# iptables and ident

## EvilN

Hi all.

I'm not getting any identd response from my WAN side (from the LAN it works fine).

I've tried oidentd and fakeidentd, and both answer from the LAN but not on the WAN side.

I have turned the firewall ruleset inside out but I'm missing something.

Could anyone have a read-through and give me a hint?

The ruleset (one WAN interface, eth0, and one LAN interface, eth1).

Built as a script.

```bash
#!/bin/bash

/sbin/iptables --flush

/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P INPUT DROP

########## Port forwarding rules #############

# forward direct connect
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1974 -i eth0 -j DNAT --to 192.168.0.10
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 3724 -i eth0 -j DNAT --to 192.168.0.13
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 6112 -i eth0 -j DNAT --to 192.168.0.13
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 6881:6999 -i eth0 -j DNAT --to 192.168.0.13

########## Input Rules #############

# deny all incoming fake (private/reserved) source networks on eth0
/sbin/iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 240.0.0.0/5 -i eth0 -j DROP

/sbin/iptables -A INPUT -i lo -j ACCEPT

# Allow all LAN connections
/sbin/iptables -A INPUT -i eth1 -j ACCEPT

# Services

# Allow IDENT
/sbin/iptables -A INPUT -p tcp --dport 113 -i eth0 -j ACCEPT

# Allow SSH from the internet
#/sbin/iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT

# Allow eDonkey
/sbin/iptables -A INPUT -p tcp --dport 54328 -i eth0 -j ACCEPT

# Allow Web
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

## Stateful part

# Allow connections through that we started internally
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Rules for LAN

# Forward the internal network so the internet works
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT

# BitComet PC1
/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 1974 -d 192.168.0.10 -j ACCEPT

# WoW stuff PC2 (TCP, so these match the TCP DNAT rules above; DNATed
# connections would otherwise fall through to the FORWARD DROP policy)
/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3724 -d 192.168.0.13 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 6112 -d 192.168.0.13 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 6881:6999 -d 192.168.0.13 -j ACCEPT

# allow established connections
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

## turn on NAT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Log everything that didn't hit any other rule
#/sbin/iptables -A INPUT -j LOG --log-level warning --log-prefix "iptables:   "

/bin/echo "Rules Reloaded"
/bin/echo "Saving rules for reboot"
/etc/init.d/iptables save

exit 0
```

Note that there is a line for the identd: `/sbin/iptables -A INPUT -p tcp --dport 113 -i eth0 -j ACCEPT`

Anyone see anything I missed?

----------

## think4urs11

`netstat -plunt` please

----------

## EvilN

```
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      11816/fakeidentd
```

I can see the connection attempt with tcpdump, but it doesn't seem like the ident daemon replies to anything but eth1. I haven't bound either fakeidentd or oidentd to a specific interface:

```
nostromo ~ # tcpdump -l -i eth0 | grep auth
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:51:25.971350 IP zzzz.xxxx.cust.bredbandsbolaget.se.radius-acct > xx-zzz-yyy-vv-uu.tbcn.telia.com.auth: S 38409973:38409973(0) win 5840 <mss 1460,sackOK,timestamp 1506639880 0,nop,wscale 2>
```

I'm totally lost. Why am I not allowing outgoing connections for the "auth" service? I can't see it in the iptables list.

----------

## EvilN

*bump*

----------

## EvilN

*bump*

If someone can't help me soon with this one (I've been over it a million times now) I'll just have to go with OpenBSD on the firewall instead...

Can someone just HINT what the heck I've screwed up???

----------

## kadeux

At first glance the rules seem OK. I noticed that you are using the nat table but only flush the filter table at the beginning of your script. If you restore the rules at boot time that you saved at the end of the script, and don't flush all the tables you are using, then an old, forgotten, wrong entry in the nat table could cause your problem.

Add the following to the beginning of your script:

```
/sbin/iptables -t nat --flush
```

.. and if you have support for the mangle table or raw table compiled into your kernel, repeat the flushing for these tables, too.

You might consider posting the results of the following commands:

```
/sbin/iptables -L -n -v
/sbin/iptables -t nat -L -n -v
/sbin/iptables -t mangle -L -n -v
/sbin/iptables -t raw -L -n -v
```

For bug hunting you could disconnect from the internet, connect one of your local machines to the external interface of your firewall, reset the counters of all tables, change the IP of the computer connected to the external interface of your firewall to a non-private value (so you can test your iptables ruleset with the final rules) and send an auth request to your firewall. Then run the `iptables -L` command for all tables and look where the dropped packets are shown.
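The two things kadeux suggests above (flush every table, not just filter, and zero the counters, fire one test packet, then read the listings to see which rule it hit) as an added example; this is not code from the thread or from either poster. It assumes `/sbin/iptables` (overridable via `IPT`), the four standard tables, and a constructed `iptables -t nat -L -n -v -x` listing that stands in for a stale DNAT entry of the kind the thread ends up blaming. The listing is made up for illustration, not a capture from the poster's box.

```shell
#!/bin/bash
# Added example: flush all tables, zero counters, and report which rules a
# test packet hit. IPT, the table list and the sample listing are assumptions.

IPT=${IPT:-/sbin/iptables}
TABLES="filter nat mangle raw"

# Flush rules, delete user-defined chains and zero counters in every table.
# A table that is not compiled into the kernel makes -F fail; it is skipped.
flush_all_tables() {
  for t in $TABLES; do
    "$IPT" -t "$t" -F 2>/dev/null || continue
    "$IPT" -t "$t" -X
    "$IPT" -t "$t" -Z
  done
}

# Zero only the packet/byte counters (do this right before sending the one
# auth request from the outside, so the listings afterwards show only it).
zero_counters() {
  for t in $TABLES; do
    "$IPT" -t "$t" -Z 2>/dev/null || true
  done
}

# Read `iptables -t <table> -L -n -v -x` output on stdin and print one line for
# every rule whose packet counter is non-zero and whose target decides a
# packet's fate (DROP/REJECT) or rewrites it (NAT targets).
# Output format: CHAIN TARGET pkts=N <rest of the rule line>
report_hits() {
  awk '
    /^Chain /                 { chain = $2; next }   # chain header line
    /^ *pkts +bytes +target/  { next }               # column header line
    NF == 0                   { next }               # blank separator
    ($1 + 0) > 0 && $3 ~ /^(DROP|REJECT|DNAT|SNAT|REDIRECT|MASQUERADE)$/ {
      rest = ""
      for (i = 4; i <= NF; i++) rest = rest " " $i
      printf "%s %s pkts=%s%s\n", chain, $3, $1, rest
    }
  '
}

# Run report_hits over every table on a live firewall (needs root).
show_hits() {
  for t in $TABLES; do
    "$IPT" -t "$t" -L -n -v -x 2>/dev/null | report_hits | sed "s/^/[$t] /"
  done
}

# Constructed nat-table listing (not a real capture): a leftover DNAT rule
# redirects port 113 to a LAN host, so the firewall itself never sees it.
sample_nat_listing() {
  cat <<'EOF'
Chain PREROUTING (policy ACCEPT 1032 packets, 61240 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7        420 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113 to:192.168.0.10
       0          0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1974 to:192.168.0.10

Chain POSTROUTING (policy ACCEPT 12 packets, 800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      55       4200 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
}

# `bash thisscript.sh demo` runs the parser over the constructed listing.
if [ "${1:-}" = "demo" ]; then
  sample_nat_listing | report_hits
fi
```

On the firewall the sequence is `zero_counters`, one TCP connection to port 113 from the outside host (with the isolated-LAN setup described above), then `show_hits`: a DNAT line in PREROUTING with a non-zero counter and `dpt:113` means the request was redirected before the INPUT chain's ACCEPT for port 113 ever saw it, which is exactly the kind of leftover entry a filter-only `--flush` leaves in place. `-x` is used so counters print as exact integers rather than `12K`; the parser tolerates both.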

----------

## EvilN

Thanks Buddy!

That did the trick.

Old crap from the NAT table was lingering around.

I initially wrote the firewall script for single machines connected directly to the internet and just added the NAT part later.

Should have done it from scratch instead.

Many thanks!

----------

