regression: iptables firewall not routing all packets

Bug #320899 reported by Lupine
Affects: iptables (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: iptables

I have, until recently, been running a BLFS server with the following iptables firewall script:

#!/bin/sh

IPTABLES=`which iptables`
TC=`which tc`
DEPMOD=`which depmod`
MODPROBE=`which modprobe`
GREP=`which grep`
AWK=`which awk`
SED=`which sed`
IFCONFIG=`which ifconfig`
EXTIF="eth0"
EXTIP="`$IFCONFIG $EXTIF | $AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
INTIF="eth1"
INTIP="192.168.5.1/32"
INTNET="192.168.5.0/24"
UNIVERSE="0.0.0.0/0"

################################################## #
# Turn on IP-Forwarding and Dynamic-Addressing
#
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

################################################## #
# Clearing any existing rules and setting default policy..
#
#first clear any settings
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z

################################################## #
# DROPs: drop certain packets without logging or anything
#

# ICMP stuff
$IPTABLES -A INPUT -i $EXTIF -p icmp -j DROP

# DROP without logging stuff that I really don't care about....Micr$not's SMB probes...etc.
$IPTABLES -A INPUT -i $EXTIF -p udp -d $EXTIP --dport 135:139 -j DROP #M$
$IPTABLES -A INPUT -i $EXTIF -p udp -d $EXTIP --dport 445 -j DROP #M$
$IPTABLES -A INPUT -i $EXTIF -p udp -d $EXTIP --dport 1434 -j DROP #M$
$IPTABLES -A INPUT -i $EXTIF -p udp -d $EXTIP --dport 1025:1027 -j DROP #M$
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 21 -j DROP #FTP
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport 53 -j DROP #DNS

################################################## #
# Create the DROP-and-LOG chain
#
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -d $EXTIP -j ULOG --ulog-nlgroup 1 --ulog-prefix "FIREWALL: "
#$IPTABLES -A drop-and-log-it -d $EXTIP -j LOG --log-prefix "FIREWALL: "
$IPTABLES -A drop-and-log-it -j DROP

################################################## #
# INPUT: Incoming traffic from various interfaces.
# All rulesets are already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
$IPTABLES -A INPUT -i lo -j ACCEPT

# allow internal networks
$IPTABLES -A INPUT -s $INTNET -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# allow already established connections and permit new related connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# catch all rule, all other incoming is denied and logged.
$IPTABLES -A INPUT -j drop-and-log-it

################################################## #
# OUTPUT: Outgoing traffic from various interfaces.
# All rulesets are already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything outgoing on remote interface is valid
$IPTABLES -A OUTPUT -j ACCEPT

# Catch all rule, all other outgoing is denied and logged.
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

################################################## #
# FORWARD: Enable Forwarding and thus IPMASQ
# All rulesets are already flushed and set to a default policy of DROP.
#

# Allow all connections OUT and only existing/related IN
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
$IPTABLES -A FORWARD -j drop-and-log-it

# Enabling SNAT (MASQUERADE) functionality on $EXTIF
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

...this script was written after reading over the documentation found here: https://help.ubuntu.com/community/Router

I've now upgraded to Ubuntu 8.10 Desktop (and Server) and this script no longer works. This script worked on countless BLFS images prior to the Ubuntu upgrade.

I have duplicated this issue on Ubuntu Desktop 8.10 as well as Ubuntu Server 8.10, and I have had posts of other users that upgraded from Hardy to Intrepid, and this issue started happening to them. This issue has been discussed here: http://ubuntuforums.org/showthread.php?t=1044885

As was discussed in this thread, the amazing thing is that I can ping and traceroute to www.ubuntu.com (and other sites) from the internal workstations, but they can not surf the web, connect to IRC/IM...etc. It is as if only ICMP packets are being allowed through. I have already tried to disable apparmor and ufw, but that makes no difference.

Steps to reproduce this issue:

1.) Build up Ubuntu Server with 2 network cards in it, one for LAN and one for WAN
2.) Set up eth0 for WAN and eth1 for LAN (adjust as needed) (config file attached)
4.) Install and configure DNS/DHCP services to listen on eth1 LAN interface (config files will be attached)
5.) Run the above (or attached) firewall.start script
6.) Ping www.ubuntu.com (this should work)
7.) Launch Firefox and go to www.ubuntu.com, and you should see this fail

This script should work the same as it has worked in the past on other Linux installations.
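A diagnostic the script's own logging makes possible, added here as an example and not part of the bug report: the drop-and-log-it chain tags every packet it drops with the prefix "FIREWALL: ", so summarising those lines shows whether the clients' TCP traffic is being dropped by a rule (and on which path: INPUT, OUTPUT or FORWARD) or never shows up in the firewall log at all, which would point away from the rules. The log lines below are constructed, and the WAN/LAN interface names default to the script's eth0/eth1.

```python
import re
from collections import Counter

# Constructed kernel LOG lines with the script's "FIREWALL: " prefix (assumes the commented-out
# LOG target; ulogd prints the same IN/OUT/SRC/DST/PROTO fields for ULOG). Hosts are made up.
SAMPLE_LOG = """\
Nov 25 09:12:01 router kernel: FIREWALL: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=9 DF PROTO=TCP SPT=4455 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 25 09:12:04 router kernel: FIREWALL: IN=eth0 OUT=eth1 SRC=198.51.100.80 DST=192.168.5.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Nov 25 09:12:05 router kernel: FIREWALL: IN=eth0 OUT=eth1 SRC=198.51.100.80 DST=192.168.5.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=51234 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Nov 25 09:12:09 router kernel: FIREWALL: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=12 PROTO=UDP SPT=1026 DPT=5060 LEN=58
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_firewall_line(line):
    """key=value fields of one 'FIREWALL: ' line plus bare flags (DF, SYN, ACK); None otherwise."""
    if "FIREWALL: " not in line:
        return None
    body = line.split("FIREWALL: ", 1)[1]
    fields = dict(FIELD_RE.findall(body))  # an empty 'OUT=' is skipped, so the key is absent
    fields["FLAGS"] = {tok for tok in body.split() if "=" not in tok}
    return fields

def classify(fields):
    """Name the path the packet was on: FORWARD has IN and OUT set, INPUT only IN, OUTPUT only OUT."""
    if "IN" in fields and "OUT" in fields:
        return "FORWARD %s->%s" % (fields["IN"], fields["OUT"])
    if "IN" in fields:
        return "INPUT %s" % fields["IN"]
    return "OUTPUT %s" % fields.get("OUT", "?")

def summarize_drops(log_text):
    """Count dropped packets per (path, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_firewall_line(line)
        if f:
            counts[(classify(f), f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts

def dropped_replies(log_text, ext="eth0", lan="eth1"):
    """TCP packets with ACK set, forwarded from the WAN back to the LAN: replies that the
    ESTABLISHED,RELATED rule should have accepted, so hits point at connection tracking."""
    hits = []
    for line in log_text.splitlines():
        f = parse_firewall_line(line)
        if f and f.get("PROTO") == "TCP" and f.get("IN") == ext and f.get("OUT") == lan \
                and "ACK" in f["FLAGS"]:
            hits.append((f["SRC"], f["SPT"], f["DST"], f["DPT"]))
    return hits
```

Run it over /var/log/kern.log (or ulogd's output file) while a client attempts a web connection; forwarded replies listed by dropped_replies mean the state match is not recognising the return traffic, while an empty summary means the packets are lost somewhere other than the filter rules.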

Lupine (thelupine) wrote :

Just wanted to clarify something...the server itself can still surf the web, connect to IRC...etc. It is just the clients that can not. They can ping/traceroute...but that is it. They can't browse, IRC or IM to anything outside of the server.

Lupine (thelupine) wrote :

Wanted to share a little more info and confirmation on what I have discovered.

I booted off one of my old Ubuntu Hardy Desktop CDs, mounted the Intrepid hard drives so I could get to my scripts and configs. Installed DNS/DHCP services, copied over my configs, loaded everything up including my firewall script and everything works!!!

So, this is simply a matter of something is different in Intrepid, as it does work perfectly fine in Hardy.

Chris Crisafulli (itnet7) wrote :

Changing the Description Title to reflect this configuration works perfectly well in Hardy Heron Live Environment. Fails in Intrepid Live and Full install.

Changed in iptables:
status: New → Confirmed
Lupine (thelupine) wrote :

1.4.0-4ubuntu2 is the version of iptables in Intrepid, this one doesn't work.

1.3.8.0debian1-1ubuntu2 is the version for Hardy, this one does work.

Lupine (thelupine) wrote :

This issue is fixed in Jaunty with iptables version 1.4.1.1-4ubuntu1

Jamie Strandboge (jdstrand) wrote :

Marking Fix Released per comment #11

Changed in iptables (Ubuntu):
status: Confirmed → Fix Released