On Thu, Apr 28, 2005 at 11:22:21AM +0500, varun_saa@xxxxxxxx wrote:
> Hello,
> My server is om Mandrake 10.1
> eth0 is WAN with static IP connected to 512K DSL.
> eth1 is LAN - 192.168.0.0/24.
>
> I have the iptables rules :
>
> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o eth0 -j MASQUERADE
so you MASQ all outbound traffic
> COMMIT
> # Completed on Tue Apr 26 14:50:01 2005
> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
> *mangle
> :PREROUTING ACCEPT [707:100355]
> :INPUT ACCEPT [704:99811]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [541:74129]
> :POSTROUTING ACCEPT [611:85191]
> COMMIT
> # Completed on Tue Apr 26 14:50:01 2005
> # Generated by iptables-save v1.2.9 on Tue Apr 26 14:50:01 2005
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [0:0]
the policies of FORWARD and OUTPUT are set to ACCEPT.
> -A INPUT -j ACCEPT
and hey--so is INPUT. no further rule in INPUT will ever be matched as
you just accepted all packets.
> -A INPUT -s 127.0.0.1 -j ACCEPT
normally written as "-A INPUT -i lo -j ACCEPT"
> -A INPUT -p tcp -m tcp -i eth1 --dport 3128 --sport 80 -j ACCEPT
the source port of traffic destined to a squid proxy is not 80, it's
1024:65535...why do i *constantly* see this in rules sets?
> -A INPUT -p udp -m udp -i eth1 --dport 3128 --sport 80 -j ACCEPT
and it's tcp only, not udp.
> -A INPUT -s 62.0.0.0/255.0.0.0 -i eth0 -j REJECT
> -A INPUT -p tcp -m tcp -s 217.81.0.0/255.255.0.0 -i eth0 -j REJECT
> -A INPUT -i eth0 -j DROP
> -A INPUT -p tcp -m tcp -i eth1 --sport 80 -j DROP
> -A INPUT -m state -i eth1 --state ESTABLISHED,RELATED -j ACCEPT
again--all of those are completely irrelevant. good thing too--since
you're not allowing any ESTABLISHED,RELATED to come back through eth0,
which i guess is pretty secure, but it'd be less hassle to just power
off the firewall and cancel your ISP service.
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -p tcp -i eth1 -o eth0 --dport 25 --sport 1024: -j ACCEPT --syn
> -A FORWARD -p tcp -i eth1 -o eth0 --dport 110 --sport 1024: -j ACCEPT --syn
> -A FORWARD -p tcp -i eth1 -o eth0 --dport 1863 --sport 1024: -j ACCEPT --syn
> -A FORWARD -p tcp -i eth1 -o eth0 --dport 5050 --sport 1024: -j ACCEPT --syn
those all look pretty good; but remember, you set the policy of FORWARD
to ACCEPT, so any packets not matching the above rules will make it
through anyways.
> -A OUTPUT -p udp --dport 53 --sport 1024: -j ACCEPT
> -A OUTPUT -p tcp -m owner -o eth0 --dport 80 --sport 1024: --uid-owner squid -j ACCEPT --syn
nice work there. oh, and since the policy of OUTPUT is ACCEPT, all
other output traffic is allowed out anyways.
> I would like to bypass squid proxy and do
> a NAT for a client - 192.168.0.253.
i can't see how that would possibly be dropped anyways, but:
-A FORWARD -i eth1 -o eth0 -p tcp --syn -s 192.168.0.253 \
--sport 1024: --dport 80 -j ACCEPT
you'd probably also need to allow DNS resolution for that client as well
(unless you have an internal DNS server):
-A FORWARD -i eth1 -o eth0 -p udp -s 192.168.0.253 \
--sport 1024: --dport 53 -j ACCEPT
you already have the necessary MASQ rule.
-j
--
"Stewie: For God's sake, shake me. Shake me like a British nanny."
--Family Guy
