LAN to WORLD
After applying the DNAT declarations, which include Chain FORWARD (policy DROP), it is no longer possible to reach the internet from the WEB servers (101 and 102) or to use apt.
The root cause turns out to be that no DNS server can be reached.
The assignment states that apt must work. Ports 80 and 443 are needed for this, but of course also DNS, port 53 (udp).
Furthermore, ports 22 and 80 must be open from the LAN outward.
For mail a solution can be built later; at some point at least port 25 will have to be opened.
To debug the network (sooner or later something will go wrong), ping from inside to outside also seems indispensable.
All these protocols must pass through the FORWARD chain from INSIDE to OUTSIDE.
- inventory
The current FORWARD chain already contains the following relevant rules:
...
iptables -vP FORWARD DROP
## destination forward ports
iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
iptables -vA FORWARD -p TCP --dport 80 -j ACCEPT
...
### forward related established
iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
...
The declarations above are not given input or output interfaces (for example -i eth0) and therefore apply in all directions. So we should already be able to open websites and set up ssh connections using IP addresses.
But apt works with domain names, so DNS must also be allowed.
Moreover, we were asked to be able to use SMTP as well, and finally we would find it useful to be able to ping outward.
- LAN to WORLD declarations
The following declarations solve the problems mentioned above:
#### open ports from LAN to WORLD
#### already open in section Destination NAT (declaration goes both ways)
#
# already open ## iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
# already open ## iptables -vA FORWARD -p TCP --dport 80 -j ACCEPT
#
#### ping
iptables -vA FORWARD -p ICMP -j ACCEPT
#### smtp
iptables -vA FORWARD -p TCP --dport 25 -j ACCEPT
#### dns
iptables -vA FORWARD -p UDP --dport 53 -j ACCEPT
#### https
iptables -vA FORWARD -p TCP --dport 443 -j ACCEPT
#
#### already open ## iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
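To check the reasoning above without touching a live firewall, here is an added example (not part of the original lab notes) that models first-match evaluation of the FORWARD chain in Python: it shows why DNS was dropped before the new rules, why the rules without -i/-o also accept traffic in the WORLD to LAN direction, and what the same rules look like pinned to enp0s8 -> enp0s3. The DIRECTIONAL rule set and the packet() helper are assumptions for the demonstration; the interface names and ports come from the page.

```python
# Added example, not part of the original lab notes. It does not run iptables:
# it only models how the filter FORWARD chain evaluates a packet (first matching
# rule wins, otherwise the chain policy applies), so it runs offline without root.
# Interface names are the ones from the page's script: enp0s3 outside, enp0s8 inside.
OUTSIDE, INSIDE = "enp0s3", "enp0s8"

def rule(proto=None, dport=None, state=None, in_if=None, out_if=None, target="ACCEPT"):
    """One FORWARD rule; None means 'any', like an iptables rule without that match."""
    return {"proto": proto, "dport": dport, "state": state,
            "in_if": in_if, "out_if": out_if, "target": target}

def matches(r, pkt):
    for key in ("proto", "dport", "in_if", "out_if"):
        if r[key] is not None and r[key] != pkt[key]:
            return False
    return r["state"] is None or pkt["state"] in r["state"]

def forward_verdict(chain, policy, pkt):
    """Walk the chain top to bottom; return the first matching target, else the policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

def packet(proto, dport=None, in_if=INSIDE, out_if=OUTSIDE, state="NEW"):
    """A packet as seen by FORWARD; the defaults describe LAN -> WORLD traffic."""
    return {"proto": proto, "dport": dport, "state": state, "in_if": in_if, "out_if": out_if}

def to_iptables(r, chain="FORWARD"):
    """Render a rule back into the iptables syntax used in the page's script."""
    parts = ["iptables", "-A", chain]
    if r["in_if"]:  parts += ["-i", r["in_if"]]
    if r["out_if"]: parts += ["-o", r["out_if"]]
    if r["proto"]:  parts += ["-p", r["proto"]]
    if r["dport"]:  parts += ["--dport", str(r["dport"])]
    if r["state"]:  parts += ["-m", "state", "--state", ",".join(r["state"])]
    return " ".join(parts + ["-j", r["target"]])

RETURN = rule(state=("ESTABLISHED", "RELATED"))
# FORWARD chain as it was before the LAN-to-WORLD section: 22, 80 and return traffic only.
BEFORE = [rule("tcp", 22), rule("tcp", 80), RETURN]
# After the page's additions (ICMP, SMTP, DNS, HTTPS), still without -i/-o.
AFTER = BEFORE + [rule("icmp"), rule("tcp", 25), rule("udp", 53), rule("tcp", 443)]
# Same ports pinned to the LAN -> WORLD direction: an assumed hardening, not on the page.
DIRECTIONAL = [rule(p, d, in_if=INSIDE, out_if=OUTSIDE) for p, d in
               [("tcp", 22), ("tcp", 80), ("icmp", None), ("tcp", 25), ("udp", 53), ("tcp", 443)]]
DIRECTIONAL.append(RETURN)
```

Running forward_verdict(AFTER, "DROP", packet("tcp", 25, in_if=OUTSIDE, out_if=INSIDE)) returns ACCEPT, which is exactly the "declaration goes both ways" remark from the script; the DIRECTIONAL set returns DROP for the same packet.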
- tests
From web101

DNS:
user@ub164-WEB101:~$ nslookup vrt.be
Server: 10.28.100.10
Address: 10.28.100.10#53

Non-authoritative answer:
Name: vrt.be
Address: 52.209.17.179
Name: vrt.be
Address: 52.214.170.224

PING:
user@ub164-WEB101:~$ ping bnix.be
PING bnix.be (193.190.130.50) 56(84) bytes of data.
64 bytes from fiorano.belnet.be (193.190.130.50): icmp_seq=1 ttl=52 time=14.0 ms
64 bytes from fiorano.belnet.be (193.190.130.50): icmp_seq=2 ttl=52 time=15.9 ms
64 bytes from fiorano.belnet.be (193.190.130.50): icmp_seq=3 ttl=52 time=13.2 ms

SMTP:
user@ub164-WEB101:~$ telnet smtp.telenet.be 25
Trying 195.130.132.11...
Connected to smtp.telenet.be.
Escape character is '^]'.
220 andre.telenet-ops.be bizsmtp ESMTP server ready
quit
221 2.0.0 andre.telenet-ops.be bizsmtp closing connection
Connection closed by foreign host.

HTTP:
user@ub164-WEB101:~$ lynx perdu.com
Looking up 'perdu.com' first
Perdu sur l'Internet ? Pas de panique, on va vous aider * <----- vous êtes ici

APT:
user@ub164-WEB101:~$ sudo apt update
[sudo] password for user: *****************
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:2 http://be.archive.ubuntu.com/ubuntu xenial InRelease
Get:3 http://be.archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Get:4 http://be.archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]
Get:5 http://be.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [668 kB]
Get:6 http://be.archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [631 kB]
Fetched 1.605 kB in 0s (1.870 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
117 packages can be upgraded. Run 'apt list --upgradable' to see them.
- the complete iptables script
#! /bin/bash
#
# iptables-script
# bvdb ( 02/11/2017 )
######################################################
#
# v = verbose, F = flush all rules, X = delete non standard chains
# general
iptables -vX
iptables -vF
# nat and masquerading -t refers to table
iptables -vt nat -F
iptables -vt nat -X
# mangling TCP header
iptables -vt mangle -F
iptables -vt mangle -X
# reset policies -P refers to policies
iptables -vP OUTPUT ACCEPT
# turn off routing
# echo 0 > /proc/sys/net/ipv4/ip_forward
# turn on routing
echo 1 > /proc/sys/net/ipv4/ip_forward
###### This is very important in your script --
###### it lets you see what you are doing:
#
##>> my network interfaces: enp0s3 = 10.104.200.254/16 >> outside
##>> my network interfaces: enp0s8 = 192.168.200.254/24 >> inside
### implement NAT routing
#
## NAT routing - enp0s3 is outside and an unprotected network
# the ip address on the outside of our firewall is 10.104.200.254 (outside address)
#
iptables -vt nat -A POSTROUTING -o enp0s3 -j SNAT --to 10.104.200.254
## INPUT chain lo + ports 10022
iptables -vP INPUT DROP
iptables -vA INPUT -i lo -j ACCEPT
iptables -vA INPUT -p TCP --dport 10022 -j ACCEPT
iptables -vA INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#### Destination NAT -
iptables -vP FORWARD DROP
## destination forward ports
iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
iptables -vA FORWARD -p TCP --dport 80 -j ACCEPT
## port 10122 >> web101:22
iptables -vt nat -A PREROUTING -p TCP --dport 10122 -j DNAT --to 192.168.200.101:22
iptables -vA FORWARD -p TCP --dport 10122 -j ACCEPT
## port 10222 >> web102:22
iptables -vt nat -A PREROUTING -p TCP --dport 10222 -j DNAT --to 192.168.200.102:22
iptables -vA FORWARD -p TCP --dport 10222 -j ACCEPT
## port 8081 >> web101:80
iptables -vt nat -A PREROUTING -p TCP --dport 8081 -j DNAT --to 192.168.200.101:80
iptables -vA FORWARD -p TCP --dport 8081 -j ACCEPT
## port 8082 >> web102:80
iptables -vt nat -A PREROUTING -p TCP --dport 8082 -j DNAT --to 192.168.200.102:80
iptables -vA FORWARD -p TCP --dport 8082 -j ACCEPT
### forward related established
iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#### open ports from LAN to WORLD
## already open ## iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
## already open ## iptables -vA FORWARD -p TCP --dport 80 -j ACCEPT
#### already open in section Destination NAT (declaration goes both ways)
iptables -vA FORWARD -p ICMP -j ACCEPT
iptables -vA FORWARD -p TCP --dport 25 -j ACCEPT
iptables -vA FORWARD -p UDP --dport 53 -j ACCEPT
iptables -vA FORWARD -p TCP --dport 443 -j ACCEPT
## already open ## iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
### PRINT iptables configuration ###
#
echo ">>>>> iptables -n -L"
iptables -n -L
echo "--------------"
#echo ">>>>> iptables -S"
#iptables -S
#echo "--------------"
echo ">>>>> iptables -t nat -L"
iptables -t nat -L
echo "--------------"
#echo ">>>>> iptables -t mangle -L"
#iptables -t mangle -L
#echo "--------------"
echo "routing set: " `cat /proc/sys/net/ipv4/ip_forward`
echo "=============="
- output
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
SNAT all opt -- in * out enp0s3 0.0.0.0/0 -> 0.0.0.0/0 to:10.104.200.254
ACCEPT all opt -- in lo out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:10022
ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:22
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80
DNAT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:10122 to:192.168.200.101:22
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:10122
DNAT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:10222 to:192.168.200.102:22
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:10222
DNAT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:8081 to:192.168.200.101:80
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:8081
DNAT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:8082 to:192.168.200.102:80
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:8082
ACCEPT all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:25
ACCEPT udp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 udp dpt:53
ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:443
>>>>> iptables -n -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10022
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10122
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10222
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
--------------
>>>>> iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:10122 to:192.168.200.101:22
DNAT tcp -- anywhere anywhere tcp dpt:10222 to:192.168.200.102:22
DNAT tcp -- anywhere anywhere tcp dpt:tproxy to:192.168.200.101:80
DNAT tcp -- anywhere anywhere tcp dpt:8082 to:192.168.200.102:80

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:10.104.200.254
--------------
routing set: 1
==============