LeRoy Cressy on Thu, 6 Feb 2003 17:10:05 -0500



Re: [PLUG] iptables and NAT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Ziegler, Scott wrote:
> I am trying to setup a Linux workstation (Slackware 8 with 2.4.18 kernel) to
> tie a local network (192.168.x.x) of XP machines to our corporate network.
> The Linux machine has a hard coded IP address and it works on the network as
> far as telnet, ssh, browsing, etc. We need to have network connectivity from
> the XP (for all of those M$ updates) machines through the Linux machine.


How much do you want to protect your M$ boxes, since they are the most vulnerable to attack? If you really are concerned about security then you might want to patch the kernel source with the iptables source. For instance, the string match can prevent email that has known viruses from getting to your Windows boxes.


Also, you might want to set up the Linux box as a router. Since you are using the Linux box as a firewall, do you really want loadable module support?

#! /bin/bash

# Turn routing off while the rules are (re)loaded
echo 0 > /proc/sys/net/ipv4/ip_forward

# RealIP is the public address on eth0; it is set earlier in the full
# firewall script and is not part of these snippets.
# The user-defined chain "block" is created by the full script before
# anything is appended to it; shown here so the snippets run on their own.
iptables -N block

################################################################
# Block known current viruses
#
# The string match is not in the stock 2.4 kernel; it comes from the
# netfilter patch-o-matic kernel patches mentioned above.

iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
    -m string --string "default.ida" -m limit --limit 1/hour \
    -j LOG --log-prefix "CodeRed virus "
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
    -m string --string "default.ida" -j DROP


################################################################


###########################################
#                                         #
#                  LAN                    #
#                                         #
###########################################

# allow everything from a trusted lan
# iptables -A block -m state --state NEW -i eth1 -m limit --limit 1/hour \
#     -j LOG --log-level info --log-prefix "Accepted Packets from eth1 "
iptables -A block -m state --state NEW -i eth1 -j ACCEPT



###########################################
#                                         #
#                  NAT                    #
#                                         #
###########################################


iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING


# Set up the ip forwarding for the local network to get to the outside:
# (the source masks below mix /24 and /16; note that 192.168.1.0/16 is
# the same match as 192.168.0.0/16, i.e. the whole private /16)

iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 20 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 21 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 22 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 \
    --dport 25 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 \
    --dport 465 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 192.168.1.0/16 \
    -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 43 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 37 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 9412 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 11371 -j SNAT --to $RealIP


# Turn on IP forwarding now that the rules are loaded
echo 1 > /proc/sys/net/ipv4/ip_forward


#####################################################

These were some code snippets from my firewall. I personally do not like the idea of masquerading, which allows everything. With SNAT you can specify what packets you want routed through the firewall.


> I have tried several variations of iptables configurations and it appears
> that I still have some NAT problems. On a ping test I appear to have name
> resolution, but I don't get any acknowledgements and the browser cannot load
> any pages. I have rebuilt the kernel with the following modules:
> CONFIG_IP_ADVANCED_ROUTER
> CONFIG_IP_NF_IPTABLES
> CONFIG_IP_NF_FILTER
> CONFIG_IP_NF_NAT
> CONFIG_IP_NF_NAT_NEEDED
> CONFIG_IP_NF_TARGET_MASQUERADE
> CONFIG_IP_NF_TARGET_REDIRECT
> CONFIG_IP_NF_FTP
> CONFIG_IP_NF_MANGLE
>
> Our public interface is eth0 and the private is eth1. eth1 is up and running
> with an entry in the route table.
>
> I have followed several tutorials from web sites and books without success.
> Also, when I configure the iptables, the Linux machine can no longer browse
> the internet from the console.
>
> The configuration I have most recently used is:
> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
> iptables --append FORWARD --in-interface eth1 -j ACCEPT
>
> The references I have used are:
> http://www.yolinux.com/TUTORIALS/LinuxTutorialNetworking.html#ADDNIC
> http://www.netfilter.org/unreliable-guides/NAT-HOWTO/
> Linux Firewalls by Robert L. Ziegler
>
>
> One thing that has not been very clear is if I need to setup ipchains. The
> yolinux reference shows the setting of ipchains but none of the other
> references talk about using ipchains.
>
> I would appreciate any help or suggestions.
> Thanks
> Scott Ziegler
>
>
> <<Ziegler, Scott.vcf>>
>
>
> ------------------------------------------------------------------------------
> Notice: This e-mail message, together with any attachments, contains information of Merck & Co., Inc. (Whitehouse Station, New Jersey, USA) that may be confidential, proprietary copyrighted and/or legally privileged, and is intended solely for the use of the individual or entity named on this message.  If you are not the intended recipient, and have received this message in error, please immediately return this by e-mail and then delete it.
>
> ==============================================================================


- -- 
Rev. LeRoy D. Cressy   mailto:leroy@lrcressy.com     /\_/\
http://lrcressy.com                                  ( o.o )
Phone: 215-535-4037                                   > ^ <


gpg fingerprint:  62DE 6CAB CEE1 B1B3 359A  81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQE+QtzLP+/m2oUBr+oRAurqAJ0RGzJTPzwNrogvjApA55whesaAjgCfVeLr
PYU17eH0T2MUiPHdoD1s+Yg=
=ta/m
-----END PGP SIGNATURE-----

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
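As an added example, not code from either poster in this thread: a complete, minimal gateway ruleset for the setup Scott describes (public eth0, private eth1, a static public address). It shows the pieces that a bare MASQUERADE plus "FORWARD -i eth1 ACCEPT" pair does not cover once the box is locked down: a FORWARD rule for the return half of every permitted connection, INPUT rules so the gateway itself can still reach the Internet, and ip_forward turned on only after the rules are loaded. Policy about which services the LAN may reach lives in the FORWARD chain, so the nat table needs a single SNAT rule; MASQUERADE is the drop-in replacement for a dynamic public address. The interface names, the 192.168.1.0/24 LAN prefix, the public address 203.0.113.10 (an RFC 5737 documentation address) and the port list are assumptions. The IPT variable lets the whole set be previewed with "sh gateway.sh preview" before it is applied as root with "sh gateway.sh apply".

```shell
#!/bin/sh
# Added example, not code from the original post. Minimal NAT gateway ruleset
# for a box with a public interface (WAN) and a private one (LAN).
# Assumptions: the interface names, LAN prefix, public address and port list below.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
REAL_IP="${REAL_IP:-203.0.113.10}"   # static public address on $WAN (RFC 5737 documentation range)
IPT="${IPT:-iptables}"               # IPT=echo prints the rules instead of loading them

# Every rule goes through this wrapper so the whole set can be previewed.
rule() { "$IPT" "$@"; }

gateway_rules() {
    # 1. Start from a clean, default-deny filter table. OUTPUT stays open:
    #    the gateway is trusted to originate its own traffic.
    rule -F
    rule -t nat -F
    rule -X
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # 2. Keep the gateway itself usable: loopback, replies to its own
    #    connections (so it can still browse from the console), and ssh
    #    from the LAN side only.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 3. Forwarding policy. The first rule carries the return half of every
    #    permitted connection; without it replies are dropped here and LAN
    #    hosts see connections hang. Then the services the LAN may open.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 80 443 25 53; do   # web, mail to the corporate relay, DNS over tcp
        rule -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    rule -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --dport 53 -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    rule -A FORWARD -m state --state NEW -m limit --limit 1/min -j LOG --log-prefix "FORWARD dropped: "

    # 4. Address translation. One rule is enough because the decision about
    #    which traffic may leave was already made in FORWARD. With a dynamic
    #    public address replace the target with: -j MASQUERADE
    rule -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$REAL_IP"
}

# Print the ruleset without touching the kernel (gateway_rules with IPT=echo, in a subshell).
preview_rules() { ( IPT=echo; gateway_rules ); }

# Load the rules, then enable routing only once they are in place.
apply_rules() {
    gateway_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    preview) preview_rules ;;
    apply)   apply_rules ;;
esac
```

The preview output is the exact argument list each iptables call receives, which is the quickest way to catch a typo in a mask or a missing state rule before the box stops forwarding. In the 2.4 series the state match also needs ip_conntrack loaded (CONFIG_IP_NF_CONNTRACK, pulled in by the NAT option).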