Hello, I have a problem configuring my firewall with iptables. I have a multihomed Linux box, which has one interface with a private address and a second interface with a real IP. I had the same configuration on ipchains and all worked fine; I want to use a strong ruleset on iptables, so I rewrote the firewall script. But now my DNS server (on the same Linux box) can't connect to my ISP's forwarders. I've upgraded from RH7.0 to RH7.2, then downloaded and compiled kernel 2.4.17. These are the first lines of the script:

ext_int="eth0"
lan_int="eth1"
loop_int="lo"
ipaddr="193.194.100.19"
netmask="255.255.255.248"
network="193.194.100.16"
lan_ipaddr="192.168.100.1"
lan_1="192.168.100.0/24"
lan_2="192.168.102.0/24"
lan_3="192.168.101.0/24"
anywhere="any/0"
loopback="127.0.0.0/8"
class_a="10.0.0.0/8"
class_b="172.16.0.0/12"
class_c="192.168.0.0/16"
class_d="224.0.0.0/4"
class_e="240.0.0.0/5"
broadcast_src="0.0.0.0"
broadcast_dest="255.255.255.255"
privports="0:1023"
unprivports="1024:65535"
nameserv1="194.67.1.154"   # my ISP's DNS servers
nameserv2="194.67.1.155"

# default policy
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow any traffic on the loopback interface
iptables -t filter -A INPUT -i $loop_int -j ACCEPT
iptables -t filter -A OUTPUT -o $loop_int -j ACCEPT

# switch on SYN cookies and reverse-path filtering
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# DROP packets that claim the source IP address of our own interfaces
iptables -t filter -A INPUT -i $ext_int -s $ipaddr -j DROP
iptables -t filter -A INPUT -i $lan_int -s $lan_ipaddr -j DROP

# DROP packets with addresses of private networks, etc.
# class_a
iptables -t filter -A INPUT -i $ext_int -s $class_a -j DROP
iptables -t filter -A INPUT -i $ext_int -d $class_a -j DROP
iptables -t filter -A OUTPUT -o $ext_int -s $class_a -j DROP
iptables -t filter -A OUTPUT -o $ext_int -d $class_a -j DROP
# class_b
iptables -t filter -A INPUT -i $ext_int -s $class_b -j DROP
iptables -t filter -A INPUT -i $ext_int -d $class_b -j DROP
iptables -t filter -A OUTPUT -o $ext_int -s $class_b -j DROP
iptables -t filter -A OUTPUT -o $ext_int -d $class_b -j DROP
# class_c
iptables -t filter -A INPUT -i $ext_int -s $class_c -j DROP
iptables -t filter -A INPUT -i $ext_int -d $class_c -j DROP
iptables -t filter -A OUTPUT -o $ext_int -s $class_c -j DROP
iptables -t filter -A OUTPUT -o $ext_int -d $class_c -j DROP
# class_d
iptables -t filter -A INPUT -i $ext_int -s $class_d -j DROP
iptables -t filter -A OUTPUT -o $ext_int -s $class_d -j REJECT
iptables -t filter -A INPUT -i $ext_int -d $class_d -j REJECT
iptables -t filter -A OUTPUT -o $ext_int -d $class_d -j REJECT
# class_e
iptables -t filter -A INPUT -i $ext_int -s $class_e -j DROP

# DROP packets sent from a loopback source
iptables -t filter -A INPUT -i $ext_int -s $loopback -j DROP
iptables -t filter -A OUTPUT -o $ext_int -s $loopback -j DROP

# DROP incorrect broadcast addresses
iptables -t filter -A INPUT -i $ext_int -s $broadcast_dest -j DROP
iptables -t filter -A INPUT -i $ext_int -d $broadcast_src -j DROP

# allow the ICMP protocol to work
# accept ICMP message Source Quench
iptables -t filter -A INPUT -i $ext_int -p icmp -s $anywhere --icmp-type source-quench -d $ipaddr -j ACCEPT
iptables -t filter -A OUTPUT -o $ext_int -p icmp -s $ipaddr --icmp-type source-quench -d $anywhere -j ACCEPT
# accept ICMP message Parameter Problem
iptables -t filter -A INPUT -i $ext_int -p icmp -s $anywhere --icmp-type parameter-problem -d $ipaddr -j ACCEPT
iptables -t filter -A OUTPUT -o $ext_int -p icmp -s $ipaddr --icmp-type parameter-problem -d $anywhere -j ACCEPT
# accept ICMP message Destination Unreachable
iptables -t filter -A INPUT -i $ext_int -p icmp -s $anywhere --icmp-type destination-unreachable -d $ipaddr -j ACCEPT
iptables -t filter -A OUTPUT -o $ext_int -p icmp -s $ipaddr --icmp-type destination-unreachable -d $anywhere -j ACCEPT
iptables -t filter -A OUTPUT -o $ext_int -p icmp -s $ipaddr --icmp-type fragmentation-needed -d $anywhere -j ACCEPT
# accept ICMP message Time Exceeded
iptables -t filter -A INPUT -i $ext_int -p icmp -s $anywhere --icmp-type time-exceeded -d $ipaddr -j ACCEPT
iptables -t filter -A OUTPUT -o $ext_int -p icmp -s $ipaddr --icmp-type time-exceeded -d $anywhere -j ACCEPT
#----------------------------
# accept ICMP messages Echo Request (8) and Echo Reply (0)
# pinging a remote host
iptables -t filter -A INPUT -i $ext_int -p icmp -s 193.194.100.17 --icmp-type echo-reply -d $ipaddr -j ACCEPT
iptables -t filter -A OUTPUT -o $ext_int -p icmp -s $ipaddr --icmp-type echo-request -d $anywhere -j ACCEPT
# receiving pings from a remote host
iptables -t filter -A INPUT -i $ext_int -p icmp -s 193.194.100.17 --icmp-type echo-request -d $ipaddr -j ACCEPT
iptables -t filter -A OUTPUT -o $ext_int -p icmp -s $ipaddr --icmp-type echo-reply -d 193.194.100.17 -j ACCEPT

# rules against smurf attacks
iptables -t filter -A INPUT -i $ext_int -p icmp -d $broadcast_dest -j DROP
iptables -t filter -A OUTPUT -o $ext_int -p icmp -d $broadcast_dest -j REJECT
iptables -t filter -A INPUT -i $ext_int -p icmp -d $netmask -j DROP
iptables -t filter -A OUTPUT -o $ext_int -p icmp -d $netmask -j REJECT
iptables -t filter -A INPUT -i $ext_int -p icmp -d $network -j DROP
iptables -t filter -A OUTPUT -o $ext_int -p icmp -d $network -j REJECT

# requests to the ISP's DNS servers
iptables -t filter -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o $ext_int -p tcp -s $ipaddr --sport $unprivports -d $nameserv1 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -i $ext_int -p tcp -s $nameserv1 ! --syn --sport 53 -d $ipaddr --dport $unprivports -j ACCEPT
iptables -t filter -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -o $ext_int -p tcp -s $ipaddr --sport $unprivports -d $nameserv2 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -i $ext_int -p tcp -s $nameserv2 ! --syn --sport 53 -d $ipaddr --dport $unprivports -j ACCEPT

Any reply would be very much appreciated.

Regards,
Nicos
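The DNS rules at the end of the post open only TCP to the two ISP name servers. A resolver sends ordinary queries over UDP port 53 and falls back to TCP only when an answer comes back truncated (or for zone transfers), so under a DROP default policy a ruleset with no UDP 53 rule leaves the forwarders unreachable. The script below is an added example, not part of Nicos's post: for each forwarder it emits a UDP pair and a TCP pair of rules, with the reply direction limited to connection-tracked ESTABLISHED traffic (ip_conntrack on 2.4 tracks UDP as well as TCP). The interface, address and forwarder values are copied from the post; query_sport, dns_forwarder_rules and count_rules are this example's own. Two checks before loading it: the source port of outgoing queries is an unprivileged port unless named.conf sets `query-source address * port 53;`, in which case query_sport must be 53 or a `--sport 1024:65535` match silently drops every query; and where any address is meant the example simply omits -s/-d, which iptables treats as 0.0.0.0/0.

```shell
#!/bin/sh
# Added example, not from the original post: firewall rules that let a
# caching name server on this box reach its forwarders over UDP and TCP 53.
# Pass "echo" as the first argument of dns_forwarder_rules for a dry run.

# Values mirror the post; adjust to your own addresses (assumed, not verified).
ext_int="eth0"
ipaddr="193.194.100.19"
forwarders="194.67.1.154 194.67.1.155"

# Source port range named uses for outgoing queries.  The default is an
# unprivileged port; if named.conf contains
#   query-source address * port 53;
# change this to 53, otherwise the --sport match below drops the queries.
query_sport="1024:65535"

# dns_forwarder_rules [CMD]: install (CMD=iptables, the default) or print
# (CMD=echo) one UDP and one TCP rule pair per forwarder.
dns_forwarder_rules() {
    ipt="${1:-iptables}"
    for ns in $forwarders; do
        # UDP: the normal query/answer path.  The answer is matched as
        # ESTABLISHED by ip_conntrack, so no unsolicited UDP is let in.
        "$ipt" -t filter -A OUTPUT -o "$ext_int" -p udp -m state --state NEW,ESTABLISHED \
            -s "$ipaddr" --sport "$query_sport" -d "$ns" --dport 53 -j ACCEPT
        "$ipt" -t filter -A INPUT -i "$ext_int" -p udp -m state --state ESTABLISHED \
            -s "$ns" --sport 53 -d "$ipaddr" --dport "$query_sport" -j ACCEPT
        # TCP: used when a UDP answer is truncated (TC bit) and for AXFR.
        # Inbound must never be a bare SYN: we only ever initiate.
        "$ipt" -t filter -A OUTPUT -o "$ext_int" -p tcp -m state --state NEW,ESTABLISHED \
            -s "$ipaddr" --sport "$query_sport" -d "$ns" --dport 53 -j ACCEPT
        "$ipt" -t filter -A INPUT -i "$ext_int" -p tcp ! --syn -m state --state ESTABLISHED \
            -s "$ns" --sport 53 -d "$ipaddr" --dport "$query_sport" -j ACCEPT
    done
}

# count_rules PROTO: how many rules dns_forwarder_rules would install for
# PROTO (udp or tcp), computed from a dry run.  Handy as a sanity check
# that every forwarder got both directions before touching the live tables.
count_rules() {
    dns_forwarder_rules echo | grep -c -- "-p $1 "
}

if [ "${1:-}" = "dry-run" ]; then
    dns_forwarder_rules echo
fi
```

Run `sh dns-forwarders.sh dry-run` to print the eight rules; run it as root with no argument (or call dns_forwarder_rules from the main firewall script, in place of the TCP-only lines) to install them. After loading, `dig @194.67.1.154 example.com` from the box and `iptables -L INPUT -v -n` should show the packet counters on the UDP 53 INPUT rule increasing; if only the OUTPUT counter moves, the query left and the answer was dropped, which usually means the source-port assumption in query_sport is wrong.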
