LinuxQuestions.org
Old 02-23-2010, 05:49 AM   #1
tiuz
Member
 
Registered: Mar 2006
Distribution: Slackware 14
Posts: 92

Rep: Reputation: 15
Routing via iptables won't work


Hello,

I have set up a Linux box running a DHCP and DNS server for the internal LAN to work as Router/Gateway for the LAN.

The box has two network interfaces (eth0, connected to the LAN, and eth1, directly connected to the ADSL modem). The internet connection is initiated with pptp and when the connection is established it's reachable via ppp0.

I have then set up these iptables rules, but for some reason forwarding to the internal LAN won't work. I get the correct IPs and so on, but nothing comes back from the router and I have no idea why.

# EXTERNAL=eth1 directly connected to ADSL-Modem
# INTERNAL=eth0
# Internet=ppp0 after initiating the connection with pptp
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -p all -j ACCEPT
iptables -A OUTPUT -o eth0 -p all -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p all -s localhost -i ppp0 -j DROP
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT

So everything from the internet should be blocked except the connections initiated by one of the boxes on the LAN and of course the router, and everything from the internal net to the router should be accepted.

Thanks for any hints / help.

tiuz
 
Old 02-23-2010, 06:08 AM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250
iptables -A INPUT -p all -s localhost -i ppp0 -j DROP

What are you trying to do with that line?
It looks like any input that comes from localhost via the interface ppp0 is dropped.
How can that be? How can a packet be sourced from localhost but come in through ppp0? Surely in the best case that drops all packets coming in from the world.

http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html

http://www.netfilter.org/documentati...T-HOWTO-8.html

http://www.netfilter.org/documentati...O-4.html#ss4.1

Last edited by smoker; 02-23-2010 at 06:23 AM.
 
Old 02-23-2010, 08:21 AM   #3
tiuz
Member
 
Registered: Mar 2006
Distribution: Slackware 14
Posts: 92

Original Poster
Rep: Reputation: 15
> iptables -A INPUT -p all -s localhost -i ppp0 -j DROP

Taken from

http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html

Section:

Adding more security rules to your gateway:

I can't remember everything on that since it's been ages since I last set up a FW via iptables, but I guess it's something to do with "spoofing".

> What are you trying to do with that line?
> It looks like any input that comes from localhost via the interface ppp0 is dropped.
> How can that be? How can a packet be sourced from localhost but come in through ppp0? Surely in the best case that drops all packets coming in from the world.
>
> http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html
>
> http://www.netfilter.org/documentati...T-HOWTO-8.html
>
> http://www.netfilter.org/documentati...O-4.html#ss4.1

Thanks !!
 
Old 02-23-2010, 09:15 AM   #4
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250
Ok, I see now.

How about your last line:

iptables -A FORWARD -i eth0 -j ACCEPT

shouldn't there be a -o option too?

iptables -A FORWARD -o eth0 -j ACCEPT

and perhaps put both those lines before the:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

?

http://www.redhat.com/docs/manuals/e...l-ipt-fwd.html
and the page that follows it.

regards

Alan
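A corrected gateway ruleset as an added example (not tiuz's script or smoker's): it adds the return-direction FORWARD rule the thread arrives at, but stateful so only replies to LAN-initiated connections get forwarded back, and it replaces the "-s localhost -i ppp0" line with explicit anti-spoofing drops. It assumes the LAN is eth0 with the constructed prefix 192.168.1.0/24, the internet link is ppp0, and IPT points at the iptables binary (set IPT=echo or pass "preview" to print the rules without applying them).

```shell
#!/bin/sh
# Added example gateway ruleset (not the thread's own script).
# Assumptions: LAN on eth0 (constructed prefix 192.168.1.0/24), internet on
# ppp0, IPT = path to iptables. Run "sh gateway.sh preview" to print the
# rules, "sh gateway.sh apply" to install them.
IPT="${IPT:-iptables}"
LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.1.0/24   # constructed; replace with the real LAN prefix

gateway_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # The router itself: loopback, the LAN side and ICMP may talk to it,
    # plus replies to connections the router opened (they arrive on ppp0).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing, which is what "-s localhost -i ppp0" was meant to do:
    # packets from the internet must not carry a loopback or LAN source.
    # Rules are matched in order within a chain, so these come first.
    $IPT -A INPUT -i "$WAN_IF" -s 127.0.0.0/8 -j DROP
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Forwarding, both directions: LAN -> internet freely, internet -> LAN
    # only for replies to connections a LAN host opened (the missing rule).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hide the LAN behind the dynamic ppp0 address (nat table, own chains).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    preview) IPT=echo; gateway_rules ;;
    apply)   enable_forwarding; gateway_rules ;;
esac
```

Without ip_forward set to 1 the FORWARD chain is never consulted, so the apply path enables it before loading the rules.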
 
Old 02-23-2010, 02:21 PM   #5
tiuz
Member
 
Registered: Mar 2006
Distribution: Slackware 14
Posts: 92

Original Poster
Rep: Reputation: 15
Ahh YES ! That was the trick :-)

Thanks very much !!

Perhaps I should save the config file this time :-)
 
Old 02-23-2010, 05:27 PM   #6
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250
No worries,

please understand I am learning just as much as you are here.
I am no guru, but I like a nice problem.
Luckily I have the time to find these things out at the moment.

I'm as pleased as you are.

Glad I could help.

regards

Alan

ps. did you put those lines before the masquerade line in the end ?

Last edited by smoker; 02-23-2010 at 05:35 PM.
 
  

