Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi, Im attempting to setup a simple network gateway with a with firewall functionality. For some reason this task is providing to be more of a challange than I thought.
My situation: 2 ethernet cards, eth0 is dynamically configured by isp, eth1 is statically assigned ip address 111.222.333.1 and is associated with a dhcpd server which assigns ip's to servers and such on subnets (this works fine). My private subnet is 111.222.333.32/27 with a broadcast address of 111.222.333.63 and is what I am experimenting with when trying to get this to work.
For now I have set iptables to allow everything, so that I can get the router working before I close off ports. Basically these are the commands I used to setup iptables:
iptables -A INPUT -j LOG --log-level notice --log-prefix IPTABLES:
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j LOG --log-level notice --log-prefix IPTABLES:
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -j LOG --log-level notice --log-prefix IPTABLES:
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
I also have tried doing the following, but with no avail yet (leaving these out does not solve the problem either):
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 111.222.333.63 (private subnet broadcast)
iptables it nat -A PREROUTING -i eth1 -j DNAT --to 0.0.0.0
As for 'route':
111.222.333.32 * 255.255.255.224 eth1
111.222.333.0 * 255.255.255.224 eth1
111.222.333.0 * 255.255.255.0 eth1
aaa.bbb.ccc.ddd * 255.255.255.252 eth0
default aaa.bbb.ccc.1 0.0.0 eth0
(where add.bbb.ccc.ddd is my isp's network)
I have also added a static route to 111.222.333.1 (eth1) which did not work. As well as removing one or both of the 111.222.333.0 entries which also did not work.
Finally, checking the iptables logs I discover that hosts on my private subnet are sucessfully attempting to reach their destination via eth1 (logs show connections for port 53 - dns, as i am attempting to connect to the web via a browser on my end host) but after several of these attempts, the iptables responds by sending an ICMP signal back to the client of type 3 or 'Destination Unreachable'.
Thats about it. I am completely stumped with this one. I'm not sure why something that is so simple is proving to be so hard. If anyone has any ideas or sees any flaws in my thinking, please relay you ideas on. Thanks alot.
Still no luck :-(
I have seemed to try everything, I've played around with both route and iptables; defining routes and rules in hope of getting something to work, but it still wont.
If noone has any ideas concerning my problem, then maybe you could recommend a utility or such to help me find the problem easier. I could especially use something to read the iptables log output out of /var/log/messages, as it is very cryptic and hard to read. Since I dont have X installed on my gateway it would have to be something cmd line based.
Anyways, If anyone has any suggestions please post, and I will keep this post updated if I make any breakthroughs.
If you want my advice to be honest with you you can spare yourself this whole mess in a few simple clicks but you need to have X ........ there is this firewall called firestarter it is a GUI firewall it enables you to start internet connection with an easy to use firewall in a few seconds .......I used to have lot of probs everytime i used to install a linux gateway "not a great network guru here"... but since I started using firestarter Iam finishing the network configuration in 10 minutes max
Solved! After much much much (note the date between posts) debugging I found that the problem occured because my internel clients were sending DNS queries to my gateway for web sites I was trying to access, and my gateway was not forwarding this request to my isp's DNS server. After compiling and installing BIND, and creating the named.conf file as so;
my gateway successfully forwarded packets. (To be technically correct, it was forwarding packets all along, but I was trying to access external sites via url and not ip, because my "genious intellect" :-) )
Anyways, I hope this helps anyone in a similar rut, and I would like to once again thank all those that helped me solving my problem.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
