iptables rules [SOLVED]

Message

Blutch · Post by **Blutch** » Thu Jul 06, 2006 1:29 pm

Hello everybody.

I'm trying to set up iptables for 2 purposes:
- configure NAT (my gentoo box is a gateway)
- protect my computers

I read some articles / tutorials about iptables, and I reached this file:

Code: Select all

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
#iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

iptables -t nat -F
iptables -t nat -X

iptables -t nat -P PREROUTING   ACCEPT
iptables -t nat -P OUTPUT   ACCEPT
iptables -t nat -P POSTROUTING   ACCEPT

iptables -t mangle -F
iptables -t mangle -X

iptables -t mangle -P PREROUTING   ACCEPT
iptables -t mangle -P INPUT  ACCEPT
iptables -t mangle -P OUTPUT   ACCEPT
iptables -t mangle -P FORWARD   ACCEPT
iptables -t mangle -P POSTROUTING   ACCEPT

# accept everything from lo & LAN
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

#iptables -t filter -A INPUT -i eth0 -m  state --state ESTABLISHED -p tcp --sport 80 -j  ACCEPT
#iptables -t filter -A  OUTPUT  -o eth0 -m  state --state  NEW,ESTABLISHED -p tcp --dport 80 -j  ACCEPT
#iptables -t filter -A INPUT -i eth0 -m  state --state ESTABLISHED -p tcp -m  multiport --sport 22,80,443 -j  ACCEPT
#iptables -t filter -A OUTPUT -o eth0 -m  state --state  NEW,ESTABLISHED -p tcp -m  multiport --dport 22,80,443 -j  ACCEPT
#iptables -t filter -A INPUT -i eth0 -m  state --state ESTABLISHED -p icmp -j  ACCEPT
#iptables -t filter -A  OUTPUT  -o eth0 -m  state --state  NEW,ESTABLISHED -p icmp -j  ACCEPT

#Since the 6 previous lines won't work (except icmp), forget about security until solution is found
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#the following lines won't let traffic pass, if iptables -t filter -P FORWARD DROP is set
#iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -j ACCEPT

The problems are the following:
(1) NAT works if the line #iptables -t filter -P FORWARD DROP is commented out. The 2 last lines of my config can't allow the traffic from the NATed computers if I wrote iptables -t filter -P FORWARD DROP before.
(2) The 6 lines about the filter rules are problematic: the 4 first lines won't allow anything for ssh, http or https. But the 2 last lines about icmp work, I can ping the internet from my server.

I've then been searching for solutions to those 2 problems.
My temporary solution to the (1) problem is to comment out the iptables -t filter -P FORWARD DROP line, so the NATed comupters can access the internet.
My temporary solution to the (2) problem is to accept everything from eth0, which isn't a good idea, but the only way to have currently an internet connection.

Any suggestions would be welcome.
Thanks already.
Blutch

[EDIT]
I forgot to tell:
eth0 is my internet interface
eth1 is my LAN interface
I'm using iptables v1.3.5

Mroofka · Post by **Mroofka** » Thu Jul 06, 2006 8:09 pm

Hi

--state new,related,established

This should help in both problems, I think

Pozdrawiam

Kaddy · Post by **Kaddy** » Thu Jul 06, 2006 10:05 pm

first off, for forwarding ports, try this out:

Code: Select all

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport <destination port> -j DNAT --to-destination ip.to.forward.to:port

so, for ssh, you could do something like this fro ssh forwarding

Code: Select all

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.1.1.100:22

that would forward port 22 (ssh) to the IP 10.1.1.100 port 22
change the port numbers and IPs as needed

r4d1x · Post by **r4d1x** » Fri Jul 07, 2006 2:12 am

just to make it easier on your self, IPKungfu is an excellent script set (IMO) that gives you the ease of configuring, but allows you to add your own advanced chains.

emerge ipkungfu
edit /etc/ipkungfu.conf
/etc/init.d/ipkungfu start

everythings happy

Blutch · Post by **Blutch** » Fri Jul 07, 2006 5:28 pm

Thanks for all your answers, but I found another solution, using another howto (in french: http://www.lea-linux.org/cached/index/R ... ables.html)

For the NAT, I just had to put these lines:

Code: Select all

iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -F FORWARD
iptables -A FORWARD -j ACCEPT

For the rest, I had to add the name resolution:

Code: Select all

iptables -A INPUT -i eth0 --protocol udp --source-port 53 -j ACCEPT
iptables -A OUTPUT -o eth0 --protocol udp --destination-port 53 -j ACCEPT
iptables -A INPUT -i eth0 --protocol tcp --source-port 53 -j ACCEPT
iptables -A OUTPUT -o eth0 --protocol tcp --destination-port 53 -j ACCEPT

and then all lines like

Code: Select all

iptables -A INPUT -i eth0 --protocol tcp --source-port 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 --protocol tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT

did work.

r4d1x · Post by **r4d1x** » Sat Jul 08, 2006 4:47 am

glad to hear its up and running. I remember having the same problem. The pre/post routing are essential to NAT'ing your box.