LinuxQuestions.org


ok4life 04-20-2010 01:20 PM

iptables ipforwarding
 
I have a Fedora box with chillispot loaded for a captive portal wifi network. I need my office LAN to connect to a controller on the WIFI network. I have tried many different firewall rules and have only momentarily been able to ping something on the other network. Here's some configuration info and my firewall rules that I thought should work.

FC 4

ETH0 - WAN (office lan 192.168.24.201/24)
ETH1 - LAN (brought up as 192.168.10.1/24)
tun0 - chilli 192.168.240.1

ETH1 is brought up as 192.168.10.1 and chilli brings up tun0 as 192.168.240.1/24. I can't get my 192.168.24.0 to talk to either the .10.0 or the .240.0 network. As you can see by my script I have other services running on this machine also: mail, radius, web, etc. I commented out my rules that drop forwards and tried accepting with $IPTABLES -A FORWARD -i $EXTIF -j ACCEPT, #$IPTABLES -A FORWARD -o $EXTIF -j ACCEPT. That failed, so I commented those out and added $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT and $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT. Below is the whole script. I have run iptables -F prior to running the script. I have also verified ip_forward is 1. My router for the 24.0 net has a static route for 192.168.240.0 and 192.168.10.0 to the eth0. When I tracert 192.168.10.187 from 192.168.24.X it does trace back to the FC box and stops...

I hope I have explained everything right... any help is appreciated.


Quote:

#!/bin/sh
#
# Firewall script
#
#
#########################################################################
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#


IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#################################################################################
# EXTIF #
#################################################################################

#POP3 MAIL
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 110 -j ACCEPT
#SMTP Mail
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
# FTP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 21 -j ACCEPT
# WWW
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 443 -j ACCEPT
# RADIUS Auth
$IPTABLES -A INPUT -i $EXTIF -p udp -m udp --dport 1812 -j ACCEPT
# Webmin
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 10000 -j ACCEPT
# Samba
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 137:139 -j ACCEPT
# Samba
$IPTABLES -A INPUT -i $EXTIF -p udp -m udp --dport 137:139 -j ACCEPT
# Samba
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 445 -j ACCEPT
##### Drop Others ######
$IPTABLES -A INPUT -i $EXTIF -j DROP


#################################################################################
# INTIF #
#################################################################################

#SMTP 25
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 22 -j ACCEPT
# FTP
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 21 -j ACCEPT
# WWW
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 80 -j ACCEPT
# ping
$IPTABLES -A INPUT -i $INTIF -p icmp --icmp-type echo-request -j ACCEPT
#### drop others ####
$IPTABLES -A INPUT -i $INTIF -j DROP

#################################################################################
# Input other interfaces #
#################################################################################

# port 80/443 apache
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
# port 3990 chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#################################################################################
# Loopback #
################################################################################

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

################################################################################
# Enable NAT on output device
###############################################################################
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE



# Drop everything to and from $INTIF (forward)
#$IPTABLES -A FORWARD -i $INTIF -j DROP
#$IPTABLES -A FORWARD -o $INTIF -j DROP
# Accept forward from $EXTIF
#$IPTABLES -A FORWARD -i $EXTIF -j ACCEPT
#$IPTABLES -A FORWARD -o $EXTIF -j ACCEPT
#################################################################################
# Forward networks #
#################################################################################
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

#################################################################################
# Forward Port 3389 #
#################################################################################
#
#$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.240.254
######################################################################### drop to 24.x Except Broadcast and Gateway and printer
########################################################################
#
#$IPTABLES -I FORWARD -m iprange --src-range 192.168.24.2-192.168.24.72 -j DROP
#$IPTABLES -I FORWARD -m iprange --src-range 192.168.24.74-192.168.24.253 -j DROP
#$IPTABLES -I FORWARD -m iprange --src-range 192.168.10.2-192.168.10.254 -j DROP


blackhole54 04-23-2010 07:03 AM

Hi,

I am somewhat familiar with iptables rules but not with tunnel devices (if that is even the right thing to call things like tun0). I don't immediately see anything wrong with your rules, but maybe I can give you some troubleshooting tips that will help you figure out what is going on.

If you use the -v option when listing out iptables rules you can see how many packets (and how many bytes) have matched each rule. (I like to use iptables -nvL for listing.) So for example, you can check to see if you have packets matching your DROP rule at the end of the INPUT chain. If you see such and you want more information about what is getting dropped, you can add a rule (prior to the DROP rule!) to log such packets using the -j LOG target.

If this doesn't give you enough information to figure things out, you might look into using a packet sniffer such as tcpdump or Wireshark. You can get fairly elaborate (if you need to) in the matching criteria you use and I think you should be able to use them on any interface, including tun0. Hopefully between iptables' packet counts, logging, and packet sniffing you can figure out where packets are disappearing and why. If you can figure out where they are disappearing but not why, maybe I can give you some more help with the iptables rules.

Good luck.

SuperJediWombat! 04-23-2010 09:02 AM

Can you give us the output of:
iptables-save
ifconfig
route -n
cat /proc/sys/net/ipv4/ip_forward

ok4life 04-26-2010 03:06 PM

UPDATE - Sorry it took so long. I worked on it remotely and got it working, but it stopped the captive portal, so I commented out all the stuff I was testing with to make it work till I could get on property and work on it. Long story short, I got it working with the config below. But I still have a problem. I don't want my 240.x network to talk to my 24.x net (except the gateway), but I need my 24.0 net to talk to a single host, 192.168.240.254. Below are my current configs and the outputs requested. I appreciate the help guys :-)


Firewall script
Code:

#!/bin/sh
#
# Firewall script
#
# Stillwaters Resort WIFI server Firewall rules 12-22-2006
# Updated 4/20/2010 added forwarding,ftp, and some extra security
#########################################################################
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#


IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#################################################################################
#                                EXTIF                                                #
#################################################################################

#POP3 MAIL
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 110 -j ACCEPT
#SMTP Mail
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
# FTP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 21  -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 20 -j ACCEPT
# HTTP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
#$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 443 -j ACCEPT
# RADIUS Auth
$IPTABLES -A INPUT -i $EXTIF -p udp -m udp --dport 1812 -j ACCEPT
# Webmin
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 10000 -j ACCEPT
# Samba
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 137:139 -j ACCEPT
# Samba
$IPTABLES -A INPUT -i $EXTIF -p udp -m udp --dport 137:139 -j ACCEPT
# Samba
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 445 -j ACCEPT
# ICMP reply
$IPTABLES -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j ACCEPT
##### Drop Others ######
$IPTABLES -A INPUT -i $EXTIF -j DROP


#################################################################################
#                                INTIF                                                #
#################################################################################

#SMTP 25
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 22 -j ACCEPT
# FTP
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 21 -j ACCEPT
# WWW
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 80 -j ACCEPT
# ICMP reply
$IPTABLES -A INPUT -i $INTIF -p icmp --icmp-type echo-request -j ACCEPT


#### drop others ####
$IPTABLES -A INPUT -i $INTIF -j DROP

#################################################################################
#                Input other interfaces                                                #
#################################################################################

# port 80/443 apache
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
# port 3990 chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#################################################################################
#                        Loopback                                                #
################################################################################

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

################################################################################
#                Enable NAT on output device       
###############################################################################
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE



# Drop everything to and from $INTIF (forward)
#$IPTABLES -A FORWARD -i $INTIF -j DROP
#$IPTABLES -A FORWARD -o $INTIF -j DROP

#################################################################################
#                Forward                                                        #
#################################################################################
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT




#################################################################################
#                Forward Port 3389                                                        #
#################################################################################
#
#$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.240.241
################################################################################
#                        drop to 24.x Except Broadcast and Gateway and printer
#                      Opened up some IP's to communicate with 192.168.240.254
################################################################################
#
$IPTABLES -I FORWARD -m iprange --src-range 192.168.24.2-192.168.24.16 -j DROP
$IPTABLES -I FORWARD -m iprange --src-range 192.168.24.18-192.168.24.69 -j DROP
$IPTABLES -I FORWARD -m iprange --src-range 192.168.24.74-192.168.24.254 -j DROP
$IPTABLES -I FORWARD -m iprange --src-range 192.168.10.2-192.168.10.254 -j DROP

iptables-save
Code:

[root@mail ~]# iptables-save
# Generated by iptables-save v1.3.0 on Mon Apr 26 13:56:13 2010
*filter
:FORWARD ACCEPT [166584:137210448]
:INPUT DROP [431:127275]
:OUTPUT ACCEPT [2891:532808]
-A FORWARD -m iprange --src-range 192.168.10.2-192.168.10.254 -j DROP
-A FORWARD -m iprange --src-range 192.168.24.74-192.168.24.254 -j DROP
-A FORWARD -m iprange --src-range 192.168.24.18-192.168.24.69 -j DROP
-A FORWARD -m iprange --src-range 192.168.24.2-192.168.24.16 -j DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1812 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth1 -j DROP
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3990 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Mon Apr 26 13:56:13 2010
# Generated by iptables-save v1.3.0 on Mon Apr 26 13:56:13 2010
*nat
:OUTPUT ACCEPT [89:11397]
:POSTROUTING ACCEPT [38:6125]
:PREROUTING ACCEPT [58662:26278403]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 26 13:56:13 2010

ifconfig
Code:

[root@mail ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:02:1D:64:45
          inet addr:192.168.24.201  Bcast:192.168.24.255  Mask:255.255.255.0
          inet6 addr: fe80::201:2ff:fe1d:6445/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:116982 errors:0 dropped:0 overruns:0 frame:0
          TX packets:125531 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:135281333 (129.0 MiB)  TX bytes:13885943 (13.2 MiB)
          Interrupt:11 Base address:0xe000

eth1      Link encap:Ethernet  HWaddr 00:40:33:AA:A7:AB
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::240:33ff:feaa:a7ab/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:200844 errors:0 dropped:0 overruns:0 frame:0
          TX packets:210674 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:40325101 (38.4 MiB)  TX bytes:150568310 (143.5 MiB)
          Interrupt:10 Base address:0xdc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:220 errors:0 dropped:0 overruns:0 frame:0
          TX packets:220 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:23294 (22.7 KiB)  TX bytes:23294 (22.7 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.240.1  P-t-P:192.168.240.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:1500  Metric:1
          RX packets:63141 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107462 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:6171741 (5.8 MiB)  TX bytes:132998062 (126.8 MiB)

route -n
Code:

[root@mail ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.240.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.24.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         192.168.24.1    0.0.0.0         UG    0      0        0 eth0

Code:

[root@mail ~]# cat /proc/sys/net/ipv4/ip_forward
1


SuperJediWombat! 04-27-2010 03:09 AM

If you change the policy of your FORWARD chain to drop, this will work if you add it in to the forward section of your firewall script:
Code:

iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -d 192.168.240.254 -j ACCEPT

At the moment 166584 packets have matched your default forward policy of accept, so changing the policy to DROP may have unintended consequences. If you do not want to change the default policy, add this instead of the above rules:
Code:

iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -d 192.168.240.254 -j ACCEPT
iptables -A FORWARD -i tun0 -j DROP
iptables -A FORWARD -o tun0 -j DROP
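As an added example (not code from the thread or from any poster), here is a small Python model of that four-rule FORWARD chain with iptables' first-match semantics, so the intended policy can be checked against constructed sample flows before touching the live box. The interface names and 192.168.240.254 come from the thread; the sample office host 192.168.24.50 and wifi client 192.168.240.10 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Rule:
    """One FORWARD rule, reduced to the matches the thread's rules use."""
    target: str                        # terminating target: ACCEPT or DROP
    in_if: Optional[str] = None        # -i
    out_if: Optional[str] = None       # -o
    dst: Optional[str] = None          # -d, a host or CIDR
    states: Optional[Set[str]] = None  # -m state --state ...

@dataclass
class Packet:
    """A forwarded packet as the filter table sees it (constructed input)."""
    in_if: str
    out_if: str
    src: str
    dst: str
    state: str = "NEW"                 # conntrack state: NEW, ESTABLISHED or RELATED

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion present on the rule must hold, as in iptables."""
    if rule.in_if and rule.in_if != pkt.in_if:
        return False
    if rule.out_if and rule.out_if != pkt.out_if:
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True

def verdict(chain, policy: str, pkt: Packet) -> str:
    """First matching rule wins (all targets here terminate); else the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# The four rules from the second suggestion, in -A (append) order, with the
# FORWARD policy left at ACCEPT so the existing eth0<->eth1 traffic is untouched.
FORWARD = [
    Rule("ACCEPT", in_if="tun0", out_if="eth0", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", in_if="eth0", out_if="tun0", dst="192.168.240.254"),
    Rule("DROP", in_if="tun0"),
    Rule("DROP", out_if="tun0"),
]

def check(pkt: Packet) -> str:
    """Verdict for one packet under the modelled FORWARD chain."""
    return verdict(FORWARD, "ACCEPT", pkt)
```

Rule 3 also drops every NEW flow arriving on tun0 whatever its destination, so run the model against each flow the site needs (including wifi clients' traffic out through eth0), not only the two flows named in the question.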


