Gentoo Forums
iptables seems to block allowed traffic
Jimini
Guru

Joined: 31 Oct 2006
Posts: 595
Location: Germany
Posted: Sun May 01, 2011 12:02 pm    Post subject: iptables seems to block allowed traffic

Hey there,
to keep it short and simple, here are the relevant lines of my iptables rules:
Code:
#!/bin/sh
echo "1" > /proc/sys/net/ipv4/conf/all/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo "1" > /proc/sys/net/ipv4/ip_forward

### delete existing tables
iptables -F
iptables -t nat -F
iptables -t mangle -F

lan="eth1"
wan="eth0"
intern=10.0.0.0/24
clients=10.0.0.3-10.0.0.20

### drop everything by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

iptables -A FORWARD -s $intern -i $lan -o $wan -j ACCEPT

### accept traffic belonging to an existing connection
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### masquerading
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -t nat -A POSTROUTING -o $wan -j SNAT --to-source $extip

### bittorrent
iptables -A FORWARD -i $wan -o $lan -p tcp --dport 51413 -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -p udp --dport 51413 -j ACCEPT
iptables -t nat -I PREROUTING -i $wan -p tcp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413
iptables -t nat -I PREROUTING -i $wan -p udp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413

### log and drop all other traffic
iptables -A INPUT -j LOG --log-prefix "DROPPED_INPUT: " --log-level=5
iptables -A INPUT -j DROP
iptables -A OUTPUT -j LOG --log-prefix "DROPPED_OUTPUT: " --log-level=5
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j LOG --log-prefix "DROPPED_FORWARD: " --log-level=5
iptables -A FORWARD -j DROP

I simply want to forward all incoming traffic on port 51413 to 10.0.0.21:51413. All other traffic (which is unwanted) will be logged and dropped afterwards.

But the log contains many, many lines like these:
Code:
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=91 TOS=0x00 PREC=0x00 TTL=118 ID=827 PROTO=TCP SPT=60683 DPT=51413 WINDOW=4233 RES=0x00 ACK PSH FIN URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=91 TOS=0x00 PREC=0x00 TTL=118 ID=941 DF PROTO=TCP SPT=60683 DPT=51413 WINDOW=4233 RES=0x00 ACK PSH FIN URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=91 TOS=0x00 PREC=0x00 TTL=118 ID=1212 DF PROTO=TCP SPT=60683 DPT=51413 WINDOW=4233 RES=0x00 ACK PSH FIN URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=91 TOS=0x00 PREC=0x00 TTL=118 ID=1481 DF PROTO=TCP SPT=60683 DPT=51413 WINDOW=4233 RES=0x00 ACK PSH FIN URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=1938 DF PROTO=TCP SPT=60683 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=94.221.216.70 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=11992 DF PROTO=TCP SPT=49420 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0


Why?

Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
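Reading those log lines by hand gets tedious, so here is an added example (it is not from the post or from any poster) in Python that parses the kernel LOG format shown above, summarises drops per chain and destination port, and flags the one symptom the rest of the thread turns on: packets for a port that a PREROUTING DNAT rule should have rewritten showing up in the INPUT chain's log from the WAN interface. The sample lines are constructed in the same layout as the ones in the post; eth0 and port 51413 come from the script, while the 198.51.100.7 source, the port-22 line and the DROPPED_FORWARD line are made up for the sample.

```python
"""Triage netfilter LOG lines produced by 'log and drop' rules like the post's."""
import re
from collections import Counter, defaultdict

WAN_IFACE = "eth0"          # the post's $wan
FORWARDED_PORTS = {51413}   # ports the PREROUTING DNAT rules are meant to rewrite

# Constructed sample log, modelled on the DROPPED_INPUT lines in the post
# (placeholder external address as in the post; 198.51.100.7 is a
# documentation-range address invented for the extra lines).
SAMPLE_LOG = """\
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=91 TOS=0x00 PREC=0x00 TTL=118 ID=827 PROTO=TCP SPT=60683 DPT=51413 WINDOW=4233 RES=0x00 ACK PSH FIN URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=89.104.18.158 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=1938 DF PROTO=TCP SPT=60683 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=94.221.216.70 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=11992 DF PROTO=TCP SPT=49420 DPT=51413 WINDOW=0 RES=0x00 ACK RST URGP=0
DROPPED_INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=198.51.100.7 DST=MY_EXTERNAL_IP LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
DROPPED_FORWARD: IN=eth0 OUT=eth1 MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=198.51.100.7 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4 DF PROTO=TCP SPT=40001 DPT=51413 WINDOW=29200 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<prefix>\w+):\s+(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_log_line(line):
    """Turn one LOG line into a dict of KEY=VALUE fields plus the bare TCP flag tokens."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:                      # KEY=VALUE; the value may be empty (OUT=)
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAGS:              # flag tokens that follow RES=
            rec["flags"].add(tok)
    return rec


def triage(log_text, wan_iface=WAN_IFACE, forwarded_ports=FORWARDED_PORTS):
    """Count drops per (chain, dport), collect sources, and flag DNAT misses."""
    counts = Counter()
    sources = defaultdict(set)
    dnat_misses = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or "DPT" not in rec:
            continue
        chain = rec["prefix"].split("_", 1)[-1]   # DROPPED_INPUT -> INPUT
        port = int(rec["DPT"])
        counts[(chain, port)] += 1
        sources[(chain, port)].add(rec["SRC"])
        # The thread's symptom: a packet for a DNATed port that the router
        # delivered locally (INPUT) instead of rewriting and forwarding it.
        if chain == "INPUT" and rec.get("IN") == wan_iface and port in forwarded_ports:
            dnat_misses.append(rec)
    return counts, sources, dnat_misses


def summarise(log_text):
    """Human-readable summary lines for the log text."""
    counts, sources, misses = triage(log_text)
    out = []
    for (chain, port), n in sorted(counts.items()):
        out.append(f"{chain:8} dport {port:5}: {n} packet(s) from "
                   f"{len(sources[(chain, port)])} source(s)")
    if misses:
        out.append(f"{len(misses)} packet(s) to a forwarded port reached INPUT "
                   f"from {WAN_IFACE}: the DNAT rule did not match them")
    return out


if __name__ == "__main__":
    print("\n".join(summarise(SAMPLE_LOG)))
```

Feed it `journalctl -k` or `/var/log/messages` output in place of the sample; the prefix test keys off the `--log-prefix` strings in the script, so the three chains stay distinguishable.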
dE_logics
Advocate

Joined: 02 Jan 2009
Posts: 2253
Location: $TERM
Posted: Sun May 01, 2011 1:48 pm

I'm not sure about the things that you changed in /proc, but -

Code:
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -t nat -A POSTROUTING -o $wan -j SNAT --to-source $extip

Seems ambiguous. I suggest deleting the latter.

If that doesn't work I also suggest setting the FILTER policies to ACCEPT for debugging.
_________________
My blog
pigeon768
l33t

Joined: 02 Jan 2006
Posts: 679
Posted: Mon May 02, 2011 7:14 am    Post subject: Re: iptables seems to block allowed traffic

Jimini wrote:
Code:
### bittorrent
iptables -A FORWARD -i $wan -o $lan -p tcp --dport 51413 -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -p udp --dport 51413 -j ACCEPT
iptables -t nat -I PREROUTING -i $wan -p tcp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413
iptables -t nat -I PREROUTING -i $wan -p udp --dport 51413 -j DNAT --to-destination 10.0.0.2:51413

### log and drop all other traffic
iptables -A INPUT -j LOG --log-prefix "DROPPED_INPUT: " --log-level=5
iptables -A INPUT -j DROP
iptables -A OUTPUT -j LOG --log-prefix "DROPPED_OUTPUT: " --log-level=5
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j LOG --log-prefix "DROPPED_FORWARD: " --log-level=5
iptables -A FORWARD -j DROP
Code:
DROPPED_INPUT: IN=eth0 .....
It's been a while, so I'm a little rusty, but those packets are being dropped before they even get to the FORWARD table. You need to -j ACCEPT them through the INPUT table on $wan, not the FORWARD table. (also you won't need -o on the INPUT table) I believe that when you DNAT them their state becomes ESTABLISHED so you don't need to ACCEPT them in FORWARD either.

I believe dE_logics is correct; the -j SNAT is redundant; -j MASQUERADE takes care of this for you.
Hu
Moderator

Joined: 06 Mar 2007
Posts: 15991
Posted: Tue May 03, 2011 2:24 am    Post subject: Re: iptables seems to block allowed traffic

pigeon768 wrote:
It's been a while, so I'm a little rusty, but those packets are being dropped before they even get to the FORWARD table.
Yes. Since they are being dropped in INPUT, that tells us that the kernel decided to deliver the traffic locally instead of rewriting the destination header. Somehow, the DNAT rule failed to match.
pigeon768 wrote:
You need to -j ACCEPT them through the INPUT table on $wan, not the FORWARD table.
That depends on the intended handling. If the listening socket is on the local machine, then yes, he should process it via INPUT and not have a PREROUTING rule or FORWARD rule. If the listening socket is on an internal machine hidden behind the local machine, then no, he should process it in PREROUTING and FORWARD, but not in INPUT.
pigeon768 wrote:
I believe that when you DNAT them their state becomes ESTABLISHED so you don't need to ACCEPT them in FORWARD either.
No, on both counts. First, they will still be in state NEW when they enter the FORWARD chain, which allows you to DNAT everything for a given port, then selectively allow particular clients in a NEW state and allow everything in an ESTABLISHED state. Second, you do need to ACCEPT them in FORWARD if you want them to receive handling different from the FORWARD policy.
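To make Hu's two points concrete, here is an added Python model, constructed for this thread (it is not the kernel's netfilter code and not something any poster wrote), of the path a WAN-side packet takes: nat PREROUTING is consulted for the first packet of a connection, the routing decision then sends the packet to INPUT if its (possibly rewritten) destination is one of the router's own addresses and to FORWARD otherwise, and the filter chain sees the conntrack state, which is still NEW for that first packet. The addresses 203.0.113.10 and 10.0.0.1, the rule dictionaries, and the UDP packet used to show a DNAT miss are all assumptions of the model; the interface, port and 10.0.0.2 target come from the script in the first post.

```python
"""Simplified model of PREROUTING DNAT -> routing decision -> INPUT/FORWARD.

Constructed for illustration; real netfilter has many more hooks and tables.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int
    state: str = "NEW"      # conntrack state as the filter table sees it


# Assumed router addresses: its external address and its LAN address.
ROUTER_ADDRESSES = {"203.0.113.10", "10.0.0.1"}

# Map rule match keys (iptables option names) to Packet attributes.
FIELD = {"in": "in_iface", "proto": "proto", "dport": "dport", "state": "state"}

# nat table, PREROUTING: the DNAT rule from the post, as a dict.
NAT_RULES = [
    {"target": "DNAT", "match": {"in": "eth0", "proto": "tcp", "dport": 51413},
     "to": "10.0.0.2"},
]

# filter table, in the structure Hu describes: accept ESTABLISHED everywhere,
# then accept NEW connections to the DNATed port in FORWARD only.
FILTER_RULES = [
    {"chain": "FORWARD", "match": {"state": "ESTABLISHED"}, "target": "ACCEPT"},
    {"chain": "INPUT", "match": {"state": "ESTABLISHED"}, "target": "ACCEPT"},
    {"chain": "FORWARD",
     "match": {"in": "eth0", "proto": "tcp", "dport": 51413, "state": "NEW"},
     "target": "ACCEPT"},
]


def matches(rule, pkt):
    """True if every match field in the rule equals the packet's value."""
    return all(getattr(pkt, FIELD[k]) == v for k, v in rule["match"].items())


def prerouting(pkt, nat_rules):
    """nat PREROUTING: only the first (NEW) packet of a connection is looked up;
    later packets reuse the mapping conntrack recorded. Returns True on DNAT."""
    if pkt.state != "NEW":
        return False
    for rule in nat_rules:
        if rule["target"] == "DNAT" and matches(rule, pkt):
            pkt.dst = rule["to"]
            return True
    return False


def routing_decision(pkt):
    """Local destination -> INPUT, anything else -> FORWARD."""
    return "INPUT" if pkt.dst in ROUTER_ADDRESSES else "FORWARD"


def filter_verdict(chain, pkt, filter_rules, policy="DROP"):
    """First matching rule in the chain wins; otherwise the chain policy."""
    for rule in filter_rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return policy


def traverse(pkt, nat_rules=NAT_RULES, filter_rules=FILTER_RULES):
    """Return (chain the packet reached, state seen there, verdict)."""
    prerouting(pkt, nat_rules)
    chain = routing_decision(pkt)
    return chain, pkt.state, filter_verdict(chain, pkt, filter_rules)


if __name__ == "__main__":
    # First packet of a BitTorrent connection from the WAN side.
    print(traverse(Packet("eth0", "tcp", "203.0.113.10", 51413)))
    # Same packet, but with only the ESTABLISHED rules in FORWARD.
    only_established = [r for r in FILTER_RULES if r["match"].get("state") != "NEW"]
    print(traverse(Packet("eth0", "tcp", "203.0.113.10", 51413), FILTER_RULES and NAT_RULES, only_established))
    # A packet the DNAT rule does not match (UDP here) stays addressed to the
    # router itself and lands in INPUT, which is what the post's log shows.
    print(traverse(Packet("eth0", "udp", "203.0.113.10", 51413)))
```

The second scenario is Hu's second point: with the DNAT rule in place but no FORWARD rule for NEW traffic to the port, the packet reaches FORWARD in state NEW and falls through to the DROP policy, so a `-m state --state ESTABLISHED,RELATED` rule alone is not enough.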