HI, Problem getting firewall going.

Neil Dugan ubuntu at butterflystitches.com.au
Mon Jul 31 02:30:14 BST 2006


Hi, I am new to this list; if this is the wrong place to ask, let me know.

I have set up a ubuntu box for internet access and also as a firewall.
I can get on the internet from the firewall computer. :)  From the
other computer I can ping both interfaces of the firewall (i.e. eth0
and eth1). :)

But I can't ping the modem @ 192.168.1.1 :(

The eth1 interface of the firewall does report receiving bytes (via
ifconfig) but I can't trace where that info is going.  I put lots of
LOG actions in the iptables to find out where the ping was going but
none of them report anything.  The program ethereal says the eth1
interface is receiving lots of ARP requests for 192.168.1.1 but no
answers are sent.
Here is a basic layout of the network.

+-------------------+
|  xxx.xxx.xxx.xxx  |
|    ADSL modem     |
|  192.168.1.1      |
+-------------------+
          |
          |
          |
+----------------------+
|  eth0 192.168.1.xxx  |
|     firewall         |
|  eth1 192.168.5.254  |
+----------------------+
          |
          |
          |
+----------------------+
|  eth0 192.168.5.xxx  |
|    computer          |
+----------------------+


----- /etc/init.d/iptables -----------

#!/bin/sh

IPTABLES=/sbin/iptables

# which port is used for what
INTERNAL=eth1
EXTERNAL=eth0

# need to find this dynamically
EXTERNAL_IP=192.168.1.238

INTERNAL_RANGE=192.168.5.0/24

# which port skype uses
SKYPE_PORT=23323


case "$1" in
start)
	echo -n "Starting IP Firewall and NAT..."
	echo "1" > /proc/sys/net/ipv4/ip_forward
	echo "1" > /proc/sys/net/ipv4/tcp_syncookies

	# Clear old rules: flush rules first, then delete user-defined chains
	# (-X fails while a chain still holds rules), then zero the counters
	$IPTABLES -F
	$IPTABLES -X
	$IPTABLES -Z
	$IPTABLES -F -t nat
	$IPTABLES -X -t nat
	$IPTABLES -Z -t nat
	$IPTABLES -F -t mangle
	$IPTABLES -X -t mangle
	$IPTABLES -Z -t mangle
	
	# INPUT Rules - Add to this section the ports you wish to explicitly allow connections on
	#	Below are some common services that are commonly used
	#	Comment out the lines to disable access to these services
	#	The port numbers for other services you may wish to allow can be found in the /etc/services file

	# set the default for the input chain to drop
	$IPTABLES -P INPUT DROP

	# Debug logging: these LOG rules sit before the ACCEPT rules, so every
	# IP packet entering a chain is logged (ARP is not IP and never reaches them)
	$IPTABLES -A INPUT -t filter -j LOG --log-prefix "filter_input:"
	$IPTABLES -A OUTPUT -t filter -j LOG --log-prefix "filter_output:"
	$IPTABLES -A FORWARD -t filter -j LOG --log-prefix "filter_forward:"
	
	$IPTABLES -A PREROUTING -t nat -j LOG --log-prefix "nat_prerouting:"
	$IPTABLES -A POSTROUTING -t nat -j LOG --log-prefix "nat_postrouting:"
	$IPTABLES -A OUTPUT -t nat -j LOG --log-prefix "nat_output:"

	$IPTABLES -A INPUT -t mangle -j LOG --log-prefix "mangle_input:"
	$IPTABLES -A OUTPUT -t mangle -j LOG --log-prefix "mangle_output:"
	$IPTABLES -A POSTROUTING -t mangle -j LOG --log-prefix "mangle_postrouting:"
	$IPTABLES -A PREROUTING -t mangle -j LOG --log-prefix "mangle_prerouting:"
	$IPTABLES -A FORWARD -t mangle -j LOG --log-prefix "mangle_forward:"


	# allow already started communications
	$IPTABLES -A INPUT -i $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT  #Allows connections you start

	# allow everything from the internal interface
	$IPTABLES -A INPUT -i $INTERNAL -j ACCEPT  #Allows connections you start


	#Allow FTP Connections
	#$IPTABLES -A INPUT -i $EXTERNAL -p tcp --dport 21 -j ACCEPT	
	#$IPTABLES -A INPUT -i $EXTERNAL -p udp --dport 21 -j ACCEPT

	#SSH Connections
	$IPTABLES -A INPUT -i $EXTERNAL -p tcp --dport 22 -j ACCEPT

	#SKYPE communications
	$IPTABLES -A INPUT -i eth0 -p udp --destination-port $SKYPE_PORT -j ACCEPT

	#HTTP Connections
	#$IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

	#HTTP SSL Connections
	#$IPTABLES -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

	#SAMBA related ports
	#$IPTABLES -A INPUT -i eth0 -p tcp --dport 137 -j ACCEPT
	#$IPTABLES -A INPUT -i eth0 -p tcp --dport 138 -j ACCEPT
	#$IPTABLES -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
	#$IPTABLES -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
	#$IPTABLES -A INPUT -i eth0 -p udp --dport 139 -j ACCEPT

	# Allow pings, but reject the rest
	$IPTABLES -A INPUT -i $EXTERNAL -p icmp -j ACCEPT

	# POSTROUTING statements for Many:1 NAT
	# (Connections originating from the entire home network)
	# Note: no policy is set on FORWARD, so it keeps the kernel default (ACCEPT)
	$IPTABLES -A FORWARD -o $EXTERNAL -j ACCEPT
	$IPTABLES -A FORWARD -i $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
	#$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL  -j SNAT --to-source $EXTERNAL_IP
	$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE

	# redirect a port to a particular ip addr.
	#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport www -j DNAT --to-dest 192.168.1.2


	# Reject everything else
	#$IPTABLES -A INPUT -j DROP


	echo "done."
	;;
stop)
	echo -n "Stopping IP Firewall and NAT..."
	# flush rules first, then delete user-defined chains, then zero counters
	$IPTABLES -F
	$IPTABLES -X
	$IPTABLES -Z
	$IPTABLES -F -t nat
	$IPTABLES -X -t nat
	$IPTABLES -Z -t nat
	$IPTABLES -F -t mangle
	$IPTABLES -X -t mangle
	$IPTABLES -Z -t mangle

	# block everything
	#$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
	#$IPTABLES -A INPUT -i eth0 -j REJECT
	echo "done."
	;;

restart)
	echo -n "Restarting IP Firewall and NAT..."
	$0 stop > /dev/null
	sleep 1
	$0 start > /dev/null
	;;

*)
	echo "Usage: $0 {start|stop|restart}"
	;;
esac

-----------------------------------
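The ARP symptom described in the post (requests for 192.168.1.1 arriving on eth1) can be reasoned about with plain subnet arithmetic: a host only ARPs for an address it believes is on its own link, and ARP is not IP, so no iptables LOG rule will ever see it. The following shell functions are an added example, not code from the original post; the client address 192.168.5.10 and the two mask lengths are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a host will
# ARP for a destination directly (on-link) or hand it to its gateway.
# On-link means "host and destination share the network prefix".

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# on_link HOST_IP PREFIX_LEN DEST_IP
# prints "arp" if HOST treats DEST as on-link (it will send ARP requests
# for DEST), "gateway" if DEST is off-link (HOST ARPs for its gateway only)
on_link() {
    host=$(ip_to_int "$1")
    dest=$(ip_to_int "$3")
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    if [ $(( host & mask )) -eq $(( dest & mask )) ]; then
        echo arp
    else
        echo gateway
    fi
}

# Constructed sample: the poster's client lives on 192.168.5.0/24 behind
# the firewall's eth1 (192.168.5.254); the modem is 192.168.1.1.
# With a /24 mask the client must never ARP for 192.168.1.1; with a /16
# mask (192.168.0.0/16) it will, and that ARP goes unanswered on eth1,
# which matches what ethereal showed in the post.
for cfg in "192.168.5.10 24" "192.168.5.10 16"; do
    set -- $cfg
    echo "client $1/$2 -> modem 192.168.1.1: $(on_link "$1" "$2" 192.168.1.1)"
    echo "client $1/$2 -> gateway 192.168.5.254: $(on_link "$1" "$2" 192.168.5.254)"
done
```

If the second line of output ("gateway") is the one that matches the client's actual settings, the ping never becomes an IP packet on eth1, which is why every LOG rule in the script stays silent.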