Bonkie (Guru)
Joined: 28 Oct 2002 Posts: 501 Location: Antwerpen, Belgium
Posted: Wed Mar 23, 2005 10:23 pm Post subject: iptables help
I followed this howto (http://www.gentoo.org/doc/en/home-router-howto.xml), but when I do that, I can't reach the modem nor the WAN from my router, although it works fine for my network (but I need WAN access on my router as well).
This is my setup:

```
DSL modem hacked as permanent router
        |
        | 10.0.0.0 network
        |
   my own router
        |
        | 192.168.1.0 network
        |
   my network
```
This is the script I used:

```bash
#!/bin/bash
# variables
DEVICE_WAN="eth0"
DEVICE_LAN="eth1"
LAN_NETWORK="192.168.1.0/24"   # the LAN is a /24, so the rules below use this instead of a /16 mask
LAN_DESKIE="192.168.1.2"
# First we flush our current rules
iptables -F
iptables -t nat -F
# Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i $DEVICE_LAN -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
# "! -i" is the current negation syntax; older iptables wrote "-i !"
iptables -A INPUT -p UDP --dport bootps ! -i $DEVICE_LAN -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i $DEVICE_LAN -j REJECT
#
# Allow access to local services from WAN
#
# SSH
iptables -A INPUT -p TCP --dport ssh -i $DEVICE_WAN -j ACCEPT
# FTP
iptables -A INPUT -p TCP --dport 21 -i $DEVICE_WAN -j ACCEPT
# HTTP/HTTPS
iptables -A INPUT -p TCP --dport 80 -i $DEVICE_WAN -j ACCEPT
iptables -A INPUT -p TCP --dport 443 -i $DEVICE_WAN -j ACCEPT
# DROP TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i $DEVICE_LAN -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i $DEVICE_LAN -d 0/0 --dport 0:1023 -j DROP
# Rules for NAT
# no forwarding from the LAN back into the LAN; LAN may go out, WAN may come back in
iptables -I FORWARD -i $DEVICE_LAN -d $LAN_NETWORK -j DROP
iptables -A FORWARD -i $DEVICE_LAN -s $LAN_NETWORK -j ACCEPT
iptables -A FORWARD -i $DEVICE_WAN -d $LAN_NETWORK -j ACCEPT
iptables -t nat -A POSTROUTING -o $DEVICE_WAN -j MASQUERADE
#
# Port Forwarding
#
# Bittorrent forwarding
iptables -t nat -A PREROUTING -p tcp --dport 6881:6889 -i $DEVICE_WAN -j DNAT --to $LAN_DESKIE
# Tell kernel that IP Forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
```
Some info:

```
# uname -s -r -v
Linux 2.6.8 #1 Mon Jan 24 03:29:52 EST 2005
# lsmod | grep ip
ipt_state 2112 2
ipt_MASQUERADE 4032 1
iptable_filter 2944 1
iptable_nat 25260 2 ipt_MASQUERADE
ip_conntrack 35144 3 ipt_state,ipt_MASQUERADE,iptable_nat
ip_tables 18368 4 ipt_state,ipt_MASQUERADE,iptable_filter,iptable_nat
ipv6 262404 22
```
Can somebody point out what's wrong??? It's hard to look for a solution if you don't know what the problem is. :?
_________________
"I would say we have a 50% chance of survival, but I consider myself an optimist so I'll give us 50,5% ..."
~ Arthur C. Clarke [Physics PHD, SF Writer], when asked about the chances of the human race's survival
tutaepaki (Apprentice)
Joined: 11 Nov 2003 Posts: 279 Location: New Zealand
Posted: Thu Mar 24, 2005 3:46 am
Stuff to/from your router uses the INPUT/OUTPUT chains.
You've not set a default policy for anything, so anything you haven't explicitly denied will be permitted. (Not a good thing: you should set a default drop policy, and then permit what you need.)
Because the WAN address of your router is non-routable (10.x.x.x), you need to NAT that too. Try

```
iptables -t nat -A OUTPUT -o $DEVICE_WAN -j MASQUERADE
```

The OUTPUT chain in the nat table is a special chain for traffic originating from the local device.
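A stateful, default-deny version of the first post's script along the lines tutaepaki describes (default policies first, then explicit permits), written here as an added example rather than code from the thread: the router's own outbound traffic is allowed by the OUTPUT policy and its replies by the ESTABLISHED,RELATED rule on INPUT, and MASQUERADE, which iptables accepts only in the nat POSTROUTING chain, rewrites locally generated packets there as well as forwarded ones. Interface names and addresses are taken from the original post; `IPT="echo iptables"` prints the rules instead of applying them, which is how the dry-run helper checks them.

```bash
#!/bin/bash
# Added example: stateful, default-deny rewrite of the script in the first post.
# Set IPT="echo iptables" to print the rules instead of applying them (dry run).
IPT=${IPT:-iptables}
DEVICE_WAN="eth0"
DEVICE_LAN="eth1"
LAN_NETWORK="192.168.1.0/24"      # address values as in the original post
LAN_DESKIE="192.168.1.2"

firewall_rules() {
    # Start clean, then default-deny: whatever is not explicitly allowed is dropped.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT   # the router itself may open connections to the modem/WAN

    # Replies to connections the router or the LAN started.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Local services: everything from loopback and the LAN, a short list from the WAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$DEVICE_LAN" -s "$LAN_NETWORK" -j ACCEPT
    for port in 22 80 443; do
        $IPT -A INPUT -i "$DEVICE_WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Forwarding: the LAN may open connections to the WAN; the WAN only reaches the DNATed ports.
    $IPT -A FORWARD -i "$DEVICE_LAN" -o "$DEVICE_WAN" -s "$LAN_NETWORK" -j ACCEPT
    $IPT -A FORWARD -i "$DEVICE_WAN" -o "$DEVICE_LAN" -p tcp -d "$LAN_DESKIE" --dport 6881:6889 -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$DEVICE_WAN" -p tcp --dport 6881:6889 -j DNAT --to "$LAN_DESKIE"

    # MASQUERADE is only valid in nat/POSTROUTING; it covers forwarded and locally generated packets.
    $IPT -t nat -A POSTROUTING -o "$DEVICE_WAN" -j MASQUERADE
}

# Dry-run helper: how many generated rule lines contain the given text.
count_rules() { (IPT="echo iptables"; firewall_rules) | grep -c -- "$1"; }

# Apply for real only when invoked as "./firewall.sh apply".
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
    firewall_rules
fi
```

Run it without arguments after `IPT="echo iptables"` to review the generated rule list before applying it on the router.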
Nossie (Apprentice)
Joined: 19 Apr 2002 Posts: 181
Posted: Thu Mar 24, 2005 7:51 am
Have a look at the monmotha iptables script; it can do everything you want.
It is available through portage.
Bonkie (Guru)
Joined: 28 Oct 2002 Posts: 501 Location: Antwerpen, Belgium
Posted: Thu Mar 24, 2005 9:03 am
I have a working script, that's not the problem; I was just trying to understand why this one didn't work like I wanted. So thanks tutaepaki, I'll check that out.
_________________
"I would say we have a 50% chance of survival, but I consider myself an optimist so I'll give us 50,5% ..."
~ Arthur C. Clarke [Physics PHD, SF Writer], when asked about the chances of the human race's survival
renihs (Tux's lil' helper)
Joined: 03 Mar 2004 Posts: 82 Location: Austria, Vienna
Posted: Thu Mar 24, 2005 9:44 am
I didn't exactly catch what you described, but maybe you didn't enable ip_forward? (Doubtful, or you would not have internet access from your LAN.)
I often forget that... on my routers... lol :)
_________________
Gentoos are the fastest underwater swimming birds, reaching speeds of 36 km/h (22.3 mph).
Height: 75cm (29in), Weight: 5.5kg
If you discover spelling errors, you are authorized to keep them.