iptables help needed
François Patte
francois.patte at math-info.univ-paris5.fr
Tue Jun 3 07:21:58 UTC 2008
On 03.06.2008 02:26, Simon Slater wrote:
| On Mon, 2008-06-02 at 11:17 +0200, François Patte wrote:
|>
|> On 02.06.2008 10:26, Simon Slater wrote:
|> | G'day all,
|> | I've been plugging away at this for some time and have no idea which
|> | direction to turn. The iptables on a gateway box (FC6) is blocking
|> | access to the internet from a laptop (F8). On each attempt to access
|> | the internet, the gateway responds with a reset.
|> |
|> | I have turned on everything in iptables using lokkit and
|> | system-config-iptables, with some hand editing to boot (guided by
|> | various howto's), probably allowing more than I need, but cannot
|> | get the laptop out through the firewall.
|>
|> What is the result of:
|>
|> cat /proc/sys/net/ipv4/ip_forward
|>
| 1
|
| This morning I flushed the iptables rules to see what would happen and
| the gateway still sends the reset.
I don't understand what you mean by "reset".
I don't know how these system-config-iptables/whatever tools work; you
can try this:
first: iptables -L > rules-iptables_orig
second: execute (as root) this script:
#<---begin
#!/bin/sh
# Antispoofing: handled by netfilter (reverse-path filtering)
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $filtre
    done
fi
IPTABLES=/sbin/iptables
EXTERNAL_DEVICE=ppp0
INTERNAL_DEVICE=eth0
# Flush all rules before applying
# the new firewall rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
# Global policy: drop everything that is not explicitly allowed
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# New chains:
# log and drop
$IPTABLES -N LOG_DROP
$IPTABLES -A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-level 4
$IPTABLES -A LOG_DROP -j DROP
# log and accept
$IPTABLES -N LOG_ACCEPT
$IPTABLES -A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : " --log-level 4
$IPTABLES -A LOG_ACCEPT -j ACCEPT
# Everything is accepted on lo
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Web browsing allowed: incoming connections are only accepted
# if they belong to an already established connection
# http:80, https:443
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp -m multiport --dport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp -m multiport --sport 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp -m multiport --sport 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp -m multiport --dport 80,443 -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS from the server itself
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# SMTP (25) and NEWS (119) outbound to the internet
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp -m multiport --dport 25,119 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp -m multiport --sport 25,119 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --dport 25 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# ftp: packets are only accepted when they belong to
# an established outbound connection
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# high port to high port (passive ftp data connections)
$IPTABLES -A OUTPUT -o $EXTERNAL_DEVICE -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_DEVICE -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN
#
# Traffic on the LAN is accepted in both directions
$IPTABLES -A INPUT -i $INTERNAL_DEVICE -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_DEVICE -d 192.168.1.0/24 -j ACCEPT
# Masquerading
#$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_DEVICE -j LOG --log-prefix "[IPTABLES MASQ]"
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
# DHCP on the LAN
$IPTABLES -A INPUT -i $INTERNAL_DEVICE -p udp -s 0.0.0.0/32 --sport 68 -d 255.255.255.255/32 --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_DEVICE -p udp -s 0.0.0.0/32 --sport 67 -d 255.255.255.255/32 --dport 68 -j ACCEPT
# "forwarding"
# dns
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p tcp --sport 53 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p udp --sport 53 -j ACCEPT
# browsing
$IPTABLES -A FORWARD -i $EXTERNAL_DEVICE -o $INTERNAL_DEVICE -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNAL_DEVICE -i $INTERNAL_DEVICE -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_DEVICE -o $INTERNAL_DEVICE -p udp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNAL_DEVICE -i $INTERNAL_DEVICE -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
# mail
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p tcp --sport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p tcp --dport 25 -j ACCEPT
# news
$IPTABLES -A FORWARD -i $INTERNAL_DEVICE -o $EXTERNAL_DEVICE -p tcp --dport 119 -j ACCEPT
$IPTABLES -A FORWARD -o $INTERNAL_DEVICE -i $EXTERNAL_DEVICE -p tcp --sport 119 -j ACCEPT
# cups
$IPTABLES -A INPUT -p tcp -i $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT
$IPTABLES -A INPUT -p tcp -i $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p tcp -o $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT
$IPTABLES -A INPUT -p udp -i $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT
$IPTABLES -A INPUT -p udp -i $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INTERNAL_DEVICE --sport 631 -j LOG_ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INTERNAL_DEVICE --dport 631 -j LOG_ACCEPT
# The server is allowed to connect to the LAN
$IPTABLES -A OUTPUT -o $INTERNAL_DEVICE -s 192.168.1.1 -d 192.168.1.0/24 -j ACCEPT
# Anything that gets here without matching a rule is logged and dropped
$IPTABLES -A FORWARD -j LOG_DROP
$IPTABLES -A INPUT -j LOG_DROP
$IPTABLES -A OUTPUT -j LOG_DROP
# Enable "ipforward"
echo 1 > /proc/sys/net/ipv4/ip_forward
#<-----end
You may want to change the IP addresses 192.168.1.* to fit your own LAN.
Try some internet browsing from your laptop and see if it works.
third: iptables -L > iptables-rules_new
Then compare and try to guess what has to be changed in your use of
system-config-iptables.
--
François Patte
UFR de mathématiques et informatique
Université Paris Descartes
45, rue des Saints Pères
F-75270 Paris Cedex 06
Tél. +33 (0)1 44 55 35 61
http://www.math-info.univ-paris5.fr/~patte
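The procedure in the reply is save the rules, load the script, test, save again, compare. The checker below is an added example, not part of the thread and not the script author's code; it automates the "compare" step by looking for the three things a NAT gateway needs before a LAN host can reach the internet: a MASQUERADE rule in nat POSTROUTING, a FORWARD rule that lets new connections out of the LAN, and a FORWARD rule that lets established replies back in. It reads iptables-save format rather than `iptables -L` output, because iptables-save prints one complete rule per line with the interface and match options spelled out, and it assumes the same interface names as the script (eth0 for the LAN, ppp0 for the internet; override with LAN_IF and EXT_IF). The sample ruleset embedded in it is constructed to mirror the FORWARD and MASQUERADE rules of the script. It goes one step beyond the post by also reporting which protocols the FORWARD path passes: the script above forwards only tcp and udp, so with it a LAN host can browse while a ping from it lands in LOG_DROP, which is worth knowing when a "ping the internet" test is what is being used to judge whether the gateway works.

```shell
#!/bin/sh
# Added example, not from the original post: check an iptables-save dump for
# the pieces a NAT gateway needs so that LAN hosts can reach the internet.
# Usage: sh check-gateway.sh /path/to/iptables-save-output
# With no argument the embedded constructed sample is checked instead.
# Interface names are assumptions matching the script in the post.
LAN_IF=${LAN_IF:-eth0}
EXT_IF=${EXT_IF:-ppp0}

# Constructed sample in iptables-save format, modelled on the post's rules
# (not a capture from a real gateway).
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
-A FORWARD -i eth0 -o ppp0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -p udp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_DROP
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-level 4
-A LOG_DROP -j DROP
COMMIT
EOF
}

# FORWARD rules that ACCEPT traffic from in-interface "$2" to out-interface "$3"
# in ruleset file "$1". The trailing space after the interface name keeps
# "eth0" from matching "eth01".
forward_accepts() {
    grep -e '^-A FORWARD ' "$1" | grep -e "-i $2 " | grep -e "-o $3 " | grep -e '-j ACCEPT$'
}

# Is LAN traffic source-NATed on the way out?
has_masquerade() {
    grep -q -e '^-A POSTROUTING .*-j MASQUERADE' "$1"
}

# May new connections leave the LAN for the internet?
has_forward_out() {
    forward_accepts "$1" "$LAN_IF" "$EXT_IF" | grep -q .
}

# May established replies come back from the internet to the LAN?
has_forward_return() {
    forward_accepts "$1" "$EXT_IF" "$LAN_IF" | grep -q ESTABLISHED
}

# Does the LAN-to-internet FORWARD path pass protocol "$2" (tcp, udp, icmp)?
# A rule carrying no -p match applies to every protocol.
forwards_proto() {
    rules=$(forward_accepts "$1" "$LAN_IF" "$EXT_IF" || true)
    printf '%s\n' "$rules" | grep -q -e "-p $2 " && return 0
    printf '%s\n' "$rules" | grep -e '^-A' | grep -q -v -e '-p '
}

# Is kernel forwarding switched on? "$1" is the sysctl file (default: live one).
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# One line per check; returns the number of hard failures (0 = gateway complete).
check_gateway() {
    fails=0
    for check in has_masquerade has_forward_out has_forward_return; do
        if "$check" "$1"; then echo "ok      $check"
        else echo "MISSING $check"; fails=$((fails + 1)); fi
    done
    for proto in tcp udp icmp; do
        if forwards_proto "$1" "$proto"; then echo "ok      FORWARD passes $proto"
        else echo "note    FORWARD does not pass $proto (a LAN ping would be dropped)"; fi
    done
    return "$fails"
}

# Stand-alone run: a file given as $1, otherwise the embedded sample.
if [ -n "$1" ]; then
    check_gateway "$1"
else
    tmp=$(mktemp); sample_ruleset > "$tmp"; check_gateway "$tmp"; rm -f "$tmp"
fi
```

On the gateway, `iptables-save > before` and `iptables-save > after` around loading the script give two files this can be run on; the exit status is the number of missing pieces, so it also works in a loop over several saved rulesets. The ip_forward check is kept separate because it reads the kernel sysctl, not the ruleset, and both have to be right.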