Firewall setup

Posted on 2004-04-04
Last Modified: 2010-03-18
I have four machines A, B, C, D.
A and B are in one network (192.168.1.0 mask 255.255.255.0).

C and D are in another network (192.168.0.0 mask 255.255.255.0).
For PC A, B is the gateway.
Similarly, for PC C, D is the gateway.
I want to connect from machine A to the other network (i.e. C and D) using B as the gateway.
Similarly, I want to connect from machine D to the other network (i.e. A and B) using C as the gateway.
What I did was enable IP forwarding in both my gateways B and C.

Then I created a static route in machine C for machine B.

In machine C the routing entries are:
route add 192.168.1.1 dev eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

In machine B the routing entry is:
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0
 
Both my machines A and D are using B and C as default gateways respectively.
I am able to ping and ssh from both sides.

Now I planned to set up a firewall in my gateways using iptables. Here is where I have a problem. After I set up the firewall my client machines cannot access the other network. But the gateways can access each other. They too cannot access the other side's clients.

My firewall rules are:

# default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# traffic addressed to the gateway itself
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 5000 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

# traffic forwarded between the two networks
iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT

Similarly, in my other gateway I have a rule.
On both sides I enabled IP forwarding.
I guess something is wrong in my firewall rules, but I don't know where it is going wrong. I am totally new to this area. Can anyone help me?
Question by:palanisaravanan
Accepted Solution by Alf666 (LVL 9), earned 1000 total points
ID: 10752298
Your forward rules do not allow packets to "come back".

On machines B and D, you should have:

iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT

iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT

One good way of diagnosing this kind of problem is using ethereal (or the text version, tethereal).

tethereal -i eth0
will give you everything that comes in/out of this interface. On the gateways, you can run :

tethereal -i eth0
tethereal -i eth1

On two different terminals.
That way, you would have seen that your packets come in one way, but not the other :-)

If you use ssh to connect to the gateways, then better filter out ssh from tethereal if you don't want your terminal to be filled up with non-interesting packets:

tethereal -i eth0 not port 22

Expert Comment by jlevie (LVL 40)
ID: 10752453
At the least you need to change your forward rule (it's backwards). You need a bit more in the rule set and I'd suggest that you try:

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT

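A stateful version of the gateway rule set that combines the two answers above (Alf666's point that FORWARD needs both directions, and jlevie's use of the state module for replies), written as an added example for this thread rather than code posted by either expert. It assumes the gateway is run with its own subnet first and the other subnet second; the script name gw-firewall.sh, the DRY_RUN variable and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): stateful rules for one gateway.
# On B:  sh gw-firewall.sh 192.168.1.0/24 192.168.0.0/24
# On C:  sh gw-firewall.sh 192.168.0.0/24 192.168.1.0/24
# DRY_RUN=1 prints the iptables commands instead of executing them.

# gateway_rules LOCAL_NET REMOTE_NET -> prints the iptables commands for this gateway
gateway_rules() {
    local_net="$1"
    remote_net="$2"
    cat <<EOF
# default policies first, then rebuild the chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
# traffic to the gateway itself (as in the question: local subnet, icmp, loopback)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $local_net -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# replies of any forwarded connection, whichever side opened it
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections are allowed in both directions between the two subnets
iptables -A FORWARD -m state --state NEW -s $local_net -d $remote_net -j ACCEPT
iptables -A FORWARD -m state --state NEW -s $remote_net -d $local_net -j ACCEPT
EOF
}

# count_forward_pairs RULES -> how many FORWARD rules name a source/destination
# pair; the question's set gives 1, this set gives 2 (one per direction)
count_forward_pairs() {
    printf '%s\n' "$1" | grep -c -- '-A FORWARD .*-s .* -d '
}

# apply_rules LOCAL_NET REMOTE_NET -> run the commands, or print them under DRY_RUN
apply_rules() {
    if [ -n "$DRY_RUN" ]; then
        gateway_rules "$1" "$2"
    else
        gateway_rules "$1" "$2" | sh -e
    fi
}

# only act when invoked with the two subnets on the command line
if [ "$#" -eq 2 ]; then
    apply_rules "$1" "$2"
fi
```

Run it once on each gateway with the subnets swapped; with DRY_RUN=1 it only prints the rules so they can be reviewed before being applied.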