LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
LinkBack Search this Thread
Old 07-08-2004, 03:35 AM   #1
Rhapsodic
LQ Newbie
 
Registered: Oct 2002
Location: Kelowna, BC, Canada
Distribution: RedHat 8.0
Posts: 7

Rep: Reputation: 0
Question XP Box won't connect to internet thru RH9 Box (firewall/dhcpd), it can only ping fire


Hello,

I have a dual nic Linux Box (RH9) that I setup (or tried to) to be a firewall/dhcpd server.
Everything seem to start up properly (no error messages)

eth0 = card connected to lan (ip 192.168.0.0) sub 255.255.255.0

eth1 = card connected to internet..

so i only have xp box connected to the lan, i'm trying to get it connected to the net through my firewall, but is doesn't connect.. only connects to the firewall it seems..

Do I absoultely have to setup an iptables/NAT? or that just a popular way of doing things?
-It looks incredibly complicated...

::my dhcpd.conf file::

ddns-update-style interim;
ignore client-updates;

subnet 192.168.0.0 netmask 255.255.255.0 {

# --- default gateway
option routers 192.168.0.1;
# option subnet-mask 255.255.255.0;
# option nis-domain "domain.org";
option domain-name "bc.hsia.telus.net";
option domain-name-servers 209.53.4.130;

option time-offset -18000; # Eastern Standard Time
# option ntp-servers 192.168.1.100;
# option netbios-name-servers 192.168.1.100;

# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;

range dynamic-bootp 192.168.0.32 192.168.0.99;
default-lease-time 21600;
max-lease-time 46400;
option ip-forwarding on;

# we want the nameserver to appear at a fixed address
# host ns {
# next-server marvin.redhat.com;
# hardware ethernet 12:34:56:78:AB:CD;
# fixed-address 207.175.42.254;
# }

}
 
Old 07-08-2004, 02:38 PM   #2
otisthegbs
Member
 
Registered: May 2003
Location: Vancouver
Distribution: RH9
Posts: 100

Rep: Reputation: 15
Well if you can ping your firewall your half way there

1.) yes you have to use nat and iptables, how else can you call it a "firewall"?
2.) NAT stands for Network address translation it routes ip and stuff all over the place

your script for simple stuff is real easy

just copy and paste the stuff below into a file and give it a
chmod +x (filename)
then execute it

#!/bin/sh
# simple firewall made by otis cause this dude needed one
EXTIF = eth1
INTIF = eth0
IPADDR = `ifconfig eth1 | fgrep -i inet | cut -d : -f 2 | cut -d \ -f 1`
IPTABLES = /sbin/iptables
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -F
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTALBES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p TCP -m state --state INVALID -j DROP


and thats it! oh btw, its very insecure but it'll route
 
Old 07-09-2004, 12:33 AM   #3
myboysherman
LQ Newbie
 
Registered: Sep 2003
Distribution: Slackware
Posts: 18

Rep: Reputation: 0
I tweaked otis's script to give you a little bit of security. I also dropped the modprobe lines in the hope they won't be necessary (I've never needed them, anyway.) Also, iptables's path may differ on your machine so I changed that bit too. And I dropped the IPADDR variable since I didn't see it referenced anywhere else in the script.

This script will allow your internal machine to connect to the outside world, but nothing can connect to it (unless in response to your request of course, hence, ESTABLISHED,RELATED.)

I don't mean to be rude, Otis, I'm just bored right now so I figured I would gild your rose.

#!/bin/sh
# simple firewall made by otis cause this dude needed one
EXTIF=eth1
INTIF=eth0
IPTABLES=`which iptables`
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -F
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTALBES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTALBES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTALBES -A FORWARD -o $EXTIF -i $INTIF -j ACCEPT
 
Old 07-10-2004, 08:09 AM   #4
seow_ming
Member
 
Registered: Mar 2004
Location: Currently in China
Distribution: Fedora 9
Posts: 130

Rep: Reputation: 15
Hello,

I also have two computer which are:

first PC ---> win98
2nd PC ---> winXP + RH8.0 (dual boot)

My 2nd pc have 2 NIC and which is respectively connected to the internet and also the first PC for internet connection sharing while i'm using my winXP platform.

Which means, I just know how to make the internet connection sharing through winxp, but not LINUX.

Could somebody pelase show me how to do so? Your suggestion will be much appreciated.

Thankyou~

Adam
 
Old 07-10-2004, 03:02 PM   #5
otisthegbs
Member
 
Registered: May 2003
Location: Vancouver
Distribution: RH9
Posts: 100

Rep: Reputation: 15
Myboysherman: dude! tweak my script all you want.
I forgot to write the rule to use the IPADDR variable, its a dope rule too!

$IPTABLES -A INPUT -i $EXTIF -s $IPADDR -j DROP

it drops all connections from an external spoofed IP of your own, good rule!

oh and meow man post your question in a new thread man!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables and vsftpd on firewall box - can't connect radiowhiz Linux - Networking 6 03-30-2005 12:03 PM
can't connect to linux box on lan, or ping localhost banschu Linux - Networking 2 09-01-2004 10:16 PM
RH9 cannot ping WinXP box harnadem Linux - Networking 12 02-12-2004 09:35 AM
Can ping box to box thru router - good sign? toastermaker Linux - Networking 15 12-07-2003 12:00 AM
HELP ME!!! Can ping my sever box but can't access the internet elkrammer Linux - Networking 1 08-03-2002 10:15 AM


All times are GMT -5. The time now is 08:21 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration