LinuxQuestions.org

Linux - Networking: nat routing (https://www.linuxquestions.org/questions/linux-networking-3/nat-routing-268086/)

vaat 12-19-2004 12:55 PM

nat routing
 
Hi guys,

I am pretty new to Linux, but I installed Fedora 3 on the server right now. I enabled internet connection sharing through the following statements:

modprobe ipt_MASQUERADE
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipadres"
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -P INPUT DROP
iptables -A FORWARD -i eth0 -o eth0 -j REJECT

The first line fails, but the remaining ones didn't. It all works, but if I do a speed test my server is twice as fast as the Windows XP clients. I get 930 KByte/sec at the server and 420 KByte/sec at my Windows XP client. Can I do something to speed up the internet connection at the clients???

I have an ADSL connection from Demon.

Thanxs a lot ...

peter_robb 12-19-2004 01:34 PM

You shouldn't use the MASQUERADE module unless you have a changing ip number, eg via dialup..
It takes a lot of time to check the address for each packet..

SNAT and the other modules load automatically, so stay with that..

What's the idea of the FORWARD rule?
You will find FC3 has a reverse path filter turned on already to drop those..

Try the rules like this..
Code:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipadres"
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ! eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward


win32sux 12-19-2004 01:54 PM

Re: nat routing
 
these rules i'm posting are basically the same thing, i just did a little janitorial work on them...

i'm not so sure why any of this would be cutting your bandwidth in half on the clients, though...

Code:

modprobe ip_tables
modprobe ip_conntrack

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -X -t nat
iptables -X -t mangle
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress"

do you still have the same effect on the client side while using these commands??


vaat 12-20-2004 03:59 PM

Re: Re: nat routing
 
Quote:

Originally posted by win32sux
these rules i'm posting are basically the same thing, i just did a little janitorial work on them...

i'm not so sure why any of this would be cutting your bandwidth in half on the clients, though...

Code:

modprobe ip_tables
modprobe ip_conntrack

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -X -t nat
iptables -X -t mangle
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress"

do you still have the same effect on the client side while using these commands??



I did some cleanup at the clients and managed to speed things up. Speeds are now 730 KBytes/sec, so only 200 KBytes/sec less than the connection at the server. The Firefox browser is helping me with one client to improve the speed by 200 KBytes/sec, while at the remaining clients it doesn't matter which one is used.
Can someone review the comments that I made on the statements? I just installed Linux two days ago for my very first time and am still a newbie. Are they correct??

Can I just save this script to make it permanent by doing iptables-save -c > /etc/iptables-save?

Code:


echo "1" > /proc/sys/net/ipv4/ip_forward = enables ip forwarding

iptables -F = deleting (flush) all rules in iptables chains
iptables -F -t nat = deleting all rules in nat chain
iptables -F -t mangle = deleting all rules in mangle chain
iptables -X = delete empty chain
iptables -X -t nat = delete empty chain
iptables -X -t mangle = delete empty chain
iptables -P INPUT DROP = change input chain policy to drop all packets
iptables -P OUTPUT ACCEPT = change output chain policy to accept all packets
iptables -P FORWARD DROP = change forward chain policy to drop all packets
iptables -t nat -P PREROUTING ACCEPT = change chain policy in nat table to accept all packets in the prerouting state
iptables -t nat -P POSTROUTING ACCEPT = change chain policy in nat table to accept all packets in the postrouting state

iptables -A INPUT -i lo -j ACCEPT = append rule to input chain to accept all packets at the ... lo = localhost  ??
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT = append rule to input chain: If a packet is not creating a new connection then accept the packet at all interfaces. This rule accepts packets from the outside world, but only if there is already a connection. The outside world can not send packets which are not asked for ??
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT = append rule to input chain. This rule accepts incoming packets at interface eth1 if a packet is creating a new connection. This is the interface connected to the local area network. Computers at the LAN are creating new connections, that's why it is accepting connections at that interface.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT = append rule to forward chain. This rule forwards packets only when there is already an established connection, but forwards it in both directions.
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT = append rule to forward chain. This rule forwards packets at incoming interface eth1 to outgoing interface eth0 when the packet is creating a new connection.

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress" = append rule to nat chain. This rule forwards packets just before they go out. The rule is forwarded to the SNAT module (masquerading), which is forwarding packets to my IP address of my ISP.

So basically only my clients can connect to the internet by creating connections and sending packets to the server. No outside party can connect to my network by itself, because all packets with --state NEW are immediately dropped.
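The claim in the post above, that no outside party can open a connection because every unsolicited packet with --state NEW is dropped, holds only as long as every INPUT rule that accepts NEW connections is bound to lo or to the LAN interface. The script below is an added example, not code from anyone in this thread: it reads iptables-save text and lists the filter-table INPUT rules that accept new connections without such an interface binding. The iptables-save dump inside it is a constructed sample (the thread's ruleset plus two extra INPUT rules), and eth1/eth0 follow the LAN/Internet layout used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved ruleset for INPUT rules that
# open ports toward the Internet interface. Assumes eth1 = LAN, eth0 = Internet.
set -eu

# A constructed iptables-save dump: the thread's rules plus two extra INPUT
# rules, one bound to the LAN interface (port 80) and one unbound (port 22).
sample_ruleset() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the policy of the filter table's INPUT chain (the thread wants DROP).
input_policy() {
    awk '/^[*]/ { table = substr($0, 2) }
         table == "filter" && $1 == ":INPUT" { print $2 }'
}

# Print every filter-table INPUT rule that ACCEPTs new connections without being
# bound (-i) to loopback or to the LAN interface given as $1; those rules are
# reachable from the Internet side. Only -i and --state are examined, so a rule
# narrowed by -s is still listed: treat the output as a review list, not a verdict.
exposed_input_rules() {
    awk -v lan="$1" '
        /^[*]/ { table = substr($0, 2); next }
        table != "filter" || $1 != "-A" || $2 != "INPUT" { next }
        !/-j ACCEPT/ { next }
        /--state/ && !/NEW/ { next }    # only continues existing connections
        {
            iface = ""
            for (i = 3; i < NF; i++) if ($i == "-i") iface = $(i + 1)
            if (iface == "lo" || iface == lan) next
            print
        }'
}

# Number of exposed rules as a plain integer, for scripts and checks.
count_exposed() {
    exposed_input_rules "$1" | awk 'END { print NR }'
}

# On a live box the same check is:  iptables-save | exposed_input_rules eth1
```

Run against the sample, the only finding is the port-22 rule, because it has no -i match and therefore also accepts new connections arriving on eth0; rewriting it as `-A INPUT -i eth1 -p tcp --dport 22 ...` makes the finding disappear. A `! -i eth0` rule is reported too (the parser does not understand negation), which errs on the side of showing you more to review.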

win32sux 12-20-2004 04:54 PM

i think you can save it like that, but i'm not sure... what i do is i put all my rules in a shell script and then i run the script at startup... the way to do that kinda varies between distros... on slackware, which is what i use, you just save your firewall script as /etc/rc.d/rc.firewall and that's pretty much it... of course it needs to have the execute permissions set and stuff... anyways, the thing is i don't remember how red hat handles this, so i can't really say, but here's the rules i posted, except now they are in "shell script" format... i also put in a few comments and added conntrack modules for FTP and optionally IRC...

Code:

#!/bin/sh

IPT="/sbin/iptables"

# Load some modules:
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc


# Enable packet forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything and set policies:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

# Accept all input coming from myself:
$IPT -A INPUT -i lo -j ACCEPT

# Accept all input packets which belong to established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all input packets starting new connections on eth1:
$IPT -A INPUT -i eth1 -m state --state NEW -j ACCEPT

# Allow forwarding of packets belonging to established connections:
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding of packets starting new connections from eth1 out to eth0:
$IPT -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

# Change the source IP address on outgoing forwarded packets to "ipaddress":
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress"

this page has lots of good links to info on iptables:

http://www.linuxguruz.com/iptables/


peter_robb 12-20-2004 05:26 PM

The Fedora way of saving is to use the file /etc/sysconfig/iptables

It is created using service iptables save which saves any active rules there..
So you'll need to get the rules in a state like win32sux has them, (not using = as a comment start) and get them loaded once, probably manually, then save them.

They are automagically loaded at boot from the /etc/rc.d/rc5.d/ directory..

Also be sure to replace "ipaddress" with the actual eth0 ip address in
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress"

As a comment, there are only a few modules which don't autoload when the rule is entered, notably ftp and irc..
Generally, loading modules without knowing what state the rules are in can be considered dangerous.. Generally loading them after the rules are in place is better policy, or at least after they are flushed, when you can be sure of their state..
Likewise the ip_forward..

win32sux 12-20-2004 05:38 PM

i have updated the script using peter_robb's excellent advice:

Code:

#!/bin/sh

IPT="/sbin/iptables"

# Disable packet forwarding while we get ready:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Flush everything and set policies:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

# Load some modules:
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc

# Accept all input packets coming from myself:
$IPT -A INPUT -i lo -j ACCEPT

# Accept all input packets which belong to established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all input packets starting new connections on eth1:
$IPT -A INPUT -i eth1 -m state --state NEW -j ACCEPT

# Allow forwarding of packets which belong to established connections:
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding of packets starting new connections from the LAN to the Internet:
$IPT -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

# Change the source IP address on outgoing forwarded packets to "ipaddress":
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress"

# Enable packet forwarding now that everything is set:
echo "1" > /proc/sys/net/ipv4/ip_forward


peter_robb 12-21-2004 08:14 AM

Ok.. that's good..

May I suggest some final polish.. (the shiny stuff)

Change "ipaddress" to a field value and specify it at the beginning of the script..
And drop the first 2 module loads..
(Actually, nat requires conntrack in order to work, but not every system will autoload from that..)
And comment out the last 2 policy lines as it's their default already..
Code:

#!/bin/sh

IPT="/sbin/iptables"

# Enter your internet interface's ip address here..
IPADDRESS="x.x.x.x"

# Disable packet forwarding while we get ready:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Flush everything and set policies:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
# $IPT -t nat -P PREROUTING ACCEPT  #this is already its default
# $IPT -t nat -P POSTROUTING ACCEPT  #this is already its default

# Load some modules:
# /sbin/modprobe ip_tables
# /sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc

# Accept all input packets coming from myself:
$IPT -A INPUT -i lo -j ACCEPT

# Accept all input packets which belong to established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all input packets starting new connections on eth1:
$IPT -A INPUT -i eth1 -m state --state NEW -j ACCEPT

# Allow forwarding of packets which belong to established connections:
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding of packets starting new connections from the LAN to the Internet:
$IPT -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

# Change the source IP address on outgoing forwarded packets to IPADDRESS:
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to $IPADDRESS

# Enable packet forwarding now that everything is set:
echo "1" > /proc/sys/net/ipv4/ip_forward


win32sux 12-21-2004 09:51 AM

i went ahead and added a couple things, too...

Code:

#!/bin/sh

# Set the variables that will be used:
IPT="/sbin/iptables"
LAN_IFACE="eth1"
INET_IFACE="eth0"
INET_IP="x.x.x.x"

# Disable packet forwarding while we get ready:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Set some anti-crap parameters:
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Flush everything and set policies:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
# These are the defaults, but lets make sure they are set:
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

# Load some modules which we'll probably need:
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc

# Accept all input packets coming from myself:
$IPT -A INPUT -i lo -j ACCEPT

# Accept all input packets which belong to already established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all input packets starting new connections from the LAN.
# It would be a good idea to change this so that only needed traffic is allowed,
# instead of accepting everything from the LAN, even if you completely trust your LAN:
$IPT -A INPUT -i $LAN_IFACE -m state --state NEW -j ACCEPT

# Allow forwarding of packets which belong to already established connections:
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding of packets starting new connections (from the LAN to the Internet):
$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE -m state --state NEW -j ACCEPT

# Change the source IP address on outgoing forwarded packets to $INET_IP:
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP

# Enable packet forwarding now that everything is set:
echo "1" > /proc/sys/net/ipv4/ip_forward
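Two things in the scripts above are easy to get wrong when they are typed in by hand: leaving the "x.x.x.x" placeholder in place, and ending up with forwarding switched on while the chains are half built (the ordering peter_robb argued for: forwarding off, flush, policies, helper modules, rules, forwarding on). The script below is an added example, not code from anyone in this thread. It generates the same rules as the final script, refuses to run if the Internet address is not a valid IPv4 address, prints the commands in dry-run mode so they can be read before anything is applied, and checks that the forwarding switch is the last thing that happens. It assumes iproute2's `ip` is available for address discovery, uses the thread's 2.6-era FTP helper module names, and takes eth0/eth1 as placeholders for your interfaces.

```shell
#!/bin/sh
# Added example, not from the thread: the final ruleset above, wrapped so it can
# be inspected and sanity-checked before it touches the kernel.
set -eu

IPT="${IPT:-/sbin/iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"
INET_IFACE="${INET_IFACE:-eth0}"
INET_IP="${INET_IP:-}"        # empty: discover it from $INET_IFACE at run time

# Return 0 if $1 is a dotted-quad IPv4 address (four decimal octets, each 0-255).
# This catches the "x.x.x.x" placeholder being left in by mistake.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Discover the first IPv4 address on interface $1 (assumes iproute2's `ip`).
discover_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null \
        | sed -n 's/.* inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Print the commands in the order the thread settled on: forwarding off, flush,
# policies, conntrack helpers, rules, and only then forwarding back on.
# Arguments: $1 internet IP, $2 LAN interface, $3 internet interface.
emit_rules() {
    cat <<EOF
echo 0 > /proc/sys/net/ipv4/ip_forward
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $2 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $2 -o $3 -m state --state NEW -j ACCEPT
$IPT -t nat -A POSTROUTING -o $3 -j SNAT --to $1
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Return 0 if the last command is the one that re-enables forwarding, i.e.
# nothing is forwarded while the tables are half built.
forwarding_enabled_last() {
    [ "$(emit_rules "$@" | tail -n 1)" = "echo 1 > /proc/sys/net/ipv4/ip_forward" ]
}

main() {
    _ip=$INET_IP
    [ -n "$_ip" ] || _ip=$(discover_ip "$INET_IFACE")
    if ! is_ipv4 "$_ip"; then
        echo "no usable IPv4 address for $INET_IFACE (got '$_ip'); not applying rules" >&2
        return 1
    fi
    case "${1:-dry-run}" in
        dry-run) emit_rules "$_ip" "$LAN_IFACE" "$INET_IFACE" ;;
        apply)   emit_rules "$_ip" "$LAN_IFACE" "$INET_IFACE" | sh -eu ;;
        *)       echo "usage: $0 [dry-run|apply]" >&2; return 2 ;;
    esac
}

# Sourcing this file only defines the functions; running it with a mode acts.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

`sh fw.sh dry-run` prints the commands with the real address filled in; `sh fw.sh apply` runs them through `sh -eu`, so the first iptables command that fails stops the script instead of leaving the kernel with forwarding enabled and the rest of the rules missing.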


vaat 12-21-2004 01:38 PM

Hi guys,

you should get paid for this ... :D

I am very busy at the moment to resolve some of the issues that put me to a hold in some of the oracle api's for AQ (advanced queueing) of xml messages.

I learn a lot from you guys, but will review the scripts you made tomorrow and will post if it works for me.

Thanxs again for taking the time to teach a newbie ...

vaat 02-16-2005 04:36 AM

thanxs for your help.

It has been working for a while, but any advice or comments on open ports on the server in this way?

Do you actually use the iptables directly to do all this or is there some tool ?

vaat 02-16-2005 10:02 AM

fix it ... :)

