LinuxQuestions.org
Linux - Newbie
Old 11-21-2008, 03:21 AM   #1
jennifer.ayag
Don't have internet connection using this iptable rules


Can anyone please help me? I want to ask if my rules are correct.

Here's my setup:

IP ADD provided by the ISP: 121.x.x.133
ROUTER'S IP (ALSO AS GATEWAY): 192.168.1.1
External IP: 192.168.1.98 (ETH0)
Internal IP: 192.168.1.99 (ETH1)
Subnet Mask: 255.255.255.0

Here are my rules:

INPUT (Default: DROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if input interface is lo
ACCEPT if protocol is ICMP
ACCEPT if source is 127.0.0.1 and destination is 127.0.0.1
ACCEPT if protocol is TCP and destination port is 80
ACCEPT if protocol is TCP and destination port is 22
ACCEPT if protocol is TCP and destination port is 53
ACCEPT if protocol is UDP and destination port is 22
ACCEPT if protocol is TCP and destination port is 20:21
ACCEPT if protocol is TCP and destination port is 443
ACCEPT if protocol is TCP and input interface is ETH1 and destination port is 10000

FORWARD (Default: DROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if input interface is ETH0 and output interface is ETH1
ACCEPT if input interface is ETH1 and output interface is ETH0

OUTPUT (Default: DROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if output interface is lo
ACCEPT if protocol is ICMP
ACCEPT if source is 127.0.0.1 and destination is 127.0.0.1
ACCEPT if protocol is TCP and source port is 80
ACCEPT if protocol is TCP and source port is 22
ACCEPT if protocol is TCP and source port is 53
ACCEPT if protocol is UDP and source port is 22
ACCEPT if protocol is TCP and source port is 20:21
ACCEPT if protocol is TCP and source port is 443
ACCEPT if protocol is TCP and input interface is ETH1 and source port is 10000

POSTROUTING (Default: ACCEPT)

SNAT if output interface is ETH0 (IP for SNAT is 121.x.x.133)

The rules above won't allow me to access any sites in my web browser, or my email.

Thanks in advance.
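As an added example (not the poster's own script), the ruleset described in this post written out as iptables commands for a gateway box. Interface names, addresses and ports are taken from the post, with the UDP rule on port 53 as the poster later corrects; 121.x.x.133 is kept as a placeholder and must be replaced with the real address. Two deliberate departures are marked in comments: the OUTPUT chain accepts new connections from the box itself instead of listing source ports, and the FORWARD chain only accepts connections opened from the LAN, so traffic from eth0 to eth1 passes only as replies to those connections. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: the gateway ruleset from post #1 as iptables commands.
# Run as "./gw.sh apply" on the firewall; "IPT=echo ./gw.sh apply" prints
# the commands without touching the kernel tables.
set -eu

IPT="${IPT:-iptables}"
WAN=eth0                 # external interface (post #1)
LAN=eth1                 # internal interface (post #1)
WAN_IP=121.x.x.133       # placeholder copied from the post; replace it
LAN_NET=192.168.1.0/24   # LAN subnet from the post's netmask

gateway_rules() {
    # clean slate, default-deny on all three filter chains
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP

    # loopback, and replies to connections the box already knows about
    "$IPT" -A INPUT   -i lo -j ACCEPT
    "$IPT" -A OUTPUT  -o lo -j ACCEPT
    "$IPT" -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    "$IPT" -A INPUT  -p icmp -j ACCEPT
    "$IPT" -A OUTPUT -p icmp -j ACCEPT

    # services offered by the firewall itself; 10000 only from the LAN side
    for port in 20:21 22 53 80 443; do
        "$IPT" -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    "$IPT" -A INPUT -p udp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -p tcp --dport 10000 -j ACCEPT

    # departure from the post: let the box open its own outbound
    # connections; the per-source-port OUTPUT list is covered by the
    # ESTABLISHED,RELATED rule above
    "$IPT" -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT

    # departure from the post: only LAN-originated connections are
    # forwarded out; inbound eth0->eth1 traffic is accepted solely as
    # replies, instead of the post's unconditional eth0->eth1 ACCEPT
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # source NAT for everything leaving on the external interface
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$WAN_IP"
}

if [ "${1:-}" = "apply" ]; then
    gateway_rules
fi
```

Order matters: the ESTABLISHED,RELATED rules sit first so that reply packets never reach the per-port rules, and the FORWARD chain never has a blanket eth0-to-eth1 ACCEPT.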
 
Old 11-21-2008, 09:39 AM   #2
estabroo
Is this box being used directly, or is it a gateway box? If it's direct then you need to more or less swap your input/output rules (unless you are running services on that box, in which case you'll just need to add to the rules). If it's a gateway box then you might want to MASQUERADE instead of SNAT; they are essentially the same, but I think MASQ'ing covers more protocols (I could easily be wrong on this).

 
Old 11-21-2008, 10:54 AM   #3
r3sistance
I can't really see the problem in the rules, so this might sound a bit crazy, but can you get so far as to ping the Gateway? Can you ping Google.com, can you ping 209.85.171.99? Basic checks I know but might help in finding the problem. Also (this won't be the problem), but shouldn't port 22 be TCP not UDP?

 
Old 11-24-2008, 02:28 AM   #4
jennifer.ayag
Quote:
Is this box being used directly, or is it a gateway box? If it's direct then you need to more or less swap your input/output rules (unless you are running services on that box, in which case you'll just need to add to the rules). If it's a gateway box then you might want to MASQUERADE instead of SNAT; they are essentially the same, but I think MASQ'ing covers more protocols (I could easily be wrong on this).
This box is the gateway box. Here's the setup of the network:

INTERNET >> ROUTER >> FIREWALL MACHINE >> SWITCH >> LAN

I also tried the MASQUERADE rule but it results in nothing.

Quote:
I can't really see the problem in the rules, so this might sound a bit crazy, but can you get so far as to ping the Gateway? Can you ping Google.com, can you ping 209.85.171.99? Basic checks I know but might help in finding the problem. Also (this won't be the problem), but shouldn't port 22 be TCP not UDP?
If I ping from the firewall machine it works, and it also pings other sites, but when I use any of the computers connected to the LAN it cannot ping or browse any sites.

Quote:
ACCEPT if protocol is TCP and destination port is 22
ACCEPT if protocol is TCP and destination port is 53
ACCEPT if protocol is UDP and destination port is 22
Sorry, this is a typo.

This should be port 53, not 22.

I also tried to flush the iptable rules and accept everything but still the computer connected to the LAN can't access the net.

What could be the problem? Correct me if I'm wrong... I thought this has nothing to do with iptables, but I wonder what could be the problem. I'm new to Linux and I'm really having a hard time figuring out the problem.
 
Old 11-24-2008, 09:44 AM   #5
estabroo
Did you turn on forwarding?
check with cat /proc/sys/net/ipv4/ip_forward
set with echo 1 > /proc/sys/net/ipv4/ip_forward
and you can set it permanently in /etc/sysctl.conf (on most linux distros)
 
Old 11-24-2008, 10:38 AM   #6
salter
Can you post a sample network setting from one of the LAN client PCs?

I wonder if the problem stems from your mixture of IP addresses used for the gateway, eth0 and eth1. My routers so far have always had the same IP for the gateway and one of the ethernet cards. On the other hand, maybe I was just lucky that it worked at all.

 
Old 11-24-2008, 11:29 AM   #7
r3sistance
Quote:
Originally Posted by jennifer.ayag
I also tried to flush the iptable rules and accept everything but still the computer connected to the LAN can't access the net.
You didn't have to go that far; you could have just done "/etc/init.d/iptables stop" to test whether the problem was your firewall. However, if you turn your firewall off and it still does not connect outward, then the problem is not the firewall at all but your network settings. As said above, do you have IP forwarding on?

Also on the machines within your network, have you ensured that they are using 192.168.1.99 as their gateway address since I assume that this machine you are dealing with is acting as a firewall and thus they must all pass through this connection?

 
Old 11-24-2008, 07:37 PM   #8
jennifer.ayag
Quote:
Did you turn on forwarding?
check with cat /proc/sys/net/ipv4/ip_forward
set with echo 1 > /proc/sys/net/ipv4/ip_forward
and you can set it permanently in /etc/sysctl.conf (on most linux distros)
Yes, I did turn on the forwarding

Quote:
Can you post a sample network setting from one of the LAN client PCs?

I wonder if the problem stems from your mixture of IP addresses used for the gateway, eth0 and eth1. My routers so far have always had the same IP for the gateway and one of the ethernet cards. On the other hand, maybe I was just lucky that it worked at all.
This is the network config of one of the computers on the LAN:


ipadd: 192.168.1.107
netmask: 255.255.255.0
gateway: 192.168.1.1

Quote:
As said above, do you have IP forwarding on?

Also on the machines within your network, have you ensured that they are using 192.168.1.99 as their gateway address since I assume that this machine you are dealing with is acting as a firewall and thus they must all pass through this connection?
Yes, I turned on the forwarding.
Re the gateway, the network config of one of the computers on the LAN is:

ipadd: 192.168.1.107
netmask: 255.255.255.0
gateway: 192.168.1.1

I'll try changing the gateway to 192.168.1.99.

I'll post the result after changing the gateway.

Another question guys....

How would I check what ports are open from the command prompt?

I want to know if I really opened up the ports needed.
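As an added example (not part of this thread), three checks that cover what posts #5, #7 and this one ask for: whether IPv4 forwarding is on, which default gateway a host is actually using, and which TCP ports the firewall is listening on. Each function reads from a file or from stdin so the logic can be exercised on constructed samples; the sample route output reproduces the LAN client config in this post (gateway 192.168.1.1 rather than the firewall's 192.168.1.99), and the sample `ss -lnt` output is invented. Run with the argument `live` on the firewall to apply the checks to the real system.

```shell
#!/bin/sh
# Added example (not from the thread): gateway sanity checks. Functions
# take their input from a file path or stdin so they can run offline.
set -eu

# 1. Is IPv4 forwarding enabled? Same file post #5 points at; an optional
#    path argument lets the check run against any file.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# 2. Which gateway does a host really use? Parses "ip route show" output
#    on stdin and prints the address after "default via".
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# 3. Which TCP ports does this box listen on? Parses "ss -lnt" output on
#    stdin (port is the last ":"-separated field of the local address,
#    which also handles "[::]:22") and prints unique ports in order.
listening_tcp_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' \
        | sort -n | uniq
}

# Constructed samples: the LAN client from post #8, and a firewall
# running sshd, a web server and a proxy on 8000.
SAMPLE_ROUTE='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.107'
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:22            0.0.0.0:*
LISTEN  0      128    192.168.1.99:8000     0.0.0.0:*
LISTEN  0      128    *:80                  *:*
LISTEN  0      128    [::]:22               [::]:*'

FIREWALL_LAN_IP=192.168.1.99   # eth1 address from post #1

if [ "${1:-}" = "live" ]; then
    if forwarding_enabled; then echo "ip_forward: on"; else echo "ip_forward: OFF"; fi
    gw=$(ip route show | default_gateway)
    echo "default gateway on this host: ${gw:-none}"
    echo "listening tcp ports: $(ss -lnt | listening_tcp_ports | tr '\n' ' ')"
    # the INPUT chain as the kernel actually holds it, not as you remember it
    iptables -L INPUT -n --line-numbers
fi
```

The gateway check is the one that resolved this thread: run `ip route show` on a LAN client and compare the `default via` address with the firewall's LAN address; if they differ, the client's packets never reach the firewall's FORWARD chain, and no iptables rule can change that.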
 
Old 11-24-2008, 09:48 PM   #9
jennifer.ayag
Hello guys! My firewall is working now...

Quote:
Also on the machines within your network, have you ensured that they are using 192.168.1.99 as their gateway address since I assume that this machine you are dealing with is acting as a firewall and thus they must all pass through this connection?
I changed the gateway of the computers connected to the LAN, and when I try browsing, it works.

Thanks a lot guys!

I will now configure the squid proxy... I hope I can.

I'll keep posting the results of my configuration and will ask for your help/suggestions.
 
Old 11-25-2008, 03:51 AM   #10
jennifer.ayag
Guys, I have another question.

This is regarding the squid proxy: why can't I connect to the internet if I set the proxy?

My default port for the proxy is 8000.

I added these rules to my iptables:

ACCEPT if protocol is TCP and destination port is 8000 (INPUT RULE)
ACCEPT if protocol is TCP and source port is 8000 (OUTPUT RULE)

Please help me again.
 
Old 11-25-2008, 04:35 AM   #11
linuxlover.chaitanya
That's not the default port for squid. You set squid to work on 3128. So you need to tell the browser to connect to the net through the proxy by giving its IP address and the port 8000 that you have configured it to work on. It will not work by default. Another thing to ask: is your squid running in transparent mode? If yes, then forget the browser settings. Also search the LQ forums for transparent squid.
You need not set the second rule. For web browsing port 80 is used, so you need to accept the connections originating from port 80, which you have already done.

 
Old 11-25-2008, 08:27 AM   #12
jennifer.ayag
Do I need to do some port redirection for the port used by squid?
I didn't set the squid in transparent mode...
 
Old 11-25-2008, 07:57 PM   #13
jennifer.ayag
Quote:
Do I need to do some port redirection for the port used by squid?
I didn't set the squid in transparent mode...
Hi again! I made a rule in PREROUTING using DNAT and now I can browse the net using the proxy.
Here's the rule I used:

DNAT if the protocol is TCP and the input interface is ETH0 and the destination port is 80 (where the destination IP is 192.168.1.99:8000).

My question is... will that rule make my firewall secure?

Will all my rules protect our LAN from any hacking?
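As an added example (not the poster's rule set), a transparent-proxy redirect of the kind this post and post #11 discuss, written as iptables commands. It assumes the values from the thread: eth1 as the LAN-facing interface, 192.168.1.99 as its address, and Squid listening on port 8000. It intercepts on the LAN-facing interface, where the clients' port-80 requests arrive, and the INPUT rule for the proxy port is restricted to that interface so the proxy is not reachable from the external side. A DNAT variant with an explicit target address, the form this post uses, is included alongside the REDIRECT form. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): intercept LAN web traffic into a
# local Squid listener. Assumes eth1 = LAN side, 192.168.1.99 = its
# address, 8000 = Squid's port (values from the thread). Squid itself
# must be told the port is intercepted (http_port 8000 transparent on
# Squid 2.6/3.0, "intercept" on 3.1 and later), or it will refuse the
# rewritten requests.
set -eu

IPT="${IPT:-iptables}"
LAN=eth1
LAN_IP=192.168.1.99
PROXY_PORT=8000

transparent_proxy_rules() {
    # Accept client connections to the proxy port from the LAN side only.
    # Without -i the proxy would also answer on eth0, i.e. become an open
    # proxy for whatever sits beyond the router.
    "$IPT" -A INPUT -i "$LAN" -p tcp --dport "$PROXY_PORT" -j ACCEPT

    # Leave port-80 traffic addressed to the firewall itself alone (an
    # ACCEPT in the nat table means "do not NAT"), then send every other
    # LAN-originated port-80 request to the local proxy. REDIRECT rewrites
    # the destination to the address of the interface the packet came in
    # on, so no explicit IP is needed.
    "$IPT" -t nat -A PREROUTING -i "$LAN" -p tcp -d "$LAN_IP" --dport 80 -j ACCEPT
    "$IPT" -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Same effect written with DNAT and an explicit target, as in post #13.
transparent_proxy_rules_dnat() {
    "$IPT" -A INPUT -i "$LAN" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    "$IPT" -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$LAN_IP:$PROXY_PORT"
}

if [ "${1:-}" = "apply" ]; then
    transparent_proxy_rules
fi
```

Squid's own fetches toward the internet leave through the OUTPUT chain, not PREROUTING, so the redirect does not loop back on itself. Interception only covers plain HTTP on port 80; browsers configured with an explicit proxy setting reach port 8000 directly and are covered by the INPUT rule alone.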
 
Old 11-25-2008, 08:20 PM   #14
r3sistance
Using a firewall and NAT does increase security a lot, but protecting against hacking is never 100% possible. Effectively all you can do is make it as hard as you can and deter hackers as much as possible; you can use certain techniques like sacrificial machines that log all access to them and then block the associated IPs, and so on... but I'd never ever say any machine connected to the internet is fully protected against hacking.

 
Old 11-25-2008, 11:41 PM   #15
jennifer.ayag
Thanks!!!
 