The UNIX and Linux Forums

The UNIX and Linux Forums (http://www.unix.com/index.php)
-   Security (http://www.unix.com/security/)
-   -   iptables Local Lan Issues (http://www.unix.com/security/228665-iptables-local-lan-issues.html)

metallica1973 06-19-2013 04:25 PM

iptables Local Lan Issues
 
I recently installed CentOS 6 and it is my SOHO firewall/router. The small network is laid out like so:
Code:

        |--eth0(WAN)
Centos 6(firewall/router)
        |---eth1(LAN)
        |
    Switch
        |
        |
      LAN(192.168.3.0/27)
        |
        |
PCs ----Laptops---Printer

I can ping my devices from the firewall and talk to all my devices from the firewall (eth1). Now the issue is when I am on my laptop (on the LAN): oddly, I can only talk to a few devices on my LAN (the firewall interface (eth1) and only the AP) but nothing else. I know it has to be something that I changed inadvertently in my iptables ruleset that I cannot pinpoint. It's a bit long but here it is:
Code:

#! /bin/sh

IPTABLES="/sbin/iptables"

case "$1" in
  stop)
      echo "Shutting down firewall..."
      $IPTABLES -F
      $IPTABLES -F -t mangle
      $IPTABLES -F -t nat
      $IPTABLES -X
      $IPTABLES -X -t mangle
      $IPTABLES -X -t nat
     
      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
    echo "...done"
      ;;
  status)
      echo $"Table: filter"
      iptables --list
      echo $"Table: nat"
      iptables -t nat --list
      echo $"Table: mangle"
      iptables -t mangle --list
      ;;
  restart|reload)
      $0 stop
      $0 start
      ;;
  start)
  echo "Starting Firewall..."
    echo ""

##--------------------------Begin Firewall---------------------------------##

#----Default-Interfaces-----#
EXTIF="eth0"
INTIF="eth1"
#DMZ_IFACE="eth2"
INTLAN="192.168.3.0/27"
#DMZ_LAN="192.168.2.0/27"
#VONAGE="192.168.2.10"
#DMZ_VOIP_SERVER="192.168.2.2"
VPNIF="tun0"
VPNNET="192.168.4.0/27"
#VPNIP="192.168.4.1"
SQUID_BOX="127.0.0.1"
DG_PORT="8080"
#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
#XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
#IRCPORTS="6665,6666,6667,6668,6669,7000"

# DMZ UDP ports
#DMZUDP="1024:1030,5060:5065,10000:20000"
####PS2 PORTS####

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Logging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
#/sbin/modprobe ip_conntrack_sip
#/sbin/modprobe ip_nat_sip
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "


#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#----Set network sysctl options-----#
echo "Setting sysctl options"
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo " --- "
echo "Creating user-chains"
#----Create logging chains-----#

#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP " --log-level 4
$IPTABLES -A LINVALID -j DROP
#TCP-Packets with one or more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP " --log-level 4
$IPTABLES -A LBADFLAG -j DROP
#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP " --log-level 4
$IPTABLES -A LSPECIALPORT -j DROP
       
#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP " --log-level 4
$IPTABLES -A LSYNFLOOD -j DROP
       
#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP " --log-level 4
$IPTABLES -A LPINGFLOOD -j DROP


#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " --log-level 4
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " --log-level 4
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP " --log-level 4
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP " --log-level 4
$IPTABLES -A LDROP -j DROP

#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT " --log-level 4       
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT

#----Create Accept-Chains-----#
#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
       
$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

        #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP

        #Inbound Special Ports
       
$IPTABLES -N SPECIALPORTS
               
#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p  tcp --dport 6670 -j LSPECIALPORT
 
#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT 
 
#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT
 
#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT
 
#X-Win
#$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS  -j LSPECIALPORT

#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

#ICMP/TRACEROUTE FILTERING
       
#Inbound ICMP/Traceroute
       
$IPTABLES -N ICMPINBOUND
               
#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

##Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP


                  #Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT


       
        #Outbound ICMP/Traceroute
       
$IPTABLES -N ICMPOUTBOUND
       
                #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP
 
                  #Block ICMP-TTL-Expired
                #MS Traceroute (MS uses ICMP instead of UDP for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP
 
                  #Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP
 
                  #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

                  #Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP


                  ##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

#----End User-Chains-----#       

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."

#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################

##GENERAL Filtering

  # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID
 
  # Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG


##Packets FROM FIREWALL-BOX ITSELF

  #Local IF

$IPTABLES -A INPUT -i lo -j ACCEPT


#Kill connections to the local interface from the outside world (--> Should already be caught by kernel/rp_filter)

$IPTABLES -A INPUT -d 127.0.0.0 -j LREJECT

#Transparent proxy settings

#$IPTABLES -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP

##Packets FROM INTERNAL NET

 ##Allow unlimited traffic from internal network using legit addresses to firewall-box
 ##If protection from the internal interface is needed, alter it

$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 12022 -m state --state NEW -j ACCEPT

###################################VPN############################################################

$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE --dport 1723 -j ACCEPT

# Allow TUN interface connections to OpenVPN server

$IPTABLES -A INPUT -i $VPNIF -j ACCEPT
$IPTABLES -A INPUT -i $VPNIF -j DROP

##ICMP & Traceroute filtering

  #Block UDP-Traceroute

$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

  #Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB
 
  #Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)

$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
 
############Separate logging of special portscans/connection attempts #######################

$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

 ##Allow ESTABLISHED/RELATED connections in
 
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j TCPACCEPT
 
#Transparent/DansGuardian

#$IPTABLES -A INPUT  -i $INTIF -p tcp -s $INTLAN --dport $DG_PORT -m state --state NEW -j ACCEPT

##Catch all rule
$IPTABLES -A INPUT -j LDROP

##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################

##Packets TO FIREWALL-BOX ITSELF

  #Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT

##Packets TO INTERNAL NET

  #Allow unlimited traffic to internal network using legit addresses

$IPTABLES -A OUTPUT -o $INTIF -s $INTLAN -j ACCEPT

$IPTABLES -A OUTPUT -o $EXTIF -p ALL -j ACCEPT

$IPTABLES -A OUTPUT -o $INTIF -p ALL -j ACCEPT

$IPTABLES -A OUTPUT -o $EXTIF -s $INTLAN -j ACCEPT

######################################## VPN #####################################################

$IPTABLES -A OUTPUT -o $EXTIF -s $VPNNET -j ACCEPT

$IPTABLES -A OUTPUT -o $VPNIF -s $VPNNET -j ACCEPT

$IPTABLES -A OUTPUT -o $VPNIF -j ACCEPT

$IPTABLES -A OUTPUT -o $EXTIF -j ACCEPT

$IPTABLES -A OUTPUT -j LDROP

####################
## FORWARD-Chain  ## (everything that passes the firewall, incoming)
####################

##GENERAL Filtering

  #Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
 
  # Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG

  ##Silent Drops/Rejects (Things we don't want in our logs)

  #SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB

 ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

  #HTTP-Forwarding

##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp  -j ACCEPT

######################################## VPN ##################################################################

$IPTABLES -A FORWARD -i $VPNIF -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -i $VPNIF -s $VPNNET -j ACCEPT

$IPTABLES -A FORWARD -o $VPNIF -s $INTLAN  -j ACCEPT

$IPTABLES -A FORWARD -i $VPNIF -j ACCEPT

$IPTABLES -A FORWARD -o $VPNIF -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -j SMB
 
  ##Allow replies coming in
  $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT

########################################## DMZ #########################################################################

#$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT
#$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT 

#$IPTABLES -A FORWARD -p tcp -i $INTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 12444 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 5050:5065 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 10000:20000 -m state --state NEW -j ACCEPT

#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $VONAGE --dport 5050:5065 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $VONAGE --dport 10000:20000 -m state --state NEW -j ACCEPT

################################################## Zoneminder WEB Interface ##############################################################################

#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d 192.168.3.22 --dport 8080 -m state --state NEW -j ACCEPT

################################################## VOIP ASTERISK WEB Interface ##############################################################################

#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 80 -m state --state NEW -j ACCEPT

##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

######################################################## SSH ################################################################

#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 5900 -j DNAT --to-destination 192.168.3.30
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 12022 -j DNAT --to-destination $DMZ_SSH_SERVER

#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 8080 -j DNAT --to-destination 192.168.3.22

######################################################### HTTP ############################################################

#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j DNAT --to $WEB_FILTER:8080

#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j REDIRECT --to $WEB_FILTER:8080
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j REDIRECT --to $DG_PORT

#Transparent Proxy crap

$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -d ! $SQUID_BOX --dport 80 -j REDIRECT --to-ports $DG_PORT

######################################### ASTERISK VOIP SERVER####################################################################################################
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 513 -j DNAT --to-destination $DMZ_VOIP_SERVER


#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 12444 -j DNAT --to-destination $DMZ_VOIP_SERVER

#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $DMZ_VOIP_SERVER
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_HTTPIP --dport 53 -j DNAT --to-destination $DMZ_PC_IP


#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $VONAGE

#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $VONAGE

###################
##  POSTROUTING  ##
###################

#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -d $SQUID_FILTER -j MASQUERADE

#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $DMZ_LAN -d $DMZ_IP -j MASQUERADE
 
  #Masquerade from Internal Net to External Net
  $IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

#------End Ruleset------#

echo "...done"
echo ""


echo "--> IPTABLES firewall loaded/activated <--"


##--------------------------------End Firewall---------------------------------##

  ;;
  *)
      echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
      exit 1
esac

exit 0

I believe it would be an OUTPUT rule that is missing or wrong. ??

---------- Post updated at 04:25 PM ---------- Previous update was at 01:58 PM ----------

To paint a better picture, here is an nmap scan from my laptop looking for port 80, which is definitely open and can be seen from the firewall itself.

From the laptop sitting on the 192.168.3.0/27 subnet:
Code:

Nmap scan report for 192.168.3.16
Host is up.
PORT  STATE    SERVICE
80/tcp filtered http

And respectively from the firewall:
Code:

Nmap scan report for 192.168.3.16
Host is up (0.013s latency).
PORT  STATE SERVICE
80/tcp open  http

What is so weird is that there are some targets that I can see from both sides. I will have to run a sniffer and see what I can come up with.
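A rule in a chain can never match if an earlier rule in the same chain terminates (ACCEPT/DROP/REJECT) every packet it would see; the posted script contains several such rules (for example `-i $VPNIF -j DROP` directly after `-i $VPNIF -j ACCEPT`, and the OUTPUT rules after `-o $EXTIF -p ALL -j ACCEPT`). The checker below is an added example, not code from the thread: it expands the script's own variable values, parses `-A` rules, and reports shadowed rules over a constructed excerpt of the posted INPUT and OUTPUT chains. Rules using options it does not model (negation, `--limit`, `--tcp-flags`, ...) are marked opaque and left out of the comparison.

```python
import re
import shlex

# Interface and network values copied from the posted script's variable block.
VARS = {
    "EXTIF": "eth0", "INTIF": "eth1", "INTLAN": "192.168.3.0/27",
    "VPNIF": "tun0", "VPNNET": "192.168.4.0/27", "UNIVERSE": "0.0.0.0/0",
}

# Constructed excerpt of the posted INPUT and OUTPUT chains, order preserved.
RULES = """\
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $VPNIF -j ACCEPT
$IPTABLES -A INPUT -i $VPNIF -j DROP
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTLAN -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p ALL -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p ALL -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $INTLAN -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -j ACCEPT
$IPTABLES -A OUTPUT -j LDROP
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# Options whose single argument fully describes one match condition.
MATCH_OPTS = {"-i", "-o", "-s", "-d", "-p", "--dport", "--sport", "--state"}


def expand(line, variables):
    """Substitute $VAR with the script's value; unknown names are left as-is."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), line)


def parse_rule(line, variables):
    """Return {'chain','matches','target','opaque','text'} for an -A rule, else None."""
    toks = shlex.split(expand(line, variables))
    if len(toks) < 3 or toks[1] != "-A":
        return None
    rule = {"chain": toks[2], "matches": {}, "target": None,
            "opaque": False, "text": line.strip()}
    i = 3
    while i < len(toks):
        tok = toks[i]
        if tok == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif tok == "-m":
            i += 2                      # the module name alone adds no condition
        elif tok in MATCH_OPTS:
            val = toks[i + 1]
            if tok == "-p" and val.lower() == "all":
                pass                    # -p ALL is the same as no protocol match
            elif tok == "--state":
                rule["matches"][tok] = frozenset(val.split(","))
            else:
                rule["matches"][tok] = val
            i += 2
        else:
            # Negation (!), --limit, --tcp-flags, -f, -t ... are not modelled:
            # an opaque rule neither shadows others nor gets reported itself.
            rule["opaque"] = True
            i += 1
    return rule


def covers(key, prev_val, rule_val):
    """True if the earlier rule's condition on `key` includes the later rule's."""
    if rule_val is None:
        return False                    # later rule is broader on this key
    if key == "--state":
        return prev_val >= rule_val     # state sets: a superset covers a subset
    return prev_val == rule_val


def shadowed_rules(script, variables):
    """Return (chain, unreachable_rule, rule_that_shadows_it) for every rule whose
    packets are all consumed by an earlier terminating rule in the same chain."""
    seen, findings = {}, []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line, variables)
        if rule is None:
            continue
        earlier = seen.setdefault(rule["chain"], [])
        if not rule["opaque"]:
            for prev in earlier:
                if prev["opaque"] or prev["target"] not in TERMINATING:
                    continue
                if all(covers(k, v, rule["matches"].get(k))
                       for k, v in prev["matches"].items()):
                    findings.append((rule["chain"], rule["text"], prev["text"]))
                    break
        earlier.append(rule)
    return findings


if __name__ == "__main__":
    for chain, dead, by in shadowed_rules(RULES, VARS):
        print(f"{chain}: unreachable: {dead}\n        shadowed by: {by}")
```

Note what the checker cannot tell you: traffic between two hosts on the same switch never passes through eth1, so no rule on the firewall, reachable or not, decides whether the laptop can reach another LAN host.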

DGPickett 06-19-2013 04:53 PM

Somewhere there should be a log you can tap or turn on to see what rule is stopping which packet.
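The LOG targets in both rulesets above write kernel log lines tagged `fp=<chain>:<n> a=DROP` followed by the standard `IN= OUT= SRC= DST= PROTO= DPT=` fields, which is where to look for the rule that stopped a packet. The parser below is an added example, not code from the thread: it tallies those lines per chain, rule number, interfaces and addresses, and separately lists any LAN-to-LAN packets the firewall actually saw. The log sample is constructed (the 203.0.113.x and 198.51.100.x addresses are documentation placeholders); the LAN hosts reuse addresses from the scans in this thread.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample kernel log lines in the format written by the iptables LOG
# target with the "fp=<chain>:<n> a=<action> " prefix used in the rulesets above.
# The last line is an unrelated sshd message that the parser must skip.
SAMPLE_LOG = """\
Jun 27 15:04:11 fw kernel: fp=FORWARD:99 a=DROP IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.3.16 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=44321 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 27 15:04:12 fw kernel: fp=INPUT:99 a=DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 27 15:04:12 fw kernel: fp=INPUT:99 a=DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=6001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 27 15:04:13 fw kernel: fp=FORWARD:99 a=DROP IN=eth1 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.3.16 DST=192.168.3.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=99 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 27 15:04:14 fw sshd[2211]: Accepted publickey for admin from 192.168.3.16 port 50111 ssh2
"""

# "fp=INPUT:99 a=DROP " is the --log-prefix; everything after it is KEY=VALUE.
PREFIX_RE = re.compile(r"fp=(?P<chain>\w+):(?P<rule>\d+) a=(?P<action>\w+) (?P<fields>.*)$")


def parse_log_line(line):
    """Parse one LOG-target line into a dict; None for unrelated log lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "rule": int(m.group("rule")),
           "action": m.group("action")}
    for tok in m.group("fields").split():
        if "=" in tok:                  # flags such as DF or SYN carry no value
            key, val = tok.split("=", 1)
            rec[key] = val              # "OUT=" yields an empty string
    return rec


def summarize(text):
    """Count logged packets per (chain, rule, action, in, out, src, dst, proto, dport)."""
    tally = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["rule"], rec["action"],
               rec.get("IN", ""), rec.get("OUT", ""),
               rec.get("SRC", ""), rec.get("DST", ""),
               rec.get("PROTO", ""), rec.get("DPT", ""))
        tally[key] += 1
    return tally


def lan_to_lan(text, lan_cidr):
    """Records whose SRC and DST both lie inside lan_cidr: LAN-to-LAN traffic that
    reached the firewall. Hosts on one switch exchange frames directly, so when
    this comes back empty the firewall never saw the packets and cannot have
    dropped them; the cause then lies on the hosts or the switch/AP, not here."""
    lan = ipaddress.ip_network(lan_cidr)
    hits = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec and "SRC" in rec and "DST" in rec:
            if (ipaddress.ip_address(rec["SRC"]) in lan
                    and ipaddress.ip_address(rec["DST"]) in lan):
                hits.append(rec)
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, key)
    for rec in lan_to_lan(SAMPLE_LOG, "192.168.3.0/27"):
        print("LAN-to-LAN seen by firewall:", rec["SRC"], "->", rec["DST"],
              rec["chain"], rec["action"], "IN=" + rec["IN"], "OUT=" + rec["OUT"])
```

On CentOS 6 these lines land in /var/log/messages (or `dmesg`), so the script can be pointed at that file instead of the embedded sample.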

metallica1973 06-27-2013 03:17 PM

Update: oddly, nothing shows up in the logs, so I created a completely different iptables ruleset using
Easy Firewall Generator for iptables
with this basic rule set:
Code:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
  104  8828 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
  605 75520 bad_packets  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
    0    0 DROP      all  --  *      *      0.0.0.0/0            224.0.0.1         
  86 14040 ACCEPT    all  --  eth1  *      192.168.3.0/27      0.0.0.0/0         
    0    0 ACCEPT    all  --  eth1  *      0.0.0.0/0            192.168.3.31       
    0    0 ACCEPT    udp  --  eth1  *      0.0.0.0/0            0.0.0.0/0          udp spt:68 dpt:67
    0    0 ACCEPT    all  --  eth1  *      192.168.3.0/27      0.0.0.0/0         
  519 61480 ACCEPT    all  --  eth0  *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:12022 state NEW
    0    0 tcp_inbound  tcp  --  eth0  *      0.0.0.0/0            0.0.0.0/0         
    0    0 udp_inbound  udp  --  eth0  *      0.0.0.0/0            0.0.0.0/0         
    0    0 icmp_packets  icmp --  eth0  *      0.0.0.0/0            0.0.0.0/0         
    0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          PKTTYPE = broadcast
    0    0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `fp=INPUT:99 a=DROP '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
19460  18M bad_packets  all  --  *      *      0.0.0.0/0            0.0.0.0/0         
 6692  364K tcp_outbound  tcp  --  eth1  *      0.0.0.0/0            0.0.0.0/0         
  567 39083 udp_outbound  udp  --  eth1  *      0.0.0.0/0            0.0.0.0/0         
    2  450 ACCEPT    all  --  eth1  *      0.0.0.0/0            0.0.0.0/0         
12172  17M ACCEPT    all  --  eth0  *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `fp=FORWARD:99 a=DROP '
    0    0 ACCEPT    all  --  eth1  192.168.3.0/27  0.0.0.0/0            0.0.0.0/0         
    0    0 ACCEPT    all  --  192.168.3.0/27 eth1    0.0.0.0/0            0.0.0.0/0         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 DROP      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
  100  8660 ACCEPT    all  --  *      *      127.0.0.1            0.0.0.0/0         
    4  168 ACCEPT    all  --  *      lo      0.0.0.0/0            0.0.0.0/0         
  112  9065 ACCEPT    all  --  *      *      192.168.3.1          0.0.0.0/0         
    0    0 ACCEPT    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0         
  385 70632 ACCEPT    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0         
    0    0 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `fp=OUTPUT:99 a=DROP '

Chain bad_packets (2 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 LOG        all  --  eth0  *      192.168.3.0/27      0.0.0.0/0          LOG flags 0 level 4 prefix `fp=bad_packets:2 a=DROP '
    0    0 DROP      all  --  eth0  *      192.168.3.0/27      0.0.0.0/0         
  27  1188 LOG        all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID LOG flags 0 level 4 prefix `fp=bad_packets:1 a=DROP '
  27  1188 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
18861  17M bad_tcp_packets  tcp  --  *      *      0.0.0.0/0            0.0.0.0/0         
20038  18M RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain bad_tcp_packets (1 references)
 pkts bytes target    prot opt in    out    source              destination       
 6775  377K RETURN    tcp  --  eth1  *      0.0.0.0/0            0.0.0.0/0         
    0    0 LOG        tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:!0x17/0x02 state NEW LOG flags 0 level 4 prefix `fp=bad_tcp_packets:1 a=DROP '
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:!0x17/0x02 state NEW
    0    0 LOG        tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:2 a=DROP '
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x00
    0    0 LOG        tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F LOG flags 0 level 4 prefix `fp=bad_tcp_packets:3 a=DROP '
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x3F
    0    0 LOG        tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x29 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:4 a=DROP '
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x29
    0    0 LOG        tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x37 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:5 a=DROP '
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x3F/0x37
    0    0 LOG        tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:6 a=DROP '
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x06
    0    0 LOG        tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:7 a=DROP '
    0    0 DROP      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x03/0x03
12086  17M RETURN    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain icmp_packets (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 LOG        icmp -f  *      *      0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `fp=icmp_packets:1 a=DROP '
    0    0 DROP      icmp -f  *      *      0.0.0.0/0            0.0.0.0/0         
    0    0 DROP      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          icmp type 8
    0    0 ACCEPT    icmp --  *      *      0.0.0.0/0            0.0.0.0/0          icmp type 11
    0    0 RETURN    icmp --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain tcp_inbound (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 RETURN    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain tcp_outbound (1 references)
 pkts bytes target    prot opt in    out    source              destination       
 6692  364K ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain udp_inbound (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 DROP      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:137
    0    0 DROP      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:138
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
    0    0 RETURN    udp  --  *      *      0.0.0.0/0            0.0.0.0/0         

Chain udp_outbound (1 references)
 pkts bytes target    prot opt in    out    source              destination       
  567 39083 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0

and I still cannot communicate except with certain IPs within my LAN:

From my firewall:
Code:

  Starting Nmap 5.51 ( http://nmap.org ) at 2013-06-27 15:04 EDT
Initiating ARP Ping Scan at 15:04
Scanning 192.168.3.0 [1 port]
Completed ARP Ping Scan at 15:04, 0.42s elapsed (1 total hosts)
Nmap scan report for 192.168.3.0 [host down]
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.03s elapsed
Initiating ARP Ping Scan at 15:04
Scanning 30 hosts [1 port/host]
Completed ARP Ping Scan at 15:04, 1.35s elapsed (30 total hosts)
Initiating Parallel DNS resolution of 30 hosts. at 15:04
Completed Parallel DNS resolution of 30 hosts. at 15:04, 0.04s elapsed
Nmap scan report for 192.168.3.2 [host down]
Nmap scan report for 192.168.3.3 [host down]
Nmap scan report for 192.168.3.4 [host down]
Nmap scan report for 192.168.3.5 [host down]
Nmap scan report for 192.168.3.6 [host down]
Nmap scan report for 192.168.3.7 [host down]
Nmap scan report for 192.168.3.8 [host down]
Nmap scan report for 192.168.3.9 [host down]
Nmap scan report for 192.168.3.10 [host down]
Initiating Connect Scan at 15:04
Scanning 192.168.3.1 [1 port]
Completed Connect Scan at 15:04, 0.00s elapsed (1 total ports)
Nmap scan report for 192.168.3.1
Host is up (0.00013s latency).
PORT  STATE  SERVICE
80/tcp closed http

Nmap scan report for 192.168.3.12 [host down]
Nmap scan report for 192.168.3.13 [host down]
Nmap scan report for 192.168.3.15 [host down]
Nmap scan report for 192.168.3.16 [host down]
Nmap scan report for 192.168.3.17 [host down]
Nmap scan report for 192.168.3.19 [host down]
Nmap scan report for 192.168.3.21 [host down]
Nmap scan report for 192.168.3.22 [host down]
Nmap scan report for 192.168.3.23 [host down]
Nmap scan report for 192.168.3.24 [host down]
Nmap scan report for 192.168.3.25 [host down]
Nmap scan report for 192.168.3.26 [host down]
Nmap scan report for 192.168.3.27 [host down]
Nmap scan report for 192.168.3.28 [host down]
Nmap scan report for 192.168.3.29 [host down]
Nmap scan report for 192.168.3.30 [host down]
Nmap scan report for 192.168.3.31 [host down]
Initiating Connect Scan at 15:04
Scanning 4 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.3.20
Completed Connect Scan at 15:04, 0.00s elapsed (4 total ports)
Nmap scan report for 192.168.3.11
Host is up (0.00068s latency).
PORT  STATE  SERVICE
80/tcp closed http
MAC Address: 02:03:05:CD:06:04 (ZyXEL Communications)

Nmap scan report for 192.168.3.14
Host is up (0.32s latency).
PORT  STATE  SERVICE
80/tcp closed http
MAC Address: A9:54:C2:0B:D1:70 (Unknown)

Nmap scan report for 192.168.3.18
Host is up (0.41s latency).
PORT  STATE  SERVICE
80/tcp closed http
MAC Address: C8:32:CA:DF:1B:79 (Unknown)

Nmap scan report for 192.168.3.20
Host is up (0.25s latency).
PORT  STATE SERVICE
80/tcp open  http
MAC Address: 7C:DD:90:39:65:3C (Unknown)

Read data files from: /usr/share/nmap
Nmap done: 32 IP addresses (5 hosts up) scanned in 1.96 seconds
          Raw packets sent: 61 (1.708KB) | Rcvd: 7 (196B)

and from a laptop within my LAN:
Code:

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-27 15:04 EDT
Initiating ARP Ping Scan at 15:04
Scanning 14 hosts [1 port/host]
Completed ARP Ping Scan at 15:04, 0.43s elapsed (14 total hosts)
Initiating Parallel DNS resolution of 14 hosts. at 15:04
Completed Parallel DNS resolution of 14 hosts. at 15:04, 0.03s elapsed
Nmap scan report for 192.168.3.0 [host down]
Nmap scan report for 192.168.3.2 [host down]
Nmap scan report for 192.168.3.3 [host down]
Nmap scan report for 192.168.3.4 [host down]
Nmap scan report for 192.168.3.5 [host down]
Nmap scan report for 192.168.3.6 [host down]
Nmap scan report for 192.168.3.7 [host down]
Nmap scan report for 192.168.3.8 [host down]
Nmap scan report for 192.168.3.9 [host down]
Nmap scan report for 192.168.3.10 [host down]
Nmap scan report for 192.168.3.12 [host down]
Nmap scan report for 192.168.3.13 [host down]
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.02s elapsed
Initiating Connect Scan at 15:04
Scanning 2 hosts [1 port/host]
Completed Connect Scan at 15:04, 0.00s elapsed (2 total ports)
Nmap scan report for 192.168.3.1
Host is up (0.0038s latency).
PORT  STATE  SERVICE
80/tcp closed http
MAC Address: 00:19:5B:69:C3:B1 (D-Link)

Nmap scan report for 192.168.3.11
Host is up (0.0020s latency).
PORT  STATE  SERVICE
80/tcp closed http
MAC Address: 02:03:05:CD:06:04 (ZyXEL Communications)

Initiating ARP Ping Scan at 15:04
Scanning 17 hosts [1 port/host]
Completed ARP Ping Scan at 15:04, 0.81s elapsed (17 total hosts)
Nmap scan report for 192.168.3.15 [host down]
Nmap scan report for 192.168.3.16 [host down]
Nmap scan report for 192.168.3.17 [host down]
Nmap scan report for 192.168.3.18 [host down]
Nmap scan report for 192.168.3.19 [host down]
Nmap scan report for 192.168.3.20 [host down]
Nmap scan report for 192.168.3.21 [host down]
Nmap scan report for 192.168.3.22 [host down]
Nmap scan report for 192.168.3.23 [host down]
Nmap scan report for 192.168.3.24 [host down]
Nmap scan report for 192.168.3.25 [host down]
Nmap scan report for 192.168.3.26 [host down]
Nmap scan report for 192.168.3.27 [host down]
Nmap scan report for 192.168.3.28 [host down]
Nmap scan report for 192.168.3.29 [host down]
Nmap scan report for 192.168.3.30 [host down]
Nmap scan report for 192.168.3.31 [host down]
Initiating Connect Scan at 15:04
Scanning 192.168.3.14 [1 port]
Completed Connect Scan at 15:04, 0.00s elapsed (1 total ports)
Nmap scan report for 192.168.3.14
Host is up (0.00015s latency).
PORT  STATE  SERVICE
80/tcp closed http

Read data files from: /usr/bin/../share/nmap
Nmap done: 32 IP addresses (3 hosts up) scanned in 1.36 seconds
          Raw packets sent: 60 (1.680KB) | Rcvd: 2 (56B)

What rule am I missing?

DGPickett 06-27-2013 04:41 PM

Well, failure to communicate due to firewalling is going to log a refused packet.

If you are lacking something basic like a route, and the ICMP report back was blocked, that can also give this sort of error, but you said it worked with the old rules?

metallica1973 06-27-2013 09:50 PM

Thanks for the reply. It didn't work with the old rules or the new. I am using CentOS 6.4. Could it be something local that is blocking packets to other hosts within the same subnet? This is really odd. I even did a packet capture and can't see any ICMP attempts at all originating from the laptop on which it was invoked to the CentOS firewall/gateway's interface.

DGPickett 06-28-2013 01:31 PM

What protocols do you want to use/are you testing with?

metallica1973 06-28-2013 04:56 PM

For now I am using ICMP pings and nmap SYN scans. I switched back to my original firewall rules and continued my research. These are the exact steps I am using to test what is going on:

eth0 - internet
eth1 - LAN

On the server terminal 1:
Code:

root@cli>tail -f /var/log/*
terminal 2:
Code:

tcpdump -i eth1 -s 1600 -nvS -w sniff.pcap
and then from any laptop I proceed with my testing as normal:

Code:

ping 192.168.3.18
and/or
Code:

nmap -v -sT -p 80 192.168.3.18
which shows nothing in either the logs on the server or in my packet capture that I look at through Wireshark. But I can ping 192.168.3.18 fine and can see TCP:80 open on the target just fine from the server. It's driving me crazy.
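A small diff of the two nmap runs posted above (firewall vantage point versus laptop vantage point), added here as an example and not code from the thread. The sample scan text is a constructed excerpt of the posted output, trimmed to four hosts; the parser and comparison are mine and assume nmap's verbose report format as shown on this page.

```python
import re

# Constructed excerpts of the two "nmap -v" runs from the thread (firewall
# vantage point, then laptop), trimmed to four hosts each; real output is longer.
FIREWALL_SCAN = """\
Nmap scan report for 192.168.3.1
Nmap scan report for 192.168.3.11
MAC Address: 02:03:05:CD:06:04 (ZyXEL Communications)
Nmap scan report for 192.168.3.14
MAC Address: A9:54:C2:0B:D1:70 (Unknown)
Nmap scan report for 192.168.3.18
MAC Address: C8:32:CA:DF:1B:79 (Unknown)
"""
LAPTOP_SCAN = """\
Nmap scan report for 192.168.3.1
MAC Address: 00:19:5B:69:C3:B1 (D-Link)
Nmap scan report for 192.168.3.11
MAC Address: 02:03:05:CD:06:04 (ZyXEL Communications)
Nmap scan report for 192.168.3.18 [host down]
Nmap scan report for 192.168.3.14
"""
REPORT = re.compile(r"^Nmap scan report for (\S+)( \[host down\])?$")
MAC = re.compile(r"^MAC Address: ([0-9A-F:]{17})")

def parse_scan(text):
    """Return {ip: mac_or_None} for every host that answered; [host down] is skipped."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT.match(line)
        if m:
            current = None if m.group(2) else m.group(1)
            if current:
                hosts[current] = None
            continue
        m = MAC.match(line)
        if m and current:
            hosts[current] = m.group(1)
    return hosts

def scanner_self(hosts):
    # nmap prints no MAC for the machine it runs on (it never ARPs for itself),
    # so an up host with no MAC line is the vantage point of that scan.
    return [ip for ip, mac in hosts.items() if mac is None]

def compare(a, b):
    """Hosts seen from a but not b, from b but not a, and from both."""
    return {"only_a": set(a) - set(b), "only_b": set(b) - set(a), "both": set(a) & set(b)}
```

A host that answers the firewall's ARP probe but not the laptop's points at layer 2 (switch port or AP client isolation) rather than at iptables on the gateway, since traffic between two hosts on the same /27 never traverses the firewall.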

