kreon28 Apprentice

Joined: 08 Jul 2006 Posts: 165
Posted: Sun Feb 04, 2007 11:30 am Post subject: Complicated firewall
Hi,
I've got a problem with my firewall. I made a successful internet connection, but it only works without the firewall, and I know that is not safe at all!
I've got an ADSL (PPPoA) modem. My box is connected to another computer with two systems on it (Win'98 and Damn Small Linux; both of them have the static IP 192.168.0.2). I made many iptables checks, but to have a working connection and then share that connection with the other computer I have to do these steps:
1. run a script:
Code: | /usr/sbin/pppd call speedtch |
then I have to
2. stop my firewall:
Code: | /etc/init.d/iptab stop |
a. My /etc/init.d/iptab script:
Code: | #!/bin/bash
IPTABLES='/sbin/iptables'
# Set interface values
EXTIF='ppp0'
INTIF1='eth0'
INTIF2='eth2'
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains in the filter AND the nat table
# (a plain -F/-X only touches the filter table, so the MASQUERADE
#  rule below was appended once more every time this script ran)
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
# make the default policies explicit; the DROP rules at the end rely on
# everything not matched (e.g. return traffic) being accepted by policy
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
# (RELATED also lets ICMP errors and FTP data connections through)
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#echo -e " - Allowing access to the SSH server"
# no -i given, so port 22 is open on every interface, $EXTIF included
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
|
After that I was connected, but NAT was disabled and I couldn't share my connection with the other computer, so I emerged firestarter, knowing that it has a wizard. I thought that wizard would help me with NAT and could also connect me with my other computer (by eth0).
So the next thing I have to do is start firestarter:
3. After much reading and clicking, firestarter started working but blocked all my ports. I added some rules and exceptions, but nothing worked.
To get the internet working I had to add an insane rule: allow ports "1-65535" to everyone!
But it only works if I stop firestarter and then start it again.
So we get to the last step:
4. In the firestarter window I had to stop firestarter and then click start.
Now everything is fine and everything is working: my web browsers, my azureus and other torrents, my DC++. The other computer that is connected to mine also has internet, on both systems, Win'98 and DSL.
Last but not least, the computer that is connected to mine often takes a lot of bandwidth, so I found a simple script to cut it:
Code: | tc qdisc add dev eth0 root handle 1:0 tbf buffer 10KB limit 10KB rate 128kbit |
It works perfectly.
It's cool, but as I said before, such a firewall is no firewall at all, and another thing: as you can see, it is a hassle to do these 4 steps just to have internet, so I'm not happy with it.
Could anyone help me fix all of this?
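Added example, not part of kreon28's post and not his script: a single init-style script that does what the four steps above do by hand, and that can be restarted without piling up duplicate rules. The interface names (ppp0 upstream, eth0 and eth2 towards the LAN) and the tc parameters are taken from the post; the LAN subnet 192.168.0.0/24 is an assumption derived from the client address 192.168.0.2. The `DRY_RUN` switch, the `run` wrapper and the `start`/`stop`/`show` verbs are likewise this example's own additions, so the ruleset can be printed and checked before it is loaded with root rights.

```shell
#!/bin/bash
# Added example: stateful NAT firewall plus LAN shaping in one script.
# Interface names and tc settings come from the forum post; LANNET and the
# DRY_RUN/run machinery are assumptions made for this example.
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"
TC="${TC:-/sbin/tc}"
EXTIF="${EXTIF:-ppp0}"
LANIFS="${LANIFS:-eth0 eth2}"
LANNET="${LANNET:-192.168.0.0/24}"   # assumed from the 192.168.0.2 client
DRY_RUN="${DRY_RUN:-0}"              # 1 = print the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 so the ruleset can be
# reviewed (or tested) on a machine without root or iptables.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

flush_all() {
    # The post's script only flushed the filter table, so its nat MASQUERADE
    # rule was appended again on every restart. Flush every table.
    for t in filter nat mangle; do
        run "$IPTABLES" -t "$t" -F
        run "$IPTABLES" -t "$t" -X
    done
}

firewall_start() {
    flush_all
    # Default deny for traffic to and through this host; outbound is allowed.
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT

    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host or the LAN opened. RELATED also covers
    # ICMP errors and helper-tracked data connections (e.g. FTP), which the
    # post's NEW,ESTABLISHED match left out.
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state INVALID -j DROP
    run "$IPTABLES" -A FORWARD -m state --state INVALID -j DROP

    for lan in $LANIFS; do
        # The LAN may talk to the firewall itself (ssh, http, ...) and may be
        # forwarded to the Internet; the -s match keeps spoofed sources out.
        run "$IPTABLES" -A INPUT -i "$lan" -s "$LANNET" -j ACCEPT
        run "$IPTABLES" -A FORWARD -i "$lan" -o "$EXTIF" -s "$LANNET" -j ACCEPT
    done
    # One MASQUERADE rule for LAN traffic leaving via the dynamic ppp0 address.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -s "$LANNET" -j MASQUERADE

    # Services reachable from the Internet side. The post opened 22 and 80 on
    # every interface; here they are bound to $EXTIF explicitly, and nothing
    # not listed here is reachable from outside.
    run "$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Forwarding is switched on only after the rules are in place.
    run sysctl -w net.ipv4.ip_forward=1
}

firewall_stop() {
    flush_all
    run "$IPTABLES" -P INPUT ACCEPT
    run "$IPTABLES" -P FORWARD ACCEPT
    run "$IPTABLES" -P OUTPUT ACCEPT
}

# Same 128 kbit/s token bucket as in the post, on the interface facing the
# LAN client. "replace" instead of "add" makes it safe to rerun: "add" fails
# once a root qdisc is already present.
shape_start() {
    run "$TC" qdisc replace dev "${1:-eth0}" root handle 1:0 tbf buffer 10KB limit 10KB rate 128kbit
}
shape_stop() {
    run "$TC" qdisc del dev "${1:-eth0}" root
}

case "${1:-}" in
    start) firewall_start; shape_start eth0 ;;
    stop)  firewall_stop; shape_stop eth0 || true ;;
    show)  DRY_RUN=1; firewall_start; shape_start eth0 ;;
esac
```

`sh firewall.sh show` prints every iptables and tc command the script would issue, which is the first thing to check on a box where the rules are being debugged; `start` and `stop` need root. The script is meant to run after `pppd call speedtch` has brought up ppp0, and `-i ppp0` rules stay valid across reconnects because they match on the interface name, not its address.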