Firewall Wizards mailing list archives

iptables problem forwarding


From: "Weazy" <opensource () hackerthreads com>
Date: Sun, 30 Mar 2003 11:38:31 -0500

hello folks.

i have built an iptables firewall that i am mostly happy with. the main
problem that still exists is the firewall will not allow connections i do
want to permit.

1. i want to allow ssh
2. want to forward port 3389 to an internal machine.


i posted my iptables here hoping someone can see the mistake.
i have commented each line so you know what i am trying to do. I have the
input policy set as drop. i have tried setting that to accept with no change
in results.

thank you in advance


# setting up modules we need to support NAT and add protocols with unordinary behavior
modprobe iptable_nat
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_irc ip_nat_irc

#make sure packet forwarding enabled by kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#flushing existing tables
iptables --flush
iptables -t nat --flush

#enable connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

#allowing one service on this machine ssh
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

#enable loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# accept established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


#Allow inbound service
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.0.4 --destination-port 3389 -j ACCEPT

#defend against port scans and DDOS attacks
#dealing with packets w/o syn flags when they are new
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "new no-SYN: "
iptables -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ACK ACK -m state --state NEW -j LOG --log-prefix "New ACK: "

#enforcing TCP standards
iptables -A INPUT -p tcp --tcp-option \! 2 -j LOG --log-tcp-options --log-prefix "TCP standards not met: "
iptables -A INPUT -p tcp --tcp-option \! 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -j LOG -m limit --limit 500/hour --limit-burst 500 --log-prefix "MIRROR: "
iptables -A INPUT -p tcp -j MIRROR -m limit --limit 500/hour --limit-burst 500

#dropping packets on the internet side going to/from private use multicast,
#also making sure we dont spoof others or allow internal spoofing

#iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
#$iptables -A OUTPUT -o eth0 -s 192.168.0.0/24 -j DROP

#allowing all outbound traffic
iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT

#rewrite all connections coming from private network to use eth0 address and
#rewrite response appropriately

iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.x
iptables -P INPUT DROP

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
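As an added example, not from the poster or from anyone on the list, the script below shows the two pieces a port forward through an iptables NAT box needs: a nat PREROUTING DNAT rule that rewrites the destination address, and a filter FORWARD ACCEPT that admits the rewritten packet (the FORWARD chain sees the packet after DNAT, so the `-d` match is against the internal address). The post's script has only the second piece. It reuses the post's interface names (eth0 outside, eth1 inside) and internal host 192.168.0.4; the external address is a placeholder from the TEST-NET-3 range. By default it only prints the commands so the rule set can be reviewed without root; `check_forward` is a small consistency check over the printed rules.

```shell
#!/bin/sh
# Added example (not the poster's script): port forward of TCP/3389 plus a
# dry-run checker. Runs as a generator unless IPT is set to a real binary:
#   sh forward.sh                 # print the rules
#   IPT=iptables sh forward.sh    # apply them (root; ip_forward must be on)
IPT="${IPT:-echo iptables}"
WAN=eth0                  # interface facing the internet (from the post)
LAN=eth1                  # interface facing the private network (from the post)
RDP_HOST=192.168.0.4      # internal host from the post
EXT_ADDR=203.0.113.10     # placeholder external address (TEST-NET-3), assumed

# Baseline: default-deny, loopback, stateful returns, ssh to the box, and
# masquerading of outbound traffic (as in the post, but with an explicit
# FORWARD DROP policy so only listed forwards are admitted).
base_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$EXT_ADDR"
}

# Forward one TCP port from the outside interface to RDP_HOST.
# Piece 1: DNAT in nat/PREROUTING rewrites the destination address.
# Piece 2: FORWARD ACCEPT admits the packet, matched on the rewritten
#          destination, and only for new connections (returns are covered
#          by the ESTABLISHED,RELATED rule in base_rules).
port_forward() {
    port="$1"
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
        -j DNAT --to-destination "$RDP_HOST:$port"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$RDP_HOST" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# What the original post has: the FORWARD rule alone. Packets addressed to
# the firewall's own external address never get their destination rewritten,
# so this rule never matches and the service is unreachable.
incomplete_forward() {
    port="$1"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$RDP_HOST" --dport "$port" -j ACCEPT
}

# Consistency check over a block of generated rules (dry-run text):
# returns 0 only when both a DNAT rule and a FORWARD ACCEPT exist for the port.
check_forward() {
    port="$1"
    rules="$2"
    printf '%s\n' "$rules" | grep -q -- "-j DNAT --to-destination $RDP_HOST:$port" || return 1
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD .*--dport $port .*-j ACCEPT" || return 1
    return 0
}

# Generate (or apply) the rule set.
base_rules
port_forward 3389
```

Running it without `IPT` set lists the commands in order, which is also a convenient way to diff two revisions of a firewall script before touching a live box.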
