andrewy l33t
Joined: 07 Apr 2004 Posts: 602
Posted: Thu Dec 02, 2004 11:19 pm Post subject: iptables masquerading, can't access LAN computers
wlan0 is connected to a LAN with 192.168.1.x IP addresses, on that LAN is a router that connects me to the internet. eth0 is connected to another computer via an uplink cable, eth0 has the ip 192.168.2.1 and the computer it's connected to is 192.168.2.100.
I can access the internet from 192.168.2.100 (computer on uplink cable), but when I try to connect to 192.168.1.103 (or any of the other LAN ip addresses) from that computer, it fails.
I know very little about iptables, so I'm guessing it's a problem in the rules I'm using.
Could someone please tell me how to change the rules so that I can connect to 192.168.1.103 from 192.168.2.100?
Here are the rules:
Code:
iptables -A INPUT -i eth0 -p tcp --dport 3074 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 3074 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 88 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --dport 3074 -j DROP
iptables -A OUTPUT -o eth0 -p udp --dport 3074 -j DROP
iptables -A OUTPUT -o eth0 -p udp --dport 88 -j DROP
iptables -A OUTPUT -o wlan0 -p tcp --dport 3074 -j DROP
iptables -A OUTPUT -o wlan0 -p udp --dport 3074 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 3074 -j DROP
iptables -A FORWARD -i eth0 -p udp --dport 3074 -j DROP
iptables -A FORWARD -i eth0 -p udp --dport 88 -j DROP
iptables -A INPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o eth0
iptables -A FORWARD -o wlan0 -i eth0
Thanks!
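Two problems in the ruleset above can be spotted from the text alone: the last two FORWARD rules carry no -j target, so they only count packets, and every rule appended after the blanket "-j ACCEPT" lines in INPUT and FORWARD can never be reached. The following Python is an added example, not code from this thread or from the iptables project; it is a small linter that parses the posted rules (embedded verbatim as constructed sample input) and reports both defects. It only understands plain "-A" appends and no "!" negations, which is all the posted script uses.

```python
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the ruleset from the opening post, copied verbatim.
SAMPLE_RULES = """\
iptables -A INPUT -i eth0 -p tcp --dport 3074 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 3074 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 88 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --dport 3074 -j DROP
iptables -A OUTPUT -o eth0 -p udp --dport 3074 -j DROP
iptables -A OUTPUT -o eth0 -p udp --dport 88 -j DROP
iptables -A OUTPUT -o wlan0 -p tcp --dport 3074 -j DROP
iptables -A OUTPUT -o wlan0 -p udp --dport 3074 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 3074 -j DROP
iptables -A FORWARD -i eth0 -p udp --dport 3074 -j DROP
iptables -A FORWARD -i eth0 -p udp --dport 88 -j DROP
iptables -A INPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o eth0
iptables -A FORWARD -o wlan0 -i eth0
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal


@dataclass
class Rule:
    table: str
    chain: str
    matches: Dict[str, str]   # every option that is not -t/-A/-j (e.g. -i eth0)
    target: Optional[str]     # None when the line has no -j at all
    text: str


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'iptables [-t table] -A CHAIN <matches> [-j TARGET]' line.
    Toy parser: only -A appends, no '!' negation, no -I/-D/-P handling."""
    argv = shlex.split(line)
    if len(argv) < 2 or argv[0] != "iptables":
        return None
    table, chain, target = "filter", None, None
    matches: Dict[str, str] = {}
    i = 1
    while i < len(argv):
        opt = argv[i]
        # value for this option, if the next token is not itself an option
        nxt = argv[i + 1] if i + 1 < len(argv) and not argv[i + 1].startswith("-") else None
        if opt == "-t":
            table = nxt
        elif opt == "-A":
            chain = nxt
        elif opt == "-j":
            target = nxt
        elif opt.startswith("-"):
            matches[opt] = nxt if nxt is not None else "true"
        i += 2 if nxt is not None else 1
    if chain is None or table is None:
        return None
    return Rule(table, chain, matches, target, line)


def lint(script: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, message) findings for a rule script.
    kind is 'no-target' or 'shadowed'."""
    findings: List[Tuple[int, str, str]] = []
    catch_all: Dict[Tuple[str, str], str] = {}  # (table, chain) -> first match-all rule
    for lineno, line in enumerate(script.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        key = (rule.table, rule.chain)
        if key in catch_all:
            findings.append((lineno, "shadowed",
                             f"unreachable: {catch_all[key]!r} already matches every packet in {rule.chain}"))
        if rule.target is None:
            findings.append((lineno, "no-target",
                             "no -j target: the rule only counts packets, it never accepts or drops"))
        elif not rule.matches and rule.target in TERMINATING and key not in catch_all:
            # a terminating rule with no match conditions ends the chain for everything
            catch_all[key] = line
    return findings


if __name__ == "__main__":
    for lineno, kind, msg in lint(SAMPLE_RULES):
        print(f"line {lineno}: [{kind}] {msg}")
```

Run against the posted script it flags lines 15 and 16 (the per-interface INPUT accepts) and 18 and 19 (the FORWARD rules) as shadowed by the earlier catch-alls, and lines 18 and 19 additionally as having no target.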
tmoneyksu n00b
Joined: 16 Mar 2003 Posts: 30
Posted: Fri Dec 03, 2004 3:51 pm Post subject:
On your INPUT chain where you accept connections, you may have to explicitly specify a source IP/network by using the '-s' option. It would look something like this:
Code:
iptables -A INPUT -i eth0 -s 192.168.0.0/255.255.0.0 -j ACCEPT
I'm not absolutely certain of this, but you might give it a shot. Hopefully someone else can give some better insight.
Taladar Guru
Joined: 09 Oct 2004 Posts: 458 Location: Bielefeld, Germany
Posted: Fri Dec 03, 2004 5:12 pm Post subject:
You've got some things mixed up here. What you want to do is routing. iptables does filtering and packet mangling (NAT, masquerading, ...).
To achieve your goal you should remove all the lines from your script except the "-j DROP" ones on top and enable IP forwarding in /etc/sysctl.conf, where you should insert the line:
Code:
net.ipv4.ip_forward = 1
If you have a line like that with "= 0" you have to remove it.
Then you need to set the gateway for 192.168.1.0/24 on your 192.168.2.100 machine to 192.168.2.1 with the following lines in /etc/conf.d/net:
Code:
routes_eth0=(
"-net 192.168.1.0/24 gw 192.168.2.1"
)
Of course this assumes your 192.168.2.1 box is connected to eth0 of the 192.168.2.100 box. If this isn't the case you should change it accordingly.
With those changes you should be able to connect to 192.168.1.0/24 hosts from your 192.168.2.100 machine.
Last edited by Taladar on Sat Dec 04, 2004 3:27 pm; edited 1 time in total
andrewy l33t
Joined: 07 Apr 2004 Posts: 602
Posted: Sat Dec 04, 2004 1:55 am Post subject:
Interesting, Taladar, I've never seen it done that way.
That will still allow the PC uplinked to eth0 to access the internet (IP addresses outside of the 192.168.1.0 range)? Would I set the default gateway on that PC to 192.168.1.1 (my router) instead of 192.168.2.1 (eth0), maybe?
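The question in the last post (does the /24 route coexist with internet access, and which address can be the default gateway) comes down to how a host picks a route: longest prefix match, and the chosen gateway has to sit on a directly connected network. The following Python is an added example, not code from this thread; it implements that lookup with the standard ipaddress module over a hypothetical routing table for the 192.168.2.100 box: its own 192.168.2.0/24 link, the "-net 192.168.1.0/24 gw 192.168.2.1" route from Taladar's post, and a default route. It goes slightly beyond the thread by also reporting whether a candidate gateway is actually reachable on-link, which is the check that separates 192.168.2.1 from 192.168.1.1 as a default gateway for that host.

```python
import ipaddress
from typing import List, Optional, Tuple

DIRECT = "direct"  # marker for an on-link prefix (no gateway needed)

# Constructed routing table for the 192.168.2.100 box (hypothetical).
HOST_ROUTES: List[Tuple[str, str]] = [
    ("192.168.2.0/24", DIRECT),         # eth0's own subnet
    ("192.168.1.0/24", "192.168.2.1"),  # "-net 192.168.1.0/24 gw 192.168.2.1"
    ("0.0.0.0/0", "192.168.2.1"),       # default route via the same box
]


def pick_route(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match: return the gateway (or DIRECT) of the most
    specific prefix containing dst, or None when no route covers it."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def on_link(routes: List[Tuple[str, str]], addr: str) -> bool:
    """True when addr lies inside a directly connected prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False)
               for p, gw in routes if gw == DIRECT)


def resolve(routes: List[Tuple[str, str]], dst: str) -> Tuple[Optional[str], bool]:
    """Return (next_hop, usable). usable is False when the matched route
    names a gateway that the host cannot reach on any of its own links."""
    gw = pick_route(routes, dst)
    if gw is None:
        return None, False
    if gw == DIRECT:
        return gw, True
    return gw, on_link(routes, gw)


if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for "the internet".
    for dst in ("192.168.1.103", "192.168.2.1", "203.0.113.7"):
        print(dst, "->", resolve(HOST_ROUTES, dst))
    # Same host, but with the LAN router as default gateway: not on-link from 192.168.2.100.
    bad_table = [("192.168.2.0/24", DIRECT), ("0.0.0.0/0", "192.168.1.1")]
    print("203.0.113.7 via 192.168.1.1 ->", resolve(bad_table, "203.0.113.7"))
```

With the constructed table, both the LAN host 192.168.1.103 and an internet address resolve to next hop 192.168.2.1, so the specific /24 route and the default route do not conflict; a default route via 192.168.1.1 is selected but reported unusable because that address is not on any link the 192.168.2.100 box has.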