LeRoy Cressy on Thu, 6 Feb 2003 17:10:05 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ziegler, Scott wrote:
> I am trying to set up a Linux workstation (Slackware 8 with 2.4.18
> kernel) to tie a local network (192.168.x.x) of XP machines to our
> corporate network. The Linux machine has a hard-coded IP address and
> it works on the network as far as telnet, ssh, browsing, etc. We need
> to have network connectivity from the XP (for all of those M$ updates)
> machines through the Linux machine.

How much do you want to protect your M$ boxes, since they are the most
vulnerable to attack? If you really are concerned about security then
you might want to patch the kernel source with the IP tables source.
For instance, the string match can prevent email that has known viruses
from getting to your windows boxes. Also you might want to set up the
linux box as a router. Since you are using the linux box as a firewall,
do you really want loadable module support?

#! /bin/bash

# Snippets only: the "block" chain is created elsewhere in the full script
# (iptables -N block) and referenced from INPUT/FORWARD, and $RealIP holds
# the box's hard-coded corporate address.

# Keep forwarding off while the rules are loaded.
echo 0 > /proc/sys/net/ipv4/ip_forward

################################################################
# Block known current viruses
# The "string" match comes from the iptables kernel patches, not the
# stock 2.4 kernel. Log a hit at most once an hour, then drop it.
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
    -m string --string "default.ida" -m limit --limit 1/hour \
    -j LOG --log-prefix "CodeRed virus "
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED \
    -m string --string "default.ida" -j DROP
################################################################

# allow everything from a trusted lan
#
# iptables -A block -m state --state NEW -i eth1 -m limit --limit 1/hour \
#     -j LOG --log-level info --log-prefix "Accepted Packets from eth1 "
iptables -A block -m state --state NEW -i eth1 -j ACCEPT

# Source-NAT only the selected services going out of eth0.
# Note: 192.168.1.0/16 (ports 25 and 465, and icmp) is normalised by
# iptables to 192.168.0.0/16, a wider match than the /24 on the others.
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 20 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 21 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 22 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 \
    --dport 25 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 \
    --dport 465 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 192.168.1.0/16 \
    -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 43 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 37 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 9412 -j SNAT --to $RealIP
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \
    --dport 11371 -j SNAT --to $RealIP

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
These were some code snippets from my firewall. I personally do not like
the idea of masquerading, which allows everything. With SNAT you can
specify what packets you want routed through the firewall.

I have tried several variations of iptables configurations and it
appears that I still have some NAT problems. On a ping test I appear to
have name resolution, but I don't get any acknowledgements, and the
browser cannot load any pages. I have rebuilt the kernel with the
following modules:

    CONFIG_IP_ADVANCED_ROUTER
    CONFIG_IP_NF_IPTABLES
    CONFIG_IP_NF_FILTER
    CONFIG_IP_NF_NAT
    CONFIG_IP_NF_NAT_NEEDED
    CONFIG_IP_NF_TARGET_MASQUERADE
    CONFIG_IP_NF_TARGET_REDIRECT
    CONFIG_IP_NF_FTP
    CONFIG_IP_NF_MANGLE

-- 
Rev. LeRoy D. Cressy                  mailto:leroy@lrcressy.com
  /\_/\                               http://lrcressy.com
 ( o.o )                              Phone: 215-535-4037
  > ^ <    gpg fingerprint: 62DE 6CAB CEE1 B1B3 359A 81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life: no man
cometh unto the Father, but by me. (John 14:6)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQE+QtzLP+/m2oUBr+oRAurqAJ0RGzJTPzwNrogvjApA55whesaAjgCfVeLr
PYU17eH0T2MUiPHdoD1s+Yg=
=ta/m
-----END PGP SIGNATURE-----

_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
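Added example, not code from the original post: a complete rule set built along the same lines as the snippets above (only selected services may cross the box, forwarding stays off while the tables are rebuilt), with a dry-run mode so it can be reviewed and tested on a machine without root or iptables. The interface names, LAN subnet and RealIP value are placeholders I chose, not the poster's; the service list is the poster's plus port 53 for name resolution and 80/443 so the XP machines can reach Windows Update, which is the thread's goal. The selection of what crosses the box is done in the filter table (FORWARD -> block), and the nat table then needs a single SNAT rule for whatever the filter let through.

```shell
#!/bin/sh
# Added example, not code from the original post. A complete rule set in the
# spirit of the snippets above, with a dry-run mode so it can be reviewed and
# tested on a machine without root or iptables. Interface names, the LAN
# subnet and RealIP are placeholders (assumptions), not the poster's values.

WAN="${WAN:-eth0}"                      # corporate side, hard-coded address
LAN="${LAN:-eth1}"                      # the XP machines
LANNET="${LANNET:-192.168.1.0/24}"
RealIP="${RealIP:-198.51.100.10}"       # documentation address as placeholder
DRYRUN="${DRYRUN:-1}"                   # 1: print commands, 0: execute (root)

# Services the LAN may reach through the box: the poster's list, plus 53 for
# name resolution and 80/443 so the XP boxes can reach Windows Update.
TCP_PORTS="20 21 22 25 37 43 53 80 443 465 9412 11371"
UDP_PORTS="53 123"

# All commands go through these two wrappers; in dry-run mode they are
# printed instead of executed.
ipt() {
    if [ "$DRYRUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}
ip_forward() {
    if [ "$DRYRUN" = 1 ]; then
        echo "echo $1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    fi
}

fw_rules() {
    # Forwarding stays off until the whole table is in place, so nothing
    # crosses the box through a half-built ruleset.
    ip_forward 0
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # What may cross the box is decided in the filter table (FORWARD -> block).
    # Only packets that get through it reach the nat table, so one SNAT rule
    # is enough there.
    ipt -N block
    ipt -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A block -m state --state INVALID -j DROP
    for p in $TCP_PORTS; do
        ipt -A block -i "$LAN" -o "$WAN" -p tcp -s "$LANNET" --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        ipt -A block -i "$LAN" -o "$WAN" -p udp -s "$LANNET" --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    ipt -A block -i "$LAN" -o "$WAN" -p icmp -s "$LANNET" \
        --icmp-type echo-request -j ACCEPT
    ipt -A block -m limit --limit 1/hour -j LOG --log-prefix "FWD-drop:"
    ipt -A FORWARD -j block

    # Traffic to the box itself: loopback, replies, and ssh from the LAN.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN" -p tcp -s "$LANNET" --dport 22 -m state --state NEW -j ACCEPT

    # Rewrite the source of everything FORWARD accepted to the real address.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LANNET" -j SNAT --to-source "$RealIP"

    ip_forward 1
}

# Count matching lines in the dry-run output (used to check the rule set).
count_rules() { fw_rules | grep -c -- "$1"; }

if [ "${1:-}" = "--apply" ]; then DRYRUN=0; fi
fw_rules
```

Run it with no arguments to print the rule set for review; `--apply` as root loads it. Rules are appended in the order printed, so the ESTABLISHED,RELATED accept sits before the per-port NEW rules and return traffic never has to match a port.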