Ladies and Gents,
    I have a FreeSWan box up and running as my gateway.  VPN works fine with everything, roadwarriors, vpn to vpn and everything.  People are happy.  EXCEPT FOR ME.  Get this: 
    There is a Citrix Metaframe server behind this stupid box.  Anyone not VPNed in just configures their clients for the WAN IP of the firewall and it port-forwards them into the server.  Ok, that's all peaches.  Now, when I establish a VPN connection, I can ping the damn server, but can't establish any connection.  Just times out.  I can ping the mail server, but I can't telnet into port 25 to see the SMTP greeting.  So, I'm convinced it's the iptables rules I have applied to my firewall.
    I'm supplying the firewall rules, can someone please shed some light?  I'm still learning iptables; I'm just too used to ipchains.
 
THANKS!!!!!!!
 
    Here we go,
 
/downloads/cleariptables
# Disable reverse-path filtering on all interfaces, then turn IP forwarding on
for spoof in /proc/sys/net/ipv4/conf/*/rp_filter
do
        echo 0 > $spoof
done
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe iptable_nat
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
 
INTERNALIF="eth0"
INTERNALNET="10.0.0.0/24"
INTERNALBCAST="10.0.0.255"
EXTERNALIF="eth1"
MYADDR="216.84.8.11"
BIRCH="10.0.0.3"
PINE="10.0.0.2"
FIR="10.0.0.1"
IPTABLES="/sbin/iptables"
 

#Allow dynamic ip
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
 
# Allow all connections on the loopback interface
iptables  -A INPUT -i lo -j ACCEPT
 
#Kill connections to the local interface from the outside world.
iptables  -A INPUT -d 127.0.0.0/8 -j REJECT
 
#Allow unlimited traffic from internal network using legit addresses
iptables  -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT
 
#Allow IPSEC tunnel traffic
iptables  -A INPUT -p 50 -j ACCEPT
#Allow all traffic from the ipsec device to the internal network
iptables  -A FORWARD -i ipsec0 -o $INTERNALIF -j ACCEPT
 
#Kill anything from outside claiming to be from internal network
iptables  -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT
 
##ICMP
# Don't forward pings going inside
iptables  -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT
#ping flood protection
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
#Deny icmp to broadcast address
$IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP
 
#Allow all other icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT
 
##Allow established connections
#Unlike ipchains, we don't have to go through the business of allowing
#a local port range- just allow all connections already established.
 
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#Note that unlike ipchains, the following must be enabled even with masquerading
#Don't forward SMB related traffic
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j REJECT
#Allow ALL other forwarding going out
$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT
#Allow replies coming in
$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Services offered by the gateway itself: FTP (tcp/20,21 and udp/20), ssh, POP3
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p udp  --dport 20 -j ACCEPT
#$IPTABLES -A INPUT -p udp  --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
 
#FIR @coinfotech (exchange) email
$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 25 -j DNAT --to $FIR:25
$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d $FIR --dport 25 -j ACCEPT
 
#PINE DNAT 1494,1450,3389
$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 1494 -j DNAT --to $PINE:1494
$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d $PINE --dport 1494 -j ACCEPT
 
$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 1450 -j DNAT --to $PINE:1450
$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d $PINE --dport 1450 -j ACCEPT
 
$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 3389 -j DNAT --to $PINE:3389
$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d $PINE --dport 3389 -j ACCEPT
 
# Masquerade everything out the external interface (eth1)
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o ipsec0 -j MASQUERADE
# or SNAT since i have a static IP
#iptables -t nat -A POSTROUTING -o ipsec0 -s 10.0.0.0/24 -j SNAT --to 209.12.32.2
#iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j SNAT --to 209.12.32.2
#iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/24 -j SNAT --to 209.12.32.2
#BS
# /sbin/iptables -t mangle -A PREROUTING -i ipsec0 -j MARK --set-mark 1
# /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to 10.0.0.1-10.0.0.254
 
#forward rules
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT
 

# Allow IPsec in: IKE on udp/500 (ESP, protocol 50, is already accepted above)
iptables -A INPUT -p udp --dport 500 -j ACCEPT
# The rule that used to follow here, "-p 22", matched IP protocol 22, not TCP
# port 22; tcp/22 (ssh) is already accepted above, so it has been removed.
 
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --log-prefix "IPTABLES"
 
 
If you have any suggestions on locking these rules down, be my guest.  If anyone is familiar with portsentry, please let me know the syntax of opening up the firewall for malicious packets to get through so portsentry can catch them.
 
Regards,
Vasiliy Boulytchev
Colorado Information Technologies Inc.
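An added example, not part of this post or of FreeS/WAN: a small Python checker for the kind of iptables shell script posted above. It resolves NAME="value" shell variables, parses each iptables rule line, and reports three things a reviewer would look for in this ruleset: a numeric `-p` value that is more likely a port number than a protocol (as in `-p 22`), rules that exactly duplicate an earlier rule in the same chain, and filter chains that get neither a `-P DROP`/`REJECT` policy nor a terminal deny rule, so that whatever is not matched (here, everything that reaches the trailing LOG rule) is accepted by the kernel's default ACCEPT policy. The sample script embedded below is a constructed, trimmed copy of the posted rules, chosen so that each check fires once.

```python
"""Lint a simple iptables shell script for common ruleset mistakes."""
import os
import re
import shlex

# Constructed sample: a trimmed copy of the posted ruleset, with one line
# per finding (duplicate tcp/20 rule, "-p 22", trailing LOG with no policy).
SAMPLE_SCRIPT = '''\
EXTERNALIF="eth1"
IPTABLES="/sbin/iptables"
iptables -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp  --dport 20 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp --dport 25 -j DNAT --to 10.0.0.1:25
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 22 -j ACCEPT
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 --log-prefix "IPTABLES"
'''

# Numeric -p values that are normally meant as protocols in a gateway script:
# 1 icmp, 6 tcp, 17 udp, 47 gre, 50 esp, 51 ah.  Any other number is
# suspicious because it is more likely a port typed in the wrong place.
EXPECTED_NUMERIC_PROTOS = {"1", "6", "17", "47", "50", "51"}
TERMINAL_DENY = {"DROP", "REJECT"}
ASSIGN_RE = re.compile(r'^(\w+)="?([^"]*)"?$')


def parse_script(text):
    """Return (rules, policies).  Each rule is a dict with the script line
    number, table, chain, parsed options, target and normalized tokens;
    policies maps (table, chain) -> target given with -P."""
    variables, rules, policies = {}, [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:  # shell variable assignment, e.g. EXTERNALIF="eth1"
            variables[m.group(1)] = m.group(2)
            continue
        # Expand $NAME references from the assignments seen so far.
        line = re.sub(r"\$(\w+)", lambda v: variables.get(v.group(1), v.group(0)), line)
        tokens = shlex.split(line)
        if not tokens or os.path.basename(tokens[0]) != "iptables":
            continue
        opts = {"-t": "filter"}  # iptables defaults to the filter table
        chain = policy_target = None
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok == "-A":
                chain = nxt
                i += 2
            elif tok == "-P":
                chain = nxt
                policy_target = tokens[i + 2] if i + 2 < len(tokens) else None
                i += 3
            elif tok.startswith("-") and nxt is not None and not nxt.startswith("-"):
                opts[tok] = nxt  # every other option takes exactly one argument here
                i += 2
            else:
                i += 1
        if policy_target:
            policies[(opts["-t"], chain)] = policy_target
        elif chain:
            rules.append({"line": lineno, "table": opts["-t"], "chain": chain,
                          "opts": opts, "target": opts.get("-j"),
                          "tokens": tuple(tokens[1:])})
    return rules, policies


def lint(text):
    """Run the three checks; return a list of (line, code, message) tuples."""
    rules, policies = parse_script(text)
    findings, seen, last_in_chain = [], {}, {}
    for r in rules:
        proto = r["opts"].get("-p")
        if proto and proto.isdigit() and proto not in EXPECTED_NUMERIC_PROTOS:
            findings.append((r["line"], "numeric-proto",
                             f"-p {proto} matches IP protocol {proto}, not port {proto}; "
                             f"use '-p tcp --dport {proto}' if a TCP port was intended"))
        key = (r["table"], r["chain"], r["tokens"])
        if key in seen:
            findings.append((r["line"], "duplicate",
                             f"identical to rule on line {seen[key]} in {r['table']}/{r['chain']}"))
        else:
            seen[key] = r["line"]
        last_in_chain[(r["table"], r["chain"])] = r
    for (table, chain), last in last_in_chain.items():
        if table != "filter" or policies.get((table, chain)) in TERMINAL_DENY:
            continue
        if last["target"] in TERMINAL_DENY:
            continue
        findings.append((last["line"], "open-policy",
                         f"{chain} has no DROP/REJECT policy and its last rule is "
                         f"'-j {last['target']}': unmatched packets fall through to ACCEPT"))
    return findings


if __name__ == "__main__":
    for line, code, msg in lint(SAMPLE_SCRIPT):
        print(f"line {line}: [{code}] {msg}")
```

The parser only understands the one-argument option style used in the post (`-A CHAIN`, `-t TABLE`, `-p PROTO`, `--dport N`, `-j TARGET`), so on a ruleset that uses `!` negation or multi-argument matches it will silently ignore what it cannot classify; the point is the three checks, which are cheap to run before loading a script on a gateway.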