Bad Filter Set?
Dan Egli
dan@shortcircuit.dyndns.org
Tue, 12 Nov 2002 16:31:40 -0700 (MST)
On Mon, 11 Nov 2002, Anders Fugmann wrote:
> Dan Egli wrote:
> >
> > 1) Block all ports EXCEPT:
> > FTP, SSH, TELNET (yes there is a reason for telnet!), SMTP, DNS, NNTP, NTP,
> > ROUTED (520), PRINTER (515), POP3, IMAP, HTTP, HTTPS, and ports 4000 & 5000
> > (special programs run on those ports and they need to be open).
> You do realize that many of these protocols are very insecure, and
> should not be opened to the public. Also, do you really want to allow
> everyone (on the intra- and inter-net) to use your printers?
Ok. This is true, so let me clarify. The INTERNAL net should have access
to all those. The EXTERNAL side needs:
SMTP, FTP, TELNET, SSH, 4000 & 5000
>
> >
> > 2) Forward Inbound traffic from port 5000 to IP 192.168.0.5. Should be a
> > Transparent NAT (If I hit 192.168.0.1 port 5000, then the firewall forwards
> > it to 192.168.0.5 5000, and any packets sent from 192.168.0.5:5000 [which
> > would only be in reply to an inbound packet] should appear as coming from
> > 192.168.0.1:5000). Here's a basic setup of the machine so you have that to
> > go on:
> This is impossible. A machine with IP 192.168.0.6 cannot be redirected
> to 192.168.0.5 through 192.168.0.1. But in the example below, all
> connections to 64.122.31.38:5000 (through eth1) will be redirected to
> 192.168.0.5.
That is what I wanted. On the internal side all machines will have access
to the 192.168.0.5 machine directly, no need for NAT. It was only for
external that this was needed.
> >
> > EXTERNAL IP: 64.122.31.38 on eth1
> > internal IP: 192.168.0.1 on eth0
> >
> > 3) Perform basic IP Masquerading for unlisted machines on the 192.168.0.x
> > net. So if a machine addressed as 192.168.0.26 requests www.yahoo.com, it
> > goes in from eth0, then goes out eth1 as from eth1's address, and the return
> > comes in eth1 and goes back out eth0 to the correct machine.
> >
> > 4) Log any blocked traffic in the syslog.
> >
> > Your help is greatly appreciated!
> >
> Here are your rules. I have not tested them, so minor changes may be
> necessary.
> --------------------------------
>
> # Set default policies.
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> # Flush all tables.
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> # Table names are case-sensitive: "nat", not "NAT".
> iptables -t nat -F PREROUTING
> iptables -t nat -F POSTROUTING
> iptables -t nat -F OUTPUT
>
> # Ports given numerically: uppercase service names (and "ROUTED") do not
> # resolve via /etc/services. DNS, NTP and RIP (520) are UDP, so a matching
> # "-p udp" rule is needed for those; this one only covers TCP.
> iptables -A INPUT -p tcp -m multiport --dports \
> 25,53,119,123,520,515,110,143,80,443,4000,5000 -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -j LOG
>
> iptables -A FORWARD -i eth0 -j ACCEPT
> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> # DNATed packets still traverse FORWARD; with policy DROP they need an
> # explicit ACCEPT or the port-5000 redirect below never reaches 192.168.0.5.
> iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.0.5 --dport 5000 -j ACCEPT
> iptables -A FORWARD -j LOG
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5000 \
> -j DNAT --to-destination 192.168.0.5:5000
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 64.122.31.38
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> -------------------------
>
> Regards
> Anders Fugmann
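As an added example that is not part of the thread (it is neither Dan's setup nor Anders' rule set), here is a POSIX sh script that implements the policy as Dan clarified it: hosts on eth0 reach every listed service, hosts on eth1 reach only SMTP, FTP, TELNET, SSH, 4000 and 5000, inbound port 5000 on eth1 is DNATed to 192.168.0.5, everything else from eth1 is logged (rate-limited, with a prefix so syslog entries are easy to grep) and dropped. Interfaces and addresses are the ones quoted in the thread; the script assumes a Linux box with iptables and the state, multiport and limit matches, and the port numbers are the standard ones for the named services. Rule generation is separated from execution so the set can be printed and reviewed without root.

```shell
#!/bin/sh
# Added example firewall script for the topology discussed on the list.
# Values below are the ones quoted in the thread; everything else is an
# assumption of this example, not of the original posters.
EXT_IF=eth1
INT_IF=eth0
EXT_IP=64.122.31.38
INT_NET=192.168.0.0/24
PORT5000_HOST=192.168.0.5

# Numeric ports: uppercase service names such as SMTP or ROUTED would not
# resolve through /etc/services. multiport accepts at most 15 ports per rule.
INT_TCP_PORTS=21,22,23,25,53,119,515,110,143,80,443,4000,5000
INT_UDP_PORTS=53,123,520
EXT_TCP_PORTS=21,22,23,25,4000,5000

# Emit the rule set as plain iptables command lines (one per line).
build_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $EXT_IF -s $INT_NET -j DROP
iptables -A INPUT -i $INT_IF -s $INT_NET -p tcp -m multiport --dports $INT_TCP_PORTS -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_NET -p udp -m multiport --dports $INT_UDP_PORTS -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp -m multiport --dports $EXT_TCP_PORTS -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $PORT5000_HOST --dport 5000 -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 5000 -j DNAT --to-destination $PORT5000_HOST:5000
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP
EOF
}

# Sanity check: number of rules that match on the external interface
# (one INPUT accept, one anti-spoof drop, one FORWARD accept, one PREROUTING DNAT).
count_ext_rules() {
    build_rules | grep -c -- "-i $EXT_IF"
}

# Apply the generated rules (requires root) and enable forwarding.
apply_rules() {
    build_rules | sh -e && echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: sh fw.sh        -> print the rule set for review
#        sh fw.sh apply  -> install it (as root)
case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Two points worth noting in the design: the anti-spoofing rule drops anything arriving on eth1 that claims an internal source address, and the DNAT for port 5000 only works because FORWARD has a matching ACCEPT for the rewritten destination; the reverse translation (replies appearing from 64.122.31.38:5000) is handled by connection tracking without a separate rule.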