* Cisco VPN Client + Cisco 800 + Firewall
From: shore @ 2004-10-21 19:01 UTC
  To: netfilter

Hi,

I don't know how to start, so I'll just start by showing how my network is
built:


		Internet
		    |
		    |
		Cisco(800)(dsl modem/router)
		192.168.10.254
		    |
		    |
		192.168.10.1(eth0)
		Firewall
		192.168.0.50(eth1)
		    |
		    |
		LAN 192.168.0.0/24


The Cisco is controlled by the ISP, so I can't change any configuration on it,
only if I ask them to. The Firewall is running squid also.

The ISP configured the Cisco modem/router to accept VPN connections from the
internet with Cisco VPN client, and to attribute them a 10.0.0.0/8 range ip.
The problem is I can't access the LAN from the VPN clients. I'm not an iptables
master, but I've already searched everywhere for a solution and couldn't find
one. Mostly, I think, because I didn't want to get rid of my Firewall script,
it is doing a nice job so far.

Thanks

Here goes the script:

#!/bin/sh
#
# IPTABLES Firewall v 0.86
# by shadow999@firemail.de
#
# Small parts from http://members.optusnet.com.au/~technion/

# This is the location of the iptables command
IPTABLES="/usr/sbin/iptables"
IFCONFIG="/sbin/ifconfig"
ROUTE="/sbin/route"


case "$1" in
   stop)
      echo "Shutting down firewall..."
      $IPTABLES -F
      $IPTABLES -F -t mangle
      $IPTABLES -F -t nat
      $IPTABLES -X
      $IPTABLES -X -t mangle
      $IPTABLES -X -t nat

      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
      echo "...done"
      ;;
   status)
      echo "Table: filter"
      $IPTABLES --list
      echo "Table: nat"
      $IPTABLES -t nat --list
      echo "Table: mangle"
      $IPTABLES -t mangle --list
      ;;
   restart|reload)
      $0 stop
      $0 start
      ;;
   start)
    echo "Starting Firewall..."
    echo ""


##--------------------------Begin Firewall---------------------------------##


#----Default-Interfaces-----#

## Default external interface (used, if EXTIF isn't specified on command line)
DEFAULT_EXTIF="ppp0"

## Default internal interface (used, if INTIF isn't specified on command line)
DEFAULT_INTIF="eth0"


#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
IRCPORTS="6665,6666,6667,6668,6669,7000"


#-----Port-Forwarding Variables-----#

#For port-forwarding to an internal host, define a variable with the appropriate
#internal IP-Address here and take a look at the port-forwarding sections in the
#FORWARD + PREROUTING-chain:

#These are examples, uncomment to activate

#IP for forwarded Battlecom-traffic
#BATTLECOMIP="192.168.0.5"

#IP for forwarded traffic
#HTTPIP="192.168.0.254"
#CAM_IP="192.168.0.19"
#SIGAPSSHIP="192.168.0.30"


#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Loggging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"



#----Automatically determine infos about involved interfaces-----#

### External Interface:

## Get external interface from command-line
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
if [ "x$2" != "x" ]; then
   EXTIF=$2
else
   EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF

## Determine external IP
EXTIP="`$IFCONFIG $EXTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$EXTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $EXTIF !"
     exit 1
  fi
echo External IP: $EXTIP

## Determine external gateway
EXTGW=`$ROUTE -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW


echo " --- "


### Internal Interface:

## Get internal interface from command-line
## If no interface is specified then set $DEFAULT_INTIF as INTIF
if [ "x$3" != "x" ]; then
   INTIF=$3
else
   INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF

## Determine internal IP
INTIP="`$IFCONFIG $INTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$INTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $INTIF !"
     exit 1
  fi
echo Internal IP: $INTIP

## Determine internal netmask
INTMASK="255.255.0.0"
echo Internal Netmask: $INTMASK

## Determine network address of the internal network
INTLAN=$INTIP'/'$INTMASK
echo Internal LAN: $INTLAN

echo ""


#----Load IPTABLES-modules-----#


#Insert modules- should be done automatically if needed

#If the IRC-modules are available, uncomment them below

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "


#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


#----Set network sysctl options-----#


echo "Setting sysctl options"

#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack


echo " --- "

echo "Creating user-chains"



#----Create logging chains-----#

##These are the logging-chains. They all have a certain limit of log-entries/sec
##to prevent log-flooding
##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)

#Invalid packets (not ESTABLISHED,RELATED or NEW)
	$IPTABLES -N LINVALID
	$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
	$IPTABLES -A LINVALID -j DROP

#TCP-Packets with one ore more bad flags
	$IPTABLES -N LBADFLAG
	$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
	$IPTABLES -A LBADFLAG -j DROP

#Logging of connection attempts on special ports (Trojan portscans, special
#services, etc.)
	$IPTABLES -N LSPECIALPORT
	$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
	$IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
	$IPTABLES -N LSYNFLOOD
	$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
	$IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
	$IPTABLES -N LPINGFLOOD
	$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
	$IPTABLES -A LPINGFLOOD -j DROP


#All other dropped packets
	$IPTABLES -N LDROP
	$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
	$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
	$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
	$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
	$IPTABLES -A LDROP -j DROP

#All other rejected packets
	$IPTABLES -N LREJECT
	$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT "
	$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT "
	$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
	$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
	$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
	$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
	$IPTABLES -A LREJECT -j REJECT



#----Create Accept-Chains-----#


#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

	$IPTABLES -N TCPACCEPT
	$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
	$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
	$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT


#----Create special User-Chains-----#


#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible
#flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

	$IPTABLES -N CHECKBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG



#FILTERING FOR SPECIAL PORTS


	#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

		#SMB-Traffic
		$IPTABLES -N SMB

		$IPTABLES -A SMB -p tcp --dport 137 -j DROP
		$IPTABLES -A SMB -p tcp --dport 138 -j DROP
		$IPTABLES -A SMB -p tcp --dport 139 -j DROP
		$IPTABLES -A SMB -p tcp --dport 445 -j DROP
		$IPTABLES -A SMB -p udp --dport 137 -j DROP
		$IPTABLES -A SMB -p udp --dport 138 -j DROP
		$IPTABLES -A SMB -p udp --dport 139 -j DROP
		$IPTABLES -A SMB -p udp --dport 445 -j DROP

	#Inbound Special Ports

		$IPTABLES -N SPECIALPORTS

		#Deepthroat Scan
		$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT

		#Subseven Scan
		$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
		$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
		$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
		$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
		$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT

		#Netbus Scan
		$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
		$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT

		#Back Orifice scan
		$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT

		#X-Win
		$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT

		#Hack'a'Tack 2000
		$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT



#ICMP/TRACEROUTE FILTERING


	#Inbound ICMP/Traceroute

		$IPTABLES -N ICMPINBOUND

		#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
  		#
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

		#Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

		#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

  		#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP


  		#Allow all other ICMP in
  		$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT




	#Outbound ICMP/Traceroute

		$IPTABLES -N ICMPOUTBOUND

		#Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP

  		#Block ICMP-TTL-Expired
		#MS Traceroute (MS uses ICMP instead of UDp for tracert)
		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP

  		#Block ICMP-Parameter-Problem
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP

		#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

  		#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP


  		##Accept all other ICMP going out
  		$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT



#----End User-Chains-----#



echo " --- "


#----Start Ruleset-----#

echo "Implementing firewall rules..."


#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################


##GENERAL Filtering

  # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
  $IPTABLES -A INPUT -m state --state INVALID -j LINVALID

  # Check TCP-Packets for Bad Flags
  $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG


##Packets FROM FIREWALL-BOX ITSELF

  #Local IF
  $IPTABLES -A INPUT -i lo -j ACCEPT
  #
  #Kill connections to the local interface from the outside world (--> Should be
  #already catched by kernel/rp_filter)
  $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT


##Packets FROM INTERNAL NET


 ##Allow unlimited traffic from internal network using legit addresses to
 ##firewall-box
 ##If protection from the internal interface is needed, alter it

  $IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT

  #Kill anything from outside claiming to be from internal network
  #(Address-Spoofing --> Should be already catched by rp_filter)
  $IPTABLES -A INPUT -s $INTLAN -j LREJECT



##Packets FROM EXTERNAL NET


 ##ICMP & Traceroute filtering

  #Filter ICMP
  #$IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND

  #Block UDP-Traceroute
  $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP


 ##Silent Drops/Rejects (Things we don't want in our logs)

  #Drop all SMB-Traffic
  $IPTABLES -A INPUT -i $EXTIF -j SMB

  #Silently reject Ident (Don't DROP ident, because of possible delays when
  #establishing an outbound connection)
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset


 ##Public services running ON FIREWALL-BOX (comment out to activate):

  # ftp-data
  #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 20 -j TCPACCEPT

  # ftp
  #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 21 -j TCPACCEPT

  # ssh
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT

  #telnet
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT

  # smtp
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j TCPACCEPT

  # DNS
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
  #$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT

  # http
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT

  # https
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT

  # POP-3
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT



 ##Separate logging of special portscans/connection attempts

  #$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS



 ##Allow ESTABLISHED/RELATED connections in

  $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT


 ##Catch all rule
  $IPTABLES -A INPUT -j LDROP





##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################



##Packets TO FIREWALL-BOX ITSELF

  #Local IF
  $IPTABLES -A OUTPUT -o lo -j ACCEPT


##Packets TO INTERNAL NET

  #Allow unlimited traffic to internal network using legit addresses
  $IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -j ACCEPT



##Packets TO EXTERNAL NET


 ##ICMP & Traceroute

  $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND



 ##Silent Drops/Rejects (Things we don't want in our logs)

  #SMB
  $IPTABLES -A OUTPUT -o $EXTIF -j SMB

  #Ident
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset



 ##Public services running ON FIREWALL-BOX (comment out to activate):

  # ftp-data
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 20 -j ACCEPT

  # ftp
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 21 -j ACCEPT

  # ssh
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

  #telnet
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT

  # smtp
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

  # DNS
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
  #$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT

  # http
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

  # https
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

  # POP-3
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT


 ##Accept all tcp/udp traffic on unprivileged ports going out

  $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT



##Catch all rule

$IPTABLES -A OUTPUT -j LDROP




####################
## FORWARD-Chain  ## (everything that passes the firewall)
####################


##GENERAL Filtering

  #Kill invalid packets (not ESTABLISHED, RELATED or NEW)
  $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID

  # Check TCP-Packets for Bad Flags
  $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG


##Filtering FROM INTERNAL NET


  ##Silent Drops/Rejects (Things we don't want in our logs)

   #SMB
   $IPTABLES -A FORWARD -o $EXTIF -j SMB


  ##Special Drops/Rejects
   # - To be done -


  ##Filter for some Trojans communicating to outside
   # - To be done -


  ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

   #HTTP-Forwarding
   #$IPTABLES -A FORWARD -o $EXTIF -s $HTTPIP -p tcp --sport 80 -j ACCEPT

  ## SHOW EVERYTHING (log every forwarded packet, rate-limited)
  #$IPTABLES -A FORWARD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FORWARD:1 a=OK "


  ##Allow all other forwarding (from Ports > 1024) from Internal Net to External
  ##Net
  $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT



##Filtering FROM EXTERNAL NET


  ##Silent Drops/Rejects (Things we don't want in our logs)

   #SMB
   $IPTABLES -A FORWARD -i $EXTIF -j SMB


  ##Allow replies coming in
  $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT


##Port-Forwarding [inbound] (--> Also see chain PREROUTING)

  #HTTP-Forwarding
  #$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $HTTPIP --dport 80 -j ACCEPT

  #Battlecom-Forwarding
  #$IPTABLES -A FORWARD -p tcp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT
  #$IPTABLES -A FORWARD -p udp --dport 2300:2400 -i $EXTIF -d $BATTLECOMIP -j ACCEPT
  #$IPTABLES -A FORWARD -p tcp --dport 47624 -i $EXTIF -d $BATTLECOMIP -j ACCEPT

  #$IPTABLES -A FORWARD -p tcp --dport 8022 -i $EXTIF -d $SIGAPSSHIP -j ACCEPT



##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP




################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

  ##HTTP
  #$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp -d $EXTIP --dport 80 -j DNAT --to $HTTPIP


##**************** ADDED BY ME!! (SQUID REDIRECT)

 # Transparent proxy: web traffic arriving on eth0 is redirected to squid on 8080.
 # Note: in the diagram above eth0 is the Cisco-facing interface; the LAN is on eth1.
 $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
 # Note: this is appended after the OUTPUT catch-all (-j LDROP above), so it is never
 # reached; squid's outbound connections are already accepted by the unprivileged-port rule.
 $IPTABLES -A OUTPUT -j ACCEPT -m state --state NEW -o eth0 -p tcp --dport 80

##********************************************************************

  ##Battlecom
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p udp --destination-port 2300:2400 -i $EXTIF -j DNAT --to $BATTLECOMIP
  #$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 47624 -i $EXTIF -j DNAT --to $BATTLECOMIP:47624


  # $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --destination-port 8022 -i $EXTIF -j DNAT --to $SIGAPSSHIP:22



###################
##  POSTROUTING  ##
###################

  #Masquerade from Internal Net to External Net
  $IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE



#------End Ruleset------#

echo "...done"
echo ""


echo "--> IPTABLES firewall loaded/activated <--"


##--------------------------------End Firewall---------------------------------##



   ;;
   *)
      echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
      exit 1
esac

exit 0









* Re: Cisco VPN Client + Cisco 800 + Firewall
From: Jason Opperisano @ 2004-10-21 19:29 UTC
  To: netfilter

On Thu, Oct 21, 2004 at 08:01:15PM +0100, shore@sapo.pt wrote:
> Hi,
> 
> I don't know how to start, so I'll just start by showing how my network is
> built:
> 
> 
> 		Internet
> 		    |
> 		    |
> 		Cisco(800)(dsl modem/router)
> 		192.168.10.254
> 		    |
> 		    |
> 		192.168.10.1(eth0)
> 		Firewall
> 		192.168.0.50(eth1)
> 		    |
> 		    |
> 		LAN 192.168.0.0/24
> 
> 
> The Cisco is controlled by the ISP, so I can't change any configuration on it,
> only if I ask them to. The Firewall is running squid also.
> 
> The ISP configured the Cisco modem/router to accept VPN connections from the
> internet with Cisco VPN client, and to attribute them a 10.0.0.0/8 range ip.
> The problem is I can't access the LAN from the VPN clients. I'm not an iptables
> master, but I've already searched everywhere for a solution and couldn't find
> one. Mostly, I think, because I didn't want to get rid of my Firewall script,
> it is doing a nice job so far.
> 
> Thanks

before i start parsing through 800 lines of firewall script, i gotta ask
this first--when you connect with the cisco vpn client out on the
internet--what shows up in the list of "secured routes?"  is it
192.168.0.0/24?  is it 0.0.0.0/0.0.0.0?  or is it 192.168.10.0/24?

-j

-- 
Jason Opperisano <opie@817west.com>



* Re: Cisco VPN Client + Cisco 800 + Firewall
From: shore @ 2004-10-27 11:23 UTC
  To: netfilter



Anyone ??

> On Thu, Oct 21, 2004 at 08:01:15PM +0100, shore@sapo.pt wrote:
> > Hi,
> >
> > I don't know how to start, so I'll just start by showing how my network is
> > built:
> >
> >
> > 		Internet
> > 		    |
> > 		    |
> > 		Cisco(800)(dsl modem/router)
> > 		192.168.10.254
> > 		    |
> > 		    |
> > 		192.168.10.1(eth0)
> > 		Firewall
> > 		192.168.0.50(eth1)
> > 		    |
> > 		    |
> > 		LAN 192.168.0.0/24
> >
> >
> > The Cisco is controlled by the ISP, so I can't change any configuration on
> it,
> > only if I ask them to. The Firewall is running squid also.
> >
> > The ISP configured the Cisco modem/router to accept VPN connections from
> the
> > internet with Cisco VPN client, and to attribute them a 10.0.0.0/8 range
> ip.
> > The problem is I can't access the LAN from the VPN clients. I'm not an
> iptables
> > master, but I've already searched everywhere for a solution and couldn't
> find
> > one. Mostly, I think, because I didn't want to get rid of my Firewall
> script,
> > it is doing a nice job so far.
> >
> > Thanks
>
> before i start parsing through 800 lines of firewall script, i gotta ask
> this first--when you connect with the cisco vpn client out on the
> internet--what shows up in the list of "secured routes?"  is it
> 192.168.0.0/24?  is it 0.0.0.0/0.0.0.0?  or is it 192.168.10.0/24?
>
> -j
>
> --
> Jason Opperisano <opie@817west.com>
>
>










* Re: Cisco VPN Client + Cisco 800 + Firewall
From: Jason Opperisano @ 2004-10-27 20:15 UTC
  To: netfilter

On Wed, Oct 27, 2004 at 12:23:54PM +0100, shore@sapo.pt wrote:
> 
> 
> Anyone ??
> 

not to over-simplify things, but where in your firewall rules do you
allow the VPN pool IP's (the 10.0.0.0/8) into your internal network?

also--while your script may be readable to you, it may be
incomprehensible to others--the preferred method of posting your rules
to this list is with the output of:

  iptables -t mangle -vnxL && iptables -t nat -vnxL && iptables -vnxL

the other possible break in the chain is this:  does the cisco 800 have
a static route on it along the lines of:

  192.168.0.0/24 via 192.168.10.1

or are you relying on NAT to eliminate the need for routing?

you may also want to clue us in to what your testing methodology is (i.e.
what are you trying to connect to with the VPN client).

-j

-- 
Jason Opperisano <opie@817west.com>
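The question above (where the rules admit the 10.0.0.0/8 pool) can be answered by tracing a packet through the posted FORWARD chain. The model below is an added example, not code from the thread or from the script's author: it replays a simplified copy of the script's FORWARD rules in Python, assuming eth0 faces the Cisco 800, eth1 faces the LAN, the LAN is 192.168.0.0/24 as in the diagram, and the client addresses (10.1.2.3, 192.168.0.10) are constructed. It shows that both the client's SYN and the LAN server's reply end in the LDROP catch-all until two explicit rules are inserted ahead of it, while the SMB chain keeps dropping SMB probes from the pool.

```python
"""Model of the posted script's FORWARD chain: an added example, not iptables itself.
Shows why a Cisco VPN client from the 10.0.0.0/8 pool never reaches the LAN and which
two rules let a session through in both directions. Simplified: no rate limits."""
import ipaddress

EXTIF, INTIF = "eth0", "eth1"      # assumed: eth0 faces the Cisco 800, eth1 the LAN
INTLAN, VPNPOOL = "192.168.0.0/24", "10.0.0.0/8"   # LAN from the diagram, ISP's VPN pool
UNPRIV = (1024, 65535)             # the script's $UNPRIVPORTS
SMB_PORTS = (137, 138, 139, 445)


def rule(target, **match):
    """Matches: in_if, out_if, proto, src/dst (CIDR), sport/dport (lo, hi), state (set)."""
    return {"target": target, **match}


def packet(in_if, out_if, src, dst, proto, sport, dport, state):
    return {"in_if": in_if, "out_if": out_if, "proto": proto, "sport": sport, "dport": dport,
            "state": state, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def matches(r, pkt):
    """True when every match present in the rule agrees with the packet."""
    for key in ("in_if", "out_if", "proto"):
        if r.get(key) not in (None, pkt[key]):
            return False
    if "state" in r and pkt["state"] not in r["state"]:
        return False
    for key in ("src", "dst"):
        if key in r and pkt[key] not in ipaddress.ip_network(r[key]):
            return False
    for key in ("sport", "dport"):
        lo, hi = r.get(key, (0, 65535))
        if not lo <= pkt[key] <= hi:
            return False
    return True


def walk(chain, pkt, chains):
    """Terminal verdict for pkt, or None when the chain ends without one (RETURN)."""
    for r in (r for r in chain if matches(r, pkt)):
        target = r["target"]
        verdict = walk(chains[target], pkt, chains) if target in chains else target
        if verdict is not None:
            return verdict
    return None


# User chains that matter here; CHECKBADFLAG and the TCPACCEPT SYN limit are omitted.
CHAINS = {"SMB": [rule("DROP", proto=p, dport=(d, d)) for p in ("tcp", "udp") for d in SMB_PORTS]}

# The script's FORWARD chain in order; LDROP is its log-then-DROP catch-all.
FORWARD = [
    rule("LINVALID", state={"INVALID"}),
    rule("SMB", out_if=EXTIF),
    rule("ACCEPT", in_if=INTIF, out_if=EXTIF, src=INTLAN, proto="tcp", sport=UNPRIV),
    rule("ACCEPT", in_if=INTIF, out_if=EXTIF, src=INTLAN, proto="udp", sport=UNPRIV),
    rule("ACCEPT", in_if=INTIF, out_if=EXTIF, src=INTLAN, proto="icmp"),
    rule("SMB", in_if=EXTIF),
    rule("ACCEPT", in_if=EXTIF, state={"ESTABLISHED"}),
    rule("ACCEPT", in_if=EXTIF, proto="tcp", dport=UNPRIV, state={"RELATED"}),
    rule("ACCEPT", in_if=EXTIF, proto="udp", dport=UNPRIV, state={"RELATED"}),
    rule("ACCEPT", in_if=EXTIF, proto="icmp", state={"RELATED"}),
    rule("LDROP"),
]

# What the script lacks: pool -> LAN sessions, and LAN replies back to the pool only.
VPN_RULES = [
    rule("ACCEPT", in_if=EXTIF, out_if=INTIF, src=VPNPOOL, dst=INTLAN,
         state={"NEW", "ESTABLISHED", "RELATED"}),
    rule("ACCEPT", in_if=INTIF, out_if=EXTIF, src=INTLAN, dst=VPNPOOL,
         state={"ESTABLISHED", "RELATED"}),
]


def with_vpn_rules(chain):
    """Insert the VPN rules ahead of the catch-all so logging and drop stay last."""
    return chain[:-1] + VPN_RULES + chain[-1:]


def trace_vpn_ssh(chain):
    """Verdicts for one SSH session: client SYN into the LAN, then the server's reply."""
    syn = packet(EXTIF, INTIF, "10.1.2.3", "192.168.0.10", "tcp", 40000, 22, "NEW")
    reply = packet(INTIF, EXTIF, "192.168.0.10", "10.1.2.3", "tcp", 22, 40000, "ESTABLISHED")
    return walk(chain, syn, CHAINS), walk(chain, reply, CHAINS)


def trace_vpn_smb(chain):
    """An SMB probe from the pool must still be dropped silently by the SMB chain."""
    probe = packet(EXTIF, INTIF, "10.1.2.3", "192.168.0.10", "tcp", 40001, 445, "NEW")
    return walk(chain, probe, CHAINS)
```

Note that the script's POSTROUTING rule masquerades everything leaving $EXTIF, replies to the VPN pool included, which is the NAT-versus-static-route question raised above; on the real box the same trace is read off the packet counters of `iptables -vnxL FORWARD`.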


