Solved

Firewall setup

Posted on 2004-04-04
Last Modified: 2010-03-18
I have four machines A, B, C, D.
A and B are in one network (192.168.1.0 mask 255.255.255.0).

C and D are in another network (192.168.0.0 mask 255.255.255.0).
For PC A, B is the gateway.
Similarly, for PC C, D is the gateway.
I want to connect from machine A to another network (i.e. C and D) using B as the gateway.
Similarly, I want to connect from machine D to another network (i.e. A and B) using C as the gateway.
What I did was I enabled IP forwarding in both my gateways B and C.

Then I created a static route in machine C for machine B.

In machine C the routing entries are:
route add 192.168.1.1 dev eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1


In machine B the routing entry is:
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0

Both my machines A and D are using B and C as default gateways respectively.
I am able to ping and ssh from both sides.

Now I planned to set up a firewall in my gateways using iptables. Here only I have a problem. After I set up the firewall my client machines cannot access the other network. But the gateways can access each other. They too cannot access the other side's clients.

My firewall rules are:

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 5000 -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT

Similarly in my other gateway I have a rule.
Both sides I enabled IP forwarding.
I guess something is wrong in my firewall rules, but I don't know where it is going wrong. I am totally new to this area. Can anyone help me?
Question by: palanisaravanan

Accepted Solution by: Alf666 (ID: 10752298)
Your forward rules do not allow packets to "come back".

On machines B and D, you should have:

iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT

iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT

One good way of diagnosing this kind of problem is using ethereal (or the text version: tethereal).

tethereal -i eth0
will give you everything that comes in/out of this interface. On the gateways, you can run :

tethereal -i eth0
tethereal -i eth1

On two different terminals.
That way, you would have seen that your packets come in one way, but not the other :-)

If you use ssh to connect to the gateways, then you had better filter out ssh from tethereal if you don't want your terminal to be filled up with uninteresting packets:

tethereal -i eth0 not port 22


Expert Comment by: jlevie (ID: 10752453)
At the least you need to change your forward rule (it's backwards). You need a bit more in the rule set and I'd suggest that you try:

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT

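To see why Alf666's point about return traffic matters, and how the RELATED,ESTABLISHED match that jlevie uses on INPUT would do the same job on FORWARD, here is an added example that is not from the thread: a small Python model of the FORWARD chain, evaluated against a ping from A to D and D's reply. The host addresses 192.168.1.5 (A) and 192.168.0.5 (D) are constructed; the rulesets are the ones posted above plus a stateful variant.

```python
import ipaddress

# Added example: a toy evaluator for iptables FORWARD rules matching on
# -s, -d and -m state. It models first-match semantics and the chain policy.

def parse_rules(lines):
    """Parse 'iptables -A FORWARD ...' lines into match dicts (subset of options)."""
    rules = []
    for line in lines:
        toks = line.split()
        rule = {"src": None, "dst": None, "state": None, "target": None}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "-s":
                rule["src"] = ipaddress.ip_network(toks[i + 1]); i += 2
            elif t == "-d":
                rule["dst"] = ipaddress.ip_network(toks[i + 1]); i += 2
            elif t == "--state":
                rule["state"] = set(toks[i + 1].split(",")); i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]; i += 2
            else:
                i += 1  # 'iptables', '-A', 'FORWARD', '-m', 'state' carry no match here
        rules.append(rule)
    return rules

def forward_verdict(rules, src, dst, state="NEW", policy="DROP"):
    """First matching rule wins; otherwise the chain policy (-P FORWARD DROP) applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["state"] is not None and state not in r["state"]:
            continue
        return r["target"]
    return policy

# The asker's single rule, Alf666's two-direction fix, and a conntrack-based variant.
ORIGINAL = ["iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT"]
BOTH_WAYS = ORIGINAL + ["iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT"]
STATEFUL = ["iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"] + ORIGINAL

def ping_round_trip(rules):
    """Verdicts for A's echo request (A -> D, NEW) and D's echo reply (D -> A, ESTABLISHED)."""
    parsed = parse_rules(rules)
    request = forward_verdict(parsed, "192.168.1.5", "192.168.0.5", "NEW")
    reply = forward_verdict(parsed, "192.168.0.5", "192.168.1.5", "ESTABLISHED")
    return request, reply
```

With ORIGINAL the request is forwarded but the reply hits the DROP policy, which is exactly the one-way traffic Alf666 suggests watching for with tethereal; STATEFUL lets replies through while still refusing connections that D's side initiates.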