From: John Lister
Subject: Re: Having trouble properly configuring my firewall
Date: Tue, 24 Apr 2012 09:49:58 +0100
Message-ID: <4F966936.3090203@kickstone.co.uk>
To: Richard Thornton
Cc: netfilter@vger.kernel.org

A quick perusal shows a couple of things.

Firstly, I'm not familiar with the conntrack or physdev modules; I'd just use the state module and -i respectively - but I'd imagine they do the same.

Secondly, it is usually cleaner to set the policy on INPUT to drop and remove line 28. Add a rule to let anything on eth2 in (I assume it is safe). Remove the output rules; I generally don't drop outgoing stuff - unless you need to restrict access for a specific reason, and then block that. Add rules to block eth5 from seeing anything internal.

The same goes for FORWARD.

Also, I assume you've enabled forwarding in the kernel.

Hope that helps

On 24/04/2012 09:09, Richard Thornton wrote:
> Hi,
>
> I hope you can help, please be gentle as it's my first time with raw
> iptables, I have used other firewalls though.
>
> I have a working config, my internal network can get out to the
> internet but because of a lack of understanding I have opened up SSH
> on the firewall to the internet:
>
> 1  # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 2  *mangle
> 3  :PREROUTING ACCEPT [3292:1334085]
> 4  :INPUT ACCEPT [462:36946]
> 5  :FORWARD ACCEPT [2826:1297011]
> 6  :OUTPUT ACCEPT [268:37651]
> 7  :POSTROUTING ACCEPT [3075:1327352]
> 8  -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
> 9  COMMIT
> 10 # Completed on Tue Apr 24 16:51:19 2012
> 11 # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 12 *nat
> 13 :PREROUTING ACCEPT [130:12667]
> 14 :INPUT ACCEPT [4:586]
> 15 :OUTPUT ACCEPT [4:264]
> 16 :POSTROUTING ACCEPT [0:0]
> 17 -A POSTROUTING -o ppp0 -j MASQUERADE
> 18 COMMIT
> 19 # Completed on Tue Apr 24 16:51:19 2012
> 20 # Generated by iptables-save v1.4.12 on Tue Apr 24 16:51:19 2012
> 21 *filter
> 22 :INPUT DROP [0:0]
> 23 :FORWARD DROP [0:0]
> 24 :OUTPUT DROP [0:0]
> 25 -A INPUT -i lo -j ACCEPT
> 26 -A INPUT -d 192.168.100.254/32 -p tcp -m physdev --physdev-in eth2 -m tcp --dport 22 -j ACCEPT
> 27 -A INPUT -i ppp0 -j ACCEPT
> 28 -A INPUT -j DROP
> 29 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 30 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 31 -A FORWARD -i br0 -o ppp0 -j ACCEPT
> 32 -A FORWARD -j DROP
> 33 -A OUTPUT -o lo -j ACCEPT
> 34 -A OUTPUT -o br0 -j ACCEPT
> 35 -A OUTPUT -o ppp0 -j ACCEPT
> 36 -A OUTPUT -j DROP
> 37 COMMIT
> 37 # Completed on Tue Apr 24 16:51:19 2012
>
> I believe my mistake is in either line 27 or line 35 but if I remove
> either of them my firewall fails to be able to access the internet
> locally for apt and stuff.
>
> To add some background, basically I have the following running on an
> ubuntu 12.04 server:
>
> ppp0 brought up on eth0
> br0 a bridge which includes wlan0 and eth2 (office lan)
> eth3 (lab mgmt)
> eth4 (lab)
> eth5 (quarantined pc)
>
> So the firewall should be able to access the internet but the internet
> should not be able to access the firewall.
> Users on br0 should be able to access the internet, lab, lab mgmt, firewall
> The lab should be able to access the internet
> Lab mgmt should be able to access the internet, there are 8 IPs in
> here and I have public IPs for them all but I need to setup SNAT and
> fwknop doing DNAT to access them:
>
> iptables -t nat -A POSTROUTING -s x.x.x.x -o eth0 -j SNAT --to-source y.y.y.y
>
> With the above I am worried that this will conflict with line 17...
>
> I believe fwknop will handle the DNAT stuff automagically.
>
> The quarantined PC should be able to access the internet but nothing else
>
> I have a way to go :)
>
> Thanks for looking.
>
> Kind Regards
> Richard

-- 
www.pricegoblin.co.uk
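The following is an added example, not code from either poster: a ruleset in iptables-restore format that applies John's advice (INPUT policy DROP with no trailing "-j DROP" rule, the stateful rule first, "-i br0" instead of the physdev match, no OUTPUT filtering, and one FORWARD accept per allowed interface pair so eth5 can only reach ppp0) to the topology Richard describes. The reason removing line 27 or 35 broke apt is visible in the original ordering: "-A INPUT -j DROP" (line 28) sits in front of the RELATED,ESTABLISHED rule (line 29), so return traffic on ppp0 was only ever accepted by line 27. The example also shows where Richard's SNAT rule belongs relative to the MASQUERADE rule (POSTROUTING is first-match, so the host-specific SNAT goes first) and uses ppp0 as the outgoing interface, matching the MASQUERADE rule. Interface names are the thread's; the lab-mgmt host address, its public IP and the assumption that fwknop's DNAT targets hosts on eth3 are constructed placeholders and assumptions of mine, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): hardened ruleset for Richard's box in
# iptables-restore format. Lines starting with '#' are ignored by iptables-restore.
# LAB_MGMT_HOST / LAB_MGMT_PUBLIC are constructed placeholders (RFC 1918 and
# TEST-NET-3 documentation addresses), not addresses from the thread.
LAB_MGMT_HOST="${LAB_MGMT_HOST:-10.10.3.10}"        # constructed: one lab-mgmt host
LAB_MGMT_PUBLIC="${LAB_MGMT_PUBLIC:-203.0.113.10}"  # constructed: its public IP

gen_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Kept from the original: MSS clamping for traffic leaving over the PPP link.
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Host-specific SNAT goes BEFORE the generic MASQUERADE: POSTROUTING is
# first-match, so this host leaves with its own public IP and everything else
# still falls through to MASQUERADE. Repeat the SNAT line once per lab-mgmt host.
# The outgoing interface for internet traffic is ppp0 (same as MASQUERADE), not eth0.
-A POSTROUTING -s ${LAB_MGMT_HOST}/32 -o ppp0 -j SNAT --to-source ${LAB_MGMT_PUBLIC}
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: policy DROP does the final drop, so no trailing "-j DROP" rule, and the
# stateful rule comes first so the firewall's own apt/DNS replies on ppp0 get in.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Office LAN (br0 = eth2 + wlan0) may reach the firewall, SSH included; "-i br0"
# replaces the physdev match. New connections from ppp0, eth3, eth4 and eth5 to
# the firewall itself fall to the DROP policy.
-A INPUT -i br0 -j ACCEPT
# FORWARD: replies first, then one ACCEPT per allowed (in, out) pair.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i br0 -o ppp0 -j ACCEPT
-A FORWARD -i br0 -o eth3 -j ACCEPT
-A FORWARD -i br0 -o eth4 -j ACCEPT
-A FORWARD -i eth3 -o ppp0 -j ACCEPT
-A FORWARD -i eth4 -o ppp0 -j ACCEPT
# Quarantined PC: internet only, nothing internal.
-A FORWARD -i eth5 -o ppp0 -j ACCEPT
# Inbound connections that a DNAT rule (e.g. one fwknop adds) has rewritten
# towards lab mgmt still need a FORWARD accept; "--ctstate DNAT" limits this to
# exactly those flows. Assumption: fwknop's DNAT targets are hosts on eth3.
-A FORWARD -i ppp0 -o eth3 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Usage: sh ruleset.sh            -> print the ruleset (pipe into iptables-restore --test)
#        sh ruleset.sh --apply    -> load all three tables atomically (needs root)
if [ "${1:-}" = "--apply" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Loading with iptables-restore replaces all three tables in one atomic step, so there is no window with a half-applied ruleset; checking the text with `iptables-restore --test` first catches syntax errors without touching the live tables.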