LinuxQuestions.org
Old 12-19-2004, 12:55 PM   #1
vaat
LQ Newbie
 
Registered: Dec 2004
Posts: 5

Rep: Reputation: 0
nat routing


Hi guys,

I am pretty new to Linux, but I installed Fedora 3 on the server just now. I enabled internet connection sharing through the following statements:

modprobe ipt_MASQUERADE
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipadres"
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -P INPUT DROP
iptables -A FORWARD -i eth0 -o eth0 -j REJECT

The first line fails, but the remaining ones didn't. It all works, but if I do a speed test my server is twice as fast as the Windows XP clients. I get 930 KByte/sec at the server and 420 KByte/sec at my Windows XP client. Can I do something to speed up the internet connection at the clients ???

I have an ADSL connection from Demon.

Thanxs a lot ...
 
Old 12-19-2004, 01:34 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
You shouldn't use the MASQUERADE module unless you have a changing ip number, eg via dialup..
It takes a lot of time to check the address for each packet..

SNAT and the other modules load automatically, so stay with that..

What's the idea of the FORWARD rule?
You will find FC3 has a reverse path filter turned on already to drop those..

Try the rules like this..
Code:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipadres"
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ! eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 12-19-2004, 01:54 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Re: nat routing

these rules i'm posting are basically the same thing, i just did a little janitorial work on them...

i'm not so sure why any of this would be cutting your bandwidth in half on the clients, though...

Code:
modprobe ip_tables
modprobe ip_conntrack

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -X -t nat
iptables -X -t mangle
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress"
do you still have the same effect on the client side while using these commands??


Last edited by win32sux; 12-19-2004 at 01:58 PM.
 
Old 12-20-2004, 03:59 PM   #4
vaat
LQ Newbie
 
Registered: Dec 2004
Posts: 5

Original Poster
Rep: Reputation: 0
Re: Re: nat routing

Quote:
Originally posted by win32sux
these rules i'm posting are basically the same thing, i just did a little janitorial work on them...

i'm not so sure why any of this would be cutting your bandwidth in half on the clients, though...

Code:
modprobe ip_tables
modprobe ip_conntrack

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -X -t nat
iptables -X -t mangle
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress"
do you still have the same effect on the client side while using these commands??


I did some cleanup at the clients and managed to speed things up. Speeds are now 730 KBytes/sec, so only 200 KBytes/sec less than the connection at the server. The Firefox browser is helping me with one client to improve the speed by 200 KBytes/sec, while at the remaining clients it doesn't matter which one I use.
Can someone review the comments that I made on the statements? I just installed Linux two days ago for my very first time and am still a newbie. Are they correct ??

Can I just save this script to make it permanent by doing iptables-save -c > /etc/iptables-save

Code:
echo "1" > /proc/sys/net/ipv4/ip_forward = enables ip forwarding

iptables -F = deleting (flush) all rules in iptables chains
iptables -F -t nat = deleting all rules in nat chain
iptables -F -t mangle = deleting all rules in mangle chain
iptables -X = delete empty chain
iptables -X -t nat = delete empty chain
iptables -X -t mangle = delete empty chain
iptables -P INPUT DROP = change input chain policy to drop all packets
iptables -P OUTPUT ACCEPT = change output chain policy to accept all packets
iptables -P FORWARD DROP = change forward chain policy to drop all packets
iptables -t nat -P PREROUTING ACCEPT = change chain policy in nat table to accept all packets in the prerouting state
iptables -t nat -P POSTROUTING ACCEPT = change chain policy in nat table to accept all packets in the postrouting state

iptables -A INPUT -i lo -j ACCEPT = append rule to input chain to accept all packets at the ... lo = localhost  ??
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT = append rule to input chain: If a packet is not creating a new connection then accept the packet at all interfaces. This rule accepts packets from the outside world, but only if there is already a connection. The outside world can not send packets which are not asked for ??
iptables -A INPUT -i eth1 -m state --state NEW -j ACCEPT = append rule to input chain. This rule accepts incoming packets at interface eth1 if a packet is creating a new connection. This is the interface connected to the local area network. Computers at the LAN are creating new connections, that's why it is accepting connections at that interface.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT = append rule to forward chain. This rule forwards packets only when there is already an established connection, but forwards it in both directions.
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT = append rule to forward chain. This rule forwards packets at incoming interface eth1 to outgoing interface eth0 when the packet is creating a new connection.

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress" = append rule to nat chain. This rule forwards packets just before they go out. The rule is forwarded to the SNAT module (masquerading), which is forwarding packets to my IP address of my ISP.
So basically only my clients can connect to the internet by creating connections and sending packets to the server. No outside party can connect to my network by itself, because all packets with --state NEW are immediately dropped.

Last edited by vaat; 12-20-2004 at 04:09 PM.
 
Old 12-20-2004, 04:54 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
i think you can save it like that, but i'm not sure... what i do is i put all my rules in a shell script and then i run the script at startup... the way to do that kinda varies between distros... on slackware, which is what i use, you just save your firewall script as /etc/rc.d/rc.firewall and that's pretty much it... of course it needs to have the execute permissions set and stuff... anyways, the thing is i don't remember how red hat handles this, so i can't really say, but here's the rules i posted, except now they are in "shell script" format... i also put in a few comments and added conntrack modules for FTP and optionally IRC...

Code:
#!/bin/sh

IPT="/sbin/iptables"

# Load some modules:
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc


# Enable packet forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything and set policies:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

# Accept all input coming from myself:
$IPT -A INPUT -i lo -j ACCEPT

# Accept all input packets which belong to established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all input packets starting new connections on eth1:
$IPT -A INPUT -i eth1 -m state --state NEW -j ACCEPT

# Allow forwarding of packets belonging to established connections:
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding of packets starting new connections from eth1 out to eth0:
$IPT -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

# Change the source IP address on outgoing forwarded packets to "ipaddress":
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress"
this page has lots of good links to info on iptables:

http://www.linuxguruz.com/iptables/


Last edited by win32sux; 12-20-2004 at 05:31 PM.
 
Old 12-20-2004, 05:26 PM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
The Fedora way of saving is to use the file /etc/sysconfig/iptables

It is created using service iptables save which saves any active rules there..
So you'll need to get the rules in a state like win32sux has them (not using = as a comment start), get them loaded once, probably manually, then save them.

They are automagically loaded at boot from the /etc/rc.d/rc5.d/ directory..

Also be sure to replace "ipaddress" with the actual eth0 ip address in
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress"

As a comment, there are only a few modules which don't autoload when the rule is entered, notably ftp and irc..
Generally, loading modules without knowing what state the rules are in can be considered dangerous.. Generally loading them after the rules are in place is better policy, or at least after they are flushed, when you can be sure of their state..
Likewise the ip_forward..
 
Old 12-20-2004, 05:38 PM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
i have updated the script using peter_robb's excellent advice:

Code:
#!/bin/sh

IPT="/sbin/iptables"

# Disable packet forwarding while we get ready:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Flush everything and set policies:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

# Load some modules:
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc

# Accept all input packets coming from myself:
$IPT -A INPUT -i lo -j ACCEPT

# Accept all input packets which belong to established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all input packets starting new connections on eth1:
$IPT -A INPUT -i eth1 -m state --state NEW -j ACCEPT

# Allow forwarding of packets which belong to established connections:
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding of packets starting new connections from the LAN to the Internet:
$IPT -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

# Change the source IP address on outgoing forwarded packets to "ipaddress":
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to "ipaddress"

# Enable packet forwarding now that everything is set:
echo "1" > /proc/sys/net/ipv4/ip_forward

Last edited by win32sux; 12-20-2004 at 05:42 PM.
 
Old 12-21-2004, 08:14 AM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Ok.. that's good..

May I suggest some final polish.. (the shiny stuff)

Change "ipaddress" to a field value and specify it at the beginning of the script..
And drop the first 2 module loads..
(Actually, nat requires conntrack in order to work, but not every system will autoload from that..)
And comment out the last 2 policy lines as it's their default already..
Code:
#!/bin/sh

IPT="/sbin/iptables"

# Enter your internet interface's ip address here..
IPADDRESS="x.x.x.x"

# Disable packet forwarding while we get ready:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Flush everything and set policies:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
# $IPT -t nat -P PREROUTING ACCEPT  #this is already its default
# $IPT -t nat -P POSTROUTING ACCEPT  #this is already its default

# Load some modules:
# /sbin/modprobe ip_tables
# /sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc

# Accept all input packets coming from myself:
$IPT -A INPUT -i lo -j ACCEPT

# Accept all input packets which belong to established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all input packets starting new connections on eth1:
$IPT -A INPUT -i eth1 -m state --state NEW -j ACCEPT

# Allow forwarding of packets which belong to established connections:
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding of packets starting new connections from the LAN to the Internet:
$IPT -A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT

# Change the source IP address on outgoing forwarded packets to IPADDRESS:
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to $IPADDRESS

# Enable packet forwarding now that everything is set:
echo "1" > /proc/sys/net/ipv4/ip_forward

Last edited by peter_robb; 12-21-2004 at 08:16 AM.
 
Old 12-21-2004, 09:51 AM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
i went ahead and added a couple things, too...

Code:
#!/bin/sh

# Set the variables that will be used:
IPT="/sbin/iptables"
LAN_IFACE="eth1"
INET_IFACE="eth0"
INET_IP="x.x.x.x"

# Disable packet forwarding while we get ready:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Set some anti-crap parameters:
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Flush everything and set policies:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
# These are the defaults, but lets make sure they are set:
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

# Load some modules which we'll probably need:
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc

# Accept all input packets coming from myself:
$IPT -A INPUT -i lo -j ACCEPT

# Accept all input packets which belong to already established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all input packets starting new connections from the LAN.
# It would be a good idea to change this so that only needed traffic is allowed,
# instead of accepting everything from the LAN, even if you completely trust your LAN:
$IPT -A INPUT -i $LAN_IFACE -m state --state NEW -j ACCEPT

# Allow forwarding of packets which belong to already established connections:
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding of packets starting new connections (from the LAN to the Internet):
$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE -m state --state NEW -j ACCEPT

# Change the source IP address on outgoing forwarded packets to $INET_IP:
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP

# Enable packet forwarding now that everything is set:
echo "1" > /proc/sys/net/ipv4/ip_forward
 
Old 12-21-2004, 01:38 PM   #10
vaat
LQ Newbie
 
Registered: Dec 2004
Posts: 5

Original Poster
Rep: Reputation: 0
Hi guys,

you should get paid for this ...

I am very busy at the moment resolving some of the issues that put me on hold in some of the Oracle APIs for AQ (advanced queueing) of XML messages.

I learn a lot from you guys, but will review the scripts you made tomorrow and will post if it works for me.

Thanxs again for taking the time to teach a newbie ...
 
Old 02-16-2005, 04:36 AM   #11
vaat
LQ Newbie
 
Registered: Dec 2004
Posts: 5

Original Poster
Rep: Reputation: 0
thanxs for your help.

It has been working for a while, but any advice or comments on open ports on the server in this way ?

Do you actually use the iptables directly to do all this or is there some tool ?

Last edited by vaat; 02-16-2005 at 04:37 AM.
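The save-file form peter_robb describes in #6 and the open-ports question in #11, as an added example (not code from anyone in the thread): a POSIX sh script that renders the final ruleset from #9 in iptables-save format, the form Fedora keeps in /etc/sysconfig/iptables, and counts the INPUT rules that would accept new connections arriving on the Internet interface. The interface names are the thread's; the address 192.0.2.10 and the optional extra-rule argument are my constructions.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders the final ruleset in
# iptables-save format (what "service iptables save" writes to
# /etc/sysconfig/iptables) and audits the INPUT chain for rules that would
# accept NEW connections arriving on the Internet interface.
# 192.0.2.10 is a constructed TEST-NET-1 placeholder; use the real eth0 address.

LAN_IFACE="eth1"
INET_IFACE="eth0"
INET_IP="192.0.2.10"

# Print the ruleset in iptables-save format. The optional argument is one
# extra INPUT rule (e.g. to open a service port) appended after the LAN rule.
# iptables-restore loads the whole file atomically, so reloading leaves no
# window with ip_forward=1 and an empty FORWARD chain.
render_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IFACE -m state --state NEW -j ACCEPT
EOF
    if [ -n "$1" ]; then printf '%s\n' "$1"; fi
    cat <<EOF
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IFACE -o $INET_IFACE -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Count INPUT rules that accept something other than ESTABLISHED,RELATED
# traffic and are either unbound to an interface or bound to the Internet
# interface: each one is a port (or protocol) reachable from the outside.
# Prints the count; 0 means the server itself exposes nothing on $INET_IFACE.
count_inet_exposed_inputs() {
    render_ruleset "$1" | awk -v inet="$INET_IFACE" '
        /^-A INPUT / && / -j ACCEPT/ && !/--state ESTABLISHED,RELATED/ {
            iface = ""
            for (i = 1; i <= NF; i++) if ($i == "-i") iface = $(i + 1)
            if (iface == "" || iface == inet) n++
        }
        END { print n + 0 }'
}

# Usage (as root): write the file, check it, then load it atomically:
#   render_ruleset > /tmp/iptables.rules
#   count_inet_exposed_inputs        # 0 for the thread's ruleset
#   iptables-restore < /tmp/iptables.rules
```

Opening a port with a rule that carries no -i restriction counts as exposed; the same rule with -i eth1 does not, which is the distinction to keep in mind when answering the "open ports on the server" question.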
 
Old 02-16-2005, 10:02 AM   #12
vaat
LQ Newbie
 
Registered: Dec 2004
Posts: 5

Original Poster
Rep: Reputation: 0
fix it ...
 