On Thursday 03 April 2003 10:49 am, Mike wrote:
> Joel,
> I tried forwarding ALL connections and then filtering by the
> forward chain but no luck. Once it reaches the PREROUTING chain and
> makes its decision does it pass any more chains? Or is that it. I have

It still passes the filter table chains, either INPUT or FORWARD.

> always read you don't want to filter in the NAT table and PREROUTING

That's right. In some circumstances traffic will bypass those chains.
(IE, you have an established connection that is being NATted, its
traffic will usually not appear in NAT PREROUTING, just the first
packet) Normally you should only have ACCEPT, DNAT, or REDIRECT targets
in that chain, and an ACCEPT policy. (The MIRROR target would be valid
there as well, and any traffic MIRRORed would NOT appear in any
subsequent chains... MIRROR should only be used if you really understand
what it is doing, really need it, and are really careful with it)

> doesn't have a filter table just a NAT & MANGLE. Any ideas?

Two. One is to try:

iptables -I FORWARD 1 -j LOG --log-prefix "FWDLOGALL:"

which will log every packet passing through the FORWARD chain, with
"FWDLOGALL" prepended to each entry. This will let you see precisely
what traffic is going through, and what it looks like (re IPs, ports,
etc). It can also potentially generate a huge number of log entries, so
don't leave it in any longer than necessary!

You can of course do the same thing with "-t nat -I PREROUTING 1" to see
ALL traffic that is presenting to the box, and narrow down either LOG
rule by matching IPs, ports, interface, etc. (although "-i" will only
match the physical interface)

I've just tested here and it works. (actually I already knew it would,
but wanted to generate the log entries :^) I set PREROUTING rules on my
gateway to LOG then DNAT all connections inbound on ppp0 to my desktop
machine, and LOG all traffic in FORWARD, then ssh'd back to myself from
a remote SSH session I had open.
The ssh connection was DNATted properly and it was LOGged in FORWARD.
Then it was subsequently DROPped since I only accept SSH connections in
FORWARD that originate on my desktop machine, and always LOG any DROPs
in FORWARD.

Apr 3 11:43:32 janus kernel: DNATTEST:IN=ppp0 OUT= MAC= SRC= {elided} DST=141.150.211.149 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=62380 DF PROTO=TCP SPT=35792 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 3 11:43:32 janus kernel: FWDLOG:IN=ppp0 OUT=eth1 SRC= {elided} DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=62380 DF PROTO=TCP SPT=35792 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 3 11:43:32 janus kernel: IPT:FORWARDdrop:IN=ppp0 OUT=eth1 SRC= {elided} DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=62380 DF PROTO=TCP SPT=35792 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

The other approach is to just DNAT the ports you need, and make sure you
DROP everything on INPUT. Since your scenario here is multiple IPs on a
single interface, each forwarding to a different local machine, the
first approach makes more sense - if you need to open/close ports to a
given local machine later then everything is already set up, you just
filter in the FORWARD chain as usual.

j

> -Mike
> ----- Original Message -----
> From: "Joel Newkirk" <netfilter@xxxxxxxxxx>
> To: "Mike" <mikeeo@xxxxxxx>; <netfilter@xxxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, April 02, 2003 3:56 PM
> Subject: Re: sub interface filtering
>
> On Wednesday 02 April 2003 01:45 pm, Mike wrote:
> > Hi guys I have the following setup and rules. And I can't seem to get
> > the filtering to work.
> >
> > iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28>
> > --dport 80 -j DNAT --to 192.168.1.197
> >
> > iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28>
> > --dport 443 -j DNAT --to 192.168.1.197
> > iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.197 -j SNAT --to
> > <routeable internetIP/28>
> >
> > but when I scan eth2:1 or eth2:2 from an outside machine I can see
> > ALL the local services (ssh, pptp, dns etc..) Is the connection not
> > passing the forwarding chain?
>
> You are DNATting dport 80 and dport 443, but the remainder of the
> ports are not being DNATted, so they still target the firewall box.
> You'd need to DNAT all connections to the specified IP, then DROP all
> except ports 80 and 443 in FORWARD to avoid this.
>
> Of course, this also shows that you are letting lots of (all?!?) ports
> through the INPUT chain to the box itself from outside, which you
> should lock down as well... A DROP policy on INPUT is called for,
> then ACCEPT required ports from eth2 for externally-accessed services
> (if any) and ACCEPT required (or all if desired) ports from the LAN
> machines.
>
> j
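Added example, not from the thread or either poster: a small sh script that prints, in iptables-restore format, the ruleset the replies describe for one public IP and one internal host (DNAT every TCP connection to that IP, DROP policy on INPUT, accept only the listed ports in FORWARD, LOG what falls through). The function name, the public IP 203.0.113.10, the interface names and the 192.168.1.0/24 LAN range are assumed placeholders.

```sh
#!/bin/sh
# Hypothetical helper (not from the thread): print an iptables-restore
# ruleset implementing the advice above for one public IP -> one host:
#  - nat PREROUTING: LOG (debug only; only the first packet of each
#    connection passes this chain), then DNAT *all* TCP to the public IP,
#    so no port stays aimed at the firewall box itself;
#  - filter INPUT: DROP policy, allow loopback, replies and the LAN;
#  - filter FORWARD: only the listed ports reach the host, the rest is
#    LOGged and falls to the DROP policy.
# Assumed placeholder: 192.168.1.0/24 is the LAN behind $lan_if.

gen_ruleset() {
    pub_ip=$1 wan_if=$2 lan_if=$3 host=$4 ports=$5
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # debugging rule from the thread: remove it once you have seen the traffic
    echo "-A PREROUTING -i $wan_if -d $pub_ip -j LOG --log-prefix \"DNATTEST:\""
    # DNAT every TCP connection, not just 80/443 (that was the original gap)
    echo "-A PREROUTING -i $wan_if -d $pub_ip -p tcp -j DNAT --to-destination $host"
    echo "-A POSTROUTING -o $wan_if -s $host -j SNAT --to-source $pub_ip"
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -i $lan_if -s 192.168.1.0/24 -j ACCEPT"
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # filtering happens here in FORWARD, never in nat PREROUTING
    for p in $ports; do
        echo "-A FORWARD -i $wan_if -o $lan_if -d $host -p tcp --dport $p -j ACCEPT"
    done
    echo "-A FORWARD -j LOG --log-prefix \"IPT:FORWARDdrop:\""
    echo 'COMMIT'
}

# usage: sh rules.sh 203.0.113.10 eth2 eth0 192.168.1.197 "80 443" | iptables-restore
if [ $# -eq 5 ]; then gen_ruleset "$@"; fi
```

Review the printed ruleset with `iptables-restore --test` before loading it; the PREROUTING LOG line is there only to reproduce the debugging step and should be removed afterwards.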