HI, Problem get firewall going.
Paul Schulz
pschulz01 at gmail.com
Mon Jul 31 03:56:25 BST 2006
Neil,
After you have run your script, what is the contents of the iptables tables?
Are they what you expect?
# iptables -t nat -vL
Packets coming for the firewall can get nat'ed and sent out eth0
instead of eth1.
On my 'router/firewall' I have the following, which works.
(It only NATs packets coming from internal to external IP addresses,
and automatically looks after the related return packets.)
Cheers,
Paul
-------
Internal Network is 192.168.10.0/24
External IP address: EXTIP
# Only translate traffic from the internal network to addresses outside it;
# connection tracking handles the related return packets.
iptables -t nat -A POSTROUTING \
-s 192.168.10.0/255.255.255.0 \
! -d 192.168.10.0/255.255.255.0 \
-j SNAT --to-source $EXTIP
# enable forwarding between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
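To automate the check suggested above (look at `iptables -t nat -vL` and ask whether the rules and their counters are what you expect), here is an added example that is not part of the original thread: it parses the POSTROUTING chain of that output, flags SNAT/MASQUERADE rules that are not limited to internal-to-external traffic as in the rule above, and reports rules whose packet counter is still zero. The sample output is constructed, not captured from either poster's box.

```python
import re

# Constructed sample of `iptables -t nat -vL` output (not captured from the
# poster's box).  The SNAT line mirrors the rule given in the reply; the
# MASQUERADE line mirrors the unscoped rule from the quoted script.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 10 packets, 640 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   640 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix "nat_prerouting:"

Chain POSTROUTING (policy ACCEPT 3 packets, 252 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   588 SNAT       all  --  any    any     192.168.10.0/24      !192.168.10.0/24     to:192.0.2.10
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
"""

NAT_TARGETS = {"SNAT", "MASQUERADE"}
SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def counter(text):
    """iptables -v abbreviates large counters, e.g. 12K or 3M."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse_chain(output, chain):
    """Return the rules of one chain as dicts keyed by the -vL columns."""
    rules, in_chain = [], False
    for line in output.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.split()[0] == "pkts":
            continue
        f = line.split(None, 9)  # 9 fixed columns; the rest is match/target options
        rules.append({"pkts": counter(f[0]), "target": f[2], "in": f[5], "out": f[6],
                      "src": f[7], "dst": f[8], "extra": f[9] if len(f) > 9 else ""})
    return rules


def nat_findings(output, internal_range):
    """Read the POSTROUTING NAT rules the way the reply suggests: is each one
    limited to internal -> !internal traffic, and has it matched anything yet?"""
    findings = []
    for r in parse_chain(output, "POSTROUTING"):
        if r["target"] not in NAT_TARGETS:
            continue
        if not (r["src"] == internal_range and r["dst"] == "!" + internal_range):
            findings.append(f"{r['target']} out={r['out']}: not limited to {internal_range}"
                            f" -> !{internal_range}, so every packet leaving {r['out']} is translated")
        if r["pkts"] == 0:
            findings.append(f"{r['target']} out={r['out']}: packet counter is still 0")
    return findings
```

Run it against the real output with `nat_findings(subprocess.check_output(["iptables", "-t", "nat", "-vL"], text=True), "192.168.5.0/24")` to see which rules traffic is actually hitting.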
On 7/31/06, Neil Dugan <ubuntu at butterflystitches.com.au> wrote:
> Hi I am new to this list, if this is the wrong place to ask let me know.
>
> I have set up an Ubuntu box for internet access and also as a firewall.
> I can get on the internet from the firewall computer. :) From the
> other computer I can ping both interfaces of the firewall (i.e. eth0
> and eth1). :)
>
> But I can't ping the modem @ 192.168.1.1 :(
>
> The eth1 interface of the firewall does report receiving bytes (via
> ifconfig) but I can't trace where that info is going. I put lots of
> LOG actions in the iptables to find out where the ping was going but
> none of them report anything. The program ethereal says the eth1
> interface is receiving lots of ARP requests for 192.168.1.1 but no
> answers are sent.
>
> Here is a basic layout of the network.
>
> -------------------
> | xxx.xxx.xxx.xxx |
> | ADSL modem |
> | 192.168.1.1 |
> -------------------
> |
> |
> |
> ----------------------
> | eth0 192.168.1.xxx |
> | firewall |
> | eth1 192.168.5.254 |
> ----------------------
> |
> |
> |
> ----------------------
> | eth0 192.168.5.xxx |
> | computer |
> ----------------------
>
>
> ----- /etc/init.d/iptables -----------
>
> #!/bin/sh
>
> IPTABLES=/sbin/iptables
>
> # which port is used for what
> INTERNAL=eth1
> EXTERNAL=eth0
>
> # need to find this dynamically
> EXTERNAL_IP=192.168.1.238
>
> INTERNAL_RANGE=192.168.5.0/24
>
> # which port skype uses
> SKYPE_PORT=23323
>
>
> case "$1" in
> start)
> echo -n "Starting IP Firewall and NAT..."
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>
> # Clear old rules
> $IPTABLES -X
> $IPTABLES -F
> $IPTABLES -Z
> $IPTABLES -X -t nat
> $IPTABLES -F -t nat
> $IPTABLES -Z -t nat
> $IPTABLES -X -t mangle
> $IPTABLES -F -t mangle
> $IPTABLES -Z -t mangle
>
> # INPUT Rules - Add to this section the ports you wish to explicitly allow connections on
> # Below are some common services that are commonly used
> # Comment out the lines to disable access to these services
> # The port numbers for other services you may wish to allow can be found in the /etc/services file
>
> # set the default for the input chain to drop
> $IPTABLES -P INPUT DROP
>
> $IPTABLES -A INPUT -t filter -j LOG --log-prefix "filter_input:"
> $IPTABLES -A OUTPUT -t filter -j LOG --log-prefix "filter_output:"
> $IPTABLES -A FORWARD -t filter -j LOG --log-prefix "filter_forward:"
>
> $IPTABLES -A PREROUTING -t nat -j LOG --log-prefix "nat_prerouting:"
> $IPTABLES -A POSTROUTING -t nat -j LOG --log-prefix "nat_postrouting:"
> $IPTABLES -A OUTPUT -t nat -j LOG --log-prefix "nat_output:"
>
> $IPTABLES -A INPUT -t mangle -j LOG --log-prefix "mangle_input:"
> $IPTABLES -A OUTPUT -t mangle -j LOG --log-prefix "mangle_output:"
> $IPTABLES -A POSTROUTING -t mangle -j LOG --log-prefix "mangle_postrouting:"
> $IPTABLES -A PREROUTING -t mangle -j LOG --log-prefix "mangle_prerouting:"
> $IPTABLES -A FORWARD -t mangle -j LOG --log-prefix "mangle_forward:"
>
>
> # allow already started communications
> $IPTABLES -A INPUT -i $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT #Allows connections you start
>
> # allow everything from the internal interface
> $IPTABLES -A INPUT -i $INTERNAL -j ACCEPT #Allows connections you start
>
>
> #Allow FTP Connections
> #$IPTABLES -A INPUT -i $EXTERNAL -p tcp --dport 21 -j ACCEPT
> #$IPTABLES -A INPUT -i $EXTERNAL -p udp --dport 21 -j ACCEPT
>
> #SSH Connections
> $IPTABLES -A INPUT -i $EXTERNAL -p tcp --dport 22 -j ACCEPT
>
> #SKYPE communications
> $IPTABLES -A INPUT -i eth0 -p udp --destination-port $SKYPE_PORT -j ACCEPT
>
> #HTTP Connections
> #$IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
>
> #HTTP SSL Connections
> #$IPTABLES -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
>
> #SAMBA related ports
> #$IPTABLES -A INPUT -i eth0 -p tcp --dport 137 -j ACCEPT
> #$IPTABLES -A INPUT -i eth0 -p tcp --dport 138 -j ACCEPT
> #$IPTABLES -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
> #$IPTABLES -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
> #$IPTABLES -A INPUT -i eth0 -p udp --dport 139 -j ACCEPT
>
> # Allow pings, but reject the rest
> $IPTABLES -A INPUT -i $EXTERNAL -p icmp -j ACCEPT
>
> # POSTROUTING statements for Many:1 NAT
> # (Connections originating from the entire home network)
> $IPTABLES -A FORWARD -o $EXTERNAL -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
> #$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to-source $EXTERNAL_IP
> $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
>
> # redirect a port to a particular ip addr.
> #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport www -j DNAT --to-dest 192.168.1.2
>
>
> # Reject everything else
> #$IPTABLES -A INPUT -j DROP
>
>
> echo "done."
> ;;
> stop)
> echo -n "Stopping IP Firewall and NAT..."
> $IPTABLES -X
> $IPTABLES -F
> $IPTABLES -Z
> $IPTABLES -X -t nat
> $IPTABLES -F -t nat
> $IPTABLES -Z -t nat
> $IPTABLES -X -t mangle
> $IPTABLES -F -t mangle
> $IPTABLES -Z -t mangle
>
> # block everything
> #$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> #$IPTABLES -A INPUT -i eth0 -j REJECT
> echo "done."
> ;;
>
> restart)
> echo -n "Restarting IP Firewall and NAT..."
> $0 stop > /dev/null
> sleep 1
> $0 start > /dev/null
> ;;
>
> *)
> echo "Usage: $0 {start|stop|restart}"
> ;;
> esac
>
> -----------------------------------
>
>
> --
> ubuntu-au mailing list
> ubuntu-au at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-au