Ralf, et al --

...and then Ralf Spenneberg said...
%
% Dear David,
%
% > % > iptables -A FORWARD -i eth1 -o eth1 -j REJECT
% > % What are you trying to achieve?
% > % These rules do not allow any traffic through your firewall (Forward
% > % REJECT).
% >
% > As I said, I was lifting from the HOWTO :-) I thought that that rule
% > rejected anything coming in on eth1 (external interface) that was due to
% > go back out on eth1.
% Sorry, my mistake. You are right. I apparently assumed you meant -i eth1
% -o eth0.

Well, either that or you believed what I wrote :-)

%
% > I'm not sure why I want to do postrouting going out the LAN interface; I
% > thought that NAT was for internal machines trying to get out. I *think*
% > that what I want is SNAT == source translation, and the NAT HOWTO doesn't
% > talk about DNAT == destination translation so I don't know that it's
% > needed -- but, of course, also don't really know about what I'm speaking.
%
% > % > [Oh, phooey -- I just realized that I had a typo, and you're obviously
% > going from what I wrote! eth0 is the LAN and eth1 is the WAN; sorry!]
% Ok, let's get this straight. You are protecting internal clients which
% want to access the internet. You need Source NAT and the NAT rules are

Yep.

% applied in the Postrouting chain on the external interface:

OK...

%
% EXTIF=eth1

Quite helpful :-)

% iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

OK. So this is stuff going out on the external interface that needs to be
readdressed. And I turn on forwarding in the kernel, and packets come to
the internal interface bound for something on the external side, and so
the kernel knows to just forward them, right?

%
% > This is one test case that I didn't try since the firewall was otherwise
% > locked up.
% What do you mean by locked up?

I couldn't connect to it at all. Upon reflection I realize that that is a
lousy term, since it was probably running happily even if without any
network access.

%
% > % > % OUTPUT only filters packets originating on the local machine
% > % FORWARD only sees those packets not covered by INPUT and OUTPUT being
% > % forwarded by the firewall.
% >
% > OK. But this FORWARD is different from the NAT forward, right?
% There is no nat FORWARD chain. The nat table only has: PREROUTING and
% OUTPUT for Destination NAT and POSTROUTING for Source NAT.

Ahhh...

% Defining a rule in POSTROUTING only defines the NAT, not the filter rules.

OK. So do we need filter table rules to allow packets through, then? Just
turning on NAT isn't enough, right? Or is the default policy to accept
everything and so it's allowed?

%
% > I'm close, I think. I'd start with
% > ...
% > # returning connections through
% > iptables -t filter -A FORWARD -m match --match RELATED,ESTABLISHED -j ACCEPT
% Do not forget to turn routing on:
% echo 1 > ...

Oops. Thanks :-)

% >
% > to allow things like pings to go out and in. Then I'd need
% >
% > # incoming to
% > iptables -t filter -A INPUT ACCEPT
% >
% > to just let everything going to the box -- like my ssh -- get there. Not
% > yet secure, but a start, right?
% Yes. But if you just want to allow ssh and web, do the following:

Well, so far it's ssh, telnet, web, mysql, and maybe ftp. It's a pretty
short list, though. Hmmm... Maybe DNS queries out, and ping bouncing both
from the box and through the box.

% # Allow ssh and web access to the firewall box
% iptables -t filter -A INPUT -i $EXTIF -m match NEW,RELATED,ESTABLISHED
% -j ACCEPT
% # Allow the firewallbox to answer
% iptables -t filter -A OUTPUT -o $EXTIF -m match RELATED,ESTABLISHED -j
% ACCEPT

I don't get it... How does this allow only those few? It seems as though
the lack of a dport specifier would allow anything inbound (but not
through-bound, 'cuz that's rule FORWARD) on the external interface...

%
% # Block everything else
% iptables -t filter -P INPUT DROP
% iptables -t filter -P OUTPUT DROP
% iptables -t filter -P FORWARD DROP

That's the last thing to add :-) So the current attempt is attached;
please take a peek at it.

%
%
% Cheers,

Thanks again & HAND

:-D
-- 
David T-G                      * There is too much animal courage in
(play) davidtg@xxxxxxxxxxxxxxx * society and not sufficient moral courage.
(work) davidtgwork@xxxxxxxxxxxxxxx  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/    Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
#!/bin/sh

EXTIF=eth1
INTIF=eth0

# load module
modprobe ipt_MASQUERADE

# flush everything
iptables -F; iptables -t nat -F; iptables -t mangle -F

# turn on NATting & forwarding
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

# accept returning ext packets
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept anything originating inside ("not ext")
iptables -t filter -A INPUT -m state --state NEW ! -i $EXTIF -j ACCEPT

# allow ssh & telnet
### and web and mysql? and anything?
### EXTIF plus INTIF 'cuz we might connect from inside... so skip the -i/-o?
# ("-m match" is not an iptables match; the state match is "-m state --state".
#  note: with no --dport these rules admit any NEW connection on the interface)
iptables -t filter -A INPUT -i $EXTIF -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o $EXTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i $INTIF -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop everything else
## iptables -t filter -P INPUT DROP
## iptables -t filter -P OUTPUT DROP
## iptables -t filter -P FORWARD DROP

# what do we have?
echo "---"
iptables -L
echo "---"
iptables -t nat -L
echo "---"
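Two questions run through the message above: whether turning on NAT is enough to let packets through (it is not; with a DROP policy the filter table's FORWARD chain must explicitly accept them), and whether an INPUT rule with no --dport admits everything inbound (it does). The rule set below is an added example written for this page; it is not the script attached above nor anything Ralf posted. It keeps the thread's layout (eth0 = LAN, eth1 = WAN) and assumes the firewall box offers ssh (tcp/22) and web (tcp/80) to the outside; the ipt, firewall_rules and count_wan_new_input_rules helpers and the FW_APPLY switch are this example's own. It uses -m state --state, as the attached script does in its first rules, since -m match is not an iptables match. Unless FW_APPLY=1 is set it prints the commands instead of loading them, so the rule set can be read over before it is applied as root.

```shell
#!/bin/sh
# Added example: stateful NAT firewall for a box with a LAN side (eth0) and a
# WAN side (eth1). Assumptions: the box itself serves ssh and web on the WAN.
EXTIF=eth1
INTIF=eth0
# TCP ports the firewall box accepts NEW connections on from the WAN (assumed).
INPUT_TCP_PORTS="22 80"

# Run iptables for real only when FW_APPLY=1; otherwise print the command.
ipt() {
    if [ "${FW_APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

firewall_rules() {
    # Clean slate in all three tables, including user-defined chains.
    ipt -F; ipt -X
    ipt -t nat -F; ipt -t nat -X
    ipt -t mangle -F; ipt -t mangle -X

    # Default deny. NAT alone lets nothing through: a masqueraded packet still
    # has to be accepted by the filter table's FORWARD chain.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Source NAT for LAN clients leaving on the WAN interface.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

    # Loopback traffic is always local.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to connections the box or the LAN already opened, in all chains.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NEW connections to the box from the WAN: only the listed ports. Without
    # --dport the rule would admit any inbound service, not just these.
    for p in $INPUT_TCP_PORTS; do
        ipt -A INPUT -i "$EXTIF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # From the LAN the box may be reached on anything (ssh, web, mysql inside).
    ipt -A INPUT -i "$INTIF" -m state --state NEW -j ACCEPT

    # The box may open its own connections (DNS lookups, outbound ssh, ...).
    ipt -A OUTPUT -m state --state NEW -j ACCEPT

    # LAN clients may open connections out to the WAN; nothing NEW comes in.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW -j ACCEPT

    # Routing must be on, or the FORWARD chain never sees a packet.
    if [ "${FW_APPLY:-0}" = "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

# Review aid: how many rules accept brand-new connections arriving on the WAN
# interface of the box itself (should equal the number of published ports).
count_wan_new_input_rules() {
    firewall_rules | grep -c -- "-A INPUT -i $EXTIF .*--state NEW"
}

firewall_rules
```

Run it once without FW_APPLY to read the generated rules; the count helper is a quick check that the only NEW connections the WAN side can open to the box are the published ports, which is exactly the difference between this rule set and the --dport-less rule the message questions.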