Re: weird iptables behaviour
- From: Fabio <nsafve_DELETE_ME_@xxxxxx>
- Date: 25 Nov 2006 02:08:47 GMT
On Sat, 25 Nov 2006 02:05:21 +0000, Fabio wrote:
On Fri, 24 Nov 2006 22:13:09 +0100, Jeroen Geilman wrote:
Fabio wrote:
iptables is configured via the following script:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -j DROP
Erm.. okay, but that's not quite all, is it?
On PC1, *everything* is dropped - assuming you set the INPUT policy to DENY,
as you should.
You filter this *** on INPUT, *not* FORWARD.
In your situation, FORWARD is a trivial case, only interesting in and of
itself when PC1 is a *pure* router, which it isn't.
Assuming you have set DENY on INPUT and ACCEPT on OUTPUT, your effective
rules will now be:
INPUT all interfaces, *including* the internet from PC1, DENY ALL
OUTPUT all interfaces, ACCEPT ALL
FORWARD all interfaces, ACCEPT from 192.168.1.x, DENY the rest.
If you have set ACCEPT on INPUT, on the other hand, you have zero actual
security.
Your PC1 is wide open to the Intarweb in that case.
Change the FORWARD to INPUT in your ruleset and you should be good.
Sorry, I think I didn't understand well,
this is the script I use to make masquerade:
---- START SCRIPT---------
#!/bin/sh
iptables="/sbin/iptables"
MAX_MSS="1380"
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE
iptables -v -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -v -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -v -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -v -A FORWARD -j DROP
# clamp MTU for new TCP connections to world
if [ -n "$MAX_MSS" ]
then
iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MAX_MSS
else
iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
echo '1' > /proc/sys/net/ipv4/ip_forward
------- END SCRIPT -----------
And here you can see the iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 10.0.0.0/24 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain egress (0 references)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS set 1380
and this is iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I can't understand why I can see, let's say, www.google.com from
the localnet, and I can't open www.yahoo.com
Hope You can help me,
thank you in advance
Fabio
Sorry, I mistyped something,
now the localnet is 10.0.0.0 and all the scripts are
changed, but the problem remains the same:
ping them all, open few
Help me please!!! :o>
Fabio
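The filter-table listing quoted in the thread shows two things a reviewer would flag: INPUT has policy ACCEPT and no rules (Jeroen's "zero actual security" case), and the user chain egress carrying the TCPMSS rule has 0 references, so that rule never executes. The following is an added example, not code from the thread or from Fabio's script: a small parser for plain `iptables -L` output (no -v counters) with an audit pass that reports both conditions. The listing embedded below is constructed from the one quoted above.

```python
import re

# Constructed sample: the filter-table listing quoted in the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 10.0.0.0/24 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain egress (0 references)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS set 1380
"""

# Built-in chains print "(policy X)"; user-defined chains print "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)$")


def parse_listing(text):
    """Map each chain name to its policy, reference count and rule lines."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = {
                "policy": policy,
                "references": int(refs) if refs is not None else None,
                "rules": [],
            }
        elif not line or line.startswith("target prot") or current is None:
            continue  # blank line, column header, or text before the first chain
        else:
            current["rules"].append(line.split())
    return chains


def audit(chains):
    """Return human-readable findings about chains that do not filter anything."""
    findings = []
    for name, c in chains.items():
        # An inbound chain with ACCEPT policy and no rules accepts everything.
        if name in ("INPUT", "FORWARD") and c["policy"] == "ACCEPT" and not c["rules"]:
            findings.append(f"{name}: policy ACCEPT and no rules; all traffic is accepted")
        # A user chain nobody jumps to is dead code: its rules never run.
        if c["references"] == 0 and c["rules"]:
            findings.append(f"{name}: {len(c['rules'])} rule(s) but 0 references; they never run")
    return findings
```

Running `audit(parse_listing(SAMPLE_LISTING))` on the quoted listing reports INPUT and egress; FORWARD is not reported because it does carry rules.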