I've been trying to get my hand-rolled iptables firewall to
masquerade traffic on the LAN to/from a Win2K box. I've gotten it to
the point that I can ping from the boxes both ways, smbclient can move
files both ways and the Win2K box can ping Google's IP address, but DNS
lookup fails even though I've used the same DNS server in the Win2K
box as on my Debian box, which accesses the Inet via dialup. IE says
"Cannot find server or DNS error."
I've read every HOWTO and the iptables man pages several times but
am at a loss.
Suggestions?
Thanks,
Mike

Here's the firewall code:
#!/bin/sh
#   /mc/bin/my_iptables_fw_lan.sh   July 29, 2014   Mc
#   install forwarding to south40
#   from /mc/bin/my_iptables_fw.sh   July 25, 2014   Mc
#   from ~/nixSecurity/LFS_firewall.txt
#   which copied from packet-filtering-HOWTO.html
#   and attributed to Rusty Russell
#   resources: docs/nixSecurity/IPtables_Basics.html

# You can send test packets using
# Code:   telnet ip 445
# and listen incoming packets on 445 port this way
# Code:   tcpdump -i eth0 dst port 445
# scan from this side
# Code:   nmap -vv --reason -p 1-1056 192.168.1.2

INET=ppp0
LAN=eth1
router='192.168.1.1'
S40='192.168.1.3'

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
#   for masq
modprobe ipt_MASQUERADE

#   for masq    allow forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
echo 1 > /proc/sys/net/ipv4/conf/lo/forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding

# Set a known state     -----------------------------------------
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT

#  remove all rules and pre-existing user defined chains before we implement new rules.
iptables -F     #   delete all rules in all chains
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
iptables -X     #   all chains but those built in (INPUT,OUTPUT,FORWARD) will be deleted.
iptables -Z     #   zero all counters in all chains.

#                       -----------------------------------------
#   iptables [-t table(nat,mangle,filter,raw)] command(-AIRD [INPUT,OUTPUT,FORWARD]) [match] [target/jump]

#   INPUT          ----------------------------------------------
#   accept GRC.com for testing
# iptables -A INPUT -s 4.79.142.206 -j ACCEPT
# GRC scan: 411 open,
#   most blocked, 88:93,113:114,138:138,210,211,213,215:220,267:271,273,275:280,398 stealth
#   second run different stealth
iptables -A INPUT -p tcp --dport 411 -j DROP
iptables -A INPUT -p udp --dport 411 -j DROP

#   without SYN packets other computers cannot open communications
iptables -A INPUT -i $INET -p tcp --syn -j DROP

#   ICMP echo from south40      conflicts with sysctl
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all  prevents ping router
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all  prevents s40:ping play

# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i $INET -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $INET -m state --state NEW,INVALID -j DROP

# deny ping from Inet
iptables -A INPUT -i $INET -p icmp --icmp-type echo-request -j DROP

# Allow local-only connections
iptables -A INPUT  -i $LAN -j ACCEPT

#   allow mail to get through    127.0.0.1:25    exim4  loopback
iptables -A INPUT -i lo -j ACCEPT

#   for masq
# iptables -A INPUT -m state --state NEW -i $LAN -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $INET -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " --log-level 4

#   OUTPUT          ----------------------------------------------  ACCEPT
#   drop fragments to south40
iptables -A OUTPUT -f -d $S40 -j DROP

#   port 411 showing as open even though DROPed on INPUT
iptables -A OUTPUT -p tcp --dport 411 -j DROP
iptables -A OUTPUT -p udp --dport 411 -j DROP

#   MASQ    -----------------------------------------------------
#   from Masquerading-Simple-HOWTO
# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
iptables -A FORWARD -i $INET -p tcp --syn -j DROP
#   not sure why but this keeps south40 from pinging Inet
# iptables -A FORWARD -i $INET -o $INET -j DROP

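In the script as posted, FORWARD has policy DROP and no ACCEPT rule, so packets between eth1 and ppp0 (the Win2K box's DNS queries and the resolver's UDP replies among them) only ever traverse FORWARD and are never let through; the INPUT rules on the router do not apply to forwarded traffic. The block below is an added example, not the poster's script: it emits the minimal NAT and FORWARD rules such a router needs, reuses the post's ppp0/eth1 names, and takes the iptables command from IPT so the ruleset can be reviewed with IPT=echo before loading it as root.

```shell
#!/bin/sh
# Added example (not the original poster's script): minimal masquerading
# rules for a LAN behind a dialup link.  IPT is a dry-run hook: set
# IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
INET=ppp0
LAN=eth1

# Load NAT plus the FORWARD rules that let LAN hosts out and let conntrack
# tracked replies (UDP DNS answers included) back in.  Returns non-zero if
# any iptables call fails.
lan_masq_rules() {
    # outbound NAT on the dialup link
    $IPT -t nat -A POSTROUTING -o "$INET" -j MASQUERADE || return 1
    # discard anything from the Internet that conntrack does not recognise
    $IPT -A FORWARD -i "$INET" -m state --state NEW,INVALID -j DROP || return 1
    # LAN may open new connections toward the Internet; this covers the
    # UDP/53 and TCP/53 lookups the Win2K box sends to its resolver
    $IPT -A FORWARD -i "$LAN" -o "$INET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT || return 1
    # replies to those connections may come back; conntrack marks the DNS
    # answer ESTABLISHED once the query has left through ppp0
    $IPT -A FORWARD -i "$INET" -o "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # everything else reaching FORWARD is logged and then hits policy DROP
    $IPT -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " --log-level 4 || return 1
}

# Count the FORWARD ACCEPT rules in a dry run, so the forwarding path can be
# confirmed to exist before the ruleset is loaded.
count_forward_accepts() {
    (IPT=echo; lan_masq_rules) | grep -c -- '-A FORWARD .* -j ACCEPT'
}
```

Review the output of `IPT=echo sh -c '. ./fw.sh; lan_masq_rules'` first, then source the file and call `lan_masq_rules` as root after the existing policy and flush lines.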
--
"You may not control all the events that happen to you, but you can
decide not to be reduced by them."
    - Maya Angelou


Archive: https://lists.debian.org/20140808070458.GA578@playground
