I can't get it up!!
I can't get the IP filtering working (firewall, iptables, Linux 2.4.x).
From an internal client I can ping the internal NIC and the external NIC on the firewall, but nothing past that, including the Internet.

eth0 (to extern): ip=212.51.51.5 nm=255.255.255.0 nw=212.51.51.0 bc=212.51.51.255 gw=212.51.51.1 (router IP address to Internet)
eth1 (to intern): ip=212.51.51.6 nm=255.255.255.0 nw=212.51.51.0 bc=212.51.51.255
intern client: ip=212.51.51.7 nm=255.255.255.0 nw=212.51.51.0 bc=212.51.51.255 gw=212.51.51.6
You need to get the Linux box connected to the Internet with DNS working first, using dhcpcd or a static IP depending on your Internet connection.
Then enable IP forwarding.

```shell
# masquerade traffic leaving on the external interface; the rule as posted
# said -o eth1, which is the internal NIC in this thread's layout
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
I think you also have to explicitly forward traffic to and from your internal clients in the FORWARD chain:

```shell
# -i takes an interface name, not an address: eth1 is the internal NIC and
# eth0 the external one in this thread's layout
iptables -A FORWARD -i eth1 -s 212.51.51.7 -j ACCEPT
iptables -A FORWARD -i eth0 -d 212.51.51.7 -j ACCEPT
```
Everything depends on your network configuration and the services required on it.
The one rule is only for IP masq; the other rules you have will determine what gets through and what does not. Look here for some good rule sets: http://www.linuxguruz.org/iptables/
Thanks for the replies!!
I will not be using IP MASQ. I don't know if this will pose a problem, since both sides of the firewall are on the same subnet (255.255.255.0). All I want to do is set up the filtering. I have tried the iptables that meatwad said and I used the echo 1 script as well, and I still cannot ping past the firewall. I can still ping both NICs on the firewall (internal and external), just not anything past that. Thanks again.
OK, so these are valid IPs for each machine. I see..
The default gateway must be set to the Internet default gateway on all machines.
So even the clients behind the firewall (and the two NICs on the firewall itself) will use 212.51.51.1 (Cisco router to Internet) for the default gateway?
The iptables script is:

```shell
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
```

(I can add the security later, I just need the forwarding to work.) I have tried all this and still I get no response when pinging the computers on the other side of the firewall.
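The script above opens every chain; the FORWARD rules suggested earlier in the thread are the start of something tighter. As an added example (not the poster's script or anything from the thread), here is a default-deny version for the same two-NIC layout. The interface names and the inside address are assumed from the thread's diagram, and DRY_RUN=1 prints the iptables commands instead of running them, so it can be read and checked before it touches a live box.

```shell
#!/bin/sh
# Added example, not the thread's own script: a default-deny version of the
# all-ACCEPT policy, for a two-NIC filtering box. Interface names and the
# inside address are assumed from the thread's diagram; DRY_RUN=1 prints the
# iptables commands instead of running them. Uses the "state" match, which
# exists on the 2.4 kernels this thread is about.

EXT_IF="${EXT_IF:-eth0}"                # NIC toward the Cisco router
INT_IF="${INT_IF:-eth1}"                # NIC toward the protected client(s)
INSIDE="${INSIDE:-212.51.51.7}"         # inside hosts, space-separated

# run: print the command when DRY_RUN=1, otherwise execute it
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

fw_apply() {
    # Flush old rules and switch the FORWARD chain to default-deny. INPUT and
    # OUTPUT stay open here because the thread only asks about forwarding.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT ACCEPT
    run iptables -P OUTPUT ACCEPT
    run iptables -P FORWARD DROP

    # Replies to connections the inside already opened may come back in.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections only from the listed inside hosts, inside -> outside.
    # -i/-o take interface names; an address there makes iptables reject
    # the rule.
    for h in $INSIDE; do
        run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$h" \
            -m state --state NEW -j ACCEPT
    done

    # Everything else is logged (rate-limited) and dropped, so a blocked
    # connection shows up in syslog instead of silently vanishing.
    run iptables -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
    run iptables -A FORWARD -j DROP

    # Nothing is forwarded until the kernel switch is on.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# fw_rule_count: number of commands fw_apply would issue (10 with one host)
fw_rule_count() {
    DRY_RUN=1 fw_apply | wc -l | tr -d ' '
}

# usage: "sh fw.sh show" prints the commands, "sh fw.sh apply" installs them
case "${1:-}" in
    show)  DRY_RUN=1 fw_apply ;;
    apply) fw_apply ;;
esac
```

The LOG rule is what makes debugging a thread like this one quick: a ping that never comes back appears as an FW-DROP line in syslog with the interface and addresses, instead of leaving you guessing whether the packet was dropped or never routed at all.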
What do you have in /etc/hosts.allow and /etc/hosts.deny?
Does the Linux box have a connection? Is the IP address correct on both interfaces? Check it out with ifconfig. Check the routing and make sure you have a default route with route -n. Fire up iptraf and see what's going through the Linux box.
This is the setup. I can't ping 212.51.51.1 from the client, but I can ping 212.51.51.5 and 212.51.51.6 from the client. I can also ping 212.51.51.1 and www.lycos.com from 212.51.51.5 (eth0 on the firewall).

```
                    internet
                        |
                        |
        cisco router IP=212.51.51.1 NM=255.255.255.0
                        |
                        |
+--------------------------------------------------+
| eth0 IP=212.51.51.5 NM=255.255.255.0             |
|                                                  |
|                 linux firewall                   |
|                                                  |
| eth1 IP=212.51.51.6 NM=255.255.255.0             |
+--------------------------------------------------+
                        |
                        |
          client IP=212.51.51.7 NM=255.255.255.0
```
Can you ping sites on the net by IP? If so, you might not have your DNS nameservers set up right.
Make sure the internal client machine has nameserver entries in the file /etc/resolv.conf.
Did you try iptraf yet?
No, I can't ping anything on the net by IP. Someone informed me that firewalls like this will not work because it is not set up as a router between subnets, and that's why it is not working. Are they correct? If you look at the diagram, I have put both sides of the firewall on the same subnet....
Thanks
Usually, or at least the way I've always seen it done and the way I do it, is to assign your internal machines IPs from the private classes like 10.85.0.0 and 192.168.0.0.
I am by no means a networking guru, but if you can't ping anything outside your network by IP address you have issues there.
OK, since you refuse to try iptraf :) just kidding.
Tell the person that said it can't be done to hold on just a minute. I am going to use some commands here; some may be unnecessary, but if you get errors let us know. Just run them and then we will see where we are at. First we will load some modules; if you get errors here then we need to know it.

```shell
echo 1 > /proc/sys/net/ipv4/ip_forward
```

Cool, let's proceed.
Now if you run route it should be empty; we will add some routes.
Set up all clients with the same default gateway 212.51.51.1. Set up the clients and the Linux router with the correct DNS.
Now, while that works great (and it is probably what you wanted), look at this as another solution.
This is Red Hat; other distros may have boot scripts in a different place. Adjust this as needed. Back up files first..

```shell
# as posted, source and destination are the same path; the backup
# destination name did not survive, so give the copy a different name
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0
```

```shell
echo DEVICE=eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0
```

I am calling it rc.br0:

```shell
echo "#!/bin/sh" > /etc/rc.d/rc.br0
```

Option #1: If there is DHCP on the network you can add this.
Option #2: If there is no DHCP then manually assign an IP and routing. Replace xxx.xxx.xxx.xxx with the IP of choice, and yyy.yyy.yyy.yyy with the default gateway:

```shell
echo "ifconfig br0 xxx.xxx.xxx.xxx" >> /etc/rc.d/rc.br0
```

for DNS to work on this machine.
Option #3: Don't set an IP; the computer will not have an IP and will be invisible.
OK, that's it for the script.. We need to set permissions on our new file:

```shell
chmod 755 /etc/rc.d/rc.br0
```

Now we are ready to run the script to set up the bridge. If your interfaces are up, you bring them down first:

```shell
ifconfig eth0 down
```

```shell
/etc/rc.d/rc.br0 &
```

If you want it to come up at boot this will set it up:

```shell
echo "/etc/rc.d/rc.br0" >> /etc/rc.d/rc.local
```

One of the main advantages is that DHCP and other broadcast protocols will work through the bridge. They will not work through a proxy ARP.
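Both of the last two replies are answers to the same problem: with every machine in one /24, the router ARPs for the client on the outside segment and nobody there answers, so replies never come back even though forwarding is on. The route-based reply (proxy ARP plus host routes) and the bridge reply above each lost most of their commands in this copy of the thread. As an added example, not the posters' own commands, here are both approaches in one script using the thread's addresses and interface names. It assumes iproute2 (ip) and bridge-utils (brctl); DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the posters' own (missing) commands: the two ways to put
# a filtering box between machines that all sit in one /24. proxy_arp_up keeps
# routing and has the box answer ARP on behalf of the inside host; bridge_up
# makes it a transparent bridge instead. Addresses and interfaces are the
# thread's; DRY_RUN=1 prints the commands instead of running them. Assumes
# iproute2 (ip) and bridge-utils (brctl).

EXT_IF="${EXT_IF:-eth0}"          # toward the Cisco router
INT_IF="${INT_IF:-eth1}"          # toward the client(s)
ROUTER="${ROUTER:-212.51.51.1}"
INT_IP="${INT_IP:-212.51.51.6}"
INSIDE="${INSIDE:-212.51.51.7}"   # inside hosts, space-separated
BR_IP="${BR_IP:-}"                # optional address for br0 (empty = none)

# run: print the command when DRY_RUN=1, otherwise execute it
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

proxy_arp_up() {
    # The router ARPs for 212.51.51.7 on the outside segment, where only the
    # firewall can hear it. proxy_arp makes the box answer for any host it
    # routes to through another interface, on both sides.
    run sh -c "echo 1 > /proc/sys/net/ipv4/conf/$EXT_IF/proxy_arp"
    run sh -c "echo 1 > /proc/sys/net/ipv4/conf/$INT_IF/proxy_arp"
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    # Give the inside NIC a /32 so the kernel does not get a second /24
    # connected route, then add one host route per inside machine. The /32
    # routes beat the /24 on the outside NIC, so only those hosts go inside.
    run ip link set "$INT_IF" up
    run ip addr flush dev "$INT_IF"
    run ip addr add "$INT_IP/32" dev "$INT_IF"
    for h in $INSIDE; do
        run ip route replace "$h/32" dev "$INT_IF"
    done
    run ip route replace default via "$ROUTER" dev "$EXT_IF"
}

bridge_up() {
    # Transparent bridge: both NICs lose their addresses and join br0, so
    # ARP, DHCP and other broadcasts cross the box unchanged.
    run ip addr flush dev "$EXT_IF"
    run ip addr flush dev "$INT_IF"
    run brctl addbr br0
    run brctl addif br0 "$EXT_IF"
    run brctl addif br0 "$INT_IF"
    run ip link set "$EXT_IF" up
    run ip link set "$INT_IF" up
    run ip link set br0 up
    # Option #2 from the post: a management address on the bridge itself
    # (/24 assumed). Option #3 is BR_IP left empty: the box has no address.
    if [ -n "$BR_IP" ]; then
        run ip addr add "$BR_IP/24" dev br0
        run ip route replace default via "$ROUTER" dev br0
    fi
}

# usage: "sh same-subnet.sh proxyarp" or "sh same-subnet.sh bridge"
case "${1:-}" in
    proxyarp) proxy_arp_up ;;
    bridge)   bridge_up ;;
esac
```

The proxy ARP variant keeps the box visible as a router, so the iptables FORWARD rules apply exactly as on any other router. On the bridge, frames are switched rather than routed: a plain 2.4 kernel does not pass bridged traffic through iptables at all, so filtering there needs the ebtables/bridge-nf patch (built into 2.6 as bridge-netfilter). Whichever you pick, the last line of the thread still holds: only the bridge carries DHCP and other broadcasts across.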