LinuxQuestions.org
Old 03-14-2004, 12:42 AM   #1
furryhit
LQ Newbie
 
Registered: Mar 2004
Posts: 1

Rep: Reputation: 0
can't get iptables NAT/server script correct


OK, I'm trying to set up a gateway between my router and LAN. I think my problem is something with the iptables script. eth1 is LAN, eth0 is WAN. When I have it set up I can't get a response from the machine over the network.

Code:
echo "Firewall Script Started"
iptables --flush
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p icmp -j ACCEPT

iptables -A INPUT -i eth1 -s 192.168.0.2 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.3 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.4 -j ACCEPT

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i eth0 -p udp -j DROP

iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j DROP
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
 
Old 03-14-2004, 09:35 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Try the MASQUERADE on eth0..

and add an INPUT rule to ACCEPT NEW traffic on eth0 from specific sources..

Last edited by peter_robb; 03-14-2004 at 09:42 AM.
 
Old 03-14-2004, 10:00 AM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Some extra comments to help tidy up the rules....

You have a DROP policy for both INPUT & FORWARD chains.

Therefore you don't need DROP rules..
unless they filter unwanted stuff for a later ACCEPT rule..
(Which you aren't doing here)

Anything not mentioned in the rules gets to the end of the chain & the DROP policy gets them..

It looks from your question that you can't see what is happening (or not happening)
Add some (lots of) -j LOG rules to keep an eye on the DROPPED packets.
Start with one at the end of each chain, then, if it's not enough, at the beginning of each chain, then before & after each rule..

eg
Code:
echo "Firewall Script Started"
# Flush all rules and delete user-defined chains so the script can be re-run cleanly
iptables --flush
iptables -t nat --flush
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

# NAT on the WAN side (eth0); LAN (eth1) may initiate, WAN may only reply
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth1 -s 192.168.0.2 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.3 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.4 -j ACCEPT

# LOG rules at the start, middle and end of the WAN INPUT path; watch them in the kernel log
iptables -A INPUT -i eth0 -j LOG --log-prefix "incoming " --log-level 6
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -j LOG --log-prefix "INPUT_2 " --log-level 6
iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i eth0 -j LOG --log-prefix "INPUT_end " --log-level 6
# The user-defined chain must be created before it can be used as a target
iptables -N allowed_ip
iptables -A INPUT -i eth0 -m state --state NEW -j allowed_ip

# NEW connections from this source are accepted; anything else returns to INPUT and hits the DROP policy
iptables -A allowed_ip -s x.x.x.x -j ACCEPT

iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
Have a read of this iptables tutorial for detailed explanations..
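Added example, not from the thread and not peter_robb's code: a small shell helper that summarises the kernel log lines those LOG rules produce, so you can see at which LOG rule packets stop being seen and which ones reach the end of the chain. The sample log lines are constructed; the prefix names are the ones from the script above.

```shell
#!/bin/sh
# Added example, not from the thread: summarise iptables -j LOG output so you
# can see which LOG rule each packet reached. The prefix is printed directly
# before "IN=", which is why the prefixes in the post end with a space.

# Constructed sample kernel log lines (syslog style) using the post's prefixes.
# A SYN to port 22 and an ICMP echo from 203.0.113.7 pass all three LOG rules;
# the ACK from 198.51.100.9 only appears at "incoming" because the
# ESTABLISHED,RELATED rule accepted it before the second LOG rule.
SAMPLE_LOG='Mar 14 10:00:01 gw kernel: incoming IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 10:00:01 gw kernel: INPUT_2 IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 10:00:01 gw kernel: INPUT_end IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 10:00:02 gw kernel: incoming IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=2 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=500 RES=0x00 ACK URGP=0
Mar 14 10:00:03 gw kernel: incoming IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
Mar 14 10:00:03 gw kernel: INPUT_2 IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
Mar 14 10:00:03 gw kernel: INPUT_end IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1'

# prefix_counts: how many packets reached each LOG rule (reads log lines on stdin)
prefix_counts() {
  awk 'match($0, / [A-Za-z0-9_]+ IN=/) { c[substr($0, RSTART + 1, RLENGTH - 5)]++ }
       END { for (p in c) print p, c[p] }' | sort
}

# log_trace PREFIX: for packets that hit PREFIX, print "SRC PROTO DPT-or-ICMP-TYPE COUNT",
# most frequent first. Packets that hit the last LOG rule and match no later
# ACCEPT are the ones the chain's DROP policy discards.
log_trace() {
  awk -v want=" $1 IN=" '
    index($0, want) == 0 { next }
    {
      src = proto = port = "-"
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "SRC") src = v
        else if (k == "PROTO") proto = v
        else if (k == "DPT" || (proto == "ICMP" && k == "TYPE")) port = v
      }
      count[src " " proto " " port]++
    }
    END { for (key in count) print key, count[key] }
  ' | sort -k4,4nr -k1,1
}

# Usage on a live box: journalctl -k | log_trace INPUT_end   (or dmesg, or /var/log/messages)
printf '%s\n' "$SAMPLE_LOG" | prefix_counts
printf '%s\n' "$SAMPLE_LOG" | log_trace INPUT_end
```

Run `log_trace` with the prefix of the last LOG rule in a chain to list exactly which sources and ports are falling through to the DROP policy, then add an ACCEPT above the policy only for the ones you actually want.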