LinuxQuestions.org, Linux - Networking forum
Old 03-11-2009, 05:47 PM   #1
Mogget
Iptables firewall and gateway for local network not working.


Hello.

In short, I can not get the gateway to work for my local network and I have no clue where I'm going wrong in the script. It seems the gateway doesn't work, but if I log in through ssh using "ssh 10.0.0.150" from the client and from there try to ssh through my outside IP address, it works. So if I'm not mistaken, I need help with the gateway part, but the firewall is OK.

I have an ADSL modem which forwards everything to server. The server is to accept inbound ssh so i can log in both from local network and the internet. Also it should function as a gateway for my home computer.

Server and client use Slack 12.1.

The ADSL modem (10.0.0.1) is forwarding everything to 10.0.0.150 (Server/Gateway)

The server only has one NIC. It should only accept packets from 10.0.0.2 (Client) with state NEW,RELATED,ESTABLISHED and from the modem (10.0.0.1) with state RELATED,ESTABLISHED. Also it should accept inbound SSH requests both from the local network and from the internet.

Code:
#!/bin/sh
# The two variables used below were not shown in the original post; assumed values:
IPT=/usr/sbin/iptables
IP_FORWARD=/proc/sys/net/ipv4/ip_forward

# Disabling routing temporarily
echo 0 > $IP_FORWARD

# Loading the NAT module
modprobe iptable_nat

# Flushing and deleting all chains and tables (the nat table has to be flushed separately)
$IPT -F
$IPT -X
$IPT -t nat -F

# Setting the default policy for all chains
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Allowing established and related connections on all chains
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The client may open new connections out through eth0
$IPT -A FORWARD -o eth0 -s 10.0.0.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Only packets whose source address is the modem itself (10.0.0.1) match this rule
$IPT -A FORWARD -i eth0 -s 10.0.0.1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allowing local loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow inbound services
$IPT -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT   # SSH server

# Making this machine a gateway for the PC on the network
$IPT -t nat -A POSTROUTING -o eth0 -s 10.0.0.2 -j MASQUERADE

# Rejecting all outbound packets that are not already allowed above
$IPT -A OUTPUT -j REJECT

# Enabling routing again
echo 1 > $IP_FORWARD
Also, I have set the gateway for the server to the modem's IP and the gateway for the client to the server's IP, in case someone is thinking I'm doing something wrong there.

Also, this is besides the main question, but when changing "netconfig" options, how do I reboot the network without rebooting the PC? It gets a little bit tiring after a while.

I would greatly appreciate any help on what I'm doing wrong, because to me this seems logical and correct. Thank you for your time in advance.
 
Old 03-11-2009, 06:18 PM   #2
millgates
I had almost the same problem at home and, while I am not entirely sure of it, I think you actually need 2 NICs on the server to make that work. At least I didn't make it work; I had to buy another Ethernet card, then everything went OK.

I don't know if it's the correct solution, but I believe that running a network script such as /etc/rc.d/rc.inet1 or so should reboot the network.
Good luck with your problem.
 
Old 03-11-2009, 06:52 PM   #3
billymayday
You may want to add something like
Code:
$IPT -A tcp_packets_INET_in -p TCP -i eth0 --dport ssh -j LOG \
--log-prefix "Ext ssh" --log-level info
to see what's going on.

Here's my equivalent rule:
Code:
$IPT -A INPUT -p TCP -i eth0 --dport ssh -j ACCEPT
and it may be that the NEW is too restrictive, even with the ESTABLISHED,RELATED.

Opening your firewall more and doing some sniffing with Wireshark will help if the logging suggested above doesn't.
 
Old 03-12-2009, 12:30 AM   #4
Mogget
Original Poster
I'm sorry. I think I was not clear on what the problem is.

The SSH server is accepting and working both on the local IP and my outside internet IP address, meaning if I log into the server using SSH on my local IP address from the client and then use SSH once again on my outside IP address, I get access to the same server.

The problem is when I, for example, try to use this PC for everything else like everyday browsing etc., the packets will not get through the server. I have to set the modem as the gateway on the client and forward everything to this PC again before it will work.

I was told I could do this with just one NIC, but maybe that is too much to hope for. Normally I would just forward everything to this computer from the modem and only forward those ports I need to the server, but I have this weird Zyxel modem which will not allow a configuration like that.
 
Old 03-12-2009, 12:41 AM   #5
billymayday
Gotcha.

I haven't done this the way you are setting it up, but it certainly works across subnets if you use an alias on the NIC, and I don't see why it won't work like this.

But what you have won't work: you're dropping all forwards aside from those that are established, aren't you?

Looks to me like you should add a forward rule to allow HTTP from the LAN to outside.
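The forwarding failure in the script above comes down to one match in the FORWARD chain. When a reply to the client's connection comes back from the internet, the modem hands it to the server with the remote host's address as source, not 10.0.0.1, and conntrack has already rewritten the destination back to 10.0.0.2 before FORWARD sees it. A rule that accepts ESTABLISHED,RELATED only from `-s 10.0.0.1` therefore never matches, and the DROP policy discards every reply. The rule set below is an added example written for this thread, not the poster's script or anything from LinuxQuestions.org: it matches return traffic on its destination (the client) instead, adds the rate-limited LOG rule suggested in post #3 so dropped forwards show up in the kernel log, flushes the nat table (the original script did not, so re-running it stacked MASQUERADE rules), and turns off ICMP redirects on the single NIC, since otherwise the kernel tells the client to talk to the modem directly and bypass the gateway. The interface name, the iptables path and the addresses (server 10.0.0.150, client 10.0.0.2, modem 10.0.0.1) are assumed from the thread and should be adjusted.

```shell
#!/bin/sh
# Added example: single-NIC gateway rule set that lets the client's replies back
# through FORWARD. Not the poster's script. Assumed from the thread: the server and
# the client 10.0.0.2 share eth0, and the ADSL modem 10.0.0.1 forwards everything
# to the server. Run without arguments to print the rules, with --apply (as root)
# to install them.
IPT=${IPT:-/usr/sbin/iptables}            # assumed path; override with IPT=/path
IP_FORWARD=/proc/sys/net/ipv4/ip_forward
LAN_IF=eth0
CLIENT=10.0.0.2

# Emit the rule set as text so it can be reviewed (and checked) before use.
gateway_rules() {
    cat <<EOF
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $LAN_IF -s $CLIENT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $LAN_IF -d $CLIENT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix FWD-drop: --log-level info
-A OUTPUT -j REJECT
-t nat -A POSTROUTING -o $LAN_IF -s $CLIENT -j MASQUERADE
EOF
}

# Install the rule set; forwarding stays off while the rules are being replaced.
apply_rules() {
    echo 0 > "$IP_FORWARD"
    modprobe iptable_nat 2>/dev/null || true
    $IPT -F
    $IPT -X
    $IPT -t nat -F                         # nat table is not covered by a plain -F
    gateway_rules | while read -r rule; do
        # word-splitting $rule into separate iptables arguments is intended
        $IPT $rule
    done
    # With one NIC, forwarded packets leave on the interface they arrived on, so the
    # kernel would send ICMP redirects pointing the client straight at the modem.
    echo 0 > "/proc/sys/net/ipv4/conf/$LAN_IF/send_redirects"
    echo 1 > "$IP_FORWARD"
}

# Self-check: number of FORWARD rules that accept reply traffic toward the client.
reply_rules() {
    gateway_rules | grep -c -- "-A FORWARD .*-d $CLIENT .*ESTABLISHED,RELATED"
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       gateway_rules ;;              # default: print the rules for review
esac
```

Printing the rules first (`sh gateway.sh`) and only then applying them (`sh gateway.sh --apply`) keeps a typo from locking you out of a box you reach over SSH. The OUTPUT chain is left as the poster designed it: the server itself cannot open new outbound connections, which is fine for a pure gateway but will break DNS lookups or package updates run on the server. If forwards still fail, `dmesg` lines prefixed `FWD-drop:` show exactly which packets the policy is discarding.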
 
  


All times are GMT -5.