firewall - Allow access from outside network with dmz and iptables

  • Ivan

    I'm having a problem with my home network. So my setup is like this:

    (image of the network setup, not reproduced here)

    On my router (running Ubuntu Desktop 11.04) I installed the Squid proxy as my transparent proxy.

    So I would like to use DynDNS for my home network so I can access my server from the internet; I also installed a CCTV camera and would like to be able to watch it from the internet.

    The problem is that I cannot access it from outside the network.
    I already set the DMZ in my modem to my router's IP.

    My first guess is that it's because I'm using iptables to redirect the whole inside network through Squid, and not allowing traffic from outside to my inside network.
    Here is my iptables script:

    #!/bin/sh
    # squid server IP
    SQUID_SERVER="..."   # value not shown in the post
    # Interface connected to Internet
    INTERNET="..."       # value not shown in the post
    # Interface connected to LAN
    LAN_IN="..."         # value not shown in the post
    # Squid port
    SQUID_PORT="..."     # value not shown in the post
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy (FORWARD is never set here, so it stays at its default, ACCEPT)
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow replies on the Internet interface (ESTABLISHED,RELATED): DNS answers, passive FTP data, etc.
    iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i $LAN_IN -j ACCEPT
    iptables -A OUTPUT -o $LAN_IN -j ACCEPT
    # DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
    # if it is same system: port-80 traffic arriving on the Internet interface is redirected to the local Squid port
    iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
    # DROP everything else on INPUT and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP

    If you know where I went wrong, please advise me.
    Thanks for all your help; I really appreciate it.

  • Answers
  • Raystafarian

    Just an opinion, but it seems to me that you're only forwarding port 80 connections to Squid:
    iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

    Shouldn't all packets be forwarded over to Squid (especially DNS, and the port used by the camera)?
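    Neither post shows the rule that is actually missing. Nothing in the asker's script turns traffic that arrives on $INTERNET around towards a LAN host: the only PREROUTING rule for that interface redirects port 80 into Squid, and everything else that is not a reply is discarded by INPUT's DROP policy. With the modem's DMZ pointing at the router, the router is the only thing in front of the camera, so it needs a DNAT in PREROUTING plus a matching FORWARD accept. The script below is an added example, not code from the question or the answer; the interface names, camera address and ports are assumptions, and without the `apply` argument it only prints the rules it would load.

```shell
#!/bin/sh
# Added example (not from the question or answers): expose one LAN host through
# the Ubuntu router that sits in the modem's DMZ. All values below are assumptions.
INTERNET="${INTERNET:-eth0}"            # interface facing the modem
LAN_IN="${LAN_IN:-eth1}"                # interface facing the LAN
CAMERA_IP="${CAMERA_IP:-192.168.1.50}"  # CCTV camera on the LAN
CAMERA_PORT="${CAMERA_PORT:-80}"        # port the camera's web UI listens on
WAN_PORT="${WAN_PORT:-8080}"            # port exposed on the router's public side

dry_run() { echo "iptables $*"; }
case "${1:-}" in
    apply) IPTABLES=iptables ;;         # really load the rules (run as root)
    *)     IPTABLES=dry_run ;;          # default: print the rules instead
esac

# Forward TCP port $1 arriving on $INTERNET to $2:$3 on the LAN.
forward_tcp_port() {
    wan_port="$1"; host="$2"; host_port="$3"
    # 1. Rewrite the destination before routing. -I puts the rule ahead of the
    #    transparent-proxy REDIRECT for "-i $INTERNET --dport 80" in the original
    #    script, which would otherwise swallow an inbound port-80 forward.
    $IPTABLES -t nat -I PREROUTING -i "$INTERNET" -p tcp --dport "$wan_port" \
        -j DNAT --to-destination "$host:$host_port"
    # 2. After DNAT the packets are routed, so they traverse FORWARD, not INPUT;
    #    the INPUT DROP policy is not the obstacle. The original script leaves
    #    FORWARD at its default ACCEPT; these rules keep working if it is set to DROP.
    $IPTABLES -I FORWARD -i "$INTERNET" -o "$LAN_IN" -p tcp -d "$host" --dport "$host_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Replies from the LAN host back out; conntrack reverses the translation.
    $IPTABLES -I FORWARD -i "$LAN_IN" -o "$INTERNET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Check: list NAT and FORWARD rules with packet counters. If the DNAT counter
# stays at 0 while you connect from outside, the traffic is not reaching the
# router at all (modem DMZ or DynDNS problem), not an iptables problem.
show_forwarding() {
    $IPTABLES -t nat -L PREROUTING -n -v --line-numbers
    $IPTABLES -L FORWARD -n -v --line-numbers
}

forward_tcp_port "$WAN_PORT" "$CAMERA_IP" "$CAMERA_PORT"
show_forwarding
```

    Load it as root with `sh forward.sh apply` and test from outside the LAN (for example a phone on mobile data): a LAN client connecting to the DynDNS name needs an extra hairpin SNAT rule that is not shown here. Once this is in place the camera's web interface is reachable by anyone on the internet, so limit the DNAT rule with `-s` to known source addresses, or reach it over a VPN, wherever that is an option.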

  • Related Question

    linux - iptables: Allow only HTTP access for web browsing
  • user1448260

    I have a Linux box and want it locked down but still able to surf the internet on it. Why is this script blocking HTTP too?

    #!/bin/sh
    iptables -F
    #Set default policies for INPUT, FORWARD and OUTPUT chains
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Allow TCP connections on tcp port 80
    iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    # Set access for localhost
    iptables -A INPUT -i lo -j ACCEPT
    # List rules
    iptables -L -v

  • Related Answers
  • Michael Kjörling

    Because the rule

    iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

    with a DROP policy on the OUTPUT chain requires two things which are highly relevant here:

    1. The connection must already have been established
    2. The source port must be 80/tcp

    Source ports below 1024 are privileged and generally aren't used for outgoing connections, even when the socket-owning process is running as root. You are more likely to see a high source port number going out; well above 30000 seems to be common.

    There is also no way to establish a connection, since the only outgoing traffic that is allowed must be related to an already established connection.

    Hence, in practice, nothing can match this rule.

    Try instead:

    iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT

    which should allow any outbound connections to destination TCP port 80 where the traffic is routed through eth0, which is much more in line with what you want.

    And then as has been pointed out, don't forget about HTTPS, DNS, ...

  • DragonLord

    If possible, try flushing iptables and see if you actually can connect via HTTP (iptables -F).

    Like Darth Android was saying, make sure you aren't trying to connect via HTTPS.

    Also, do you have more than one Ethernet interface? Or is your Ethernet interface called something other than eth0? A quick ifconfig will show you what your interface names are.

  • Timothy Baldwin

    You also need to allow ICMP in both directions, or path MTU discovery and error recovery by trying a different IP address will be broken.

    Generally you want to allow all ESTABLISHED and RELATED traffic.
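    Putting the three answers above together (match on the destination port, allow ESTABLISHED,RELATED in both directions, let ICMP through), here is an added example of a working ruleset for user1448260's "browse only" box. It is not code from the thread; the interface name eth0 is an assumption (DragonLord's ifconfig check tells you the real one), and without the `apply` argument the script only prints the rules it would load.

```shell
#!/bin/sh
# Added example (not from the thread): a "browse the web only" host firewall.
# State tracking does the work, the OUTPUT rule matches on --dport (a client's
# source port is ephemeral and is never 80), and ICMP plus ESTABLISHED,RELATED
# are allowed so handshakes, replies and path-MTU discovery all work.
IFACE="${IFACE:-eth0}"     # outbound interface (assumption); check with: ip -o link show

dry_run() { echo "iptables $*"; }
case "${1:-}" in
    apply) IPTABLES=iptables ;;   # really load the rules (run as root)
    *)     IPTABLES=dry_run ;;    # default: print the rules instead
esac

browse_only_firewall() {
    # Clean slate, everything dropped by default. FORWARD DROP is right for a
    # single host that does not route for anyone else.
    $IPTABLES -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Loopback, needed by local resolvers and many desktop programs.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Replies to anything this host started, in both directions. This is what the
    # original script lacked on OUTPUT: without it no TCP handshake can finish.
    $IPTABLES -A INPUT  -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New outbound connections: HTTP, HTTPS and DNS (UDP, and TCP for large answers).
    for port in 80 443; do
        $IPTABLES -A OUTPUT -o "$IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A OUTPUT -o "$IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$IFACE" -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # ICMP: all of it outbound, and inbound the error types that PMTU discovery and
    # reachability depend on, plus echo replies for your own pings.
    $IPTABLES -A OUTPUT -o "$IFACE" -p icmp -j ACCEPT
    for t in destination-unreachable time-exceeded parameter-problem echo-reply; do
        $IPTABLES -A INPUT -i "$IFACE" -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Log what still gets refused; this is what you read when "nothing works".
    $IPTABLES -A INPUT  -j LOG --log-prefix "in-drop: "
    $IPTABLES -A OUTPUT -j LOG --log-prefix "out-drop: "
}

browse_only_firewall
```

    Load it as root with `sh browse-only.sh apply`, then open a page and confirm with `iptables -L -v -n` that the ESTABLISHED,RELATED counters move; anything still refused shows up as `in-drop:` or `out-drop:` lines in `dmesg` or the kernel log. If a site still does not load, the usual missing pieces are a DNS resolver reached over a port other than 53 or a browser using a non-standard HTTP port.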