Lechium Apprentice
Joined: 04 Apr 2005 Posts: 244
Posted: Wed Sep 28, 2005 3:40 am Post subject: iptables/ipchains does not forward properly
Hi,
I've set up my main computer and the remote/fileserver exactly the way the HOW-TO showed.
I can ping the second comp and ssh to it; however, despite setting up iptables/ipchains, the other comp is unable to dhcpcd its way to the internet.
Here's what my setup of iptables looks like now:
```
yatahaze linux # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             192.168.0.0/16
ACCEPT     all  --  192.168.0.0/16       anywhere
ACCEPT     all  --  anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
What is wrong / why won't it forward? *confused* I did start the process, and rc-status shows that it is running...
thank you,
Victor

Bubbles n00b
Joined: 09 Jan 2005 Posts: 14 Location: Toronto
Posted: Wed Sep 28, 2005 5:42 am
This should probably be in the networking/security forum. Anyways... why are you allowing and dropping forwarded packets from "anywhere" to your internal network? These might be different rules, but if not, the drop rule will get evaluated first and overrule the allow. Post the output of iptables -Lv (-v for verbose) to get a more detailed look at the rules.

Lechium Apprentice
Joined: 04 Apr 2005 Posts: 244
Posted: Wed Sep 28, 2005 6:14 am
-Lv doesn't work, and -vL and -v -L give the same result... I followed the exact steps from the HOW-TO as far as the ipchains setup goes....

pjp Administrator
Joined: 16 Apr 2002 Posts: 20589
Posted: Wed Sep 28, 2005 6:39 am
If iptables -v -L produces the same output as iptables -L, you have a major problem. Perhaps the output just looks the same to you. You might try pasting it anyway.
Quote:
> -v, --verbose
> Verbose output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

You also didn't provide information about your network, such as what 192.168.0.0/16 is, or what the IP & interface to the internet were (or wherever packets are to be forwarded to).
Moved from Portage & Programming

Lechium Apprentice
Joined: 04 Apr 2005 Posts: 244
Posted: Wed Sep 28, 2005 8:37 am
might as well post it...
```
yatahaze lechium # iptables -v -L
Chain INPUT (policy ACCEPT 22286 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  1876 ACCEPT     all  --  lo     any     anywhere             anywhere
69912  104M ACCEPT     all  --  eth0   any     anywhere             anywhere
 1945  675K REJECT     udp  --  !eth0  any     anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
    2   124 REJECT     udp  --  !eth0  any     anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp dpt:ssh
   19   912 DROP       tcp  --  !eth0  any     anywhere             anywhere            tcp dpts:0:1023
49628 7332K DROP       udp  --  !eth0  any     anywhere             anywhere            udp dpts:0:1023

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   any     anywhere             192.168.0.0/16
    0     0 ACCEPT     all  --  eth0   any     192.168.0.0/16       anywhere
    0     0 ACCEPT     all  --  eth1   any     anywhere             192.168.0.0/16

Chain OUTPUT (policy ACCEPT 52096 packets, 4123K bytes)
 pkts bytes target     prot opt in     out     source               destination
```
P.S. oops it does look somewhat different lol

Lechium Apprentice
Joined: 04 Apr 2005 Posts: 244
Posted: Thu Sep 29, 2005 4:42 pm
bumpey...

DaveArb Guru
Joined: 29 Apr 2004 Posts: 510 Location: Texas, USA
Posted: Thu Sep 29, 2005 5:01 pm
Lechium wrote:
> might as well post it...
> `Chain FORWARD (policy DROP 0 packets, 0 bytes)`

Nothing seems to even have touched your FORWARD chain. What does your nat table look like?
Dave

Soda Ant n00b
Joined: 14 Sep 2005 Posts: 12 Location: Milky Way
Posted: Thu Sep 29, 2005 8:45 pm
Do you have IP forwarding turned on in the kernel? E.g.,
```shell
echo "1" > /proc/sys/net/ipv4/ip_forward
```
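Pulling together the three suggestions in this thread (Bubbles' question about rule order, DaveArb's point that the FORWARD counters have never moved, and the ip_forward check above), here is an added example that is not code from the thread or from the Gentoo HOW-TO. It parses the `iptables -v -L` listing Lechium posted, reports which chains have counted no traffic at all, and walks a packet through the FORWARD chain with the same first-match-wins semantics the kernel uses, so the effect of rule order can be seen before a single counter changes. The listing is Lechium's, pasted verbatim; the interface roles (eth0 = LAN, eth1 = Internet), the LAN host 192.168.0.2 and the Internet address 198.51.100.10 are assumptions made for the walk-through, and the port matches in the last column of the listing are not interpreted.

```python
"""Added example, not code from the thread: parse `iptables -v -L` output,
list chains that have counted no traffic, and walk a packet through a chain
using first-match-wins semantics (port matches are not interpreted)."""
import ipaddress
import re
from collections import namedtuple

# The verbose listing Lechium posted above, pasted verbatim.
LISTING = """\
Chain INPUT (policy ACCEPT 22286 packets, 17M bytes)
 pkts bytes target prot opt in out source destination
   36  1876 ACCEPT all -- lo any anywhere anywhere
69912  104M ACCEPT all -- eth0 any anywhere anywhere
 1945  675K REJECT udp -- !eth0 any anywhere anywhere udp dpt:bootps reject-with icmp-port-unreachable
    2   124 REJECT udp -- !eth0 any anywhere anywhere udp dpt:domain reject-with icmp-port-unreachable
    0     0 ACCEPT tcp -- eth1 any anywhere anywhere tcp dpt:ssh
   19   912 DROP tcp -- !eth0 any anywhere anywhere tcp dpts:0:1023
49628 7332K DROP udp -- !eth0 any anywhere anywhere udp dpts:0:1023
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP all -- eth0 any anywhere 192.168.0.0/16
    0     0 ACCEPT all -- eth0 any 192.168.0.0/16 anywhere
    0     0 ACCEPT all -- eth1 any anywhere 192.168.0.0/16
Chain OUTPUT (policy ACCEPT 52096 packets, 4123K bytes)
 pkts bytes target prot opt in out source destination
"""

CHAIN_RE = re.compile(r"Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # 1000-based, as the man page excerpt says
Rule = namedtuple("Rule", "pkts target proto in_if src dst extra")
Chain = namedtuple("Chain", "name policy policy_pkts rules")

def count(text):
    """Turn a counter such as '675K' or '17M' back into an integer."""
    if text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)

def parse_listing(text):
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), count(m.group(3)), [])
            chains[current.name] = current
            continue
        if not line or line.startswith("pkts") or current is None:
            continue
        # columns: pkts bytes target prot opt in out source destination [match text]
        f = line.split(None, 9)
        current.rules.append(Rule(count(f[0]), f[2], f[3], f[5], f[7], f[8],
                                  f[9] if len(f) > 9 else ""))
    return chains

def idle_chains(chains):
    """Chains where neither the policy nor any rule has counted a packet."""
    return [c.name for c in chains.values()
            if c.policy_pkts == 0 and all(r.pkts == 0 for r in c.rules)]

def _iface_match(pattern, actual):
    if pattern == "any":
        return True
    if pattern.startswith("!"):          # '!eth0' means every interface but eth0
        return actual != pattern[1:]
    return actual == pattern

def _net_match(pattern, addr):
    if pattern == "anywhere":
        return True
    net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != pattern.startswith("!")

def walk(chain, in_if, src, dst, proto="all"):
    """First matching rule decides; otherwise the chain policy applies.
    Returns (verdict, index of the deciding rule, or None for the policy)."""
    for i, r in enumerate(chain.rules):
        if r.proto not in ("all", proto):
            continue
        if (_iface_match(r.in_if, in_if) and _net_match(r.src, src)
                and _net_match(r.dst, dst)):
            return r.target, i
    return chain.policy, None

if __name__ == "__main__":
    chains = parse_listing(LISTING)
    print("chains with no traffic at all:", idle_chains(chains))   # ['FORWARD']
    fwd = chains["FORWARD"]
    # Assumed roles: eth0 = LAN, eth1 = Internet; 198.51.100.10 is a documentation address.
    for desc, pkt in [("LAN host -> Internet", ("eth0", "192.168.0.2", "198.51.100.10")),
                      ("reply Internet -> LAN host", ("eth1", "198.51.100.10", "192.168.0.2")),
                      ("LAN host -> another LAN subnet", ("eth0", "192.168.0.2", "192.168.1.9"))]:
        print(f"{desc}: {walk(fwd, *pkt)}")
```

Run on the posted listing, FORWARD is the only chain whose policy and rules have all counted zero packets, while the walk-through shows that, under the assumed interface roles, the chain as written would already ACCEPT LAN-to-Internet traffic (second rule) and the replies (third rule), and the DROP rule Bubbles asked about only catches traffic arriving on eth0 that is addressed back into 192.168.0.0/16, so it does not shadow either ACCEPT. That combination means packets are never reaching the FORWARD hook at all, which points at ip_forward or at the missing nat table rather than at the filter rules; once forwarding works, the same parser run on fresh output should show the FORWARD counters moving.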

Lechium Apprentice
Joined: 04 Apr 2005 Posts: 244
Posted: Fri Sep 30, 2005 3:07 am
IP forwarding is turned on in the kernel.
How do I change the forward rules on the FORWARD chain, or provide the nat table results, though?
Also, the forwarding states explicitly that it forwards the IPs from the IP range of my 2nd comp, yet it doesn't follow through...
thanks,
Victor

Lechium Apprentice
Joined: 04 Apr 2005 Posts: 244
Posted: Sat Oct 01, 2005 12:31 am
*bump*

Lechium Apprentice
Joined: 04 Apr 2005 Posts: 244
Posted: Sun Oct 02, 2005 3:26 am
*bump yet again*

SnarlCat n00b
Joined: 21 Sep 2005 Posts: 40
Posted: Mon Oct 03, 2005 1:18 pm
Try this on -- it's an excerpt from my firewall that lets eth{1,2} and a USB-based net connection through to eth0, while maintaining decent security..
The full script does much more, but you're likely not interested in it, so, here's the important stuff.. ;)
```shell
######################
# FILTER TABLE
######################
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
# Single ports only need --dport; "--multiport" is not an option (the multiport match is "-m multiport --dports a,b,c")
iptables -t filter -A INPUT -p udp -i eth0 --dport bootps -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A INPUT -p udp -i eth0 --dport domain -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A INPUT -p tcp --dport ssh -j ACCEPT
# Unprivileged ports only; the negation is written in front of the option
iptables -t filter -A INPUT -p tcp ! --dport 0:1023 -j ACCEPT
iptables -t filter -A INPUT -p udp ! --dport 0:1023 -j ACCEPT
# New connections may only be opened from eth1; replies to them are let back through
iptables -t filter -A FORWARD -i eth1 -m state --state NEW -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
######################
# MANGLE TABLE
######################
iptables -t mangle -P PREROUTING DROP
iptables -t mangle -P POSTROUTING DROP
iptables -t mangle -P FORWARD DROP
iptables -t mangle -P OUTPUT DROP
iptables -t mangle -A PREROUTING -i lo -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -s 192.168.0.0/16 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -d 192.168.0.0/16 -j ACCEPT
# Filter out some addresses that are known invalid on the Internet
iptables -t mangle -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -i eth0 -s 169.254.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -i eth0 -d 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -i eth0 -d 169.254.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -i eth0 -d 172.16.0.0/12 -j DROP
iptables -t mangle -A PREROUTING -i eth0 -d 192.168.0.0/16 -j DROP
# Added to make the excerpt work on its own: everything else arriving on eth0 (e.g. replies from the
# Internet) would otherwise fall through to the DROP policy set above
iptables -t mangle -A PREROUTING -i eth0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o lo -j ACCEPT
iptables -t mangle -A POSTROUTING -o eth0 -j ACCEPT
iptables -t mangle -A POSTROUTING -o eth1 -j ACCEPT
iptables -t mangle -A FORWARD -o lo -j ACCEPT
iptables -t mangle -A FORWARD -o eth0 -j ACCEPT
iptables -t mangle -A FORWARD -o eth1 -j ACCEPT
iptables -t mangle -A OUTPUT -o lo -j ACCEPT
iptables -t mangle -A OUTPUT -o eth0 -j ACCEPT
iptables -t mangle -A OUTPUT -o eth1 -j ACCEPT
######################
# NAT TABLE
######################
iptables -t nat -P PREROUTING DROP
iptables -t nat -P OUTPUT DROP
iptables -t nat -P POSTROUTING DROP
# Added to make the excerpt work on its own: the nat table sees the first packet of every new
# connection, and without this line new connections over the loopback would hit the DROP policy
iptables -t nat -A PREROUTING -i lo -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -j ACCEPT
# eth1 -> eth0: rewrite the source address of LAN traffic leaving for the Internet
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j SNAT --to-source XXX.XXX.XXX.XXX # EDIT THIS TO BE YOUR INTERNET GATEWAY ADDRESS
iptables -t nat -A POSTROUTING -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j ACCEPT
iptables -t nat -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A OUTPUT -o eth0 -j ACCEPT
iptables -t nat -A OUTPUT -o eth1 -j ACCEPT
```
A few things I noticed about your firewall -- the default permission for the filter table chains (input, forward, output) was accept.. good security practice should be one of least privilege; block everything, and only open needed ports.
To do the routing you're looking for, you need to include the NAT table (see the bottom of my script). You'll need to edit this to suit your configuration..
Write back here or check out the IPTables Tutorial [http://iptables-tutorial.frozentux.net/iptables-tutorial.html] for a good guide on IPTables if you have questions..
I think this will do what you're looking for, and may make maintenance easier..
Hope this helps..