Linux Netfilter discussions
* Help with Masquerading
@ 2003-01-05 15:19 Subba Rao
  2003-01-05 16:06 ` Rob Sterenborg
  2003-01-05 19:00 ` Joel Newkirk
  0 siblings, 2 replies; 3+ messages in thread
From: Subba Rao @ 2003-01-05 15:19 UTC (permalink / raw)
  To: netfilter

Hi

My system is running kernel 2.4.20 with iptables compiled into the 
kernel. The system has 2 interfaces. ETH0 is connected to the Internet 
(via cablemodem) and ETH1 is connected to my home LAN which has only one 
W2K laptop.  

My W2K is configured with the Linux system as the gateway. Both systems 
can ping each other.
However my laptop is not able to go out to the Internet.

I am desperately trying to make my W2K laptop connect to the Internet.

Please let me know how to make this work.

Thank you in advance.

Subba Rao
subba3@cablespeed.com

#!/bin/sh

echo "Starting Firewall....."

INTERNAL_NET="10.0.0.0/24"

INTERNET=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d \  -f 1`

# Flush the tables
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -F OUTPUT
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -t nat -F

# Set default policies for packet entering this box

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Allow some packets in but accept all those on the internal interface
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -j ACCEPT

# Masquerade internal system with the public IP address

iptables -t nat -A POSTROUTING -d $INTERNAL_NET -o $INTERNET -j ACCEPT
iptables -t nat -A POSTROUTING -o $INTERNET -s $INTERNAL_NET -j MASQUERADE

# Block inbound connections

/usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies


* RE: Help with Masquerading
  2003-01-05 15:19 Help with Masquerading Subba Rao
@ 2003-01-05 16:06 ` Rob Sterenborg
  2003-01-05 19:00 ` Joel Newkirk
  1 sibling, 0 replies; 3+ messages in thread
From: Rob Sterenborg @ 2003-01-05 16:06 UTC (permalink / raw)
  To: Subba Rao, netfilter

> My W2K is configured with the Linux system as the gateway.
> Both systems
> can ping each other.
> However my laptop is not able to go out to the Internet.

<snip>

> #!/bin/sh
>
> echo "Starting Firewall....."
>
> INTERNAL_NET="10.0.0.0/24"
>
> INTERNET=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut
> -d \  -f 1`
>
> # Flush the tables
> /usr/sbin/iptables -F INPUT
> /usr/sbin/iptables -F OUTPUT
> /usr/sbin/iptables -F FORWARD
> /usr/sbin/iptables -t nat -F
>
> # Set default policies for packet entering this box
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
>
> # Allow some packets in but accept all those on the
> internal interface
> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth1 -j ACCEPT

You have set the default policy to DROP, and now you're going to
accept anything on eth0? You said that eth0 was the inet interface.
"iptables -P INPUT DROP" doesn't make much sense now.

>
> # Masquerade internal system with the public IP address
>
> iptables -t nat -A POSTROUTING -d $INTERNAL_NET -o
> $INTERNET -j ACCEPT

You shouldn't do this. The next (MASQ) rule won't be processed.

> iptables -t nat -A POSTROUTING -o $INTERNET -s
> $INTERNAL_NET -j MASQUERADE
>
> # Block inbound connections
>
> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP

If you just don't do "iptables -A INPUT -i eth0 -j ACCEPT" then you
don't have to do this.

> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies


Let's rewrite all of the above to:

# Disable IP Forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# Clear the chains
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING

# Set default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# ACCEPT connections on local and lan interface
# If you don't run any servers, you don't want to INPUT ACCEPT for eth0
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

# ACCEPT RELATED and ESTABLISHED connections for the FORWARD chain,
# ACCEPT FORWARDing from lan to internet.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s $INTERNAL_NET -j ACCEPT

# Use MASQUERADE if you have a dynamic IP address (dhcp)
# Use SNAT if you have a static IP address
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -o eth0 -j MASQUERADE
### OR ###
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -j SNAT --to-source $INET_IP

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies


That should do it I think.


Rob


* Re: Help with Masquerading
  2003-01-05 15:19 Help with Masquerading Subba Rao
  2003-01-05 16:06 ` Rob Sterenborg
@ 2003-01-05 19:00 ` Joel Newkirk
  1 sibling, 0 replies; 3+ messages in thread
From: Joel Newkirk @ 2003-01-05 19:00 UTC (permalink / raw)
  To: Subba Rao, netfilter

On Sunday 05 January 2003 10:19 am, Subba Rao wrote:
> Hi
>
> My system is running kernel 2.4.20 with iptables compiled into the
> kernel. The system has 2 interfaces. ETH0 is connected to the Internet
> (via cablemodem) and ETH1 is connected to my home LAN which has only
> one W2K laptop.
>
> My W2K is configured with the Linux system as the gateway. Both
> systems can ping each other.
> However my laptop is not able to go out to the Internet.
>
> I am desperately trying to make my W2K laptop connect to the Internet.
>
> Please let me know how to make this work.
>
> Thank you in advance.
>
> Subba Rao
> subba3@cablespeed.com
>
> #!/bin/sh
>
> echo "Starting Firewall....."
>
> INTERNAL_NET="10.0.0.0/24"
>
> INTERNET=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d \  -f 1`

This is extracting the IP address of your external connection from the 
output of 'ifconfig eth0' - Are you on a dynamic IP with a long 
lease-time?  If so you may get away with using this with SNAT.  If 
you're on a static IP this is unnecessary, just use the actual IP in the 
script.  If your IP changes fairly frequently, don't bother with this 
and just use MASQUERADE target.

> # Flush the tables
> /usr/sbin/iptables -F INPUT
> /usr/sbin/iptables -F OUTPUT
> /usr/sbin/iptables -F FORWARD
> /usr/sbin/iptables -t nat -F
>
> # Set default policies for packet entering this box
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT

Set FORWARD policy to DROP as well.  The only things you want this box to 
forward are those you explicitly allow.  Try using these rules for a 
start:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT

These should allow the laptop to browse the web.  For other services, 
like email, add appropriate rules for the needed ports.  The first rule 
here accepts any packet that is part of an ESTABLISHED connection, or 
RELATED to one, regardless of its source.  The remainder allow 
explicitly defined connections from the LAN to be forwarded to the 
internet.  With these three rules the laptop can connect out, but the 
internet cannot connect in, only respond to a connection initiated by 
the laptop.

> # Allow some packets in but accept all those on the internal interface
> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth1 -j ACCEPT

The second one means anyone on the internet can connect to your firewall 
box on any port, bypassing the DROP policy you set.  Bad idea.  The 
third means any connection from local network to the firewall machine 
directly is accepted, which is OK since only your laptop is on the local 
network, but is a bad idea for a large network.

> # Masquerade internal system with the public IP address
>
> iptables -t nat -A POSTROUTING -d $INTERNAL_NET -o $INTERNET -j ACCEPT
> iptables -t nat -A POSTROUTING -o $INTERNET -s $INTERNAL_NET -j
> MASQUERADE

First rule here is bad.  
A - Destination IP of local network should never be going out internet 
connection, so it should never match anything. 
B - If your intention is to ACCEPT anything from internet going TO local 
network, you shouldn't because:
C - PREROUTING and POSTROUTING chains of NAT table are for NAT only, not 
filtering, so you should just rely on accept policy.  Only time you 
should ACCEPT in a NAT chain rule is if you want to bypass a later rule, 
IE you can ACCEPT specific traffic, then NAT whatever remains.
D - INTERNET is set to be the IP address of eth1, your external 
connection.  "-o" and "-i" matches are for interfaces, not IPs, so you 
should use something like "-o eth1" or "-i eth0" here.

Second rule here is bad as well, for reason D above.  Also, you are using 
MASQUERADE target, which is fine if you have a dynamic IP, but you are 
going to the trouble of determining your public IP at the start, which 
leads me to think you intend to use it directly in a SNAT.  If you are 
on dynamic IP stick with MASQUERADE, if static IP use "-j SNAT --to 
$INTERNET", based on your assignment above, or better yet just assign 
the IP in the script instead of extracting it from the output of 
'ifconfig eth1' at the top.

> # Block inbound connections
>
> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies

The first one here turns on forwarding, but if you're using MASQUERADE 
target you need to enable dynamic IP tracking as well, with:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

j
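
As an added example (not code from any poster in this thread): a Python checker that parses an iptables-save dump and flags the mistakes the two replies point out, namely a FORWARD policy left at ACCEPT, an unconditional ACCEPT on the external interface under a DROP policy, an IP address passed where -i/-o expect an interface name, and an ACCEPT in nat POSTROUTING ahead of the MASQUERADE/SNAT rule. The dump and the 203.0.113.7 address are constructed to mirror the original script.

```python
import re
import shlex
# Constructed iptables-save dump of the original rules (203.0.113.7 = the address put into -o).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d 10.0.0.0/24 -o 203.0.113.7 -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o 203.0.113.7 -j MASQUERADE
COMMIT
"""

def parse_dump(text):  # -> ({"table/chain": policy}, [(table, chain, {option: value})])
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[f"{table}/{chain}"] = policy
        elif line.startswith("-A "):
            toks, opts, i = shlex.split(line), {}, 0
            while i < len(toks):  # "-opt value" pairs, or a bare flag such as --syn
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                opts[toks[i]] = toks[i + 1] if has_val else True
                i += 2 if has_val else 1
            rules.append((table, opts.pop("-A"), opts))
    return policies, rules

def audit(text, ext="eth0"):
    """Return findings for the mistakes the replies in the thread point out."""
    policies, rules = parse_dump(text)
    out, nat_accept = [], False
    if policies.get("filter/FORWARD") != "DROP":
        out.append("filter/FORWARD: policy should be DROP so only explicitly allowed traffic is forwarded")
    for table, chain, o in rules:
        if any(re.fullmatch(r"\d+(\.\d+){3}", str(o.get(k, ""))) for k in ("-i", "-o")):
            out.append(f"{table}/{chain}: -i/-o take an interface name, not an IP (rule never matches)")
        if (table, chain, o.get("-j"), o.get("-i")) == ("filter", "INPUT", "ACCEPT", ext) and len(o) == 2:
            out.append(f"filter/INPUT: unconditional ACCEPT on {ext} bypasses the DROP policy")
        if (table, chain) == ("nat", "POSTROUTING"):
            nat_accept = nat_accept or o.get("-j") == "ACCEPT"
            if nat_accept and o.get("-j") in ("MASQUERADE", "SNAT"):
                out.append("nat/POSTROUTING: ACCEPT precedes MASQUERADE/SNAT; packets it matches are never NATed")
    return out
```

Run audit() over the output of iptables-save on the gateway; an empty list means none of the four mistakes discussed in the thread are present.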
