LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Why doesn't my distro 9.0 setup work for the 13.1 distro (http://www.linuxquestions.org/questions/linux-networking-3/why-doesnt-my-distro-9-0-setup-work-for-the-13-1-distro-830568/)

OldBikerPete 09-06-2010 05:10 AM

Why doesn't my distro 9.0 setup work for the 13.1 distro
 
I have a linux box set up as a multi-purpose server for my home with three Windows client PC's. The linux box is based on a slightly modified Slackware 9.0 distribution using Linux 2.4.20 and an unfortinately old, slow AMD processor with a miserable 512Kb RAM. The linux box serves the CIFS file system to the Windows boxes, runs the SQUID HTTP proxy, the Apache web server, a print server, does masquerading, mail serving and a very effective firewall using iptables.

This system, although slow, has run perfectly for several years.

Let me say that again - This system works perfectly.

I had decided that now is the time to upgrade the hardware, so I bought a Gigabyte LGA775 motherboard which has two 1Gb network interfaces on it, an ASUS 256Mb PCI-E display card, 2Gb of DDR3 RAM, an Intel Core2-Quad processor and a bunch of 500Gb SATA drives to set up a RAID5 array (but I intend that the system boot off one of several 40Gb PATA drives I have).
I set up the processor, motherboard, display card, RAM, a SATA DVD Drive and a 40Gb PATA hard disk in a "breadboard" layout and installed distro 13.1, being careful to set up the static IP for the local network, dhcpcd to get an IP address from the cable modem (my internet connection) and to enable ip_forward in the network configuration.
Then I installed a script invoked by /etc/rc.d/rc.local which installed all the SAME iptables rules as my old Linux box. There was one minor glitch when I had to change 8 occurrences of "-d ! $LOCAL_NET to"
"! --destination $LOCAL_NET" but that was no problem. I also set up /etc/resolv.conf, /etc/hosts , the BIND server files etc. etc. exactly as in the old box.
I am able to ping mirror.aarnet.edu.au (this is at the heart of Australia's internet hub network - if it's down the whole bloody thing is down) and have the system find the correct IP from the designated nameservers and contact that server with a return trip time of 35ms. I am able to run a telnet session from one of the Windows boxes and edit files on the Linux server. So both network interfaces work and I've got them the right way around.
I am able to run FTP on one of the Windows boxes and connect through to mirror.aarnet.edu.au, although it seems to hang when I try a DIR (but then so does the old linux system).

BUT

No web browser can get a message from a Windows box through the new linux setup out to the outside world. I have done a fair amount of logging in iptables and the http packets on port 80 are being redirected to port 3128 HOWEVER, squid reports back that page "/" cannot be opened (it seems that the URL is not being passed across to squid). iptables does NOT report that any packets are outgoing during this exchange. If I comment out the REDIRECT instructions to iptables and re-run the script, then again try a web browser on one of the Windows boxes, Windows pops up a connection diagnostic, reporting that the (unspecified) page cannot be found.

Before you ask, yes, I have checked that /proc/sys/net/ipv4/ip_forward is set to 1.


Why is this so. Or in other words, HELP.

Peter.

OldBikerPete 09-09-2010 12:13 AM

BUMP
 
No ideas on this?

John VV 09-09-2010 04:48 AM

Quote:

Why doesn't my distro 9.0 setup work for the 13.1 distro
are you kidding ???
you are expecting settings and config files to work on a 4 versions newer OS
??? would you expect windows ME/2000 settings to work on win 7 ???

reset them back to the default and use the slack 13 tools to set the network connections and iptable rules
and aliases

OldBikerPete 09-09-2010 04:59 AM

Half-arsed reply.
 
Quote:

Originally Posted by John VV (Post 4092292)
are you kidding ???
you are expecting settings and config files to work on a 4 versions newer OS
??? would you expect windows ME/2000 settings to work on win 7 ???

Not hardly - as if I would expect it to be that simple.
Quote:

reset them back to the default and use the slack 13 tools to set the network connections and iptable rules
and aliases
Obviously you didn't read my post closely enough. I have set up two (different) ethernet NICs dhcpd, named, dhcpcd, inetd and they all work correctly. They would have to be working correctly for the FTP and telnet sessions I describe to work as described.

BTW I'm not now and never have run X.

IPTABLES and ip_forwarding are the functions not working. There are no clues in the relevant man pages as to why the newer version should behave differently to the old version. Over to you, lets see what you've got.

jschiwal 09-09-2010 05:34 AM

The location of ip_forwarding may have changed in your latest kernel. Several kernel modules that netfilter uses have different names. E.G. tc_conntrack is now nf_conntrack. An old firewall script may load modules by their old name. There may be other differences. In the latest version of ssh, you need to indicate the location of authorized_hosts with %h/.ssh/authorized_hosts instead of .ssh/authorized_hosts in /etc/ssh/sshd_config.
Code:

example of enabling ipv6 forwarding:
# enable IPv6 forwarding
#net.ipv6.conf.all.forwarding = 1

don't know but is net.ipv4.ip_forward depreciated?  What happens if net.ipv4.conf.all.forwarding=0 and net.ipv4.ip_forward=1?
/proc/sys/net/ipv4/conf/all/forwarding
/proc/sys/net/ipv4/conf/all/mc_forwarding
/proc/sys/net/ipv4/conf/default/forwarding
/proc/sys/net/ipv4/conf/default/mc_forwarding
...
/proc/sys/net/ipv4/ip_forward

Some configuration files may have moved into directories, instead of a single configuration file. This has been happening for quite some time for services and scripts like logrotate, xinetd, udev, and now even xorg.conf and profile. These directories tend to end with ".d". Software packages will drop a file in these directories instead of editing the existing global script. Your old configurations may exist in a script while a conflicting script exists in a directory.

One such directory on OpenSUSE is /etc/sysconfig/SuSEfirewall2.d/services/. I'm not running Slackware, but they may have adopted the same strategy.

For the services where you have problems, configure them from scratch using your distro's current tools if needed.

You may want to read the release notes for each newer version of Slackware. I found out about "%h" in sshd_config by reading a release note. Before that I couldn't ssh pubkey authentication working copying my old config sshd_config after upgrading.

OldBikerPete 09-09-2010 06:08 AM

Thanks for your helpful rely.
 
Quote:

Originally Posted by jschiwal (Post 4092325)
The location of ip_forwarding may have changed in your latest kernel. Several kernel modules that netfilter uses have different names. E.G. tc_conntrack is now nf_conntrack. An old firewall script may load modules by their old name. There may be other differences. In the latest version of ssh, you need to indicate the location of authorized_hosts with %h/.ssh/authorized_hosts instead of .ssh/authorized_hosts in /etc/ssh/sshd_config.
Code:

example of enabling ipv6 forwarding:
# enable IPv6 forwarding
#net.ipv6.conf.all.forwarding = 1

don't know but is net.ipv4.ip_forward depreciated?  What happens if net.ipv4.conf.all.forwarding=0 and net.ipv4.ip_forward=1?
/proc/sys/net/ipv4/conf/all/forwarding
/proc/sys/net/ipv4/conf/all/mc_forwarding
/proc/sys/net/ipv4/conf/default/forwarding
/proc/sys/net/ipv4/conf/default/mc_forwarding
...
/proc/sys/net/ipv4/ip_forward

Some configuration files may have moved into directories, instead of a single configuration file. This has been happening for quite some time for services and scripts like logrotate, xinetd, udev, and now even xorg.conf and profile. These directories tend to end with ".d". Software packages will drop a file in these directories instead of editing the existing global script. Your old configurations may exist in a script while a conflicting script exists in a directory.

One such directory on OpenSUSE is /etc/sysconfig/SuSEfirewall2.d/services/. I'm not running Slackware, but they may have adopted the same strategy.

For the services where you have problems, configure them from scratch using your distro's current tools if needed.

You may want to read the release notes for each newer version of Slackware. I found out about "%h" in sshd_config by reading a release note. Before that I couldn't ssh pubkey authentication working copying my old config sshd_config after upgrading.

I was under the initial impression that this board dealt with Slackware distributions only and accordingly left out that I am upgrading from Slackware 9.0 with Linux 2.4.20 to 13.1 using Linux 2.6.33.4 and the install DVD.
My method of upgrading is to install the entire default distibution (including the Huge-smp kernel precompiled and supplied with this distro)then get each of the functions I need running and tested one by one. Only if I find something missed out in the supplied kernel or I get everything I want working will I compile a kernel - and even then I will use one of the generic .config files supplied as a jumping-off point.
That being my workflow, I choose to disable as many options as possible during the scripted install and then enable them as I need them and only after reading any scripts and man pages involved.
Accordingly, I read through the /etc/rc.d/rc.ip_forwarding script and it sets the /proc/sys/net/ipv4/ip_forwarding flag. I don't recall enabling ipv6 at all (nor sshd or most of the other functions you mentioned).

Will things not work now if ipv6 and the relevant forwarding are not enabled?

jschiwal 09-09-2010 09:59 AM

I didn't mean to imply that you needed to enable ipv6. Only that I hadn't noticed "/proc/sys/net/ipv4/conf/all/forwarding" before.
The ssh difference was just an example of differences you can run into when copying old config files. It was an example I learned from experience after copying my old sshd_config file. When I read the release notes, I discovered the problem.

If your problem is with ip_tables, then print out your ip_tables rules. Read through your firewall script. There may be some kernel modules loaded at the start of the script. Make sure that those modules still exist, and haven't been renamed in the newest kernel release.

IMHO, you may not have a problem with ip_tables. Check the squid configuration and setup.

Did you run Squid "squid -z" to create the cache store directories?

OldBikerPete 09-10-2010 12:20 AM

Quote:

Originally Posted by jschiwal (Post 4092538)
I didn't mean to imply that you needed to enable ipv6. Only that I hadn't noticed "/proc/sys/net/ipv4/conf/all/forwarding" before.
The ssh difference was just an example of differences you can run into when copying old config files. It was an example I learned from experience after copying my old sshd_config file. When I read the release notes, I discovered the problem.

If your problem is with ip_tables, then print out your ip_tables rules. Read through your firewall script. There may be some kernel modules loaded at the start of the script. Make sure that those modules still exist, and haven't been renamed in the newest kernel release.

IMHO, you may not have a problem with ip_tables. Check the squid configuration and setup.

Did you run Squid "squid -z" to create the cache store directories?

Thank you for your helpful reply. _I_ wrote my iptables and firewall scripts and have now checked which modules named in it are available in the default Slackware 13.1 distro. They are all there except iptables_filter, iptables_mangle and iptables_nat. I will read through the appropriate .config script to ensure that these have been compiled embedded as I expect they will.
And yes, I have done squid -z. Much use of the iptables LOG facility has revealed that packets from a web browser on on XP client machine are being redirected to port 3128 and that squid does send the admin page to that browser reporting that the page "/" cannot be found. I deduce that the URL is not being passed correctly to squid. I have also tried removing the REDIRECT commands from the iptables script which, as you know, bypasses squid since port 80 packets should then be forwarded straight through. That produces the web browser's admin page saying that the URL cannot be found.
If you like, I will find a way to post my iptables script here for you to look at.

jschiwal 09-14-2010 07:57 PM

Probably any module you used before that had IP_ in the name now uses NF instead, with versions for IPv4 and IPv6.
Code:

CONFIG_IP_NF_FILTER=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PROTO_DCCP=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_PROTO_UDPLITE=m
CONFIG_NF_NAT_PROTO_SCTP=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_NAT_SIP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_NET_ACT_NAT=m
CONFIG_BT_BNEP_MC_FILTER=y
CONFIG_BT_BNEP_PROTO_FILTER=y
CONFIG_NATIONAL_PHY=m
CONFIG_NATSEMI=m
CONFIG_PPP_FILTER=y
CONFIG_IPPP_FILTER=y


OldBikerPete 09-15-2010 12:06 AM

Thank you for that list jschiwal.
All now works.
I commented out the instruction which redirected forwarded port 80 packets to port 3128 for SQUID - cutting squid out of the equation. I also did a 'chmod a-x /etc/rc.d/rc.squid'. Then I concentrated on debugging and editing the iptables script.
I don't know what the exact problem was as I finished up doing a semi-redesign of the whole script and eventually, it worked.
I then re-enabled the redirection which supports squid and experimented with squid. I did not realise that squid-3.1.4 is an experimental version but when I did I downloaded squid-3.0.STABLE11, configured and tried to compile it - no luck. I kept getting simple syntax errors (such as a 'const char*' variable requiring a cast to 'char*' in a function call) so I dug out my previusly-working squid-2.3.STABLE4 and installed that and that now works. Sorting out later version problems can wait until I get the meat of the upgrade done.

Gratefully, Peter.

Here's my iptables script.
Quote:

#!/bin/bash
#
# firewall.cable
#
# New version to use iptables instead of ipchains
# Cable modem connected to interface eth3 and assigned default route/gateway
# LAN connected to device eth2 192.168.0.0/24
# dialin lines on devices ppp0 192.168.2.0/24
#
IPTABLES="/usr/local/sbin/iptables"
LOG_LEVEL="--log-level 6"
FILE_SERVER=192.168.0.16 # Static IP of local network NIC.
CABLE_IFACE=eth3
LAN_IFACE=eth2
DIALIN_IFACE=ppp0
LOCAL_NET=192.168.0.0/24
LOCAL_BCAST=192.168.0.255
DIALIN_NET=192.168.2.0/24
DIALIN_BCAST=192.168.2.255
NON_INTERNET=192.168.0.0/22
NON_INTERNET_BCAST=192.168.3.255
TO_INTERNET=" ! --destination $NON_INTERNET"
FROM_INTERNET=" ! --source $NON_INTERNET"
INTERNET=" ! $NON_INTERNET"
SUPPORT_SQUID=yes #Comment this out to disable SQUID support
#
# Get dynamic IP of cable NIC
CABLE_MODEM=`ifconfig $CABLE_IFACE | grep inet | awk '{ print $2 }' | sed --expression=s/addr://`
#
PROXY_SERVER=$FILE_SERVER
NAME_SERVER=$FILE_SERVER
SMTP_SERVER=$FILE_SERVER
DHCP_SERVER=$FILE_SERVER
HTTP_SERVER=$FILE_SERVER
POP3_SERVER=$FILE_SERVER
SMTP_SERVER=$FILE_SERVER
LPD_SERVER=$FILE_SERVER
#
# this is a temporary patch
MORE_CHECKING=ACCEPT
# Ensure dependencies are current for loading modules
/sbin/depmod -A
#
# Required modules
/sbin/modprobe ip_tables # tick
/sbin/modprobe ip_conntrack # tick
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG # tick
/sbin/modprobe ipt_limit # tick
/sbin/modprobe ipt_state # tick
#
# Non-required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#
# First, add to the log of internet usage
#echo >firewall.log
#date >>firewall.log
#$IPTABLES -L -v >>firewall.log
#echo '================ Finish ==================' >>firewall.log
#echo >>firewall.log
#
# Flush out all rules, set default policies
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT DROP
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
#
############################################################################################
#
# Trouble-shooting & debugging
if test "$1" == "debug"; then
echo "netfilter and iptables operating in debugging mode"
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p udp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p tcp -j LOG $LOG_LEVEL
#
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -p udp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -p tcp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A OUTPUT -o $LAN_IFACE -p udp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A OUTPUT -o $LAN_IFACE -p tcp -j LOG $LOG_LEVEL
fi
#
#############################################################################################
#
# Accept any inputs from trusted sites
# These are Telstra's nameservers
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 144.140.70.30 -j ACCEPT #
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 144.140.71.16 -j ACCEPT #
# $IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 72.20.34.145 -j ACCEPT # uTorrent
#
############################################################################################
#
# Quietly block accesses from certain sources
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 192.168.0.0/16 -j DROP # these are private network address blocks
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 10.0.0.0/8 -j DROP # these are private network address blocks
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 66.70.20.61 -j DROP # www.fassia.net
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 65.60.37.116 -j DROP # www.fmn-media.com
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 216.242.75.52 -j DROP #
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 203.14.168.3 -j DROP # iinet.net.au
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 203.59.24.3 -j DROP # nameserver iinet.net.au
#
############################################################################################
#
# Quietly block some broadcast signals
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --source-port 65535 -j DROP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --source-port 65535 -j DROP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --dport 65535 -j DROP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 65535 -j DROP
#
############################################################################################
#
# Quietly block NETBIOS and SMB packets incoming over the internet
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --dport 135:139 -j DROP #NETBIOS over IP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 135:139 -j DROP #NETBIOS over IP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --source-port 135:139 -j DROP #
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --source-port 135:139 -j DROP #
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 445 -j DROP #SMB over IP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --source-port 445 -j DROP #
#
############################################################################################
#
# Create a rule quietly denying access from banned sites
#
#/etc/rc.d/bpalogin/firewall.Banned
#
# Input rules
#
# Allow incoming SYN packets (connect attempts) on ports #20 & #21 (FTP)
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 20 --syn -j $MORE_CHECKING
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 21 --syn -j $MORE_CHECKING
# Allow incoming SYN packets on mail port #25 (SMTP)
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 25 --syn -j $MORE_CHECKING
# Allow incoming SYN packets on web port #80 (HTTP)
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 80 --syn -j $MORE_CHECKING
#
###########################################################################################
#
# DROP and log all other attempts to login from the internet (SYN packets)
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --syn -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --syn -j DROP
#
# DROP and log orphan fragments (because large packets are reassembled by the interface)
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -f -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -f -j DROP
#
# DROP and log FINGER attempts from internet
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 79 -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 79 -j DROP
#
# DROP and log PING attempts from internet
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --dport 7 -j LOG $LOG_LEVEL
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --dport 7 -j DROP
#
############################################################################################
#
# Enable internal transfers
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
#
# Allow input related to established outgoing connections
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
#
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --dport 7 -j $MORE_CHECKING # PING
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 20 -j $MORE_CHECKING # FTP
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 21 -j $MORE_CHECKING # FTP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 25 -j $MORE_CHECKING # SMTP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 25 -j $MORE_CHECKING # SMTP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 37 -j $MORE_CHECKING # TIME
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 37 -j $MORE_CHECKING # TIME
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 42 -j $MORE_CHECKING # DNS
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 42 -j $MORE_CHECKING # DNS
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 53 -j $MORE_CHECKING # DNS
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 53 -j $MORE_CHECKING # DNS
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 67 -j $MORE_CHECKING # DHCP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 67 -j $MORE_CHECKING # DHCP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 68 -j $MORE_CHECKING # DHCP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 68 -j $MORE_CHECKING # DHCP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 80 -j $MORE_CHECKING # HTTP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 80 -j $MORE_CHECKING # HTTP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 110 -j $MORE_CHECKING # POP3
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 110 -j $MORE_CHECKING # POP3
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 443 -j $MORE_CHECKING # HTTPS
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 443 -j $MORE_CHECKING # HTTPS
# Because we are using NAT, many wierd port destinations from the
# internet will have to be acceptable
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 1024:65534 -j $MORE_CHECKING # NAT replies
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 1024:65534 -j $MORE_CHECKING # NAT replies
#
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -j LOG $LOG_LEVEL # log all other internet packets.
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -j DROP # and then drop them
#
#----------------------------------------------------------------------------
# Input rules for Local network
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -p udp -d 255.255.255.255 --dport 67 -j ACCEPT # DHCP client b/cast
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -s $LOCAL_NET $TO_INTERNET -j ACCEPT
#
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -s $LOCAL_NET -j LOG $LOG_LEVEL # Log all packets that don't fit the above
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -s $LOCAL_NET -j DROP # and then drop them
#
# Input rules for dialin cients
# Log and DROP orphan fragments (because large packets are reassembled by the interface)
$IPTABLES -t filter -A INPUT -f -i $DIALIN_IFACE -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -f -i $DIALIN_IFACE -j DROP
#
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp $TO_INTERNET --dport 0:65534 -j ACCEPT # ?
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp $TO_INTERNET --dport 0:65534 -j ACCEPT # ?
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -p tcp -s $DIALIN_NET --source-port 3 -d $FILE_SERVER --dport 3 -j ACCEPT # gateway p'col
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -p udp -s $DIALIN_NET --source-port 3 -d $FILE_SERVER --dport 3 -j ACCEPT # gateway p'col
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -p tcp -s $DIALIN_NET --source-port 3 -d $DIALIN_NET --dport 3 -j ACCEPT # gateway p'col
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -p udp -s $DIALIN_NET --source-port 3 -d $DIALIN_NET --dport 3 -j ACCEPT # gateway p'col
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $SMTP_SERVER --dport 25 -j ACCEPT # SMTP mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $SMTP_SERVER --dport 25 -j ACCEPT # SMTP mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_NET --dport 25 -j ACCEPT # SMTP mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_NET --dport 25 -j ACCEPT # SMTP mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $NAME_SERVER --dport 42 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $NAME_SERVER --dport 42 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_NET --dport 42 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_NET --dport 42 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $NAME_SERVER --dport 53 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $NAME_SERVER --dport 53 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_NET --dport 53 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_NET --dport 53 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d 255.255.255.255 --dport 67 -j ACCEPT # DHCP client b/cast
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 67 -j ACCEPT # bootps
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 67 -j ACCEPT # bootps
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 68 -j ACCEPT # bootpc
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 68 -j ACCEPT # bootpc
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $HTTP_SERVER --dport 80 -j ACCEPT # www
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $HTTP_SERVER --dport 80 -j ACCEPT # www
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $POP3_SERVER --dport 110 -j ACCEPT # POP3 mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $POP3_SERVER --dport 110 -j ACCEPT # POP3 mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $POP3_SERVER --dport 113 -j ACCEPT # TAP auth
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_BCAST --dport 137 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_BCAST --dport 137 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 137 -j ACCEPT # netbios-ns
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 137 -j ACCEPT # netbios-ns
#$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $LOCAL_BCAST --dport 137 -j ACCEPT # netbios-ns
#$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $LOCAL_BCAST --dport 137 -j ACCEPT # netbios-ns
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_BCAST --dport 138 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_BCAST --dport 138 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 138 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 138 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_BCAST --dport 139 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_BCAST --dport 139 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 139 -j ACCEPT # netbios-ssn
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 139 -j ACCEPT # netbios-ssn
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 445 -j ACCEPT # netbios-ssn
#
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 3128 -j ACCEPT # squid ?
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 3128 -j ACCEPT # ?
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_NET --dport 3128 -j ACCEPT # squid ?
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_NET --dport 3128 -j ACCEPT # ?

#
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -j LOG $LOG_LEVEL # Log all packets that don't fit the above
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -j DROP # and then drop them
#
###############################################################################
#
# NAT rules
if test "$SUPPORT_SQUID" != "" && test "$1" != "nosquid" && test "$2" != "nosquid"; then
echo "Redirection support for the SQUID web proxy is enabled"
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LOCAL_NET -p udp --dport 80 -j REDIRECT --to-ports 3128 # Squid proxy redir
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LOCAL_NET -p tcp --dport 80 -j REDIRECT --to-ports 3128 # Squid proxy redir
$IPTABLES -t nat -A PREROUTING -i $DIALIN_IFACE -s $DIALIN_NET -p udp --dport 80 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -i $DIALIN_IFACE -s $DIALIN_NET -p tcp --dport 80 -j REDIRECT --to-ports 3128
fi
$IPTABLES -t nat -A POSTROUTING -o $CABLE_IFACE -j SNAT --to-source $CABLE_MODEM
#
###############################################################################
#
# forwarding rules
# Forward incoming packets related to established outgoing connections
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE -o $LAN_IFACE -d $LOCAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -o $CABLE_IFACE -s $LOCAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE -o $DIALIN_IFACE -d $DIALIN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -o $CABLE_IFACE -s $DIALIN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow specific traffic through and quietly dispose of the rest
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -s $DIALIN_NET -d $LOCAL_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -s $DIALIN_NET -d $DIALIN_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -s $DIALIN_NET $TO_INTERNET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -s $DIALIN_NET -j LOG $LOG_LEVEL
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -s $DIALIN_NET -j DROP
#
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -s $LOCAL_NET -d $DIALIN_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -s $LOCAL_NET $TO_INTERNET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -s $LOCAL_NET -j LOG $LOG_LEVEL
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -s $LOCAL_NET -j DROP
#
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE $FROM_INTERNET -d $CABLE_MODEM -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE $FROM_INTERNET -d $DIALIN_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE $FROM_INTERNET -d $LOCAL_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE -j LOG $LOG_LEVEL # Log all bad candidates for forwarding
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE -j DROP # and then drop them
#
###############################################################################
#
# Output rules
$IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
#
# DROP but don't log output attempts by local CIFS system
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p tcp --dport 135:139 -j DROP
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p udp --dport 135:139 -j DROP
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p tcp --dport 445 -j DROP
# DROP but don't log output attempts by local DHCP system
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p tcp --dport 67:68 -j DROP
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p udp --dport 67:68 -j DROP
#
# Log all outgoing packets for debugging
#$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -j LOG $LOG_LEVEL
#
$IPTABLES -t filter -A OUTPUT -o $LAN_IFACE -p udp -d 255.255.255.255 --dport 68 -j ACCEPT # allow local BOOTP/DHCP Replies
$IPTABLES -t filter -A OUTPUT -o $LAN_IFACE -d $LOCAL_NET -j ACCEPT # allow all local traffic
$IPTABLES -t filter -A OUTPUT -o $DIALIN_IFACE -d $DIALIN_NET -j ACCEPT # allow all dial-in traffic
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE $TO_INTERNET -j ACCEPT # allow all outgoing access to internet
$IPTABLES -t filter -A OUTPUT -j LOG $LOG_LEVEL # Log all packets that don't fit the above
$IPTABLES -t filter -A OUTPUT -j DROP # and then drop them.
#
# Construct a list of firewall rules.
/etc/rc.d/bpalogin/createList.sh &
# Done!



All times are GMT -5. The time now is 06:18 PM.