Solved

can't figure out problem with iptables

Posted on 2015-02-18
Last Modified: 2015-02-24
I have a Linux host as router/firewall/LAN-DNS. It has 2 NICs: eth0 is connected to the Internet and eth1 is connected to the internal LAN. I've attempted to set up an iptables firewall with a minorly modified version of a script I use elsewhere, but when I run the script, no LAN hosts (192.168.0.0/24) can connect to other LAN hosts or get to the Internet. I can't see what's wrong. Here's my script:
# Initialize things
    /usr/sbin/iptables -P INPUT ACCEPT
    /usr/sbin/iptables -P FORWARD ACCEPT
    /usr/sbin/iptables -P OUTPUT ACCEPT

    /usr/sbin/iptables -t nat -P PREROUTING ACCEPT
    /usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
    /usr/sbin/iptables -t nat -P OUTPUT ACCEPT

    /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
    /usr/sbin/iptables -t mangle -P INPUT ACCEPT
    /usr/sbin/iptables -t mangle -P FORWARD ACCEPT
    /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
    /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT

    /usr/sbin/iptables -t raw -P PREROUTING ACCEPT
    /usr/sbin/iptables -t raw -P OUTPUT ACCEPT

    /usr/sbin/iptables -F
    /usr/sbin/iptables -F -t nat
    /usr/sbin/iptables -F -t mangle
    /usr/sbin/iptables -F -t raw

    /usr/sbin/iptables -X
    /usr/sbin/iptables -X -t nat
    /usr/sbin/iptables -X -t mangle
    /usr/sbin/iptables -X -t raw

# Turn off ACCEPT for all INPUT
    /usr/sbin/iptables -P INPUT DROP

# Routing ...
    /usr/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    /usr/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT

# Enable specific INPUT
    /usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    /usr/sbin/iptables -A INPUT -i lo -j ACCEPT

# Accept everything on LAN interface
    /usr/sbin/iptables -A INPUT -i eth1 -p tcp --syn -j ACCEPT

# Log attempt to break in via SSH
    /usr/sbin/iptables -N logdrop
    /usr/sbin/iptables -A logdrop -j LOG --log-level 6 --log-prefix "SSH Break-in attempt "
    /usr/sbin/iptables -A logdrop -j DROP

    /usr/sbin/iptables -N checkcount
    /usr/sbin/iptables -A checkcount -m recent --set
    /usr/sbin/iptables -A checkcount -m recent --rcheck --hitcount 12 -j logdrop
    /usr/sbin/iptables -A checkcount -j RETURN

#  Allow ssh for specific IP from the Internet (eth0)
    /usr/sbin/iptables -I INPUT -i eth0 -p tcp -m tcp -s 96.11.168.98 --dport 22 -j ACCEPT
    /usr/sbin/iptables -I INPUT -i eth0 -p tcp -m tcp -s 76.181.64.0/23 --dport 22 -j ACCEPT

    /usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -j checkcount
    /usr/sbin/iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -i eth0 --dport 22 -j ACCEPT


And here is the output of `iptables -L -v -n --line-numbers`:
Chain INPUT (policy DROP 21 packets, 3641 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  eth0   *       76.181.64.0/23       0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     tcp  --  eth0   *       96.11.168.98         0.0.0.0/0            tcp dpt:22
3        0     0            tcp  --  -eth0  *       0.0.0.0/0            0.0.0.0/0            multiport dports 1901:1902
4      103 11903 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        2   136 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
6        0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
7        0     0 checkcount  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02
8        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02 limit: avg 1/sec burst 3
9        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 multiport dports 25,80,443

Chain FORWARD (policy ACCEPT 6 packets, 615 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        7   487 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 79 packets, 8684 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain checkcount (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: DEFAULT side: source mask: 255.255.255.255
2        0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
3        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SSH Break-in attempt "
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


I can't see why I lose all communication on 192.168.0.0/24. Ideas?
0
Question by:jmarkfoley
16 Comments
 
LVL 76

Expert Comment

by:arnold
You need to define a route (NAT) from eth1 through eth0

What is the default gateway that is set on the 192.168.0.0 computers?
Does it match the IP of the eth1 interface?

in /etc/sysctl.conf
Do you have forwarding enabled?
net.ipv4.ip_forward = 1

There are several references on setting up linux as a router.
http://etutorials.org/Linux+systems/red+hat+linux+bible+fedora+enterprise+edition/Part+IV+Red+Hat+Linux+Network+and+Server+Setup/Chapter+16+Connecting+to+the+Internet/Setting+up+Red+Hat+Linux+as+a+Router/

You are on a Slackware system, but the iptables rules/configuration should still apply.
0
 
LVL 61

Expert Comment

by:gheist
You don't seem to NAT the traffic from that address, nor do you have a single interface in that network.
Can you post the output of "iptables-save"?
0
 
LVL 1

Author Comment

by:jmarkfoley
Arnold:
You need to define a route (NAT) from eth1 through eth0
Is that not what I have in lines 33,34 of my first source listing in the initial post?

    /usr/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    /usr/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
What is the default gateway that is set on the 192.168.0.0 computers? Does it match the IP of the eth1 interface?
Yes, they are set to DHCP and the gateway is this host at 192.168.0.2. For example:
C:\Users\mark.HPRS>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : hprs.local
   Link-local IPv6 Address . . . . . : fe80::286e:664d:27b7:eb1b%13
   IPv4 Address. . . . . . . . . . . : 192.168.0.58
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.2

Tunnel adapter isatap.hprs.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hprs.local

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected


in /etc/sysctl.conf
Do you have forwarding enabled?
net.ipv4.ip_forward = 1
Yes:
$ cat /proc/sys/net/ipv4/ip_forward
1


There are several references on setting up linux as a router.
The routing isn't the problem; I've set up several Linux hosts as routers. I can route just fine using only the NAT rules. My problem is the drop rules. I'm doing something to prevent LAN hosts from using this computer for DNS. They can't resolve each other and they can't resolve external domains.

gheist:
You don't seem to NAT the traffic from that address
Yes, see lines 33,34 in my initial src posting.
nor do you have a single interface in that network.
Don't know what you mean by that. Please clarify.
Can you post the output of "iptables-save"?
Yes, but it will have to be tomorrow when I'm in front of the console so I can fix things when I mess up the LAN.
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
What is the ip on the eth1 interface?
Can you post the routing table from the linux box?


iptables-save on several platforms is the script which you originally posted.
Second section.

Oh, you allow traffic to pass through, but I'm not sure you are allowing traffic to hit port 53 on the host. Did you bind the name service (bind) to a specific IP, or is it listening on all?

Add
iptables -I INPUT 6 -i eth1 -p udp -m udp -j ACCEPT

You currently accept all TCP connections, but you are not allowing UDP from the LAN; it is implicitly denied by the policy.

My guess is you cannot do any UDP from the LAN.
0
 
LVL 76

Expert Comment

by:arnold
Can you ping www.experts-exchange.com from the LAN?

Just looking to confirm whether your INPUT line 6, for traffic coming in via eth1, limits the LAN to TCP traffic only.
0
 
LVL 1

Author Comment

by:jmarkfoley
Sorry for the delay ... lots of gnats to swat on this one.

gheist:
Can you post the output of "iptables-save"?
Here it is:
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*raw
:PREROUTING ACCEPT [114:10002]
:OUTPUT ACCEPT [66:6316]
COMMIT
# Completed on Sun Feb 22 19:51:57 2015
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*mangle
:PREROUTING ACCEPT [114:10002]
:INPUT ACCEPT [110:9828]
:FORWARD ACCEPT [4:174]
:OUTPUT ACCEPT [66:6316]
:POSTROUTING ACCEPT [70:6490]
COMMIT
# Completed on Sun Feb 22 19:51:57 2015
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*nat
:PREROUTING ACCEPT [15:1500]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:328]
:POSTROUTING ACCEPT [1:328]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1901 -j DNAT --to-destination 192.168.0.100:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1903 -j DNAT --to-destination 192.168.0.4:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1904 -j DNAT --to-destination 192.168.0.50:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1905 -j DNAT --to-destination 192.168.0.51:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1906 -j DNAT --to-destination 192.168.0.52:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1907 -j DNAT --to-destination 192.168.0.53:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1908 -j DNAT --to-destination 192.168.0.54:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1909 -j DNAT --to-destination 192.168.0.55:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1910 -j DNAT --to-destination 192.168.0.56:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1911 -j DNAT --to-destination 192.168.0.57:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1912 -j DNAT --to-destination 192.168.0.58:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1913 -j DNAT --to-destination 192.168.0.59:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1902 -j DNAT --to-destination 192.168.0.101:3389
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Feb 22 19:51:57 2015
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*filter
:INPUT DROP [19:2812]
:FORWARD ACCEPT [2:85]
:OUTPUT ACCEPT [66:6316]
:checkcount - [0:0]
:logdrop - [0:0]
-A INPUT -s 76.181.64.0/23 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 96.11.168.98/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i -eth0 -p tcp -m multiport --dports 1901:1902
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j checkcount
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 3 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 25,80,443 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A checkcount -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A checkcount -m recent --rcheck --hitcount 12 --name DEFAULT --mask 255.255.255.255 --rsource -j logdrop
-A checkcount -j RETURN
-A logdrop -j LOG --log-prefix "SSH Break-in attempt " --log-level 6
-A logdrop -j DROP
COMMIT
# Completed on Sun Feb 22 19:51:57 2015


Arnold:
What is the ip on the eth1 interface?
192.168.0.2
Can you post the routing table from the linux box?
Will do so after work hours when I put the firewall back without messing up staff.
you are not allowing UDP from the LAN; it is implicitly denied by the policy.
Aha! This may very well be the problem! I will try that this evening.
0
 
LVL 76

Expert Comment

by:arnold
Try this before going further: from the LAN, browse to http://54.209.131.74 (the EE web server).
This will confirm whether the issue is a failure to look up the address versus an inability to get through to the Internet.
0
 
LVL 1

Author Comment

by:jmarkfoley
Arnold:
you are not allowing UDP from the LAN; it is implicitly denied by the policy.
I added: iptables -A INPUT -i eth1 -p udp -j ACCEPT

and that does seem to have fixed it! I wasn't thinking about DNS being udp. I'll continue watching this to make sure.
Can you post the routing table from the linux box?
Here it is:
$ route -vv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         <REDACTED>    0.0.0.0         UG    1      0        0 eth0
64.129.23.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1


Try this before going further: from the LAN, browse to http://54.209.131.74 (the EE web server).
This will confirm whether the issue is a failure to look up the address versus an inability to get through to the Internet.
Hmmm, not sure what this is telling me. When going to that IP from a client workstation I got (from EE):

An unexpected error occured during your request.
For immediate assistance please contact Customer Service.
Details: (Type: com.ee.common.exception.ExpectedException)
Caused By: (Type: com.ee.common.exception.CMSSiteNotDefinedException)

But I can browse to google and other external webpages.

What do you think?
0
 
LVL 76

Expert Comment

by:arnold
Hi mark,

Should have checked before posting the IP as a test; the site is name-based and seems not to like access by IP.

Glad to hear the addition of the UDP rule solved the issue.
ICMP is the only one currently missing from being allowed from the LAN to the outside.
0
 
LVL 1

Author Comment

by:jmarkfoley
Arnold:
Redacted the IP referenced as the gateway
Thanks.
ICMP is the only one currently missing from being allowed from the LAN to the outside.
From LAN to outside should be all permitted with rule:

/usr/sbin/iptables -P OUTPUT ACCEPT

Right? I can ping anyone inside or outside the LAN:
$ ping yahoo.com
PING yahoo.com (206.190.36.45) 56(84) bytes of data.
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=1 ttl=50 time=73.0 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=2 ttl=50 time=75.1 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=3 ttl=50 time=71.2 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=4 ttl=50 time=74.9 ms


0
 
LVL 1

Author Closing Comment

by:jmarkfoley
Things seem to be working just fine. Apparently my problem was not permitting DNS on udp. If more issues crop up I'll post another question.
0
 
LVL 61

Expert Comment

by:gheist
I managed to load your iptables-save into fwbuilder.
What does sysctl net.ipv4.ip_forward
say? Must be 1 for *ROUTING tables to work.
0
 
LVL 1

Author Comment

by:jmarkfoley
gheist:
What does sysctl net.ipv4.ip_forward
say? Must be 1 for *ROUTING tables to work.
Yes, it is set to 1.

The problem was that I didn't enable DNS for udp. Once I did that, problem solved. I forgot that DNS uses udp on port 53.
0
 
LVL 61

Expert Comment

by:gheist
NTP uses UDP on port 123.
0
 
LVL 1

Author Comment

by:jmarkfoley
Thanks! I think I might need that too.
0
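Pulling the thread's findings together: arnold's point that the only LAN rule in INPUT matches TCP SYNs, so UDP from eth1 falls through to the DROP policy; the author's `-p udp` rule that fixed DNS; and the later notes that ICMP and NTP (UDP/123) need LAN rules too. The script below is an added example, not code from any poster. It walks an INPUT chain the way the kernel does, first match wins and the chain policy applies when nothing matches, over a rule list constructed from the poster's own iptables-save dump, and shows the verdict for a handful of constructed packets before and after the fix. The function names (`rule_matches`, `verdict`, `show`) and the sample packets are mine; the fixed ruleset restricts UDP to `--dport 53` and `--dport 123`, which is tighter than the poster's bare `-p udp` rule and assumes DNS and NTP are the only UDP services the router offers to the LAN.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal first-match simulator for
# an iptables INPUT chain. Only the options used in the rules below are
# understood: -i, -p, --dport, --state, --tcp-flags (treated as "opening SYN
# of a NEW TCP connection") and -j. Anything else makes the rule not match.

# Constructed from the INPUT chain in the poster's iptables-save dump,
# reduced to the rules that matter for LAN-originated traffic.
ORIGINAL_RULES='
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
'

# Same chain plus LAN rules for DNS and NTP over UDP and for ICMP
# (assumption: those are the only UDP services the router offers the LAN).
FIXED_RULES='
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -i eth1 -p icmp -j ACCEPT
'
POLICY=DROP   # the poster's INPUT policy

# rule_matches IFACE PROTO DPORT STATE <rule tokens...>
# Returns 0 when every match option in the rule is satisfied by the packet.
rule_matches() {
    p_if=$1; p_proto=$2; p_dport=$3; p_state=$4
    shift 4
    while [ $# -gt 0 ]; do
        case $1 in
            -i)      [ "$2" = "$p_if" ]    || return 1; shift ;;
            -p)      [ "$2" = "$p_proto" ] || return 1; shift ;;
            --dport) [ "$2" = "$p_dport" ] || return 1; shift ;;
            --state) case ",$2," in *",$p_state,"*) ;; *) return 1 ;; esac; shift ;;
            # "--tcp-flags FIN,SYN,RST,ACK SYN" is what --syn expands to: it
            # matches only the opening SYN of a new TCP connection. A UDP
            # datagram can never match it, which is the whole problem above.
            --tcp-flags) { [ "$p_proto" = tcp ] && [ "$p_state" = NEW ]; } || return 1; shift 2 ;;
            -A|-m|-j) shift ;;   # chain name, match module, target: no effect on matching
            *) printf 'unsupported option %s\n' "$1" >&2; return 1 ;;
        esac
        shift
    done
    return 0
}

# verdict RULES IFACE PROTO DPORT STATE
# Walks the chain top to bottom and prints the target of the first matching
# rule, or the chain policy when nothing matches (the implicit deny).
verdict() {
    rules=$1; shift
    while read -r rule; do
        [ -n "$rule" ] || continue
        # shellcheck disable=SC2086  # splitting the rule into tokens is intended
        if rule_matches "$@" $rule; then
            printf '%s\n' "${rule##* -j }"
            return 0
        fi
    done <<EOF
$rules
EOF
    printf '%s\n' "$POLICY"
}

# Constructed sample packets: the first packet of a new flow, except the last.
show() {
    printf '%-5s %-5s %-4s %-12s original=%-7s fixed=%s\n' "$1" "$2" "$3" "$4" \
        "$(verdict "$ORIGINAL_RULES" "$@")" "$(verdict "$FIXED_RULES" "$@")"
}
show eth1 tcp  80  NEW          # LAN host opening a TCP connection to the router
show eth1 udp  53  NEW          # LAN host's DNS query: hits the DROP policy before the fix
show eth1 udp  123 NEW          # LAN host's NTP query
show eth1 icmp -   NEW          # LAN host pinging the router
show eth0 udp  53  NEW          # DNS from the Internet side stays closed either way
show eth1 udp  53  ESTABLISHED  # reply traffic, matched by the state rule
```

Run it with `sh` on any box; it needs no root and touches no real firewall. On the real router the same fall-through is visible in the counters the poster already printed: `Chain INPUT (policy DROP 21 packets, ...)` is where the unmatched LAN DNS queries ended up, so watching that counter climb while a LAN host runs a lookup confirms the diagnosis before any rule is changed. Two further points from the dump: OUTPUT governs only packets the router itself generates, so LAN-to-Internet traffic is decided by FORWARD (ACCEPT here) and traffic addressed to the router by INPUT; and the rule `-A INPUT -i -eth0 -p tcp -m multiport --dports 1901:1902` has a mistyped interface name and no `-j` target, so it only counts packets and never affects a verdict.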
