hi y'all, i'd just like to preface this by saying that i have been looking in the archive and on the internet for 4 days straight and haven't found a clear answer to my problem =)

i have a linux (rh7) machine (webMachine, ip: 192.168.0.5) running a web server on port 7090. i have another linux (debian) machine on the same network (firewallMachine, two interfaces: ip: 10.0.0.40 [out to inet], ip: 192.168.0.2 [connected to internal network]). on firewallMachine i have also installed squid, to reverse proxy for webMachine, i.e. hide all external ip addresses from webMachine, so it thinks only 1 ip address is communicating with it. squid is configured to listen on port 7090 and then redirect everything to webMachine on port 7090 (trying to keep it simple at first).

the only lines i've changed in the default squid.conf configuration are:

http_port 7090
httpd_accel_host 192.168.0.5
httpd_accel_port 7090
httpd_accel_single_host on
httpd_accel_uses_host_header on

(i can't see anything else in that config file that would need to be enabled/disabled, am i right?)

here's my firewall.sh:

#!/bin/sh

SYSCTL="/sbin/sysctl -w"

# IPTables Location - adjust if needed
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface Information
INET_IFACE="eth0"
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.0.2"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
    echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    $IPTS > /etc/sysconfig/iptables
    echo "done"
    exit 0
elif [ "$1" = "restore" ]
then
    echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    $IPTR < /etc/sysconfig/iptables
    echo "done"
    exit 0
fi

# Load Modules
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# Kernel Parameter Configuration
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi

# This enables SYN flood protection.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

# This enables source validation by reversed path according to RFC1812.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

# This kernel parameter instructs the kernel to ignore all ICMP
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

# This option can be used to accept or refuse source routed packets.
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi

# Flush Any Existing Rules or Chains
echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
fi

# Rules Configuration
# Filter Table
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# User-Specified Chains
# Create user chains to reduce the number of rules each packet must traverse.
echo "Create and populate custom rule chains ..."

# Create a chain to filter INVALID packets
$IPT -N bad_packets

# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing), and incoming udp packets.
$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network, default to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired, default fail except for established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network, default to allow all
$IPT -N tcp_outbound

# Populate User Chains

# bad_packets chain
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn (possible port scan): "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "ICMP Fragment (possible DoS attack): "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# udp_inbound chain
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -j ACCEPT

# tcp_inbound chain
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# ICQ File Transfers & Other Advanced Features
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 5000:5100 -j ACCEPT

# MSN Messenger File Transfers
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6891:6900 -j ACCEPT

# IMAP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT

# SMTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -j ACCEPT

# INPUT Chain
echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# DOCSIS compliant cable modems
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP

# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT

# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP

# FORWARD Chain
echo "Process FORWARD chain ..."

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# only existing and related packages are allowed to enter the network
$IPT -A FORWARD -i $INET_IFACE -o $LOCAL_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -o $INET_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -o $INET_IFACE -j udp_outbound

# Accept TCP packets we want to forward from internal sources, NICK ENABLED THIS (WAS THIS HERE AS DEFAULT, BUT NOT ENABLED?)
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
#$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet
#$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# webMachine on 192.168.0.5
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 7090 -j ACCEPT

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -o $INET_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "

# OUTPUT Chain
echo "Process OUTPUT chain ..."

# Generally trust the firewall on output, However, invalid icmp packets need to be dropped, to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -j ACCEPT

# nat table
echo "Load rules for nat table ..."

# PREROUTING chain
# send all incoming traffic to squid firewallMachine
$IPT -t nat -A PREROUTING -p tcp --dport 7090 -j DNAT --to 192.168.0.2

# POSTROUTING chain
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

# mangle table
echo "Load rules for mangle table ..."

echo "THE WALL has been loaded."

i can't seem to reach webMachine from the internet (everything is set up correctly on my adsl router [sits between firewallMachine and the internet], that much i do know). Thanks for any help and a quick response =)

Nick
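The netfilter path that the setup above implies, as an added example (not Nick's script): a packet DNATed to one of the firewall's own addresses, here 192.168.0.2 where squid listens, is delivered locally after PREROUTING and is therefore checked by the filter INPUT chain, not FORWARD, so with a DROP policy it needs its own accept there; squid's onward connection to webMachine then originates on the firewall (OUTPUT). The addresses, interfaces and port are taken from the post; the `--to-destination` spelling is the long form of `--to`, and `IPT=echo` is an assumed dry-run switch that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the script from the post: the minimal rule set for a squid
# reverse proxy that runs on the firewall itself, using the post's addressing.
# Set IPT=echo to print the rules rather than load them (dry run).
IPT="${IPT:-/sbin/iptables}"
INET_IFACE="eth0"
SQUID_IP="192.168.0.2"   # firewallMachine's internal address, where squid listens
WEB_IP="192.168.0.5"     # webMachine
PORT="7090"

reverse_proxy_rules() {
    # 1. nat/PREROUTING: hand inbound port 7090 to squid on the firewall.
    $IPT -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SQUID_IP"
    # 2. filter/INPUT sees the post-DNAT destination; the packet is local, so
    #    a FORWARD rule for port 7090 is never consulted for it.
    $IPT -A INPUT -i "$INET_IFACE" -p tcp -d "$SQUID_IP" --dport "$PORT" \
        -m state --state NEW -j ACCEPT
    # 3. squid's own connection to webMachine leaves the firewall via OUTPUT.
    $IPT -A OUTPUT -p tcp -d "$WEB_IP" --dport "$PORT" -j ACCEPT
}

# Counters to read after a test request from outside: a hit on the PREROUTING
# rule with none on the INPUT accept means the DNAT fired and INPUT dropped it.
show_counters() {
    $IPT -t nat -L PREROUTING -v -n
    $IPT -L INPUT -v -n
}
```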