Gentoo Forums
[SOLVED] Iptables - not working as expected
Forum: Networking & Security
PietdeBoer
Apprentice
Joined: 20 Oct 2005
Posts: 244
Location: Eindhoven, the Netherlands

PostPosted: Thu May 27, 2010 12:36 pm    Post subject: [SOLVED] Iptables - not working as expected

Hey guys,

I've created/copied an iptables script. It does what I want it to do, except that it does not block all incoming ports on the WAN interface except the ones I specifically allow.

Any clues what goes wrong?
Code:

# First we flush our current rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Interface names: LAN side and WAN (internet) side
export LAN=eth0
export WAN=eth1

# Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# (Optional) Allow access to our ssh server and other selected TCP ports from the WAN
iptables -A INPUT -p TCP --dport 23081 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 23084 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 23085 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 9101 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 9102 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 9203 -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports (currently commented out)
# iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Port forwards from the WAN to internal hosts
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.201
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i ${WAN} -j DNAT --to 192.168.0.202

# This is so when we boot we don't have to run the rules by hand
/sbin/iptables-save > /etc/iptables-save

# If you have a dynamic internet address you probably want to enable this:
# net.ipv4.ip_dynaddr = 1

_________________
_ Got Root? _


Last edited by PietdeBoer on Wed Jun 09, 2010 4:51 pm; edited 1 time in total
py-ro
Veteran
Joined: 24 Sep 2002
Posts: 1733
Location: St. Wendel

PostPosted: Thu May 27, 2010 12:46 pm    Post subject:

You never DROP those packets, and your default is to allow.

Alter

Code:
iptables -P INPUT ACCEPT


to

Code:
iptables -P INPUT DROP


Py
PietdeBoer
Apprentice
Joined: 20 Oct 2005
Posts: 244
Location: Eindhoven, the Netherlands

PostPosted: Thu May 27, 2010 1:05 pm    Post subject:

Will try when I'm at the site, thx!
PietdeBoer
Apprentice
Joined: 20 Oct 2005
Posts: 244
Location: Eindhoven, the Netherlands

PostPosted: Tue Jun 01, 2010 6:18 am    Post subject:

I changed the line as suggested above; when I re-ran the script my external DNS stopped functioning.

Am I missing something?
bendeguz
Apprentice
Joined: 10 Feb 2010
Posts: 189

PostPosted: Tue Jun 01, 2010 10:38 am    Post subject:

PietdeBoer wrote:
I changed the line as suggested above; when I re-ran the script my external DNS stopped functioning.

Am I missing something?


I think it is because you don't allow the answer to come back from the DNS server.
Add this line somewhere:
Code:

# Accept replies to connections this box (or a LAN host behind it) opened
iptables -A INPUT -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT


(Is this a home router? You should learn basic iptables to understand what is happening in your script.)
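Putting the two replies together, here is the poster's rule set rebuilt as an added example (editor's code, not from the thread and not Gentoo's own guide): INPUT defaults to DROP as py-ro suggested, and the ESTABLISHED,RELATED rule bendeguz suggested sits above the per-port rules so DNS answers and other replies get back in. It uses the `-m conntrack --ctstate` spelling of `-m state --state`, emits iptables-restore(8) format so the whole set loads atomically, and checks for both fixes before anything touches the kernel. Interface names, the port list, the LAN subnet, the DNAT targets and the save path are copied from the first post; restricting the WAN port rules to `NEW` connections and narrowing FORWARD to the two DNAT'd hosts are the editor's choices.

```shell
#!/bin/sh
# Added example, not code from the thread: the poster's script rebuilt around
# the two fixes the replies arrived at (default-DROP INPUT policy, plus a
# conntrack rule so replies to outbound traffic such as DNS answers get back in).
# Interface names, LAN subnet, WAN port list and DNAT targets are taken from
# the original post; override them via the environment if yours differ.
LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
LANNET=${LANNET:-192.168.0.0/24}
WAN_TCP_PORTS=${WAN_TCP_PORTS:-"23081 23084 23085 9101 9102 9203"}
SAVEFILE=${SAVEFILE:-/etc/iptables-save}   # path used by the original script

# Emit the complete rule set in iptables-restore(8) format, so it can be
# reviewed on stdout and then loaded atomically (no half-applied state).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and the LAN side are trusted
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${LAN} -j ACCEPT
# With INPUT defaulting to DROP this rule is what lets replies to our own
# outbound traffic (DNS answers, TCP handshakes) back in; without it
# external DNS breaks exactly as described in the thread.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only explicitly listed TCP ports accept new connections from the WAN;
# everything else arriving on the WAN side falls through to the DROP policy.
EOF
    for p in ${WAN_TCP_PORTS}; do
        printf -- '-A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "${WAN}" "$p"
    done
    cat <<EOF
# Forwarding: LAN hosts out, replies back, and only the DNAT'd services in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN} -s ${LANNET} -j ACCEPT
-A FORWARD -i ${WAN} -p tcp -d 192.168.0.201 --dport 80 -j ACCEPT
-A FORWARD -i ${WAN} -p tcp -d 192.168.0.202 --dport 3389 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${WAN} -p tcp --dport 80 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -i ${WAN} -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.202
-A POSTROUTING -o ${WAN} -j MASQUERADE
COMMIT
EOF
}

# Sanity check on the generated text before anything touches the kernel:
# both fixes from the thread must be present. Returns non-zero if either
# is missing.
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q '^:INPUT DROP' \
        || { echo "check_rules: INPUT policy is not DROP" >&2; return 1; }
    echo "$rules" | grep -qF -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        || { echo "check_rules: no ESTABLISHED,RELATED rule in INPUT" >&2; return 1; }
    return 0
}

# Load the rule set (needs root), enable forwarding and persist it.
apply_rules() {
    check_rules || return 1
    gen_rules | iptables-restore || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
    iptables-save > "${SAVEFILE}"
}

case "${1:-show}" in
    show)  gen_rules ;;
    check) check_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 {show|check|apply}" >&2; exit 2 ;;
esac
```

Run it as `sh fw.sh show` to read the rules, `sh fw.sh check` to confirm the two fixes are in, and `sh fw.sh apply` as root from the console or a LAN host, not over a WAN ssh session, since a mistake with an INPUT DROP policy locks you out. Afterwards `iptables -L INPUT -n -v --line-numbers` should show the conntrack rule above the per-port rules with its counters climbing, and a scan from outside (`nmap -sS -p- <WAN address>`) should report only the listed ports.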
PietdeBoer
Apprentice
Joined: 20 Oct 2005
Posts: 244
Location: Eindhoven, the Netherlands

PostPosted: Wed Jun 09, 2010 4:50 pm    Post subject:

Thx, that worked like a charm!
d2_racing
Bodhisattva
Joined: 25 Apr 2005
Posts: 13047
Location: Ste-Foy,Canada

PostPosted: Wed Jun 09, 2010 9:27 pm    Post subject:

Yep, that was your problem.

You can check mine too: http://gentoo-quebec.org/wiki/index.php/Utilisation_de_Iptables_pour_un_seul_ordinateur