Masqueraded telnet connects then hangs (help pls)
ableasby@hgmp.mrc.ac.uk
Thu, 5 Jul 2001 18:18:10 +0100 (BST)
I'm a newbie to masquerading and am having trouble telnetting
from masqueraded machines. Connections are made e.g.

# telnet fred.bloggs.foo.bar (uses caching nameserver on 192.168.0.3)
Connected to fred.bloggs.foo.bar
Escape character is '^]'.
(hang for 2-3 minutes)
Connection closed by remote host.

The same sort of thing happens using a browser i.e. a connection is
made then a hang. I think I must be missing something simple and
fundamental here but I'm not sure what. I really would appreciate any
constructive help. Details are as follows:

Internet: eth1 on 192.168.0.3 (just to be different!)
Intranet: eth0 on 192.168.0.0/24
All machines communicate OK on the local intranet and the host
(192.168.0.3) can telnet/ftp/http/etc fine to the internet.
Internet connection: NTL cable modem. IP address via DHCP.
OS: Redhat Linux 7.1 on all machines
Kernel: 2.4.5 on all machines
Firewall: netfilter and given below. Remember I'm a newbie netfilterer!
I also really should use bash however....

#!/bin/tcsh
setenv INTERNAL_NETWORK 192.168.0.0/24
## Activate forwarding
# Masquerade
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
## Get the IP address supplied by NTL
setenv DHCP_IP "`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
## Route verification.
## Drop all packets coming from outside with same address as our
## internal network. Stops us being sent spoof packets.
foreach i (/proc/sys/net/ipv4/conf/eth1/rp_filter)
echo 1 > $i
end
# And everything being forwarded from internal network must have
# our address. Stops anyone using our machine sending spoof packets.
iptables -A FORWARD -i eth0 -s ! $INTERNAL_NETWORK -j DROP
## Syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
## Furtive port scanner protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
## Ping of death protection
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
## Drop malformed packets (to stop Nmap)
#
# 1. Outside tcp packets with all flags set (Christmas packets)
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
#
# 2. Outside tcp packets with all flags unset
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
## Anything from the internet can't have a private network address
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -j DROP
## Block outgoing network filesharing protocols that should only be used on
## LANs. -- log the SMB ones
iptables -A FORWARD -p tcp --sport 137:139 -j LOG --log-level warning --log-prefix "Alan says: SMB tried to cross"
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -j LOG --log-level warning --log-prefix "Alan says: SMB tried to cross"
iptables -A OUTPUT -p tcp --sport 137:139 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -j DROP
## Block other protocols
# NFS mount
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
iptables -A INPUT -p tcp --sport 635 -j DROP
iptables -A INPUT -p udp --sport 635 -j DROP
# NFS
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
iptables -A INPUT -p tcp --sport 2049 -j DROP
iptables -A INPUT -p udp --sport 2049 -j DROP
# Portmapper
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP
iptables -A INPUT -p tcp --sport 111 -j DROP
iptables -A INPUT -p udp --sport 111 -j DROP
## Block syslog. Don't want others filling up our logs
iptables -A FORWARD -i eth1 -p udp --dport syslog -j DROP
iptables -A INPUT -i eth1 -p udp --dport syslog -j DROP
## Block lpr. Don't want others using our printer
iptables -A FORWARD -i eth1 -p tcp --dport 515 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 515 -j DROP
## Block rsh. It's vulnerable to IP spoofing
iptables -A FORWARD -i eth1 -p tcp --dport 514 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 514 -j DROP
## Block rexec. It has flawed client-side authentication
iptables -A FORWARD -i eth1 -p tcp --dport 512 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 512 -j DROP
## Incoming
# local interface, local machines going anywhere is valid
iptables -A INPUT -i eth0 -s $INTERNAL_NETWORK -d 0.0.0.0/0 -j ACCEPT
# remote machines claiming to be local machines are dropped
iptables -A INPUT -i eth1 -s $INTERNAL_NETWORK -d 0.0.0.0/0 -j DROP
# remote interface going to own ip address is valid
iptables -A INPUT -i eth1 -s 0.0.0.0/0 -d $DHCP_IP/32 -j ACCEPT
# loopback interface is valid
iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#
## Outgoing
# local interface, any source, to local network is valid
iptables -A OUTPUT -o eth0 -s 0.0.0.0/0 -d $INTERNAL_NETWORK -j ACCEPT
# deny any outgoing to local net from external interface
iptables -A OUTPUT -o eth1 -s 0.0.0.0/0 -d $INTERNAL_NETWORK -j DROP
# anything else outgoing is valid
iptables -A OUTPUT -o eth1 -s $DHCP_IP/32 -d 0.0.0.0/0 -j ACCEPT
# loopback is valid
iptables -A OUTPUT -o lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
## Allow all remaining packets out of our network
iptables -A FORWARD -m state --state NEW -i eth1 -s $DHCP_IP -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o eth1 -s $DHCP_IP -j ACCEPT
# Allow associated packets back in
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -s ! $DHCP_IP -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth1 -s ! $DHCP_IP -j ACCEPT
# catchall (unnecessary using the default ACCEPT but I'm still
# working on this firewall!)
#iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG --log-level warning --log-prefix "Disallowed OUTPUT"
# catchall
#iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j LOG --log-level warning --log-prefix "Disallowed INPUT"
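Editor's note on the FORWARD chain above, with an added example that is not part of the original post. In the posted script the only rule that lets a new connection leave the LAN is the rate-limited `--syn -m limit --limit 1/s -j ACCEPT` rule: the "Allow all remaining packets out" rule is written as `-i eth1 -s $DHCP_IP` (a packet arriving from the cable modem carrying the router's own address, which never happens), and the ESTABLISHED,RELATED rule only matches `-i eth1`. So the client's SYN goes out via the limit rule, the SYN/ACK comes back and is accepted by the `-i eth1` ESTABLISHED rule, but the client's final ACK and every data segment after it travel eth0 -> eth1, match nothing, and fall to the FORWARD DROP policy. The client stack has already reported "Connected" on seeing the SYN/ACK, the remote end never gets the ACK and eventually gives up, which is the connect-then-hang the post describes. The minimal stateful ruleset below accepts conntrack-known traffic in both directions and restricts NEW connections to eth0 -> eth1. It is written in sh rather than tcsh, reuses the interface names and 192.168.0.0/24 from the post, assumes iptables lives at /sbin/iptables (override with IPT=...), and the file name fw.sh is just a placeholder:

```shell
#!/bin/sh
# Added example (not the poster's script): a minimal stateful FORWARD/NAT
# ruleset for the topology in the post, eth0 = 192.168.0.0/24 inside,
# eth1 = cable-modem side with MASQUERADE. "sh fw.sh print" shows the
# rules without touching the kernel; "sh fw.sh apply" (as root) loads them.

INTERNAL_NETWORK="192.168.0.0/24"
IPT="${IPT:-/sbin/iptables}"   # path assumed; override with IPT=... if different
DRY_RUN="${DRY_RUN:-}"         # non-empty: print rules instead of loading them

# Run one iptables command, or echo it when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

nat_rules() {
    # Rewrite the source address of everything leaving via the cable modem.
    ipt -t nat -A POSTROUTING -o eth1 -j MASQUERADE
}

forward_rules() {
    ipt -P FORWARD DROP
    # 1. Anything conntrack already knows about, in EITHER direction. The
    #    posted script accepted ESTABLISHED,RELATED only with "-i eth1", so
    #    the LAN client's own ACK and data (eth0 -> eth1) hit the DROP policy.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Anti-spoofing: packets from the LAN must carry a LAN source address.
    ipt -A FORWARD -i eth0 ! -s "$INTERNAL_NETWORK" -j DROP
    # 3. New connections are allowed only from the LAN towards the modem.
    #    (The post's NEW rule said "-i eth1 -s $DHCP_IP", which nothing matches.)
    ipt -A FORWARD -m state --state NEW -i eth0 -o eth1 -s "$INTERNAL_NETWORK" -j ACCEPT
    # 4. Nothing new arriving from the modem side is forwarded to the LAN.
    ipt -A FORWARD -m state --state NEW -i eth1 -j DROP
}

case "${1:-}" in
    apply) nat_rules; forward_rules ;;
    print) DRY_RUN=1; nat_rules; forward_rules ;;
esac
```

Two points worth carrying back to the original script: `! -s` is the form current iptables accepts (the older `-s !` spelling in the post was still understood by the 1.2.x releases of that era), and a `-m limit ... -j ACCEPT` rule is a ceiling, not a permit; on its own it accepts the first few SYNs per second in either direction and lets the rest fall through, so if the flood-protection rules are kept they should be followed by a matching `-j DROP` and the real outbound permit should be the stateful NEW rule.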