On 2014-08-08 09:04, Mike McClain wrote:
> I've been trying to get my hand rolled iptables firewall to
> masquerade traffic on the LAN to/from a Win2K box. I've gotten it to
> the point that I can ping from the boxes both ways, smbclient can move
> files both ways and the Win2K box can ping Google's IP address but DNS
> lookup fails even though I've used the same DNS server in the Win2K
> box as on my Debian box which accesses the Inet via dialup. IE says
> "Cannot find server or DNS error."
> I've read every HOWTO and the iptables man pages several times but
> am at a loss.
> Suggestions?
> Thanks,
> Mike
>
> Here's the firewall code:
> #!/bin/sh
> # /mc/bin/my_iptables_fw_lan.sh July 29, 2014 Mc
> # install forwarding to south40
> # from /mc/bin/my_iptables_fw.sh July 25, 2014 Mc
> # from ~/nixSecurity/LFS_firewall.txt
> # which copied from packet-filtering-HOWTO.html
> # and attributed to Rusty Russell
> # resources: docs/nixSecurity/IPtables_Basics.html
>
> # You can send test packets using
> # Code: telnet ip 445
> # and listen for incoming packets on port 445 this way
> # Code: tcpdump -i eth0 dst port 445
> # scan from this side
> # Code: nmap -vv --reason -p 1-1056 192.168.1.2
>
> INET=ppp0
> LAN=eth1
> router='192.168.1.1'
> S40='192.168.1.3'
>
> # Insert connection-tracking modules
> # (not needed if built into the kernel)
> modprobe ip_tables
> modprobe iptable_filter
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ipt_state
> modprobe ipt_LOG
> # for masq
> modprobe ipt_MASQUERADE
>
> # for masq allow forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/lo/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
>
> # Set a known state -----------------------------------------
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> # remove all rules and pre-existing user defined chains before we implement new rules.
> iptables -F # delete all rules in all chains
> iptables -t nat -F
> iptables -t filter -F
> iptables -t mangle -F
> iptables -X # all chains but those built in (INPUT,OUTPUT,FORWARD) will be deleted.
> iptables -Z # zero all counters in all chains.
>
> # -----------------------------------------
> # iptables [-t table(nat,mangle,filter,raw)] command(-AIRD [INPUT,OUTPUT,FORWARD]) [match] [target/jump]
>
> # INPUT ----------------------------------------------
> # accept GRC.com for testing
> # iptables -A INPUT -s 4.79.142.206 -j ACCEPT
> # GRC scan: 411 open,
> # most blocked,
> # 88:93,113:114,138:138,210,211,213,215:220,267:271,273,275:280,398 stealth
> # second run different stealth
> iptables -A INPUT -p tcp --dport 411 -j DROP
> iptables -A INPUT -p udp --dport 411 -j DROP
>
> # without SYN packets other computers cannot open communications
> iptables -A INPUT -i $INET -p tcp --syn -j DROP
>
> # ICMP echo from south40 conflicts with sysctl
> # echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all prevents ping router
> # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all prevents s40:ping play
>
> # Disallow NEW and INVALID incoming or forwarded packets from ppp0.
> iptables -A INPUT -i $INET -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i $INET -m state --state NEW,INVALID -j DROP
>
> # deny ping from Inet
> iptables -A INPUT -i $INET -p icmp --icmp-type echo-request -j DROP
>
> # Allow local-only connections
> iptables -A INPUT -i $LAN -j ACCEPT
>
> # allow mail to get through 127.0.0.1:25 exim4 loopback
> iptables -A INPUT -i lo -j ACCEPT
>
> # for masq
> # iptables -A INPUT -m state --state NEW -i $LAN -j ACCEPT
> iptables -A INPUT -m state --state NEW ! -i $INET -j ACCEPT
>
> # Permit answers on already established connections
> # and permit new connections related to established ones
> # (e.g. port mode ftp)
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Log everything else. What's Windows' latest exploitable vulnerability?
> iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " --log-level 4
>
> # OUTPUT ---------------------------------------------- ACCEPT
> # drop fragments to south40
> iptables -A OUTPUT -f -d $S40 -j DROP
>
> # port 411 showing as open even though DROPed on INPUT
> iptables -A OUTPUT -p tcp --dport 411 -j DROP
> iptables -A OUTPUT -p udp --dport 411 -j DROP
>
> # MASQ -----------------------------------------------------
> # from Masquerading-Simple-HOWTO
> # Masquerade out ppp0
> iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
> iptables -A FORWARD -i $INET -p tcp --syn -j DROP
> # not sure why but this keeps south40 from pinging Inet
> # iptables -A FORWARD -i $INET -o $INET -j DROP
>
> --
> "You may not control all the events that happen to you, but you can
> decide not to be reduced by them."
> - Maya Angelou
>

It's a rather complicated, sometimes overcomplicated script. But some rules are missing and/or not in the correct order.
To keep things simpler, I suggest doing a minimal script and making it more complicated later. So I suggest you delete all lines after the initializing lines (the last line you should keep is "iptables -Z # zero all counters in all chains.") and continue with a really simple script:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i $LAN -j ACCEPT
    iptables -A FORWARD -i $LAN -j ACCEPT
    iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE

If it works, keep it, and afterwards you can add other options line by line (and of course always test).

--
--- Friczy ---
'Death is not a bug, it's a feature'

Archive: https://lists.debian.org/53e515cb.8050...@freemail.hu
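The requirements behind that minimal ruleset, as an added example that is not part of the thread: a static check over the text of an iptables script (so it runs without root and without touching live tables), applied to constructed excerpts of both scripts above. It assumes the thread's own variable names $LAN and $INET and greps for them literally.

```shell
#!/bin/sh
# Added example, not from the thread: a static check of an iptables script
# for the rules a masquerading gateway needs, run on the script text (no root,
# no live tables). Both rule sets below are constructed excerpts of the scripts
# quoted in the thread; $LAN and $INET are the thread's own variable names.

# Reads a script on stdin, prints one "missing: ..." line per absent
# requirement and returns 0 only when all four are present.
check_nat_script() {
    rules=$(sed 's/#.*$//')   # drop comments so commented-out rules don't count
    rc=0
    need() { echo "$rules" | grep -q -- "$1" || { echo "missing: $2"; rc=1; }; }
    need 'ip_forward' 'ip_forward=1 (kernel routes between interfaces)'
    need '-t nat .*POSTROUTING .*-o [$]INET .*-j MASQUERADE' 'MASQUERADE out $INET'
    # With "-P FORWARD DROP" a new DNS query from the LAN host is dropped in
    # FORWARD before NAT applies, no matter what INPUT accepts.
    need '-A FORWARD .*-i [$]LAN .*-j ACCEPT' 'FORWARD ACCEPT for new traffic from $LAN'
    need '-A FORWARD .*ESTABLISHED,RELATED .*-j ACCEPT' 'FORWARD ACCEPT for replies'
    return $rc
}

# Excerpt of the original script: INPUT is opened for the LAN, FORWARD only drops.
original_rules() {
cat <<'EOF'
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -A INPUT -i $INET -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $INET -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
iptables -A FORWARD -i $INET -p tcp --syn -j DROP
# iptables -A FORWARD -i $INET -o $INET -j DROP
EOF
}

# The minimal ruleset from the reply, plus the kernel forwarding switch.
minimal_rules() {
cat <<'EOF'
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
EOF
}
echo "== original =="; original_rules | check_nat_script || echo "fix before loading"
echo "== minimal ==";  minimal_rules  | check_nat_script && echo "all present"
```

Run against the original excerpt it reports only the two FORWARD rules as missing, which is exactly what the reply adds; the minimal ruleset passes.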