* Help with Masquerading
From: Subba Rao @ 2003-01-05 15:19 UTC
To: netfilter

Hi

My system is running kernel 2.4.20 with iptables compiled into the
kernel. The system has 2 interfaces. ETH0 is connected to the Internet
(via cablemodem) and ETH1 is connected to my home LAN which has only
one W2K laptop.

My W2K is configured with the Linux system as the gateway. Both
systems can ping each other.
However my laptop is not able to go out to the Internet.

I am desperately trying to make my W2K laptop connect to the Internet.

Please let me know how to make this work.

Thank you in advance.

Subba Rao
subba3@cablespeed.com

#!/bin/sh

echo "Starting Firewall....."

INTERNAL_NET="10.0.0.0/24"

INTERNET=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d \ -f 1`

# Flush the tables
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -F OUTPUT
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -t nat -F

# Set default policies for packet entering this box

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Allow some packets in but accept all those on the internal interface
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth1 -j ACCEPT

# Masquerade internal system with the public IP address

iptables -t nat -A POSTROUTING -d $INTERNAL_NET -o $INTERNET -j ACCEPT
iptables -t nat -A POSTROUTING -o $INTERNET -s $INTERNAL_NET -j MASQUERADE

# Block inbound connections

/usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
* RE: Help with Masquerading
From: Rob Sterenborg @ 2003-01-05 16:06 UTC
To: Subba Rao, netfilter

> My W2K is configured with the Linux system as the gateway.
> Both systems
> can ping each other.
> However my laptop is not able to go out to the Internet.

<snip>

> #!/bin/sh
>
> echo "Starting Firewall....."
>
> INTERNAL_NET="10.0.0.0/24"
>
> INTERNET=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut
> -d \ -f 1`
>
> # Flush the tables
> /usr/sbin/iptables -F INPUT
> /usr/sbin/iptables -F OUTPUT
> /usr/sbin/iptables -F FORWARD
> /usr/sbin/iptables -t nat -F
>
> # Set default policies for packet entering this box
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
>
> # Allow some packets in but accept all those on the
> internal interface
> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth1 -j ACCEPT

You have set the default policy to DROP, and now you're going to accept
anything on eth0? You said that eth0 was the inet interface..
"iptables -P INPUT DROP" doesn't make much sense now.

>
> # Masquerade internal system with the public IP address
>
> iptables -t nat -A POSTROUTING -d $INTERNAL_NET -o
> $INTERNET -j ACCEPT

You shouldn't do this. The next (MASQ) rule won't be processed.

> iptables -t nat -A POSTROUTING -o $INTERNET -s
> $INTERNAL_NET -j MASQUERADE
>
> # Block inbound connections
>
> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP

If you just don't do "iptables -A INPUT -i eth0 -j ACCEPT" then you
don't have to do this.

> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Let's rewrite all of the above to:

# Disable IP Forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

# Clear the chains
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING

# Set default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# ACCEPT connections on local and lan interface
# If you don't run any servers, you don't want to INPUT ACCEPT for eth0
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

# ACCEPT RELATED and ESTABLISHED connections for the FORWARD chain,
# ACCEPT FORWARDing from lan to internet.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s $INTERNAL_NET -j ACCEPT

# Use MASQUERADE if you have a dynamic IP address (dhcp)
# Use SNAT if you have a static IP address
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -o eth0 -j MASQUERADE
### OR ###
# (set INET_IP to your static public address before using this one)
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -j SNAT --to-source $INET_IP

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

That should do it I think.

Rob
* Re: Help with Masquerading
From: Joel Newkirk @ 2003-01-05 19:00 UTC
To: Subba Rao, netfilter

On Sunday 05 January 2003 10:19 am, Subba Rao wrote:
> Hi
>
> My system is running kernel 2.4.20 with iptables compiled into the
> kernel. The system has 2 interfaces. ETH0 is connected to the Internet
> (via cablemodem) and ETH1 is connected to my home LAN which has only
> one W2K laptop.
>
> My W2K is configured with the Linux system as the gateway. Both
> systems can ping each other.
> However my laptop is not able to go out to the Internet.
>
> I am desperately trying to make my W2K laptop connect to the Internet.
>
> Please let me know how to make this work.
>
> Thank you in advance.
>
> Subba Rao
> subba3@cablespeed.com
>
> #!/bin/sh
>
> echo "Starting Firewall....."
>
> INTERNAL_NET="10.0.0.0/24"
>
> INTERNET=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d \ -f 1`

This is extracting the IP address of your external connection from the
output of 'ifconfig eth0' - Are you on a dynamic IP with a long
lease-time? If so you may get away with using this with SNAT. If you're
on a static IP this is unnecessary, just use the actual IP in the
script. If your IP changes fairly frequently, don't bother with this and
just use MASQUERADE target.

> # Flush the tables
> /usr/sbin/iptables -F INPUT
> /usr/sbin/iptables -F OUTPUT
> /usr/sbin/iptables -F FORWARD
> /usr/sbin/iptables -t nat -F
>
> # Set default policies for packet entering this box
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT

Set FORWARD policy to DROP as well. The only things you want this box to
forward are those you explicitly allow.

Try using these rules for a start:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT

These should allow the laptop to browse the web. For other services,
like email, add appropriate rules for the needed ports.

The first rule here accepts any packet that is part of an ESTABLISHED
connection, or RELATED to one, regardless of its source. The remainder
allow explicitly defined connections from the LAN to be forwarded to the
internet. With these three rules the laptop can connect out, but the
internet cannot connect in, only respond to a connection initiated by
the laptop.

> # Allow some packets in but accept all those on the internal interface
> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth1 -j ACCEPT

The second one means anyone on the internet can connect to your firewall
box on any port, bypassing the DROP policy you set. Bad idea. The third
means any connection from local network to the firewall machine directly
is accepted, which is OK since only your laptop is on the local network,
but is a bad idea for a large network.

> # Masquerade internal system with the public IP address
>
> iptables -t nat -A POSTROUTING -d $INTERNAL_NET -o $INTERNET -j ACCEPT
> iptables -t nat -A POSTROUTING -o $INTERNET -s $INTERNAL_NET -j
> MASQUERADE

First rule here is bad.

A - Destination IP of local network should never be going out internet
connection, so it should never match anything.

B - If your intention is to ACCEPT anything from internet going TO local
network, you shouldn't because:

C - PREROUTING and POSTROUTING chains of NAT table are for NAT only, not
filtering, so you should just rely on accept policy. Only time you
should ACCEPT in a NAT chain rule is if you want to bypass a later rule,
i.e. you can ACCEPT specific traffic, then NAT whatever remains.

D - INTERNET is set to be the IP address of eth1, your external
connection. "-o" and "-i" matches are for interfaces, not IPs, so you
should use something like "-o eth1" or "-i eth0" here.

Second rule here is bad as well, for reason D above. Also, you are using
MASQUERADE target, which is fine if you have a dynamic IP, but you are
going to the trouble of determining your public IP at the start, which
leads me to think you intend to use it directly in a SNAT. If you are on
dynamic IP stick with MASQUERADE, if static IP use "-j SNAT --to
$INTERNET", based on your assignment above, or better yet just assign
the IP in the script instead of extracting it from the output of
'ifconfig eth1' at the top.

> # Block inbound connections
>
> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies

The first one here turns on forwarding, but if you're using MASQUERADE
target you need to enable dynamic IP tracking as well, with:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

j
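Rob's rewrite and Joel's per-port FORWARD rules, combined into one script as an added example (not code from anyone in the thread): the ruleset is built in a function, checked for the mistakes the replies point out (blanket INPUT ACCEPT on the external interface, FORWARD not defaulting to DROP, an ACCEPT target in the nat table, MASQUERADE matching on an IP instead of an interface) and only then applied. EXT_IF, INT_IF, INTERNAL_NET and the fw_* function names are assumptions; the ip_dynaddr line follows Joel's note.

```shell
#!/bin/sh
# Added example, not from the thread. Variables and fw_* names are assumed.
EXT_IF="${EXT_IF:-eth0}"                    # cable-modem side (Internet)
INT_IF="${INT_IF:-eth1}"                    # home LAN side
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/24}"
# Emit the ruleset, one iptables command per line, in the order to apply it.
fw_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -s $INTERNAL_NET -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $INT_IF -s $INTERNAL_NET -p udp --dport 53 -j ACCEPT
iptables -t nat -A POSTROUTING -s $INTERNAL_NET -o $EXT_IF -j MASQUERADE
EOF
}

# Review the generated rules for the mistakes discussed in the thread.
fw_check() {
    rules=$(fw_rules)
    # no blanket ACCEPT of INPUT on the external interface
    echo "$rules" | grep -q -- "-A INPUT -i $EXT_IF -j ACCEPT" && return 1
    # FORWARD must default to DROP so only explicit rules pass traffic
    echo "$rules" | grep -q -- "-P FORWARD DROP" || return 1
    # the nat table is for NAT only, never an ACCEPT target
    echo "$rules" | grep -- "-t nat" | grep -q -- "-j ACCEPT" && return 1
    # -o takes an interface name, not the address ifconfig printed
    echo "$rules" | grep -- MASQUERADE | grep -q -- "-o $EXT_IF" || return 1
    return 0
}

# "--dry-run" prints the rules; "--apply" loads them (root required).
fw_apply() {
    fw_check || { echo "ruleset failed review, not applied" >&2; return 1; }
    [ "$1" = "--apply" ] || { fw_rules; return 0; }
    echo 0 > /proc/sys/net/ipv4/ip_forward   # forward nothing while loading
    fw_rules | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr   # needed with MASQUERADE on dynamic IP
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/ip_forward
}
case "${1:-}" in --dry-run|--apply) fw_apply "$1" ;; esac
```

Run it with --dry-run first and read the printed rules; --apply writes to /proc and loads them on a live box.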