
Firewall setup

I have four machines A, B, C, D.
A and B are in one network (mask
C and D are in another network (mask
For PC A, B is the gateway.
Similarly, for PC C, D is the gateway.
I want to connect from machine A to the other network (i.e. C and D) using B as the gateway.
Similarly, I want to connect from machine D to the other network (i.e. A and B) using C as the gateway.
What I did was enable IP forwarding on both my gateways, B and C.

Then I created a static route on machine C for machine B.

On machine C the routing entries are:
 route add dev eth0
 route add -net netmask gw

On machine B the routing entry is:
route add -net netmask dev eth0
Both my machines A and D use B and C as their default gateways respectively.
I am able to ping and ssh from both sides.

Now I planned to set up a firewall on my gateways using iptables. Only here do I have a problem. After I set up the firewall my client machines cannot access the other network. The gateways can still access each other, but they too cannot access the clients on the other side.

My Firewall rules are
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -s -j ACCEPT
iptables -A INPUT -p udp --dport 5000 -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

iptables -A FORWARD -s -d -j ACCEPT

Similarly, on my other gateway I have a rule.
On both sides I enabled IP forwarding.
I guess something is wrong in my firewall rules, but I don't know where it is going wrong. I am totally new to this area. Can anyone help me?
1 Solution
Your forward rules do not allow packets to "come back".

On machines B and D, you should have:

iptables -A FORWARD -s -d -j ACCEPT

iptables -A FORWARD -s -d -j ACCEPT

One good way of diagnosing this kind of problem is using ethereal (or the text version, tethereal).

tethereal -i eth0
will show you everything that comes in/out of this interface. On the gateways, you can run:

tethereal -i eth0
tethereal -i eth1

in two different terminals.
That way, you would have seen that your packets go in one way, but not the other :-)

If you use ssh to connect to the gateways, then you had better filter ssh out of tethereal if you don't want your terminal to be filled up with uninteresting packets:

tethereal -i eth0 not port 22

At the least you need to change your forward rule (it's backwards). You need a bit more in the rule set, and I'd suggest that you try:

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -d -j ACCEPT
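The point both answers make, that the FORWARD chain must admit the reply half of every connection, can be checked without touching a live gateway. The model below is an added example and is not code from the thread; the networks 192.168.1.0/24 and 192.168.2.0/24, the hosts in them and the three packets are assumed values standing in for the addresses the question leaves out. It runs the asker's one-directional rule, the two-rule fix from the first answer, and a stateful variant over the same packets with a simplified connection tracker, and it renders each ruleset as the iptables commands it stands for.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed example networks: A lives in NET_A, C and D in NET_C.
NET_A = "192.168.1.0/24"
NET_C = "192.168.2.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def flow_key(p):
    """Direction-independent key, the way conntrack pairs a reply with its original."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def matches(rule, p, state):
    """A rule is a dict with optional 'src', 'dst', 'state' matches and a 'target'."""
    if "src" in rule and ip_address(p.src) not in ip_network(rule["src"]):
        return False
    if "dst" in rule and ip_address(p.dst) not in ip_network(rule["dst"]):
        return False
    if "state" in rule and state not in rule["state"]:
        return False
    return True


def run_forward_chain(rules, packets, policy="DROP"):
    """Evaluate packets in order against a FORWARD chain with the given policy.

    Simplified conntrack: a packet whose flow was previously ACCEPTed is
    ESTABLISHED, anything else is NEW (TCP flag checks, RELATED and INVALID
    are left out).  Only accepted packets create state, mirroring netfilter
    confirming a conntrack entry after the filter verdict.
    """
    seen, verdicts = set(), []
    for p in packets:
        key = flow_key(p)
        state = "ESTABLISHED" if key in seen else "NEW"
        verdict = policy
        for rule in rules:
            if matches(rule, p, state):
                verdict = rule["target"]
                break
        if verdict == "ACCEPT":
            seen.add(key)
        verdicts.append(verdict)
    return verdicts


def to_iptables(chain, rules):
    """Render the rule dicts as the iptables commands they correspond to."""
    lines = []
    for r in rules:
        parts = ["iptables", "-A", chain]
        if "src" in r:
            parts += ["-s", r["src"]]
        if "dst" in r:
            parts += ["-d", r["dst"]]
        if "state" in r:
            parts += ["-m", "state", "--state", ",".join(sorted(r["state"]))]
        parts += ["-j", r["target"]]
        lines.append(" ".join(parts))
    return lines


# The asker's FORWARD chain: one direction only, so replies never match.
ONE_WAY = [{"src": NET_A, "dst": NET_C, "target": "ACCEPT"}]

# First answer's fix: a rule per direction.  Replies pass, but so do
# connections opened from the C/D side towards A.
TWO_WAY = ONE_WAY + [{"src": NET_C, "dst": NET_A, "target": "ACCEPT"}]

# Stateful variant: replies to anything already accepted pass, and only
# the A side may open new connections.  The state rule must sit in FORWARD;
# one in INPUT only covers traffic addressed to the gateway itself.
STATEFUL = [
    {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"src": NET_A, "dst": NET_C, "state": {"NEW"}, "target": "ACCEPT"},
]

# Constructed traffic: A opens ssh to C, C replies, then D tries to open ssh to A.
TRAFFIC = [
    Packet("192.168.1.10", "192.168.2.10", 40000, 22),  # A -> C  SYN
    Packet("192.168.2.10", "192.168.1.10", 22, 40000),  # C -> A  SYN/ACK (the reply)
    Packet("192.168.2.20", "192.168.1.10", 50000, 22),  # D -> A  new connection
]


def compare():
    """Verdicts for the three packets under each ruleset."""
    return {name: run_forward_chain(rules, TRAFFIC)
            for name, rules in (("one_way", ONE_WAY), ("two_way", TWO_WAY), ("stateful", STATEFUL))}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:9s} {verdicts}")
    print("\n".join(to_iptables("FORWARD", STATEFUL)))
```

Under the one-way ruleset the reply from C is dropped, which is exactly what tethereal on the gateway shows as packets going one way but not the other. The two-rule fix gets replies through but also lets any host on the C/D side open connections to A; the stateful variant keeps the original one-way intent while still passing replies. Whichever form is used, a `--state RELATED,ESTABLISHED` rule only helps routed traffic when it is in the FORWARD chain; the one in the ruleset above is in INPUT, which only affects connections to the gateway itself.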
