Wednesday, March 16, 2016

linux - iptables NAT/Forwarding with external ADSL router; PCs on the network can't access the internet



I'm setting up a firewall/gateway (Ubuntu server 8.04.1)



The firewall has three NICs:

eth0 192.168.0.2
eth1 192.168.1.2
eth2 192.168.2.2



eth1 is connected directly to the ADSL router (which also has NAT on it)
The IP of the ADSL router is 192.168.1.1



PCs on 192.168.0.x need access to the internet via the router
(The gateway is set to 192.168.0.2, for each of them)




Servers on 192.168.2.x receive traffic from the internet



Here's the firewall script as I have it so far (UPDATED):



#!/bin/bash
# Three-NIC gateway: flush everything, default-deny, then open what is needed.
#
# Local - eth0 - 192.168.0.*  (client PCs, their gateway is 192.168.0.2)
# Comms - eth1 - 192.168.1.*  (link to the ADSL router at 192.168.1.1)
# Servr - eth2 - 192.168.2.*  (servers that receive traffic from the internet)

# Start from a clean slate in both the filter and the nat table
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Default-deny on every built-in filter chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP


# Loopback

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# SSH to the gateway, from the local network only

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


# DNS
# NB: the two INPUT rules are stateless: any UDP packet with source port 53
# arriving on eth0 or eth2 is accepted, not only replies to the gateway's queries.

iptables -A OUTPUT -p udp -o eth1 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth2 --sport 53 -j ACCEPT


# Firewall outgoing (access 80,443,53 from the firewall itself; don't open up for unrelated incoming connections)

iptables -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth1 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth1 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT


# NAT / forwarding
# NB: the next four rules accept every forwarded packet entering or leaving
# eth1 or eth2, whatever its state, so every path between the three networks
# is already accepted here and none of the port- or state-specific FORWARD
# rules below is ever reached.

iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -j ACCEPT
iptables -A FORWARD -o eth2 -j ACCEPT

# Enable routing between the interfaces and masquerade everything leaving towards the ADSL router
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE

# New connections from the PCs and the servers to the web and to DNS
iptables -A FORWARD -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp -m multiport --dports 80,443 -j ACCEPT

iptables -A FORWARD -i eth0 -p udp -m multiport --dports 53 -j ACCEPT
iptables -A FORWARD -i eth2 -p udp -m multiport --dports 53 -j ACCEPT

iptables -A FORWARD -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


# Allow responses coming back from the router side

iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -m state --state ESTABLISHED -j ACCEPT


# Load balance: spread new inbound HTTP connections over three web servers
# DNAT rules belong to the nat table, so -t nat is required on these rules.
# -m statistic --mode nth is the in-tree replacement for the old -m nth patch;
# each statistic rule keeps its own counter, so the rules take every 3rd
# packet, then every 2nd of what is left, then all that remain.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.2.81
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.2.82
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -m state --state NEW -j DNAT --to-destination 192.168.2.83


# ICMP to and from the gateway itself

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# ICMP forwarded between the networks
iptables -N icmp_accept
iptables -A icmp_accept -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type ttl-exceeded -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp_accept -p icmp --icmp-type parameter-problem -j ACCEPT

iptables -A FORWARD -p icmp -j icmp_accept


# Anti DoS (disabled)

#iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT


# Logging: log and drop whatever reaches the end of INPUT
# (FORWARD and OUTPUT fall through to their DROP policy without logging)

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -j LOG --log-prefix "IPTABLES-DROP " --log-level 4
iptables -A LOGGING -j DROP


Firewall's gateway is set to 192.168.1.1



cat /etc/network/interfaces:




auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255


auto eth1
iface eth1 inet static
address 192.168.1.2
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 192.168.1.1

auto eth2

iface eth2 inet static
address 192.168.2.2
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255


ip route list
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
default via 192.168.1.1 dev eth1 metric 100



The firewall
- can ping IPs on the internet
- can't http to IPs on the internet

The PCs
- can ping the firewall
- can't http / ping IPs on the internet



Already ran:
sysctl -w net.ipv4.ip_forward=1



This was more or less the recommended configuration as I gathered from various sites.
Any suggestions on how I can get the PCs to access sites on the internet through the firewall?




Thanks


Answer



I would replace



iptables -A FORWARD -i eth1 -p tcp ! --syn -j ACCEPT


with



iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT



Also I don't see any rules for your gateway's traffic, except icmp (INPUT and OUTPUT).
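The script below is an added example, not code from the question or the answer. It emits a default-deny, stateful ruleset for the same three-NIC layout in iptables-restore format: the ESTABLISHED,RELATED rule comes first in every chain, so replies (including DNS answers) are handled by connection tracking instead of stateless source-port rules, there is no unconditional per-interface ACCEPT in FORWARD, the DNAT rules sit in the nat table, and the load balancing uses the in-tree -m statistic match (every 3rd, then every 2nd of the rest, then the remainder) instead of the -m nth patch. Interface roles, subnets, the router address and the three web backends come from the question; which ports each network may open outwards is an assumption, as are the script name and function names.

```shell
#!/bin/bash
# Added example (not the question's or the answer's code): stateful ruleset
# for the eth0/eth1/eth2 gateway described in the question, in
# iptables-restore format.
#
#   ./gateway-rules.sh                                print the ruleset
#   ./gateway-rules.sh | iptables-restore --test      parse-check only (as root)
#   ./gateway-rules.sh apply                          enable forwarding and load it (as root)
set -eu

LAN=eth0            # 192.168.0.0/24, client PCs (their gateway is 192.168.0.2)
WAN=eth1            # 192.168.1.0/24, link to the ADSL router
DMZ=eth2            # 192.168.2.0/24, servers reachable from the internet
ROUTER=192.168.1.1  # ADSL router, also the gateway's resolver per /etc/network/interfaces
WEB_BACKENDS="192.168.2.81 192.168.2.82 192.168.2.83"   # from the question (assumed HTTP backends)

gateway_rules() {
    local n i backend
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Round-robin DNAT of new inbound HTTP connections across the backends.
    # Each statistic rule keeps its own counter, so rule i takes every
    # (n-i)th packet of what the earlier rules let through; the last backend
    # takes everything that remains.
    set -- $WEB_BACKENDS
    n=$#; i=0
    for backend; do
        if [ $((n - i)) -gt 1 ]; then
            echo "-A PREROUTING -i $WAN -p tcp --dport 80 -m conntrack --ctstate NEW -m statistic --mode nth --every $((n - i)) --packet 0 -j DNAT --to-destination $backend"
        else
            echo "-A PREROUTING -i $WAN -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to-destination $backend"
        fi
        i=$((i + 1))
    done
    # Everything leaving towards the ADSL router carries the gateway's own address
    echo "-A POSTROUTING -o $WAN -j MASQUERADE"
    echo COMMIT
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# --- traffic to and from the gateway itself ---
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
-A OUTPUT -o $WAN -d $ROUTER -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP " --log-level 4
# --- forwarded traffic: replies first, then explicit NEW allowances per direction ---
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN -o $WAN -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN -o $WAN -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -p udp --dport 53 -j ACCEPT
# only the DNATed web connections may come in from the router side
-A FORWARD -i $WAN -o $DMZ -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FORWARD-DROP " --log-level 4
COMMIT
EOF
}

# 1-based position of the first FORWARD rule matching PATTERN (empty if none);
# used to check that replies are accepted before any NEW rule is consulted.
forward_rule_index() {
    gateway_rules | grep '^-A FORWARD' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gateway_rules | iptables-restore
}

case "${1:-print}" in
    apply) apply_rules ;;
    *) gateway_rules ;;
esac
```

After loading it, `iptables -L FORWARD -v -n` shows per-rule packet counters, which tell you directly which rule a PC's web request hits (or whether it reaches the logging rule and the DROP policy), and `tcpdump -ni eth1` shows whether the masqueraded packets leave towards the router and whether replies come back.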

