bridging, tun/tap, qemu issues
Hello! I'm trying to give a guest OS (winXP) access to my network via a Linux bridge. I've followed the directions from other threads and other forums to the letter, but nothing seems to work.
The physical network interface on the host machine is eth0. It is connected to a Linksys router, which is itself connected to the Internet. The host machine has a static ip (192.168.1.4), but I want the guest OS to get its ip address via dhcp from the Linksys router. Here is the pertinent information, taken after qemu was started:

Code:
# uname -r

Code:
qemu -net tap -net nic -localtime -boot c -cdrom WinXP.iso WinXP.raw

And for debian/dapper users, the contents of /etc/network/interfaces are:

Code:
auto lo

Code:
[17188948.764000] eth0: New link status: Connected (0001)

I must be doing something painfully foolish, but I don't know enough about linux bridging to figure it out on my own. Can anyone offer some suggestions? Thank you very much!
I think :scratch: I've identified my problem. There's no reason that bridging shouldn't work between a wireless and an ethernet medium. Both use the same frames, level 2 protocol, and MTU. However in order for bridging to work, the uplink NIC must be able to use different MAC addresses. Some wireless cards are notorious for being stuck with the factory MAC address. Although my wireless card isn't supposed to be one of these, ethereal suggests otherwise.
Bottom line is: if you're having trouble bridging between a wireless and a wired network, then chances are your hardware doesn't support it. Fortunately, this doesn't mean you need to resort to something slow or hackish like vpn or masquerading. Here's how I solved my problem with a 1:1 NAT.

Assumptions:

1. Your network topology is something vaguely like this:
Code:
----------

3. You can (statically) allocate your Host OS multiple IP addresses (otherwise you must masquerade, discussed at the bottom).
4. This still works if you have more than one Guest OS, you'll just need to adjust accordingly.

What to do:

If you already have a bridge set up for this purpose, you'll need to get rid of it. Also, there is no longer any need for your network interfaces to be in promiscuous mode. Once you take down your bridge, you will need to reconfigure your network card. This assumes your bridge was br0, your network card is eth0, and that your Host OS has a static IP of 192.168.1.4.

Code:
# ifconfig br0 down

Code:
# route

Code:
# route add default gw 192.168.1.1

The next step is to assign your Host OS a second IP address. You don't need to have multiple NICs. This assumes that the second IP address you are going to use is 192.168.1.5.

Code:
# ifconfig eth0:1 192.168.1.5 netmask 255.255.255.0

Code:
auto lo

Our next step is to create a tun/tap interface for our Guest OS. If you are using qemu like I am, you can do something like:

Code:
# qemu -net tap -net nic -localtime -boot c -cdrom WinXP.iso WinXP.raw

Code:
-net tap -net nic

You can verify that tap0 has been created by examining the output of:

Code:
# ifconfig -a

Code:
# ifconfig tap0 10.0.0.1 netmask 255.255.255.0 up

Code:
# route

Code:
# modprobe iptable_nat

Code:
# iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.5 -j DNAT --to 10.0.0.2

Finally, configure your Guest OS to have the static IP address 10.0.0.2 with netmask 255.255.255.0 and gateway 10.0.0.1. Don't forget to give your Guest OS the appropriate DNS information! At this point, both your Host OS and your Guest OS should be able to access the Internet and the LAN with no problem. Here's an ascii-art diagram of what it looks like:

If for some reason your Host OS only has one IP address, you will have to do 1:many NAT (masquerading). Masquerading is less desirable than 1:1 NAT because you have to worry about things like port forwarding. If you find yourself masquerading, don't worry about creating eth:1, eth:2, and so on. Instead of using the two iptables commands per Guest OS that I've shown you to forward packets, use just this one command to cover all Guest OSes:

Code:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

References:
http://linux-net.osdl.org/index.php/Bridge
http://www.linux.org/docs/ldp/howto/...tiple-ips.html
http://www.netfilter.org/documentati...NAT-HOWTO.html
I will take up your kind offer but I have one eth card with one router/modem with a dynamic ip address.
My commands so far (assume numbers not in CLI, just used as a reference):

1. modprobe iptable_nat
2. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE (I changed caps NAT to lowercase as it gave me a better result)
3. echo 1 > /proc/sys/net/ipv4/ip_forward
4. lsmod short output shows:
Code:
tun                     8320  0
ipt_MASQUERADE          2496  1
iptable_nat             5892  1
ip_nat                 13932  2 ipt_MASQUERADE,iptable_nat

5. ifconfig
Code:
eth0      Link encap:Ethernet  HWaddr 00:0F:EA:53:32:06
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:33327 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26949 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:40247662 (38.3 MiB)  TX bytes:3221204 (3.0 MiB)
          Interrupt:16 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:368 (368.0 b)  TX bytes:368 (368.0 b)

tap0      Link encap:Ethernet  HWaddr E6:9B:33:A1:06:00
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:720 (720.0 b)  TX bytes:0 (0.0 b)

I also tried linking the tap0 to a different address, 192.168.1.101.

6. route table
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 tap0
192.168.1.0     *               255.255.255.0   U     5      0        0 eth0
169.254.0.0     *               255.255.0.0     U     5      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.254   0.0.0.0         UG    5      0        0 eth0

The 169 address is apparently a failed DNS server, but I am using the net as we speak..... and my /etc/resolv.conf has the nameservers of my ISP and my browser can find addresses.

Output of modified file:

7. cat /etc/qemu-ifup
Code:
#!/bin/bash
/sbin/ifconfig $1 0.0.0.0 up
sleep 10

Explain.... I thought I should modify your file as you mention that you closed down bridging and did not create eth0:1 etc.

8. /etc/init.d/sshd start
9. qemu -m 320 -net tap -net nic -boot c /a/g/qemu/s.img

There is a pause... no error messages and my slackware s.img starts.

Running ssh locally to each localhost or virtual machine works (host or vm):
Code:
ssh name@localhost -p (port number)

where name is the real name and port number is changed to the same as the config file on host or vm..... but when I try, within the VM (the qemu os):
Code:
ssh username@192.168.1.100 -p (port number)

where username is the actual username on the host and port number is the actual port number I configured for ssh, I am getting network unreachable.

So I wondered if it was a too restrictive firewall on the host... as I had a nat firewall in the router... I took the chance and disabled the host software firewall.... with the same result.

I have a /dev/net/tun.... otherwise the ifconfig tap would have failed? I am not experienced in tun/tap or this kind of networking, so can you tell me what tests or where I have gone wrong please? If not, thanks for reading such a long post and I hope those on dynamic ips can help me if possible. I am trying to eventually transfer files using SCP over ssh.
aus9: Way to be brave and try masquerading your guest os! Note, though, that virtually all ethernet cards support network bridging. Bridging is easier to set up than masquerading, and in most cases it is preferable to using any kind of NAT. So if you haven't tried bridging yet, I suggest you do so and then masquerade only if bridging doesn't work. There is an abundance of good articles on bridging on Google.

Still want to masquerade? As a first order of business, get rid of that 169 address by using the route command. I don't think that's what's causing your problem, but it shouldn't be there to begin with. I think your steps 1-9 look good except for a few nitpicks.

Code:
/sbin/ifconfig $1 10.0.0.1 netmask 255.255.255.0

Nitpicks aside, that the host can ssh into the guest and vice versa is an excellent sign. It means you configured the tun/tap network device correctly, so good job! :cool: I'm assuming that, as of step 9, your host can still connect to the Internet normally. As I understand it, your problem is that although the host and guest can talk to each other, the guest cannot talk to any computers beyond your host (i.e. to other computers on your LAN, or to the Internet). The most likely cause for this is improper masquerading by the host or incorrect routing tables on the guest. Before we continue:

You can look at your current filter chain by issuing iptables -L. Pay special attention to the FORWARD and POSTROUTING filter chains. What is the default policy of your forward chain? If it is REJECT or DROP, add rules to explicitly allow forwarding between eth0 and tap0. Perhaps something like:

Code:
iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT

Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Code:
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

Code:
default         10.0.0.1        0.0.0.0         UG    0      0        0 eth0

Code:
route add default gw 10.0.0.1

In either case, I assume you've configured the guest with a static ip of 10.0.0.2 and a netmask of 255.255.255.0 (since your host and guest can talk on ssh, you probably did). The guest should not be configured to use dhcp! Hope this all helps. Please post back and let us know how things are!
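The three host-side checks kc8tbe walks through above (the FORWARD policy, the masquerade rule in the nat POSTROUTING chain, and ip_forward) as an added script; this is not code from the thread or from either poster. It reads saved command dumps instead of calling iptables itself, so it runs unprivileged; the dumps below are constructed samples, eth0/tap0 are assumed names, and it also accepts an SNAT rule so it covers the 1:1 NAT variant from the earlier post.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the three host-side
# settings discussed above. Each check reads a saved dump instead of calling
# iptables itself, so it runs without root:
#   ip_forward_ok  <- copy of /proc/sys/net/ipv4/ip_forward
#   forward_ok     <- output of: iptables -L FORWARD -v -n
#   masq_ok        <- output of: iptables -t nat -L POSTROUTING -v -n
# Interface names are assumptions; override with LAN_IF=... TAP_IF=...
LAN_IF=${LAN_IF:-eth0}
TAP_IF=${TAP_IF:-tap0}

# Passes when the kernel will route between interfaces at all.
ip_forward_ok() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Passes when FORWARD's policy is ACCEPT, or there is an ACCEPT rule in each
# direction between LAN_IF and TAP_IF. The ESTABLISHED,RELATED rule alone is
# not enough: the guest's first outbound packet is NEW. Plain "iptables -L"
# omits the in/out columns, which is why tap0 never appeared in the listing
# posted later in this thread; -v is needed to see them.
forward_ok() {
    awk -v lan="$LAN_IF" -v tap="$TAP_IF" '
        /^Chain FORWARD/ && $4 == "ACCEPT" { policy_ok = 1 }
        $3 == "ACCEPT" && $6 == lan && $7 == tap { lan2tap = 1 }
        $3 == "ACCEPT" && $6 == tap && $7 == lan { tap2lan = 1 }
        END { exit !(policy_ok || (lan2tap && tap2lan)) }' "$1"
}

# Passes when a MASQUERADE (or, for the 1:1 NAT setup, SNAT) rule leaves via
# LAN_IF. The nat table is separate from the filter table, so it never shows
# up in "iptables -L" unless -t nat is given.
masq_ok() {
    awk -v lan="$LAN_IF" '
        ($3 == "MASQUERADE" || $3 == "SNAT") && $7 == lan { found = 1 }
        END { exit !found }' "$1"
}

# diagnose IPFWD_FILE FORWARD_FILE NAT_FILE: prints one line per failed check
# and returns the number of failures (0 means the host side looks right).
diagnose() {
    failures=0
    ip_forward_ok "$1" || { echo "ip_forward is 0 (echo 1 > /proc/sys/net/ipv4/ip_forward)"; failures=$((failures + 1)); }
    forward_ok "$2" || { echo "FORWARD: policy is not ACCEPT and no ACCEPT rules between $LAN_IF and $TAP_IF"; failures=$((failures + 1)); }
    masq_ok "$3" || { echo "nat POSTROUTING: no MASQUERADE/SNAT rule out $LAN_IF"; failures=$((failures + 1)); }
    return "$failures"
}

# Constructed sample dumps in the iptables -v -n layout: one complete set and
# one with all three settings missing.
write_samples() {
    printf '1\n' > "$1/ipfwd.good"
    printf '0\n' > "$1/ipfwd.bad"
    cat > "$1/forward.good" <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   tap0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tap0   eth0    0.0.0.0/0            0.0.0.0/0
EOF
    cat > "$1/forward.bad" <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
EOF
    cat > "$1/nat.good" <<'EOF'
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
EOF
    cat > "$1/nat.bad" <<'EOF'
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
echo "== complete host configuration"
diagnose "$SAMPLES/ipfwd.good" "$SAMPLES/forward.good" "$SAMPLES/nat.good" && echo "no problems found"
echo "== all three settings missing"
diagnose "$SAMPLES/ipfwd.bad" "$SAMPLES/forward.bad" "$SAMPLES/nat.bad" || echo "$? problem(s) found"
rm -rf "$SAMPLES"
```

On a real host, save the three dumps with the commands listed in the header comment and pass the files to diagnose.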
Well, thanks for the quick reply.... I was trying Masquerade as I thought that was your suggestion.

2) My bad, typo on command 7.... it was set to 10.x.x.x, as per the route output shown at (5) for tap0.
3) But I have misled you.... what I meant to say was that internal to each os.... ssh works... but not ssh to each other, which is why I wrote I was trying to transfer files. Oh well.
4) I will have to try again with the bridge utils and see if I have better luck.
5) In the meantime I have googled and found this http://www.hants.lug.org.uk/cgi-bin/...QemuNetworking which claims that if I had used the -user-net it was automatically firewalled.... I did not, but I mention it just as a teaser, and the link also talks of using the bridge and a slightly different qemu command.

I will get back to it when I can, and so thanks for your patience.
And my firewall may not be the only thing wrong... but I can not see it even after using a script (called iptables after my last bad) heh heh:

Code:
#!/bin/sh
exec /sbin/modprobe iptable_nat
exec /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
exec /sbin/iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT
exec /sbin/iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
exec /etc/init.d/sshd start

OR doing it manually but without the exec or /sbin as they are in my path. Then at your suggestion I looked at my firewall rules and not a mention of masquerade or tap0, so it's a sick firewall. And I have yet to try bridge. Looks like I won't solve it tonight. Oh well.

kc8tbe: EDIT I just did a google to look for mentions of the same in firewalls and did not find any (yet). Is there supposed to be a mention of masquerade and tap0 in a firewall configured as such?? My brain hurts, so it's good night and thanks for your patience.
aus9: So your host and guest can't talk to each other at all? This makes things more complicated! Please post the output of these commands as run on the host OS and also on the guest os (editing out sensitive information) so that I can get a better idea of what's going on. Please run the commands while the guest is running (as opposed to before starting qemu).

Code:
# route
kc8tbe: The good news is I think (even though I am inexperienced at networking issues) the answer is my firewall, and without waiting for a reply I am going to rebuild my firewall script manually. I won't post my vm outputs as I intend to get a simple firewall on my host and then use it on my vm. But just to show you I have a sense of humour and am not easily embarrassed, I will reveal all your host requests.

HOST OUTPUT ONLY

route
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 tap0
192.168.1.0     *               255.255.255.0   U     5      0        0 eth0
169.254.0.0     *               255.255.0.0     U     5      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.254   0.0.0.0         UG    5      0        0 eth0

iptables -L
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ACCEPT     all  --  192.168.1.100        192.168.1.255
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
nicfilt    all  --  anywhere             anywhere
srcfilt    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
srcfilt    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
s1         all  --  anywhere             anywhere

Chain f0to1 (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:0:1023 dpt:ssh state NEW
logdrop    all  --  anywhere             anywhere

Chain f1to0 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:cvsup dpt:https state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:cvsup dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:cvsup dpt:webcache state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:cvsup dpt:http-alt state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:cvsup dpt:8000 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:cvsup dpt:8888 state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:cvsup dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:0:1023 dpt:ssh state NEW
logdrop    all  --  anywhere             anywhere

Chain logdrop (4 references)
target     prot opt source               destination
logdrop2   all  --  anywhere             anywhere            limit: avg 1/sec burst 10
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP       all  --  anywhere             anywhere

Chain logdrop2 (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
logreject2 all  --  anywhere             anywhere            limit: avg 1/sec burst 10
LOG        all  --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere

Chain logreject2 (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       all  --  anywhere             anywhere

Chain nicfilt (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Chain s0 (1 references)
target     prot opt source               destination
f0to1      all  --  anywhere             192.168.1.100
f0to1      all  --  anywhere             192.168.1.255
f0to1      all  --  anywhere             g.s.net
logdrop    all  --  anywhere             anywhere

Chain s1 (1 references)
target     prot opt source               destination
f1to0      all  --  anywhere             anywhere

Chain srcfilt (2 references)
target     prot opt source               destination
s0         all  --  anywhere             anywhere

ifconfig -a
Code:
eth0      Link encap:Ethernet  HWaddr 00:0F:EA:53:32:06
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1492  Metric:1
          RX packets:55 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:27036 (26.4 KiB)  TX bytes:7380 (7.2 KiB)
          Interrupt:16 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tap0      Link encap:Ethernet  HWaddr 7A:14:35:68:0F:04
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

/etc/resolv.conf
Code:
nameserver aa.bb.cc.dd (edit)
nameserver aa.bb.cc.ee (edit)
search dhcppc0

output of /etc/qemu-ifup
Code:
#!/bin/bash
/sbin/ifconfig $1 10.0.0.1 netmask 255.255.255.0
These rules are easier to understand when you look at the guarddog frontend:

Code:
###############################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using iptables."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# Delete any existing chains
iptables -F
iptables -X
# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Loading kernel modules."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection if available
test -e /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_filter turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and matching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
    NIC="`echo \"$X\" | cut -f 1 -d _`"
    IP="`echo \"$X\" | cut -f 2 -d _`"
    RPF="1"
    for SEC_IP in $IPSEC_IPS ; do
        if [[ $SEC_IP == $IP ]]; then
            RPF="0"
        fi
    done
    echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 2> /dev/null
echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuring firewall rules."
# Set up our logging and packet 'executing' chains
iptables -N logdrop2
iptables -A logdrop2 -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logdrop2 -j DROP
iptables -N logdrop
iptables -A logdrop -m limit --limit 1/second --limit-burst 10 -j logdrop2
iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logdrop -j DROP
iptables -N logreject2
iptables -A logreject2 -j LOG --log-prefix "REJECTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject2 -j DROP
iptables -N logreject
iptables -A logreject -m limit --limit 1/second --limit-burst 10 -j logreject2
iptables -A logreject -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logreject -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject -j DROP
# Allow loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow DHCP clients.
iptables -A INPUT -i eth0 -p udp --dport 68 --sport 67 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 67 --sport 68 -j ACCEPT
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Accept broadcasts from ourself.
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
    NIC="`echo \"$X\" | cut -f 1 -d _`"
    IP="`echo \"$X\" | cut -f 2 -d _`"
    BCAST="`echo \"$X\" | cut -f 3 -d _`"
    iptables -A INPUT -i $NIC -s $IP -d $BCAST -j ACCEPT
done
# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow certain critical ICMP types
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Work out our local IPs.
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
iptables -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
    NIC="`echo \"$X\" | cut -f 1 -d _`"
    iptables -A nicfilt -i $NIC -j RETURN
    # We also take this opportunity to see if we only have a lo interface.
    if [ $NIC == "lo" ]; then
        GOT_LO=1
    fi
    let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
iptables -A nicfilt -j logdrop
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
    MIN_MODE=1
else
    MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
    MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.
# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
iptables -N f0to1
# Create chain to filter traffic going from 'Local' to 'Internet'
iptables -N f1to0
# Add rules to the filter chains
# Traffic from 'Internet' to 'Local'
# Allow 'ssh'
# Normal connection
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 22:22 -m state --state NEW -j ACCEPT
# privileged source port (rhosts compat.)
iptables -A f0to1 -p tcp --sport 0:1023 --dport 22:22 -m state --state NEW -j ACCEPT
# Rejected traffic from 'Internet' to 'Local'
# Traffic from 'Local' to 'Internet'
# Allow 'https'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'http'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
# Allow 'domain'
iptables -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
# Allow 'ssh'
# Normal connection
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 22:22 -m state --state NEW -j ACCEPT
# privileged source port (rhosts compat.)
iptables -A f1to0 -p tcp --sport 0:1023 --dport 22:22 -m state --state NEW -j ACCEPT
# Rejected traffic from 'Local' to 'Internet'
# Place DROP and log rules at the end of our filter chains.
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to0 -j logdrop
# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have iptables be
# able to look it up without being blocked by our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
    iptables -A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
    iptables -A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
    iptables -A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# Chain to split traffic coming from zone 'Internet' by dest zone
iptables -N s0
for X in $IPS ; do
    iptables -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
    true # make sure this if [] has at least something in it.
fi
iptables -A s0 -j logdrop
# Chain to split traffic coming from zone 'Local' by dest zone
iptables -N s1
if [ $MIN_MODE -eq 0 ] ; then
    true # make sure this if [] has at least something in it.
fi
iptables -A s1 -j f1to0
# Create the srcfilt chain
iptables -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
    true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
iptables -A srcfilt -j s0
if [ $MIN_MODE -eq 0 ] ; then
    # Remove the temp DNS accept rules
    iptables -D OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
    iptables -D INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
    iptables -D OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
    iptables -D INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# The output chain is very simple. We direct everything to the
# 'source is local' split chain.
iptables -A OUTPUT -j s1
iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt
# All traffic on the forward chains goes to the srcfilt chain.
iptables -A FORWARD -j srcfilt &> /dev/null
logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finished."
# Note: the start of the generated script, including the two enclosing
# if-blocks that these closing statements belong to, was not included in the post.
fi;
fi;
true

But as mentioned I no longer like this firewall, as there is no *nat filter showing up, which I found mentioned in an old doc I found, FIREWALLING WITH NETFILTER by Barry O'DONOVAN. Therefore, I withdraw my request for help. I will wander off into the electrical ether and if I have probs I will post my fw to the security forum.

So thanks for your interest and motivating me to get off my butt and understand my iptables -L output. Cheerio.
Improper usage of "exec"...

Quote (aus9):
#!/bin/sh
exec /sbin/modprobe iptable_nat
exec /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
exec /sbin/iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT
exec /sbin/iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
exec /etc/init.d/sshd start

The script only executes the first statement because "exec" says replace the current running process with this command.

Code:
/sbin/modprobe iptable_nat