Re: Proxy Iptable script--no one in RedHat who can help me

[crucificator <crucificator@xxxxxxx>]

Nilesh wrote:

> */Nilesh <niluforalways@xxxxxxxxx>/* wrote:
>
>     Hello All,
>      
>     I have Installed RedHat 8.0 runing as a proxy server as well as
>     web server but the problem is from my client linux machine i m not
>     able to ping outside world for that i have to restart the network
>     service of client machine for 4-5 times after this trcik im able
>     to ping the outside world.
>      
>     can anybody please tell me how to resolve this problem
>      
>     this is my firewall script
>      
>
>     #!/bin/bash
>
>     # /usr/local/sbin/setiptables.bash
>
>     # Some Definations
>
>     ANYWHERE="any/0" # Match any address
>
>     EX_ETH=eth0 # External Interface
>
>     IN_ETH=eth1 # Local Interface
>
>     LOCAL_IP=192.168.0.1 # Local Host IP
>
>     EXTERNAL_IP=202.54.230.14 # INETRNATE IP
>
>     LOCAL_NET=192.168.0.0/24 # Local Network
>
>     PROXY_IP=192.168.0.225 # Proxy Server IP (Transparent Proxy)
>
>     PROXY_PORT=8080 # Proxy Server Port No
>
>     LOOPBACK_INTERFACE=lo # The Loopback Interface
>
>     LOOPBACK_NETWORK=127.0.0.0/8 # Reserved Loopback Address Range
>
>     PRIVPORTS=0:1023 # Well Known Privileged port range
>
>     UNPRIVPORTS=1024:65535 # Unprivileged port range
>
>     WEBPORT=80 # WebServer Port
>
>     # Clear all iptables
>
>     /etc/init.d/iptables stop
                   /\
?????????     |     why? you are flushing, zeroing, lalala , why stop 
iptables service?

>     # Flush the rule Chains
>
>     iptables -F
>
>     iptables -t nat -F
>
>     # Delete custom chains
>
>     iptables -X
>
>     # Zero counts
>
>     iptables -Z
>
>     # Set the Default Policys
>
>     iptables -P INPUT DROP
>
>     iptables -P OUTPUT ACCEPT
>
>     iptables -P FORWARD ACCEPT
???by default after reloading iptables the OUTPUT and FORWARD chains 
have policy ACCEPT:
after *iptables stop*:
"*Resetting built-in chains to the default ACCEPT policy:"*

>     # Masquerade
>
>     iptables -t nat -A POSTROUTING -o $EX_ETH -j MASQUERADE
>
>     iptables -A OUTPUT -s $LOCAL_NET -o $EX_ETH -j ACCEPT
??? OUTPUT chain already has directive ACCEPT

>     # Any other packets must be dropped.
>
>     iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j DROP
                  /\
???? ?????   | the policy for the INPUT chain is already set to DROP

>     # FORWARD Chain
>
>     iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j DROP
I don't really get this one. You are blocking unestablished conections 
from outside at the FORWARD level?

>     # Turn on IP forwarding
>
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
>     # Allow unlimited traffic on the loopback interface
>
>     iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
>
>     iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
>
>     # Loopback packets should not be handeld from ext NIC
>
>     iptables -A INPUT -i $EX_ETH -s 127.0.0.0/8 -j DROP
>
>     iptables -A OUTPUT -o $EX_ETH -s 127.0.0.0/8 -j DROP
>
>     # Refuse Bogus Broadcasts
>
>     iptables -A INPUT -i $EX_ETH -s 255.255.255.255 -j DROP
>
>     iptables -A INPUT -i $EX_ETH -d 0.0.0.0 -j DROP
>
>     # ICMP
>
>     iptables -A INPUT -i $EX_ETH -p icmp -s $ANYWHERE -d $EXTERNAL_IP
>     -j ACCEPT
>
>     iptables -A OUTPUT -o $EX_ETH -p icmp -s $EXTERNAL_IP -d $ANYWHERE
>     -j ACCEPT
same problem: OUTPUT is in ACCEPT

>     iptables -A INPUT -i $IN_ETH -p icmp -s $LOCAL_NET -d $LOCAL_IP -j
>     ACCEPT
>
>     iptables -A OUTPUT -o $IN_ETH -p icmp -s $LOCAL_IP -d $LOCAL_NET
>     -j ACCEPT
same problem: OUTPUT is in ACCEPT

>     iptables -A INPUT -i $EX_ETH -p icmp -s $LOCAL_NET -d $ANYWHERE -j
>     ACCEPT
>
>     iptables -A OUTPUT -o $EX_ETH -p icmp -s $ANYWHERE -d $LOCAL_NET
>     -j ACCEPT
same problem: OUTPUT is in ACCEPT

>     iptables -A FORWARD -p icmp -j ACCEPT
FORWARD has policy ACCEPT.

trim it, try it, and send again. Maybe you should also post output on 
iptables -L.
Use logging for packets that weren't accepted with -j LOG (see options) 
and send messages that arrived from iptables to syslog. Should be 
something like this (after all the rules in INPUT chain):

iptables -A INPUT -j LOG --log-level 7 --log-prefix " iptableslog " 
--log-tcp-options --log-ip-options

My view is this:

chain INPUT should have policy DROP. Should contain only rules for 
ACCEPTing traffic for what you need and the rule to ACCEPT all packets 
that are related to my box's established conections. Also REJECT 
broadcasts from internal (windows does this a lot and you don't want you 
workstations to wait for a timeout).

chain OUTPUT should be on ACCEPT unless paranoid. I do not block 
anything to the outside world. I know somebody will tell me 'well you 
should be more carefull' and I'll tell him: 'I am.'

Well, anyway, send trimmed script and also tell us if you can surf the 
net but only at pinging you have problems.



--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list