regression: iptables firewall not routing all packets
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
iptables (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: iptables
I have, until recently, been running a BLFS server with the following iptables firewall script:
#!/bin/sh
IPTABLES=`which iptables`
TC=`which tc`
DEPMOD=`which depmod`
MODPROBE=`which modprobe`
GREP=`which grep`
AWK=`which awk`
SED=`which sed`
IFCONFIG=`which ifconfig`
EXTIF="eth0"
EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/
INTIF="eth1"
INTIP="
INTNET=
UNIVERSE=
#######
# Turn on IP-Forwarding and Dynamic-Addressing
#
echo 1 > /proc/sys/
echo 1 > /proc/sys/
#######
# Clearing any existing rules and setting default policy..
#
#first clear any settings
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z
#######
# DROPs: drop certain packets without logging or anything
#
# ICMP stuff
$IPTABLES -A INPUT -i $EXTIF -p icmp -j DROP
# DROP without logging stuff that I really don't care about....Micr$not's SMB probes...etc.
$IPTABLES -A INPUT -i $EXTIF -p udp -d $EXTIP --dport 135:139 -j DROP #M$
$IPTABLES -A INPUT -i $EXTIF -p udp -d $EXTIP --dport 445 -j DROP #M$
$IPTABLES -A INPUT -i $EXTIF -p udp -d $EXTIP --dport 1434 -j DROP #M$
$IPTABLES -A INPUT -i $EXTIF -p udp -d $EXTIP --dport 1025:1027 -j DROP #M$
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 21 -j DROP #FTP
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 53 -j DROP #DNS
#######
# Create DROP and LOG chain
#
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -d $EXTIP -j ULOG --ulog-nlgroup 1 --ulog-prefix "FIREWALL: "
#$IPTABLES -A drop-and-log-it -d $EXTIP -j LOG --log-prefix "FIREWALL: "
$IPTABLES -A drop-and-log-it -j DROP
#######
# INPUT: Incoming traffic from various interfaces.
# All rulesets are already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
$IPTABLES -A INPUT -i lo -j ACCEPT
# allow internal networks
$IPTABLES -A INPUT -s $INTNET -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# allow already established connections and permit new related connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# catch all rule, all other incoming is denied and logged.
$IPTABLES -A INPUT -j drop-and-log-it
#######
# OUTPUT: Outgoing traffic from various interfaces.
# All rulesets are already flushed and set to a default policy of DROP.
#
# loopback interface is valid.
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
# anything outgoing on remote interface is valid
$IPTABLES -A OUTPUT -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
#######
# FORWARD: Enable Forwarding and thus IPMASQ
# All rulesets are already flushed and set to a default policy of DROP.
#
# Allow all connections OUT and only existing/related IN
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
$IPTABLES -A FORWARD -j drop-and-log-it
# Enabling SNAT (MASQUERADE) functionality on $EXTIF
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
...this script was written after reading over the documentation found here: https:/
I have duplicated this issue on Ubuntu Desktop 8.10 as well as Ubuntu Server 8.10, and I have had posts from other users who upgraded from Hardy to Intrepid, and this issue started happening to them. This issue has been discussed here: http://
Steps to reproduce this issue:
1.) Build up Ubuntu Server with 2 network cards in it, one for LAN and one for WAN
2.) Set up eth0 for WAN and eth1 for LAN (adjust as needed) (config file attached)
4.) Install and configure DNS/DHCP services to listen on eth1 LAN interface (config files will be attached)
5.) Run the above (or attached) firewall.start script
6.) Ping www.ubuntu.com (this should work)
7.) Launch Firefox and go to www.ubuntu.com, and you should see this fail
This script should work the same as it has worked in the past on other Linux installations.
Just wanted to clarify something...the server itself can still surf the web, connect to IRC...etc. It is just the clients that cannot. They can ping/traceroute ...but that is it. They can't browse, IRC or IM to anything outside of the server.
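A small model of the INPUT and FORWARD chain logic of the script above, added here as an illustration (it is not the reporter's code and not iptables itself); EXTIP and INTNET are constructed stand-ins because the report truncates them, and the `state` field is whatever conntrack would report for the packet:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Assumed stand-ins: the report truncates EXTIP and INTNET, so these are constructed values.
EXTIF, INTIF = "eth0", "eth1"
EXTIP = ip_network("203.0.113.5/32")
INTNET = ip_network("192.168.1.0/24")

@dataclass
class Packet:
    i: str                # ingress interface (-i)
    o: str = ""           # egress interface (-o), FORWARD only
    p: str = "tcp"        # protocol (-p)
    s: str = "0.0.0.0"    # source address (-s)
    d: str = "0.0.0.0"    # destination address (-d)
    dport: int = 0        # destination port (--dport)
    state: str = "NEW"    # conntrack classification seen by -m state

def matches(cond, pkt):  # True when every condition of one rule holds for the packet
    for key, want in cond.items():
        if key in ("s", "d"):
            ok = ip_address(getattr(pkt, key)) in want   # address within network
        elif key == "dport":
            ok = want[0] <= pkt.dport <= want[1]         # inclusive port range
        elif key == "state":
            ok = pkt.state in want
        else:
            ok = getattr(pkt, key) == want
        if not ok:
            return False
    return True

def walk(chain, pkt):  # (verdict, logged): first matching rule wins, else the DROP policy
    for cond, target in chain:
        if matches(cond, pkt):
            return ("DROP", True) if target == "drop-and-log-it" else (target, False)
    return ("DROP", False)

INPUT = [   # same order as the script; one of its port-DROP lines stands for all of them
    ({"i": EXTIF, "p": "icmp"}, "DROP"),
    ({"i": EXTIF, "p": "udp", "d": EXTIP, "dport": (135, 139)}, "DROP"),
    ({"i": "lo"}, "ACCEPT"),
    ({"s": INTNET}, "ACCEPT"),
    ({"i": EXTIF, "s": INTNET}, "drop-and-log-it"),        # anti-spoofing rule
    ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ({}, "drop-and-log-it"),                               # catch-all
]
FORWARD = [
    ({"i": EXTIF, "o": INTIF, "state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ({"i": INTIF, "o": EXTIF}, "ACCEPT"),
    ({}, "drop-and-log-it"),
]
```

Walking a packet that arrives on eth0 with a source inside INTNET shows it is accepted by the earlier `-s $INTNET -j ACCEPT` rule, so the later anti-spoofing rule never fires for it. A reply that the state match classifies as INVALID lands in drop-and-log-it, so the ULOG entries with the "FIREWALL: " prefix are the first place to look when the clients' return traffic disappears.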