Quote:
Originally Posted by OdinnBurkni
Hi.
I have an iptables script that I use on most of my gateways with a little modification. If you're interested I can send it to you with some explanation. Well, it doesn't need much explanation because it's commented and pretty straight forward.
I would like to see that script. I have made some progress but am not done yet.
My firewall started with:
-------------
*filter
:INPUT DROP [1956:130146]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [972602:1376127870]
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
--------------
It is the default Frugalware Linux firewall with the --dport 22 line added by me for ssh on the local lan.
I have now added:
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
iptables -A INPUT -i wlan0 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o wlan1 -j MASQUERADE
I can ping the Linux router (using its wlan0 address, 192.168.0.1) from other computers on my lan. I can also ping its wlan1 address, 192.168.1.144, assigned by the cable router (DHCP). ssh works on my lan and the Linux router has Internet access.
I cannot successfully ping the cable router (192.168.1.1) or any Internet address from other computers on my lan. I have a Dlink router that is functioning as a hub for my lan.
Linux router routing table is:
ip route ls
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.144
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev wlan1 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev wlan1
The default gateway points to the cable router.
I used wireshark to watch the progress of packets through the Linux router. When I ping the cable router from my lan, the ping request gets a reply and it appears to be routed correctly but the ping reply fails to get to the originating computer.
Below is a sample of the wireshark output.
No. Time Source Destination Protocol Info
6 1.374607 192.168.0.50 192.168.1.1 ICMP Echo (ping) request
Frame 6 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.0.50 (192.168.0.50), Dst: 192.168.1.1 (192.168.1.1)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
7 1.374644 192.168.1.144 192.168.1.1 ICMP Echo (ping) request
Frame 7 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.144 (192.168.1.144), Dst: 192.168.1.1 (192.168.1.1)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
8 1.383860 192.168.1.1 192.168.1.144 ICMP Echo (ping) reply
Frame 8 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.1.144 (192.168.1.144)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
9 1.383885 192.168.1.1 192.168.0.50 ICMP Echo (ping) reply
Frame 9 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.0.50 (192.168.0.50)
Internet Control Message Protocol
No. Time Source Destination Protocol Info
10 1.383890 192.168.1.1 192.168.0.50 ICMP Echo (ping) reply
Frame 10 (76 bytes on wire, 76 bytes captured)
Linux cooked capture
Internet Protocol, Src: 192.168.1.1 (192.168.1.1), Dst: 192.168.0.50 (192.168.0.50)
Internet Control Message Protocol
Bill
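An added example, not code from this thread or from Frugalware: a small shell function that emits a complete iptables-restore ruleset for the kind of LAN-to-WAN NAT gateway described above (interface names wlan0/wlan1 and the subnet 192.168.0.0/24 are assumed to match the post). It keeps the posted INPUT and MASQUERADE rules but replaces the open FORWARD ACCEPT policy with a default DROP plus explicit allow rules, so only LAN hosts can open flows toward the WAN and only tracked replies come back.

```shell
#!/bin/sh
# gen_ruleset LAN_IF WAN_IF LAN_NET
# Prints an iptables-restore ruleset (filter + nat tables) to stdout.
gen_ruleset() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and flows the router itself already tracks
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMP: replies and errors from anywhere, echo requests rate-limited (as in the post)
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
# new connections to the router only from the LAN side (ssh, DNS, DHCP)
-A INPUT -i ${lan_if} -s ${lan_net} -m state --state NEW -j ACCEPT
# forwarding: LAN hosts may open flows out through the WAN; only replies return
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# hide LAN addresses behind the WAN interface's DHCP-assigned address
-A POSTROUTING -s ${lan_net} -o ${wan_if} -j MASQUERADE
COMMIT
EOF
}

# apply_ruleset LAN_IF WAN_IF LAN_NET
# Loads the generated ruleset atomically and turns on IPv4 forwarding (needs root).
apply_ruleset() {
    gen_ruleset "$1" "$2" "$3" | iptables-restore || return 1
    sysctl -w net.ipv4.ip_forward=1
}
```

Run `gen_ruleset wlan0 wlan1 192.168.0.0/24` first to review the output, then `apply_ruleset` with the same arguments on the gateway.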