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
NOIP=8245
NFS='sunrpc'
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371

# All services ports are read from /etc/services

TCPSERV="domain sshb http https glftpd imap3 imaps imap2 ntp $PORTAGE $IRC $NOIP $MSN $OpenPGP_HTTP_Keyserver"
UDPSERV="domain ntp"

echo -n "FW: Allowing inside systems to use services: "
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET \
    --dport $i --syn -m state --state NEW -j ACCEPT

done
echo ""

echo -n "FW: Allowing inside systems to use services: "
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF -p udp -s $INTNET \
        --dport $i -m state --state NEW -j ACCEPT
done
echo ""





# ********** ALLOWING SERVICES ON FIREWALL **********
#
# DAEMONS on firewall which should be accessible to inside/outside.
# it is presumed that DAEMONS advertised to the outside can also
# be advertised safely to the inside
#
# This is generally NOT A GOOD IDEA (as told by "security experts")
# since if some service on this machine gets hacked, the firewall is
# compromised as well, but what the heck ;) it's only a home network
#
# 50369 is my p2p port
# microsoft-ds is for samba
# 5901 is vnc
# domain is nameserver
# ntp is for timeserving

GLPASV="14000:14500"

# EXTTCPDAEMONS="sshb http https imap3 imaps imap2 "
EXTTCPDAEMONS="sshb auth glftpd $GLPASV"
INTTCPDAEMONS="$EXTTCPDAEMONS microsoft-ds 5901"
EXTUDPDAEMONS=""
INTUDPDAEMONS="$EXTUDPDAEMONS domain ntp"

echo -n "FW: Allowing external systems to use tcp services on localhost: "
for i in $EXTTCPDAEMONS;
do
   echo -n "$i "
   $IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing internal systems to use tcp services on localhost: "
for i in $INTTCPDAEMONS;
do
   echo -n "$i "
   $IPT -A INPUT -i $INTIF -p tcp -d $INTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing external systems to use udp services on localhost: "
for i in $EXTUDPDAEMONS;
do
    echo -n "$i "
    $IPT -A INPUT -i $EXTIF -p udp -d $EXTIP  \
     --dport $i -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing internal systems to use udp services on localhost: "
for i in $INTUDPDAEMONS;
do
    echo -n "$i "
    $IPT -A INPUT -i $INTIF -p udp -d $INTIP  \
     --dport $i -m state --state NEW -j ACCEPT
done
echo ""




# ********** FINALIZING NAT & FIREWALL **********
#
# Setup NAT
$IPT -t nat -A PREROUTING                       -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT

# allow existing connections
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# block and log what we may have forgotten
$IPT -A INPUT             -j DROP2
$IPT -A OUTPUT            -j REJECT2
$IPT -A FORWARD           -j DROP2

_________________
how do i change directory, try init 6
Hobbes-X
l33t


Joined: 04 Feb 2004
Posts: 823
Location: Seattle, WA

PostPosted: Fri Oct 01, 2004 2:21 am    Post subject:

From your message I'm not 100% sure what sort of traffic you're trying to allow, but if you're wanting to allow the firewall to access services like I was, you can add this:

Code:

# Allowing access to internal services from localhost
echo -n "FW: Allowing localhost to use tcp services on internal systems: "
for i in $INTTCPDAEMONS;
do
    echo -n "$i "
    # destination is the internal network, not the firewall's own internal address
    $IPT -A OUTPUT -o $INTIF -p tcp -d $INTNET --dport $i -m state --state NEW -j ACCEPT
done
echo ""


HTH
nadsys
Tux's lil' helper


Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany

PostPosted: Fri Oct 01, 2004 2:12 pm    Post subject:

Hi, thanks for the reply. I don't think I explained my situation clearly enough before.

I have everything working on the server.

I have no access, however, from the clients to the internet. Mozilla, IRC, ping, and others I have tried all fail. IP forwarding is enabled in the script, so that's not the issue, but somewhere in that script it has to allow traffic from the clients through the firewall to the internet. I'm unsure if a rule already exists for that and it's just a case of altering it, or if I have to do what you just told me and add that line in for the clients to access the WWW.

Got the firewall from page 2, 3/4 of the way down, by Krunk: https://forums.gentoo.org/viewtopic.php?t=159710&postdays=0&postorder=asc&highlight=iptables+howto&start=25

thank you,

Neil
Hobbes-X
l33t


Joined: 04 Feb 2004
Posts: 823
Location: Seattle, WA

PostPosted: Fri Oct 01, 2004 4:00 pm    Post subject:

Hi Neil,

The part of the script where you can add protocols that the clients are allowed to use is here:

Code:

IRC='ircd'
MSN=1863
NOIP=8245
NFS='sunrpc'
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371

# All services ports are read from /etc/services

TCPSERV="domain sshb http https glftpd imap3 imaps imap2 ntp $PORTAGE $IRC $NOIP $MSN $OpenPGP_HTTP_Keyserver"
UDPSERV="domain ntp"


http, irc, and most of the other common ones are already listed. (ping is a different case though, and is handled further up in the script.)

With the script the way it is, these are already set up to be allowed, so there's probably something else wrong. Do you have the iptables support compiled into your kernel, or are they compiled as modules?

This part of your script is commented out, so you'll need to have them built into the kernel for FTP to work.

Code:

# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
#MODULES="ipt_owner"
#for i in $MODULES;
#do
#  echo "Inserting module $i"
#  modprobe $i
#done


I notice some of the lines are wrapped, and have '/'s in them. Does the script run without any errors for you? I had to do some fixing of the wrapped lines to get the script to run without errors.
Hobbes-X
l33t


Joined: 04 Feb 2004
Posts: 823
Location: Seattle, WA

PostPosted: Fri Oct 01, 2004 4:03 pm    Post subject:

By the way, the first little section I posted is to allow the firewall to access services hosted on internal clients, so that won't help with your current problem.
nadsys
Tux's lil' helper


Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany

PostPosted: Fri Oct 01, 2004 6:58 pm    Post subject:

OK, tried FTP instead of ping from the client, same error: "network is unreachable". It gives this message instantly. If I disable the firewall on the server, it works straight away, so it's definitely an iptables problem.

Now, as you pointed out, the section which allows clients to connect has all the services they should need to use FTP/HTTP and so on, so that's not the issue either, I think.

The only error I get when executing the script is for syncookies:
-bash: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory

Looking in the help section for syncookies in make menuconfig, it says:
If you say Y here, note that SYN cookies aren't enabled by default; you can enable them by saying Y to "/proc file system support" and "Sysctl support" below and executing the command...

I have syncookies in the kernel, I have /proc file system in the kernel, but I can't find "sysctl support" anywhere, so I am unsure whether it's in the kernel or not.

An additional problem I now have is getting FTP to work. I can FTP to any site I add to my firewall but can't get it to list, using PASV or not using PASV. I want to be able to tell it to use a certain range of ports for all passive transfers. I allowed ports 14000:14500 for this purpose (the variable is GLPASV).

The FTP problem is secondary to getting the clients up and running. Thank you for any help.

This is how iptables looks now:

Code:
#!/bin/sh
#


# ********** VARIABLE DEFINITIONS **********
#
# External interface
EXTIF="ppp0"
# Internal interface
INTIF="eth1"

# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/bin/awk"

# Last but not least, the users
nads=192.168.0.09
lee=192.168.0.10



# Setting up external interface environment variables
# The following doesn't play nice with localization
#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
# This one does AFAIK
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
# same problem here with localization
#EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose

# Setting up environment variables for internal interface
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
#INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
#INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"


# ********** INITIALIZATION **********
#
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

#IPT -P INPUT ACCEPT
#IPT -P OUTPUT ACCEPT
#IPT -P FORWARD ACCEPT

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
$IPT -t $i -F
done
for i in $CHAINS;
do
$IPT -t $i -X
done

# enable syncookies & ignore icmp broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
echo 1 > $i
done

# activate forwarding & dynamic address
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
#MODULES="ipt_owner"
#for i in $MODULES;
#do
# echo "Inserting module $i"
# modprobe $i
#done


# ********** LOGGING CHAINS **********
#
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.

# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl 2> /dev/null
$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'
$IPT -A DROPl -j DROP

$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'
$IPT -A REJECTl -j REJECT

$IPT -N DROP2 2> /dev/null
$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:'
$IPT -A DROP2 -j DROP

$IPT -N REJECT2 2> /dev/null
$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:'
$IPT -A REJECT2 -j REJECT

# For testing, a logging ACCEPT chain
$IPT -N ACCEPTl 2> /dev/null
$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:'
$IPT -A ACCEPTl -j ACCEPT


# ********** SANE COMMON RULES **********
#
# Now we are going to accept all traffic from or to our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $LPDIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $EXTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $INTIP -j ACCEPT

# Blocking Broadcasts
$IPT -A INPUT -i $EXTIF -d $EXTBC -j DROPl
$IPT -A INPUT -i $INTIF -d $INTBC -j DROPl
$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
$IPT -A OUTPUT -o $INTIF -d $INTBC -j DROPl
$IPT -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
$IPT -A FORWARD -o $INTIF -d $INTBC -j DROPl

# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not match our ISP-assigned
# ip address, drop it like a hot potato"
$IPT -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl

# Now we will block internal addresses originating from anything but our
# predefined interface.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# that IP as well
# Interface one/internal net one
$IPT -A INPUT -i $INTIF -s ! $INTNET -j DROPl
$IPT -A OUTPUT -o $INTIF -d ! $INTNET -j DROPl
$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl

# An additional Egress check
$IPT -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl

# Block outbound ICMP (except for PING)

$IPT -A OUTPUT -o $EXTIF -p icmp \
--icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
--icmp-type ! 8 -j DROPl

# Allow to ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP \
--icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET \
--icmp-type 8 -m state --state NEW -j ACCEPT

# Allow internal network to ping internal systems
$IPT -A OUTPUT -o $INTIF -p icmp -s $INTNET \
--icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INTIF -p icmp -s $INTNET \
--icmp-type 8 -m state --state NEW -j ACCEPT





# ********** BLOCKING THE EVIL PORTS **********
#
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 135 is DCOM RPC
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346 (gnutella - removed)
# Common Trojans 12345 65535
INTCOMBLOCK="0:1 13 22 98 111 135 161:162 1214 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"
EXTCOMBLOCK="137:139 445"

# TCP ports:
# 512:515 is rexec, rlogin, rsh, printer(lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
INTTCPBLOCK="$INTCOMBLOCK 512:515 1080 6000:6009 6112"
EXTTCPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 512:515 1080 6000:6009 6112"

# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
INTUDPBLOCK="$INTCOMBLOCK 161:162 520 517:518 1427 9000"
EXTUDPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 161:162 520 123 517:518 1427 9000"


echo -n "FW: Blocking internal attacks to TCP port: "
for i in $INTTCPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p tcp -s $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p tcp -s $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p tcp -s $INTNET --dport $i -j DROPl
done
echo ""

echo -n "FW: Blocking external attacks to TCP port: "
for i in $EXTTCPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p tcp -s ! $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p tcp -s ! $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p tcp -s ! $INTNET --dport $i -j DROPl
done
echo ""

echo -n "FW: Blocking internal attacks to UDP port: "
for i in $INTUDPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p udp -s $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p udp -s $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p udp -s $INTNET --dport $i -j DROPl
done
echo ""

echo -n "FW: Blocking external attacks to UDP port: "
for i in $EXTUDPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p udp -s ! $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p udp -s ! $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p udp -s ! $INTNET --dport $i -j DROPl
done
echo ""





# ********** ALLOWING INSIDE TO OUTSIDE SERVICES **********
#
# This is where things go you want to use from your network on the internet
#
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
NOIP=8245
NFS='sunrpc'
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
GFTPPORTS="21 1336 1337 5499 5500 8082 8083 443 444 81 21620 21621"

# All services ports are read from /etc/services

TCPSERV="domain sshb http https glftpd ntp $PORTAGE $IRC $NOIP $MSN $OpenPGP_HTTP_Keyserver $GFTPPORTS"
UDPSERV="domain ntp"

echo -n "FW: Allowing inside systems to use services: "
for i in $TCPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p tcp -s $INTNET \
--dport $i --syn -m state --state NEW -j ACCEPT

done
echo ""

echo -n "FW: Allowing inside systems to use services: "
for i in $UDPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP \
--dport $i -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p udp -s $INTNET \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""





# ********** ALLOWING SERVICES ON FIREWALL **********
#
# DAEMONS on firewall which should be accessible to inside/outside.
# it is presumed that DAEMONS advertised to the outside can also
# be advertised safely to the inside
#
# This is generally NOT A GOOD IDEA (as told by "security experts")
# since if some service on this machine gets hacked, the firewall is
# compromised as well, but what the heck ;) it's only a home network
#
# 50369 is my p2p port
# microsoft-ds is for samba
# 5901 is vnc
# domain is nameserver
# ntp is for timeserving

GLPASV="14000:14500"

# EXTTCPDAEMONS="sshb http https"
EXTTCPDAEMONS="sshb auth glftpd $GLPASV $GFTPPORTS"
INTTCPDAEMONS="$EXTTCPDAEMONS microsoft-ds 5901"
EXTUDPDAEMONS=""
INTUDPDAEMONS="$EXTUDPDAEMONS domain ntp"

echo -n "FW: Allowing external systems to use tcp services on localhost: "
for i in $EXTTCPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing internal systems to use tcp services on localhost: "
for i in $INTTCPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $INTIF -p tcp -d $INTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing external systems to use udp services on localhost: "
for i in $EXTUDPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $EXTIF -p udp -d $EXTIP \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing internal systems to use udp services on localhost: "
for i in $INTUDPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $INTIF -p udp -d $INTIP \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""




# ********** FINALIZING NAT & FIREWALL **********
#
# Setup NAT
$IPT -t nat -A PREROUTING -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT

# allow existing connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# block and log what we may have forgotten
$IPT -A INPUT -j DROP2
$IPT -A OUTPUT -j REJECT2
$IPT -A FORWARD -j DROP2
Hobbes-X
l33t


Joined: 04 Feb 2004
Posts: 823
Location: Seattle, WA

PostPosted: Fri Oct 01, 2004 9:43 pm    Post subject:

I get the same tcp_syncookies error message, and I don't have any problems. I'd guess this is normal, but I didn't look too closely at it since things were working :)

I wonder if iptables is actually blocking the traffic, or if there's some sort of configuration problem from the script.

With this script, blocked packets are logged, so you should be able to see if they're getting blocked or not by looking at the logs.

You can try grep'ing your logs for the IP addresses of your client machines after you test one of the services, but I think it's easier to open a second terminal to watch while you try one of the problem services:

In one terminal watch the kernel messages:
Code:
# tail -f /var/log/kernel/current

(I'm not sure if that's the same for all the different loggers or not...)

And in another try to use one of the ports that aren't working:
Code:
# ping google.com


If packets are getting blocked, you'll get a message that's something like:

Code:

Oct  1 14:31:24 [kernel] FIREWALL DROP BLOCKED:IN=eth1 OUT=eth0 MAC=ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff SRC=192.168.0.2 DST=255.255.255.255 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=29194 PROTO=UDP SPT=67 DPT=68 LEN=324


DPT is the destination port (80 for http, etc...). If you're not getting any FIREWALL DROP BLOCKED, or FIREWALL DROP UNKNOWN then iptables isn't dropping the packets, and there's some sort of network issue. (or others :?: Suggestions welcome :) )

I'm guessing that these are your client boxen?
Quote:

# Last but not least, the users
nads=192.168.0.09
lee=192.168.0.10
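The log check Hobbes-X describes, as an added example that is not part of his post or of either script in the thread: a POSIX shell function that parses netfilter LOG lines of the form shown above and counts dropped packets per protocol and destination port for one IN= interface, optionally limited to one source-address prefix. Drops with IN= set to the internal interface are the clients' forwarded traffic being stopped by the firewall itself; drops with IN= set to the external interface are unsolicited traffic from outside. The lines in SAMPLE_LOG are constructed for the example with documentation addresses, not taken from the thread's logs.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG lines written by the DROPl/DROP2
# chains. Not part of the thread's scripts.
#
# fw_drop_summary <in-interface> [src-prefix]
#   reads syslog lines on stdin and prints "PROTO DPT count" for every
#   dropped/rejected packet whose IN= interface matches, optionally only
#   for SRC= addresses starting with src-prefix.
fw_drop_summary() {
    awk -v want_if="$1" -v want_src="$2" '
        /FIREWALL (DROP|REJECT)/ {
            in_if = ""; src = ""; proto = ""; dpt = ""
            # walk the KEY=VALUE tokens; the log prefix has no trailing
            # space, so the first key arrives as "BLOCKED:IN" and the
            # part before the colon has to be stripped
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                n = split(kv[1], parts, ":")
                key = parts[n]
                if (key == "IN")    in_if = kv[2]
                if (key == "SRC")   src   = kv[2]
                if (key == "PROTO") proto = kv[2]
                if (key == "DPT")   dpt   = kv[2]
            }
            if (in_if != want_if) next
            if (want_src != "" && index(src, want_src) != 1) next
            count[proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample log (documentation addresses, not the thread's data):
# two unsolicited probes on ppp0 and three forwarded client packets on eth1.
SAMPLE_LOG='Oct  1 18:14:10 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=78 TOS=0x00 PREC=0x00 TTL=122 ID=9289 PROTO=UDP SPT=1029 DPT=137 LEN=58
Oct  1 18:14:57 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=203.0.113.8 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=44274 DF PROTO=TCP SPT=3317 DPT=135 WINDOW=11680 RES=0x00 SYN URGP=0
Oct  1 18:20:01 [kernel] FIREWALL DROP UNKNOWN:IN=eth1 OUT=ppp0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.9 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=101 DF PROTO=TCP SPT=33001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  1 18:20:04 [kernel] FIREWALL DROP UNKNOWN:IN=eth1 OUT=ppp0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.9 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=102 DF PROTO=TCP SPT=33002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  1 18:20:09 [kernel] FIREWALL DROP UNKNOWN:IN=eth1 OUT=ppp0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.10 DST=203.0.113.51 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=103 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0'

# Live use would be:  grep FIREWALL /var/log/kernel/current | fw_drop_summary eth1
printf '%s\n' "$SAMPLE_LOG" | fw_drop_summary eth1
```

The summary only appears at end of input, so feed it a saved log (or a time window cut out with grep) rather than `tail -f`. A non-empty result for the internal interface means the firewall, not the network, is dropping the clients' packets, and the DPT column tells you which service rule is missing.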
nadsys
Tux's lil' helper

Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany

PostPosted: Fri Oct 01, 2004 11:44 pm

ok, taken a step backwards now. took ip_conntrack_ftp and ip_nat_ftp out of the kernel and compiled as modules.

uncommented section in script to start modules. now looks like:

# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
echo "Inserting module $i"
modprobe $i
done

i then go to run the script and am hit by hundreds of messages saying:

iptables v1.2.11: Couldn't load target `DROP2':/lib/iptables/libipt_DROP2.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Couldn't load target `REJECT2':/lib/iptables/libipt_REJECT2.so: can not open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Couldn't load target `DROPl':/lib/iptables/libipt_DROPl.so: cannot open shared object file: No such file or directory

so, maybe this has been the problem all along but just hidden because i wasn't seeing it as it was all loaded by the kernel, or maybe my understanding is all wrong.

my firewall logs BEFORE this were as follows:
Code:
Oct  1 18:14:10 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=195.121.72.227 DST=84.57.7.155 LEN=78 TOS=0x00 PREC=0x00 TTL=122 ID=9289 PROTO=UDP SPT=1029 DPT=137 LEN=58
Oct  1 18:14:57 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.1.91 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=44274 DF PROTO=TCP SPT=3317 DPT=135 WINDOW=11680 RES=0x00 SYN URGP=0
Oct  1 18:15:00 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.1.91 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=44486 DF PROTO=TCP SPT=3317 DPT=135 WINDOW=11680 RES=0x00 SYN URGP=0
Oct  1 18:15:01 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.5.253 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14520 DF PROTO=TCP SPT=3741 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
Oct  1 18:15:46 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.34.148 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=25938 DF PROTO=TCP SPT=4277 DPT=135 WINDOW=32767 RES=0x00 SYN URGP=0
Oct  1 18:16:07 [kernel] FIREWALL DROP UNKNOWN:IN=ppp0 OUT= MAC= SRC=83.30.157.226 DST=84.57.7.155 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=36422 DF PROTO=TCP SPT=54776 DPT=4662 WINDOW=18276 RES=0x00 SYN URGP$
Oct  1 18:16:10 [kernel] FIREWALL DROP UNKNOWN:IN=ppp0 OUT= MAC= SRC=83.30.157.226 DST=84.57.7.155 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=36423 DF PROTO=TCP SPT=54776 DPT=4662 WINDOW=18276 RES=0x00 SYN URGP$
Oct  1 18:16:16 [kernel] FIREWALL DROP UNKNOWN:IN=ppp0 OUT= MAC= SRC=83.30.157.226 DST=84.57.7.155 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=36424 DF PROTO=TCP SPT=54776 DPT=4662 WINDOW=18276 RES=0x00 SYN URGP$
Oct  1 18:16:28 [kernel] FIREWALL DROP UNKNOWN:IN=ppp0 OUT= MAC= SRC=83.30.157.226 DST=84.57.7.155 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=36425 DF PROTO=TCP SPT=54776 DPT=4662 WINDOW=18276 RES=0x00 SYN URGP$
Oct  1 18:16:31 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.8.226 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=25724 DF PROTO=TCP SPT=3301 DPT=445 WINDOW=32767 RES=0x00 SYN URGP=0
Oct  1 18:16:34 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.8.226 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=26174 DF PROTO=TCP SPT=3301 DPT=445 WINDOW=32767 RES=0x00 SYN URGP=0
Oct  1 18:17:04 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.59.93 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42266 DF PROTO=TCP SPT=2740 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
Oct  1 18:17:07 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.59.93 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42366 DF PROTO=TCP SPT=2740 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
Oct  1 18:17:17 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=148.221.217.70 DST=84.57.7.155 LEN=78 TOS=0x00 PREC=0x00 TTL=105 ID=54319 PROTO=UDP SPT=1025 DPT=137 LEN=58


now as you can see, two of those ips in there were using passive and it's trying to use a port on my side of 1025 and 1029, now these ports are not enabled anywhere on my firewall, i set up a range of 14000:14500, i still don't know how to tell it to use that range.

anyway, problem is not so much ftp, that can be fixed later. problem now is getting firewall running again and then getting the client to connect to the outside world. :(. i find it hard to believe no one else has ftp problems with iptables, i can't see anything on google for help or here.

thanx for any advice.

hobbes-x, can you maybe post your iptables script so i have something to work on, do you use ftp with/without passive?
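The "Couldn't load target" messages above mean that, when a rule with `-j DROP2` was added, no user chain called DROP2 existed, so iptables fell back to looking for a target extension of that name. As an added check that is not from the thread or from krunk's HOWTO, this POSIX shell function scans a firewall script and reports every `-j` target that is neither a standard target nor created with `-N` earlier in the same script; run it over the script before executing it. The list of standard targets, the sample script and the path in the usage comment are assumptions made for the example.

```shell
#!/bin/sh
# Added example: static check for jump targets in an iptables shell script.
# Not from the thread. "Couldn't load target `X'" at run time corresponds
# to a -j X whose user chain was never created (or was created later).
#
# fw_missing_targets [script-file]   (reads stdin when no file is given)
#   prints each target referenced by -j that is not a standard target and
#   was not created with -N before its first use.
fw_missing_targets() {
    awk '
        BEGIN {
            # assumed list of targets available without a user chain
            split("ACCEPT DROP REJECT LOG RETURN MASQUERADE SNAT DNAT REDIRECT QUEUE", t, " ")
            for (i in t) builtin[t[i]] = 1
        }
        /^[ \t]*#/ { next }                 # comment lines do not run
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-N") defined[$(i + 1)] = 1
                if ($i == "-j") {
                    tgt = $(i + 1)
                    if (!(tgt in builtin) && !(tgt in defined) && !(tgt in reported)) {
                        reported[tgt] = 1
                        print tgt
                    }
                }
            }
        }
    ' "$@"
}

# Constructed sample script reproducing the failure mode: DROPl is created,
# DROP2 and REJECT2 are jumped to but never created.
SAMPLE_SCRIPT='#!/bin/sh
IPT=/sbin/iptables
$IPT -N DROPl 2> /dev/null
$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix "FIREWALL DROP BLOCKED:"
$IPT -A DROPl -j DROP
$IPT -A INPUT -i ppp0 -d ! 198.51.100.9 -j DROPl
# $IPT -N DROP2 2> /dev/null   <- commented out, so DROP2 never exists
$IPT -A INPUT -j DROP2
$IPT -A OUTPUT -j REJECT2
$IPT -A FORWARD -j DROP2'

# Live use:  fw_missing_targets /etc/firewall.sh   (assumed path)
printf '%s\n' "$SAMPLE_SCRIPT" | fw_missing_targets
```

Because the check is purely textual it also catches a chain whose `-N` line was mangled by a line wrap when the script was pasted, which is the other way the same error appears.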
Hobbes-X
l33t

Joined: 04 Feb 2004
Posts: 823
Location: Seattle, WA

PostPosted: Fri Oct 01, 2004 11:53 pm

Yeah- I can post mine once I get home tonight... Those error messages look familiar, might be the split lines problem I was having.

I have the FTP modules compiled into the kernel, and that same section commented out. I haven't checked carefully enough to see if FTP's working completely- only just got my first NATing system set up about a week ago :)

I'm betting the FTP issues will clear up once the others are straightened out- sounds like all traffic is being munged up somewhere.
nadsys
Tux's lil' helper

Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany

PostPosted: Sat Oct 02, 2004 1:46 am

ok, got them loading as modules now BUT this is what i get when script executes them.

Inserting module ip_nat_ftp
WARNING: Error inserting ip_conntrack (/lib/modules/2.6.8-gentoo-r3/kernel/net/ipv4/netfilter/ip_conntrack.ko): Device or resource busy
Inserting module ip_conntrack_ftp
WARNING: Error inserting ip_conntrack (/lib/modules/2.6.8-gentoo-r3/kernel/net/ipv4/netfilter/ip_conntrack.ko): Device or resource busy


i do an lsmod BEFORE starting the firewall script and they're not there, do it AFTER and they are there. so if they're busy is that a hint that the kernel is still loading them even though i took them out of my kernel and made them M in menuconfig since.

how can i check they're not part of the kernel, i looked at /usr/src/linux/.config, says m next to what i specified, so all should be ok. but isn't lol. please help, it's doing my head in.
Hobbes-X
l33t

Joined: 04 Feb 2004
Posts: 823
Location: Seattle, WA

PostPosted: Sat Oct 02, 2004 1:57 am

Ok- here's my current set of rules for iptables:

Code:

#!/bin/sh
#

# ********** VARIABLE DEFINITIONS **********
#
# External interface
EXTIF="eth0"
# Internal interface
INTIF="eth1"

# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/bin/awk"

# Setting up external interface environment variables
# The following doesn't play nice with localization
#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
# This one does AFAIK
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
# same problem here with localization
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose

# Setting up environment variables for internal interface
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
INTNET="$INTIP/$INTMSK"
# Report discovered interfaces & masks:
#echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"

# Last but not least, the users for owner matching
#P2PUSER="ole"

# ********** INITIALIZATION **********
#
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP

#IPT        -P INPUT       ACCEPT
#IPT        -P OUTPUT      ACCEPT
#IPT        -P FORWARD     ACCEPT

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
for i in $CHAINS;
do
    $IPT -t $i -X
done

# enable syncookies & ignore icmp broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
        echo 1 > $i
done

# activate forwarding & dynamic address
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Following lines commented out, since I have these compiled
# directly into the kernel, rather than as modules.
#
# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
#MODULES="ipt_owner"
#for i in $MODULES;
#do
#  echo "Inserting module $i"
#  modprobe $i
#done


# ********** LOGGING CHAINS **********
#
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.

# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'
$IPT -A DROPl   -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'
$IPT -A REJECTl -j REJECT
$IPT -N DROP2   2> /dev/null
$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:'
$IPT -A DROP2   -j DROP

$IPT -N REJECT2 2> /dev/null
$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:'
$IPT -A REJECT2 -j REJECT

# For testing, a logging ACCEPT chain
$IPT -N ACCEPTl   2> /dev/null
$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:'
$IPT -A ACCEPTl   -j ACCEPT

# ********** SANE COMMON RULES **********
#
# Now we are going to accept all traffic from or to our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP  -j ACCEPT
$IPT -A OUTPUT   -o $LPDIF -d   $LPDIP  -j ACCEPT
$IPT -A OUTPUT   -o $LPDIF -d   $EXTIP  -j ACCEPT
$IPT -A OUTPUT   -o $LPDIF -d   $INTIP  -j ACCEPT

# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl
$IPT -A INPUT   -i $INTIF -d   $INTBC  -j DROPl
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A OUTPUT  -o $INTIF -d   $INTBC  -j DROPl
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A FORWARD -o $INTIF -d   $INTBC  -j DROPl

# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not match our isp assigned
# ip address, drop it like a hot potato"
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl

# Now we will block internal addresses originating from anything but our
# predefined interface.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line
# explicitly that IP as well
# Interface one/internal net one
$IPT -A INPUT   -i $INTIF -s ! $INTNET -j DROPl
$IPT -A OUTPUT  -o $INTIF -d ! $INTNET -j DROPl
$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl

# An additional Egress check
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl

# Block outbound ICMP (except for PING)
$IPT -A OUTPUT  -o $EXTIF -p icmp  --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp  --icmp-type ! 8 -j DROPl

# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow internal network to ping internal systems
$IPT -A OUTPUT  -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT   -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT



# ********** BLOCKING THE EVIL PORTS **********
#
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 135 is DCOM RPC
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346 (gnutella - removed)
# Common Trojans 12345 65535
#INTCOMBLOCK="0:1 13 98 111 135 161:162 1214 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"
INTCOMBLOCK="0:1 13 98 135 161:162 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"
EXTCOMBLOCK="137:139 445"

# TCP ports:
# 512-515 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
INTTCPBLOCK="$INTCOMBLOCK 512:515 1080 6000:6009 6112"
EXTTCPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 512:515 1080 6000:6009 6112"

# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
INTUDPBLOCK="$INTCOMBLOCK 161:162 520 517:518 1427 9000"
EXTUDPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 161:162 520 123 517:518 1427 9000"

echo "---------------------------------------------------------------------"
echo "FW: Blocking internal attacks to TCP ports: "
for i in $INTTCPBLOCK;
do
echo -n "$i "
  $IPT -A INPUT   -p tcp -s $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp -s $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp -s $INTNET --dport $i  -j DROPl
done
echo ""

echo "---------------------------------------------------------------------"
echo "FW: Blocking external attacks to TCP port: "
for i in $EXTTCPBLOCK;
do
echo -n "$i "
  $IPT -A INPUT   -p tcp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp -s ! $INTNET --dport $i  -j DROPl
done
echo ""

echo "---------------------------------------------------------------------"
echo "FW: Blocking internal attacks to UDP port: "
for i in $INTUDPBLOCK;
do
  echo -n "$i "
    $IPT -A INPUT   -p udp -s $INTNET --dport $i  -j DROPl
    $IPT -A OUTPUT  -p udp -s $INTNET --dport $i  -j DROPl
    $IPT -A FORWARD -p udp -s $INTNET --dport $i  -j DROPl
done
echo ""

echo "---------------------------------------------------------------------"
echo "FW: Blocking external attacks to UDP port: "
for i in $EXTUDPBLOCK;
do
  echo -n "$i "
    $IPT -A INPUT   -p udp -s ! $INTNET --dport $i  -j DROPl
    $IPT -A OUTPUT  -p udp -s ! $INTNET --dport $i  -j DROPl
    $IPT -A FORWARD -p udp -s ! $INTNET --dport $i  -j DROPl
done
echo ""



# ********** ALLOWING INSIDE TO OUTSIDE SERVICES **********
#
# This is where things go you want to use from your network on the
# internet. We start with defining some common chat clients. Remove
# these from your accepted list for better security.
#IRC='ircd'
#MSN=1863
#ICQ=5190
#NFS='710 sunrpc'
# We have to sync!!
PORTAGE='rsync'
#OpenPGP_HTTP_Keyserver=11371
#WEBMIN='10000 1046'
#XBOXLIVE='3074 kerberos'
#MYTHTVPORTS="6543 6544 mysql 16140"
#NEWS='nntp'

# All services ports are read from /etc/services

TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $WEBMIN $XBOXLIVE $NFS $OpenPGP_HTTP_Keyserver $MYTHTVPORTS $NEWS"
UDPSERV="domain time $XBOXLIVE $NFS $MYTHTVPORTS $NEWS"
echo "---------------------------------------------------------------------"
echo "FW: Allowing inside systems to use services: "
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo "---------------------------------------------------------------------"
echo "FW: Allowing inside systems to use services: "
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
done
echo ""
echo $UDPSERV


# ********** ALLOWING SERVICES ON FIREWALL **********
#
# DAEMONS on firewall which should be accessible to inside/outside.
# it is presumed that DAEMONS advertised to the outside can also
# be advertised safely to the inside
#
# This is generally NOT A GOOD IDEA (as told by "security experts")
# since if some service on this machine gets hacked, the firewall is
# compromised as well, but what the heck  it's only a home network
#
# 50369 is my p2p port
# microsoft-ds is for samba
# 5901 is vnc
# domain is nameserver
# ntp is for timeserving
#VNC="5950:5984"

EXTTCPDAEMONS="ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 $WEBMIN $VNC"
INTTCPDAEMONS="$EXTTCPDAEMONS microsoft-ds 5901 $MYTHTVPORTS $NFS $PORTAGE"
EXTUDPDAEMONS=""
INTUDPDAEMONS="$EXTUDPDAEMONS domain ntp $MYTHTVPORTS $NFS"

echo "---------------------------------------------------------------------"
echo "FW: Allowing external systems to use tcp services on localhost: "
for i in $EXTTCPDAEMONS;
do
   echo -n "$i "
   $IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""


echo "---------------------------------------------------------------------"
echo "FW: Allowing internal systems to use tcp services on localhost: "
for i in $INTTCPDAEMONS;
do
   echo -n "$i "
   $IPT -A INPUT -i $INTIF -p tcp -d $INTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo "---------------------------------------------------------------------"
echo "FW: Allowing external systems to use udp services on localhost: "
for i in $EXTUDPDAEMONS;
do
    echo -n "$i "
    $IPT -A INPUT -i $EXTIF -p udp -d $EXTIP --dport $i -m state --state NEW -j ACCEPT
done
echo ""

echo "---------------------------------------------------------------------"
echo "FW: Allowing internal systems to use udp services on localhost: "
for i in $INTUDPDAEMONS;
do
    echo -n "$i "
    $IPT -A INPUT -i $INTIF -p udp -d $INTIP --dport $i -m state --state NEW -j ACCEPT
done
echo ""


echo "---------------------------------------------------------------------"
# Allowing access to internal services from localhost

echo "FW: Allowing localhost to use tcp services on internal systems: "
for i in $INTTCPDAEMONS;
do
    echo -n "$i "
#
    $IPT -A OUTPUT -o $INTIF -p tcp -d $INTNET --dport $i  -m state --state NEW -j ACCEPT
done
echo ""

# ********** ALLOWING P2P FROM FIREWALL **********
#
# Even worse idea :)
#
# Allowing all packages generated by processes owned by the P2PUSER out
#$IPT -A OUTPUT -o $EXTIF -d ! $INTNET -m owner --uid-owner $P2PUSER -j ACCEPT


# ********** FINALIZING NAT & FIREWALL **********
#
# Setup NAT
$IPT -t nat -A PREROUTING                       -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT

# allow existing connections
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# block and log what me may have forgot
$IPT -A INPUT             -j DROP2
$IPT -A OUTPUT            -j REJECT2
$IPT -A FORWARD           -j DROP2


It's kind of ugly, I'm still working on cleaning it up a bit. (For example, I'm not sure whether some services require UDP or not, so I just left them in.)

Line wraps will probably be an issue here too- I've added a '->' where the line has wrapped. I also added some lines of dashes to the output, since all the ports getting strung together made it hard to read the script's output while I was changing lines.
nadsys
Tux's lil' helper

Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany

PostPosted: Sat Oct 02, 2004 2:28 am

ok, small bit of success finally. i can connect to my friend now on port 21 without passive on.

still cant get to outside world with my client machines though :(.

that warning message i just ignored, it still loads modules. so it now works to a degree.

port 21 successful connection looks like:
Connected to HisIP:21
220 HisName
USER HisUsername

331 Password required for HisUsername.
PASS xxxx
230-Set you retry time to 120 seconds or be banned for a week.
230-
230-You have been warned.
230 User leech logged in.
SYST

215 UNIX Type: L8
TYPE I

200 Type set to I.
PWD

257 "/" is current directory.
PORT 84,57,5,173,130,77

200 Port command successful.
LIST -aL

150 Opening data connection for directory list.
226 Transfer ok

then i try other servers not using port 21 and i get the same as before,
with pasv on:
227 Entering Passive Mode (**,***,**,***,102,157).
Cannot create a data connection: Connection refused

with pasv off:
LIST -a

150 Opening data connection for directory list.
Disconnecting from site **.***.**.***

this shows me on pasv side it's using local port 102 and server port 157, now port 102 isn't open on my server, i want it to use a port between 14000:14500 like my variables above show. any idea?
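FTP reads the six numbers in a PORT command or a "227 Entering Passive Mode" reply as one IPv4 address followed by one 16-bit port: in "h1,h2,h3,h4,p1,p2" the address is h1.h2.h3.h4 and the data port is p1 * 256 + p2 (RFC 959). As an added example that is not part of nadsys's post, here is a POSIX shell decoder for that tuple with a check against the data-port range the firewall is meant to allow; the 14000:14500 range is the one nadsys mentions, while the protocol lines fed to it are constructed with documentation addresses and are not the thread's real sessions.

```shell
#!/bin/sh
# Added example: decode FTP PORT / "227 Entering Passive Mode" tuples.
# Not from the thread. In "h1,h2,h3,h4,p1,p2" the first four numbers are
# the IPv4 address and the data port is p1 * 256 + p2 (RFC 959).

# ftp_extract_tuple "<protocol line>"  -> prints the h1,...,p2 tuple, or nothing
ftp_extract_tuple() {
    # a non-digit must precede the tuple so the match cannot start mid-number;
    # the leading space covers a line that begins with the tuple itself
    printf ' %s\n' "$1" |
        sed -n 's/.*[^0-9]\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\).*/\1/p'
}

# ftp_decode_tuple "h1,h2,h3,h4,p1,p2"  -> prints "h1.h2.h3.h4 port"
ftp_decode_tuple() {
    printf '%s\n' "$1" |
        awk -F',' 'NF == 6 { printf "%s.%s.%s.%s %d\n", $1, $2, $3, $4, $5 * 256 + $6 }'
}

# ftp_check_line "<PORT command or 227 reply>" <low> <high>
#   prints "<ip> <port> inside" when the data port lies in [low, high],
#   "<ip> <port> outside" otherwise; returns 2 when no tuple is found.
ftp_check_line() {
    line=$1; low=$2; high=$3
    tuple=$(ftp_extract_tuple "$line")
    [ -n "$tuple" ] || return 2
    set -- $(ftp_decode_tuple "$tuple")   # $1 = ip, $2 = port
    if [ "$2" -ge "$low" ] && [ "$2" -le "$high" ]; then
        echo "$1 $2 inside"
    else
        echo "$1 $2 outside"
    fi
}

# Constructed protocol lines (documentation addresses), checked against the
# 14000:14500 data-port range discussed in the thread.
ftp_check_line 'PORT 192,0,2,173,130,77' 14000 14500
ftp_check_line '227 Entering Passive Mode (198,51,100,9,102,157).' 14000 14500
ftp_check_line '227 Entering Passive Mode (198,51,100,9,54,176).' 14000 14500
```

The port number a firewall rule has to allow is the decoded value, so a "102,157" pair in a 227 reply corresponds to port 26269 on the server side; the local port for a passive transfer is picked by the client and only has to be allowed as an outbound NEW connection (or picked up by the FTP connection-tracking helper as RELATED).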
nadsys
Tux's lil' helper

Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany

PostPosted: Sat Oct 02, 2004 11:20 am

script as of 02.10.2004:

#!/bin/sh
#


# ********** VARIABLE DEFINITIONS **********
#
# External interface
EXTIF="ppp0"
# Internal interface
INTIF="eth1"

# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/bin/awk"

# Last but not least, the users
nads=192.168.0.9
lee=192.168.0.10



# Setting up external interface environment variables
# The following doesn't play nice with localization
#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
# This one does AFAIK
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
# same problem here with localization
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose

# Setting up environment variables for internal interface
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
#INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
#INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"


# ********** INITIALIZATION **********
#
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

#IPT -P INPUT ACCEPT
#IPT -P OUTPUT ACCEPT
#IPT -P FORWARD ACCEPT

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
$IPT -t $i -F
done
for i in $CHAINS;
do
$IPT -t $i -X
done

# enable syncookies & ignore icmp broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
echo 1 > $i
done

# activate forwarding & dynamic address
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
echo "Inserting module $i"
modprobe $i
done


# ********** LOGGING CHAINS **********
#
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.

# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl 2> /dev/null
$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'
$IPT -A DROPl -j DROP

$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'
$IPT -A REJECTl -j REJECT

$IPT -N DROP2 2> /dev/null
$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:'
$IPT -A DROP2 -j DROP

$IPT -N REJECT2 2> /dev/null
$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:'
$IPT -A REJECT2 -j REJECT

# For testing, a logging ACCEPT chain
$IPT -N ACCEPTl 2> /dev/null
$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:'
$IPT -A ACCEPTl -j ACCEPT


# ********** SANE COMMON RULES **********
#
# Now we are going to accept all traffic from or to our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $LPDIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $EXTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $INTIP -j ACCEPT

# Blocking Broadcasts
$IPT -A INPUT -i $EXTIF -d $EXTBC -j DROPl
$IPT -A INPUT -i $INTIF -d $INTBC -j DROPl
$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
$IPT -A OUTPUT -o $INTIF -d $INTBC -j DROPl
$IPT -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
$IPT -A FORWARD -o $INTIF -d $INTBC -j DROPl

# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not match our isp assigned
# ip address, drop it like a hot potato"
$IPT -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl

# Now we will block internal addresses originating from anything but our
# predefined interface.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# that IP as well
# Interface one/internal net one
$IPT -A INPUT -i $INTIF -s ! $INTNET -j DROPl
$IPT -A OUTPUT -o $INTIF -d ! $INTNET -j DROPl
$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl

# An additional Egress check
$IPT -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl

# Block outbound ICMP (except for PING)

$IPT -A OUTPUT -o $EXTIF -p icmp \
--icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
--icmp-type ! 8 -j DROPl

# Allow to ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP \
--icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET \
--icmp-type 8 -m state --state NEW -j ACCEPT

# Allow internal network to ping internal systems
$IPT -A OUTPUT -o $INTIF -p icmp -s $INTNET \
--icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INTIF -p icmp -s $INTNET \
--icmp-type 8 -m state --state NEW -j ACCEPT





# ********** BLOCKING THE EVIL PORTS **********
#
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 135 is DCOM RPC
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346 (gnutella - removed)
# Common Trojans 12345 65535
INTCOMBLOCK="0:1 13 22 98 111 135 161:162 1214 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"
EXTCOMBLOCK="137:139 445"

# TCP ports:
# 512-515 is rexec, rlogin, rsh, printer(lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
INTTCPBLOCK="$INTCOMBLOCK 512:515 1080 6000:6009 6112"
EXTTCPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 512:515 1080 6000:6009 6112"

# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
INTUDPBLOCK="$INTCOMBLOCK 161:162 520 517:518 1427 9000"
EXTUDPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 161:162 520 123 517:518 1427 9000"


echo -n "FW: Blocking internal attacks to TCP port: "
for i in $INTTCPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p tcp -s $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p tcp -s $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p tcp -s $INTNET --dport $i -j DROPl
done
echo ""

echo -n "FW: Blocking external attacks to TCP port: "
for i in $EXTTCPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p tcp -s ! $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p tcp -s ! $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p tcp -s ! $INTNET --dport $i -j DROPl
done
echo ""

echo -n "FW: Blocking internal attacks to UDP port: "
for i in $INTUDPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p udp -s $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p udp -s $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p udp -s $INTNET --dport $i -j DROPl
done
echo ""

echo -n "FW: Blocking external attacks to UDP port: "
for i in $EXTUDPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p udp -s ! $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p udp -s ! $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p udp -s ! $INTNET --dport $i -j DROPl
done
echo ""





# ********** ALLOWING INSIDE TO OUTSIDE SERVICES **********
#
# This is where things go you want to use from your network on the internet
#
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
NOIP=8245
NFS='sunrpc'
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
GFTPPORTS="1336 1337 5499 5500 8082 8083 443 444 81 21620 21621"

# All services ports are read from /etc/services

TCPSERV="domain sshb ftp ftp-data http https glftpd ntp $PORTAGE $IRC $NOIP $MSN $OpenPGP_HTTP_Keyserver $GFTPPORTS"
UDPSERV="domain ntp"

echo -n "FW: Allowing inside systems to use services: "
for i in $TCPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p tcp -s $INTNET \
--dport $i --syn -m state --state NEW -j ACCEPT

done
echo ""

echo -n "FW: Allowing inside systems to use services: "
for i in $UDPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP \
--dport $i -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p udp -s $INTNET \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""





# ********** ALLOWING SERVICES ON FIREWALL **********
#
# DAEMONS on firewall which should be accessible to inside/outside.
# it is presumed that DAEMONS advertised to the outside can also
# be advertised safely to the inside
#
# This is generally NOT A GOOD IDEA (as told by "security experts")
# since if some service on this machine gets hacked, the firewall is
# compromised as well, but what the heck ;) it's only a home network
#
# 50369 is my p2p port
# microsoft-ds is for samba
# 5901 is vnc
# domain is nameserver
# ntp is for timeserving

GPASV="14000:14500"

# EXTTCPDAEMONS="sshb http https"
EXTTCPDAEMONS="ftp ftp-data sshb auth glftpd $GPASV $GFTPPORTS"
INTTCPDAEMONS="$EXTTCPDAEMONS microsoft-ds 5901"
EXTUDPDAEMONS=""
INTUDPDAEMONS="$EXTUDPDAEMONS domain ntp"

echo -n "FW: Allowing external systems to use tcp services on localhost: "
for i in $EXTTCPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing internal systems to use tcp services on localhost: "
for i in $INTTCPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $INTIF -p tcp -d $INTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing external systems to use udp services on localhost: "
for i in $EXTUDPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $EXTIF -p udp -d $EXTIP \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing internal systems to use udp services on localhost: "
for i in $INTUDPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $INTIF -p udp -d $INTIP \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""




# ********** FINALIZING NAT & FIREWALL **********
#
# Setup NAT
$IPT -t nat -A PREROUTING -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT

# allow existing connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# block and log whatever we may have forgotten
$IPT -A INPUT -j DROP2
$IPT -A OUTPUT -j REJECT2
$IPT -A FORWARD -j DROP2
_________________
how do i change directory, try init 6
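The loops above generate well over a hundred rules, and a mistake in one of the block lists (a port dropped for internal sources that should only be dropped for external ones, or the stateful ACCEPT landing after the final DROP) is hard to spot once the rules are loaded. The following is an added example, not the poster's script and not part of krunk's HOWTO: a dry-run version of the same pattern that writes the iptables commands it would run to a file so the rule set can be reviewed and checked before it is applied. The interface names, the internal network and the trimmed port lists are constructed sample values, and DROPl is assumed to be a log-then-drop user chain as the script above uses it.

```shell
#!/bin/sh
# Added example: render port-block, NAT and finalisation rules to a log
# instead of loading them (set DRYRUN=0 to call the real binary).
# Sample interface/network values below are constructed for illustration.

EXTIF="ppp0"
INTIF="eth1"
INTNET="192.168.1.0/24"
LOGFILE="${TMPDIR:-/tmp}/fw-dryrun.$$"

# ipt: in dry-run mode append the would-be command to $LOGFILE,
# otherwise execute /sbin/iptables with the same arguments.
ipt() {
    if [ "${DRYRUN:-1}" = 1 ]; then
        printf '%s\n' "iptables $*" >> "$LOGFILE"
    else
        /sbin/iptables "$@"
    fi
}

# block_ports PROTO SRCMATCH PORT...
# One DROPl rule per port in each of INPUT, OUTPUT and FORWARD.
# SRCMATCH is left unquoted on purpose so "! -s NET" splits into words.
block_ports() {
    proto=$1; src=$2; shift 2
    for port in "$@"; do
        for chain in INPUT OUTPUT FORWARD; do
            ipt -A "$chain" -p "$proto" $src --dport "$port" -j DROPl
        done
    done
}

generate_rules() {
    : > "$LOGFILE"
    # Log-then-drop chain, assumed to match what the script's DROPl does.
    ipt -N DROPl
    ipt -A DROPl -m limit --limit 5/min -j LOG --log-prefix "DROPl: "
    ipt -A DROPl -j DROP

    # Trimmed block lists (constructed): ports blocked from both sides,
    # and ports blocked only when the source is NOT the internal network.
    COMBLOCK="0:1 13 111 135 161:162 2049"
    EXTONLY="137:139 445"
    block_ports tcp "-s $INTNET"   $COMBLOCK 512:515
    block_ports tcp "! -s $INTNET" $COMBLOCK $EXTONLY 512:515
    block_ports udp "-s $INTNET"   $COMBLOCK 520
    block_ports udp "! -s $INTNET" $COMBLOCK $EXTONLY 520

    # NAT for the internal network, then the stateful accept, then the
    # catch-all drop. The order matters: the ACCEPT must precede the DROP.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    ipt -A INPUT -j DROPl
    ipt -A OUTPUT -j DROPl
    ipt -A FORWARD -j DROPl
}

# Review helpers: number of rules rendered, exact-match lookup, last rule.
rule_count() { wc -l < "$LOGFILE" | tr -d ' '; }
has_rule()   { grep -Fxq "iptables $1" "$LOGFILE"; }
last_rule()  { tail -n 1 "$LOGFILE"; }

# Usage: sh fw-dryrun.sh --show   (prints the rendered rule set)
case "${1:-}" in
    --show) generate_rules; cat "$LOGFILE"; rm -f "$LOGFILE" ;;
esac
```

Running it with `--show` prints every rule in the order it would be appended, which is the quickest way to confirm that, for example, 137:139 only appears in the rules carrying `! -s 192.168.1.0/24`, and that the ESTABLISHED,RELATED accept sits before the final DROPl in each chain. The same `ipt` wrapper can be dropped into the real script to get the same review before flipping DRYRUN to 0.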
Hobbes-X
l33t

Joined: 04 Feb 2004
Posts: 823
Location: Seattle, WA

PostPosted: Sun Oct 03, 2004 6:46 pm    Post subject:

Sorry, no ideas for pasv ftp - I'm not too familiar with it. Connecting to the outside should be working though - does pinging out by IP work?
nadsys
Tux's lil' helper

Joined: 01 Sep 2004
Posts: 97
Location: Darmstadt, Germany

PostPosted: Sun Oct 03, 2004 8:57 pm    Post subject:

Turned pc2 on; that connected, so it got me thinking that pc1 must have a client misconfiguration problem. It was running as a server before. So I fixed it by looking in conf.d/net and making its gateway parameters correct, and a few other little things.

I thought I'd checked everywhere; obviously not.

Now to just get passive ftp working. Ohh, the joys of life :)