On Sun, 14 Apr 2002 04:53:04 -0400, you wrote:

> If I am understanding your question, you are trying to get your friend to connect to a server you have access to by "bouncing off" of your machine. I am assuming that your friend is NOT behind your firewall but on his own connection to the internet?

Yes, this is correct. I will only bounce these connections for him.

> If this is the case, one thing that stands out here is the fact that you are using NAT to accomplish this. This is possible. I was doing the same sort of thing at my company for internal people that were trying to connect to a NAT'd address from internally. The problem that arises is that you create a "3 point TRIANGLE" path for your data using the rules you show here.
>
> Point A = Friend's machine
> Point B = Your Firewall
> Point C = Outside Server
>
> Packets pass from A to B to C then back to A. Your friend sends a packet (tries to make a connection to your IP address) to the "server". Your box takes that packet and rewrites its destination address to be the outside server and forwards it on. The outside server gets this packet, processes it and tries to respond. Of course, it doesn't know about the "NAT" so it sends its response back to your friend's machine directly. When your friend's machine gets the packet from the Server, it doesn't know what to do with it. The packet appears as trash because it doesn't come from any machine that it sent data to.
>
> The solution is to put a SNAT rule into the firewall. This rule SNAT's any of these connections to your IP address and will preserve the proper packet routing. Of course, there are some issues with this.
> 1. All data that your friend transmits will go across your network link.
> 2. Anything that your friend does will appear to be coming from your network and can open you up to liability for his actions as they will appear to be your own.

You are correct on all of this, and yes, I know that I am "taking responsibility" for his actions. But I simply don't understand exactly how to do it. My friend has a static IP; should I build rules that involve his IP, so this service cannot be accessed from other machines than his? And probably I should LOG everything too.

Can you help me create the correct ruleset for this, as I am very confused about what to do? I am very new to iptables. (I am also struggling to understand and make rules to let people access my FTP server on my Windows box behind the firewalled Linux box, but I will work on that on my own for some time, to try to figure it out myself.)

> ----- Original Message -----
> From: "Rabalder" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, April 14, 2002 3:07 AM
> Subject: Mapping mail & news to a friend
>
>> Hello list
>>
>> I have a RH 7.2 box, with 2.4.18 kernel and latest iptables installed and working well.
>> I have generated a rc.firewall from http://www.linux-firewall-tools.com/linux/ and modified it a little for my needs, and it's working well.
>> I then have a friend without access to mail & news, and I want to create a mapping for him.
>> As a start I have tried to figure out how to do the new part of it but it won't work.
>> I have this in my box:
>> ppp0 = my network interface
>> $IPADDR = my ip gained from a scriptline
>> 193.213.112.21:119 = my newsserver and its port
>>
>> $IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp -d $IPADDR --dport 33333 \
>>     -j DNAT --to-destination 193.213.112.21:119
>>
>> $IPTABLES -A FORWARD -i ppp0 -o ppp0 -p tcp -d $IPADDR --dport 33333 \
>>     -j ACCEPT
>>
>> With these two lines I want to let my friend communicate with the newsserver through my computer, and I also want to let him gain access to a mailserver the same way, but I can't get it to work.
>>
>> Is anyone able to help me with a working ruleset for this?
>>
>> Here is the most important part of my rc.firewall with these two lines in for my friend so you can see what I have done.
>>
>> #!/bin/sh
>> # /etc/rc.d/rc.firewall
>> # Invoked from /etc/ppp/ip-up, or
>> # from /sbin/ifup-local, or
>> # from /etc/sysconfig/network-scripts/ifup-post.
>>
>> echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
>>
>> # ----------------------------------------------------------------------------
>> # Some definitions for easy maintenance.
>> # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
>>
>> EXTERNAL_INTERFACE="ppp0"            # Internet connected interface
>> LOOPBACK_INTERFACE="lo"              # or your local naming convention
>> LOCAL_INTERFACE_1="eth1"             # internal LAN interface
>> echo " External Interface: $EXTERNAL_INTERFACE"
>> echo " Internal Interface: $LOCAL_INTERFACE_1"
>> IPADDR=$(/sbin/ifconfig | /bin/grep P-t-P | /usr/bin/cut -c 21-38 | /bin/awk '{print $1}' )
>>
>> LOCALNET_1="192.168.1.0/24"          # whatever private range you use
>>
>> ANYWHERE="0/0"                       # match any IP address
>>
>> DHCP_SERVER="0/0"
>> NAMESERVER_1="148.122.208.99"        # everyone must have at least one
>> NAMESERVER_2="148.122.161.3"
>>
>> SMTP_SERVER="0/0"                    # Your ISP mail gateway. Your relay.
>> POP_SERVER="pop.online.no"           # Your ISP pop mail server.
>> NEWS_SERVER="0/0"                    # Your ISP news server
>>
>> LOOPBACK="127.0.0.0/8"               # reserved loopback address range
>> CLASS_A="10.0.0.0/8"                 # class A private networks
>> CLASS_B="172.16.0.0/12"              # class B private networks
>> CLASS_C="192.168.0.0/16"             # class C private networks
>> BROADCAST_SRC="0.0.0.0"              # broadcast source address
>> BROADCAST_DEST="255.255.255.255"     # broadcast destination address
>> PRIVPORTS="0:1023"                   # well known, privileged port range
>> UNPRIVPORTS="1024:65535"             # unprivileged port range
>>
>> # ----------------------------------------------------------------------------
>>
>> NFS_PORT="2049"                      # (TCP/UDP) NFS
>> SOCKS_PORT="1080"                    # (TCP) Socks
>> OPENWINDOWS_PORT="2000"              # (TCP) openwindows
>>
>> # X Windows port allocation begins at 6000 and increments to 6063
>> # for each additional server running.
>> XWINDOW_PORTS="6000:6063"            # (TCP) X windows
>>
>> # The SSH client starts at 1023 and works down to 513 for each
>> # additional simultaneous connection originating from a privileged port.
>> # Clients can optionally be configured to use only unprivileged ports.
>> SSH_LOCAL_PORTS="1022:65535"         # port range for local clients
>> SSH_REMOTE_PORTS="513:65535"         # port range for remote clients
>>
>> # traceroute usually uses -S 32769:65535 -D 33434:33523
>> TRACEROUTE_SRC_PORTS="32769:65535"
>> TRACEROUTE_DEST_PORTS="33434:33523"
>> # ----------------------------------------------------------------------------
>> IPTABLES=/sbin/iptables
>> echo -en " loading modules: "
>> echo " - Verifying that all kernel modules are ok"
>> /sbin/depmod -a
>> echo -en "ip_tables, "
>> /sbin/modprobe ip_tables
>> echo -en "ip_conntrack, "
>> /sbin/modprobe ip_conntrack
>> echo -en "ip_conntrack_ftp, "
>> /sbin/modprobe ip_conntrack_ftp
>> echo -en "ip_conntrack_irc, "
>> /sbin/modprobe ip_conntrack_irc
>> echo -en "iptable_nat, "
>> /sbin/modprobe iptable_nat
>> echo -en "ip_nat_ftp, "
>> /sbin/modprobe ip_nat_ftp
>> echo -en "ip_nat_irc, "
>> /sbin/modprobe ip_nat_irc
>> echo -en "ipt_multiport, "
>> /sbin/modprobe ipt_multiport
>> echo ". Done loading modules."
>> echo ". Vi har bekreftet at det virker så langt."
>> # ----------------------------------------------------------------------------
>>
>> # Enable IP Forwarding, if it isn't already
>> echo " enabling forwarding.."
>> echo "1" > /proc/sys/net/ipv4/ip_forward
>>
>> echo " enabling DynamicAddr.."
>> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>>
>> # Enable TCP SYN Cookie Protection
>> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>>
>> # Enable broadcast echo Protection
>> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>>
>> # Enable bad error message Protection
>> echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>>
>> # Enable IP spoofing protection
>> # turn on Source Address Verification
>> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>>     echo 1 > $f
>> done
>>
>> # Disable ICMP Redirect Acceptance
>> for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
>>     echo 0 > $f
>> done
>>
>> for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
>>     echo 0 > $f
>> done
>>
>> # Disable Source Routed Packets
>> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
>>     echo 0 > $f
>> done
>>
>> # Log Spoofed Packets, Source Routed Packets, Redirect Packets
>> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
>>     echo 1 > $f
>> done
>> # ----------------------------------------------------------------------------
>> # Default policy is DROP
>> # Explicitly accept desired INCOMING & OUTGOING connections
>>
>> $IPTABLES -P INPUT DROP
>> $IPTABLES -F INPUT
>> $IPTABLES -P OUTPUT DROP
>> $IPTABLES -F OUTPUT
>> $IPTABLES -P FORWARD DROP
>> $IPTABLES -F FORWARD
>> $IPTABLES -t nat -F
>> $IPTABLES -F
>> echo " Kontrollpunkt A1"
>> # ----------------------------------------------------------------------------
>> # LOOPBACK
>>
>> # Unlimited traffic on the loopback interface.
>>
>> $IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
>> $IPTABLES -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
>>
>> # ----------------------------------------------------------------------------
>> # Unlimited traffic within the local network.
>>
>> # All internal machines have access to the firewall machine.
>>
>> $IPTABLES -A INPUT -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
>> $IPTABLES -A OUTPUT -o $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT
>>
>> # ----------------------------------------------------------------------------
>> # Masquerade internal traffic.
>>
>> # All internal traffic is masqueraded externally.
>> # WARNING:
>> # The iptables functionality is under development.
>> # No filters are applied. Just masquerading.
>>
>> $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $LOCAL_INTERFACE_1 -m state \
>>     --state ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A FORWARD -i $LOCAL_INTERFACE_1 -o $EXTERNAL_INTERFACE -j ACCEPT
>> $IPTABLES -A FORWARD -j LOG
>>
>> echo " Enabling SNAT (MASQUERADE) functionality on $EXTERNAL_INTERFACE"
>> $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE
>> echo " Kontrollpunkt A2"
>> # ----------------------------------------------------------------------------
>> # SPOOFING & BAD ADDRESSES
>> # Refuse spoofed packets.
>> # Ignore blatantly illegal source addresses.
>> # Protect yourself from sending to bad addresses.
>>
>> # Refuse incoming packets pretending to be from the external address.
>> $IPTABLES -A INPUT -s $IPADDR -j DROP
>>
>> # ----------------------------------------------------------------------------
>> # NOTE:
>> # The symbolic names used in /etc/services for the port numbers vary by
>> # supplier. Using them is less error prone and more meaningful, though.
>>
>> # ----------------------------------------------------------------------------
>> # TCP UNPRIVILEGED PORTS
>> # Avoid ports subject to protocol & system administration problems.
>>
>> # NFS: establishing a TCP connection
>> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
>>     --destination-port $NFS_PORT -j DROP
>> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
>>     --destination-port $NFS_PORT -j REJECT
>>
>> # openwindows: establishing a connection
>> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
>>     --destination-port $OPENWINDOWS_PORT -j DROP
>> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
>>     --destination-port $OPENWINDOWS_PORT -j REJECT
>>
>> # Xwindows: establishing a connection
>> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
>>     --destination-port $XWINDOW_PORTS -j DROP
>> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
>>     --destination-port $XWINDOW_PORTS -j REJECT
>>
>> # SOCKS: establishing a connection
>> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
>>     --destination-port $SOCKS_PORT -j DROP
>> $IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
>>     --destination-port $SOCKS_PORT -j REJECT
>>
>> # ----------------------------------------------------------------------------
>> # UDP UNPRIVILEGED PORTS
>> # Avoid ports subject to protocol & system administration problems.
>>
>> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
>>     --destination-port $NFS_PORT -j DROP
>>
>> # UDP INCOMING TRACEROUTE
>> # traceroute usually uses -S 32769:65535 -D 33434:33523
>>
>> $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
>>     --source-port $TRACEROUTE_SRC_PORTS \
>>     --destination-port $TRACEROUTE_DEST_PORTS -j DROP
>>
>> # ----------------------------------------------------------------------------

Regards,
Roger Mauseth
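An added example, not from the thread or the linked generator, of the bounce rules the reply describes and Roger asks for: DNAT plus SNAT for one TCP service, limited to a single source address and logged, as a dry-run shell function. FRIEND_IP and the ppp0 address are constructed placeholders; the news server, the 33333 bounce port and the POP server come from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): "bounce" rules for one TCP service, with
# the pieces the posted rc.firewall lacks: a FORWARD match on the post-DNAT
# address, a reply path for ppp0 -> ppp0, a source restriction and logging.
# FRIEND_IP and IPADDR are constructed placeholders (RFC 5737 documentation ranges).
IPTABLES=${IPTABLES:-echo}              # dry run by default; set IPTABLES=/sbin/iptables to apply
EXTERNAL_INTERFACE="ppp0"
IPADDR="${IPADDR:-203.0.113.10}"        # the ppp0 address (placeholder)
FRIEND_IP="${FRIEND_IP:-198.51.100.7}"  # the friend's static address (placeholder)

# bounce_rules LISTEN_PORT TARGET_HOST TARGET_PORT
bounce_rules() {
    port=$1; target=$2; tport=$3
    # 1. Only the friend may use the bounce port; rewrite the destination to the real server.
    $IPTABLES -t nat -A PREROUTING -i "$EXTERNAL_INTERFACE" -p tcp -s "$FRIEND_IP" \
        -d "$IPADDR" --dport "$port" -j DNAT --to-destination "$target:$tport"
    # 2. Rewrite the source to our address so the server answers us, not the friend.
    #    (A MASQUERADE rule for ppp0, as in the posted script, does this too; keep one of the two.)
    $IPTABLES -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" -p tcp -s "$FRIEND_IP" \
        -d "$target" --dport "$tport" -j SNAT --to-source "$IPADDR"
    # 3. FORWARD sees the packet after DNAT, so match the server address, not $IPADDR:$port.
    #    Log each new connection, then accept it.
    $IPTABLES -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$FRIEND_IP" -d "$target" --dport "$tport" -m state --state NEW \
        -j LOG --log-prefix "bounce-$port: "
    $IPTABLES -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$FRIEND_IP" -d "$target" --dport "$tport" -m state --state NEW,ESTABLISHED -j ACCEPT
    # 4. Replies: conntrack has already undone the SNAT by this hook, so they are addressed to the friend.
    $IPTABLES -A FORWARD -i "$EXTERNAL_INTERFACE" -o "$EXTERNAL_INTERFACE" -p tcp \
        -s "$target" --sport "$tport" -d "$FRIEND_IP" -m state --state ESTABLISHED -j ACCEPT
}

# News (server and port from the original post) and POP3 mail (33334 is a constructed choice).
bounce_rules 33333 193.213.112.21 119
bounce_rules 33334 pop.online.no 110
```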
