Mark
asked on
can't figure out problem with iptables
I have a Linux host as router/firewall/LAN-DNS. It has 2 NICs: eth0 is connected to the Internet and eth1 is connected to the internal LAN. I've attempted to set up an iptables firewall with a minorly modified version of a script I use elsewhere, but when I run the script, no LAN hosts (192.168.0.0/24) can connect to other LAN hosts or get to the Internet. I can't see what's wrong. Here's my script:
# Initialize things
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -P PREROUTING ACCEPT
/usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
/usr/sbin/iptables -t nat -P OUTPUT ACCEPT
/usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
/usr/sbin/iptables -t mangle -P INPUT ACCEPT
/usr/sbin/iptables -t mangle -P FORWARD ACCEPT
/usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
/usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
/usr/sbin/iptables -t raw -P PREROUTING ACCEPT
/usr/sbin/iptables -t raw -P OUTPUT ACCEPT
/usr/sbin/iptables -F
/usr/sbin/iptables -F -t nat
/usr/sbin/iptables -F -t mangle
/usr/sbin/iptables -F -t raw
/usr/sbin/iptables -X
/usr/sbin/iptables -X -t nat
/usr/sbin/iptables -X -t mangle
/usr/sbin/iptables -X -t raw
# Turn off ACCEPT for all INPUT
/usr/sbin/iptables -P INPUT DROP
# Routing ...
/usr/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/usr/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
# Enable specific INPUT
/usr/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept everything on LAN interface
/usr/sbin/iptables -A INPUT -i eth1 -p tcp --syn -j ACCEPT
# Log attempt to break in via SSH
/usr/sbin/iptables -N logdrop
/usr/sbin/iptables -A logdrop -j LOG --log-level 6 --log-prefix "SSH Break-in attempt "
/usr/sbin/iptables -A logdrop -j DROP
/usr/sbin/iptables -N checkcount
/usr/sbin/iptables -A checkcount -m recent --set
/usr/sbin/iptables -A checkcount -m recent --rcheck --hitcount 12 -j logdrop
/usr/sbin/iptables -A checkcount -j RETURN
# Allow ssh for specific IP from the Internet (eth0)
/usr/sbin/iptables -I INPUT -i eth0 -p tcp -m tcp -s 96.11.168.98 --dport 22 -j ACCEPT
/usr/sbin/iptables -I INPUT -i eth0 -p tcp -m tcp -s 76.181.64.0/23 --dport 22 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --syn --dport 22 -i eth0 -j checkcount
/usr/sbin/iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -i eth0 --dport 22 -j
And here is `iptables -L -v -n --line-numbers`Chain INPUT (policy DROP 21 packets, 3641 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- eth0 * 76.181.64.0/23 0.0.0.0/0 tcp dpt:22
2 0 0 ACCEPT tcp -- eth0 * 96.11.168.98 0.0.0.0/0 tcp dpt:22
3 0 0 tcp -- -eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 1901:1902
4 103 11903 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 2 136 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
7 0 0 checkcount tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02
8 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 limit: avg 1/sec burst 3
9 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 multiport dports 25,80,443
Chain FORWARD (policy ACCEPT 6 packets, 615 bytes)
num pkts bytes target prot opt in out source destination
1 7 487 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 79 packets, 8684 bytes)
num pkts bytes target prot opt in out source destination
Chain checkcount (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: DEFAULT side: source mask: 255.255.255.255
2 0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
3 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SSH Break-in attempt "
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
I can't see why I lose all communication on 192.168.0.0/24. Ideas?
You dont seem to nat the traffic from that address nor you have a single interface in that network.
Can you post output of "iprables-save" ?
Can you post output of "iprables-save" ?
ASKER
Arnold:
/usr/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/usr/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
gheist:
You need to define a route (NAT) from eth1 through eth0Is than not what I have in lines 33,34 of my first source listing in initial post?
/usr/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/usr/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
What is the default gateway that is set on the 192.168.0.0 computers? Does it match the IP of the eth1 interface?Yes, they are set to DHCP and the gateway is this host at 192.168.0.2. For example:
C:\Users\mark.HPRS>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : hprs.local
Link-local IPv6 Address . . . . . : fe80::286e:664d:27b7:eb1b%13
IPv4 Address. . . . . . . . . . . : 192.168.0.58
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.2
Tunnel adapter isatap.hprs.local:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hprs.local
Tunnel adapter Local Area Connection* 12:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
in /etc/sysctl.confYes:
Do you have forwarding enabled?
net.ipv4.ip_forward = 1
$ cat /proc/sys/net/ipv4/ip_forward
1
There are several references on setting up linux as a router.The routing isn't the problem I've set up several Linux hosts as routers. I can route just fine using only the NAT rules. My problem are the drop rules. I'm doing something to prevent LAN hosts from using this computer for DNS. They can't resolve each other and they can't resolve external domains.
gheist:
You dont seem to nat the traffic from that addressyes, see lines 33,34 in my initial src posting.
nor you have a single interface in that network.Don't know what you mean by that. Please clarify.
Can you post output of "iprables-save" ?yes, but will have to be tomorrow when I'm in front of the console so I can fix when I mess up the LAN.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Can you ping https://www.experts-exchange.com from the LAN?
Just looking to confirm whether your input policy line 6 coming via eth1 limits Lan to tcp traffic only.
Just looking to confirm whether your input policy line 6 coming via eth1 limits Lan to tcp traffic only.
ASKER
Sorry for the delay ... lots of gnats to swat on this one.
gheist:
gheist:
Can you post output of "iprables-save" ?Here it is:
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*raw
:PREROUTING ACCEPT [114:10002]
:OUTPUT ACCEPT [66:6316]
COMMIT
# Completed on Sun Feb 22 19:51:57 2015
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*mangle
:PREROUTING ACCEPT [114:10002]
:INPUT ACCEPT [110:9828]
:FORWARD ACCEPT [4:174]
:OUTPUT ACCEPT [66:6316]
:POSTROUTING ACCEPT [70:6490]
COMMIT
# Completed on Sun Feb 22 19:51:57 2015
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*nat
:PREROUTING ACCEPT [15:1500]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:328]
:POSTROUTING ACCEPT [1:328]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1901 -j DNAT --to-destination 192.168.0.100:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1903 -j DNAT --to-destination 192.168.0.4:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1904 -j DNAT --to-destination 192.168.0.50:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1905 -j DNAT --to-destination 192.168.0.51:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1906 -j DNAT --to-destination 192.168.0.52:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1907 -j DNAT --to-destination 192.168.0.53:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1908 -j DNAT --to-destination 192.168.0.54:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1909 -j DNAT --to-destination 192.168.0.55:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1910 -j DNAT --to-destination 192.168.0.56:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1911 -j DNAT --to-destination 192.168.0.57:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1912 -j DNAT --to-destination 192.168.0.58:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1913 -j DNAT --to-destination 192.168.0.59:3389
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1902 -j DNAT --to-destination 192.168.0.101:3389
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Feb 22 19:51:57 2015
# Generated by iptables-save v1.4.20 on Sun Feb 22 19:51:57 2015
*filter
:INPUT DROP [19:2812]
:FORWARD ACCEPT [2:85]
:OUTPUT ACCEPT [66:6316]
:checkcount - [0:0]
:logdrop - [0:0]
-A INPUT -s 76.181.64.0/23 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 96.11.168.98/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i -eth0 -p tcp -m multiport --dports 1901:1902
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j checkcount
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 3 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 25,80,443 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A checkcount -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A checkcount -m recent --rcheck --hitcount 12 --name DEFAULT --mask 255.255.255.255 --rsource -j logdrop
-A checkcount -j RETURN
-A logdrop -j LOG --log-prefix "SSH Break-in attempt " --log-level 6
-A logdrop -j DROP
COMMIT
# Completed on Sun Feb 22 19:51:57 2015
Arnold:
What is the ip on the eth1 interface?192.168.0.2
Can you post the routing table from the linux box?Will do so after work hours when I put the firewall back without messing up staff.
you are not allowing udp from the LAN implicit deny by policy.Ah ah! This may very well be the problem! I will try that this evening.
try this before going from the lan browse to http://54.209.131.74 EE web server.
This will confirm whether the issue is the failure to lookup the address versus inability to get through to the internet.
This will confirm whether the issue is the failure to lookup the address versus inability to get through to the internet.
ASKER
Arnold:
and that does seem to have fixed it! I wasn't thinking about DNS being udp. I'll continue watching this to make sure.
An unexpected error occured during your request.
For immediate assistance please contact Customer Service.
Details: (Type: com.ee.common.exception.Ex pectedExce ption)
Caused By: (Type: com.ee.common.exception.CM SSiteNotDe finedExcep tion)
But I can browse to google and other external webpages.
What do you think?
you are not allowing udp from the LAN implicit deny by policy.I added: iptables -A INPUT -i eth1 -p udp -j ACCEPT
and that does seem to have fixed it! I wasn't thinking about DNS being udp. I'll continue watching this to make sure.
Can you post the routing table from the linux box?Here it is:
$ route -vv
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default <REDACTED> 0.0.0.0 UG 1 0 0 eth0
64.129.23.0 * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
try this before going from the lan browse to http://54.209.131.74 EE web server.Hmmm, not sure what this is telling me. When going to that IP from a client workstation I got (from EE):
This will confirm whether the issue is the failure to lookup the address versus inability to get through to the internet.
An unexpected error occured during your request.
For immediate assistance please contact Customer Service.
Details: (Type: com.ee.common.exception.Ex
Caused By: (Type: com.ee.common.exception.CM
But I can browse to google and other external webpages.
What do you think?
Hi mark,
Should have checked before posting the IP as a test, the site is named based seems to not like access by ip.
Glad to hear the addition of the udp rule solved the issue.
Icmp is the only one currently missing from being allowed from the LAN to the outside.
Should have checked before posting the IP as a test, the site is named based seems to not like access by ip.
Glad to hear the addition of the udp rule solved the issue.
Icmp is the only one currently missing from being allowed from the LAN to the outside.
ASKER
Arnold:
/usr/sbin/iptables -P OUTPUT ACCEPT
Right? I can ping anyone inside or outside the LAN:
Redacted the IP referenced as the gatewayThanks.
Icmp is the only one currently missing from being allowed from the LAN to the outside.From LAN to outside should be all permitted with rule:
/usr/sbin/iptables -P OUTPUT ACCEPT
Right? I can ping anyone inside or outside the LAN:
$ ping yahoo.com
PING yahoo.com (206.190.36.45) 56(84) bytes of data.
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=1 ttl=50 time=73.0 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=2 ttl=50 time=75.1 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=3 ttl=50 time=71.2 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=4 ttl=50 time=74.9 ms
ASKER
Things seem to be working just fine. Apparently my problem was not permitting DNS on udp. If more issues crop up I'll post another question.
I managed to load your iptables-save into fwbuilder.
What does sysctl net.ipv4.ip_forward
say? Must be 1 for *ROUTING tables to work.
What does sysctl net.ipv4.ip_forward
say? Must be 1 for *ROUTING tables to work.
ASKER
gheist:
The problem was that I didn't enable DNS for udp. Once I did that, problem solved. I forgot that DNS uses udp on port 53.
What does sysctl net.ipv4.ip_forwardYes, it is set to 1.
say? Must be 1 for *ROUTING tables to work.
The problem was that I didn't enable DNS for udp. Once I did that, problem solved. I forgot that DNS uses udp on port 53.
ntp uses udp on port 123
ASKER
Thanks! I think I might need that too.
What is the default gateway that is set on the 192.168.0.0 computers?
Does it match the IP of the eth1 interface?
in /etc/sysctl.conf
Do you have forwarding enabled?
net.ipv4.ip_forward = 1
There are several references on setting up linux as a router.
http://etutorials.org/Linux+systems/red+hat+linux+bible+fedora+enterprise+edition/Part+IV+Red+Hat+Linux+Network+and+Server+Setup/Chapter+16+Connecting+to+the+Internet/Setting+up+Red+Hat+Linux+as+a+Router/
You are on a slackware system, but the iptables rules/configuration should still apply.