• iptables help, please?

    From gdunn@110:300/11 to All on Sun Jun 22 03:36:43 2014
    Greetings all,

    Hopefully there are still some knowledgeable people in the group, despite
    the apparent spam content.

    I've inherited an iptables configuration that I don't understand, other
    than the UNSOLICITED line. Your help in understanding and correcting any problems will be appreciated.

    First, eth1 is the WAN interface and eth0 is LAN. I'd like to clean up
    the file if possible, and at the same time allow WAN UDP packets on ports
    5198 and 5199 to be forwarded to 192.168.1.50, if possible. Thank You.

    ###############################################################
    *filter
    :FORWARD ACCEPT [eth0:0]
    :INPUT DROP [eth1:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth1 -p udp -s 148.78.249.200 --dport 53 -m state --state NEW -j ACCEPT
    -A INPUT -i eth1 -p udp -s 148.78.249.201 --dport 53 -m state --state NEW -j ACCEPT
    #-A INPUT -i eth1 -p udp -s 148.78.249.202 --dport 53 -m state --state NEW -j ACCEPT
    -A INPUT -i eth1 -p udp -s 148.78.249.203 --dport 53 -m state --state NEW -j ACCEPT
    -A INPUT -i eth1 -m state --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
    COMMIT
    *mangle
    :PREROUTING ACCEPT [1471:303908]
    :INPUT ACCEPT [636:240607]
    :FORWARD ACCEPT [80:63181]
    :OUTPUT ACCEPT [437:39285]
    :POSTROUTING ACCEPT [1269:102466]
    COMMIT
    *nat
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth1 -j MASQUERADE
    # Forward HTTP connections to Squid proxy
    #-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
    COMMIT
    ###############################################################

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: UseNetServer.com (110:300/11@linuxnet)
  • From Philippe Weill@110:300/11 to All on Sun Jun 22 06:54:32 2014
    On 22/06/2014 05:36, gdunn wrote:
    Greetings all,

    Hopefully there are still some knowledgeable people in the group, despite
    the apparent spam content.

    I've inherited an iptables configuration that I don't understand, other
    than the UNSOLICITED line. Your help in understanding and correcting any problems will be appreciated.


    Your iptables is really simple.
    From external to internal computers everything is closed (NAT RULES).
    From internal to external everything is authorized, perhaps too much open (FORWARD ACCEPT POLICY +
    NAT MASQUERADE).

    From external to the IPTABLES FIREWALL (INPUT CHAIN) only UDP DNS packets are authorized, from the DNS of the
    starband.com domain (200 and 201).
    202 and 203 seem to need modification; the DNS are now also 148.78.254.200 and 148.78.254.201.

    From the IPTABLES FIREWALL to external everything is authorized.

    Everything is authorized from INTERNAL to FIREWALL.
    First, eth1 is the WAN interface and eth0 is LAN. I'd like to clean up
    the file if possible, and at the same time allow WAN UDP packets on ports 5198 and 5199 to be forwarded to 192.168.1.50, if possible. Thank You.

    To do what you need, see at the end.


    ###############################################################
    *filter
    :FORWARD ACCEPT [eth0:0]
    :INPUT DROP [eth1:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth1 -p udp -s 148.78.249.200 --dport 53 -m state --state NEW -j ACCEPT
    -A INPUT -i eth1 -p udp -s 148.78.249.201 --dport 53 -m state --state NEW -j ACCEPT
    #-A INPUT -i eth1 -p udp -s 148.78.249.202 --dport 53 -m state --state NEW -j ACCEPT
    -A INPUT -i eth1 -p udp -s 148.78.249.203 --dport 53 -m state --state NEW -j ACCEPT
    -A INPUT -i eth1 -m state --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
    COMMIT
    *mangle
    :PREROUTING ACCEPT [1471:303908]
    :INPUT ACCEPT [636:240607]
    :FORWARD ACCEPT [80:63181]
    :OUTPUT ACCEPT [437:39285]
    :POSTROUTING ACCEPT [1269:102466]
    COMMIT
    *nat
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth1 -j MASQUERADE
    -A PREROUTING -i eth1 -p udp --dport 5198 -j DNAT --to 192.168.1.50
    -A PREROUTING -i eth1 -p udp --dport 5199 -j DNAT --to 192.168.1.50

    # Forward HTTP connections to Squid proxy
    #-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
    COMMIT
    ###############################################################



    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Guest of ProXad - France (110:300/11@linuxnet)
  • From Pascal Hambourg@110:300/11 to All on Sun Jun 22 11:04:09 2014
    Reply-To: pascal.news@plouf.fr.eu.org

    Hello,

    Philippe Weill wrote:

    from external to internal computers everything is closed (NAT RULES)

    Wrong. The FORWARD chain is empty and its default policy is ACCEPT so everything is allowed in both directions. NAT rules do no filtering.

    From external to the IPTABLES FIREWALL (INPUT CHAIN) only UDP DNS packets are authorized, from the DNS of the
    starband.com domain (200 and 201).

    I wonder why external nameservers would send DNS queries to a box acting
    as a router/firewall. The only reason I can imagine is that the box also
    runs an authoritative nameserver acting as a master for these external nameservers. But it would require that TCP port 53 is also allowed for
    zone transfer.

    202 and 203 seem to need modification; the DNS are now also 148.78.254.200 and
    148.78.254.201.

    How do you know?

    and at the same time allow WAN UDP packets on ports
    5198 and 5199 to be forwarded to 192.168.1.50, if possible. Thank You.

    to do what you need see at the end
    -A PREROUTING -i eth1 -p udp --dport 5198 -j DNAT --to 192.168.1.50
    -A PREROUTING -i eth1 -p udp --dport 5199 -j DNAT --to 192.168.1.50

    In one rule:
    -A PREROUTING -i eth1 -p udp -m udp --dport 5198:5199 -j DNAT \
    --to 192.168.1.50
    or
    -A PREROUTING -i eth1 -p udp -m multiport --dports 5198,5199 -j DNAT \
    --to 192.168.1.50

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Plouf ! (110:300/11@linuxnet)
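    As an added example (not code from any post in this thread), a small Python audit of an iptables-save dump that checks the point Pascal raises above: a FORWARD chain whose policy is ACCEPT filters nothing regardless of the NAT rules, and once that policy is tightened each DNAT target also needs an explicit FORWARD accept. The embedded ruleset is constructed from the posted filter and nat tables plus the single multiport DNAT rule.

```python
import re

# Constructed input: the posted filter/nat tables plus Pascal's multiport DNAT rule.
RULESET = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state -i eth1 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -p udp -m multiport --dports 5198,5199 -j DNAT --to 192.168.1.50
COMMIT
"""

def parse_tables(text):
    # Returns {table: {"policy": {chain: policy}, "rules": {chain: [rule, ...]}}}
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and commented-out rules
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":FORWARD ACCEPT [0:0]"
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            table["rules"].setdefault(line.split()[1], []).append(line)
    return tables

def audit(text):
    tables = parse_tables(text)
    filt = tables.get("filter", {"policy": {}, "rules": {}})
    fwd_policy = filt["policy"].get("FORWARD", "ACCEPT")   # kernel default is ACCEPT
    fwd_rules = filt["rules"].get("FORWARD", [])
    findings = ["FORWARD policy is ACCEPT: routed traffic is unfiltered in both directions"] if fwd_policy == "ACCEPT" else []
    for rule in tables.get("nat", {"rules": {}})["rules"].get("PREROUTING", []):
        m = re.search(r"-j DNAT --to(?:-destination)? (\S+)", rule)
        if m and fwd_policy != "ACCEPT":
            dest = m.group(1).split(":")[0]         # strip an optional :port suffix
            if not any(f"-d {dest}" in r and "-j ACCEPT" in r for r in fwd_rules):
                findings.append(f"DNAT to {dest} has no matching FORWARD ACCEPT rule")
    return findings
```

    Running `audit()` on the constructed ruleset reports only the open FORWARD policy; flipping that policy to DROP makes it report the DNAT target instead until a FORWARD rule accepting UDP 5198:5199 to 192.168.1.50 is added.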
  • From Pascal Hambourg@110:300/11 to All on Sun Jun 22 11:06:27 2014
    Reply-To: pascal.news@plouf.fr.eu.org

    gdunn wrote:

    I've inherited an iptables configuration that I don't understand, other
    than the UNSOLICITED line. Your help in understanding and correcting any problems will be appreciated.

    First, eth1 is the WAN interface and eth0 is LAN. I'd like to clean up
    the file if possible

    It's hard to comment or correct a ruleset without knowing its detailed requirements.

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Plouf ! (110:300/11@linuxnet)
  • From Moe Trin@110:300/11 to All on Sun Jun 22 15:43:34 2014
    On Sun, 22 Jun 2014, in the Usenet newsgroup comp.os.linux.security, in article
    <a3d01$53a64f4b$9440befe$5576@STARBAND.NET>, gdunn wrote:

    Hopefully there are still some knowledgeable people in the group,
    despite the apparent spam content.

    A newsreader with an adequate kill-file system works wonders.

    I've inherited an iptables configuration that I don't understand,
    other than the UNSOLICITED line. Your help in understanding and
    correcting any problems will be appreciated.

    http://www.netfilter.org/documentation/HOWTO/

    [TXT] NAT-HOWTO.txt 05-Oct-2012 10:33 25K
    [TXT] netfilter-double-nat.txt 05-Oct-2012 10:33 9.4K
    [TXT] netfilter-extensions-HOWTO.txt 05-Oct-2012 10:33 80K
    [TXT] netfilter-hacking-HOWTO.txt 05-Oct-2012 10:33 81K
    [TXT] netfilter-mirror-HOWTO.txt 05-Oct-2012 10:33 7.8K
    [TXT] networking-concepts-HOWTO.txt 05-Oct-2012 10:33 28K
    [TXT] packet-filtering-HOWTO.txt 05-Oct-2012 10:33 51K

    The primary author is the person who is responsible for the firewall
    code in the kernel. The last two are a good place to start.

    Old guy

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Area 51 Air and Spacecraft Fueling Company (110:300/11@linuxnet)
  • From Philippe Weill@110:300/11 to All on Mon Jun 23 05:21:50 2014
    On 22/06/2014 13:04, Pascal Hambourg wrote:
    Hello,

    Philippe Weill wrote:

    from external to internal computers everything is closed (NAT RULES)

    Wrong. The FORWARD chain is empty and its default policy is ACCEPT so everything is allowed in both directions. NAT rules do no filtering.

    From external to the IPTABLES FIREWALL (INPUT CHAIN) only UDP DNS packets are authorized, from the DNS of the
    starband.com domain (200 and 201).

    I wonder why external nameservers would send DNS queries to a box acting
    as a router/firewall. The only reason I can imagine is that the box also
    runs an authoritative nameserver acting as a master for these external nameservers. But it would require that TCP port 53 is also allowed for
    zone transfer.

    I agree about TCP; I thought about that and forgot to write it.

    202 and 203 seem to need modification; the DNS are now also 148.78.254.200 and 148.78.254.201.

    How do you know?

    $ host 148.78.249.200
    200.249.78.148.in-addr.arpa domain name pointer ns1-mar.starband.com.
    $ host -t NS starband.com
    starband.com name server ns1-mclcorp.starband.com.
    starband.com name server ns1-mar.starband.com.
    starband.com name server ns2-mclcorp.starband.com.
    starband.com name server ns2-mar.starband.com.

    But without context I can be wrong.


    and at the same time allow WAN UDP packets on ports
    5198 and 5199 to be forwarded to 192.168.1.50, if possible. Thank You.

    to do what you need see at the end
    -A PREROUTING -i eth1 -p udp --dport 5198 -j DNAT --to 192.168.1.50
    -A PREROUTING -i eth1 -p udp --dport 5199 -j DNAT --to 192.168.1.50

    In one rule:
    -A PREROUTING -i eth1 -p udp -m udp --dport 5198:5199 -j DNAT \
    --to 192.168.1.50
    or
    -A PREROUTING -i eth1 -p udp -m multiport --dports 5198,5199 -j DNAT \
    --to 192.168.1.50



    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Guest of ProXad - France (110:300/11@linuxnet)