Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Joshua Banks
Simon,
Save yourself a lot of time and headache and download (emerge -p
shorewall) the Shorewall firewall. IPtables made easy. This site is well
maintained, has a great mailing list and awesome, easy-to-follow FAQs
for a standalone workstation, 2-NIC and 3-NIC setups with DMZ.

Shorewall is very lightweight and is a full-featured stateful packet
filtering firewall that uses a series of simple shell scripts to take
all the (masochistic fun) out of configuring iptables line by line, word
by word.

http://www.shorewall.net

Unless you're trying to learn iptables of course.. Heh. :P

JBanks
--- Simon_Kühling [EMAIL PROTECTED] wrote:
 hi everyone,
 
 I'm trying to get my gentoo box running as a firewall and NAT router
 for my home network. Therefore I took the iptables example script as
 seen in the gentoo security guide
 (http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and
 modified it a little.
 
 The server is able to establish an ADSL connection and lynx has no
 problem surfing the net. The firewall script is started and from inside
 the network I can easily access the server (192.168.0.1) via ssh, but
 there's no response to pings from e.g. 192.168.0.121. The server itself
 is not able to ping and gets a strange error message:
 
 ***
   tux root # ping www.google.com
   PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
   ping: sendmsg: Operation not permitted
   ping: sendmsg: Operation not permitted
   ping: sendmsg: Operation not permitted
 
   --- www.google.akadns.net ping statistics ---
   3 packets transmitted, 0 received, 100% packet loss, time 2000ms
 ***
 
 
 My firewall script is attached to this mail.
 I do not see a mistake or anything in that script.
 Btw, another strange behavior: yesterday the NAT routing suddenly ran
 for about 10 minutes without changing the script (as far as I can
 remember).
 
 I am thankful for every little hint :)
 
 simon
 #!/sbin/runscript
 IPTABLES=/sbin/iptables
 IPTABLESSAVE=/sbin/iptables-save
 IPTABLESRESTORE=/sbin/iptables-restore
 FIREWALL=/etc/firewall.rules
 DNS1=145.253.2.11
 DNS2=145.253.2.75
 #inside
 IINTERFACE=eth0
 #outside
 OINTERFACE=ppp0
 
 opts="${opts} showstatus panic save restore showoptions rules"
 
 depend() {
   need net procparam
 }
 
 rules() {
   stop
   ebegin "Setting internal rules"
 
   einfo "Setting default rule to drop"
   $IPTABLES -P FORWARD DROP
   $IPTABLES -P INPUT   DROP
   $IPTABLES -P OUTPUT  DROP
 
   #default rule
   einfo "Creating states chain"
   $IPTABLES -N allowed-connection
   $IPTABLES -F allowed-connection
   $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
   $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
   $IPTABLES -A allowed-connection -j DROP
 
   #ICMP traffic
   einfo "Creating icmp chain"
   $IPTABLES -N icmp_allowed
   $IPTABLES -F icmp_allowed
   $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
   $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
   $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
   $IPTABLES -A icmp_allowed -p icmp -j DROP
 
   #Incoming traffic
   einfo "Creating incoming ssh traffic chain"
   $IPTABLES -N allow-ssh-traffic-in
   $IPTABLES -F allow-ssh-traffic-in
   #Flood protection
   $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
   $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
   $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
   $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT
 
   #outgoing traffic
   einfo "Creating outgoing ssh traffic chain"
   $IPTABLES -N allow-ssh-traffic-out
   $IPTABLES -F allow-ssh-traffic-out
   $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT
 
   einfo "Creating outgoing dns traffic chain"
   $IPTABLES -N allow-dns-traffic-out
   $IPTABLES -F allow-dns-traffic-out
   $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
   $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT
 
   einfo "Creating outgoing http/https traffic chain"
   $IPTABLES -N allow-www-traffic-out
   $IPTABLES -F allow-www-traffic-out
   $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
   $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT
 
   #Catch portscanners
   einfo "Creating portscan detection chain"
   $IPTABLES -N check-flags
   $IPTABLES -F check-flags
   $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
   $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
   $IPTABLES -A check-flags -p tcp --tcp-flags 

Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Stephen Boulet
I wonder if your firewall is blocking ping scans. Disable the firewall and see 
if you can ping google.

In my firewall, I do:

# Block ping scans
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# ... but not coming from our LAN
iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

On Saturday 01 November 2003 06:15 am, Simon Kühling wrote:
 hi everyone,

 i'm trying to get my gentoo box running as a firewall and nat-router for
 my home-network.

-- 
Stephen  
  From here to there
 and there to here,
   funny things are everywhere.  -- Dr Seuss






Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Simon Kühling
 I wonder if your firewall is blocking ping scans. Disable the 
 firewall and see 
 if you can ping google.

Well, you are right - disabling the firewall makes ping work again.
Maybe it is easier to build my own script from scratch instead of using
the one from the gentoo security guide.
 
 In my firewall, I do:
 
 # Block ping scans
 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
 # ... but not coming from our LAN
 iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP 
 iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
 

ok, thanks for the hint!

simon


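The failure mode confirmed above (ping from the firewall host reports "sendmsg: Operation not permitted" while the script's INPUT/OUTPUT/FORWARD policies are DROP) is the OUTPUT chain refusing a locally generated echo-request. The following is an added example, not Simon's script, the Gentoo guide's script or Stephen's rules: an icmp_allowed chain that lets the firewall host ping out and answers pings from the LAN only, with the DROP policies left in place. The eth0/ppp0 names come from the thread; the icmp_rules function and the dry-run default for IPTABLES are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread (not Simon's script or the Gentoo guide):
# an icmp_allowed chain that lets the firewall host ping out and answer
# LAN pings while the INPUT/OUTPUT/FORWARD policies stay DROP.
# ping's "sendmsg: Operation not permitted" is the OUTPUT chain refusing
# the locally generated echo-request; nothing below opens ICMP from ppp0.
#
# IPTABLES defaults to a dry run that only prints the commands; run as
# root with IPTABLES=/sbin/iptables to apply them. Interface names are
# the ones from the thread and are assumptions about the reader's box.
IPTABLES=${IPTABLES:-"echo iptables"}
IINTERFACE=${IINTERFACE:-eth0}   # LAN side
OINTERFACE=${OINTERFACE:-ppp0}   # ADSL side

icmp_rules() {
    $IPTABLES -N icmp_allowed
    $IPTABLES -F icmp_allowed
    # Echo replies to our own pings and ICMP errors (time-exceeded,
    # destination-unreachable) tied to a tracked flow arrive as
    # ESTABLISHED/RELATED, so one conntrack rule admits them without
    # opening those types to anybody.
    $IPTABLES -A icmp_allowed -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Echo requests arriving on the Internet side are logged (rate
    # limited) and dropped before the accept rule below can see them.
    $IPTABLES -A icmp_allowed -i "$OINTERFACE" -p icmp --icmp-type echo-request \
        -m limit --limit 5/minute -j LOG --log-prefix "Ping from outside: "
    $IPTABLES -A icmp_allowed -i "$OINTERFACE" -p icmp --icmp-type echo-request -j DROP
    # NEW echo requests that survive are either generated by this host
    # (OUTPUT has no input interface, so the -i rules never match) or
    # come from the LAN (INPUT when aimed at us, FORWARD when routed).
    $IPTABLES -A icmp_allowed -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    # Everything else ICMP is logged and dropped, as in the thread's script.
    $IPTABLES -A icmp_allowed -p icmp -m limit --limit 5/minute -j LOG --log-prefix "Bad ICMP traffic: "
    $IPTABLES -A icmp_allowed -p icmp -j DROP
    # Hook the chain into all three built-in chains; with policy DROP and
    # no OUTPUT hook, the host's own echo-request is what gets refused.
    $IPTABLES -A INPUT   -p icmp -j icmp_allowed
    $IPTABLES -A OUTPUT  -p icmp -j icmp_allowed
    $IPTABLES -A FORWARD -p icmp -j icmp_allowed
}

icmp_rules
```

In dry-run mode the printed commands can be reviewed before applying them; once applied, "ping www.google.com" from the box should get replies while a ping from the ppp0 side is logged and dropped.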



RE: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Jeffrey Smelser
gshield and shorewall can build you a firewall..

I prefer gshield myself.

  I wonder if your firewall is blocking ping scans. Disable the 
  firewall and see 
  if you can ping google.
 
 well, you are right - disabling the firewall makes ping work again.
 maybe it is easier to build my own script from scratch 
 instead of using
 the one from gentoo-security-guide.
  
  In my firewall, I do:
  
  # Block ping scans
  iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
  # ... but not coming from our LAN
  iptables -A FORWARD -p icmp --icmp-type echo-reply -j DROP 
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
  




Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Joshua Banks

--- Simon_Kühling [EMAIL PROTECTED] wrote:
  I wonder if your firewall is blocking ping scans. Disable the 
  firewall and see 
  if you can ping google.
 
 well, you are right - disabling the firewall makes ping work again.
 maybe it is easier to build my own script from scratch instead of
 using
 the one from gentoo-security-guide.

If you insist. You're making a lot of extra work for yourself. Shorewall
already has all of the scripts that you need. All you need to do is
simply modify them. Trust me. Try it, and you will understand. If you
don't like it go back to writing everything from scratch. 

http://www.shorewall.net

JBanks




Re: [gentoo-user] iptables firewall+nat problem

2003-11-01 Thread Lincoln A. Baxter
I have been running my own personally developed IPTABLES ruleset since I
converted from ipchains to iptables.

My topology is pretty simple:

WAN (cable modem) --- eth1 [FW] eth0 --- [HUB] -- [LAN boxes]

Note that I am forwarding port 25 from the FW to an internet mail
server.

This thread caused me to take a closer look at both shorewall and
gshield (I think it was).  I actually emerged shorewall and attempted
to configure it.  In the end I found it more confusing than my own
custom built script, which I have pretty extensively tested (and which
I will be happy to share if anyone is interested).  Frankly, I like
understanding what is going on under the covers... so I unmerged
shorewall and went back to using my script.


On Sat, 2003-11-01 at 19:17, Joshua Banks wrote:
 --- Simon_Kühling [EMAIL PROTECTED] wrote:
   I wonder if your firewall is blocking ping scans. Disable the 
   firewall and see 
   if you can ping google.
  
  well, you are right - disabling the firewall makes ping work again.
  maybe it is easier to build my own script from scratch instead of
  using
  the one from gentoo-security-guide.
 
 If you insist. You're making a lot of extra work for yourself. Shorewall
 already has all of the scripts that you need. All you need to do is
 simply modify them. Trust me. Try it, and you will understand. If you
 don't like it go back to writing everything from scratch. 
 
 http://www.shorewall.net
 
 JBanks
 
-- 
Lincoln A. Baxter [EMAIL PROTECTED]

