* static IP to dynamic IP
@ 2004-10-15 17:44 kate
  2004-10-15 18:14 ` kate
  2004-10-15 18:22 ` Jason Opperisano
  0 siblings, 2 replies; 7+ messages in thread
From: kate @ 2004-10-15 17:44 UTC (permalink / raw)
  To: netfilter

Hi, I am trying to modify a fw script that would work
for my small lan, except I need to change references
to the static IP and SNAT to eth0 and MASQUERADE, but
when I run the script it gives me Bad argument `eth0'

The script is below, with my notes on changes I've
made so far. Any help greatly appreciated.

#(1) Policies (default) - modified with notation
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) User defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# (3) INPUT chain rules

# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s -i eth0 -j ACCEPT
## WAS -> ... 123.45.67.89 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT

# Rules for incoming packets from Internet
# Packets for established connections
iptables -A INPUT -p ALL -d -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
## WAS - > ... -d 123.45.67.89 -m...

# TCP Rules (edit as services needed)
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay

# UDP Rules
# iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j okay
# iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j okay

# ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# (4) FORWARD chain rules
# Accept the packets we want to forward
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# (5) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s -i eth0 -j ACCEPT
## WAS -> ... 123.45.67.89 -j ACCEPT

# (6) POSTROUTING chain rules
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
## was -> ... -j SNAT --to-source 123.45.67.89

__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 



* Re: static IP to dynamic IP
  2004-10-15 17:44 static IP to dynamic IP kate
@ 2004-10-15 18:14 ` kate
  2004-10-15 18:21   ` Rob Sterenborg
  2004-10-15 18:22 ` Jason Opperisano
  1 sibling, 1 reply; 7+ messages in thread
From: kate @ 2004-10-15 18:14 UTC (permalink / raw)
  To: kate, netfilter


--- kate <kate7234@yahoo.com> wrote:

> Hi, I am trying to modify a fw script that would
> work
> for my small lan, except I need to change references
> of static IP and SNAT. to eth0 and MASQUERADE, - but
> when I run the script it gives me Bad argument
> `eth0'

It is Linux kernel 2.6 FC2
Thanks in advance
kate


		




* RE: static IP to dynamic IP
  2004-10-15 18:14 ` kate
@ 2004-10-15 18:21   ` Rob Sterenborg
  0 siblings, 0 replies; 7+ messages in thread
From: Rob Sterenborg @ 2004-10-15 18:21 UTC (permalink / raw)
  To: netfilter

netfilter-bounces@lists.netfilter.org wrote:
> --- kate <kate7234@yahoo.com> wrote:
> 
>> Hi, I am trying to modify a fw script that would work for my small
>> lan, except I need to change references of static IP and SNAT. to
>> eth0 and MASQUERADE, - but when I run the script it gives me Bad
>> argument `eth0'
> 
> It is Linux kernel 2.6 FC2
> Thanks in advance
> kate

Do you have and did you load the module ipt_MASQUERADE ?


Gr,
Rob




* Re: static IP to dynamic IP
  2004-10-15 17:44 static IP to dynamic IP kate
  2004-10-15 18:14 ` kate
@ 2004-10-15 18:22 ` Jason Opperisano
  2004-10-15 18:41   ` kate
  1 sibling, 1 reply; 7+ messages in thread
From: Jason Opperisano @ 2004-10-15 18:22 UTC (permalink / raw)
  To: netfilter

On Fri, Oct 15, 2004 at 10:44:56AM -0700, kate wrote:
> Hi, I am trying to modify a fw script that would work
> for my small lan, except I need to change references
> of static IP and SNAT. to eth0 and MASQUERADE, - but
> when I run the script it gives me Bad argument `eth0'

in general--you can find the line where any bash script blows up by
running:  bash -x script.sh

> The script is below, with my notes on changes I've
> made so far. Any help greatly appreciated.
> 
> #(1) Policies (default) - modified with notation
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> # (2) User defined chain for ACCEPTed TCP packets
> iptables -N okay
> iptables -A okay -p TCP --syn -j ACCEPT
> iptables -A okay -p TCP -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A okay -p TCP -j DROP
> 
> # (3) INPUT chain rules
> 
> # Rules for incoming packets from LAN
> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/16 -j
> ACCEPT
> iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p ALL -i lo -s 192.168.1.1 -j
> ACCEPT
> iptables -A INPUT -p ALL -i lo -s -i eth0 -j ACCEPT

but i can tell you that the above line is the one blowing up.  you have
specified "-s" with no IP address following it...you've also specified
"-i" twice--which doesn't make any sense--a packet only has one inbound
interface.

> ## WAS -> ... 123.45.67.89 -j ACCEPT
> iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j
> ACCEPT
> 
> # Rules for incoming packets from Internet
> # Packets for established connections
> iptables -A INPUT -p ALL -d -i eth0 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> ## WAS - > ... -d 123.45.67.89 -m...

k--i guess i see your pattern here...you need to figure out what
your IP address actually is earlier in the script and just use the IP
address--there's no magic "substitute the IP of the interface" variable
with iptables (except for MASQ which we get to later).  one of the 8
million (i've counted) ways to do this would be:

ETH0_IP=`ip -4 -o addr sh eth0 | awk '{print $4}' | cut -d"/" -f1`

and then reference $ETH0_IP wherever you need the IP address of eth0.

[ snip ]

> # (6) POSTROUTING chain rules
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> ## was -> ... -j SNAT --to-source 123.45.67.89

yes--MASQ is the proper way to SNAT with a dynamic IP.

-j

-- 
Jason Opperisano <opie@817west.com>
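Jason's advice in working form, as an added example (not kate's script and not Jason's own code): the eth0 address is looked up when the script runs and substituted into the rules that the original wrote as "-s -i eth0", and the case where eth0 has no address yet is handled instead of producing another "Bad argument". The function and variable names, and the "echo iptables" dry-run default, are this example's own.

```shell
#!/bin/sh
# Added example, not kate's script or Jason's code. It does what Jason
# describes: look up eth0's IPv4 address when the script runs and put that
# address in the rules the original script tried to write as "-s -i eth0"
# (the cause of the Bad argument `eth0' error). If eth0 has no address yet
# (no DHCP lease), the address-specific rules are not loaded at all rather
# than handing iptables an empty -s/-d argument.
# IPTABLES defaults to "echo iptables" so rules are printed, not applied;
# run with IPTABLES=iptables to apply them for real.
IPTABLES=${IPTABLES:-"echo iptables"}

# Print the first IPv4 address in "ip -4 -o addr show <iface>" output ($1)
# without its /prefix, or nothing if there is none. Same field as Jason's
# awk/cut one-liner, but only the first address is used if there are several.
ip_from_addr_output() {
    printf '%s\n' "$1" | {
        read -r idx ifname inet cidr rest
        if [ "$inet" = "inet" ]; then printf '%s\n' "${cidr%/*}"; fi
    }
}

# Emit the rules that need the external address ($1): the corrected form of
# the "## WAS -> ... 123.45.67.89" lines in the original script.
eth0_rules() {
    $IPTABLES -A INPUT -p ALL -i lo -s "$1" -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i eth0 -d "$1" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s "$1" -j ACCEPT
    # MASQUERADE takes no address: it uses whatever eth0 has when a packet leaves.
    $IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

# Load the rules for the live interface; return 1 and load nothing if eth0
# currently has no IPv4 address.
load_eth0_rules() {
    addr_out=$(ip -4 -o addr show eth0 2>/dev/null) || addr_out=""
    eth0_ip=$(ip_from_addr_output "$addr_out")
    if [ -z "$eth0_ip" ]; then
        echo "eth0 has no IPv4 address; address-specific rules not loaded" >&2
        return 1
    fi
    eth0_rules "$eth0_ip"
}

# Demo on a constructed sample of "ip -4 -o addr show eth0" output.
SAMPLE='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'
eth0_rules "$(ip_from_addr_output "$SAMPLE")"
```

In a real firewall script the call is load_eth0_rules, placed where the original "WAS -> 123.45.67.89" rules were.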



* Re: static IP to dynamic IP
  2004-10-15 18:22 ` Jason Opperisano
@ 2004-10-15 18:41   ` kate
  2004-10-15 18:55     ` Jason Opperisano
  0 siblings, 1 reply; 7+ messages in thread
From: kate @ 2004-10-15 18:41 UTC (permalink / raw)
  To: Jason Opperisano, netfilter


--- Jason Opperisano <opie@817west.com> wrote:

> On Fri, Oct 15, 2004 at 10:44:56AM -0700, kate
> wrote:
> > Hi, I am trying to modify a fw script that would
> work
> in general--you can find the line where any bash
> script blows up by
> running:  bash -x script.sh
> 
> > The script is below, with my notes on changes I've
> > made so far. Any help greatly appreciated.
> > 
> > #(1) Policies (default) - modified with notation
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > 
> > # (2) User defined chain for ACCEPTed TCP packets
> > iptables -N okay
> > iptables -A okay -p TCP --syn -j ACCEPT
> > iptables -A okay -p TCP -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > iptables -A okay -p TCP -j DROP
> > 
> > # (3) INPUT chain rules
> > 
> > # Rules for incoming packets from LAN
> > iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/16
> -j
> > ACCEPT
> > iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j
> ACCEPT
> > iptables -A INPUT -p ALL -i lo -s 192.168.1.1 -j
> > ACCEPT
> > iptables -A INPUT -p ALL -i lo -s -i eth0 -j
> ACCEPT
> 
> but i can tell you that the above line is the one
> blowing up.  you have
> specified "-s" with no IP address following
> it...you've also specified
> "-i" twice--which doesn't make any sense--a packet
> only has one inbound
> interface.
> 
> > ## WAS -> ... 123.45.67.89 -j ACCEPT
> > iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255
> -j
> > ACCEPT
> > 
> > # Rules for incoming packets from Internet
> > # Packets for established connections
> > iptables -A INPUT -p ALL -d -i eth0 -m state
> --state
> > ESTABLISHED,RELATED -j ACCEPT
> > ## WAS - > ... -d 123.45.67.89 -m...
> 
> k--i guess i see your pattern here...you need to
> figure out what
> your IP address actually is earlier in the script
> and just use the IP
> address--there's no magic "substitute the IP of the
> interface" variable
> with iptables (except for MASQ which we get to
> later).  one of the 8
> million (i've counted) ways to do this would be:
> 
> ETH0_IP=`ip -4 -o addr sh eth0 | awk '{print $4}' |
> cut -d"/" -f1`
> 
> and then reference $ETH0_IP wherever you need the IP
> address of eth0.
> 
> [ snip ]
> 
> > # (6) POSTROUTING chain rules
> > iptables -t nat -A POSTROUTING -o eth0 -j
> MASQUERADE
> > ## was -> ... -j SNAT --to-source 123.45.67.89
> 
> yes--MASQ is the proper way to SNAT with a dynamic
> IP.

> Jason Opperisano <opie@817west.com>
 
1. yes I have ipt_MASQUERADE loaded.
2. my logic was to substitute any static_ip reference
with -i eth0, but you're saying that doesn't work.
Would reference to the box eg. myfw.mydomain.com work
instead of ip_static ?

Your neat script, where would I place that in my fw
script? at the top? Does it need anything else to make
it work?

you can see that I am new at this!
tia
kate






* Re: static IP to dynamic IP
  2004-10-15 18:41   ` kate
@ 2004-10-15 18:55     ` Jason Opperisano
  2004-10-15 19:17       ` kate
  0 siblings, 1 reply; 7+ messages in thread
From: Jason Opperisano @ 2004-10-15 18:55 UTC (permalink / raw)
  To: netfilter

On Fri, Oct 15, 2004 at 11:41:06AM -0700, kate wrote:
> 1. yes I have ipt_MASQUERADE loaded.
> 2. my logic was to substitute any static_ip reference
> with -i eth0, but you're saying that doesn't work.

no--it doesn't work.  might be a nice feature request...but alas at the
current state of technology--no dice.

> Would reference to the box eg. myfw.mydomain.com work
> instead of ip_static ?

nope--same problem, essentially.  when you use an FQDN in a rule--it is
resolved to an IP address once, at the time the rule is loaded.

> Your neat script, where would I place that in my fw
> script? at the top? Does it need anything else to make
> it work?

it's really just a variable declaration, but yeah--at the top would be a
good place for it.

once you have a script that can figure out your IP addresses for you at
the time of execution--the only other piece you need is to reload your
rules each time your IP address changes--the man page of your particular
DHCP client should have details on how to execute a script on IP
change.

this also isn't as big a deal in practice as it may seem--my firewall on
my cable modem at my house has had the same IP address since 11-27-2003
(the day i upgraded it).

> you can see that I am new at this!

s'alright--that's what these lists are for.  a good read for newbies is
the IPTables Tutorial, located at:

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

-j

-- 
Jason Opperisano <opie@817west.com>
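The "reload your rules each time your IP address changes" piece, as an added example that is not from the thread: an exit hook for ISC dhclient (an assumption; Jason only says to check your DHCP client's man page) that reruns the firewall script on a lease event, but only when the address actually changed. The path /etc/firewall.sh and the function name are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Jason's remaining piece is to reload
# the rules whenever the address changes. This is one way with ISC dhclient
# (assumption: other DHCP clients use different hooks), whose dhclient-script
# sources /etc/dhclient-exit-hooks after each lease event with $reason,
# $interface, $old_ip_address and $new_ip_address set. FW_SCRIPT is the
# firewall script to rerun (assumed path).
FW_SCRIPT=${FW_SCRIPT:-/etc/firewall.sh}

# Decide whether a lease event needs the rules reloaded.
# $1 = reason, $2 = interface, $3 = old address, $4 = new address
# Returns 0 (reload) or 1 (leave the running rules alone). A RENEW/REBIND
# that keeps the same address needs no reload: the loaded rules already
# carry the right address.
needs_reload() {
    [ "$2" = "eth0" ] || return 1           # only the external interface matters
    case "$1" in
        BOUND|REBOOT)  return 0 ;;          # new lease: address is (re)assigned
        RENEW|REBIND)  [ "$3" != "$4" ] ;;  # reload only if the address moved
        *)             return 1 ;;          # EXPIRE, FAIL, RELEASE etc.: no address to load for
    esac
}

# Hook body. dhclient-script sources this file, so the variables are set
# there; when run on its own they are empty and nothing happens.
if needs_reload "${reason:-}" "${interface:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
    logger -t firewall "eth0 address ${old_ip_address:-none} -> $new_ip_address; reloading rules"
    "$FW_SCRIPT"
fi
```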



* Re: static IP to dynamic IP
  2004-10-15 18:55     ` Jason Opperisano
@ 2004-10-15 19:17       ` kate
  0 siblings, 0 replies; 7+ messages in thread
From: kate @ 2004-10-15 19:17 UTC (permalink / raw)
  To: Jason Opperisano, netfilter


--- Jason Opperisano <opie@817west.com> wrote:

> On Fri, Oct 15, 2004 at 11:41:06AM -0700, kate
> wrote:
> > 1. yes I have ipt_MASQUERADE loaded.
> > 2. my logic was to substitute any static_ip
<snip>
> > Your neat script, where would I place that in my
> fw
> > script? at the top? Does it need anything else to
> make
> > it work?
> 
> it's really just a variable declaration, but
> yeah--at the top would be a
> good place for it.
<snip> 
> > you can see that I am new at this!
> 
> s'alright--that's what these lists are for.  a good

Jason-
Thanks - it works! -L resolves names of boxes too.
I have another question, but I'll post under different
subject:
Kate



