IPTABLES firewalling (and transparent proxy)

[Forrest2000]

Hi guys, i'm working on a firewall with a transparent proxy (tinyproxy) and a content filter (dansuardian).

That's my network scheme:
Subnet 192.168.10.0/24 <---> 192.168.1.1 [Firewall] 192.168.1.2 <--(point2point)--> 192.168.1.1 CISCO Router (locked by ISP)

Now i have to write down some iptables roules to make everything work. Unfortunatly i have to be shure that my code is errorfree as i'm on a server of a public association and i cannot stop any service for more then a bunch of seconds.

So here's the code:

Code:

#This is the content of a sh executable loaded on boot 
 
IF_LAN="eth0" 
IF_EXT="eth1" 
PROXY_PORT="8080" 
 
iptables -F  
iptables -X  
iptables -P INPUT DROP 
iptables -P OUTPUT DROP 
iptables -P FORWARD DROP  
 
# Allow lan traffic to be accepted 
iptables -A INPUT -s 192.168.10.0/24 -i $IF_LAN -j ACCEPT  
 
# Allow 80, 443, 53 destinated traffic to be forwarded 
iptables -A FORWARD -s 192.168.10.0/24 -i $IF_LAN -o $IF_EXT  \
-j ACCEPT -p tcp -m multiport --dports 80,443 --sport 1024:65535                 
iptables -A FORWARD -p udp -i $IF_LAN -o $IF_EXT --dport 53 --sport 1024:65535 -j ACCEPT 
iptables -A FORWARD -p udp -i $IF_EXT -o $IF_LAN --sport 53 --dport 1024:65535 -j ACCEPT 
 
# Allow response from firewall to go back 
iptables -A INPUT -i $IF_LAN -m state -state ESTABLISHED,RELATED -j ACCEPT 
 
# I wander if MASQ is needed and i don't know why this line is here 
iptables -t nat -A POSTROUTING -o $IF_LAN -j MASQUERADE 
 
# Allow answers to the lan 
iptables -A OUTPUT -d 192.168.10.0/24 -o $IF_LAN -m state -state ESTABLISHED,RELATED -j ACCEPT 
 
# Allow  connection to the world from the firewall itself 
iptables -A OUTPUT -o $IF_EXT -j ACCEPT 
 
# Open SSH port for administration 
iptables -A INPUT -i $IF_LAN -p tcp -dport 22 -j ACCEPT 
iptables -A INPUT -i $IF_EXT -p tcp -dport 22 -j ACCEPT 
 
# Allow tinyproxy to communicate with www as it runs as  nobody 
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT 
 
# Redirecting everything outgoing to 80, to the content filter / transparent proxy 
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT

I have some questions on what I found around the web (i'm too noob on iptables):
What means masquerading this way? (does output on LAN needs masq???)
Using a proxy in this transparent way for 80 traffic, will avoid using masquerading for all kind of traffic or i need to masquerade the subnet in postruting?

So anybody who wants to help, please correct this piece of bad code.
Thankyou all!

[canela]

A couple suggestions:

1. Masquerading is required to activate NAT for all the FORWARD rules.
2. The firewall will automatically use the IP address of its external interface for OUTPUT.
3. IP addresses assigned to your devices need to be unique and on separate networks for each LAN segment. You have assigned 192.168.1.1 twice. The point-to-point segment and the LAN are also asigned addresses from the same network block (192.168.1.0/24). You will need to change the subnet and ip address assignments of one segment.
4. It is also good to have two statements at the end of the FORWARD, INPUT and OUTPUT chains, one with a LOG (first) and the other with DROP (last). That way you can log all dropped packets in syslog.

Can you set up a lab to test beforehand? There will be a lot of things to test and this thread may not be able to provide answers in time.

[Forrest2000]

There was a typo in my configuration, the internal interface of firewall was 192.168.10.1 and not 192.168.1.1 so at least the address is uniqe.

Anyway i can't setup any kind of lab to test those things, does anybody know a software to simulate this?! Perheaps a network simulator or something that allow simulating network structures and iptables?

[Poundjd]

How will the 192.168.10.0/24 subnet talk to the 192.168.1.1 interface?

You may want to change the firewall interface to 10.1 or change the subnet or something.....

If you change the subnet things should talk.

/math follows
192.168.10.0/24 yeilds
=> 1100 0000 1010 1000 0000 1010 0000 0000 IP Address 192.168.10.0
=> 1111 1111 1111 1111 1111 1111 0000 0000 IP Net Mask 255.255.255.0 or /24
=> 1100 0000 1010 1000 0000 0001 0000 0001 IP Address 192.168.1.1

As you can see from the math they are not on the same IP subnet and so can't talk to each other, OF course I am assuming a normal netmask from the CIDR notation.
/nomath
-jeff