Hi there, I have already written before, but still my firewall doesn't work at all (or, from another point of view, works too much!!!!). That is, I resolved a big problem (my kernel did not load the modules for NAT, and now it does), but there is still another one. I want the machines in my internal network to resolve IP addresses by themselves and to be able to connect to some servers (like the SMTP and PPP servers belonging to the ISP that serves my company). Neither of these works for now. I post my configuration file and the output of the iptables command. Will you help me, please? Thanks in advance.

Marco Nicoloso.

Configuration script

#!/bin/bash

## RULE RESET ##
iptables -F
iptables -t mangle -F
iptables -t nat -F
iptables -X
iptables -t mangle -X
iptables -t nat -X

## FILTER TABLE ##
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Create new chains
# Chain for int->ext traffic
iptables -N laninet
# Chain for ext->int traffic
iptables -N inetlan
# Dispatch FORWARD traffic to the chains
iptables -A FORWARD -i eth1 -o eth0 -j laninet
iptables -A FORWARD -i eth0 -o eth1 -j inetlan

# Fragments and invalid packets
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Internal network traffic
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

## FILTER TABLE - INBOUND ##
# Accept packets belonging to existing connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Drop all packets that do not belong to the network each chain serves
iptables -A laninet ! -s 192.168.7.0/24 -j DROP
iptables -A inetlan -s 192.168.7.0/24 -j DROP

# Accept inbound traffic on the client ports
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT

# Enabling some of the ICMP packets
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Forward from the internal network
iptables -A laninet -d 0/0 -j ACCEPT

# Forward from the internet
iptables -A inetlan -p tcp --sport 53 -j ACCEPT
iptables -A inetlan -p udp --sport 53 -j ACCEPT
iptables -A inetlan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A inetlan -p tcp -j REJECT --reject-with tcp-reset

# Setting up NAT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to 81.22.222.236

Output of the usual iptables listing commands.

#iptables -vnL
Chain INPUT (policy DROP 32 packets, 3605 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
16791  729K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
33506   46M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spt:53
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spt:53
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9
    2   122 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  341 22672 laninet    all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 inetlan    all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
31529   46M ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
22566 1409K ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain inetlan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.7.0/24       0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset

Chain laninet (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       !192.168.7.0/24      0.0.0.0/0
  341 22672 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 263K packets, 22M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 195K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    192.168.7.0/24       0.0.0.0/0           to:81.22.222.236

Chain OUTPUT (policy ACCEPT 186K packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination

#iptables -vnL -t mangle
Chain PREROUTING (policy ACCEPT 4253K packets, 2003M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4157K packets, 1996M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 25604 packets, 1239K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4708K packets, 2448M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4733K packets, 2449M bytes)
 pkts bytes target     prot opt in     out     source               destination
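An added example, not part of the original post: a small POSIX shell check for the source-NAT mistake that the counters above make visible (the POSTROUTING SNAT rule is bound to the LAN interface, so it has matched 0 packets while the laninet chain has forwarded 341). It assumes eth0 faces the Internet and eth1 faces the LAN, as the FORWARD rules imply, and works on constructed rule lines in iptables-save format rather than on a live ruleset.

```shell
#!/bin/sh
# Added example (not the poster's script): sanity check for a source-NAT rule,
# run against rule lines in iptables-save format.
# Assumptions: eth0 faces the Internet, eth1 faces the LAN (as the FORWARD
# rules in the post imply); 81.22.222.236 is the public address from the post.
WAN=eth0
LAN=eth1
LAN_NET=192.168.7.0/24

# Constructed rule lines: the first mirrors the POSTROUTING rule in the post,
# the second binds the rewrite to the interface packets actually LEAVE through.
BROKEN_RULE="-A POSTROUTING -s $LAN_NET -o $LAN -j SNAT --to-source 81.22.222.236"
FIXED_RULE="-A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source 81.22.222.236"

# check_snat_rule RULE: prints "ok" and returns 0 when the source-NAT rule is
# bound to the WAN interface; otherwise prints a diagnosis and returns 1.
check_snat_rule() {
    rule=$1
    case "$rule" in
        *"-j SNAT"*|*"-j MASQUERADE"*) ;;
        *) echo "not a source-NAT rule"; return 2 ;;
    esac
    # outgoing interface named by -o (empty when the rule has none)
    oif=$(printf '%s\n' "$rule" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
    if [ -z "$oif" ]; then
        echo "no -o interface: rule would also rewrite traffic that stays on the LAN"
        return 1
    fi
    if [ "$oif" = "$LAN" ]; then
        # LAN->Internet packets leave through $WAN, so this rule never matches:
        # its counter stays at 0, private source addresses go out unrewritten,
        # and replies from the Internet have no route back to 192.168.7.x.
        echo "SNAT bound to LAN interface $LAN; LAN traffic leaves via $WAN and never matches"
        return 1
    fi
    if [ "$oif" = "$WAN" ]; then
        echo "ok"
        return 0
    fi
    echo "SNAT bound to unexpected interface $oif"
    return 1
}

# suggest_fix RULE: the same rule with the outgoing interface moved to $WAN
suggest_fix() {
    printf '%s\n' "$1" | sed "s/-o $LAN /-o $WAN /"
}
```

Once the rule is applied on eth0, both the DNS lookups and the SMTP/PPP connections from the LAN get their replies back, because the inetlan chain already accepts ESTABLISHED,RELATED traffic.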