The configuration is like this: I have been provided by my ISP with a set of WAN IPs. I configured my firewall with eth0 as the external interface and eth1 as the internal interface for all the servers with WAN IPs. I am using mangle PREROUTING to do the filtering. The problem is that after I configure everything and enable the DROP rule for each interface, my servers can't seem to access servers outside. In short, I can only go in to the WAN-side servers, but connections from the WAN side are blocked, especially the DNS server. I tried disabling the drop rule, but that opens all my WAN servers to the internet. I configured the INPUT table to filter who can SSH to the firewall. The rest is in the mangle PREROUTING table. Please help. (I did an mtr traceroute to yahoo with the drop rule enabled, and it seems like the first and last hop is the internal interface and the connection gets stuck there. It works well with the drop rule disabled.)

eth0 = external
eth1 = internal

#!/bin/sh
#
# flush all rules before generating a new set of rules
iptables -F
iptables -t mangle -F
iptables -t mangle -P PREROUTING ACCEPT

#access to local ssh
#iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 21xxxxxxxxx -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 1xxxxxxxxxxx/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 6xxxxxxxxxxxx/255.255.255.252 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 2xxxxxxxxxxxxxx/255.255.255.192 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j DROP

# make mangle table default to drop
#iptables -t mangle -P PREROUTING DROP

#external network to internal network
#ACCESS TO SEGMENT 2xxxxxxxxxxxxxx/28
#========================================================================
#iptables -t mangle -A PREROUTING -p all -s 0/0 -d 20xxxxxxxxxxx/28 -j ACCEPT
#xxxxxxxxxxxxx
iptables -t mangle -A PREROUTING -p tcp -s 20xxxxxxxxxxxxx --sport 8282 -d 20xxxxxxxxxxx -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -s 20xxxxxxxxxxxxx -d 20xxxxxxxxxxxxxxx --dport 8282 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m multiport -s 0/0 -d 2xxxxxxxxxxxxx/28 --destination-ports 80,443 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -s 0/0 --sport 25 -d 20xxxxxxxxxxxxxxx/28 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 1xxxxxxxxxxxxx/24 --source-ports 1433,1434,22,20,21,3389,3306 -d 20xxxxxxx/28 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 2xxxxxxxxxxxxx/27 --source-ports 1433,1434,22,20,21,3389,3306 -d 20xxxxxxxx/28 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 2xxxxxxxxxxxx/27 --source-ports 1433,1434,22,20,21,3389,3306 -d 20xxxxxxxxxxxxxx/28 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 2xxxxxxxxxxx/27 --source-ports 1433,1434,22,20,21,3389,3306 -d 20xxxxxxxxxxxxx/28 -j ACCEPT
#------DNS--------
iptables -t mangle -A PREROUTING -i eth0 -p udp -s 20xxxxxxxxx/28 -d 20xxxxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p udp -s 20xxxxxxxxxxx/30 -d 2xxxxxxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 20xxxxxxxxxxxxx/28 -d 2xxxxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 20xxxxxxxx/30 -d 2xxxxxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p udp -d 20xxxxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -d 2xxxxxxxxxxx/32 -j ACCEPT
#---------------------------------
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 1xxxxxxxx/24 -d 2xxxxxxxxxxxxx/28 --destination-ports 20,21,22,1433,1434,3389,3306 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 2xxxxxxxx/29 -d 2xxxxxxxxxxxx/28 --destination-ports 20,21,22,1433,1434,3389,3306 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 2xxxxxxxxxxxxx/29 -d 2xxxxxxxxx/30 --destination-ports 20,21,22,1433,1434,3389,3306 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 6xxxxxxxxxxxx/30 -d 2xxxxxxxxxxx/28 --destination-ports 20,21,22,1433,1434,3389,3306 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 6xxxxxxxxxxxxx -d 2xxxxxxxxxxxxx/28 --destination-ports 20,21,22,1433,1434,3389,3306 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 6xxxxxxxxxxxx -d 2xxxxxxxxxxxx/28 --destination-ports 20,21,22,1433,1434,3389,3306 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 2xxxxxxxxxxxxx/27 -d 2xxxxxxxxxxx/28 --destination-ports 20,21,22,1433,1434,3389,3306 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 2xxxxxxxxxxxxx/27 -d 2xxxxxxxxxxx/28 --destination-ports 20,21,22,1433,1434,3389,3306 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 2xxxxxxxxxxxx/27 -d 2xxxxxxxxxxx/28 --destination-ports 20,21,22,1433,1434,3389,3306 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 2xxxxxxxxxxxxxx/26 -d 2xxxxxxxxxxxx/28 --destination-ports 20,21,22,1433,1434,3389,3306 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport -s 1xxxxxxxxxxxx/27 -d 2xxxxxxxxxxxxxx/28 --destination-ports 20,21,25,3389 -j ACCEPT
#xxxxxxxxx
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 1xxxxxxxxxxx/24 -d 2xxxxxxxxxxxx --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 2xxxxxxxxxxxxx/29 -d 2xxxxxxxxxxxx --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 6xxxxxxxxxxx/30 -d 2xxxxxxxxx --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 2xxxxxxxxxxxx/27 -d 2xxxxxxxxxxxx --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 2xxxxxxxxxxxx/27 -d 2xxxxxxxxx --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 2xxxxxxxxxxxxxx/27 -d 2xxxxxxxxxxxxx --dport 80 -j ACCEPT
#xxxxxxxx
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 2xxxxxxxxxxx/32 -d 2xxxxxxxxx/32 --dport 8383 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 2xxxxxxxxx4/32 --sport 8383 -d 2xxxxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 2xxxxxxxxxxxx7/32 -d 2xxxxxxxxxxx/32 --dport 8383 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 2xxxxxxxxxxxx/32 --sport 8383 -d 2xxxxxxxxxxxxxxx/32 -j ACCEPT
#8080
iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 2xxxxxxxxxxxxxx --sport 8080 -d 2xxxxxxxxxxxxxx/28 -j ACCEPT
#========================================================================
#iptables -t mangle -A PREROUTING -i eth1 -p all -j LOG --log-level debug --log-prefix "ETH1 DROP :"
#iptables -t mangle -A PREROUTING -i eth1 -p all -s 0/0 -d 0/0 -j DROP
#========================================================================
#iptables -t mangle -A PREROUTING -i eth0 -p all -j LOG --log-level debug --log-prefix "ETH0 DROP :"
iptables -t mangle -A PREROUTING -i eth0 -p all -s 2xxxxxxxxx/28 -d 2xxxxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p all -s 2xxxxxxxxxxx/32 -d xxxxxxxxxxxxx/28 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 -p all -j DROP
#========================================================================

#internal network to external network
#SEGMENT 2xxxxxxxxxxxx/28
#########################################################################
#ICMP
iptables -t mangle -A PREROUTING -i eth1 -p icmp -s 2xxxxxxxxx/28 -d 0/0 -j ACCEPT
#ALL ACCESS
iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 20xxxxxxxxxxxx/28 -d 0/0 --dport 80 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 20xxxxxxxxxxxxx/28 -d 0/0 --dport 443 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m multiport -s 20xxxxxxxxxxx/28 --source-ports 80,443,20,21,22,1433,1434,3389,3306,8383,53 -d 0/0 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m multiport -s 20xxxxxxxxxxx/28 -d 0/0 --destination-ports 25,1433,1434,22,20,21,3389,3306,8080,53 -j ACCEPT
#iptables -t mangle -A PREROUTING -i eth1 -p udp -s 20xxxxxxxxxxxx/28 -d 2xxxxxxxxxxxx/32 -j ACCEPT
#iptables -t mangle -A PREROUTING -i eth1 -p udp -s 2xxxxxxxxxxx/30 -d 2xxxxxxxxxxxxx/32 -j ACCEPT
#iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 2xxxxxxxxxxxxx/28 -d 2xxxxxxxxxxxxx/32 -j ACCEPT
#iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 20xxxxxxxxxxx/30 -d 2xxxxxxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p udp -d 2xxxxxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -d 2xxxxxxxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p udp -s 2xxxxxxxxx/28 --sport 161 -d 0/0 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 2xxxxxxxxxxxx/28 -d 203.142.17.134/32 --dport 8383 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 2xxxxxxxxxxx/28 -d 2xxxxxxxxxxx/32 --dport 8383 -j ACCEPT
#To xxxxxxxxx
iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 2xxxxxxxxx -d 2xxxxxxxxxxx --dport 8282 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 2xxxxxxxxx --sport 8282 -d 2xxxxxxxxxxxx -j ACCEPT
#To xxxxxxxxxxxxx
iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 2xxxxxxxxxxx/28 -d 192.xxxxxxx -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -s 2xxxxxxxxx/28 -d 192.xxxxxx -j ACCEPT
#########################################################################
#========================================================================
#iptables -t mangle -A PREROUTING -i eth1 -p all -j LOG --log-level debug --log-prefix "ETH1 DROP :"
#iptables -t mangle -A PREROUTING -i eth1 -p all -s 0/0 -d 0/0 -j DROP
#========================================================================
#iptables -t mangle -A PREROUTING -i eth1 -p all -s 2xxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p all -s 2xxxxxxxxx/28 -d 2xxxxxxxxx/32 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p all -s 2xxxxxxxx/32 -d 2xxxxxxx/28 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p all -s 0/0 -d 0/0 -j DROP

Thanks
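A stateful version of the same two-interface design, added here as an example and not the poster's script. It filters forwarded traffic in the filter table's FORWARD chain, where a single ESTABLISHED,RELATED match admits the replies to already-allowed flows that an interface-wide DROP on eth0 otherwise discards (the stalled outbound connections described above), instead of hand-written --sport rules per service. Interface names, the RFC 5737 placeholder networks and the port sets are assumptions; IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not the poster's configuration. The mangle table is for
# packet alteration; forwarded traffic is filtered in filter/FORWARD so
# conntrack can match replies. Nets and interfaces below are placeholders.
IPT="${IPT:-echo iptables}"     # set IPT=/sbin/iptables to apply for real
EXT_IF=eth0
INT_IF=eth1
DMZ_NET="203.0.113.0/28"        # placeholder for the ISP-assigned WAN /28
ADMIN_NET="198.51.100.0/24"     # placeholder for the permitted admin source

forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # 1. Replies and related packets of flows accepted below, both ways.
    #    This is the rule the mangle-only set lacks: a DNS or HTTP reply
    #    arriving on eth0 is admitted by state, not by guessing --sport.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. New inbound connections to published services only.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$DMZ_NET" -p tcp -m multiport \
         --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$ADMIN_NET" -d "$DMZ_NET" \
         -p tcp -m multiport --dports 22,3389 -m state --state NEW -j ACCEPT
    # 3. New outbound connections from the DMZ: DNS (udp and tcp), web, mail.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$DMZ_NET" -p udp --dport 53 \
         -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$DMZ_NET" -p tcp -m multiport \
         --dports 53,80,443,25 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$DMZ_NET" -p icmp -j ACCEPT
    # 4. Log, then drop, so a stalled flow shows up in syslog instead of mtr.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD DROP: "
    $IPT -A FORWARD -j DROP
}

input_rules() {
    # The firewall's own INPUT: default deny, instead of dropping only
    # port 22 for unlisted sources and accepting every other port.
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

forward_rules
input_rules
```

Run it as-is to review the generated rules, then re-run with IPT=/sbin/iptables as root to apply them; the LOG entries prefixed "FWD DROP:" identify any flow the allow list still misses.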