No Internet Connection

Giancarlo Boaron gboaron at yahoo.com.br
Fri Sep 10 16:49:01 CEST 2004


Ok. So that's my super mega power iptables script I'm
testing for my internet server.

I already put the DHCP rules (my ISP doesn't have a
fixed IP address for the DHCP server. They are always
changing it... don't ask me why) but I didn't test it
yet.

I developed this script using the very good classic
idea: block everything and allow just what I want.

So, this internet server will be a firewall (as soon
as this script works), making NAT (with MASQUERADING).
I also have the SQUID for proxing and caching. 

Some users in my LAN have free pass for everything
while the rest of my users just can connect to the
mail servers (POP and SMTP) and a few users can
connect to ICQ, Messenger, etc (I really don't like
this idea, but I have to do it).

I don't use any authentication method based on user
and password. Instead, I use rules based on the MAC
address for the computers with free pass. (Ok. I know
it isn't a very safe aproach).

So, here goes my script:

INET_IP=`ifconfig eth0 | grep inet | cut -d : -f 2 |
cut -d ' ' -f 2`
INET_IFACE="eth0"

LAN_IP="192.168.0.41"
LAN_IP_RANGE="192.168.0.0/24"
LAN_IFACE="eth1"

LO_IFACE="lo"
LO_IP="127.0.0.1"

Mac1="00:e0:18:3b:af:78"
Mac2="00:50:04:9c:42:23"
Mac3="00:0e:a6:bd:e7:7f"
Mac4="00:c0:df:a5:0c:a5"

IPTABLES="/usr/sbin/iptables"

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_REJECT
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -F
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -N tcp_invalidos

$IPTABLES -A tcp_invalidos -p tcp --tcp-flags SYN,ACK
SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A tcp_invalidos -p tcp ! --syn -m state
--state NEW -j LOG \
--log-prefix "Novo nao SYN:"
$IPTABLES -A tcp_invalidos -p tcp ! --syn -m state
--state NEW -j DROP

$IPTABLES -A OUTPUT -p tcp -j tcp_invalidos

$IPTABLES -A OUTPUT -p udp --sport 68 --dport 67 -j
ACCEPT

$IPTABLES -A OUTPUT -p all -m state --state
ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 80 -s $INET_IP -o
$INET_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -s $INET_IP -o
$INET_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -s $INET_IP -o
$INET_IFACE -j ACCEPT

# ICQ:
$IPTABLES -A OUTPUT -p tcp -d 64.12.163.197 -o
$INET_IFACE -j ACCEPT

$IPTABLES -A INPUT -p tcp -j tcp_invalidos

$IPTABLES -A INPUT -p udp --sport 67 --dport 68 -j
ACCEPT

$IPTABLES -A INPUT -p ALL -m state --state
ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# SQUID:
$IPTABLES -A INPUT -i $LAN_IFACE -p tcp --dport 80 -j
ACCEPT

$IPTABLES -A FORWARD -p tcp -j tcp_invalidos

$IPTABLES -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -m mac --mac-source $Mac1 -j
ACCEPT

$IPTABLES -A FORWARD -m mac --mac-source $Mac2 -j
ACCEPT

$IPTABLES -A FORWARD -m mac --mac-source $Mac3 -j
ACCEPT

$IPTABLES -A FORWARD -m mac --mac-source $Mac4 -j
ACCEPT

$IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT

$IPTABLES -A FORWARD -d <my pop server> -p tcp --dport
110 \
-i $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -d <my smtp server> -p tcp
--dport 25 \
-i $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE
-j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE
-j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -i $LAN_IFACE
-j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT
--to-source $INET_IP

That's it. Another question: When I configure this
script to run automatically after rebooting the
server, I receive this error message (3 times): "Bad
argument eth0" so the script doesn't work, neither my
Internet access from my LAN and I can't find where is
the error.

However, after rebooting the server and loggin in as
root, I can run the script from command line. It works
and my LAN can access the Internet during that short
time (about 20 minutes. However, I didn't test the
DHCP rules to ckeck if it continues to happen).

Regards
Giancarlo



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



More information about the netfilter mailing list