I hope someone out there can help me, I am new to linux etc, but have managed to get a FED Core 7 system up and running with Squid and Dansguardian. I have managed to build what I think is a goodish firewall using iptables and have allowed certain IP's and Services(at least I think so).
However, when I try and RDP to a windows server on my internal lan from an external IP it wont let me, but if I stop IPTABLES it will allow me, so I am pretty sure it is down to my IPTABLES. I would be grateful if someone would look at it and let me know just what I have done wrong or not done at all. I have also tried looking at the file /var/log/firewall to see what is being blocked, but this file is always empty and I dont know where else to look.
Thanx in advance
Dirk
copy of IPTABLES
# Generated by iptables-save v1.3.7 on Thu Aug 23 10:12:32 2007
*filter
:INPUT DROP [80:13895]
:FORWARD ACCEPT [484:170887]
:OUTPUT DROP [8:608]
:LOG_ACCEPT - [0:0]
:LOG_DROP - [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 192.168.0.30 -p tcp -m tcp --dport 22 -j LOG_ACCEPT
-A INPUT -s 192.168.0.191 -p tcp -m tcp --dport 22 -j LOG_ACCEPT
-A INPUT -s 87.???.???.10 -p tcp -m tcp --dport 22 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 37 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 563 --dport 563 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 192.168.0.30 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s 192.168.0.191 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s 87.???.???.10 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
-A INPUT -s ! 127.0.0.1 -p tcp -m tcp --dport 3128 -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 37 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 563 --dport 563 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A LOG_DROP -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 192.168.0.52 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
# Completed on Thu Aug 23 10:12:32 2007
# Generated by iptables-save v1.3.7 on Thu Aug 23 10:12:32 2007
*mangle
:PREROUTING ACCEPT [9741:3710201]
:INPUT ACCEPT [9076:3530626]
:FORWARD ACCEPT [484:170887]
:OUTPUT ACCEPT [9803:5873995]
:POSTROUTING ACCEPT [10279:6044274]
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Thu Aug 23 10:12:32 2007
# Generated by iptables-save v1.3.7 on Thu Aug 23 10:12:32 2007
*nat
:PREROUTING ACCEPT [322:25511]
:POSTROUTING ACCEPT [193:11619]
:OUTPUT ACCEPT [201:12227]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
# Completed on Thu Aug 23 10:12:32 2007
by: BlazPosted on 2007-09-21 at 04:47:42ID: 19934738
This is NOT a good firewall. You have configured INPUT and OUTPUT chains which are considered only if accessing the firewall machine itself or accessing the net from the firewall machine itself.
For firewalling you should be configuring FORWARD chain. You are now by default allowing all the traffic going through the firewall (default policy ACCEPT)
I think you are doing NAT on the firewall, right? For accessing the internal machine through RDP you should have a NAT rule configured
-A PREROUTING -i <internet interface> -p tcp -m tcp --dport 3389 -j DNAT --to <internal_server_IP>