LinuxQuestions.org
Old 03-28-2004, 08:54 AM   #1
MarcSant
LQ Newbie
 
Registered: Mar 2004
Location: Sao Caetano do Sul Brazil
Distribution: Fedora Core 4
Posts: 29

Rep: Reputation: 15
Squid + Iptables + Outlook 2, The mission


Ok, Let's try again...

I found a distro that is really cool, based on Knoppix, which is based on Debian: Kurumin Linux.

I loved apt-get and dpkg; they are really cool...

Well, this is my problem (again):

The Knoppix box is installed on the hard disk, and I have 2 interfaces:

eth0 - connected to ISP (that brings up ppp0 interface)
eth1 - connected to local lan with ip 192.168.0.10/24

The Windows XP box is 192.168.0.1/24

I installed the latest iptables, squid and bind (named). The XP box can browse the Internet via port 3128. Much faster than the previous solution: Wingate + Win2000 Server.

The XP box can resolve DNS addresses on the Internet via the DNS in the Linux box.

The Linux box can connect to the Internet and access ports 25 and 110.

The Windows XP box can't connect to any mail server from the ISP: it can resolve the SMTP server address but can't connect.

My question is: do I need to modify squid, iptables, or what?

Any help (again) is very welcome!

MarcSant.

Here is a copy of the script that loads iptables on startup:


#!/bin/bash
# Firewall Script by: Carlos E. Morimotto
# www.guiadoharware.net

firewall_start(){

# open access for local lan
iptables -A INPUT -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT

# drop pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Protect for trojans, DOS, and others stupid things
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
iptables -A FORWARD -m unclean -j DROP

# open loopback interface
iptables -A INPUT -p tcp --syn -s 127.0.0.1/255.0.0.0 -j ACCEPT

# drop all other stuff
iptables -A INPUT -p tcp --syn -j DROP

# user message
echo "Starting Firewall..."
sleep 2
echo "OK."

}
firewall_stop(){
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}

case "$1" in
"start")
firewall_start
;;
"stop")
firewall_stop
echo "Stopping Firewall..."
sleep 2
echo "OK."
;;
"restart")
echo "Stopping Firewall..."
sleep 1
echo "OK."
firewall_stop; firewall_start
;;
*)
iptables -L -n
esac
 
Old 03-28-2004, 09:15 AM   #2
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
In your firewall_start() routine, you need:

iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

to forward all packets from the LAN to the Internet, including to your ISP's SMTP server.

Also, I noticed that you aren't using NAT masquerading. But, if you're interested, the line is:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
Old 03-28-2004, 09:30 AM   #3
MarcSant
LQ Newbie
 
Registered: Mar 2004
Location: Sao Caetano do Sul Brazil
Distribution: Fedora Core 4
Posts: 29

Original Poster
Rep: Reputation: 15
Well... Great... I will try this.

And what is masquerading? What are the pros and cons?

Tks!

MarcSant.
 
Old 03-28-2004, 09:41 AM   #4
MarcSant
LQ Newbie
 
Registered: Mar 2004
Location: Sao Caetano do Sul Brazil
Distribution: Fedora Core 4
Posts: 29

Original Poster
Rep: Reputation: 15
Hi spurious,

I put these lines in my script, below these lines:

# open local lan
iptables -A INPUT -p tcp --syn -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

But it doesn't work yet.

Is there another place to put them?

Tks for the help!

MarcSant.

Quote:
Originally posted by spurious
In your firewall_start() routine, you need:

iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

to forward all packets from the LAN to the Internet, including to your ISP's SMTP server.

Also, I noticed that you aren't using NAT masquerading. But, if you're interested, the line is:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
Old 03-28-2004, 02:22 PM   #5
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
Quote:
And what is masquerading? What are the pros and cons?
Your post didn't mention that you were having problems connecting to the Internet from your Windows workstations, so I assumed that you had that working, especially since you wrote that your Linux box was working as a squid proxy and dns server.

Network Address Translation (NAT) is also known as "IP Masquerading". It is the method that your three computers use to do "Internet Sharing". Most residential Internet Service Providers assign only one IP address per household. So, your Linux box, being the one connected to the Internet, is ready to go.

However, if you want your Windows boxes to connect and surf the Internet, the Linux box has to route the IP packets and translate the internal 192.168.xx.xx addresses from your home LAN to the single IP address linking you to the Internet. This is "network address translation", or "IP masquerading".

Since your Windows box was surfing the web via your squid proxy, you didn't notice that it was failing to actually connect to the Internet. Your proxy solution is more secure than masquerading, since your Windows boxes aren't directly connecting to the Internet. However, if you want to send and receive e-mail on your Windows box, you will have to operate an e-mail server (such as Postfix) on your Linux box to fetch and send e-mail from your LAN to your ISP's SMTP server. I can't offer any advice on this since I don't run an e-mail server.

So, if you want to IP Masquerade, in addition to the lines I posted earlier, you also need:

/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

to enable IP packet forwarding from eth0 to eth1 in your Linux box. I posted an IPTABLES script in this thread here. It's much simpler than yours, so adapt what you need. Also, read the online Linux Network Administrator's Guide, linked in my .sig.

Last edited by spurious; 03-28-2004 at 02:25 PM.
 
Old 03-28-2004, 04:12 PM   #6
MarcSant
LQ Newbie
 
Registered: Mar 2004
Location: Sao Caetano do Sul Brazil
Distribution: Fedora Core 4
Posts: 29

Original Poster
Rep: Reputation: 15
Masquerading = NAT.

OK, NAT I understand. In Windows 2000, I used ISA Server 2000, where the rules are much easier to implement... but it is very expensive for the Brazilian reality. Because of this, at a great number of customers I try to put Linux, which is much faster and requires much less hardware. And it is much cheaper too...

My XP boxes connect to the Internet and browse web pages without any problem. The only problem is sending and receiving e-mails.

I don't need sendmail or postfix; the main idea is that the XP boxes send mail through the firewall.

Well, I will try the line that you showed me. And read the docs....

Anyway, Tks for your help ;-)

MarcSant.
 
Old 03-29-2004, 06:58 PM   #7
MarcSant
LQ Newbie
 
Registered: Mar 2004
Location: Sao Caetano do Sul Brazil
Distribution: Fedora Core 4
Posts: 29

Original Poster
Rep: Reputation: 15
Well, I found the way to permit my Windows XP boxes to access the Internet.

I put this line in the script:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -o ppp0 -j MASQUERADE

This says:

do NAT and allow all packets from the local LAN to any IP using interface ppp0

I installed named (did I say it before?) and adjusted resolv.conf and the default gateway.

That is it. All Windows XP boxes are browsing the Internet, opening e-mail and using messenger clients.

All access to ports from outside the local LAN (Internet) is stealth.

Incredible... This solution is running on a K6-II 550 processor with 128MB RAM. The cost of this hardware is less than US$250 here in Brazil. In the USA, it is probably even lower than this. (20GB hard disk, CD-ROM drive, 1.44 floppy drive, two LAN adapters, VGA card with 32MB).

I put on this:

named
squid
iptables
samba

And the CPU usage for 10 client machines is almost all of the time at 90% idle.

NEVER will I put these services on a Windows machine with this hardware.

Well, I want to THANK all the people that have helped me with this issue.

And if I can help anyone here (I admit that it is a little difficult, but...) I will help.

Once more, many thanks to the nice people that write (and read) here.

MarcSant.
 
Old 03-29-2004, 10:02 PM   #8
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
Congratulations on your setup.
 
Old 03-30-2004, 07:42 AM   #9
MarcSant
LQ Newbie
 
Registered: Mar 2004
Location: Sao Caetano do Sul Brazil
Distribution: Fedora Core 4
Posts: 29

Original Poster
Rep: Reputation: 15
Thanks!

Well, I guess that I have forgotten something...

I can connect to any FTP server and input the password, but when the FTP server is retrieving the directory contents... the FTP client stops and shows a message that the directory list cannot be retrieved.

This occurs for any FTP server. If I connect an XP box directly to the cable modem, I can connect to the FTP server and retrieve the directory list.

Any idea?

MarcSant.
 