HI, Problem get firewall going.

Paul Schulz pschulz01 at gmail.com
Mon Jul 31 03:56:25 BST 2006


Neil,

After you have run your script, what is the contents of the iptables tables?
Are they what you expect?

# iptables -t nat -vL

Packets coming for the firewall can get nat'ed and sent out eth0
instead of eth1.

On my 'router/firewall' I have the following.. which works..
(It only NAT's packets coming from internal, to external IP addresses,
and automatically looks after the related return packets.)

Cheers,
Paul
-------
Internal Network is 192.168.10.0/24
External IP address: EXTIP

# SNAT only LAN sources going to non-LAN destinations; conntrack handles replies
iptables -t nat -A POSTROUTING \
           -s 192.168.10.0/255.255.255.0 \
           ! -d 192.168.10.0/255.255.255.0 \
           -j SNAT --to-source $EXTIP

echo 1 > /proc/sys/net/ipv4/ip_forward

On 7/31/06, Neil Dugan <ubuntu at butterflystitches.com.au> wrote:
> Hi, I am new to this list; if this is the wrong place to ask let me know.
>
> I have set up a ubuntu box for internet access and also as a firewall.
> I can get on the internet from the firewall computer. :)  From the
> other computer I can ping both interfaces of the firewall (i.e. eth0
> and eth1).  :)
>
> But I can't ping the modem @ 192.168.1.1 :(
>
> The eth1 interface of the firewall does report receiving bytes (via
> ifconfig) but I can't trace where that info is going.  I put lots of
> LOG actions in the iptables to find out where the ping was going but
> none of them report anything.  The program ethereal says the eth1
> interface is receiving lots of ARP requests for 192.168.1.1 but no
> answers are sent.
>
> Here is a basic layout of the network.
>
>   -------------------
> |  xxx.xxx.xxx.xxx  |
> |    ADSL modem     |
> |  192.168.1.1      |
>   -------------------
>           |
>           |
>           |
>   ----------------------
> |  eth0 192.168.1.xxx  |
> |     firewall         |
> |  eth1 192.168.5.254  |
>   ----------------------
>           |
>           |
>           |
>   ----------------------
> |  eth0 192.168.5.xxx  |
> |    computer          |
>   ----------------------
>
>
> ----- /etc/init.d/iptables -----------
>
> #!/bin/sh
>
> IPTABLES=/sbin/iptables
>
> # which port is used for what
> INTERNAL=eth1
> EXTERNAL=eth0
>
> # need to find this dynamically
> EXTERNAL_IP=192.168.1.238
>
> INTERNAL_RANGE=192.168.5.0/24
>
> # which port skype uses
> SKYPE_PORT=23323
>
>
> case "$1" in
> start)
>         echo -n "Starting IP Firewall and NAT..."
>         echo "1" > /proc/sys/net/ipv4/ip_forward
>         echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>
>         # Clear old rules
>         $IPTABLES -X
>         $IPTABLES -F
>         $IPTABLES -Z
>         $IPTABLES -X -t nat
>         $IPTABLES -F -t nat
>         $IPTABLES -Z -t nat
>         $IPTABLES -X -t mangle
>         $IPTABLES -F -t mangle
>         $IPTABLES -Z -t mangle
>
>         # INPUT Rules - Add to this section the ports you wish to explicitly allow connections on
>         #       Below are some common services that are commonly used
>         #       Comment out the lines to disable access to these services
>         #       The port numbers for other services you may wish to allow can be found in the /etc/services file
>
>         # set the default for the input chain to drop
>         $IPTABLES -P INPUT DROP
>
>         $IPTABLES -A INPUT -t filter -j LOG --log-prefix "filter_input:"
>         $IPTABLES -A OUTPUT -t filter -j LOG --log-prefix "filter_output:"
>         $IPTABLES -A FORWARD -t filter -j LOG --log-prefix "filter_forward:"
>
>         $IPTABLES -A PREROUTING -t nat -j LOG --log-prefix "nat_prerouting:"
>         $IPTABLES -A POSTROUTING -t nat -j LOG --log-prefix "nat_postrouting:"
>         $IPTABLES -A OUTPUT -t nat -j LOG --log-prefix "nat_output:"
>
>         $IPTABLES -A INPUT -t mangle -j LOG --log-prefix "mangle_input:"
>         $IPTABLES -A OUTPUT -t mangle -j LOG --log-prefix "mangle_output:"
>         $IPTABLES -A POSTROUTING -t mangle -j LOG --log-prefix "mangle_postrouting:"
>         $IPTABLES -A PREROUTING -t mangle -j LOG --log-prefix "mangle_prerouting:"
>         $IPTABLES -A FORWARD -t mangle -j LOG --log-prefix "mangle_forward:"
>
>
>         # allow already started communications
>         $IPTABLES -A INPUT -i $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT  #Allows connections you start
>
>         # allow everything from the internal interface
>         $IPTABLES -A INPUT -i $INTERNAL -j ACCEPT  #Allows connections you start
>
>
>         #Allow FTP Connections
>         #$IPTABLES -A INPUT -i $EXTERNAL -p tcp --dport 21 -j ACCEPT
>         #$IPTABLES -A INPUT -i $EXTERNAL -p udp --dport 21 -j ACCEPT
>
>         #SSH Connections
>         $IPTABLES -A INPUT -i $EXTERNAL -p tcp --dport 22 -j ACCEPT
>
>         #SKYPE communications
>         $IPTABLES -A INPUT -i eth0 -p udp --destination-port $SKYPE_PORT -j ACCEPT
>
>         #HTTP Connections
>         #$IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
>
>         #HTTP SSL Connections
>         #$IPTABLES -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
>
>         #SAMBA related ports
>         #$IPTABLES -A INPUT -i eth0 -p tcp --dport 137 -j ACCEPT
>         #$IPTABLES -A INPUT -i eth0 -p tcp --dport 138 -j ACCEPT
>         #$IPTABLES -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
>         #$IPTABLES -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
>         #$IPTABLES -A INPUT -i eth0 -p udp --dport 139 -j ACCEPT
>
>         # Allow pings, but reject the rest
>         $IPTABLES -A INPUT -i $EXTERNAL -p icmp -j ACCEPT
>
>         # POSTROUTING statements for Many:1 NAT
>         # (Connections originating from the entire home network)
>         $IPTABLES -A FORWARD -o $EXTERNAL -j ACCEPT
>         $IPTABLES -A FORWARD -i $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
>         #$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL  -j SNAT --to-source $EXTERNAL_IP
>         $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
>
>         # redirect a port to a particular ip addr.
>         #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport www -j DNAT --to-dest 192.168.1.2
>
>
>         # Reject everything else
>         #$IPTABLES -A INPUT -j DROP
>
>
>         echo "done."
>         ;;
> stop)
>         echo -n "Stopping IP Firewall and NAT..."
>         $IPTABLES -X
>         $IPTABLES -F
>         $IPTABLES -Z
>         $IPTABLES -X -t nat
>         $IPTABLES -F -t nat
>         $IPTABLES -Z -t nat
>         $IPTABLES -X -t mangle
>         $IPTABLES -F -t mangle
>         $IPTABLES -Z -t mangle
>
>         # block everything
>         #$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>         #$IPTABLES -A INPUT -i eth0 -j REJECT
>         echo "done."
>         ;;
>
> restart)
>         echo -n "Restarting IP Firewall and NAT..."
>         $0 stop > /dev/null
>         sleep 1
>         $0 start > /dev/null
>         ;;
>
> *)
>         echo "Usage: $0 {start|stop|restart}"
>         ;;
> esac
>
> -----------------------------------
>
>
> --
> ubuntu-au mailing list
> ubuntu-au at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-au
>
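The source-NAT rule Paul recommends, as an added example that is not code from either message: it prints the rule for review unless APPLY=1, and its check_nat function verifies an 'iptables-save -t nat' dump only NATs the internal range, which is the answer to Paul's "are they what you expect?" question. The external address and both sample dumps are constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumptions: the internal
# range from Paul's mail, a constructed external address (RFC 5737 range),
# and dumps in the 'iptables-save -t nat' format.
INTERNAL_RANGE=192.168.10.0/24
EXTIP=203.0.113.5   # constructed sample value; use your real external IP

# Run iptables only when APPLY=1 (needs root); otherwise print the command
# so the rule set can be reviewed before it is loaded.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# The one rule needed for many:1 NAT: only packets from the LAN to non-LAN
# destinations get their source rewritten. The router's own traffic and
# LAN-to-LAN traffic never match, and conntrack un-NATs the replies.
nat_rules() {
    ipt -t nat -A POSTROUTING -s "$INTERNAL_RANGE" ! -d "$INTERNAL_RANGE" \
        -j SNAT --to-source "$EXTIP"
}

# Read an 'iptables-save -t nat' dump on stdin; succeed only if POSTROUTING
# carries a SNAT or MASQUERADE rule restricted to the internal source range.
check_nat() {
    grep -E '^-A POSTROUTING .*-j (SNAT|MASQUERADE)' |
        grep -q -- "-s $INTERNAL_RANGE"
}

# Constructed sample dumps: what 'iptables-save -t nat' would print after
# loading nat_rules above, and a catch-all MASQUERADE rule for comparison.
GOOD_DUMP="*nat
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -j SNAT --to-source 203.0.113.5
COMMIT"
BAD_DUMP="*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT"

# Returns 0 when the dump passed as $1 restricts NAT to the LAN range.
dump_ok() { printf '%s\n' "$1" | check_nat; }

echo "--- rules that would be loaded (APPLY=1 to actually load them) ---"
nat_rules
dump_ok "$GOOD_DUMP" && echo "sample dump: NAT restricted to $INTERNAL_RANGE"
dump_ok "$BAD_DUMP"  || echo "catch-all dump: NAT not restricted by source"
```

On a live router, `iptables-save -t nat | check_nat` (with the functions sourced) performs the same check against the real table.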
