Problem with forwarding internal traffic


 



Hi,

I'm having problems with forwarding traffic coming from my LAN. All other things work fine. I think there is a problem with the return of the packets. I want to have all the policies in DROP state. My internal LAN is 10.0.0.0/8. Suggestions are welcome. Thanks in advance. Here is the script:
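#!/bin/sh
# Firewall Script v.0.2 - By BillieGDJoe (billiegdjoe@xxxxxxxxx)
# Created in 15/11/05
#
# Usage: $0 start|stop|open   (must be run as root)
#   start - flush all tables, set every policy to DROP and load the rule set
#   stop  - flush all tables and re-allow loopback (policies are left as they are)
#   open  - flush all tables and set every policy to ACCEPT
#
# All rules are driven by the variables below; port and network lists are
# whitespace-separated strings.

# Setting script variables:
# Path of iptables.  Can be overridden from the environment (e.g. to point at a
# wrapper that only prints the rules); otherwise looked up in PATH.
IPTABLES=${IPTABLES:-$(command -v iptables)}
# List of TCP and UDP ports which have services running in localhost,
# like SSHD and DNS:
ALLOW_TCP="22"
ALLOW_UDP="53"
# Our private network address with mask, like 192.168.0.0/24:
OUR_NETWORKS="10.0.0.0/8"
# Allow communication with these ports from localhost, like DNS:
ALLOW_CONNECT_TCP="21 22"
ALLOW_CONNECT_UDP="53"
# Allowed TCP ports that could be forwarded (used) in our network:
LAN_TCP_PORT="21 22 25 80 110"
# Allowed UDP ports that could be forwarded (used) in our network
# (forwarding of these is still commented out below, as in the original):
LAN_UDP_PORT="53"
# Non-routeable networks (protection against IP Spoofing):
#NON_ROUTEABLE="192.168.0.0/16 127.0.0.0/8 172.16.0.0/12 10.0.0.0/8 0.0.0.0/8 169.254.0.0/16 192.0.2.0/24 255.255.255.255/32"
NON_ROUTEABLE=""
# Setting interfaces and their MAC addresses:
ETH_WAN="eth0"
ETH_LAN="eth1"
ETH_WAN_MAC="00:40:33:AA:9E:53"
# ETH_LAN_MAC is not referenced by any rule; kept for configuration completeness.
# shellcheck disable=SC2034
ETH_LAN_MAC="00:40:F4:7C:95:07"
# Setting TCP and UDP PORT FORWARDING, like 6180:6180>192.168.0.3:
TCP_FORWARD=""
UDP_FORWARD=""
# Setting SSH Service to minimum delay, only if is true (only can be TRUE or FALSE):
SSH_ACCESS="TRUE"

#######################################
# Flush the filter, nat and mangle tables.
# Arguments: $1 - "zero" to also reset the packet/byte counters (-Z)
#######################################
flush_tables() {
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -F
    if [ "${1:-}" = "zero" ]; then
      "$IPTABLES" -t "$table" -Z
    fi
  done
}

#######################################
# Allow the loopback interface to reach local services.
#######################################
allow_loopback() {
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
}

#######################################
# Set the same policy on every built-in chain of filter, nat and mangle.
# Arguments: $1 - policy target (DROP or ACCEPT)
# NOTE(review): the nat table is consulted only for the first packet of a
# connection, so its chain policies are not a dependable filtering layer; the
# author asked for DROP everywhere, so it is kept, but the real access control
# should live in the filter table.
#######################################
set_policies() {
  policy=$1
  for chain in INPUT FORWARD OUTPUT; do
    "$IPTABLES" -t filter -P "$chain" "$policy"
  done
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPTABLES" -t nat -P "$chain" "$policy"
  done
  for chain in INPUT PREROUTING POSTROUTING FORWARD OUTPUT; do
    "$IPTABLES" -t mangle -P "$chain" "$policy"
  done
}

#######################################
# Log and reject packets arriving on the WAN with a non-routeable source.
# Globals: NON_ROUTEABLE, ETH_WAN, ETH_WAN_MAC (read)
#######################################
block_spoofed_sources() {
  [ -n "$NON_ROUTEABLE" ] || return 0
  for network in $NON_ROUTEABLE; do   # deliberate word-splitting of the list
    "$IPTABLES" -A INPUT -s "$network" -i "$ETH_WAN" -j LOG --log-prefix "TRYING TO FORGE A PRIVATE IP "
    "$IPTABLES" -A INPUT -s "$network" -i "$ETH_WAN" -j REJECT
    # Bug fix: the original passed the literal word ETH_WAN (missing "$") as the
    # interface name, so this FORWARD rule could never match.
    # NOTE(review): --mac-source is this host's own WAN MAC, while frames that
    # arrive on the WAN carry the upstream sender's MAC, so the match probably
    # never fires — confirm whether the MAC match is wanted at all.
    "$IPTABLES" -A FORWARD -s "$network" -i "$ETH_WAN" -m mac --mac-source "$ETH_WAN_MAC" -j REJECT
  done
}

#######################################
# Mark SSH traffic on both interfaces with TOS 16 (minimize-delay).
# Globals: SSH_ACCESS, ETH_WAN, ETH_LAN (read)
#######################################
set_ssh_tos() {
  [ "$SSH_ACCESS" = "TRUE" ] || return 0
  for iface in "$ETH_WAN" "$ETH_LAN"; do
    "$IPTABLES" -t mangle -A OUTPUT -o "$iface" -p tcp --dport 22 -j TOS --set-tos 16
    "$IPTABLES" -t mangle -A PREROUTING -i "$iface" -p tcp --sport 22 -j TOS --set-tos 16
  done
}

#######################################
# TOS marking for forwarded services (dns = 8, http = 4, ftp = 2).
# Globals: ETH_WAN, ETH_LAN (read)
#######################################
set_service_tos() {
  for spec in "udp 53 8" "tcp 80 4" "tcp 21 2"; do
    set -- $spec   # split "proto port tos"
    proto=$1
    port=$2
    tos=$3
    "$IPTABLES" -t mangle -A PREROUTING -i "$ETH_LAN" -p "$proto" --dport "$port" -j TOS --set-tos "$tos"
    "$IPTABLES" -t mangle -A PREROUTING -i "$ETH_WAN" -p "$proto" --sport "$port" -j TOS --set-tos "$tos"
    "$IPTABLES" -t mangle -A POSTROUTING -o "$ETH_WAN" -p "$proto" --dport "$port" -j TOS --set-tos "$tos"
  done
}

#######################################
# Accept ICMP (ping) in every table the script filters on.
#######################################
allow_icmp() {
  "$IPTABLES" -t mangle -A PREROUTING -p icmp -j ACCEPT
  "$IPTABLES" -t nat -A PREROUTING -p icmp -j ACCEPT
  "$IPTABLES" -t mangle -A INPUT -p icmp -j ACCEPT
  "$IPTABLES" -t filter -A INPUT -p icmp -j ACCEPT
  "$IPTABLES" -t mangle -A OUTPUT -p icmp -j ACCEPT
  "$IPTABLES" -t nat -A OUTPUT -p icmp -j ACCEPT
  "$IPTABLES" -t filter -A OUTPUT -p icmp -j ACCEPT
  "$IPTABLES" -t mangle -A POSTROUTING -p icmp -j ACCEPT
  "$IPTABLES" -t nat -A POSTROUTING -p icmp -j ACCEPT
}

#######################################
# Let localhost talk to remote services on the given ports (DNS, FTP, SSH...).
# Arguments: $1 - protocol (tcp|udp), $2 - whitespace-separated port list
# NOTE(review): accepting INPUT solely on the remote *source* port lets any host
# that binds its source port to one of these values reach every local service;
# an ESTABLISHED,RELATED state match would be the tighter way to admit replies.
#######################################
allow_connect_ports() {
  proto=$1
  for port in $2; do
    # Replies coming back from the remote service port:
    "$IPTABLES" -t mangle -A PREROUTING -p "$proto" --sport "$port" -j ACCEPT
    "$IPTABLES" -t nat -A PREROUTING -p "$proto" --sport "$port" -j ACCEPT
    "$IPTABLES" -t mangle -A INPUT -p "$proto" --sport "$port" -j ACCEPT
    "$IPTABLES" -t filter -A INPUT -p "$proto" --sport "$port" -j ACCEPT
    # Outgoing side, matched on source port first, then destination port
    # (same order as the original rule set):
    for match in --sport --dport; do
      "$IPTABLES" -t mangle -A OUTPUT -p "$proto" "$match" "$port" -j ACCEPT
      "$IPTABLES" -t nat -A OUTPUT -p "$proto" "$match" "$port" -j ACCEPT
      "$IPTABLES" -t filter -A OUTPUT -p "$proto" "$match" "$port" -j ACCEPT
      "$IPTABLES" -t mangle -A POSTROUTING -p "$proto" "$match" "$port" -j ACCEPT
      "$IPTABLES" -t nat -A POSTROUTING -p "$proto" "$match" "$port" -j ACCEPT
    done
  done
}

#######################################
# Open local service ports to the world.
# Arguments: $1 - protocol (tcp|udp), $2 - whitespace-separated port list
#######################################
open_local_ports() {
  proto=$1
  for port in $2; do
    "$IPTABLES" -t mangle -A PREROUTING -p "$proto" --dport "$port" -j ACCEPT
    "$IPTABLES" -t nat -A PREROUTING -p "$proto" --dport "$port" -j ACCEPT
    "$IPTABLES" -t mangle -A INPUT -p "$proto" --dport "$port" -j ACCEPT
    "$IPTABLES" -t filter -A INPUT -p "$proto" --dport "$port" -j ACCEPT
  done
}

#######################################
# Let the internal networks reach the allowed TCP ports and get replies back.
# Globals: OUR_NETWORKS, LAN_TCP_PORT (read)
# NOTE(review): nothing in nat POSTROUTING rewrites the private source address
# (no SNAT/MASQUERADE rule).  Unless the upstream router routes 10.0.0.0/8 back
# to this box, replies can never return — the most likely cause of the
# forwarding problem described in the mail; confirm the topology before adding
# a MASQUERADE rule on ETH_WAN.
#######################################
allow_lan_forwarding() {
  for net in $OUR_NETWORKS; do
    for port in $LAN_TCP_PORT; do
      # First pass: LAN -> world (-s NET --dport PORT);
      # second pass: world -> LAN replies (-d NET --sport PORT).
      for dir in "-s --dport" "-d --sport"; do
        set -- $dir
        addr=$1
        pmatch=$2
        "$IPTABLES" -t mangle -A PREROUTING "$addr" "$net" -p tcp "$pmatch" "$port" -j ACCEPT
        "$IPTABLES" -t nat -A PREROUTING "$addr" "$net" -p tcp "$pmatch" "$port" -j ACCEPT
        "$IPTABLES" -t mangle -A FORWARD "$addr" "$net" -p tcp "$pmatch" "$port" -j ACCEPT
        "$IPTABLES" -t filter -A FORWARD "$addr" "$net" -p tcp "$pmatch" "$port" -j ACCEPT
        "$IPTABLES" -t mangle -A POSTROUTING "$addr" "$net" -p tcp "$pmatch" "$port" -j ACCEPT
        "$IPTABLES" -t nat -A POSTROUTING "$addr" "$net" -p tcp "$pmatch" "$port" -j ACCEPT
      done
    done
    #for PORT in $LAN_UDP_PORT
    #do
    #done
    # Now, accepting all packets with flag ESTABLISHED,RELATED
    # (connections already established or related):
    "$IPTABLES" -t filter -A FORWARD -d "$net" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
}

#######################################
# DNAT port forwarding from the WAN into internal hosts.
# Arguments: $1 - protocol (tcp|udp)
#            $2 - whitespace-separated list of "srcport:destport>host" specs
# Globals: ETH_WAN (read)
# Malformed specs are reported on stderr and skipped instead of producing a
# broken iptables command.
#######################################
set_port_forwarding() {
  proto=$1
  for rule in $2; do
    case $rule in
      *:*\>*) ;;
      *)
        printf 'skipping malformed %s forward rule: %s\n' "$proto" "$rule" >&2
        continue
        ;;
    esac
    srcport=${rule%%:*}
    rest=${rule#*:}
    destport=${rest%%>*}
    host=${rest#*>}
    if [ -z "$srcport" ] || [ -z "$destport" ] || [ -z "$host" ]; then
      printf 'skipping malformed %s forward rule: %s\n' "$proto" "$rule" >&2
      continue
    fi
    # The FORWARD accept is restricted to WAN ingress for both protocols
    # (the original only did so for TCP), matching where the DNAT happens.
    "$IPTABLES" -t filter -A FORWARD -p "$proto" -d "$host" --dport "$destport" -i "$ETH_WAN" -j ACCEPT
    "$IPTABLES" -t nat -A PREROUTING -p "$proto" -i "$ETH_WAN" --dport "$srcport" -j DNAT --to-destination "$host:$destport"
  done
}

#######################################
# "start": rebuild the whole rule set with DROP policies.
#######################################
fw_start() {
  # Cleaning old rules:
  flush_tables zero
  # Allowing interface loopback to have access to system:
  allow_loopback
  # Setting filter, nat and mangle policies to drop:
  set_policies DROP
  # Enabling IP forwarding in kernel:
  echo 1 > /proc/sys/net/ipv4/ip_forward
  block_spoofed_sources
  set_ssh_tos
  set_service_tos
  allow_icmp
  allow_connect_ports tcp "$ALLOW_CONNECT_TCP"
  allow_connect_ports udp "$ALLOW_CONNECT_UDP"
  open_local_ports tcp "$ALLOW_TCP"
  open_local_ports udp "$ALLOW_UDP"
  allow_lan_forwarding
  set_port_forwarding tcp "$TCP_FORWARD"
  set_port_forwarding udp "$UDP_FORWARD"
}

#######################################
# "stop": flush all rules; chain policies are left untouched.
#######################################
fw_stop() {
  flush_tables
  allow_loopback
}

#######################################
# "open": flush all rules and accept everything.
#######################################
fw_open() {
  flush_tables
  allow_loopback
  set_policies ACCEPT
}

#######################################
# Entry point.  Returns non-zero (instead of exiting) so the script can also be
# sourced; diagnostics go to stderr.
# Arguments: $1 - start|stop|open
#######################################
main() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root!" >&2
    return 1
  fi
  if [ -z "$IPTABLES" ]; then
    echo "iptables not found in PATH (set IPTABLES to its location)" >&2
    return 1
  fi
  case "${1:-}" in
    start) fw_start ;;
    stop) fw_stop ;;
    open) fw_open ;;
    *)
      printf 'usage %s start|stop|open\n' "$0" >&2
      return 2
      ;;
  esac
}

main "$@"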




BillieGDJoe

