Is Wolfgang Kueter a jerk or… how to configure iptables?

I’m trying to accomplish what I believe should be a simple task with iptables—replace my DSL router with a linux box. The linux box also routes packets to other machines on the LAN based on destination IP address (the box receives packets for multiple IP addresses from the Internet) and port number, and blocks other packets based on originator IP and port number, but as I understand it, the firewalling and inbound routing chains are totally separate from the outbound NAT functionality. In any case, the inbound stuff works perfectly now.

It seems simple enough to set up a box, where eth0 faces the Internet and eth1 faces the LAN, to act as a gateway or proxy to the LAN:

    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

And that actually works perfectly, except that a Windows box inside my LAN is unable to connect to a VPN outside the LAN, while it worked fine with the Buffalo router I had in place before. All other services are properly accessible through the gateway.

So I posted a description of my situation to comp.security.firewalls. I admit that I have, at best, a basic understanding of iptables, but I have read the manpage and documentation and gotten it to do 99% of what I need with the exception of this VPN issue.

In response, a “Wolfgang Kueter” called me clueless multiple times, said that I had no idea what I was doing, and that I “misunderstand almost everything,” and that I should pay a professional to do it for me and read books on TCP/IP and the IPSec protocol specification itself. Other newsgroup postings by this fellow have a similar tone, e.g. building a security suite (Q: What combination of software firewall, anti-virus, etc., are you using and have you noticed any discernable effect on performance? A: None, because they are useless crap. … I don’t use such crap, so how could I?).

Steve suggests that Web 2.0 should have some way to tag people like this as jerks, and their reputation would then follow them around on the web. Since that technology doesn’t yet exist, the next best thing, I suppose, is to just blog about it and hope this entry turns up in a search on the person’s name. Abrasive responses to legitimate requests for help from people hoping to learn something don’t do anything to advance the free software movement. I suppose this kind of person will always exist, but I wish they didn’t.

I don’t want to be petty about this sort of thing, but I actually don’t think I need to hire a professional or read books about TCP/IP and the IPSec protocol specification itself to configure a Linux box as a residential gateway. Does anyone disagree?

16 comments

  1. Mick Jan 28

    What a twat … must be a OpenBSD user.

    I like the dual boxes to keep the spam bots out. I think I suggested that on your blog a while ago, how’s it working out?

  2. Adam Rosi-Kessel Jan 28

    Thanks for your support, Mick. :). The dual box spam bot trap is working pretty well–it catches about 10-15 entries per day. Some of those would have been caught by my keyword filter, but every little bit helps. So far no false positives. I’ve also found filtering for the field “excerpt” (which isn’t a field on this blog, but is on others) is very effective at catching spam writebacks.

  3. Anonymous Jan 28

    Identifying the assholes

  4. Adam Rosi-Kessel Jan 28

    Actually, it’s not true that “excerpt” is not a field–it’s just that it’s a field only for trackbacks (links from other blogs), not writebacks, but the spammers include that field in their writeback entries.

  5. Guido Trotter Jan 28

    I think you just need a:
    iptables -t nat -A PREROUTING -p udp -d --dport 500 -j DNAT --to

    Also simply saying
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    might help…

    Also you might want to be a bit more conservative about your policies…

  6. Adam Rosi-Kessel Jan 28

    Thanks, Guido. I’ll try that from home tonight. I agree that I should be more conservative–I was trying just as a first pass to get things to work. Once I’ve established that I will certainly limit the ruleset.

  7. David Lazar Jan 28

    What an asshole he was…

    Ok, as far as I know, the line:

    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    is not necessary. You just must make sure that IP forwarding is enabled (echo 1 > /proc/sys/net/ipv4/ip_forward, see /usr/share/doc/iptables/README.Debian.gz, the “quick start” section).

    The line I referred to looks redundant, since iptables only filters packets, and if forwarding is enabled the packets you were filtering would have been allowed anyway.

    If the VPN application still doesn’t work, try dumping the traffic (with tcpdump -i eth1) and see what it is trying to do (i.e. what ports it is using).

    Best of luck!

  8. Jamie Jan 28

    I wonder what this Wolfgang’s grandparents were doing during World War II.

  9. Jon Dowland Jan 28

    You are right, he is behaving like an arse. Unfortunately, reading that thread has left a bad taste in my mouth, as it no doubt has in yours. Next time, listen to the little voice in your head that says “don’t give him the benefit of the doubt, just killfile him right there.”

  10. Maitland Jan 28

    Perhaps the VPN issue has something to do with MTU and IP fragmentation interacting with NAT…
    Good luck.

  12. Joachim Nilsson Jan 28

    I actually came to Linux NAT & pf from OpenBSD. I never really learned to understand iptables, the user interface really is useless to me.

    I use Shorewall today on most machines I sysadmin for, it wraps all iptables magic in a few simple text-based configuration files. Very useful.

    Too bad I’ve now signed on to work for a die-hard iptables company… :-)

  13. Willi Mann Jan 28

    I’ve learned iptables by http://iptables-tutorial.frozentux.net/iptables-tutorial.html
    It’s the first link in the “Tutorials” section on the netfilter homepage :-)

  14. skippy Jan 28

    I’ve found Shorewall to be an excellent iptables front-end, and have been using it for quite some time. It has wonderful support for the major VPN solutions, and the whole thing is thoroughly documented.

  15. Goswin von Brederlow Jan 28

    re David Lazar :

    The IP forwarding in linux only works if it is activated. That is independent of what iptables does. So only with forwarding enabled can IP frames enter the FORWARD chain(s) and eventually be forwarded.

    The
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    line can be useless or useful depending on circumstances.

    I’m assuming your (Adam) FORWARD policy is DENY so this line allows forwarding to go from eth1 to eth0 (but not the reverse). You then need to allow established connections to go the other way as Guido suggested. He also included RELATED, which are connections initiated in response to some chatter on another connection, e.g. when ftp sends a PORT command for the data connect RELATED allows that ip/port combination to also go through the firewall and nat. ip_conntrack_* and ip_nat_* modules take care of that.

    As to your initial problem:

    Add a “-j LOG --log-prefix 'name of chain'” at the end of each chain before packets get rejected and watch what you kill. It is best to do this with an idle network with just the ipsec attempts so you don’t get swamped.

    MfG
    Goswin
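
An added example (not from the post or any of the commenters) that puts the post’s two rules together with the suggestions from Guido and Goswin: a default-DROP FORWARD policy, an ESTABLISHED,RELATED rule for the return path, and a LOG rule as the last entry of each chain so dropped packets show up in the kernel log. gen_gateway_rules is a hypothetical helper that only prints the commands, so the ruleset can be read over before it is run as root; eth0/eth1 follow the post, and the limit match is an addition to keep the log from being swamped.

```shell
#!/bin/sh
# Added example: conservative NAT gateway ruleset. eth0 faces the Internet,
# eth1 faces the LAN, as in the post. gen_gateway_rules is a hypothetical
# helper that prints the commands instead of applying them.
gen_gateway_rules() {
    wan=$1
    lan=$2
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix 'INPUT-DROP: '
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix 'FORWARD-DROP: '
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# Number of iptables commands the helper emits (the sysctl line is excluded).
count_rules() {
    gen_gateway_rules "$1" "$2" | grep -c '^iptables'
}

# Print the ruleset by default; apply it only when asked: ./gateway.sh apply
if [ "${1:-}" = apply ]; then
    gen_gateway_rules eth0 eth1 | sh -e
else
    gen_gateway_rules eth0 eth1
fi
```

Packets that reach the LOG rules are the ones about to be dropped by the chain policy, so the prefixes tell you which chain killed the VPN’s traffic.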

  16. Wolfgang Kueter Jan 28

    When I read through the comments I see really nothing that is technically correct except from mentioning port 500/udp. And no, I hardly use (Open) BSD. But I read RFCs. So should some others here to get some clue.
