bridging, tun/tap, qemu issues
 

Hello! I'm trying to give a guest OS (winXP) access to my network via a Linux bridge. I've followed the directions from other threads and other forums to the letter, but nothing seems to work.

The physical network interface on the host machine is eth0. It is connected to a Linksys router, which is itself connected to the Internet. The host machine has a static ip (192.168.1.4), but I want the guest OS to get its ip address via dhcp from the Linksys router.

Here is the pertinent information, taken after qemu was started:
I've verified that the kernel modules tun and bridge are loaded. I start qemu with:
Which does not produce any errors

And for debian/dapper users, the contents of /etc/network/interfaces are:
Finally, a snapshot from dmesg:
Network access on the host machine works fine, but the guest OS cannot retrieve an ip address and cannot access the network if assigned a static ip address from within the guest OS. I don't know if this is relevant, but I also cannot get network access by running "dhclient tap0" or "ifconfig tap0 192.168.1.5 netmask 255.255.255.0" from the host machine.

I must be doing something painfully foolish, but I don't know enough about linux bridging to figure it out on my own. Can anyone offer some suggestions? Thank you very much!

I think :scratch: I've identified my problem. There's no reason that bridging shouldn't work between a wireless and an ethernet medium. Both use the same frames, level 2 protocol, and MTU. However in order for bridging to work, the uplink NIC must be able to use different MAC addresses. Some wireless cards are notorious for being stuck with the factory MAC address. Although my wireless card isn't supposed to be one of these, ethereal suggests otherwise.

Bottom line is: if you're having trouble bridging between a wireless and a wired network, then chances are your hardware doesn't support it. Fortunately, this doesn't mean you need to resort to something slow or hackish like vpn or masquerading. Here's how I solved my problem with a 1:1 NAT.

Assumptions:
1. Your network topology is something vaguely like this:
2. Your kernel is compiled with support for iptables and NAT, and you have iptables installed.
3. You can (statically) allocate your Host OS multiple IP addresses (otherwise you must masquerade, discussed at the bottom).
4. This still works if you have more than one Guest OS, you'll just need to adjust accordingly.

What to do:
If you already have a bridge set up for this purpose, you'll need to get rid of it. Also, there is no longer any need for your network interfaces to be in promiscuous mode. Once you take down your bridge, you will need to reconfigure your network card. This assumes your bridge was br0, your network card is eth0, and that your Host OS has a static IP of 192.168.1.4.
Your routing table should now look like this:
If the last line is missing, you can add it with:
Also, don't forget to update DNS information in /etc/resolv.conf as necessary. Your Host OS should now be able to access the Internet and LAN normally.

The next step is to assign your Host OS a second IP address. You don't need to have multiple NIC's. This assumes that the second IP address you are going to use is 192.168.1.5.
Debian users can do this to their /etc/network/interfaces:
For now, this IP address will remain unused (except by applications that bind to 0.0.0.0, or those that bind to 192.168.1.5 explicitly). Traffic to and from your Host OS will pass through 192.168.1.4.

Our next step is to create a tun/tap interface for our Guest OS. If you are using qemu like I am, you can do something like:
The important part here is:
Which instructs qemu to emulate a network card for the Guest OS and connect that emulated network card to a tun/tap device, which we will assume is tap0. Make sure you are using a recent version of qemu; I'm using version 0.8.0.

You can verify that tap0 has been created by examining the output of:
Now you need to assign tap0 an IP address on your Host OS:
Now the routing table on your Host OS should look like this:
Next, make sure the NAT module is loaded into your kernel, and enable forwarding in your kernel:
Now you are ready to set up the 1:1 NAT with iptables.
Hint: add commands from the start of qemu onwards to /etc/qemu-ifup. /etc/qemu-ifup is called by qemu right after qemu creates the tun/tap device, and the name of the new tun/tap device (i.e. tap0) is passed as the first argument (i.e. $1).

Finally, configure your Guest OS to have the static IP address 10.0.0.2 with netmask 255.255.255.0 and gateway 10.0.0.1. Don't forget to give your Guest OS the appropriate DNS information! At this point, both your Host OS and your Guest OS should be able to access the Internet and the LAN with no problem.

Here's an ascii-art diagram of what it looks like:
For additional Guest OS's, configure tap1 with IP address 10.0.1.1 and netmask 255.255.255.0, and configure the Guest OS to have IP address 10.0.1.2 with gateway 10.0.1.1. Create eth:2 with address 192.168.1.6 and use iptables to forward packets between 10.0.1.1 and 192.168.1.6.

If for some reason your Host OS only has one IP address, you will have to do 1:many NAT (masquerading). Masquerading is less desirable than 1:1 NAT because you have to worry about things like port forwarding. If you find yourself masquerading, don't worry about creating eth:1, eth:2, and so on. Instead of using the two iptables commands per Guest OS that I've shown you to forward packets, use just this one command to cover all Guest OS's:
I hope you find this mini-HOWTO informative. Please post any questions to this thread, and I'll try to answer them!

References:
http://linux-net.osdl.org/index.php/Bridge
http://www.linux.org/docs/ldp/howto/...tiple-ips.html
http://www.netfilter.org/documentati...NAT-HOWTO.html

I will take up your kind offer but I have one eth card with one router/modem with a dynamic ip address.

My commands so far (assume numbers not in CLI just used as a reference)
1...modprobe iptable_nat
2....iptable -t nat -A POSTROUTING -o eth0 -j MASQUERADE

( I changed caps NAT to lowercase as it gave me a better result)
3....echo 1 > /proc/sys/net/ipv4/ip_forward

4...lsmod short output shows
tun 8320 0
ipt_MASQUERADE 2496 1
iptable_nat 5892 1
ip_nat 13932 2 ipt_MASQUERADE,iptable_nat

5....ifconfig
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0F:EA:53:32:06
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
RX packets:33327 errors:0 dropped:0 overruns:0 frame:0
TX packets:26949 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:40247662 (38.3 MiB) TX bytes:3221204 (3.0 MiB)
Interrupt:16 Base address:0xa000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:368 (368.0 b) TX bytes:368 (368.0 b)

tap0 Link encap:Ethernet HWaddr E6:9B:33:A1:06:00
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:720 (720.0 b) TX bytes:0 (0.0 b)

I also tried linking the tap0 to a diff address 192.168.1.101

6...route
table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 tap0
192.168.1.0 * 255.255.255.0 U 5 0 0 eth0
169.254.0.0 * 255.255.0.0 U 5 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.1.254 0.0.0.0 UG 5 0 0 eth0


______
the 169 address is apparently a failed DNS server but I am using the net as we speak.....and my /etc/resolv.conf has the nameservers of my ISP and my browser can find addresses.
_________________

ouput of modified file
7....cat /etc/qemu-ifup
#!/bin/bash

/sbin/ifconfig $1 0.0.0.0 up
sleep 10


Explain....I thought I should modify your file as you mention that you closed down bridging and not create eth0:1 etc


8.../etc/init.d/sshd start
9...qemu -m 320 -net tap -net nic -boot c /a/g/qemu/s.img

There is a pause...no error messages and my slackware s.img starts

__________________________

running ssh locally to each localhost or vitual machine works
(host or vm)
ssh name@localhost -p (port number)
where name is real name and port number is changed to same as config file to host or vm.


.....but when I try ....within the VM...the qemu os...

ssh username@192.168.1.100 -p (port number)
where username is actual username on host and port number is actual port number I configged for shh I am getting network unreachable

_____________

so I wondered if it was a too restrictive firewall on host...as I had a nat firewall in router...I took the chance at disabled the host software firewall....with same result

___________

I have a /dev/net/tun....otherwise the ifconfig tap would have failed?


I am not an experienced in tun/tap or this kind of networking so can you tell me what tests or where I have gone wrong please?

if not thanks for reading such a long post and I hope those on dynamic ips can help me if possible.

I am trying to eventually transfer files using SCP over ssh.

aus9: Way to be brave and try masquerading your guest os! Note, though, that virtually all ethernet cards support network bridging. Bridging is easier to set up than masquerading, and in most cases it is preferable to using any kind of NAT. So if you haven't tried bridging yet, I suggest you do so and then masquerade only if bridging doesn't work. There are an abundance of good articles on bridging on Google.

Still want to masquerade? As a first order of business, get rid of that 169 address by using the route command. I don't think that's what's causing your problem, but it shouldn't be there to begin with.

I think your steps 1-9 look good except for a few nitpicks.
Not going to work. Keep it as 10.0.0.1.
I would have used:
So that I wouldn't have to reconfigure tap0 to have that IP address and netmask in a separate step. In fact, since every command you issue (modprobe, iptables, echo) will need to be re-issued if you reboot your host, I would recommend adding these to your qemu-ifup script as well. Also, the sleep 10 is not necessary.

Nitpicks aside, that the host can ssh into the guest and vice versa is an excellent sign. It means you configured the tun/tap network device correctly, so good job! :cool:

I'm assuming that, as of step 9, your host can still connect to the Internet normally. As I understand it, your problem is that although the host and guest can talk to each other, the guest cannot talk to any computers beyond your host (i.e. to other computers on your LAN, or to the Internet). The most likely cause for this is improper masquerading by the host or incorrect routing tables on the guest.

Before we continue:
Please take note that it is iptables running on your host that actually performs the masquerading. Turning off your host's firewall effectively turns off masquerading, so leave the host's firewall on! That said:
Looks correct (except that I think you meant iptables instead of iptable) so it is entirely possible that an overly restrictive filter chain on the host is confounding your attempt to masquerade. Let's check for this without turning your host's firewall off.

You can look at your current filter chain by issuing iptables -L. Pay special attention to the FORWARD and POSTROUTING filter chains. What is the default policy of your forward chain? If it is REJECT or DROP, add rules to explicitly allow forwarding between eth0 and tap0. Perhaps something like:
Are there any rules above your's in the POSTROUTING or MASQUERADING chain that would DROP or REJECT packets? If so, delete them with iptables -D, or insert your own rules above them with iptables -I. For example:
Becomes:
Also, make sure you didn't forget:
Try again and see if your guest os can access the Internet (or indeed, even talk to the host os via ssh). If fixing up your host's firewall's filter chains didn't work, then perhaps the guest os is not configured with the correct default gateway. It sounds like your guest os is linux, in which case you can check by issuing the command route. If the output of route on your guest doesn't contain:
Then you can fix this by issuing the following on your guest:
If your guest is a Windows variant, you can set up the default gw by right-clicking on the icon associated with your network card and choosing Properties.

In either case, I assume you've configured the guest with a static ip of 10.0.0.2 and a netmask of 255.255.255.0 (since your host and guest can talk on ssh, you probably did). The guest should not be configured to use dhcp!

Hope this all helps. Please post back and let us know how things are!

well thanks for the quick reply....I was trying Masquerade as I thought that was your suggestion.

2) my bad typo on command 7....it was set to 10.x.x.x. as per the route output shows at (5) for tap0

3) but I have mislead you....what I meant to say was that internal to each os....ssh works...but not ssh to each other which is why I wrote I was trying to transfer files. oh well.

4) I will have try again with the bridge utils and see if I have better luck.

5) in the mean time I have googled and found this

http://www.hants.lug.org.uk/cgi-bin/...QemuNetworking

which claims that if I had used the -user-net it was automatically firewalled....I did not but I mention just as a teaser

and the link also talks of using the bridge and a slightly different qemu command

I will get back to when I can and so thanks for your patience

and my firewall may not be the only thing wrong...but I can not see even after using a script (called iptables after my last bad) heh heh
#!/bin/sh

exec /sbin/modprobe iptable_nat
exec /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
exec /sbin/iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT
exec /sbin/iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
exec /etc/init.d/sshd start


OR doing it manually but without the exec or /sbin as they are in my path.

Then at your suggestion I looked at my firewall rules and not a mention of masquerade or tap0 so its a sick firewall.

And I have yet to try bridge.


looks like I won't solve it tonight.

oh well

kc8tbe

EDIT


I just did a google to look for mentions of same in firewalls and did not find any (yet).

is there is supposed to be mentions of masquerade and tap0 in a firewall configured as such??

my brain hurts so it good night and thanks for your patience

aus9: So your host and guest can't talk to each other at all? This makes things more complicated! Please post the output of these commands as run on the host OS and also on the guest os (editing out sensitive information) so that I can get a better idea of what's going on. Please run the commands while the guest is running (as opposed to before starting qemu).
If you are in a hurry, try asking for help on the #qemu irc channel at freenode.net.

kc8tbe

The good news is I think (even tho I am inexperienced at networking issues) the answer is my firewall and without waiting for a reply I am going to rebuild my firewall script manually.

I won't post my vm outputs as I intend to get a simple firewall on my host and then use it on my vm.

But just to show you I have a sense of humour and not easily embarassed, I will reveal all your host requests.

________________________
HOST OUTPUT ONLY

route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 tap0
192.168.1.0 * 255.255.255.0 U 5 0 0 eth0
169.254.0.0 * 255.255.0.0 U 5 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 192.168.1.254 0.0.0.0 UG 5 0 0 eth0

iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT all -- 192.168.1.100 192.168.1.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
nicfilt all -- anywhere anywhere
srcfilt all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
srcfilt all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
s1 all -- anywhere anywhere

Chain f0to1 (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:0:1023 dpt:ssh state NEW
logdrop all -- anywhere anywhere

Chain f1to0 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:webcache state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:8000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:8888 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:0:1023 dpt:ssh state NEW
logdrop all -- anywhere anywhere

Chain logdrop (4 references)
target prot opt source destination
logdrop2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP all -- anywhere anywhere

Chain logdrop2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP all -- anywhere anywhere

Chain logreject (0 references)
target prot opt source destination
logreject2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere

Chain logreject2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere

Chain nicfilt (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
logdrop all -- anywhere anywhere

Chain s0 (1 references)
target prot opt source destination
f0to1 all -- anywhere 192.168.1.100
f0to1 all -- anywhere 192.168.1.255
f0to1 all -- anywhere g.s.net
logdrop all -- anywhere anywhere

Chain s1 (1 references)
target prot opt source destination
f1to0 all -- anywhere anywhere

Chain srcfilt (2 references)
target prot opt source destination
s0 all -- anywhere anywhere

ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:0F:EA:53:32:06
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1492 Metric:1
RX packets:55 errors:0 dropped:0 overruns:0 frame:0
TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27036 (26.4 KiB) TX bytes:7380 (7.2 KiB)
Interrupt:16 Base address:0xa000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

tap0 Link encap:Ethernet HWaddr 7A:14:35:68:0F:04
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

/etc/resolv.conf
nameserver aa.bb.cc.dd (edit)
nameserver aa.bb.cc.ee (edit)
search dhcppc0


output of /etc/qemu-ifup
#!/bin/bash

/sbin/ifconfig $1 10.0.0.1 netmask 255.255.255.0

These rules are easier to understand when you look at the guarddog frontend

###############################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Using iptables."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetting firewall rules."
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Delete any existing chains
iptables -F
iptables -X

# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Loading kernel modules."

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Setting kernel parameters."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection if available
test -e /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_fitler turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and metching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"

# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL

# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done

echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 2> /dev/null
echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Configuring firewall rules."
# Set up our logging and packet 'executing' chains
iptables -N logdrop2
iptables -A logdrop2 -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logdrop2 -j DROP
iptables -N logdrop
iptables -A logdrop -m limit --limit 1/second --limit-burst 10 -j logdrop2
iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logdrop -j DROP
iptables -N logreject2
iptables -A logreject2 -j LOG --log-prefix "REJECTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject2 -j DROP
iptables -N logreject
iptables -A logreject -m limit --limit 1/second --limit-burst 10 -j logreject2
iptables -A logreject -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logreject -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject -j DROP

# Allow loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow DHCP clients.
iptables -A INPUT -i eth0 -p udp --dport 68 --sport 67 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 67 --sport 68 -j ACCEPT

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Accept broadcasts from ourself.
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
iptables -A INPUT -i $NIC -s $IP -d $BCAST -j ACCEPT
done

# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow certain critical ICMP types
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Work out our local IPs.
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
iptables -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
iptables -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
iptables -A nicfilt -j logdrop
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.

# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
iptables -N f0to1
# Create chain to filter traffic going from 'Local' to 'Internet'
iptables -N f1to0
# Add rules to the filter chains

# Traffic from 'Internet' to 'Local'
# Allow 'ssh'
# Normal connection
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 22:22 -m state --state NEW -j ACCEPT
# privileged source port (rhosts compat.)
iptables -A f0to1 -p tcp --sport 0:1023 --dport 22:22 -m state --state NEW -j ACCEPT

# Rejected traffic from 'Internet' to 'Local'

# Traffic from 'Local' to 'Internet'
# Allow 'https'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'http'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
# Allow 'domain'
iptables -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
# Allow 'ssh'
# Normal connection
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 22:22 -m state --state NEW -j ACCEPT
# privileged source port (rhosts compat.)
iptables -A f1to0 -p tcp --sport 0:1023 --dport 22:22 -m state --state NEW -j ACCEPT

# Rejected traffic from 'Local' to 'Internet'

# Place DROP and log rules at the end of our filter chains.
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to0 -j logdrop

# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have iptables be
# able to look it up without being blocked by the our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
iptables -A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# Chain to split traffic coming from zone 'Internet' by dest zone
iptables -N s0
for X in $IPS ; do
iptables -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
iptables -A s0 -j logdrop

# Chain to split traffic coming from zone 'Local' by dest zone
iptables -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
iptables -A s1 -j f1to0
# Create the srcfilt chain
iptables -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
iptables -A srcfilt -j s0

if [ $MIN_MODE -eq 0 ] ; then
# Remove the temp DNS accept rules
iptables -D OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -D OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# The output chain is very simple. We direct everything to the
# 'source is local' split chain.
iptables -A OUTPUT -j s1

iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt

# All traffic on the forward chains goes to the srcfilt chain.
iptables -A FORWARD -j srcfilt &> /dev/null

logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Finished."
fi;
fi;
true


But as mentioned I no longer like this firewall as there is no

*nat filter

showing up which I found mentioned in an old doc I found from
FIREWALLING WITH NETFILTER by Barry O'DONOVAN.

Therefore, I withdraw my request for help. I will wander off into the electrical ether and if I have probs I will post my fw to the security forum.

So thanks for your interest and motivating me to get off my butt and understand my iptables -L output.

cheerio

Impropper usage of "exec"...
 

[QUOTE=aus9]
#!/bin/sh

exec /sbin/modprobe iptable_nat
exec /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
exec /sbin/iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT
exec /sbin/iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
exec /etc/init.d/sshd start

/QUOTE]

The script only executes the first statement because "exec" says replace the current running process with this command.