A quick perusal shows a couple of things. Firstly, I'm not familiar with
the conntrack or physdev modules, I'd just use the state module and -i
respectively - but I'd imagine they do the same. Secondly, it is usually
cleaner to set the policy on INPUT to drop and remove line 28. Add a
rule to let anything on eth2 in (I assume it is safe).
Remove the output rules, I generally don't drop outgoing stuff - unless
you need to restrict access for a specific reason and then block that.
Add rules to block eth5 from seeing anything internal. The same goes for
FORWARD.
Also I assume you've enabled forwarding in the kernel.
Hope that helps.
On 24/04/2012 09:09, Richard Thornton wrote:
Hi,
I hope you can help, please be gentle as it's my first time with raw
iptables, I have used other firewalls though.
I have a working config, my internal network can get out to the
internet but because of a lack of understanding I have opened up SSH
on the firewall to the internet:
1  # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
2  *mangle
3  :PREROUTING ACCEPT [3292:1334085]
4  :INPUT ACCEPT [462:36946]
5  :FORWARD ACCEPT [2826:1297011]
6  :OUTPUT ACCEPT [268:37651]
7  :POSTROUTING ACCEPT [3075:1327352]
8  -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
9  COMMIT
10 # Completed on Tue Apr 24 16:51:19 2012
11 # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
12 *nat
13 :PREROUTING ACCEPT [130:12667]
14 :INPUT ACCEPT [4:586]
15 :OUTPUT ACCEPT [4:264]
16 :POSTROUTING ACCEPT [0:0]
17 -A POSTROUTING -o ppp0 -j MASQUERADE
18 COMMIT
19 # Completed on Tue Apr 24 16:51:19 2012
20 # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
21 *filter
22 :INPUT DROP [0:0]
23 :FORWARD DROP [0:0]
24 :OUTPUT DROP [0:0]
25 -A INPUT -i lo -j ACCEPT
26 -A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2 -m tcp --dport 22 -j ACCEPT
27 -A INPUT -i ppp0 -j ACCEPT
28 -A INPUT -j DROP
29 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
30 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
31 -A FORWARD -i br0 -o ppp0 -j ACCEPT
32 -A FORWARD -j DROP
33 -A OUTPUT -o lo -j ACCEPT
34 -A OUTPUT -o br0 -j ACCEPT
35 -A OUTPUT -o ppp0 -j ACCEPT
36 -A OUTPUT -j DROP
37 COMMIT
38 # Completed on Tue Apr 24 16:51:19 2012
I believe my mistake is in either line 27 or line 35 but if I remove
either of them my firewall fails to be able to access the internet
locally for apt and stuff.
To add some background, basically I have the following running on an
Ubuntu 12.04 server:
ppp0 brought up on eth0
br0 a bridge which includes wlan0 and eth2 (office lan)
eth3 (lab mgmt)
eth4 (lab)
eth5 (quarantined pc)
So the firewall should be able to access the internet but the internet
should not be able to access the firewall.
Users on br0 should be able to access the internet, lab, lab mgmt, firewall
The lab should be able to access the internet
Lab mgmt should be able to access the internet, there are 8 IPs in
here and I have public IPs for them all but I need to set up SNAT and
fwknop doing DNAT to access them:
iptables -t nat -A POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y
With the above I am worried that this will conflict with line 17...
I believe fwknop will handle the DNAT stuff automagically.
The quarantined PC should be able to access the internet but nothing else
I have a way to go :)
Thanks for looking.
Kind Regards
Richard
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
www.pricegoblin.co.uk
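The reason line 27 looks indispensable is that line 28 (an unconditional DROP) is evaluated before line 29, so the RELATED,ESTABLISHED accept never fires and return traffic from the firewall's own apt sessions is only admitted by the blanket "accept everything from ppp0" rule. The following added script (not part of the thread, written for this reply) parses the poster's *filter table, constructed inline with the listing's own line numbering, and reports rules shadowed by an earlier catch-all terminal rule plus any blanket ACCEPT from the WAN interface into INPUT; the interface name ppp0 is taken from the post.

```python
"""Lint an iptables-save filter table for rules shadowed by an earlier
catch-all terminal rule and for blanket ACCEPTs from the WAN interface."""
import re

# Constructed copy of the *filter table from the post, one rule per line,
# starting at listing line 21 so findings map back to the post's numbering.
FILTER_TABLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2 -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -j ACCEPT
-A INPUT -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o ppp0 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
"""
FILTER_FIRST_LINE = 21            # listing line of "*filter" in the post
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
RULE_RE = re.compile(r"^-A (\S+)\s*(.*?)\s*-j (\S+)$")


def parse_rules(text, first_line):
    """Return (line_no, chain, match_args, target) for every -A line, in order."""
    rules = []
    for line_no, line in enumerate(text.splitlines(), start=first_line):
        m = RULE_RE.match(line)
        if m:
            rules.append((line_no, m.group(1), m.group(2), m.group(3)))
    return rules


def lint(text, first_line, wan_iface):
    """Return (line_no, message) findings in listing order."""
    findings = []
    catch_all = {}  # chain -> line of its first rule with no match and a terminal target
    for line_no, chain, args, target in parse_rules(text, first_line):
        if chain in catch_all:  # every packet was already decided earlier in this chain
            findings.append((line_no, f"unreachable: line {catch_all[chain]} in {chain} "
                                      "already decides every packet"))
            continue
        if not args and target in TERMINAL:
            catch_all[chain] = line_no
        if chain == "INPUT" and target == "ACCEPT" and args == f"-i {wan_iface}":
            findings.append((line_no, f"blanket ACCEPT from {wan_iface} into INPUT "
                                      "exposes every listening service to the internet"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint(FILTER_TABLE, FILTER_FIRST_LINE, "ppp0"):
        print(f"line {line_no}: {msg}")
```

Running it reports line 27 (blanket WAN accept) and line 29 (unreachable because of line 28), which is exactly the pair the reply above says to fix by deleting line 28 and letting the conntrack rule do the work.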