iptables help needed

François Patte francois.patte at math-info.univ-paris5.fr
Tue Jun 3 07:21:58 UTC 2008



Le 03.06.2008 02:26, Simon Slater a écrit :
| On Mon, 2008-06-02 at 11:17 +0200, François Patte wrote:
|> Le 02.06.2008 10:26, Simon Slater a écrit :
|> | 	G'day all,
|> | 		I've been plugging away at this for some time and have no idea which
|> | direction to turn.  The iptables on a gateway box (FC6) is blocking
|> | access to the internet from a laptop (F8).  On each attempt to access
|> | the internet, the gateway responds with a reset.
|> |
|> | 	I have turned on everything in iptables using lokkit and
|> | system-config-iptables, with some hand editing to boot (guided by
|> | various howto's), probably allowing more than I need, but cannot get the
|> | laptop out through the firewall.
|>
|> What is the result of:
|>
|> cat /proc/sys/net/ipv4/ip_forward
|>
| 1
|
| 	This morning I flushed the iptables rules to see what would happen and
| the gateway still sends the reset.

I don't understand what you mean by "reset".

I don't know how these system-config-iptables/whatever are working, but
you can try this:

first: iptables -L > rules-iptables_orig

second: execute (as root) this script:

#<---begin
#!/bin/sh
# Anti-spoofing: handled by netfilter (reverse path filter)
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
  for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
  do
    echo 1 > $filtre
  done
fi

IPTABLES=/sbin/iptables
EXTERNAL_DEVICE=ppp0
INTERNAL_DEVICE=eth0


# Flush all existing rules before applying
# the new firewall rules

$IPTABLES -F
$IPTABLES -X

$IPTABLES -t nat -F
$IPTABLES -t nat -X

# Global policy: drop everything that is not explicitly allowed
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# New chains:
# log and drop
$IPTABLES -N LOG_DROP
$IPTABLES -A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-level 4
$IPTABLES -A LOG_DROP -j DROP

# log and accept
$IPTABLES -N LOG_ACCEPT
$IPTABLES -A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-level 4
$IPTABLES -A LOG_ACCEPT -j ACCEPT

# Everything is accepted on lo
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT


# Web browsing allowed: incoming packets are only accepted
# if they belong to an already established connection
# http:80, https:443
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp -m multiport --sport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT  -i $EXTERNAL_DEVICE -p tcp  -m multiport --sport 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT  -i $EXTERNAL_DEVICE -p tcp  -m multiport --dport 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT

# DNS for the server itself
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT


# SMTP (25) and NEWS (119) outbound to the internet
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp -m multiport --dport 25,119 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp -m multiport --sport 25,119 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --dport 25 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

# ftp: packets are only accepted if they belong to a connection
# that was established outbound
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp  --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp  --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# LAN
#

# Traffic on the LAN is accepted in every direction
$IPTABLES -A INPUT -i $INTERNAL_DEVICE -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_DEVICE -d 192.168.1.0/24 -j ACCEPT

# Masquerading (not restricted with -o $EXTERNAL_DEVICE, so it applies
# to LAN sources leaving on any interface)
#$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_DEVICE -j LOG --log-prefix "[IPTABLES MASQ]"
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# DHCP on the LAN
$IPTABLES -A INPUT -i $INTERNAL_DEVICE -p udp -s 0.0.0.0/32 --sport 68 -d 255.255.255.255/32 --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_DEVICE -p udp -s 0.0.0.0/32 --sport 67 -d 255.255.255.255/32 --dport 68 -j ACCEPT

# "forwarding"

# dns
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p tcp --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p udp --sport 53 -j ACCEPT

# web browsing
$IPTABLES -A FORWARD -i $EXTERNAL_DEVICE -o $INTERNAL_DEVICE -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNAL_DEVICE -i $INTERNAL_DEVICE -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_DEVICE -o $INTERNAL_DEVICE -p udp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNAL_DEVICE -i $INTERNAL_DEVICE -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

# mail
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p tcp --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p tcp --dport 25 -j ACCEPT

# news
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p tcp --dport 119 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p tcp --sport 119 -j ACCEPT

# cups
$IPTABLES -A INPUT -p tcp -i $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT
$IPTABLES -A INPUT -p tcp -i $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT

$IPTABLES -A INPUT -p udp -i $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT
$IPTABLES -A INPUT -p udp -i $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT

# The server itself is allowed to connect to hosts on the LAN
$IPTABLES -A OUTPUT -o $INTERNAL_DEVICE -s 192.168.1.1 -d 192.168.1.0/24 -j ACCEPT

# Anything that reaches this point without matching a rule is logged and dropped
$IPTABLES -A FORWARD -j LOG_DROP
$IPTABLES -A INPUT -j LOG_DROP
$IPTABLES -A OUTPUT -j LOG_DROP

# Enable "ip forwarding"

echo 1 > /proc/sys/net/ipv4/ip_forward
#<-----end

You may want to change the IP addresses 192.168.1.* to fit your own LAN.

Try some internet browsing from your laptop and see if it works.

third: iptables -L > iptables-rules_new

And compare, and try to guess what has to be changed in your use of
system-config-iptables.

--
François Patte
UFR de mathématiques et informatique
Université Paris Descartes
45, rue des Saints Pères
F-75270 Paris Cedex 06
Tél. +33 (0)1 44 55 35 61
http://www.math-info.univ-paris5.fr/~patte
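An added check for the "compare" step, written here and not part of the mail above: it reads an iptables-save style dump for the things the gateway script relies on (a FORWARD ACCEPT from the LAN interface to the external one, a MASQUERADE rule, ip_forward set to 1) and flags any REJECT rule with --reject-with tcp-reset, since that target is what makes a gateway answer a refused TCP connection with a reset. The two dumps are constructed, and the interface names eth0/ppp0 are assumed from the script.

```shell
#!/bin/sh
# Added example, not from the original mail: sanity-check an iptables-save
# style dump. Sample dumps are constructed; eth0 = LAN, ppp0 = internet.
# Constructed dump of a gateway that cannot pass LAN traffic: no FORWARD ACCEPT,
# no MASQUERADE, and a REJECT that answers TCP with a reset (seen as "reset").
BROKEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
# Constructed dump with the forwarding and masquerade rules of the script.
WORKING_DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ppp0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT'
# forward_policy DUMP: print the FORWARD chain's default policy.
forward_policy() { printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'; }
# has_forward_accept DUMP LAN_IF WAN_IF: some FORWARD rule accepts LAN -> internet.
has_forward_accept() { printf '%s\n' "$1" | grep -Eq "^-A FORWARD .*-i $2 .*-o $3 .*-j ACCEPT"; }
# has_masquerade DUMP: nat POSTROUTING rewrites the LAN source addresses.
has_masquerade() { printf '%s\n' "$1" | grep -Eq '^-A POSTROUTING .*-j MASQUERADE'; }
# has_tcp_reset_reject DUMP: a rule answers TCP with RST instead of dropping.
has_tcp_reset_reject() { printf '%s\n' "$1" | grep -q -- '--reject-with tcp-reset'; }
# check_gateway DUMP IP_FORWARD LAN_IF WAN_IF: print findings and return the
# number of problems (0 = the LAN should be able to get out).
check_gateway() {
  problems=0
  echo "FORWARD policy: $(forward_policy "$1")"
  [ "$2" = 1 ] || { echo "ip_forward is '$2', must be 1"; problems=$((problems + 1)); }
  has_forward_accept "$1" "$3" "$4" || { echo "no FORWARD ACCEPT $3 -> $4"; problems=$((problems + 1)); }
  has_masquerade "$1" || { echo "no MASQUERADE in nat POSTROUTING"; problems=$((problems + 1)); }
  has_tcp_reset_reject "$1" && { echo "a REJECT --reject-with tcp-reset rule answers with resets"; problems=$((problems + 1)); }
  return $problems
}
# On the real gateway pass "$(iptables-save)" and "$(cat /proc/sys/net/ipv4/ip_forward)".
check_gateway "$BROKEN_DUMP" 1 eth0 ppp0 || echo "broken gateway: $? problem(s)"
check_gateway "$WORKING_DUMP" 1 eth0 ppp0 && echo "working gateway: ok"
```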




More information about the fedora-list mailing list