[lug] iptables, windows & ipmasq

Ben Luey lueyb at jilau1.Colorado.EDU
Wed Mar 24 09:52:47 MST 2004


Take 2 on weird routing problems. I took out my PRE and POSTROUTING NAT
options and that fixed the ping problems. But now windows boxes
*sometimes* can't access the internet.

Here's the setup:

My router has ip address 10.0.0.1 and is configured with the attached
iptables. Netmask 255.255.255.0

Linux box, has ip 10.0.0.X, gateway: 10.0.0.1 and it works fine. DNS:
external

Windows boxes: ip 10.0.0.X, gateway: 10.0.0.1, external DNS.

Sometimes everything works fine. Sometimes, the firewall doesn't respond
to any packets from Windows boxes. I can ping 10.0.0.1, but I can't ssh to
it and I can't get outside. If I turn off all the security in iptables
(default policy, allow, etc) nothing changes. If I log packets, I can't
see the Windows machines trying to access anything. If I put back the
security stuff in iptables and wait, sometimes everything works again.
Once it is working, it seems to stay working until I change something, but
I'm not sure about that. I've tried rebooting both the firewall and the
Windows boxes, but no luck.

How can this be? Why is the Linux box without problems? How can things
magically start working? And when things aren't, why can't I see the
packets getting to the firewall? Any ideas greatly appreciated.

Thanks,

Ben

Ben Luey
lueyb at jilau1.colorado.edu
-------------- next part --------------
#!/bin/sh
# Router firewall: eth0 = external interface (public address in $myip),
# eth1 = internal LAN 10.0.0.0/24
myip=128.138.107.165

IPTABLES=/sbin/iptables

## The kernel must have IP forwarding enabled for the FORWARD chain to see
## any traffic at all, e.g. echo 1 > /proc/sys/net/ipv4/ip_forward
## (this script does not do that itself)

##Default policy: deny input and forward, allow outgoing
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

##Clear every rule in the filter and nat tables, then delete user-defined chains
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -F -t nat
$IPTABLES -F
$IPTABLES -X

#Define a chain to log (kernel log prefix "Dropped ") and drop packets
$IPTABLES -N droplog
$IPTABLES -t filter -A droplog -j LOG --log-prefix "Dropped "
$IPTABLES -t filter -A droplog -j DROP

##Define a chain to log (kernel log prefix "Allowed ") and accept packets
$IPTABLES -N allowlog
$IPTABLES -t filter -A allowlog -j LOG --log-prefix "Allowed "
$IPTABLES -t filter -A allowlog -j ACCEPT

##Debugging rules, normally left commented out: log everything on each chain
#$IPTABLES -A FORWARD -j allowlog
#$IPTABLES -A INPUT -j allowlog
#$IPTABLES -A OUTPUT -j allowlog

##Anti-spoofing: the internal interface may only source LAN addresses,
##and the external interface must never source RFC 1918 private addresses
$IPTABLES -A FORWARD -i eth1 ! -s 10.0.0.0/24 -j droplog
$IPTABLES -A FORWARD -i eth0 -s 192.168.0.0/16 -j droplog
$IPTABLES -A FORWARD -i eth0 -s 172.16.0.0/12 -j droplog
$IPTABLES -A FORWARD -i eth0 -s 10.0.0.0/8 -j droplog

##Allow everything on the loopback interface (local services on the router
##talk to each other over lo, and INPUT defaults to DROP)
$IPTABLES -A INPUT -i lo -j ACCEPT

#Allow (and log) forwarding from internal to external
$IPTABLES -A FORWARD -i eth1 -o eth0 -j allowlog

#Allow replies to established/related connections back in from external
$IPTABLES -A INPUT -i eth0 -d $myip -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Debugging test, normally left commented out: accept established/related on any interface
#$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Masquerade packets leaving on the external interface
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Allow ssh to the router from the internal interface
$IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT

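The attached script logs with the kernel prefixes "Dropped " and "Allowed ", which is the only evidence it leaves of what the firewall did with a packet. The following is an added example, not part of the original post or the poster's script, of reading those log lines back and mapping each drop onto the rule that produced it. The log lines, interface names and addresses inside it are constructed samples (eth1 = 10.0.0.0/24 LAN, eth0 = external, as in the script); the function names are this example's own.

```python
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample kernel log lines in the format the script's LOG rules
# produce; hypothetical hosts, not real output from the poster's router.
SAMPLE_LOG = """\
Mar 24 09:40:01 router kernel: Allowed IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=3421 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 24 09:40:02 router kernel: Dropped IN=eth1 OUT=eth0 SRC=192.168.1.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=3422 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 24 09:40:03 router kernel: Dropped IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=4000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 24 09:40:04 router kernel: Allowed IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.53 LEN=62 TOS=0x00 PREC=0x00 TTL=63 ID=4 PROTO=UDP SPT=1025 DPT=53 LEN=42
Mar 24 09:40:05 router kernel: Dropped IN=eth1 OUT=eth0 SRC=172.16.4.4 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=3423 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

LAN = ip_network("10.0.0.0/24")   # LAN behind eth1, as in the post
LAN_IF = "eth1"                   # internal interface in the script
EXT_IF = "eth0"                   # external interface in the script
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]  # what the eth0 anti-spoof rules drop

PREFIX_RE = re.compile(r"kernel: (Dropped|Allowed) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # KEY=value pairs; bare flags like DF/SYN are skipped


def parse_line(line):
    """Return (verdict, fields) for one iptables LOG line, or None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    verdict, rest = m.groups()
    return verdict, dict(KV_RE.findall(rest))


def parse_log(text):
    """All LOG entries in a block of kernel log text, in order."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def drop_summary(text):
    """Count dropped packets by (in-interface, source, protocol, destination port)."""
    counts = Counter()
    for verdict, f in parse_log(text):
        if verdict == "Dropped":
            counts[(f.get("IN", "-"), f.get("SRC", "-"),
                    f.get("PROTO", "-"), f.get("DPT", "-"))] += 1
    return counts


def drop_reason(fields):
    """Name the anti-spoofing rule in the script that would have dropped this packet."""
    src = ip_address(fields["SRC"]) if "SRC" in fields else None
    if fields.get("IN") == LAN_IF and src is not None and src not in LAN:
        return "lan-src-outside-lan"          # eth1 ! -s 10.0.0.0/24
    if fields.get("IN") == EXT_IF and src is not None and any(src in n for n in RFC1918):
        return "private-src-on-external"      # eth0 -s <RFC 1918 range>
    return "other"


def reasons(text):
    """Histogram of drop reasons over the whole log."""
    return Counter(drop_reason(f) for v, f in parse_log(text) if v == "Dropped")


def spoof_hits(text):
    """(verdict, source) for packets that arrived on the LAN interface from outside
    the LAN prefix. A LAN host with a wrong address or netmask shows up here."""
    hits = []
    for verdict, f in parse_log(text):
        if f.get("IN") == LAN_IF and "SRC" in f and ip_address(f["SRC"]) not in LAN:
            hits.append((verdict, f["SRC"]))
    return hits


if __name__ == "__main__":
    # Feed real logs on stdin (e.g. from /var/log/messages or dmesg); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, n in sorted(drop_summary(text).items()):
        print(n, *key)
    print(dict(reasons(text)))
    print(spoof_hits(text))
```

One caveat this makes visible: the script only logs packets that reach the droplog or allowlog chains. Anything refused by the default DROP policy on INPUT or FORWARD is discarded silently, so a host that is missing from the log has not necessarily failed to reach the router. To log policy drops as well, the commented-out debugging rules in the script, or a final "-j droplog" rule appended to each chain, are what produce the evidence.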
