Antony

Thanks again.

Here is my rule set... it is preceded by the usual stuff
like flushing chains, dropping certain classes of packets, etc.

These are the *only* rules with "-j ACCEPT" in my entire firewall script
and somehow DNS sneaks thru...


# Shell assignments: no "$" on the left-hand side and no spaces around "=".
PROTECTED_NETWORK=192.168.0.0/29
PROTECTED_NETWORK_SPACE=192.168.0.0/16

...

# Allow all thru loopback.
$IPTABLES -t filter -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
$IPTABLES -t filter -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# Only SSH from Internet but anything *to* Internet.
$IPTABLES -t filter -A FORWARD     -i $INTERNET_INTERFACE             \
          -s ! $PROTECTED_NETWORK_SPACE -d   $PROTECTED_PC_IP_ADDRESS \
          -p tcp --dport $SSH_PORT                                    \
          -j ACCEPT
$IPTABLES -t filter -A FORWARD     -o $INTERNET_INTERFACE             \
          -s   $PROTECTED_NETWORK       -d ! $PROTECTED_NETWORK_SPACE \
          -j ACCEPT

# Allow all thru private LAN NIC.
$IPTABLES -t filter -A FORWARD     -i $PROTECTED_NETWORK_INTERFACE    \
          -s $PROTECTED_NETWORK         -d ! $PROTECTED_NETWORK_SPACE \
          -j ACCEPT
$IPTABLES -t filter -A FORWARD     -o $PROTECTED_NETWORK_INTERFACE    \
          -s ! $PROTECTED_NETWORK_SPACE -d   $PROTECTED_NETWORK       \
          -j ACCEPT

# The usual NAT stuff here.
$IPTABLES -t nat    -A PREROUTING  -i $INTERNET_INTERFACE             \
          -s ! $PROTECTED_NETWORK_SPACE -d   $INTERNET_IP_ADDRESS     \
          -p tcp --dport $SSH_PORT                                    \
          -j DNAT --to-destination $PROTECTED_PC_IP_ADDRESS
$IPTABLES -t nat    -A POSTROUTING -o $INTERNET_INTERFACE             \
          -s   $PROTECTED_NETWORK       -d ! $PROTECTED_NETWORK_SPACE \
          -j SNAT --to-source      $INTERNET_IP_ADDRESS


I don't have *anything* with ESTABLISHED or RELATED that would allow
DNS to sneak in...... *but it does*!?!?!?!?

Chris


On Sat, Jun 22, 2002 at 06:38:40PM +0100, Antony Stone wrote:
> On Saturday 22 June 2002 6:30 pm, Christian Seberino wrote:
> 
> > My firewall *only* forwards SSH stuff to private LAN.
> >
> > It forwards *everything* _from_ private LAN to Internet however.
> >
> > How can the private LAN use DNS which it does????
> >
> > How is DNS server returning the info thru firewall
> > if it *only* allows SSH??!?!?!?
> 
> Do you have a rule allowing reply packets from, say, a website back to your 
> internal clients ?
> 
> Maybe:
> 
> iptables -A FORWARD -i $EXTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> Same rule will allow replies to DNS requests.
> 
> If you don't have anything like that, post your ruleset and we'll have a 
> think about it.
> 
>  
> 
> Antony.

-- 
_______________________________________

Dr. Christian Seberino
SPAWAR Systems Center San Diego
Code 2363
53560 Hull Street
San Diego, CA 92152-5001
U.S.A.

Phone: (619) 553-7940
Fax:   (619) 553-2836
Email: [EMAIL PROTECTED]
_______________________________________
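The following is an added worked example, not part of the thread above and not code by either poster. It models the four FORWARD rules from the posted script as a first-match chain (policy assumed DROP) and runs three constructed packets through it, then through a stateful variant of the kind Antony's reply suggests. Interface names (eth0/eth1), the protected PC address 192.168.0.2, the SSH port 22 and the sample packet addresses are all constructed stand-ins for the script's variables; the two network prefixes are the ones in the post. The point it makes visible is that the last FORWARD rule (`-o $PROTECTED_NETWORK_INTERFACE -s ! $PROTECTED_NETWORK_SPACE -d $PROTECTED_NETWORK -j ACCEPT`) matches any packet from outside 192.168/16 to the /29, whatever its protocol, port or connection state, so DNS replies (and any other unsolicited inbound packet) are accepted by it; a `--state ESTABLISHED,RELATED` rule admits the replies while dropping the rest.

```python
"""Simulate the posted FORWARD chain and a stateful rewrite on constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed stand-ins for the variables used in the posted script.
INTERNET_INTERFACE = "eth0"
PROTECTED_NETWORK_INTERFACE = "eth1"
PROTECTED_NETWORK = ipaddress.ip_network("192.168.0.0/29")        # from the post
PROTECTED_NETWORK_SPACE = ipaddress.ip_network("192.168.0.0/16")  # from the post
PROTECTED_PC_IP_ADDRESS = ipaddress.ip_address("192.168.0.2")     # constructed
SSH_PORT = 22                                                      # assumed


@dataclass
class Packet:
    in_if: str            # -i
    out_if: str           # -o
    src: str              # -s
    dst: str              # -d (as seen in FORWARD, i.e. after PREROUTING DNAT)
    proto: str            # -p
    dport: Optional[int]  # --dport
    state: str            # what conntrack would report: NEW, ESTABLISHED or RELATED


Rule = Tuple[str, Callable[[Packet], bool]]


def in_net(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; the chain policy (assumed DROP) applies otherwise."""
    for name, matches in chain:
        if matches(pkt):
            return "ACCEPT", name
    return "DROP", "policy"


# The four FORWARD rules from the post, in the order they were given.
def ssh_in(p: Packet) -> bool:
    return (p.in_if == INTERNET_INTERFACE
            and not in_net(p.src, PROTECTED_NETWORK_SPACE)
            and ipaddress.ip_address(p.dst) == PROTECTED_PC_IP_ADDRESS
            and p.proto == "tcp" and p.dport == SSH_PORT)


def lan_to_internet(p: Packet) -> bool:
    return (p.out_if == INTERNET_INTERFACE
            and in_net(p.src, PROTECTED_NETWORK)
            and not in_net(p.dst, PROTECTED_NETWORK_SPACE))


def lan_nic_out(p: Packet) -> bool:
    return (p.in_if == PROTECTED_NETWORK_INTERFACE
            and in_net(p.src, PROTECTED_NETWORK)
            and not in_net(p.dst, PROTECTED_NETWORK_SPACE))


def lan_nic_in(p: Packet) -> bool:
    # Matches ANY packet from outside 192.168/16 headed into the /29, regardless of
    # protocol, port or connection state: this is the rule DNS replies walk through.
    return (p.out_if == PROTECTED_NETWORK_INTERFACE
            and not in_net(p.src, PROTECTED_NETWORK_SPACE)
            and in_net(p.dst, PROTECTED_NETWORK))


POSTED_CHAIN: List[Rule] = [
    ("ssh-from-internet", ssh_in),
    ("lan-to-internet", lan_to_internet),
    ("lan-nic-out", lan_nic_out),
    ("lan-nic-in", lan_nic_in),
]


# Stateful variant (assumed fix): replies are admitted only when conntrack has seen
# the request, and the blanket lan-nic-in rule is removed.
def established_or_related(p: Packet) -> bool:
    return p.state in ("ESTABLISHED", "RELATED")


STATEFUL_CHAIN: List[Rule] = [
    ("established-related", established_or_related),
    ("ssh-from-internet", ssh_in),
    ("lan-to-internet", lan_to_internet),
]

# Constructed sample packets using documentation-range addresses.
DNS_QUERY = Packet("eth1", "eth0", "192.168.0.2", "198.51.100.53", "udp", 53, "NEW")
DNS_REPLY = Packet("eth0", "eth1", "198.51.100.53", "192.168.0.2", "udp", 1025, "ESTABLISHED")
UNSOLICITED = Packet("eth0", "eth1", "203.0.113.9", "192.168.0.2", "tcp", 8080, "NEW")

if __name__ == "__main__":
    samples = [("DNS query", DNS_QUERY), ("DNS reply", DNS_REPLY), ("unsolicited TCP", UNSOLICITED)]
    for label, pkt in samples:
        print(f"{label:16} posted: {evaluate(POSTED_CHAIN, pkt)}  "
              f"stateful: {evaluate(STATEFUL_CHAIN, pkt)}")
```

Running it shows the DNS reply accepted by `lan-nic-in` in the posted chain and by `established-related` in the stateful one, while the unsolicited inbound TCP packet is accepted by the posted chain but dropped by policy in the stateful chain. The simulator does not model the nat table; the SSH DNAT in PREROUTING only changes which destination address FORWARD sees, which is why the sample packets already carry the LAN address.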
