Help with iptables, 2 NICs + 2 subnets
I have 2 interfaces, wlan0 and wlan1, and 2 routers: 192.168.0.1 (lan) and 192.168.1.1 (Internet).
I would like to configure iptables to do the following:
- Connect to the lan with wlan0.
- Connect to the Internet with wlan1.
- Share the wlan1 Internet connection with other computers on the lan.
- Use modem dial-up (interface ppp0) as an Internet backup.
I have had a problem with dial-up ppp before. To get it to work, I had to delete the default gateway from the kernel routing table before launching the ppp daemon and then restart all the network interfaces when finished with dial-up. I never liked that kludge and would like to avoid that problem if possible. Thanks for any help.
Bill
IPtables
Hi.
I have an iptables script that I use on most of my gateways with a little modification. If you're interested I can send it to you with some explanation. Well, it doesn't need much explanation because it's commented and pretty straightforward.
Regards, Odinn Burkni
My firewall started with:
-------------
*filter
:INPUT DROP [1956:130146]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [972602:1376127870]
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
--------------
It is the default Frugalware Linux firewall with the --dport 22 line added by me for ssh on the local lan. I have now added:
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
iptables -A INPUT -i wlan0 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o wlan1 -j MASQUERADE
I can ping the Linux router (using the wlan0 address, 192.168.0.1) from other computers on my lan; I can also ping its wlan1 address, 192.168.1.144, assigned by the cable router (DHCP). ssh works on my lan and the Linux router has Internet access. I cannot successfully ping the cable router (192.168.1.1) or any Internet address from other computers on my lan. I have a Dlink router that is functioning as a hub for my lan.
Linux router routing table is:
ip route ls
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.144
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev wlan1 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev wlan1
The default gateway points to the cable router. I used wireshark to watch the progress of packets through the Linux router. When I ping the cable router from my lan, the ping request gets a reply and it appears to be routed correctly, but the ping reply fails to get to the originating computer. Below is a sample of the wireshark output.
No.  Time      Source         Destination    Protocol  Info
6    1.374607  192.168.0.50   192.168.1.1    ICMP      Echo (ping) request
Frame 6 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.0.50 (192.168.0.50), Dst: 192.168.1.1 (192.168.1.1)
Internet Control Message Protocol
No.  Time      Source         Destination    Protocol  Info
7    1.374644  192.168.1.144  192.168.1.1    ICMP      Echo (ping) request
Frame 7 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.144 (192.168.1.144), Dst: 192.168.1.1 (192.168.1.1)
Internet Control Message Protocol
No.  Time      Source         Destination    Protocol  Info
8    1.383860  192.168.1.1    192.168.1.144  ICMP      Echo (ping) reply
Frame 8 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.144 (192.168.1.144)
Internet Control Message Protocol
No.  Time      Source         Destination    Protocol  Info
9    1.383885  192.168.1.1    192.168.0.50   ICMP      Echo (ping) reply
Frame 9 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.0.50 (192.168.0.50)
Internet Control Message Protocol
No.  Time      Source         Destination    Protocol  Info
10   1.383890  192.168.1.1    192.168.0.50   ICMP      Echo (ping) reply
Frame 10 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.0.50 (192.168.0.50)
Internet Control Message Protocol
Bill
Update
I got the gateway part of the problem solved. Below are the commands to generate the firewall (most is from the Frugalware default firewall). Still working on the ppp problem.
# Clear iptables
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
iptables -X
# Default policy: drop input, accept output and forward
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Only allow ssh on local lan
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
# Accept everything for loopback and lan, plus anything ESTABLISHED or RELATED
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable some icmp traffic
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# Comment next line out to prevent responding to pings
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
# Internet shared with lan (wlan0 - lan, wlan1 - wan)
# Translate traffic from lan to wan
iptables -t nat -A POSTROUTING -o wlan1 -s 192.168.0.0/24 -j MASQUERADE
# Only allow forwarded traffic from wan to lan if it is ESTABLISHED or RELATED
iptables -A FORWARD -i wlan1 -m state --state NEW,INVALID -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
Bill
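As an added example (not from the thread), the same LAN-sharing ruleset with the WAN interface passed as a parameter, so it can be re-applied unchanged for wlan1 or the ppp0 dial-up backup; it assumes the thread's wlan0 LAN on 192.168.0.0/24, and the DRY_RUN switch is an assumption of this script, not an iptables feature.

```shell
# Added example, not from the thread: the LAN-sharing ruleset with the WAN
# interface as a parameter, so the same rules serve wlan1 (cable) or ppp0
# (dial-up backup). Assumes the thread's wlan0 LAN on 192.168.0.0/24;
# DRY_RUN=1 prints the commands instead of running them (script's own switch).

LAN_IF=${LAN_IF:-wlan0}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Build the complete ruleset for the given WAN interface.
build_firewall() {
    wan_if=$1
    ipt -F; ipt -t nat -F; ipt -t mangle -F; ipt -X
    # Default-deny both traffic to the router and forwarded traffic; the thread
    # used FORWARD ACCEPT plus a DROP of NEW/INVALID from the WAN instead.
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh only from the LAN side, and rate-limited echo requests.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    # LAN -> WAN: anything from the LAN prefix; WAN -> LAN: replies only.
    ipt -A FORWARD -i "$LAN_IF" -o "$wan_if" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$wan_if" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # MASQUERADE uses whatever address the WAN interface has right now, which
    # suits both DHCP on wlan1 and the address ppp0 is given when it dials.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$wan_if" -j MASQUERADE
}

# True when the generated ruleset masquerades LAN traffic out of interface $1.
masquerades_on() {
    ( DRY_RUN=1; build_firewall "$1" ) | grep -q -- "-s $LAN_NET -o $1 -j MASQUERADE"
}

# Number of FORWARD rules that accept traffic arriving from interface $1.
forward_accepts_from() {
    ( DRY_RUN=1; build_firewall "$1" ) | grep -c -- "-A FORWARD -i $1 .*-j ACCEPT"
}

# Usage as root: WAN_IF=wlan1 sh firewall.sh   or   WAN_IF=ppp0 sh firewall.sh
if [ -n "$WAN_IF" ]; then
    build_firewall "$WAN_IF"
    [ "${DRY_RUN:-0}" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

The default-route change needed for dial-up is routing rather than filtering, so it still has to be handled outside this script.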