[ILUG] iptables firewall question
Marco Savo
savomarco at gmail.com
Wed Feb 2 16:41:17 GMT 2011
Hello,
a tricky security firewall question:
I have a web server on the LAN; I set up port 80 on the WAN to be the
web server on the LAN.
The problem is that I see the web server on the WAN IP address, but I can
also reach the LAN IP address. I have the WAN as eth0.3, the LAN as br-lan.
What am I doing wrong? I thought I had set up DNAT correctly.
+ iptables -A INPUT -m state --state INVALID -j DROP
+ iptables -A OUTPUT -m state --state INVALID -j DROP
+ iptables -A FORWARD -m state --state INVALID -j DROP
+ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A OUTPUT -o lo -j ACCEPT
+ iptables -N syn_flood
+ iptables -A syn_flood -p tcp --syn -m limit --limit 25/second --limit-burst 50 -j RETURN
+ iptables -A syn_flood -j DROP
+ iptables -A INPUT -p tcp --syn -j syn_flood
+ iptables -N input_rule
+ iptables -N output_rule
+ iptables -A INPUT -j input_rule
+ iptables -A OUTPUT -j output_rule
+ iptables -N input
+ iptables -N output
+ iptables -N forward
+ iptables -A INPUT -j input
+ iptables -A OUTPUT -j output
+ iptables -A FORWARD -j forward
+ iptables -N reject
+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset
+ iptables -A reject -j REJECT --reject-with icmp-port-unreachable
+ iptables -P INPUT ACCEPT
+ iptables -P OUTPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ iptables -N zone_lan
+ iptables -N zone_lan_MSSFIX
+ iptables -N zone_lan_ACCEPT
+ iptables -N zone_lan_DROP
+ iptables -N zone_lan_REJECT
+ iptables -N zone_lan_forward
+ iptables -A zone_lan_forward -j zone_lan_REJECT
+ iptables -A zone_lan -j zone_lan_ACCEPT
+ iptables -A output -j zone_lan_ACCEPT
+ iptables -N zone_lan_nat -t nat
+ iptables -N zone_lan_prerouting -t nat
+ iptables -N input_lan
+ iptables -N forwarding_lan
+ iptables -I zone_lan 1 -j input_lan
+ iptables -I zone_lan_forward 1 -j forwarding_lan
+ iptables -N zone_wan
+ iptables -N zone_wan_ACCEPT
+ iptables -N zone_wan_DROP
+ iptables -N zone_wan_REJECT
+ iptables -N zone_wan_forward
+ iptables -A zone_wan_forward -j zone_wan_REJECT
+ iptables -A zone_wan -j zone_wan_REJECT
+ iptables -A output -j zone_wan_ACCEPT
+ iptables -N zone_wan_prerouting -t nat
+ iptables -N input_wan
+ iptables -N forwarding_wan
+ iptables -I zone_wan 1 -j input_wan
+ iptables -I zone_wan_forward 1 -j forwarding_wan
+ iptables -N zone_wanvoice
+ iptables -N zone_wanvoice_ACCEPT
+ iptables -N zone_wanvoice_DROP
+ iptables -N zone_wanvoice_REJECT
+ iptables -N zone_wanvoice_forward
+ iptables -A zone_wanvoice_forward -j zone_wanvoice_REJECT
+ iptables -A zone_wanvoice -j zone_wanvoice_ACCEPT
+ iptables -A output -j zone_wanvoice_ACCEPT
+ iptables -N zone_wanvoice_nat -t nat
+ iptables -N zone_wanvoice_prerouting -t nat
+ iptables -N input_wanvoice
+ iptables -N forwarding_wanvoice
+ iptables -I zone_wanvoice 1 -j input_wanvoice
+ iptables -I zone_wanvoice_forward 1 -j forwarding_wanvoice
+ iptables -I zone_lan_forward 1 -p all -j zone_wan_ACCEPT
+ iptables -I input 1 -p icmp -j ACCEPT
+ iptables -A zone_wan_prerouting -t nat -p tcp -i eth0.3 -d 65.65.8.1 --dport 80 -j DNAT --to-destination 192.168.199.4:80
+ iptables -I zone_wan_forward 1 -p tcp -i eth0.3 -o br-lan -d 192.168.199.4 --dport 80 -m state --state NEW -j ACCEPT
+ iptables -t nat -I zone_lan_prerouting 1 -j ACCEPT --protocol tcp --dport 80 --destination localhost
+ iptables -t nat -I zone_lan_prerouting 1 -j ACCEPT --protocol tcp --dport 8081 --destination localhost
+ iptables -t filter -I zone_lan 1 -j ACCEPT --protocol tcp --dport 80
+ iptables -t filter -I zone_lan 1 -j ACCEPT --protocol tcp --dport 8081
+ iptables -A input -i br-lan -j zone_lan
+ iptables -I zone_lan_MSSFIX 1 -o br-lan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ iptables -I zone_lan_ACCEPT 1 -o br-lan -j ACCEPT
+ iptables -I zone_lan_DROP 1 -o br-lan -j DROP
+ iptables -I zone_lan_REJECT 1 -o br-lan -j reject
+ iptables -I zone_lan_ACCEPT 1 -i br-lan -j ACCEPT
+ iptables -I zone_lan_DROP 1 -i br-lan -j DROP
+ iptables -I zone_lan_REJECT 1 -i br-lan -j reject
+ iptables -I PREROUTING 1 -t nat -i br-lan -j zone_lan_prerouting
+ iptables -A forward -i br-lan -j zone_lan_forward
+ iptables -A input -i eth0.3 -j zone_wan
+ iptables -I zone_wan_ACCEPT 1 -o eth0.3 -j ACCEPT
+ iptables -I zone_wan_DROP 1 -o eth0.3 -j DROP
+ iptables -I zone_wan_REJECT 1 -o eth0.3 -j reject
+ iptables -I zone_wan_ACCEPT 1 -i eth0.3 -j ACCEPT
+ iptables -I zone_wan_DROP 1 -i eth0.3 -j DROP
+ iptables -I zone_wan_REJECT 1 -i eth0.3 -j reject
+ iptables -I PREROUTING 1 -t nat -i eth0.3 -j zone_wan_prerouting
+ iptables -A forward -i eth0.3 -j zone_wan_forward
Tables hit:
# iptables -vL -n | more
Chain INPUT (policy ACCEPT 7 packets, 1472 bytes)
 pkts bytes target           prot opt in     out    source     destination
  133  7872 ACCEPT           all  --  *      *      0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
   16  4645 input_rule       all  --  *      *      0.0.0.0/0  0.0.0.0/0
   15  4258 input            all  --  *      *      0.0.0.0/0  0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out    source     destination
   24  1440 DROP             all  --  *      *      0.0.0.0/0  0.0.0.0/0      state INVALID
   94 12553 ACCEPT           all  --  *      *      0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED
 1060 51132 forward          all  --  *      *      0.0.0.0/0  0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in     out    source     destination
 1169 62352 ACCEPT           all  --  *      *      0.0.0.0/0  0.0.0.0/0      state RELATED,ESTABLISHED

Chain forward (1 references)
 pkts bytes target           prot opt in     out    source     destination
    0     0 zone_lan_forward all  --  br-lan *      0.0.0.0/0  0.0.0.0/0
 1060 51132 zone_wan_forward all  --  eth0.3 *      0.0.0.0/0  0.0.0.0/0

Chain input (1 references)
 pkts bytes target           prot opt in     out    source     destination
    7  2709 zone_lan         all  --  br-lan *      0.0.0.0/0  0.0.0.0/0

Chain reject (4 references)
 pkts bytes target           prot opt in     out    source     destination
 1012 44592 REJECT           tcp  --  *      *      0.0.0.0/0  0.0.0.0/0      reject-with tcp-reset
   24  5232 REJECT           all  --  *      *      0.0.0.0/0  0.0.0.0/0      reject-with icmp-port-unreachable

Chain zone_lan (1 references)
 pkts bytes target           prot opt in     out    source     destination
    7  2709 input_lan        all  --  *      *      0.0.0.0/0  0.0.0.0/0
    7  2709 zone_lan_ACCEPT  all  --  *      *      0.0.0.0/0  0.0.0.0/0

Chain zone_lan_ACCEPT (2 references)
 pkts bytes target           prot opt in     out    source     destination
    7  2709 ACCEPT           all  --  br-lan *      0.0.0.0/0  0.0.0.0/0

Chain zone_wan_REJECT (2 references)
 pkts bytes target           prot opt in     out    source     destination
 1036 49824 reject           all  --  eth0.3 *      0.0.0.0/0  0.0.0.0/0

Chain zone_wan_forward (1 references)
 pkts bytes target           prot opt in     out    source     destination
   24  1308 ACCEPT           tcp  --  eth0.3 br-lan 0.0.0.0/0  192.168.199.4  tcp dpt:80 state NEW
 1036 49824 forwarding_wan   all  --  *      *      0.0.0.0/0  0.0.0.0/0
 1036 49824 zone_wan_REJECT  all  --  *      *      0.0.0.0/0  0.0.0.0/0
#
# iptables -vL -t nat -n
Chain PREROUTING (policy ACCEPT 7470 packets, 499K bytes)
 pkts bytes target              prot opt in     out    source     destination
 1068 51888 zone_wan_prerouting all  --  eth0.3 *      0.0.0.0/0  0.0.0.0/0
   15  1327 zone_lan_prerouting all  --  br-lan *      0.0.0.0/0  0.0.0.0/0
--
'The Magic Is In the Movement'
"E la luce fu!" - And there was light
More information about the ILUG mailing list
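The two rules the post marks as the DNAT setup, as an added example that is not part of the original post or of OpenWrt's firewall scripts. The forward ACCEPT in the post matches on the private destination alone: if the next hop on eth0.3 can route 192.168.199.0/24 to this router, a packet addressed straight to 192.168.199.4:80 never touches the DNAT rule (which only matches -d 65.65.8.1) yet is still accepted by zone_wan_forward. Reaching the LAN address from a LAN host, by contrast, is normal and not what this addresses. The tightened rule below keys the ACCEPT on the DNAT conntrack state instead, and a small audit function flags forward ACCEPTs from the WAN interface to private space that lack it. Interface names, addresses and the zone_wan_* chain names are taken from the post; the sample iptables-save excerpt and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. It reuses the names from the
# post (WAN eth0.3, LAN br-lan, public 65.65.8.1, server 192.168.199.4, and the
# zone_wan_prerouting / zone_wan_forward chains); everything else, including
# the sample dump below, is constructed for illustration.

WAN_IF=eth0.3
LAN_IF=br-lan
WAN_IP=65.65.8.1
SRV_IP=192.168.199.4
PORT=80

# The two rules in the shape the post uses. The forward ACCEPT is keyed only on
# the private destination, so it also admits a packet that arrived on eth0.3
# already addressed to 192.168.199.4, i.e. one that was never DNATed.
loose_rules() {
  echo "iptables -t nat -A zone_wan_prerouting -p tcp -i $WAN_IF -d $WAN_IP --dport $PORT -j DNAT --to-destination $SRV_IP:$PORT"
  echo "iptables -I zone_wan_forward 1 -p tcp -i $WAN_IF -o $LAN_IF -d $SRV_IP --dport $PORT -m state --state NEW -j ACCEPT"
}

# Same port forward, but the ACCEPT requires the DNAT conntrack state, which
# only a connection whose destination was rewritten in PREROUTING carries.
# Anything sent straight to the private address falls through to the zone's
# REJECT. Needs the xt_conntrack match module on the router.
tight_rules() {
  echo "iptables -t nat -A zone_wan_prerouting -p tcp -i $WAN_IF -d $WAN_IP --dport $PORT -j DNAT --to-destination $SRV_IP:$PORT"
  echo "iptables -I zone_wan_forward 1 -p tcp -i $WAN_IF -o $LAN_IF -d $SRV_IP --dport $PORT -m conntrack --ctstate DNAT -j ACCEPT"
}

# Audit: read rules on stdin, either iptables-save lines (-A chain ...) or
# iptables commands (-A/-I chain [n] ...), and print every ACCEPT in a
# *forward chain that enters from the WAN interface towards an RFC 1918 (or
# unspecified) destination without requiring the DNAT state.
audit_forward_rules() {
  awk -v wan="$WAN_IF" '
  {
    chain = ""; inif = ""; dst = ""; target = ""; dnat = 0
    for (i = 1; i <= NF; i++) {
      if ($i == "-A" || $i == "-I") {
        chain = $(i + 1)
        if ($i == "-I" && $(i + 2) ~ /^[0-9]+$/) i++   # skip the -I position
        i++
      }
      else if ($i == "-i") inif = $(i + 1)
      else if ($i == "-d") dst = $(i + 1)
      else if ($i == "-j") target = $(i + 1)
      else if ($i == "--ctstate" && $(i + 1) ~ /DNAT/) dnat = 1
    }
    if (tolower(chain) !~ /forward$/ || inif != wan || target != "ACCEPT" || dnat) next
    if (dst == "" || dst ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) print
  }'
}

# Number of loose rules, for scripting:  iptables-save | count_loose_forwards
count_loose_forwards() {
  audit_forward_rules | awk 'END { print NR }'
}

# Constructed iptables-save excerpt: one loose rule (the -m state line), one
# that requires DNAT, one for a public destination, and the zone's REJECT.
SAMPLE_DUMP='*filter
:FORWARD ACCEPT [0:0]
:zone_wan_forward - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A zone_wan_forward -p tcp -i eth0.3 -o br-lan -d 192.168.199.4/32 --dport 80 -m state --state NEW -j ACCEPT
-A zone_wan_forward -p tcp -i eth0.3 -o br-lan -d 192.168.199.4/32 --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
-A zone_wan_forward -p tcp -i eth0.3 -d 65.65.8.1/32 --dport 443 -j ACCEPT
-A zone_wan_forward -j zone_wan_REJECT
COMMIT'

# Prints only the loose rule from the sample.
printf '%s\n' "$SAMPLE_DUMP" | audit_forward_rules
```

On the router, `tight_rules | sh` (as root) installs the corrected pair and `iptables-save | audit_forward_rules` checks the live ruleset. Note that `--ctstate DNAT` is used on its own rather than `NEW,DNAT`: the ctstate list is an OR, so adding NEW would accept every new connection again. The first packet of a forwarded connection has already been rewritten in PREROUTING by the time it reaches FORWARD, so it carries the DNAT state; later packets are handled by the RELATED,ESTABLISHED rule at the top of FORWARD.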