
Help needed with firewall

eZap
Posts: 4
Joined: 18 Oct 2011, 09:02

Help needed with firewall

Post by eZap »

I had some issues connecting via SSH within the wireless network and ended up FLUSHING the INPUT tables... big mistake...

Managed to get the B3 up and running again by using the recovery USB stick and a standard setup found on this forum. However, I can only access the internet from PCs on the WLAN by setting INPUT and FORWARD to ACCEPT, and therefore need some help setting the firewall up again correctly.

What am I doing wrong?

Thanks in advance
eZap

root@b3:/home/soren# ifconfig
br0 Link encap:Ethernet HWaddr 00:0b:6b:e4:ee:0c
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::222:2ff:fe00:22cd/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:135475 errors:0 dropped:0 overruns:0 frame:0
TX packets:57268 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15057206 (14.3 MiB) TX bytes:31258733 (29.8 MiB)

eth0 Link encap:Ethernet HWaddr 00:22:02:00:22:cc
inet addr:85.82.25.51 Bcast:85.82.25.55 Mask:255.255.255.248
inet6 addr: fe80::222:2ff:fe00:22cc/64 Scope:Link
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:73724 errors:0 dropped:0 overruns:0 frame:0
TX packets:61387 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:32861988 (31.3 MiB) TX bytes:9090628 (8.6 MiB)
Interrupt:11

eth1 Link encap:Ethernet HWaddr 00:22:02:00:22:cd
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:15

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:103 errors:0 dropped:0 overruns:0 frame:0
TX packets:103 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8698 (8.4 KiB) TX bytes:8698 (8.4 KiB)

mon.wlan0 Link encap:UNSPEC HWaddr 00-0B-6B-E4-EE-0C-01-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11218 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1522106 (1.4 MiB) TX bytes:0 (0.0 B)

wlan0 Link encap:Ethernet HWaddr 00:0b:6b:e4:ee:0c
inet6 addr: fe80::20b:6bff:fee4:ee0c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:140361 errors:0 dropped:0 overruns:0 frame:0
TX packets:85409 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:18753969 (17.8 MiB) TX bytes:40006509 (38.1 MiB)

root@b3:/home/soren# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
85.82.25.48 0.0.0.0 255.255.255.248 U 0 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
0.0.0.0 85.82.25.49 0.0.0.0 UG 0 0 0 eth0

root@b3:/home/soren# iptables-save
# Generated by iptables-save v1.4.8 on Tue Oct 18 22:07:08 2011
*nat
:PREROUTING ACCEPT [2909:159090]
:INPUT ACCEPT [194:26025]
:OUTPUT ACCEPT [74:7571]
:POSTROUTING ACCEPT [14:3514]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 18 22:07:08 2011
# Generated by iptables-save v1.4.8 on Tue Oct 18 22:07:08 2011
*filter
:INPUT ACCEPT [848:147547]
:FORWARD ACCEPT [2181:104539]
:OUTPUT ACCEPT [498:75181]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i wlan0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Oct 18 22:07:08 2011
root@b3:/home/soren#
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Help needed with firewall

Post by Gordon »

On the B3 the interfaces wlan0 and eth1 are paired in a bridge: br0. This is the interface that Netfilter sees when you connect from the LAN.

eZap wrote:
# Generated by iptables-save v1.4.8 on Tue Oct 18 22:07:08 2011
*nat
:PREROUTING ACCEPT [2909:159090]
:INPUT ACCEPT [194:26025]
:OUTPUT ACCEPT [74:7571]
:POSTROUTING ACCEPT [14:3514]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 18 22:07:08 2011
# Generated by iptables-save v1.4.8 on Tue Oct 18 22:07:08 2011
*filter
:INPUT DROP [848:147547]
:FORWARD DROP [2181:104539]
:OUTPUT ACCEPT [498:75181]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT

-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Oct 18 22:07:08 2011
PS: don't allow access to port 22 from the internet. It attracts little pestery beasties...
eZap
Posts: 4
Joined: 18 Oct 2011, 09:02

Re: Help needed with firewall

Post by eZap »

Thanks Gordon,

I'm aware of the potential port 22 issue, but I need this access until I have got the rest up and running.

Your suggested changes helped fix the FORWARD part, so this is now set to DROP; however, my Internet access from wireless still does not work unless INPUT is set to ACCEPT.

Any suggestions?

Thanks in advance
eZap

root@b3:/etc/network# iptables-save
# Generated by iptables-save v1.4.8 on Wed Oct 19 17:07:34 2011
*nat
:PREROUTING ACCEPT [1434:74220]
:INPUT ACCEPT [87:7589]
:OUTPUT ACCEPT [62:5869]
:POSTROUTING ACCEPT [8:2310]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 19 17:07:34 2011
# Generated by iptables-save v1.4.8 on Wed Oct 19 17:07:34 2011
*filter
:INPUT ACCEPT [33:3961]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [96:17742]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
COMMIT
# Completed on Wed Oct 19 17:07:34 2011
eZap
Posts: 4
Joined: 18 Oct 2011, 09:02

Re: Help needed with firewall

Post by eZap »

Managed to fix the problem by adding the line:
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

My wireless connected devices can now access the Internet again :D


# Generated by iptables-save v1.4.8 on Wed Oct 19 18:50:13 2011
*nat
:PREROUTING ACCEPT [2113:111064]
:INPUT ACCEPT [156:12862]
:OUTPUT ACCEPT [131:10736]
:POSTROUTING ACCEPT [8:2584]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 19 18:50:13 2011
# Generated by iptables-save v1.4.8 on Wed Oct 19 18:50:13 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [34:3304]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
COMMIT
# Completed on Wed Oct 19 18:50:13 2011
Br.
eZap
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: Help needed with firewall

Post by Gordon »

I'm somewhat confused about that. :?

Since wireless connects to the B3 through the br0 interface, the rule is already set to ACCEPT. The change caused by setting the policy for INPUT to ACCEPT is that it also allows full access to the B3 itself from the WAN (eth0) interface. There should not be any need to do so, and I see no obvious reason why this would change anything in the FORWARD behaviour.

Thing is, I've never used the iptables-save and iptables-restore commands before, and I'm not really sure what the apparent port range does with what seems to be the policy. Possibly there's an issue with these port ranges that causes route-back to be blocked initially.

Try this one. This is a copy of the one I'm using with just the ipsec rules removed.


# Generated by iptables-save v1.4.8 on Fri Sep 23 09:31:16 2011
*nat
:PREROUTING ACCEPT [6315:454938]
:INPUT ACCEPT [178:17370]
:OUTPUT ACCEPT [4943:387655]
:POSTROUTING ACCEPT [5139:413199]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Sep 23 09:31:16 2011
# Generated by iptables-save v1.4.8 on Fri Sep 23 09:31:16 2011
*filter
:INPUT DROP [6:312]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1262:133546]
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -s 194.109.6.97/32 -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -s 194.109.6.97/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
COMMIT
# Completed on Fri Sep 23 09:31:16 2011
# Generated by iptables-save v1.4.8 on Fri Sep 23 09:31:16 2011
*mangle
:PREROUTING ACCEPT [542368:112356603]
:INPUT ACCEPT [499236:71914277]
:FORWARD ACCEPT [46360:40659315]
:OUTPUT ACCEPT [495478:936679294]
:POSTROUTING ACCEPT [543575:977424369]
COMMIT
# Completed on Fri Sep 23 09:31:16 2011
You'll probably want to change the 194.109.6.97 address. I left it in on purpose just to show how you can easily limit access to that ssh port.
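The two points this thread turns on, eZap's fix (the RELATED,ESTABLISHED rule for eth0 in the INPUT chain) and the source-restricted ssh rule in Gordon's last ruleset, can be traced with a small simulator of the filter-table INPUT chain. This is an added example, not code from the thread or from the B3 firmware. It parses only the option subset the posted rulesets use (-i, -s, -p, --dport, --state/--ctstate, --icmp-type, and --tcp-flags with or without !) and evaluates constructed packets against an INPUT chain with policy DROP, once without and once with the eth0 return-traffic rule. Connection state is supplied with each packet rather than tracked. The explanation of why wireless clients lost Internet access is an assumption, not something the posts state: if the B3 itself forwards DNS for the LAN, its upstream queries leave on eth0 and the replies come back on eth0 as ESTABLISHED packets destined for the B3, so they traverse INPUT, not FORWARD, and the DROP policy discards them until that rule exists. All packet addresses other than 194.109.6.97 (taken from Gordon's post) are constructed documentation-range values.

```python
"""Tiny model of the iptables *filter* INPUT chain, showing why the B3's own
return traffic on eth0 needs a RELATED,ESTABLISHED rule once the policy is DROP.
Added example for the thread above, not code from the forum or the B3 firmware.
Only the option subset used in the posted rulesets is understood; connection
state is supplied with each packet instead of being tracked."""
import shlex

# Rules copied from the thread; the two anti-scan rules come first, as in the posts.
FLAG_RULES = [
    "-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset",
    "-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP",
]
STATEFUL_RULE = "-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
TAIL_RULES = [
    "-A INPUT -i br0 -j ACCEPT",
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT",
    # Gordon's source-restricted ssh rule; 194.109.6.97 is the address from his post.
    "-A INPUT -s 194.109.6.97/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT",
]

def ruleset(extra):
    """Build an iptables-save style filter table with INPUT policy DROP."""
    lines = ["*filter", ":INPUT DROP [0:0]", *FLAG_RULES, *extra, *TAIL_RULES, "COMMIT"]
    return "\n".join(lines) + "\n"

BEFORE = ruleset([])               # no return-traffic rule on eth0 (eZap's failing state)
AFTER = ruleset([STATEFUL_RULE])   # eZap's fix

def parse_rule(tokens):
    """Turn the tokens after '-A INPUT' into a dict of match criteria and target."""
    rule, negate, i = {}, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-i":
            rule["in_if"] = arg
        elif tok == "-p":
            rule["proto"] = arg
        elif tok == "-s":
            rule["src"] = arg.split("/")[0]          # /32 only, as in the thread
        elif tok == "--dport":
            rule["dport"] = int(arg)
        elif tok in ("--state", "--ctstate"):
            rule["states"] = set(arg.split(","))
        elif tok == "--icmp-type":
            rule["icmp_type"] = arg
        elif tok == "--tcp-flags":                   # --tcp-flags MASK COMP
            rule["tcp_flags"] = (set(arg.split(",")), set(tokens[i + 2].split(",")), negate)
            i += 1
        elif tok == "-j":
            rule["target"] = arg
        # '-m <match>' and '--reject-with <type>' take one argument and need no state here
        negate, i = False, i + 2
    return rule

def parse_chain(save_text, chain="INPUT"):
    """Return (policy, rules) for one chain of the *filter table."""
    policy, rules, in_filter = "ACCEPT", [], False
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif in_filter and line.startswith(f"-A {chain} "):
            rules.append(parse_rule(shlex.split(line)[2:]))
    return policy, rules

def matches(rule, pkt):
    """True when every criterion in the rule holds for the packet."""
    for key, pkey in [("in_if", "in"), ("proto", "proto"), ("src", "src"),
                      ("dport", "dport"), ("icmp_type", "icmp_type")]:
        if key in rule and pkt.get(pkey) != rule[key]:
            return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    if "tcp_flags" in rule:
        mask, comp, negated = rule["tcp_flags"]
        hit = (pkt.get("flags", set()) & mask) == comp
        if hit == negated:                           # '!' inverts the flag test
            return False
    return True

def verdict(save_text, pkt):
    """First terminating rule that matches wins; otherwise the chain policy applies."""
    policy, rules = parse_chain(save_text)
    for rule in rules:
        if rule.get("target") in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed packets (addresses are documentation ranges, not real hosts).
DNS_REPLY  = {"in": "eth0", "proto": "udp", "src": "203.0.113.53", "dport": 40000, "state": "ESTABLISHED"}
LAN_SSH    = {"in": "br0",  "proto": "tcp", "src": "192.168.10.20", "dport": 22, "state": "NEW", "flags": {"SYN"}}
WAN_SSH    = {"in": "eth0", "proto": "tcp", "src": "198.51.100.7", "dport": 22, "state": "NEW", "flags": {"SYN"}}
ADMIN_SSH  = {"in": "eth0", "proto": "tcp", "src": "194.109.6.97", "dport": 22, "state": "NEW", "flags": {"SYN"}}
WAN_HTTPS  = {"in": "eth0", "proto": "tcp", "src": "198.51.100.7", "dport": 443, "state": "NEW", "flags": {"SYN"}}
SYNACK_NEW = {"in": "eth0", "proto": "tcp", "src": "198.51.100.7", "dport": 443, "state": "NEW", "flags": {"SYN", "ACK"}}

if __name__ == "__main__":
    for name, pkt in [("DNS reply to the B3", DNS_REPLY), ("LAN ssh", LAN_SSH), ("WAN ssh", WAN_SSH),
                      ("admin ssh", ADMIN_SSH), ("WAN https", WAN_HTTPS), ("SYN+ACK as NEW", SYNACK_NEW)]:
        print(f"{name:20s} before: {verdict(BEFORE, pkt):6s} after: {verdict(AFTER, pkt)}")
```

Running it shows the DNS reply to the B3 itself being dropped by the policy before the fix and accepted after it, while LAN traffic on br0 is accepted in both cases, which is why the INPUT policy mattered even though forwarding was already allowed. The last two packets show the order dependence Gordon's rulesets rely on: a NEW connection that arrives as SYN+ACK is rejected by the first anti-scan rule before the port 443 rule is reached, and ssh from the WAN is only accepted from the one source address.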