# IPtables

## cold

I just got my wireless NIC working  :Smile: 

but now I have a problem with my firewall

I can ping www.gentoo.org

but when I try to open the page on my client

it hangs at "Website Found, Waiting for Reply"  :Sad: 

this is my firewall:

Can someone tell me what I am doing wrong?

```
#!/bin/sh

# Masquerading firewall (reasonably secure)
#
# A reasonably secure masquerading firewall that lets the whole LAN behind
# it reach the internet. The default policy is set to 'deny everything',
# after which holes are punched in the firewall. Only the variables need to
# be adapted to the environment.
#
# Released under the GPL, copyright 2001, Bart Geverts.

############################################################################
# variables

## variables that must be adapted to the environment

# path to iptables
IPTABLES="/sbin/iptables"

# interfaces (adapt to your own environment)
# interface connecting the gateway to the local network
INTERNAL_INTERFACE="eth0"
INT="eth0"
WLAN_INTERFACE="wlan0"
# interface connecting the gateway to the internet
EXTERNAL_INTERFACE="ppp0"

# ip addresses / networks
LAN="192.168.0.0/24"        # local network (adapt to your own environment)
WLAN="10.10.10.0/24"        # wireless network; a /3 prefix here would be
                            # masked to 0.0.0.0/3 and match almost any address

# miscellaneous
MASQ="yes"
HTTP_SERVER="no"
FTP_SERVER="no"
SSH_SERVER="yes"
NAME_SERVER="no"
SMTP_SERVER="no"
TELNET_SERVER="no"
LOG="yes"
WEBMIN="yes"

## variables that must NOT be changed

#${IPTABLES} -A FORWARD -i ppp0 -o eth0 -p tcp --dport 4662 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#${IPTABLES} -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to 192.168.0.2
#${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
#              --source-port ${UNPRIVPORTS} \
#              --destination-port 90 -j ACCEPT
#
#${IPTABLES}  --table nat  -A PREROUTING  -i ppp0  -p tcp --dport 90  -j DNAT --to 192.168.0.2

# interfaces
LOOPBACK_INTERFACE="lo"    # loopback interface

# ip addresses / networks
ANYWHERE="0.0.0.0/0"        # every ip address falls within this
LOOPBACK="127.0.0.1"        # ip address of localhost
CLASS_A="10.0.0.0/8"        # class A private network
CLASS_B="172.16.0.0/12"     # class B private network
CLASS_C="192.168.0.0/24"    # class C private network (the RFC 1918 block is
                            # 192.168.0.0/16; only this /24 is filtered here)

# ports (note: the split is at 5000, not at the conventional 1024)
PRIVPORTS="0:5000"
UNPRIVPORTS="5000:65535"

############################################################################
# clean-up + init

# flush and clear all rules and zero the counters
${IPTABLES} -F
${IPTABLES} -X
${IPTABLES} -Z
${IPTABLES} -t nat -F
${IPTABLES} -t nat -X
${IPTABLES} -t nat -Z

# set the default policies
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT DROP
${IPTABLES} -t nat -P PREROUTING ACCEPT
${IPTABLES} -t nat -P POSTROUTING ACCEPT
${IPTABLES} -t nat -P OUTPUT ACCEPT

############################################################################
# kernel initialisation

## Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

## Enable IP-spoofing protection (reverse path filtering)
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 1 > "$f"
done

## Disable acceptance of ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects ; do
    echo 0 > "$f"
done

## Disable sending of ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do
    echo 0 > "$f"
done

## Do not accept source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
    echo 0 > "$f"
done

## Log spoofed, source routed and redirected packets
for f in /proc/sys/net/ipv4/conf/*/log_martians ; do
    echo 1 > "$f"
done

## Enable TCP SYN cookie protection
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## Enable ICMP broadcast protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## Enable ICMP bogus error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

## Enable dynamic TCP/IP address hacking (for dial-up links whose address changes)
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

############################################################################
# on the loopback interface we can (and must) allow everything

## Allow unrestricted traffic on lo
${IPTABLES} -A INPUT -i ${LOOPBACK_INTERFACE} -j ACCEPT
${IPTABLES} -A OUTPUT -o ${LOOPBACK_INTERFACE} -j ACCEPT

############################################################################
# in the average home environment we can also allow everything on the local
# network

## Allow unrestricted traffic on the internal interfaces
${IPTABLES} -A INPUT -i ${INTERNAL_INTERFACE} -j ACCEPT
${IPTABLES} -A OUTPUT -o ${INTERNAL_INTERFACE} -j ACCEPT
${IPTABLES} -A INPUT -i ${WLAN_INTERFACE} -j ACCEPT
${IPTABLES} -A OUTPUT -o ${WLAN_INTERFACE} -j ACCEPT

############################################################################
# flatly refuse certain packets

## Refuse (and log) all fragmented packets
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -f -j LOG \
            --log-prefix "FRAGMENT! "
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -f -j DROP

## Refuse (and log) anything from private networks on the external iface
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${LOOPBACK} -j LOG \
            --log-prefix "SPOOFING! "
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_A}  -j LOG \
            --log-prefix "CLASS A ADDRESS! "
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_B}  -j LOG \
            --log-prefix "CLASS B ADDRESS! "
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_C}  -j LOG \
            --log-prefix "CLASS C ADDRESS! "
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${LOOPBACK} -j DROP
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_A}  -j DROP
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_B}  -j DROP
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -s ${CLASS_C}  -j DROP

############################################################################
# masquerade

## Forward everything coming from or destined for the local networks.
## Note: the two "-i ${EXTERNAL_INTERFACE}" rules are stateless, so they also
## admit unsolicited connections from the internet into the local networks.
if [ "${MASQ}" = "yes" ] ; then
  ${IPTABLES} -t nat -A POSTROUTING -o ${EXTERNAL_INTERFACE} -j MASQUERADE
  ${IPTABLES} -A FORWARD -i ${INTERNAL_INTERFACE} \
            -o ${EXTERNAL_INTERFACE} -s ${LAN} ! -d ${LAN} -j ACCEPT
  ${IPTABLES} -A FORWARD -o ${INTERNAL_INTERFACE} \
            -i ${EXTERNAL_INTERFACE} -d ${LAN} ! -s ${LAN} -j ACCEPT
  ${IPTABLES} -A FORWARD -i ${WLAN_INTERFACE} \
            -o ${EXTERNAL_INTERFACE} -s ${WLAN} ! -d ${WLAN} -j ACCEPT
  ${IPTABLES} -A FORWARD -o ${WLAN_INTERFACE} \
            -i ${EXTERNAL_INTERFACE} -d ${WLAN} ! -s ${WLAN} -j ACCEPT
fi

############################################################################
# accept certain ICMP packets

## Accept a number of ICMP types, rate limited:
## 0 echo reply, 3 destination unreachable, 5 redirect, 8 echo request,
## 11 time exceeded
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 0 -s ${ANYWHERE}  \
          -m limit --limit 2/s -j ACCEPT
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 3 -s ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 5 -s ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 8 -s ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 11 -s ${ANYWHERE} \
          -m limit --limit 10/s -j ACCEPT
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 3 -d ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 8 -d ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 0 -d ${ANYWHERE} \
          -m limit --limit 2/s -j ACCEPT
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p icmp \
          --icmp-type 11 -d ${ANYWHERE} \
          -m limit --limit 10/s -j ACCEPT

############################################################################
# accept TCP connections initiated from the local network

## accept TCP connections according to the SYN, SYN+ACK, ACK principle
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
            -m state --state ESTABLISHED,RELATED  -j ACCEPT
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp \
            -m state --state ESTABLISHED,RELATED  -j ACCEPT
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
            --tcp-flags ACK,SYN SYN  -j ACCEPT

## accept auth (ident) requests (prevents timeouts)
${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
            --source-port ${UNPRIVPORTS} \
            --destination-port 113 -j ACCEPT

############################################################################
# UDP

## allow dns requests from the local network
${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p udp \
            --source-port 53  --destination-port ${UNPRIVPORTS} -j ACCEPT
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p udp \
            --source-port ${UNPRIVPORTS}  --destination-port 53 -j ACCEPT

## allow traceroute
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p udp \
            --source-port 32769:65535  --destination-port 33434:33523 \
            -j ACCEPT
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p udp \
            --source-port 32769:65535  --destination-port 33434:33523 \
            -j ACCEPT

## allow time
${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p udp \
            --source-port ${UNPRIVPORTS}  --destination-port 37 -j ACCEPT
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p udp \
            --source-port 37  --destination-port ${UNPRIVPORTS} -j ACCEPT

# add other UDP ports here

############################################################################
# running servers yourself

## open the http server to the outside world
if [ "${HTTP_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 80 -j ACCEPT
  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              --source-port 80 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## open the nameserver to the outside world
if [ "${NAME_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 53 -j ACCEPT
  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              --source-port 53 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## open the ssh server to the outside world
if [ "${SSH_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 22 -j ACCEPT
  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              --source-port 22 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## open the telnet server to the outside world (telnet is port 23, not 21)
if [ "${TELNET_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 23 -j ACCEPT
  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              --source-port 23 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## webmin, internal only
if [ "${WEBMIN}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${INT} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 10000 -j ACCEPT
  ${IPTABLES} -A OUTPUT -o ${INT} -p tcp \
              --source-port 10000 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## open the smtp server to the outside world
if [ "${SMTP_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT  -i ${EXTERNAL_INTERFACE} -p tcp \
              --source-port ${UNPRIVPORTS} \
              --destination-port 25 -j ACCEPT
  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              --source-port 25 \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
fi

## open the ftp server to the outside world
if [ "${FTP_SERVER}" = "yes" ] ; then
  ${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state NEW,ESTABLISHED \
              --source-port ${UNPRIVPORTS} --destination-port 21 -j ACCEPT
  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state ESTABLISHED,RELATED \
              --source-port 21 --destination-port ${UNPRIVPORTS} -j ACCEPT

  ## ftp server - active
  ${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state ESTABLISHED,RELATED ! --syn \
              --destination-port 20 -j ACCEPT
  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state ESTABLISHED,RELATED \
              --source-port 20 -j ACCEPT

  ## ftp server - passive
  ${IPTABLES} -A INPUT -i ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state ESTABLISHED,RELATED \
              --destination-port ${UNPRIVPORTS} -j ACCEPT
  ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp \
              -m state --state ESTABLISHED,RELATED \
              --source-port ${UNPRIVPORTS} -j ACCEPT
fi

${IPTABLES}  --table nat  -A PREROUTING  -i ppp0  -p tcp --dport 4662  -j DNAT --to 192.168.0.2

############################################################################
# catch the trash

# log everything that still falls through at this point
if [ "${LOG}" = "yes" ] ; then
  ${IPTABLES} -A INPUT   -j LOG --log-prefix "filtered on INPUT "
  ${IPTABLES} -A OUTPUT  -j LOG --log-prefix "filtered on OUTPUT "
  ${IPTABLES} -A FORWARD -j LOG --log-prefix "filtered on FORWARD "
fi
```
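The LOG rules at the end of the script are the fastest way to find out which chain is refusing the client's traffic: every packet that falls through to the end of a chain gets a kernel-log line whose prefix names the chain, followed by the IN/OUT interfaces, addresses, protocol and ports. The following Python is an added example, not part of the original post, that parses such lines and summarises the refused traffic per chain. The sample log lines are constructed for the example (documentation addresses, not captured from anyone's gateway), and mapping the script's other prefixes (FRAGMENT!, SPOOFING!, CLASS x ADDRESS!) to INPUT is an assumption that holds for this script only, because those rules all sit in INPUT.

```python
import re
from collections import Counter

# Constructed sample lines in the format netfilter's LOG target writes to the
# kernel log (not captured from a real system); the prefixes are the ones the
# script above sets with --log-prefix. The last line is not a firewall line.
SAMPLE_LOG = """\
Mar  3 21:14:02 gw kernel: filtered on FORWARD IN=wlan0 OUT=ppp0 SRC=10.10.10.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=32771 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 21:14:05 gw kernel: filtered on FORWARD IN=wlan0 OUT=ppp0 SRC=10.10.10.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=32771 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 21:14:09 gw kernel: filtered on INPUT IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9 DF PROTO=TCP SPT=2345 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 21:14:11 gw kernel: SPOOFING! IN=ppp0 OUT= SRC=127.0.0.1 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 21:14:15 gw kernel: filtered on OUTPUT IN= OUT=ppp0 SRC=203.0.113.9 DST=192.0.2.53 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1027 DPT=53 LEN=41
Mar  3 21:14:16 gw sshd[812]: Accepted publickey for admin from 192.168.0.2 port 40112 ssh2
"""

# Fields the LOG target always emits, in the order it emits them; SPT/DPT
# only exist for TCP and UDP, so that part is optional.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)\s*IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def chain_for_prefix(prefix: str) -> str:
    """Map a --log-prefix back to the chain that logged it. The catch-all
    rules use "filtered on <CHAIN>"; every other prefix in this script comes
    from an INPUT rule on the external interface (script-specific assumption)."""
    parts = prefix.split()
    if len(parts) == 3 and parts[:2] == ["filtered", "on"]:
        return parts[2]
    return "INPUT"


def parse_log_line(line: str):
    """Return a dict of the netfilter fields for a LOG line, None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["chain"] = chain_for_prefix(rec["prefix"])
    return rec


def drops_by_chain(text: str) -> Counter:
    """How many logged (i.e. refused) packets each chain produced."""
    return Counter(rec["chain"] for rec in map(parse_log_line, text.splitlines()) if rec)


def dropped_flows(text: str, chain: str) -> Counter:
    """(in, out, proto, src, dst, dport) -> count for one chain, so the admin
    can see at a glance which traffic that chain is refusing."""
    flows = Counter()
    for rec in map(parse_log_line, text.splitlines()):
        if rec and rec["chain"] == chain:
            key = (rec["in"] or "-", rec["out"] or "-", rec["proto"],
                   rec["src"], rec["dst"], rec["dpt"] or "-")
            flows[key] += 1
    return flows


if __name__ == "__main__":
    print("refused packets per chain:", dict(drops_by_chain(SAMPLE_LOG)))
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        for flow, n in dropped_flows(SAMPLE_LOG, chain).items():
            print(f"{chain:8s} {n:3d}x  in={flow[0]} out={flow[1]} {flow[2]} {flow[3]} -> {flow[4]}:{flow[5]}")
```

Run against the real log (`dmesg` or the kernel facility in syslog) the FORWARD and OUTPUT rows are the ones to look at for a "waiting for reply" symptom: a FORWARD line for the client's SYN means the forwarding rules did not match it, while an OUTPUT line with DPT=53 from a source port below 5000 shows the gateway's own resolver being caught by the UNPRIVPORTS range the script uses.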

----------

## cold

It is possible to connect to MSN and use it, but webpages are still not working   :Mad: 

----------

## scout

I don't even understand why your MSN is working ...

See, you should have a line

```
${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp --dport port -j ACCEPT
```

where port is http or 80.

I don't see any of these lines ... but I don't understand why you can connect with MSN. Is it because MSN uses UDP? Could you please post the result of iptables -vL once your firewall is started?

----------

## cold

 *scout wrote:*   

> I don't even understand why your msn is working ...
> 
> see you should have a line
> 
> ${IPTABLES} -A OUTPUT -o ${EXTERNAL_INTERFACE} -p tcp --dport port -j ACCEPT
> ...

 

```
bash-2.05b# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
bash-2.05b#
```

This firewall does work for the rest of the network!

----------

## scout

 *cold wrote:*   

> ```
> bash-2.05b# iptables -vL
> ...
> ```

 

You haven't got any firewall here!

----------

## dreamer

Hi!

First of all, why all these complex rules in your FORWARD chain? Just do something like this:

```
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
```

AFAICS this is more effective and more secure.

If it still doesn't work you can observe your network traffic with netstat -ant or a similar tool. That way you can find out where things go wrong.

cheers

----------

## Crg

 *dreamer wrote:*   

> -A FORWARD -i eth0 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> ...

 

It'd be better to be:

```
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT # If you want to be able to access the fw
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
```
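To see why the short stateful ruleset that dreamer and Crg propose does the same job as the long stateless FORWARD section in the original script, it helps to walk packets through it. The following Python is an added example, not code from the thread: it parses exactly the subset of iptables syntax used above (-P, -F, -A, -i, -o, -p, --dport, -m state --state, -j) into an in-memory filter table and evaluates constructed packets against it. There is no real connection tracking here; the conntrack state of each packet is supplied by hand, and eth0 is assumed to be the LAN side and ppp0 the internet side as in cold's script. The nat table (MASQUERADE) is deliberately not modelled.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# The ruleset proposed above, as the literal iptables commands.
RULESET = """\
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT  # so the LAN can reach the firewall itself
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""


@dataclass
class Packet:
    """A packet as the filter table sees it. 'state' is what conntrack would
    have classified it as; it is supplied by hand because this model has no
    connection tracking of its own."""
    in_iface: Optional[str]
    out_iface: Optional[str]
    proto: str
    dport: int
    state: str


class FilterTable:
    """Model of the iptables filter table: three built-in chains, each a list
    of rules evaluated top to bottom, falling through to the chain policy."""

    CHAINS = ("INPUT", "FORWARD", "OUTPUT")

    def __init__(self):
        self.policy = {c: "ACCEPT" for c in self.CHAINS}   # kernel default
        self.chains = {c: [] for c in self.CHAINS}

    def load(self, script: str) -> None:
        for line in script.splitlines():
            argv = shlex.split(line.split("#", 1)[0])     # drop shell comments
            if argv and argv[0] == "iptables":
                self.command(argv[1:])

    def command(self, args: list) -> None:
        """Handle the subset of iptables options used in the thread."""
        it = iter(args)
        chain, rule = None, {}
        for opt in it:
            if opt == "-P":                 # -P CHAIN TARGET: set policy
                chain = next(it)
                self.policy[chain] = next(it)
            elif opt == "-F":               # -F: flush rules, policies stay
                self.chains = {c: [] for c in self.CHAINS}
            elif opt == "-A":               # -A CHAIN ...: append a rule
                chain = next(it)
                rule["append"] = True
            elif opt == "-i":
                rule["in"] = next(it)
            elif opt == "-o":
                rule["out"] = next(it)
            elif opt == "-p":
                rule["proto"] = next(it).lower()
            elif opt == "--dport":
                rule["dport"] = int(next(it))
            elif opt == "-m":
                if next(it) != "state":
                    raise ValueError("only the state match is modelled")
            elif opt == "--state":
                rule["state"] = set(next(it).split(","))
            elif opt == "-j":
                rule["target"] = next(it)
            else:
                raise ValueError(f"unsupported option {opt}")
        if rule.pop("append", False):
            self.chains[chain].append(rule)

    @staticmethod
    def matches(rule: dict, pkt: Packet) -> bool:
        """Every match option present in the rule must hold for the packet."""
        if "in" in rule and rule["in"] != pkt.in_iface:
            return False
        if "out" in rule and rule["out"] != pkt.out_iface:
            return False
        if "proto" in rule and rule["proto"] != pkt.proto:
            return False
        if "dport" in rule and rule["dport"] != pkt.dport:
            return False
        if "state" in rule and pkt.state not in rule["state"]:
            return False
        return True

    def verdict(self, chain: str, pkt: Packet) -> str:
        for rule in self.chains[chain]:
            if self.matches(rule, pkt):
                return rule["target"]
        return self.policy[chain]             # nothing matched: chain policy


def demo() -> dict:
    """Walk constructed packets through the ruleset; returns name -> verdict."""
    fw = FilterTable()
    fw.load(RULESET)
    cases = {
        "lan client opens http":       ("FORWARD", Packet("eth0", "ppp0", "tcp", 80, "NEW")),
        "http reply to lan client":    ("FORWARD", Packet("ppp0", "eth0", "tcp", 32771, "ESTABLISHED")),
        "unsolicited syn to lan host": ("FORWARD", Packet("ppp0", "eth0", "tcp", 445, "NEW")),
        "unsolicited syn to firewall": ("INPUT", Packet("ppp0", None, "tcp", 22, "NEW")),
        "lan admin ssh to firewall":   ("INPUT", Packet("eth0", None, "tcp", 22, "NEW")),
        "firewall's own dns reply":    ("INPUT", Packet("ppp0", None, "udp", 1027, "ESTABLISHED")),
    }
    return {name: fw.verdict(chain, pkt) for name, (chain, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

The point the walk-through makes is that two rules per chain cover every case the long script needed a per-port pair for: anything the LAN starts is accepted on the way out, and only packets conntrack already knows about are accepted on the way back in, so an unsolicited SYN from ppp0 hits the DROP policy whether it is aimed at a LAN host or at the gateway. Note that with the OUTPUT policy at ACCEPT the gateway's own resolver is no longer caught by a port-range rule, which the earlier script's UNPRIVPORTS split could do.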

----------

## dreamer

 *Crg wrote:*   

> It'd be better to be:
> ...

 

Yup, I've something similar over here. In my example I was just referring to the FORWARD chain.

@TS: why not create your own ruleset? IMHO it gives you more control, overview and understanding.

----------

