When you use NAT to route traffic from eth0 out to the internet, it flows through the FORWARD table, bypassing the INPUT and OUTPUT tables completely. You'll need to set up a rule in your firewall blocking access using the FORWARD table.

-Ross Skaliotis

On Sun, 14 Apr 2002, Brian wrote:

> I have an iptables firewall version 1.2.5, I LOVE IPTABLES SO MUCH MORE
> THINGS YOU CAN DO. I have a small network off my eth0 interface
> 192.168.0.X network and my ppp0 is my DSL connection, with the current
> firewall how would I block someone going to the Internet from my eth0
> interface. I have tried many things here and had no luck.
>
> Both my INPUT and OUTPUT used a DROP policy by default and I am using
> NAT to route my traffic to the Internet.
>
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> modprobe ip_conntrack
> modprobe ip_tables
> modprobe iptable_filter
> modprobe iptable_mangle
> modprobe iptable_nat
> modprobe ipt_LOG
> modprobe ipt_REJECT
> modprobe ipt_MASQUERADE
> modprobe ip_conntrack_ftp
> modprobe ipt_owner
> modprobe ip_conntrack_irc
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -A FORWARD -j ACCEPT
>
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp --dport 1024: -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp --sport 67 --dport 68 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp -s 208.188.197.4 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp -s 206.148.122.8 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp -s 206.148.122.2 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp ! --syn -j ACCEPT
> iptables -A INPUT -i ppp0 -p icmp -j DROP
> iptables -P INPUT DROP
>
> iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
> iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
> iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
> iptables -P OUTPUT DROP
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
I have an iptables firewall version 1.2.5, I LOVE IPTABLES SO MUCH MORE THINGS YOU CAN DO. I have a small network off my eth0 interface 192.168.0.X network and my ppp0 is my DSL connection, with the current firewall how would I block someone going to the Internet from my eth0 interface. I have tried many things here and had no luck.

Both my INPUT and OUTPUT used a DROP policy by default and I am using NAT to route my traffic to the Internet.

echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack

modprobe ip_conntrack
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ip_conntrack_ftp
modprobe ipt_owner
modprobe ip_conntrack_irc

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT

iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 1024: -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s 208.188.197.4 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s 206.148.122.8 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s 206.148.122.2 --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp ! --syn -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -j DROP
iptables -P INPUT DROP

iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
iptables -P OUTPUT DROP
A rule like:

/sbin/iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j DROP

would do the trick. Kind of a sledgehammer solution, but it should block everyone.

- Greg

-----Original Message-----
From: Ross Skaliotis [mailto:ross@student.andover.edu]
Sent: Sunday, April 14, 2002 11:15 AM
To: Brian
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Firewall Question?

When you use NAT to route traffic from eth0 out to the internet, it flows through the FORWARD table, bypassing the INPUT and OUTPUT tables completely. You'll need to set up a rule in your firewall blocking access using the FORWARD table.

-Ross Skaliotis

On Sun, 14 Apr 2002, Brian wrote:

> I have an iptables firewall version 1.2.5, I LOVE IPTABLES SO MUCH MORE
> THINGS YOU CAN DO. I have a small network off my eth0 interface
> 192.168.0.X network and my ppp0 is my DSL connection, with the current
> firewall how would I block someone going to the Internet from my eth0
> interface. I have tried many things here and had no luck.
>
> Both my INPUT and OUTPUT used a DROP policy by default and I am using
> NAT to route my traffic to the Internet.
>
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
>
> modprobe ip_conntrack
> modprobe ip_tables
> modprobe iptable_filter
> modprobe iptable_mangle
> modprobe iptable_nat
> modprobe ipt_LOG
> modprobe ipt_REJECT
> modprobe ipt_MASQUERADE
> modprobe ip_conntrack_ftp
> modprobe ipt_owner
> modprobe ip_conntrack_irc
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -A FORWARD -j ACCEPT
>
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp --dport 1024: -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp --sport 67 --dport 68 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp -s 208.188.197.4 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp -s 206.148.122.8 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p udp -s 206.148.122.2 --sport 53 --dport 1024:65535 -j ACCEPT
> iptables -A INPUT -i ppp0 -p tcp ! --syn -j ACCEPT
> iptables -A INPUT -i ppp0 -p icmp -j DROP
> iptables -P INPUT DROP
>
> iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
> iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
> iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
> iptables -P OUTPUT DROP
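Added illustration, not code from the thread or from any poster: a small first-match simulator of the relevant INPUT and FORWARD rules from Brian's script, showing Ross's point (a LAN host's internet-bound packet is judged by FORWARD, never INPUT) and Greg's DROP rule in two positions. Since iptables stops at the first matching rule, Greg's rule only takes effect if it sits before Brian's blanket "iptables -A FORWARD -j ACCEPT" (i.e. inserted with -I, or the blanket rule removed); the packets and the simplified matching (only -i and -s) are constructed assumptions for the demo.

```python
import ipaddress

def rule(target, in_iface=None, src=None):
    """One filter rule: optional -i match, optional -s match, and a target."""
    return {"in": in_iface, "src": ipaddress.ip_network(src) if src else None,
            "target": target}

def walk_chain(rules, policy, pkt):
    """iptables semantics: the first matching rule decides; no match -> chain policy."""
    for r in rules:
        if r["in"] is not None and r["in"] != pkt["in"]:
            continue
        if r["src"] is not None and ipaddress.ip_address(pkt["src"]) not in r["src"]:
            continue
        return r["target"]
    return policy

def verdict(chains, pkt):
    """A packet addressed to the gateway itself traverses INPUT; a packet the
    gateway routes (LAN host -> ppp0, then MASQUERADE) traverses FORWARD only."""
    chain = "INPUT" if pkt["to_gateway"] else "FORWARD"
    rules, policy = chains[chain]
    return chain, walk_chain(rules, policy, pkt)

def brians_chains():
    """The rules from the thread that matter here: INPUT accepts eth0 with policy
    DROP; FORWARD holds a blanket ACCEPT (no -P was set, so the default ACCEPT applies)."""
    return {"INPUT": ([rule("ACCEPT", in_iface="eth0")], "DROP"),
            "FORWARD": ([rule("ACCEPT")], "ACCEPT")}

GREG_DROP = rule("DROP", in_iface="eth0", src="192.168.0.0/24")

def with_drop_appended():
    """iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -j DROP (lands after the blanket ACCEPT)."""
    c = brians_chains()
    c["FORWARD"][0].append(GREG_DROP)
    return c

def with_drop_inserted():
    """iptables -I FORWARD -i eth0 -s 192.168.0.0/24 -j DROP (evaluated first)."""
    c = brians_chains()
    c["FORWARD"][0].insert(0, GREG_DROP)
    return c

# Constructed sample packets: a LAN host bound for the internet, and the same host talking to the gateway.
LAN_TO_INTERNET = {"in": "eth0", "src": "192.168.0.10", "to_gateway": False}
LAN_TO_GATEWAY = {"in": "eth0", "src": "192.168.0.10", "to_gateway": True}

if __name__ == "__main__":
    for name, chains in [("original", brians_chains()), ("drop appended", with_drop_appended()),
                         ("drop inserted", with_drop_inserted())]:
        print(name, verdict(chains, LAN_TO_INTERNET), verdict(chains, LAN_TO_GATEWAY))
```

The gateway-bound packet still gets ACCEPT from INPUT in every variant, so the LAN keeps reaching the box itself while the inserted rule stops its internet access.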