Monday, July 25, 2005

Firewall Server Problem

Greetings,

 

I’ve built a Debian firewall server for a small business network, and there have been some problems.

 

First of all, I have eth0 as an external interface (it’s a dual-homed server). Eth1 is setup as the internal interface. An Ethernet cable connects the internal interface to a switch which then splits the connection to an internal router/switch (Linksys) and to a web server. I have added rules to forward port 80 traffic to that web server. The first problem I am having is that any internal traffic to the web server, either in the DMZ or in the internal network behind the router/switch, cannot connect to the website via DNS name or even the website’s IP; however, those same systems can connect via the internal IP (192.168.2.25) including the internal network behind the router/switch (on a different network). Additionally, I cannot ping anything lower than the web server from anything higher than the web server. In other words, a computer behind the router/switch can ping the web server but the web server could not ping that system or either gateway in the router/switch. Any other internet traffic to any other site works perfectly fine on any system

 

The firewall script I am using is largely written from a guide as I am somewhat new to iptables as of 2 months ago (found at http://www.aboutdebian.com/firewall.htm). The script is as follows (note that my static IP has been changed so that it is not so readily known to the public):

 

#!/bin/sh

 

echo -e "\n\nSETTING UP IPTABLES FIREWALL..."

 

 

# Enter the designation for the Internal Interface

INTIF="eth1"

 

# NETWORK address of the Internal Interface

INTNET="192.168.2.0/24"

 

# IP address of the Internal Interface

INTIP="192.168.2.110"

 

# Enter the designation for the External Interface

EXTIF="eth0"

 

EXTIP="6x.7x.17x.21x"

 

# --------  No more variable setting beyond this point  --------

 

 

echo "Loading required stateful/NAT kernel modules..."

 

/sbin/depmod -a

/sbin/modprobe ip_tables

/sbin/modprobe ip_conntrack

/sbin/modprobe ip_conntrack_ftp

/sbin/modprobe ip_conntrack_irc

/sbin/modprobe iptable_nat

/sbin/modprobe ip_nat_ftp

/sbin/modprobe ip_nat_irc

 

echo "    Enabling IP forwarding..."

echo "1" > /proc/sys/net/ipv4/ip_forward

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

 

echo "    External interface: $EXTIF"

echo "       External interface IP address is: $EXTIP"

echo "    Loading firewall server rules..."

 

UNIVERSE="0.0.0.0/0"

 

# Clear any existing rules and setting default policy to DROP

iptables -P INPUT DROP

iptables -F INPUT

iptables -P OUTPUT DROP

iptables -F OUTPUT

iptables -P FORWARD DROP

iptables -F FORWARD

iptables -F -t nat

 

# Flush the user chain.. if it exists

if [ "`iptables -L | grep drop-and-log-it`" ]; then

   iptables -F drop-and-log-it

fi

 

# Delete all User-specified chains

iptables -X

 

# Reset all IPTABLES counters

iptables -Z

 

# Creating a DROP chain

iptables -N drop-and-log-it

iptables -A drop-and-log-it -j LOG --log-level info

iptables -A drop-and-log-it -j REJECT

 

echo -e "     - Loading INPUT rulesets"

 

#######################################################################

# INPUT: Incoming traffic from various interfaces.  All rulesets are

#        already flushed and set to a default policy of DROP.

#

 

# loopback interfaces are valid.

iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

 

# local interface, local machines, going anywhere is valid

iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

 

# remote interface, claiming to be local machines, IP spoofing, get lost

iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

 

# remote interface, any source, going to permanent PPP address is valid

iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

 

# Blocked Ports

# SSH from outside the network

#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 22 -j DROP

# AUTH from outside the network

#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 113 -j DROP

# FTP from outside the network

#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 21 -j DROP

 

# Allow any related traffic coming back to the MASQ server in

iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT

 

# Catch all rule, all other incoming is denied and logged.

iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

 

 

echo -e "     - Loading OUTPUT rulesets"

 

#######################################################################

# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are

#         already flushed and set to a default policy of DROP.

#

 

# loopback interface is valid.

iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

 

# local interfaces, any source going to local net is valid

iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

 

# local interface, any source going to local net is valid

iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

 

# outgoing to local net on remote interface, stuffed routing, deny

iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

 

# anything else outgoing on remote interface is valid

iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

 

# Catch all rule, all other outgoing is denied and logged.

iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

 

 

echo -e "     - Loading FORWARD rulesets"

 

#######################################################################

# FORWARD: Enable Forwarding and thus IPMASQ

#          Allow all connections OUT and only existing/related IN

 

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

 

# Web Server

iptables -A FORWARD -i $EXTIF -o $INTIF -d 192.168.2.25 -p tcp --dport 80 -j ACCEPT

 

# Catch all rule, all other forwarding is denied and logged.

iptables -A FORWARD -j drop-and-log-it

 

# Enable SNAT (MASQUERADE) functionality on $EXTIF

iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

 

# DNAT PAT to WWW

iptables -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 80 -j DNAT --to 192.168.2.25

 

 

echo  "    Implementing change to routing table"

route add -net 192.168.3.0/24 gw 192.168.2.19

 

echo -e "    Firewall server rule loading complete\n\n"

 

The route line has been added to properly route traffic to the router/switch. This script is set to run at boot time near the end. After it runs, the iptables –L command looks as such(once again, some names changed do to privacy):

 

Chain INPUT (policy DROP)

target     prot opt source               destination        

ACCEPT     all  --  anywhere             anywhere           

ACCEPT     all  --  192.168.2.0/24       anywhere           

drop-and-log-it  all  --  192.168.2.0/24       anywhere           

ACCEPT     all  --  anywhere             www.****.org       

ACCEPT     all  --  anywhere             www.****.org        state RELATED,ESTABLISHED

drop-and-log-it  all  --  anywhere             anywhere            

 

Chain FORWARD (policy DROP)

target     prot opt source               destination        

ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

ACCEPT     all  --  anywhere             anywhere           

ACCEPT     tcp  --  anywhere             192.168.2.25        tcp dpt:www

drop-and-log-it  all  --  anywhere             anywhere           

 

Chain OUTPUT (policy DROP)

target     prot opt source               destination        

ACCEPT     all  --  anywhere             anywhere           

ACCEPT     all  --  www.****.org         192.168.2.0/24     

ACCEPT     all  --  192.168.2.110        192.168.2.0/24     

drop-and-log-it  all  --  anywhere             192.168.2.0/24     

ACCEPT     all  --  www.****.org         anywhere           

drop-and-log-it  all  --  anywhere             anywhere           

 

Chain drop-and-log-it (5 references)

target     prot opt source               destination        

LOG        all  --  anywhere             anywhere            LOG level info

REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

 

 

And, for additional information, the routing table looks as such:

 

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

68.79.174.208   *               255.255.255.240 U     0      0        0 eth0

192.168.3.0     192.168.2.19    255.255.255.0   UG    0      0        0 eth1

192.168.2.0     *               255.255.255.0   U     0      0        0 eth1

default         6x.7x.17x.xxx.i 0.0.0.0         UG    0      0        0 eth0

 

Finally, my /etc/network/interfaces file (with the edited lines):

 

# This file describes the network interfaces available on your system

# and how to activate them. For more information, see interfaces(5).

 

# The loopback network interface

auto lo

iface lo inet loopback

 

auto eth0

iface eth0 inet static

                             address 6x.7x.17x.21x

                             netmask 255.255.255.240

                             gateway 6x.7x.17x.xxx

 

auto eth1

iface eth1 inet static

                             address 192.168.2.110

                             netmask 255.255.255.0

 

Any insight into the problem would be much appreciated. If there is any confusion, please forgive me and feel free to ask me to clarify. Thank you.

 

Bill Shepherd

 

No comments:

Post a Comment