Solved

LAN machine unable to browse Websites because of firewall on gateway

Posted on 2003-11-12
344 Views
Last Modified: 2010-07-27
Hi,
I have my Linux machine connected as a gateway on my network, where the machines are connected in a workgroup.
I have configured NAT and the firewall and can browse Internet sites through the gateway.
However, LAN machines cannot browse the Internet when I put in the filter rules (given below).

Tracert from a LAN machine shows the following behaviour:
1 ...........Linuxmachine
2 * * * Request Timed Out.

Interfaces : eth0 : Connected to LAN.
Interfaces : eth1 : Connected to Internet

#############################################################
echo "CONFIGURING NAT"
echo "==============="
#############################################################
#iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.x.x.x
#iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 10.168.168.1-10.168.168.30

##****RULES TO SET UP GATEWAY**********#
#############################################################
echo "FLUSH ALL RULES AND CHAINS"
#############################################################
echo "=========================="
iptables -F #Flush all the rules in filter and nat tables
iptables -X
iptables -t nat -F
iptables --delete-chain
iptables -t nat --delete-chain

#####################################################################
echo "ENABLES PACKET FORWARDING BY KERNEL"
####################################################################
echo "=========================="
echo 1 > /proc/sys/net/ipv4/ip_forward

#**************END GATEWAY RULES ***********************#

#**************FIREWALL RULES*********************************#

#############################################################
echo "DEFAULT POLICIES"
#############################################################
echo "=========================="
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#############################################################
echo "LOCAL TRAFFIC"
#############################################################
echo "=========================="
iptables -A INPUT -i lo -p all -j ACCEPT  
iptables -A OUTPUT -o lo -p all -j ACCEPT

#ALLOW ALL ON INTERNAL ETH0
iptables -A INPUT -p all -i eth0 -s 10.168.168.0/24 -j ACCEPT
iptables -A OUTPUT -p all -o eth0 -s 10.168.168.0/24 -j ACCEPT
#############################################################
echo "ICMP RULES"
#############################################################
# This allows neighbouring machines to ping by ip addr.
echo "=========================="
iptables -A INPUT -p icmp -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j ACCEPT

############################################################
echo "ALLOW SAMBA RULES"
############################################################
echo "=================="
iptables -A INPUT -p udp -s 10.168.168.0/24 --destination-port 137:139 -j ACCEPT
iptables -A INPUT -p tcp -s 10.168.168.0/24 --destination-port 137:139 -j ACCEPT

############################################################
echo "ALLOW SERVICES"
############################################################
echo "=============="
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT #OPEN HTTP PORT.
iptables -A INPUT -i eth1 -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT #Open secure shell port
iptables -A INPUT -p udp -i eth1 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT #Open DNS port
iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT

############################################################
echo "BLOCK SERVICES"
############################################################
echo "=================="
iptables -A INPUT -p tcp -i eth1 -s 0/0 -d 0/0 --dport 2049 -j DROP  
iptables -A INPUT -p udp -i eth1  -s 0/0 -d 0/0 --dport 2049 -j DROP
iptables -A INPUT -p tcp -i eth1  -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
iptables -A INPUT -p tcp -i eth1  -s 0/0 -d 0/0 --dport 7100 -j DROP
iptables -A INPUT -p tcp -i eth1  -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p udp -i eth1  -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p tcp -i eth1  -s 0/0 -d 0/0 --dport 111 -j DROP  
iptables -A INPUT -p udp -i eth1  -s 0/0 -d 0/0 --dport 111 -j DROP  

####################################################################
echo "ENABLE CONNECTION TRACKING"
####################################################################
echo "=========================="
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

####################################################################
echo "ACCEPT ESTABLISHED CONNECTION"
####################################################################
echo "============================"
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT #reject-with tcp-reset

####################################################################
echo "ANTI SPOOFING RULES"
####################################################################
echo "=================="
#Deny outside packets from internet which claim to be from your loopback interface.
iptables -A INPUT -p all -s localhost -i eth1 -j DROP
iptables -A INPUT -p all -s x.x.x.x -i eth1 -j DROP

Question by:nishi_k_79
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 9735815
I see two immediate problems with your firewall rule set. First of all, the rule that sets up NAT (iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.x.x.x) is commented out. Second, even if it were active, that rule occurs before "iptables -t nat -F", which would flush the rule out of the nat chain. While you could correct that by editing the rules, a somewhat more secure firewall rule set is below. Read the comments at the beginning for details as to its use.

#!/bin/sh
#
# Save this to /root/iptables-gw
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'service iptables save' for RedHat to reinstate at the next
# boot, IP forwarding must be enabled by other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
#echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-gw') to change the rulesets, rather than
# modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth0
INSIDE=eth1
INSIDE_IP=10.0.0.254
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# Don't leak SMB traffic onto the Internet. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
#
# Examples of allowing inbound for the port forwarding examples above.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the IP to be that of the INSIDE interface
# of the firewall.
#
#$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled
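The two NAT problems jlevie describes (a source-NAT rule that is commented out, and one that sits above the "-t nat -F" that flushes it) are easy to miss by eye in a long script. The script below is an added example, not code from the thread or from either poster: a POSIX shell lint that reads an iptables script as text and reports whether an active SNAT/MASQUERADE rule in the nat POSTROUTING chain survives to the end. It never invokes iptables, so it needs no root. The three sample scripts, the names lint_nat_rules and verdict_for, and the 192.0.2.1 address are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): lint an iptables script, from
# its text alone, for the two NAT mistakes jlevie identified. It never runs
# iptables, so it needs no root and can run on any machine.
#
#   MISSING  no active (uncommented) SNAT/MASQUERADE rule in nat POSTROUTING
#   FLUSHED  such rules exist, but a later flush of the nat table (or of nat
#            POSTROUTING) wipes them out again, leaving no source NAT
#   OK       at least one source-NAT rule is added after the last nat flush
#
# Only -t/--table, -F/--flush, -A/-I and -j/--jump are interpreted, which
# is enough for hand-written scripts like the ones in this thread.

lint_nat_rules() {
    awk '
        {
            sub(/^[ \t]+/, "")                  # ignore indentation
            if ($0 == "" || $0 ~ /^#/) next     # blank line or comment: not a rule
            table = "filter"; flush = 0; chain = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^#/) break            # trailing comment ends the command
                if ($i == "-t" || $i == "--table") table = $(i + 1)
                if ($i == "-F" || $i == "--flush") {
                    flush = 1
                    if ($(i + 1) !~ /^-/) chain = $(i + 1)   # optional chain after -F
                }
                if ($i == "-A" || $i == "--append" || $i == "-I" || $i == "--insert")
                    chain = $(i + 1)
                if ($i == "-j" || $i == "--jump") target = $(i + 1)
            }
            if (table != "nat") next
            if (flush && (chain == "" || chain == "POSTROUTING")) {
                lost += live; live = 0; flush_line = NR; next
            }
            if (chain == "POSTROUTING" && (target == "SNAT" || target == "MASQUERADE")) {
                seen++; live++
            }
        }
        END {
            if (seen == 0)
                print "MISSING: no active SNAT/MASQUERADE rule in nat POSTROUTING"
            else if (live == 0)
                print "FLUSHED: " lost " source-NAT rule(s) wiped by the nat flush on line " flush_line
            else
                print "OK: " live " source-NAT rule(s) survive the last nat flush"
        }
    ' "$1"
}

# Constructed sample scripts (not real configurations) mirroring the thread.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# 1. As posted in the question: SNAT commented out, nat flush further down.
cat > "$SAMPLE_DIR/as-posted.sh" <<'EOF'
#iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.0.2.1
iptables -F
iptables -t nat -F
iptables -P FORWARD ACCEPT
EOF

# 2. Uncommenting alone is not enough: the nat flush below wipes it again.
cat > "$SAMPLE_DIR/uncommented.sh" <<'EOF'
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 192.0.2.1
iptables -F
iptables -t nat -F
iptables -P FORWARD ACCEPT
EOF

# 3. The ordering jlevie uses: flush everything first, then add NAT.
cat > "$SAMPLE_DIR/fixed.sh" <<'EOF'
IPT="/sbin/iptables"
$IPT -F
$IPT -F -t nat
$IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE   # dynamic IP: masquerade
EOF

# Verdict keyword (MISSING, FLUSHED or OK) for one sample, by file name.
verdict_for() {
    lint_nat_rules "$SAMPLE_DIR/$1" | cut -d: -f1
}

for f in as-posted.sh uncommented.sh fixed.sh; do
    printf '%-16s %s\n' "$f" "$(lint_nat_rules "$SAMPLE_DIR/$f")"
done
```

Run it with sh to see the verdict for the three constructed samples, or call lint_nat_rules on your own script before installing it. The same ordering principle applies to the filter table: anything added before the flush section is lost, which is why jlevie's script puts all of its flushes at the top.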

Author Comment

by:nishi_k_79
ID: 9762457
Hi,
I have exactly the same script as suggested above. Now I have my firewall script running on bootup.
dmesg shows the following status:
====================
ip_tables: (c)2000 Netfilter core team
ip_conntrack (1015 buckets, 8120 max)
====================
What does this mean? Will it have any repercussions in future? Any help greatly appreciated...
LVL 40

Expert Comment

by:jlevie
ID: 9763546
That's just an informational message from IPtables. It's telling you that the conntrack module is starting with 1015 buckets ready for use for Internet connections and that it can allocate as many as 8120, based on need.

Author Comment

by:nishi_k_79
ID: 9776602
First of all let me thank you very very much for the help extended!! Really good work...Kudos to you  and experts-exchange.com  !!

After running the script at boot up, however, I see several of these on the terminal when I boot up next time, not always though:

kernel: NET: 1 messages suppressed.
kernel: ip_conntrack: table full, dropping packet.
kernel: NET: 2 messages suppressed.
kernel: ip_conntrack: table full, dropping packet.
kernel: NET: 3 messages suppressed.
kernel: ip_conntrack: table full, dropping packet.

1) I suspect this is due to the fact that the ip_conntrack table is full. However, if I increase the table capacity to 8120 (max), will it solve the problem? I browsed through some message boards and found out that increasing it to the max size still gives the same problem.

Thanks in advance..
LVL 40

Expert Comment

by:jlevie
ID: 9779134
How many machines do you have inside of the firewall?

Author Comment

by:nishi_k_79
ID: 9784776
We have around 14 machines accessing the Internet through the firewall; all are connected in a workgroup.

Thanks..
LVL 40

Expert Comment

by:jlevie
ID: 9787536
It certainly doesn't sound like your network is so large that it floods the firewall, if everything is normal. However, if you had an inside machine that was misbehaving or was virus infected, it could be producing such a large volume of traffic as to swamp IPtables.

What Linux are you using on the firewall?
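To act on jlevie's suggestion that one misbehaving or infected inside host may be flooding the conntrack table, it helps to see which LAN address owns the most tracked flows. The following is an added example, not code from the thread: it parses the 2.4-era /proc/net/ip_conntrack listing (one flow per line, the first src= field giving the original direction, [UNREPLIED] marking flows that never got an answer) and counts flows per source address inside a given dotted prefix. The listing embedded below is constructed sample data in that format, with 203.0.113.9 standing in for the firewall's outside address; top_conntrack_sources and noisiest_source are names chosen for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): rank inside hosts by the number
# of flows they hold in the conntrack table, to spot the one misbehaving or
# infected machine jlevie suspects. It reads the 2.4-era /proc/net/ip_conntrack
# listing: one flow per line, the first src= field is the original direction,
# the second src= is the reply direction, and [UNREPLIED] marks flows that
# never got an answer (many of those from one host is a classic worm or
# scanner footprint).
#
# Usage on a live 2.4 box: top_conntrack_sources /proc/net/ip_conntrack 10.168.168.
# The second argument is a plain dotted string prefix, not CIDR arithmetic.

top_conntrack_sources() {
    awk -v p="$2" '
        {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { ip = substr($i, 5); break }   # original direction only
            if (ip == "" || index(ip, p) != 1) next                # not an inside host
            flows[ip]++
            if ($0 ~ /\[UNREPLIED\]/) unreplied[ip]++
        }
        END {
            for (ip in flows)
                print flows[ip], ip, "unreplied=" (unreplied[ip] + 0)
        }
    ' "$1" | sort -rn
}

# Constructed sample in the /proc/net/ip_conntrack format (not captured from
# a real box). 203.0.113.9 stands in for the outside address of the firewall.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
tcp      6 431999 ESTABLISHED src=10.168.168.5 dst=198.51.100.20 sport=1043 dport=80 src=198.51.100.20 dst=203.0.113.9 sport=80 dport=1043 [ASSURED] use=1
udp      17 27 src=10.168.168.7 dst=198.51.100.53 sport=1025 dport=53 src=198.51.100.53 dst=203.0.113.9 sport=53 dport=1025 use=1
tcp      6 117 SYN_SENT src=10.168.168.12 dst=198.51.100.1 sport=2001 dport=445 [UNREPLIED] src=198.51.100.1 dst=203.0.113.9 sport=445 dport=2001 use=1
tcp      6 117 SYN_SENT src=10.168.168.12 dst=198.51.100.2 sport=2002 dport=445 [UNREPLIED] src=198.51.100.2 dst=203.0.113.9 sport=445 dport=2002 use=1
tcp      6 117 SYN_SENT src=10.168.168.12 dst=198.51.100.3 sport=2003 dport=445 [UNREPLIED] src=198.51.100.3 dst=203.0.113.9 sport=445 dport=2003 use=1
tcp      6 431999 ESTABLISHED src=10.168.168.5 dst=198.51.100.21 sport=1044 dport=80 src=198.51.100.21 dst=203.0.113.9 sport=80 dport=1044 [ASSURED] use=1
udp      17 27 src=203.0.113.9 dst=198.51.100.53 sport=1026 dport=53 src=198.51.100.53 dst=203.0.113.9 sport=53 dport=1026 use=1
EOF

# The single busiest inside host, as "<flows> <ip> unreplied=<n>".
noisiest_source() {
    top_conntrack_sources "$SAMPLE" "10.168.168." | head -n 1
}

top_conntrack_sources "$SAMPLE" "10.168.168."
```

On the sample the host 10.168.168.12 tops the list with three flows, all unreplied, which is the pattern to look for when the table fills up on a network of only 14 machines. On a live 2.4 box point the function at /proc/net/ip_conntrack (later kernels expose the same listing as /proc/net/nf_conntrack); the "8120 max" in the dmesg line is 8 times the 1015 hash buckets, so the table is small enough that a single scanning host can exhaust it.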

Author Comment

by:nishi_k_79
ID: 9816701
I'm using Redhat 7.1 and kernel 2.4.2.
LVL 40

Expert Comment

by:jlevie
ID: 9817731
Apparently you are running 7.1 "out of the box" since you have the 2.4.2 kernel. The first thing I'd do is to apply all of the RedHat errata to your system, as in running up2date. That probably will fix the problem.

Author Comment

by:nishi_k_79
ID: 11406916
Thanks jlevie. You have been a great help. Thanks.