cdeberry n00b
Joined: 20 Feb 2004 Posts: 48
Posted: Tue Jun 22, 2004 9:04 pm Post subject: iptables..
I have read the faq and noobie guides for iptables.. but it seems nothing is working to this point.
Here's my script:
Code:
#!/bin/bash
IPTABLES='/sbin/iptables -v'
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set interface values
EXTIF='eth0'
INTIF='eth1'
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# forward LAN traffic from $INTIF to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
#echo -e " - Allowing access to the SSH server & distcc"
$IPTABLES -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p tcp --dport 3632 -j ACCEPT
I have removed my drop statements for simplicity and testing.. but this is what I need to start with. Running this gives me no routed packets through the external NIC... Also, if anyone can give good information about logging through syslog or any other facility for that matter, it would be greatly appreciated.
Setup as follows:
INTIF=192.168.0.1
EXTIF=1.2.3.4
I can get anywhere on the internal net or external net from this host, but it will not route packets for the internal network. The iptables modules are all compiled into the kernel as well...
metalised n00b
Joined: 28 Feb 2004 Posts: 14
Xepher n00b
Joined: 14 Mar 2003 Posts: 39
Posted: Tue Jun 22, 2004 10:21 pm Post subject:
I haven't read the guide you used, but if all you want is a NAT router/gateway then it should be fairly straightforward.
Your script has two lines doing the same thing; you only need one...
Code:
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
Check that it worked with:
Code:
cat /proc/sys/net/ipv4/ip_forward
If it still reads "0" you may want to try putting quotes around the "1" in the echo command.
Also, if you're not doing anything too complex, all you should need is a single NAT line...
Code:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Try those two lines alone and see if it works. Make sure your internal LAN machines are set to use the router's internal (eth1) IP for their default gateway.
If that works, then you can go and add more complex DROP/ACCEPT rules to secure it further.
Gentoo's got a nifty iptables save/restore script that comes with the iptables ebuild.
Code:
rc-update add iptables default
and it will save/restore your iptables settings through reboot. If you edit /etc/conf.d/iptables and set ip forwarding to "yes" the init scripts will do everything your script is trying to do. Just add/remove your rules by hand until you get it working, and it'll save them across reboots. If you're paranoid, you can force it to save with
Code:
/etc/init.d/iptables save
DaveArb Guru
Joined: 29 Apr 2004 Posts: 510 Location: Texas, USA
Posted: Wed Jun 23, 2004 3:58 am Post subject: Re: iptables..
cdeberry wrote:
> I have read the faq and noobie guides for iptables.. but it seems nothing is working to this point.
> Here's my script:
> Code:
> <snip>
> # forward LAN traffic from $INTIF to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
> <snip>

You let the FORWARD table allow packets from INTIF to EXTIF, but you don't let them come back in again.
Why don't I see any REJECT or DROP destinations or policies?
Dave
Storm666 n00b
Joined: 21 Jun 2004 Posts: 3
Posted: Wed Jun 23, 2004 5:37 pm Post subject:
Paste the output of this command here for review if it still doesn't work after the suggestion above.
Code:
iptables -t nat -nvLx
If you want to log what is happening on the forward chain, just add the following line at the end of your firewall script:
Code:
$IPTABLES -A FORWARD -j LOG --log-prefix "Forward Drop:"
This will allow you to check your logs to see what's happening.
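The three replies above each cover one piece of the puzzle: confirm that ip_forward really is 1, keep a single MASQUERADE rule, add the FORWARD rule for the return traffic that the original script lacks, and put a LOG rule in front of the DROP policy so dropped packets show up in syslog. The script below puts those pieces together into a minimal stateful NAT gateway. It is an added example, not code from any poster: eth0/eth1 come from the first post, the LAN range 192.168.0.0/24 is assumed from INTIF being 192.168.0.1, and the DRY_RUN switch, the `limit` match on the LOG rule and the restriction of MASQUERADE to the LAN source range are this example's own additions.

```shell
#!/bin/bash
# Added example: a minimal stateful NAT gateway built from the thread's
# suggestions. Interface names and the LAN range are assumptions; the
# DRY_RUN switch belongs to this example, not to iptables.
EXTIF="${EXTIF:-eth0}"                  # Internet-facing interface
INTIF="${INTIF:-eth1}"                  # LAN-facing interface
LAN="${LAN:-192.168.0.0/24}"            # assumed LAN range (INTIF is 192.168.0.1)
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Run iptables, or with DRY_RUN=1 print the command instead, so the whole
# ruleset can be reviewed on a machine without root or without iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Turn on routing and verify it: if the file still reads 0, nothing is
# forwarded no matter what the rules say.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
        return 0
    fi
    echo 1 > /proc/sys/net/ipv4/ip_forward
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

build_ruleset() {
    # Start clean in both the filter and the nat table
    ipt -F
    ipt -X
    ipt -t nat -F
    # Default deny for traffic to and through the gateway; the gateway itself may talk out
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, and replies to connections the gateway opened itself
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # SSH management from the LAN side only
    ipt -A INPUT -i "$INTIF" -s "$LAN" -p tcp --dport 22 -j ACCEPT
    # LAN -> Internet, plus the return half (EXTIF -> INTIF) that the original script lacks
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Log what is about to fall through to the DROP policy; the limit match
    # keeps a burst of unwanted packets from flooding syslog
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "Forward Drop: "
    # Masquerade only the LAN range, and only on the external interface
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXTIF" -j MASQUERADE
}

# Apply only when asked: "./nat-gateway.sh apply" as root, or
# "DRY_RUN=1 ./nat-gateway.sh apply" to print the rules first.
if [ "${1:-}" = "apply" ]; then
    enable_forwarding && build_ruleset
fi
```

Run it with `DRY_RUN=1 ./nat-gateway.sh apply` first and read the printed rules; then apply as root and check `iptables -L -v -n -x` after a client has browsed for a minute: the EXTIF -> INTIF RELATED,ESTABLISHED rule should be counting packets, and anything logged with the "Forward Drop:" prefix is traffic the policy would otherwise have discarded silently.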
cdeberry n00b
Joined: 20 Feb 2004 Posts: 48
Posted: Tue Jun 29, 2004 3:47 pm Post subject:
Code:
sotf bin # iptables -L -v -n -x
Chain INPUT (policy DROP 10 packets, 472 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 127.0.0.1
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 127.0.0.1
265 19161 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
93 9902 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
38 46049 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 127.0.0.1
0 0 DROP tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spts:137:139
0 0 DROP udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spts:137:139
14 831 DROP all -- eth1 * !10.0.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 287 packets, 77410 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spts:137:139
0 0 DROP udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spts:137:139
2 127 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW

Code:
sotf bin # iptables -t nat -n -v -L -x
Chain PREROUTING (policy ACCEPT 2103 packets, 183624 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 11 packets, 667 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 10.0.0.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
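The counters in `iptables -L -v -n -x` output are the quickest way to see which rule is consuming the traffic. In the filter table posted above only two entries are counting dropped packets, the INPUT policy and the FORWARD rule that drops eth1 traffic not sourced from 10.0.0.0/24, while every ACCEPT rule in FORWARD sits at 0; with the LAN described in the first post living in 192.168.0.x, that rule and the 10.0.0.0/24 MASQUERADE entry are the first things to compare against the actual addressing. The script below is an added example, not something any poster supplied: it reads that output format from stdin and lists DROP entries with non-zero counters and ACCEPT rules that have never matched. The posted filter table is embedded as its sample input; the function names are this example's own.

```shell
#!/bin/bash
# Added example: mine "iptables -L -v -n -x" output for where packets go.
# Live use:   iptables -L -v -n -x | drop_hits
#             iptables -L -v -n -x | idle_accepts
# SAMPLE_FILTER is the filter table posted in the thread, kept as test input.
SAMPLE_FILTER='Chain INPUT (policy DROP 10 packets, 472 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 127.0.0.1
0 0 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 127.0.0.1
265 19161 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
93 9902 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
38 46049 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 127.0.0.1
0 0 DROP tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spts:137:139
0 0 DROP udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spts:137:139
14 831 DROP all -- eth1 * !10.0.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 287 packets, 77410 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spts:137:139
0 0 DROP udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp spts:137:139
2 127 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW'

# Print chain policies and DROP rules that have a non-zero packet count,
# each prefixed with its chain name. Reads iptables -L -v -n -x on stdin.
drop_hits() {
    awk '
        /^Chain / {
            chain = $2
            # header line: Chain INPUT (policy DROP 10 packets, 472 bytes)
            if ($4 == "DROP" && $5 + 0 > 0)
                printf "%s policy: %s pkts\n", chain, $5
            next
        }
        $1 == "pkts" { next }                 # column header line
        $3 == "DROP" && $1 + 0 > 0 {
            # columns: pkts bytes target prot opt in out source destination [matches]
            rule = $4
            for (i = 5; i <= NF; i++) rule = rule " " $i
            printf "%s rule: %s pkts, %s\n", chain, $1, rule
        }
    '
}

# Print ACCEPT rules that have never matched. A permit rule stuck at 0
# packets is either shadowed by an earlier rule or never reached at all.
idle_accepts() {
    awk '
        /^Chain / { chain = $2; next }
        $1 == "pkts" { next }
        $3 == "ACCEPT" && $1 + 0 == 0 {
            rule = $4
            for (i = 5; i <= NF; i++) rule = rule " " $i
            printf "%s: %s\n", chain, rule
        }
    '
}

# Wrappers that run both checks over the embedded sample
sample_drop_hits()    { printf '%s\n' "$SAMPLE_FILTER" | drop_hits; }
sample_idle_accepts() { printf '%s\n' "$SAMPLE_FILTER" | idle_accepts; }

if [ "${1:-}" = "sample" ]; then
    echo "== DROP entries with hits =="; sample_drop_hits
    echo "== ACCEPT rules never matched =="; sample_idle_accepts
fi
```

Run with `./counters.sh sample` to see it applied to the posted table; on the live gateway, pipe `iptables -L -v -n -x` into `drop_hits` before and after a test connection from a LAN client, and whichever DROP entry's count grows is the one the client's packets are hitting.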