Hi Bart,
The IP assigned to the bridge is actually not NAT'd as I am using all
external IPs (hence my reason for using a bridge firewall). Here's a
little background:
It's a business cable modem account, bridged connection. I have 7 IPs
(xx.xx.xx.44-50). The bridge/firewall currently has 2 NICs, eth0 to the
net, and eth1 to the LAN. The bridged interface, br0, has the IP
xx.xx.xx.50. I am able to access the firewall from all machines on its
subnet, but I can't seem to punch an ssh hole from the internet.
Attached is the copy of my firewall script.
Thanks for the suggestions so far, and if anybody has any more, please let
me know!
Thanks,
-Tim
ps. I apologize to those who got this email twice.
On Sun, 17 Mar 2002, Bart De Schuymer wrote:
>
> ----- Original Message -----
> From: "Tim Riley" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, March 17, 2002 2:21 AM
> Subject: [Bridge] allowing external access to the bridge
>
>
> > Hello,
> >
> > I have a bridge firewall set up with an IP assigned to br0. I am able to
> > access the firewall (via ssh) from the LAN, but I would like to allow ssh
> > access from one IP on the internet. I've tried every iptables syntax I
> > could think of, and can't get this working. Is this possible? I realize
> > the bridge is completely transparent to the outside world, so I'm
> > wondering if there's any way to punch a hole.
>
> Could you elaborate on your network topology?
> Anyway, if you gave your bridge a private ip address (one that you can't
> find on the internet) then you can't access it from the internet.
>
> cheers,
> Bart
>
>
BR_IP="xx.xx.xx.50"
BR_IFACE=br0
BR_NETMASK="255.255.255.128"
BR_GATEWAY="xx.xx.xx.1"
INET_IFACE="eth0"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"
rmmod ipchains
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
#
# Take down the interfaces before setting up the bridge
#
ifdown $INET_IFACE
ifdown $LAN_IFACE
ifconfig $INET_IFACE 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0
# Clean up for a restart
$IPTABLES -F
$IPTABLES -X
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Our interfaces don't have IP addresses so we have to start with the mangle
# PREROUTING table
$IPTABLES -t mangle -P PREROUTING ACCEPT
# Now we are pretty secure, let's start the bridge
# This will create a new interface
brctl addbr $BR_IFACE
# and add the interfaces to it
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE
# make us visible to the network again (optional)
if [ "$BR_IP" != "" ] ; then
ifconfig $BR_IFACE $BR_IP netmask $BR_NETMASK
route add default gw $BR_GATEWAY
else
# otherwise we must at least bring the interface up for the bridge to work.
ifconfig $BR_IFACE up
fi
# Block obvious spoofs
$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
# Accept internal packets on the internal i/f
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s xx.xx.xx.44 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s xx.xx.xx.45 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s xx.xx.xx.46 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s xx.xx.xx.47 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s xx.xx.xx.48 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s xx.xx.xx.49 -j ACCEPT
# Accept external packets on the external i/f
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s xx.xx.xx.44 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s xx.xx.xx.45 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s xx.xx.xx.46 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s xx.xx.xx.47 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s xx.xx.xx.48 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s xx.xx.xx.49 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -j ACCEPT
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -p ALL -s xx.xx.xx.44 -j ACCEPT
$IPTABLES -A FORWARD -p ALL -s xx.xx.xx.45 -j ACCEPT
$IPTABLES -A FORWARD -p ALL -s xx.xx.xx.46 -j ACCEPT
$IPTABLES -A FORWARD -p ALL -s xx.xx.xx.47 -j ACCEPT
$IPTABLES -A FORWARD -p ALL -s xx.xx.xx.48 -j ACCEPT
$IPTABLES -A FORWARD -p ALL -s xx.xx.xx.49 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 \
    --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT # echo reply
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT # dest unreachable
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT # redirect
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # time exceeded
$IPTABLES -A FORWARD -p ICMP -j icmp_packets
#
# UDP ports
#
$IPTABLES -N udpincoming_packets
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT # DNS
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT # ntp
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT # speakfreely
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # icq
$IPTABLES -A FORWARD -p UDP -j udpincoming_packets
#
$IPTABLES -N tcp_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
# TCP rules
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A FORWARD -p TCP -j tcp_packets
#
# Input to the firewall itself. Leave these out if you don't want the firewall
# to be visible on the network at all.
# Note that the PREROUTING restrictions above mean that only packets from inside
# the firewall can fulfill the source condition. So the firewall machine should not be
# visible to the internet.
#
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s xx.xx.xx.44 -d $BR_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s xx.xx.xx.45 -d $BR_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s xx.xx.xx.46 -d $BR_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s xx.xx.xx.47 -d $BR_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s xx.xx.xx.48 -d $BR_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s xx.xx.xx.49 -d $BR_IP -j ACCEPT
# But you *will* need this
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -d $BR_IP -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 \
    --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $BR_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 \
    --log-prefix "IPT OUTPUT packet died: "
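The rule shape the thread is asking about, written out as an added example that is not part of Tim's attached script or Bart's reply: a small generator that emits the per-host LAN rules from a list instead of six hand-copied lines, and an INPUT rule that admits SSH to the bridge address from exactly one administrator host, followed by a logged drop for every other SSH attempt so that a later broad ACCEPT cannot let them in. Every address here is a constructed placeholder from the documentation ranges (203.0.113.0/24 stands in for the poster's xx.xx.xx.* block, 198.51.100.7 for the single permitted remote host); ADMIN_SRC, SSH_PORT and the function names are this example's own. By default IPTABLES is set to `echo /sbin/iptables`, so running the script only prints the commands it would issue; it does not diagnose why the original script's catch-all does not admit the connection on the poster's bridge.

```shell
#!/bin/sh
# Added example, not the poster's script: generate iptables rules for a
# bridge firewall from variables, dry-run by default (commands are echoed).
# Set IPTABLES=/sbin/iptables in the environment to actually apply them.
# All addresses are constructed placeholders (RFC 5737 documentation ranges).

IPTABLES="${IPTABLES:-echo /sbin/iptables}"

BR_IFACE="br0"
BR_IP="203.0.113.50"                        # stands in for xx.xx.xx.50
LAN_HOSTS="203.0.113.44 203.0.113.45 203.0.113.46 203.0.113.47 203.0.113.48 203.0.113.49"
ADMIN_SRC="198.51.100.7"                    # the one remote host allowed to ssh in (assumed)
SSH_PORT=22

# Forward traffic originating from each LAN host: one rule per address,
# generated from the list rather than copied six times.
lan_forward_rules() {
    for h in $LAN_HOSTS; do
        $IPTABLES -A FORWARD -s "$h" -j ACCEPT
    done
}

# SSH to the bridge IP: accept only from ADMIN_SRC, then log and drop the
# rest. iptables takes the first matching rule, so these must sit in the
# chain before any broad "-d $BR_IP -j ACCEPT" rule.
ssh_input_rules() {
    $IPTABLES -A INPUT -i "$BR_IFACE" -p tcp -s "$ADMIN_SRC" -d "$BR_IP" \
        --dport "$SSH_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i "$BR_IFACE" -p tcp -d "$BR_IP" --dport "$SSH_PORT" \
        -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT ssh refused: "
    $IPTABLES -A INPUT -i "$BR_IFACE" -p tcp -d "$BR_IP" --dport "$SSH_PORT" -j DROP
}

# Count the rules a generator would install (meaningful in dry-run mode,
# where each emitted command is one line containing "iptables").
rule_count() {
    "$1" | grep -c 'iptables'
}

lan_forward_rules
ssh_input_rules
```

With the default dry run, the output is six FORWARD rules and three INPUT rules; reviewing that listing before applying it is the point of keeping the generator separate from the apply step.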