Some ruleset-related questions
Marecki
Marek Szuba <cyberman@if.pw.edu.pl>
Mon, 11 Jun 2001 01:22:21 +0200 (MET DST)
Hello,
Having finally got enough time and being really impressed by the potential
of netfilter, I decided to rewrite my firewall/IPMasq rules from ipchains
to iptables. With a little help from the HOWTOs I've managed to come up
with a working equivalent of the old ruleset; however, due to some effects
I've noticed and small bits of information I found missing in the docs,
I've decided to post my questions:
1. While the configuration I've come up with provides both filtering and
SNAT, it seems that it doesn't operate exactly as intended: my logs started
to fill with log strings similar to this one: "IN=ppp0 OUT= MAC=
SRC=11.12.13.14 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1607 DF
PROTO=TCP SPT=80 DPT=49572 WINDOW=32120 RES=0x00 ACK SYN URGP=0", which
happen when one of the masqueraded LAN boxes accesses the mentioned
machine and service (e.g. here it would be 11.12.13.14 www) - but not
always, some connections leave no such traces. It doesn't affect only TCP
packets, I got an UDP one (coming from my ISP's DNS' port 53) logged as
well. Nevertheless everything seems to work fine.
Did I block too much or do some servers just send incorrectly-shaped
packets? Or perhaps, however unlikely it may be, something is wrong with
connection tracking?
2. Speaking of logging, I'm not quite sure what happens to the packets
after they get logged via the LOG target; it seems to get the chain's
policy applied... right? In that case, how should I set everything up to
e.g. log & accept a packet when the policy is to drop? Note that the
ruleset below doesn't cause any need for that (it used to, but not anymore
thanks to conntrack), I'm just curious.
3. ipchains' log entries used to have a field which informed me which rule
got the packet logged. Is there anything like that among netfilter's
log data?
4. Last but not least: any comments regarding the ruleset (redundant
rules, missing rules, flawed rules etc., skipping only organising it all
into subchains which I intend to introduce later) would be strongly
appreciated. The box this stuff was designed for should provide SNAT for
a LAN along with full Internet access but no entry points from the outside
(even blocking pings).
Here goes the ruleset:
extip="1.2.3.4"
extint="ppp0"
intnet="192.168.7.0/24"
intint="eth0"
#
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
fi
#############################################################################
# * filter table *
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -t filter -A INPUT -i $intint -m state --state NEW -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $extint -p icmp --icmp-type echo-request -j DROP
/sbin/iptables -t filter -A INPUT -p tcp -d $extip/32 --dport auth -j REJECT --reject-with tcp-reset
/sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A INPUT -i dummy -j ACCEPT
/sbin/iptables -t filter -A INPUT -m limit -j LOG
#
/sbin/iptables -t filter -F FORWARD
/sbin/iptables -t filter -P FORWARD DROP
/sbin/iptables -t filter -A FORWARD -m state --state INVALID -j DROP
/sbin/iptables -t filter -A FORWARD -i $intint -j ACCEPT
/sbin/iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t filter -A FORWARD -j DROP
#
/sbin/iptables -t filter -F OUTPUT
/sbin/iptables -t filter -P OUTPUT DROP
/sbin/iptables -t filter -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -t filter -A OUTPUT -o $intint -d $intnet -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o $extint -d $intnet -j DROP
/sbin/iptables -t filter -A OUTPUT -o $extint -s $intnet -j DROP
/sbin/iptables -t filter -A OUTPUT -o $extint -p icmp --icmp-type echo-reply -j DROP
/sbin/iptables -t filter -A OUTPUT -o $extint -s $extip/32 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o dummy -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -m limit -j LOG
#############################################################################
# * nat table *
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
/sbin/iptables -t nat -A POSTROUTING -o $extint -s $intnet -j SNAT --to $extip
#############################################################################
# * mangle table *
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t mangle -A OUTPUT -p tcp -s $extip/32 --dport ssh -j TOS --set-tos Minimize-Delay
/sbin/iptables -t mangle -A OUTPUT -p tcp -s $extip/32 --dport ftp -j TOS --set-tos Minimize-Delay
/sbin/iptables -t mangle -A OUTPUT -p tcp -s $extip/32 --dport www -j TOS --set-tos Minimize-Delay
#############################################################################
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
--
Many thanks,
Marek Szuba
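An added example in Python, not part of the post, that reads netfilter LOG lines like the one quoted in question 1: it recovers the chain from the IN=/OUT= fields (OUT= empty means the packet was on the INPUT path), reads the bare TCP flag words (ACK SYN marks a SYN/ACK reply), and picks up the tag a rule sets with the LOG target's --log-prefix option, which is the per-rule marker asked about in question 3. The sample lines and the "INPUT-tail:" prefix are constructed.

```python
# Constructed sample lines in the netfilter LOG target's format, modelled on
# the one quoted in the post. The "INPUT-tail:" tag on the third line is an
# assumption: what a rule given '--log-prefix "INPUT-tail: "' would emit.
SAMPLE_LOG = """\
IN=ppp0 OUT= MAC= SRC=11.12.13.14 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1607 DF PROTO=TCP SPT=80 DPT=49572 WINDOW=32120 RES=0x00 ACK SYN URGP=0
IN=ppp0 OUT= MAC= SRC=11.12.13.53 DST=1.2.3.4 LEN=76 TOS=0x00 PREC=0x00 TTL=57 ID=40012 PROTO=UDP SPT=53 DPT=1029 LEN=56
INPUT-tail: IN=ppp0 OUT= MAC= SRC=5.6.7.8 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=5 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Bare words the LOG target prints without a '=' (IP and TCP flags).
FLAG_WORDS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

def parse_log_line(line):
    """Split one LOG line into its prefix, key=value fields and flag words."""
    idx = line.find("IN=")
    if idx < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields, flags = {}, set()
    for tok in line[idx:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)  # UDP lines repeat LEN=; keep the IP one
        elif tok in FLAG_WORDS:
            flags.add(tok)
    return {"prefix": line[:idx].strip(), "fields": fields, "flags": flags}

def classify(rec):
    """Work out which filter chain logged the packet and what kind it is."""
    f, fl = rec["fields"], rec["flags"]
    if f.get("IN") and not f.get("OUT"):
        chain = "INPUT"      # arrived on an interface, destined to this host
    elif f.get("IN") and f.get("OUT"):
        chain = "FORWARD"    # arrived on one interface, leaving on another
    else:
        chain = "OUTPUT"     # generated locally
    kind = f.get("PROTO", "?")
    if kind == "TCP":
        if {"SYN", "ACK"} <= fl:
            kind = "TCP SYN/ACK (reply to a connection attempt)"
        elif "SYN" in fl:
            kind = "TCP SYN (new connection attempt)"
        else:
            kind = "TCP mid-stream"
    return {"chain": chain, "kind": kind, "rule": rec["prefix"] or "(no --log-prefix)",
            "src": "%s:%s" % (f.get("SRC"), f.get("SPT")),
            "dst": "%s:%s" % (f.get("DST"), f.get("DPT"))}

def summarise(text):
    return [classify(parse_log_line(l)) for l in text.splitlines() if l.strip()]
```

Run summarise() over a syslog excerpt (after stripping the syslog timestamp and "kernel:" prefix) to see, per line, the chain, the packet kind and which prefixed rule logged it.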