LinuxQuestions.org forum: Linux - Networking
Hello,
I am stuck with dialup. haha laugh all you want. I have a computer on our home network that I've set up with apache, mysql, phpBB, etc just to try it all out. I would like to pass all the traffic from port 80 on THIS computer to the one on the network. I assume I would do it with iptables but I don't know how.
Also I would have to be able to start and stop it.
Originally posted by Kruncher:
Hello,
I am stuck with dialup. haha laugh all you want. I have a computer on our home network that I've set up with apache, mysql, phpBB, etc just to try it all out. I would like to pass all the traffic from port 80 on THIS computer to the one on the network. I assume I would do it with iptables but I don't know how.
Also I would have to be able to start and stop it.
Thank you.
Here's a little script, run it on the computer that connects to the Internet:
That's enough to disable NAT.
I have this in an init script, but it's Gentoo syntax.
The good news is that you can do automatic NAT and much more by installing firestarter; this iptables front end is very versatile, powerful and easy to use and set up. The only thing you need to enable NAT is a separate device for your internal network and one for the outbound connection (i.e. a LAN and your dial-up or DSL connection). With the script, however, you can do NAT even in this case.
Firestarter is a nice option, because it's fast to deploy and you can manage your firewall in real time: opening or closing ports, enabling particular IPs to connect to determined ports or even completely closing your network to outbound connections.
You don't have to bother about which ports are exported, as NAT translates the IP in a way that for an outside connection the visible port 80 is the one on your NATted machine (just remember not to enable a web server on the box which does the NATting).
BTW, I remember that Mandriva has its own way of dealing with NAT. Not sure, because it's a long time since I last saw a Mandrake running, but I'm completely sure it's there.
I've run the script and everything looks good:
lsmod shows that the module is loaded, iptables shows something:
"Chain FORWARD (policy DROP)
target prot opt source destination"
and ip_forward is 1.
Originally posted by Kruncher:
I've run the script and everything looks good:
lsmod shows that the module is loaded, iptables shows something:
"Chain FORWARD (policy DROP)
target prot opt source destination"
and ip_forward is 1.
It doesn't work. What else do I have to do?
* Check on the machine that shall be NATted whether the default route is set to the NAT 'server'; if not, set it:
Code:
route add default gw IP-OF-NAT-SERVER
And in the machine which does NAT ensure that port 80 is not closed by the firewall.
More potential troublemakers:
Check /etc/hosts.deny and /etc/hosts.allow
If your outbound connection is dial-up, ISDN or a DSL modem (not a router), check that the default gateway of this machine is set to the outbound device (ppp0, ippp0 or pppoe0). To set this the command is the same as above, just change the IP to the device:
Code:
route add default dev ppp0
This is normally done from the network configuration wizards such as the one in the Mandrake Config Center, Yast, or Red Hat Network Config.
Try this and ask again if it still doesn't work; I can't state right now, but there are more things which can hinder communication. Test also the connectivity by pinging from one machine to the other; as ICMP packets are not bound to ports, you will know if the physical connection is OK or whether there is a failure in wiring, connection or the LAN cards.
Nope, still doesn't work.
route shows this on the NAT 'server':
default DIALUPCOMPUTER 0.0.0.0 UG 0 0 0 eth0
default ROUTER 0.0.0.0 UG 0 0 0 eth0
(changed to protect my privacy)
Could the problem be that there are 2 defaults?
Originally posted by Kruncher:
Nope, still doesn't work.
route shows this on the NAT 'server':
default DIALUPCOMPUTER 0.0.0.0 UG 0 0 0 eth0
default ROUTER 0.0.0.0 UG 0 0 0 eth0
(changed to protect my privacy)
Could the problem be that there are 2 defaults?
Very probably. The default route of the NAT box should be only the router.
It's the other boxes which have to set the NAT box as default route.
Check also your firewall, test settings disabling it.
Originally posted by Kruncher:
Hello,
I am stuck with dialup. haha laugh all you want. I have a computer on our home network that I've set up with apache, mysql, phpBB, etc just to try it all out. I would like to pass all the traffic from port 80 on THIS computer to the one on the network. I assume I would do it with iptables but I don't know how.
Also I would have to be able to start and stop it.
Thank you.
I can post my iptables script that i'm working on that will forward traffic to your server behind the firewall.
Don't know if it will be good enough for the security section, so I'll post it here. Because of its size I will need to post it in 2 parts; there is a limit to the number of characters in each post. All you need to do is create a file called rc.firewall, copy the contents into the script and save it in the /etc/rc.d directory. Then make it executable for everyone by:
chmod 755 /etc/rc.d/rc.firewall
You may need to edit a few things at the top of the script to suit your version of Linux. I made this script to suit Slackware 9 but it is easy to use on other versions like Fedora Core. Dialup uses ppp0 as the interface so I have made that the default for your external interface. Some of the comments in the script I have been making during its testing, so if they don't make any sense or match up to the rules, I haven't had time to go through and edit them properly, but it should be easy to follow.
I've tested it on a router on my network and have had no trouble with it; I also have a modified version for my workstations that seems to work fine. If you have any questions don't hesitate to ask.
#!/bin/sh
##
## This is the location of the iptables command
IPTABLES="/usr/sbin/iptables" # assumed path: the assignment line was lost when the script was posted; adjust to the output of `which iptables`
############################################################################
## Declare some variables, this should be the only area you need to configure anything unless you need to forward to services
## on your internal network.
##
## Edit your interface types (eg... eth0 eth1 ppp0)
##
## Default external interface
DEFAULT_EXTIF="ppp0"
## Default internal interface
DEFAULT_INTIF="eth0"
## Loopback interface
LOOPBACK="lo"
## Do you get your external ip-address from DHCP server. (yes or no)
DHCP="no" # reconstructed: the assignment line was lost when the script was posted; "no" is right for a dialup link
LOOPBACK_IP="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D="224.0.0.0/4" # class D multicast addresses
CLASS_E="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
echo "Finished setting Reserved Networks/Class Variables"
############################################################################
## Block ip addresses of problem hosts
##
## I use portsentry to automatically add ip addresses to a file when a scan is detected, when the firewall
## is loaded, it will load rules to block all ip addreses in this file. You may also add addresses maually,
## you can specify them either as indivisual host 165.222.222.234 or a whole network 165.222.222.0/16.
##
## Note, there can only be one entry per line. You may find this extremely useful if you run a server
## on this machine of one internally on your network, you can add the ip addresses of known problem hosts
## and block them from connecting at all your servers.
## Allowed ip addresses that are permitted to connect directly to the machine itself, mostly used for administrative
## purposes from remote networks or to servers running on the internal network.
##
## e.g. ALLOWED_IP="224.25.168.0/24" or ALLOWED_IP="224.25.168.85"
##
#################################################################################################### ############
##
## You do not need to edit anything here in this section, this will determine network paramenters from static or DHCP assigned
## network interfaces.
##
## Note: This will not set the parameters of the network interfaces, (eg. ip-address, gateway or network id)
## this is done during setup of the operating system this will only retrieve the information and load
## it to the variables for the script. If you wish to set the interfaces manually, for slackware 9.0 edit the
## /etc/rc.d/rc.inet1 file other versions on unix/linux maybe in the same place.
##
## External Interface:
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
if [ "x$2" != "x" ]; then
EXTIF=$2
else
EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF
## Determine external IP
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
if [ "$EXTIP" = '' ]; then
echo "Aborting: Unable to determine the IP-address of $EXTIF !"
exit 1
fi
echo External IP: $EXTIP
## Determine external gateway
EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW
## Internal Interface:
## If no interface is specified then set $DEFAULT_INTIF as INTIF
if [ "x$3" != "x" ]; then
INTIF=$3
else
INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF
## Determine internal IP
INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
if [ "$INTIP" = '' ]; then
echo "Aborting: Unable to determine the IP-address of $INTIF !"
exit 1
fi
echo Internal IP: $INTIP
if [ "$DHCP" = "yes" ]; then # single '=' is the portable test under #!/bin/sh
echo "IP-Address obtained from DHCP Server.....setting module 'ip_dynaddr' to '1' "
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
fi
#################################################################################################### ##########
## These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
##
##
##
echo "Start log and drop Rules"
## Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LOGINVALID
$IPTABLES -A LOGINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
$IPTABLES -A LOGINVALID -j DROP
## TCP-Packets with one ore more bad flags
$IPTABLES -N LOGBADFLAG
$IPTABLES -A LOGBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
$IPTABLES -A LOGBADFLAG -j DROP
## Logging of possible TCP-SYN-Floods
$IPTABLES -N LOGSYNFLOOD
$IPTABLES -A LOGSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LOGSYNFLOOD -j DROP
## Logging of possible Ping-Floods
$IPTABLES -N LOGPINGFLOOD
$IPTABLES -A LOGPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LOGPINGFLOOD -j DROP
#################################################################################################### ##########
##
## Drop and log Reserved Internal Networks coming in on the external interface
echo "Setting incoming drop rules for reservered networks and classes"
# Incoming from internet
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_A -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_B -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_C -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_D -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_E -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $LOOPBACK_IP -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $BROADCAST_SRC -j RESNET
$IPTABLES -A INPUT -i $EXTIF -s $BROADCAST_DEST -j RESNET
# drop and log attemps to use our IP address assgined to our external interface
#################################################################################################### ##########
## Log and drop connection attempts from explicitly blocked hosts.
##
## NOTICE: THIS IS WORK IN PROGRESS NOT TESTED FULLY AT THIS STAGE
##
echo "Loading Temp IP Blocklist Files"
if [ -f $BLOCKED_IP ]; then
while read BLOCKED; do
$IPTABLES -A INPUT -i $EXTIF -s $BLOCKED -j BLOCKED
done < $BLOCKED_IP
else
echo "firewall: Banned address/network file not found."
echo "0.0.0.0" > /etc/ipblock
fi
echo "Finished Temp Loading IP Blocklist Files..............."
# echo "Loading Permanent IP Blocklist Files"
# if [ -f $BLOCKEDPERM_IP ]; then
# while read BLOCKEDPERM; do
# $IPTABLES -A FORWARD -i $EXTIF -s $BLOCKEDPERM -j BLOCKED
# done < $BLOCKEDPERM_IP
# fi
# echo "Finished Permanent Loading IP Blocklist Files........."
#################################################################################################### ##########
## Allow for services running on this machine, or forward them to a specific server on your local network.
## Hosts in the /etc/ipblock list will not connect or be forwarded to any host on the local network. To allow
## a remote connection to the firewall itself, make sure place the ip-address of the allowed host in the
## /etc/hosts.allow file, please note that the /etc/hosts.deny file will not block a host from being accepted or
## forwarded throught the network by the net filter rules,only from connecting directly to the firewall machine
## itself. If running portsentry also place the ip address in the /usr/local/psionic/portsentry/portsentry.ignore file,
## otherwise you may be taken for a port scan and trigger an action that will place your ip address in the
## /etc/hosts.deny file and also add your ip address to /etc/ipblock and to iptables block rules, then you will be blocked by the firewall as well.
##
##
## Allow SSH access to firewall
# $IPTABLES -A INPUT -p tcp -i $EXTIF -s $ALLOWED_IP --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j CHECKBADFLAG
## Allow www to host behind firewall (change 192.168.1.1 to the ip-address of your server)
$IPTABLES -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j CHECKBADFLAG
$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1:80
$IPTABLES -A FORWARD -p tcp -o $INTIF -d 192.168.1.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#################################################################################################### ##########
## General Rules
##
## Now we need to add some rules to start filtering the packets entering the router from both interfaces
##
echo "Loading general rules......................"
##
## Lets kill and log any invalid packets to any interface, these are packets which are not NEW, ESTABLISHED or RELATED
echo "Dropping INVALID packets"
$IPTABLES -A INPUT -m state --state INVALID -j LOGINVALID
$IPTABLES -A FORWARD -m state --state INVALID -j LOGINVALID
$IPTABLES -A OUTPUT -m state --state INVALID -j LOGINVALID
#################################################################################################### ##########
## Lets drop some ports, these are ports which are not supposed to go beyond the network or to come in from the internet
## These usually are smb and netbios protocols.
$IPTABLES -A INPUT -p tcp -m multiport --dport $TCPBLOCK -j DROP
$IPTABLES -A INPUT -p udp -m multiport --dport $UDPBLOCK -j DROP
#################################################################################################### ##########
## Allow everything on the loopback interface
$IPTABLES -A INPUT -p icmp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections from internet
$IPTABLES -A FORWARD -p icmp -o $INTIF -d $INTLAN -m state --state ESTABLISHED,RELATED -j ICMPINBOUND
## ICMP Packets coming from our network going to the internet to increase security always have the source as your
## local network range, this will help to stop any bad activity leaving and going to the internet.
echo "ICMP Packets from Internal Network"
$IPTABLES -A INPUT -p icmp -i $INTIF -d $INTIP -j ICMPOUTBOUND # Allow pings from the internal network for testing connections
$IPTABLES -A FORWARD -p icmp -o $EXTIF -s $INTLAN -m state --state NEW,ESTABLISHED,RELATED -j ICMPOUTBOUND
## TCP Packets coming from the internet, first it will be sent to check for bad flags, if it passes that it must be
## ESTABLISHED or RELATED connections to then be passed to the TCPACCEPT chain, again it will be checked for SYN flooding
## before it can pass through to the FORWARD chain.
## TCP Packets from the internet
echo "TCP Packets from Internet"
$IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections
$IPTABLES -A FORWARD -p tcp -o $INTIF -d $INTLAN -m state --state ESTABLISHED,RELATED -j CHECKBADFLAG
## TCP Packets Now we do the same for our internal network allowing all to go out to the internet but still filtering it to make sure there
## is no flooding or any malicious activity going out.
## TCP Packets from our internal network
echo "TCP Packets from Internal Network"
$IPTABLES -A INPUT -p tcp -i $INTIF -s $INTLAN -j CHECKBADFLAG # Allow connection for the internal network to the firewall
$IPTABLES -A FORWARD -p tcp -o $EXTIF -s $INTLAN -m state --state NEW,ESTABLISHED,RELATED -j CHECKBADFLAG # Allow all internal traffic out to the internet
Wow, that's a lot to go through.
Now I need to find a Bash tutorial and an iptables tutorial.
I know only a little about bash and iptables.
I only have a very simple firewall running on my dialup pc:
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
Is there a simple way to forward port 80? If not I will just walkthrough your iptables script.
I believe using the fotoguy's script is an excellent idea.
However, you can configure bare minimum firewall by modifying your firewall script.
This is your original script:
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
===========================================
In your script, you don't have any ACCEPT target for FORWARD. Thus, everything forwarded by PREROUTING is directly sent to the DROP target.
Thus, add the following to your original script.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -d $LAN_IP --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -d $LAN_IP --dport 443 -j ACCEPT
In addition to this, you need to turn off rp_filter on the destination computer. (HOWEVER, you should keep rp_filter on for the forwarding computer, which holds the above firewall script and works as the firewall for your internal network).
You can turn rp_filter off by echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter.
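To see the pieces the answer above relies on in one place (the PREROUTING DNAT rule, the FORWARD ACCEPTs that a DROP policy makes necessary, and ip_forward), here is an added example that is not code from the thread or from any poster: a minimal nat-up/nat-down script for the dialup box, with an up and a down action so it can be started and stopped. The interface names ppp0 and eth0, the server address 192.168.1.1 and the iptables path are assumptions; change them to match your network.

```shell
#!/bin/sh
# Added example, not code from the thread: the smallest rule set that
# forwards inbound port 80 on a dialup gateway to a web server on the LAN,
# with matching 'up' and 'down' actions so it can be started and stopped.
# Assumed names: ppp0 = dialup interface, eth0 = LAN interface,
# 192.168.1.1 = the LAN web server. Run as root; set DRY_RUN=1 to print
# the iptables commands instead of executing them.

EXTIF="${EXTIF:-ppp0}"
INTIF="${INTIF:-eth0}"
SERVER="${SERVER:-192.168.1.1}"
PORT="${PORT:-80}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Enable (1) or disable (0) routing between interfaces in the kernel.
set_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo $1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    fi
}

nat_up() {
    set_forwarding 1
    # Rewrite the destination of inbound port-80 connections before routing.
    ipt -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER:$PORT"
    # The dialup box uses a FORWARD policy of DROP, so the forwarded flow
    # needs explicit ACCEPTs: replies of known connections, then the new
    # connection to the server, then anything the LAN sends out.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$SERVER" --dport "$PORT" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    # MASQUERADE rather than SNAT: the ppp0 address changes on every dial-in.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

nat_down() {
    # Delete exactly the rules nat_up added (-D with the same match), in
    # reverse order, so the rest of the firewall is left untouched.
    ipt -t nat -D POSTROUTING -o "$EXTIF" -j MASQUERADE
    ipt -D FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    ipt -D FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$SERVER" --dport "$PORT" -m state --state NEW -j ACCEPT
    ipt -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -D PREROUTING -i "$EXTIF" -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER:$PORT"
    set_forwarding 0
}

# Check usable without root: every -A rule in 'up' must have a matching
# -D rule in 'down'. Returns 0 when the two sets agree.
rules_are_mirrored() {
    up=$(DRY_RUN=1 nat_up | grep iptables | sed 's/ -A / -D /' | sort)
    down=$(DRY_RUN=1 nat_down | grep iptables | sort)
    [ "$up" = "$down" ]
}

case "${1:-}" in
    up)    nat_up ;;
    down)  nat_down ;;
    check) rules_are_mirrored && echo "up/down rule sets match" ;;
    "")    ;;   # no argument: only define the functions, so the file can be sourced
    *)     echo "usage: $0 up|down|check" >&2; exit 1 ;;
esac
```

Forwarded packets traverse PREROUTING and FORWARD but never INPUT, so the INPUT DROP policy of the posted firewall needs no extra rule for this to work. The one thing outside the script is the point made earlier in the thread: the web server must use the dialup box as its default gateway, otherwise its replies leave by another route. `DRY_RUN=1 ./nat-up up` prints the rules so they can be read and checked without root, and `./nat-up check` confirms that down removes exactly what up adds.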
Originally posted by Kruncher:
Wow, that's a lot to go through.
Now I need to find a Bash tutorial and an iptables tutorial.
I know only a little about bash and iptables.
I only have a very simple firewall running on my dialup pc:
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
Is there a simple way to forward port 80? If not I will just walkthrough your iptables script.
Thank you.
I know little about bash and iptables myself, just learning it. lqorg_user's idea is your best bet if my script is a little over the top. But if you use mine I have already put the rules in to forward to an ip-address for your web server; you just have to change the ip-address to suit. The script is set up for a router only; if it's running on a machine that you are using as a workstation you will need to change the INPUT rules from:
$IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP -j LOGDROP # Drop local connections from internet
$IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections
$IPTABLES -A INPUT -p icmp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections from internet
to:
$IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP -m state --state ESTABLISHED,RELATED -j CHECKBADFLAG
$IPTABLES -A INPUT -p icmp -i $EXTIF -d $EXTIP -m state --state ESTABLISHED,RELATED -j ICMPINBOUND
iptables v1.3.3: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information.
./nat-up: line 15: DNAT: command not found
./nat-up: line 16: --to: command not found
iptables v1.3.3: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
./nat-up: line 20: 80: command not found
./nat-up: line 21: ACCEPT: command not found
iptables v1.3.3: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
./nat-up: line 23: 443: command not found
./nat-up: line 24: ACCEPT: command not found
Not sure why it gives me those errors.
I can find --dport in the man page.
Any more help would be nice, thank you.
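The pairing of "Unknown arg `-j'" with "DNAT: command not found" on the next line is what the shell produces when a rule is split across two lines but the newline is not escaped: iptables receives a rule that ends in -j, and the shell then runs "DNAT ..." as a command of its own. The usual cause is a backslash followed by a trailing space, or a line wrapped during copy and paste. As an added example, not from the thread, here is a small checker for that mistake, run over a constructed sample script that reproduces both symptoms; the sample rules and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: a checker for broken backslash line
# continuations in an iptables script. Two mistakes are reported:
#  1. a backslash followed by trailing spaces or tabs escapes the space,
#     not the newline, so the rule ends early;
#  2. a line that begins with an option or a target is the tail of a rule,
#     so the line before it must end in a bare backslash.
# check_continuations prints one finding per line and exits 1 if any.
check_continuations() {
    awk '
        /\\[ \t]+$/ {
            printf "line %d: backslash followed by trailing whitespace\n", NR
            bad++
        }
        /^[ \t]*(-|DNAT|SNAT|MASQUERADE|ACCEPT|DROP|REJECT|LOG)/ && prev !~ /\\[ \t]*$/ {
            printf "line %d: looks like the rest of a rule, but line %d does not end with a backslash\n", NR, NR - 1
            bad++
        }
        { prev = $0 }
        END { exit (bad > 0) }
    ' "$1"
}

# Number of findings, for use in scripts.
count_continuation_errors() {
    check_continuations "$1" | grep -c .
}

# Constructed sample reproducing the two mistakes; "\\ " in the printf
# format writes a backslash followed by a space at the end of line 1, and
# line 4 is a rule tail with no backslash on line 3.
write_broken_sample() {
    printf 'iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j \\ \nDNAT --to 192.168.1.1:80\niptables -A FORWARD -p tcp -d 192.168.1.1\n--dport 80 -j ACCEPT\niptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n' > "$1"
}

# The same rules written correctly: a bare backslash where a rule is
# continued, and otherwise one rule per line (the simplest way to avoid
# the problem altogether).
write_fixed_sample() {
    printf 'iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j \\\nDNAT --to 192.168.1.1:80\niptables -A FORWARD -p tcp -d 192.168.1.1 --dport 80 -j ACCEPT\niptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n' > "$1"
}

# Usage: ./check-script demo      (runs the checker over the broken sample)
#        ./check-script FILE      (checks your own script)
case "${1:-}" in
    demo) f=$(mktemp); write_broken_sample "$f"; check_continuations "$f"; rm -f "$f" ;;
    "")   ;;   # no argument: only define the functions
    *)    check_continuations "$1" ;;
esac
```

Running `./check-script demo` reports line 1 (backslash plus trailing space) and line 4 (rule tail without a preceding backslash) and exits 1; the fixed sample passes cleanly. Running the checker over nat-up before executing it would have pointed at the exact lines that produced the "command not found" messages above.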