Solved

can't figure out problem with iptables

Posted on 2015-02-18
Last Modified: 2015-02-24
I have a Linux host as router/firewall/LAN-DNS. It has 2 NICs: eth0 is connected to the Internet and eth1 is connected to the internal LAN. I've attempted to set up an iptables firewall with a minorly modified version of a script I use elsewhere, but when I run the script, no LAN hosts (192.168.0.0/24) can connect to other LAN hosts or get to the Internet. I can't see what's wrong. Here's my script:
# Initialize things
    /usr/sbin/iptables -P INPUT ACCEPT
    /usr/sbin/iptables -P FORWARD ACCEPT
    /usr/sbin/iptables -P OUTPUT ACCEPT

    /usr/sbin/iptables -t nat -P PREROUTING ACCEPT
    /usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
    /usr/sbin/iptables -t nat -P OUTPUT ACCEPT

    /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
    /usr/sbin/iptables -t mangle -P INPUT ACCEPT
    /usr/sbin/iptables -t mangle -P FORWARD ACCEPT
    /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
    /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT

    /usr/sbin/iptables -t raw -P PREROUTING ACCEPT
    /usr/sbin/iptables -t raw -P OUTPUT ACCEPT

    /usr/sbin/iptables -F
    /usr/sbin/iptables -F -t nat
    /usr/sbin/iptables -F -t mangle
    /usr/sbin/iptables -F -t raw

    /usr/sbin/iptables -X
    /usr/sbin/iptables -X -t nat
    /usr/sbin/iptables -X -t mangle
    /usr/sbin/iptables -X -t raw

# Turn off ACCEPT for all INPUT
    /usr/sbin/iptables -P INPUT DROP

# Routing ...
    /usr/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    /usr/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT

# Enable specific INPUT
    /usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    /usr/sbin/iptables -A INPUT -i lo -j ACCEPT

# Accept everything on LAN interface
    /usr/sbin/iptables -A INPUT -i eth1 -p tcp --syn -j ACCEPT

# Log attempt to break in via SSH
    /usr/sbin/iptables -N logdrop
    /usr/sbin/iptables -A logdrop -j LOG --log-level 6 --log-prefix "SSH Break-in attempt "
    /usr/sbin/iptables -A logdrop -j DROP

    /usr/sbin/iptables -N checkcount
    /usr/sbin/iptables -A checkcount -m recent --set
    /usr/sbin/iptables -A checkcount -m recent --rcheck --hitcount 12 -j logdrop
    /usr/sbin/iptables -A checkcount -j RETURN

#  Allow ssh for specific IP from the Internet (eth0)
    /usr/sbin/iptables -I INPUT -i eth0 -p tcp -m tcp -s 96.11.168.98 --dport 22 -j ACCEPT
    /usr/sbin/iptables -I INPUT -i eth0 -p tcp -m tcp -s 76.181.64.0/23 --dport 22 -j ACCEPT

    /usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -j checkcount
    /usr/sbin/iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -i eth0 --dport 22 -j ACCEPT

And here is `iptables -L -v -n --line-numbers`
Chain INPUT (policy DROP 21 packets, 3641 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  eth0   *       76.181.64.0/23       0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     tcp  --  eth0   *       96.11.168.98         0.0.0.0/0            tcp dpt:22
3        0     0            tcp  --  -eth0  *       0.0.0.0/0            0.0.0.0/0            multiport dports 1901:1902
4      103 11903 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        2   136 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
7        0     0 checkcount  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02
8        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02 limit: avg 1/sec burst 3
9        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 multiport dports 25,80,443

Chain FORWARD (policy ACCEPT 6 packets, 615 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        7   487 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 79 packets, 8684 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain checkcount (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: DEFAULT side: source mask: 255.255.255.255
2        0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
3        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SSH Break-in attempt "
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

I can't see why I lose all communication on 192.168.0.0/24. Ideas?
Question by:jmarkfoley
16 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 40619663
You need to define a route (NAT) from eth1 through eth0

What is the default gateway that is set on the 192.168.0.0 computers?
Does it match the IP of the eth1 interface?

in /etc/sysctl.conf
Do you have forwarding enabled?
net.ipv4.ip_forward = 1

There are several references on setting up linux as a router.
http://etutorials.org/Linux+systems/red+hat+linux+bible+fedora+enterprise+edition/Part+IV+Red+Hat+Linux+Network+and+Server+Setup/Chapter+16+Connecting+to+the+Internet/Setting+up+Red+Hat+Linux+as+a+Router/

You are on a slackware system, but the iptables rules/configuration should still apply.
LVL 62

Expert Comment

by:gheist
ID: 40619823
You don't seem to NAT the traffic from that address, nor do you have a single interface in that network.
Can you post the output of "iptables-save"?
LVL 1

Author Comment

by:jmarkfoley
ID: 40620499
Arnold:
You need to define a route (NAT) from eth1 through eth0
Is that not what I have in lines 33,34 of my first source listing in the initial post?

    /usr/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    /usr/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
What is the default gateway that is set on the 192.168.0.0 computers? Does it match the IP of the eth1 interface?
Yes, they are set to DHCP and the gateway is this host at 192.168.0.2. For example:
C:\Users\mark.HPRS>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : hprs.local
   Link-local IPv6 Address . . . . . : fe80::286e:664d:27b7:eb1b%13
   IPv4 Address. . . . . . . . . . . : 192.168.0.58
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.2

Tunnel adapter isatap.hprs.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hprs.local

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected

in /etc/sysctl.conf
 Do you have forwarding enabled?
 net.ipv4.ip_forward = 1
Yes:
$ cat /proc/sys/net/ipv4/ip_forward
1

There are several references on setting up linux as a router.
The routing isn't the problem; I've set up several Linux hosts as routers. I can route just fine using only the NAT rules. My problem is the drop rules. I'm doing something to prevent LAN hosts from using this computer for DNS. They can't resolve each other and they can't resolve external domains.

gheist:
You dont seem to nat the traffic from that address
yes, see lines 33,34 in my initial src posting.
nor you have a single interface in that network.
Don't know what you mean by that. Please clarify.
Can you post the output of "iptables-save"?
yes, but will have to be tomorrow when I'm in front of the console so I can fix when I mess up the LAN.
LVL 79

Accepted Solution

by:
arnold earned 2000 total points
ID: 40620539
What is the ip on the eth1 interface?
Can you post the routing table from the linux box?


iptables-save on several platforms is the script which you originally posted.
Second section.

Oh, you allow traffic to pass through, not sure you allowing traffic to hit port 53 on the host. Did you bind the name service (bind) to a specific IP or is it listening on all?

Add
iptables -I INPUT 6 -i eth1 -p udp -m udp -j ACCEPT

You currently accept all TCP connections, but you are not allowing UDP from the LAN: implicit deny by policy.

My guess you can not do any UDP from the LAN.
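A worked version of the point arnold makes, added here as an example and not code from any answer on this page. It goes a step beyond the all-UDP rule: the LAN-facing INPUT rules grant only what the router serves to the LAN (DNS over UDP and TCP, plus ICMP), and an audit function scans an iptables-save dump for an ACCEPT that lets UDP in on the LAN interface, which is exactly the rule the question's dump lacks. IPT defaults to a dry run (echo) so the script runs unprivileged; the interface name eth1 and the two sample dumps are constructed to mirror the question.

```shell
#!/bin/sh
# Added example, not the asker's script. Dry run by default: IPT expands to
# "echo /usr/sbin/iptables" so the rules are printed, not applied. Run with
# IPT=/usr/sbin/iptables as root to apply them. LAN_IF=eth1 is assumed to
# match the question.
IPT="${IPT:-echo /usr/sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"

# LAN-to-host rules. Rather than accepting every TCP SYN (or every UDP
# datagram) from eth1, allow only what the router serves to the LAN: DNS over
# UDP and TCP (answers over 512 bytes and zone transfers use TCP) and ICMP so
# hosts can ping it. Everything else from the LAN falls through to the
# INPUT policy, which is DROP in the question's script.
lan_input_rules() {
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --syn --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p icmp -j ACCEPT
}

# Audit an iptables-save dump read from stdin: return 0 if the filter table's
# INPUT chain has an ACCEPT rule that matches UDP arriving on LAN_IF, 1 if not.
# A rule with no -p at all matches every protocol, so it counts as well.
lan_udp_allowed() {
    awk -v lan="$LAN_IF" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A INPUT / && / -j ACCEPT/ {
            has_if = 0; proto_ok = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-i" && $(i + 1) == lan) has_if = 1
                if ($i == "-p" && ($(i + 1) == "udp" || $(i + 1) == "all")) proto_ok = 1
            }
            if (!/ -p /) proto_ok = 1
            if (has_if && proto_ok) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed filter-table dumps. BEFORE mirrors the question: TCP SYN from
# eth1 is accepted, UDP is not. AFTER adds the DNS/UDP rule.
SAMPLE_BEFORE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT'
SAMPLE_AFTER='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT'

# Print a verdict for one dump; on a live router pipe iptables-save instead.
audit_dump() {
    if printf '%s\n' "$1" | lan_udp_allowed; then
        echo "ok: UDP from $LAN_IF can reach the router's INPUT chain"
    else
        echo "gap: no ACCEPT for UDP from $LAN_IF; DNS queries hit the INPUT policy"
    fi
}

echo "--- rules that would be applied ---"
lan_input_rules
echo "--- audit of constructed dumps ---"
audit_dump "$SAMPLE_BEFORE"
audit_dump "$SAMPLE_AFTER"
```

On the real router the audit is `iptables-save | lan_udp_allowed` after sourcing the functions; the rule set only accepts related/established replies without an interface match, so a missing eth1 UDP rule means every fresh DNS query from the LAN is counted against the INPUT DROP policy.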
LVL 79

Expert Comment

by:arnold
ID: 40620541
Can you ping www.experts-exchange.com from the LAN?

Just looking to confirm whether your INPUT policy line 6 coming via eth1 limits the LAN to TCP traffic only.
LVL 1

Author Comment

by:jmarkfoley
ID: 40627001
Sorry for the delay ... lots of gnats to swat on this one.

gheist:
Can you post the output of "iptables-save"?
Here it is:
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*raw
:PREROUTING ACCEPT [114:10002]
:OUTPUT ACCEPT [66:6316]
COMMIT
# Completed on Sun Feb 22 19:51:57 2015
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*mangle
:PREROUTING ACCEPT [114:10002]
:INPUT ACCEPT [110:9828]
:FORWARD ACCEPT [4:174]
:OUTPUT ACCEPT [66:6316]
:POSTROUTING ACCEPT [70:6490]
COMMIT
# Completed on Sun Feb 22 19:51:57 2015
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*nat
:PREROUTING ACCEPT [15:1500]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:328]
:POSTROUTING ACCEPT [1:328]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1901 -j DNAT --to-destination 192.168.0.100:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1903 -j DNAT --to-destination 192.168.0.4:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1904 -j DNAT --to-destination 192.168.0.50:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1905 -j DNAT --to-destination 192.168.0.51:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1906 -j DNAT --to-destination 192.168.0.52:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1907 -j DNAT --to-destination 192.168.0.53:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1908 -j DNAT --to-destination 192.168.0.54:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1909 -j DNAT --to-destination 192.168.0.55:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1910 -j DNAT --to-destination 192.168.0.56:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1911 -j DNAT --to-destination 192.168.0.57:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1912 -j DNAT --to-destination 192.168.0.58:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1913 -j DNAT --to-destination 192.168.0.59:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1902 -j DNAT --to-destination 192.168.0.101:3389
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Feb 22 19:51:57 2015
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*filter
:INPUT DROP [19:2812]
:FORWARD ACCEPT [2:85]
:OUTPUT ACCEPT [66:6316]
:checkcount - [0:0]
:logdrop - [0:0]
-A INPUT -s 76.181.64.0/23 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 96.11.168.98/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i -eth0 -p tcp -m multiport --dports 1901:1902
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j checkcount
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 3 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 25,80,443 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A checkcount -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A checkcount -m recent --rcheck --hitcount 12 --name DEFAULT --mask 255.255.255.255 --rsource -j logdrop
-A checkcount -j RETURN
-A logdrop -j LOG --log-prefix "SSH Break-in attempt " --log-level 6
-A logdrop -j DROP
COMMIT
# Completed on Sun Feb 22 19:51:57 2015

Arnold:
What is the ip on the eth1 interface?
192.168.0.2
Can you post the routing table from the linux box?
Will do so after work hours when I put the firewall back without messing up staff.
you are not allowing udp from the LAN implicit deny by policy.
Aha! This may very well be the problem! I will try that this evening.
LVL 79

Expert Comment

by:arnold
ID: 40627034
Try this: from the LAN, browse to http://54.209.131.74 (the EE web server).
This will confirm whether the issue is the failure to look up the address versus an inability to get through to the Internet.
LVL 1

Author Comment

by:jmarkfoley
ID: 40627112
Arnold:
you are not allowing udp from the LAN implicit deny by policy.
I added: iptables -A INPUT -i eth1 -p udp -j ACCEPT

and that does seem to have fixed it! I wasn't thinking about DNS being udp. I'll continue watching this to make sure.
Can you post the routing table from the linux box?
Here it is:
$ route -vv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         <REDACTED>    0.0.0.0         UG    1      0        0 eth0
64.129.23.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1

Try this: from the LAN, browse to http://54.209.131.74 (the EE web server).
 This will confirm whether the issue is the failure to look up the address versus an inability to get through to the Internet.
Hmmm, not sure what this is telling me. When going to that IP from a client workstation I got (from EE):

An unexpected error occured during your request.
For immediate assistance please contact Customer Service.
Details: (Type: com.ee.common.exception.ExpectedException)
Caused By: (Type: com.ee.common.exception.CMSSiteNotDefinedException)

But I can browse to google and other external webpages.

What do you think?
LVL 79

Expert Comment

by:arnold
ID: 40627245
Hi mark,

Should have checked before posting the IP as a test; the site is name based and seems not to like access by IP.

Glad to hear the addition of the UDP rule solved the issue.
ICMP is the only one currently missing from being allowed from the LAN to the outside.
LVL 1

Author Comment

by:jmarkfoley
ID: 40628230
Arnold:
Redacted the IP referenced as the gateway
Thanks.
ICMP is the only one currently missing from being allowed from the LAN to the outside.
From LAN to outside should be all permitted with rule:

/usr/sbin/iptables -P OUTPUT ACCEPT

Right? I can ping anyone inside or outside the LAN:
$ ping yahoo.com
PING yahoo.com (206.190.36.45) 56(84) bytes of data.
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=1 ttl=50 time=73.0 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=2 ttl=50 time=75.1 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=3 ttl=50 time=71.2 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=4 ttl=50 time=74.9 ms

LVL 1

Author Closing Comment

by:jmarkfoley
ID: 40628241
Things seem to be working just fine. Apparently my problem was not permitting DNS on udp. If more issues crop up I'll post another question.
LVL 62

Expert Comment

by:gheist
ID: 40628690
I managed to load your iptables-save into fwbuilder.
What does sysctl net.ipv4.ip_forward
say? It must be 1 for the *ROUTING tables to work.
LVL 1

Author Comment

by:jmarkfoley
ID: 40628747
gheist:
What does sysctl net.ipv4.ip_forward
 say? Must be 1 for *ROUTING tables to work.
Yes, it is set to 1.

The problem was that I didn't enable DNS for udp. Once I did that, problem solved. I forgot that DNS uses udp on port 53.
LVL 62

Expert Comment

by:gheist
ID: 40629152
NTP uses UDP on port 123.
LVL 1

Author Comment

by:jmarkfoley
ID: 40629179
Thanks! I think I might need that too.