LinuxQuestions.org
Old 10-19-2008, 10:56 PM   #1
Zafoid
LQ Newbie
 
Registered: Sep 2008
Posts: 13

IP Forwarding/firewall issues


Hi,
I have just set up a Slackware server using 12.1.
Samba is working well, as is dhcpd.
Tried setting up a connection to the internet using the pppoe-start function and it connects OK; however, I cannot access the internet on the XP box that is connected to the network. I have turned on IP forwarding and configured this as per its instructions. I have a static IP and have set the firewall accordingly. I have two ethernet cards:
eth0, which connects to the internal network, and eth1, which connects to the internet (ADSL2) via a D-Link 300G modem. As I said, however, it does not appear to be a problem with connecting; it appears to be either a firewall problem or an IP packet forwarding problem, and right now I am a little lost.

The firewall file is below:



#!/bin/bash

#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#
# Author : Ted Cooper (elc@elcsplace.com) of Earth #
# Created : 16-11-2001 #
# Modif : 10-07-2002 #
#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#
# Firewall for Linux 2.4.x with iptables #
#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#
# This script remains the intellectual property of Ted Cooper. #
# Editing is allowed to keep up to date with changes on this system, #
# however, permission must be sought to use this script on any other #
# system. #
# #
# If you need a hand with this, call me or email me. #
#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#

# Location of the iptables program
IPTABLES="/usr/sbin/iptables"
#IPTABLES="echo"

DEBUG="1"

# Here's something new. This script now clears on demand.. and starts,
# and stats. And rotates.

case "$1" in
'clear')
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F -t nat
$IPTABLES -X -t nat ;;
'rotate')
echo "Not yet implemented..."
exit 0 ;;
'start')

# Set default policies to drop any evil packets that come in during setup.
DEFAULT_POLICY="DROP"
$IPTABLES -P INPUT $DEFAULT_POLICY
$IPTABLES -P FORWARD $DEFAULT_POLICY
$IPTABLES -P OUTPUT $DEFAULT_POLICY

# Flush the main tables.
$IPTABLES -F
$IPTABLES -X

# Flush the NAT tables
$IPTABLES -F -t nat
$IPTABLES -X -t nat

# Go the config..
# Outside interface
O_IN="outside_in"
O_OUT="outside_out"
O_IF="ppp0" # CHANGE
O_ICMP="outside_icmp"
O_IP="DYNAMIC" # CHANGE NB "DYNAMIC" IF NOT STATIC if static change to allocated address
O_ACC="outside_accept"
O_ACCO="outside_accept_out"

# Inside Interface
I_IN="inside_in"
I_OUT="inside_out"
I_IF="eth0"
I_ICMP="inside_icmp"
I_IP="192.168.1.1" # CHANGE
I_NW="192.168.1.0/24" # CHANGE
I_ACC="inside_accept"
I_ACCO="inside_accept_out"

# Checking tables
CHECKF="check_tcp_flags"
BUZZOFF="ignore"

# Forwarding setup.

# Short cuts to make typing easier
ALLFLAGS="--log-level 7 --log-tcp-sequence --log-ip-options --log-tcp-options"
ONESECLIM="-m limit --limit 1/s --limit-burst 5"
LOGA="-j LOG --log-level 7 --log-tcp-sequence --log-ip-options --log-tcp-options --log-prefix"

# Create the tables
$IPTABLES -N $O_IN
$IPTABLES -N $I_IN
$IPTABLES -N $I_ACC
$IPTABLES -N $O_ACC
$IPTABLES -N $I_ICMP
$IPTABLES -N $O_ICMP
$IPTABLES -N $O_OUT
$IPTABLES -N $I_OUT
$IPTABLES -N $O_ACCO
$IPTABLES -N $I_ACCO
$IPTABLES -N $CHECKF
$IPTABLES -N $BUZZOFF

if [ "$DEBUG" = "1" ]; then echo "Done creating tables..." ; fi

# Jump to the tables responsible for each interface
$IPTABLES -A INPUT -i $I_IF -s $I_IP -j ACCEPT
#$IPTABLES -A INPUT -i lo -s $I_IP -j ACCEPT
#$IPTABLES -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $O_IF -j $O_IN
$IPTABLES -A INPUT -i $I_IF -j $I_IN
# $V_IF / $V_IN (a tunnel interface) are never defined in this copy of the
# script, so this line would expand to "iptables -A INPUT -i -j" and fail.
#$IPTABLES -A INPUT -i $V_IF -j $V_IN
$IPTABLES -A INPUT $ONESECLIM $LOGA "NO_MATCH_IN: "

if [ "$DEBUG" = "1" ]; then echo "Done INPUT table..." ; fi

# eth0_in table for the incoming eth0 if
$IPTABLES -A $I_IN -p icmp -j $I_ICMP
$IPTABLES -A $I_IN -m state --state INVALID -j DROP
$IPTABLES -A $I_IN -m state --state NEW -j $I_ACC
$IPTABLES -A $I_IN -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A $I_IN -m state --state RELATED -j ACCEPT
$IPTABLES -A $I_IN -j $CHECKF

if [ "$DEBUG" = "1" ]; then echo "Done inside_in table..." ; fi

# ppp0_in tables for the incoming ppp0 if
$IPTABLES -A $O_IN -p icmp -j $O_ICMP
$IPTABLES -A $O_IN -m state --state INVALID -j DROP
$IPTABLES -A $O_IN -m state --state NEW -j $O_ACC
$IPTABLES -A $O_IN -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A $O_IN -m state --state RELATED -j ACCEPT
$IPTABLES -A $O_IN -j $CHECKF
#$IPTABLES -A $O_IN -j ACCEPT

if [ "$DEBUG" = "1" ]; then echo "Done outside_in table..." ; fi


# Acceptable new connections on outside interface
# SPECIAL TUNNEL RULES
#$IPTABLES -A $O_ACC -d $O_IP -s 202.7.64.68 -j ACCEPT
# END SPECIAL TUNNEL RULES.
$IPTABLES -A $O_ACC -p tcp -m multiport --destination-port 22,25,53,80,110,123,143 $ONESECLIM -j LOG --log-prefix "AO1: " $ALLFLAGS
$IPTABLES -A $O_ACC -p tcp --dport 22 -j ACCEPT
$IPTABLES -A $O_ACC -p tcp --dport 80 -j ACCEPT

if [ "$DEBUG" = "1" ]; then echo "Done outside_accept table..." ; fi

# Acceptable new connections on inside interface
$IPTABLES -A $I_ACC -p tcp -m multiport --destination-port 21,23,53,80,137,138,139,143,445,8080,22002 $ONESECLIM $LOGA "AI1: "
$IPTABLES -A $I_ACC -p udp -m multiport --destination-port 53,67,137,138,139 $ONESECLIM $LOGA "AI2: "
$IPTABLES -A $I_ACC -p tcp --dport 21 -j ACCEPT
$IPTABLES -A $I_ACC -p tcp --dport 22 -j ACCEPT
$IPTABLES -A $I_ACC -p tcp --dport 25 -j ACCEPT
$IPTABLES -A $I_ACC -p tcp --dport 53 -j ACCEPT
#$IPTABLES -A $I_ACC -p tcp --dport 80 -j ACCEPT
$IPTABLES -A $I_ACC -p tcp --dport 110 -j ACCEPT
$IPTABLES -A $I_ACC -p tcp --dport 137 -j ACCEPT
$IPTABLES -A $I_ACC -p tcp --dport 138 -j ACCEPT
$IPTABLES -A $I_ACC -p tcp --dport 139 -j ACCEPT
$IPTABLES -A $I_ACC -p tcp --dport 143 -j ACCEPT
$IPTABLES -A $I_ACC -p tcp --dport 445 -j ACCEPT
$IPTABLES -A $I_ACC -p udp --dport 53 -j ACCEPT
$IPTABLES -A $I_ACC -p udp --dport 137 -j ACCEPT
$IPTABLES -A $I_ACC -p udp --dport 138 -j ACCEPT
$IPTABLES -A $I_ACC -p udp --dport 139 -j ACCEPT
$IPTABLES -A $I_ACC -p udp --dport 177 -j ACCEPT
$IPTABLES -A $I_ACC -p tcp --dport 113 $ONESECLIM $LOGA "RI1: "
$IPTABLES -A $I_ACC -p tcp --dport 113 -j REJECT

if [ "$DEBUG" = "1" ]; then echo "Done inside_accept table..." ; fi

#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#
# ICMP limiting. Linux already limits, but that's just not enough.

$IPTABLES -A $O_ICMP -m limit --limit 1/s --limit-burst 5 -j ACCEPT
$IPTABLES -A $O_ICMP -m limit --limit 1/m --limit-burst 1 -j LOG --log-prefix "ICMP Excess: " --log-level 7 --log-ip-options --log-tcp-options
$IPTABLES -A $O_ICMP -j DROP

$IPTABLES -A $I_ICMP -m limit --limit 1/s --limit-burst 5 -j ACCEPT
$IPTABLES -A $I_ICMP -m limit --limit 1/m --limit-burst 1 -j LOG --log-prefix "ICMP Excess: " --log-level 7 --log-ip-options --log-tcp-options
$IPTABLES -A $I_ICMP -j DROP

if [ "$DEBUG" = "1" ]; then echo "Done ICMP limiting table..." ; fi

# Outing from box
$IPTABLES -A OUTPUT -o $I_IF -d $I_IP -j ACCEPT
$IPTABLES -A OUTPUT -o lo -d $I_IP -j ACCEPT
$IPTABLES -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s $O_IP -d $O_IP -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s $I_NW -d $O_IP -j ACCEPT
# $V_NW / $V_IP / $V_IF (tunnel) are not defined in this copy; left disabled
# so the unset variables do not turn into malformed iptables commands.
#$IPTABLES -A OUTPUT -o lo -s $V_NW -d $V_IP -j ACCEPT
$IPTABLES -A OUTPUT -o $I_IF -j $I_OUT
$IPTABLES -A OUTPUT -o $O_IF -j $O_OUT
#$IPTABLES -A OUTPUT -o $V_IF -j $V_OUT
$IPTABLES -A OUTPUT -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "No Match Out: " $ALLFLAGS

if [ "$DEBUG" = "1" ]; then echo "Done OUTPUT table..." ; fi

# Out ppp
$IPTABLES -A $O_OUT -m state --state INVALID -j DROP
$IPTABLES -A $O_OUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A $O_OUT -m state --state RELATED -j ACCEPT
$IPTABLES -A $O_OUT -m state --state NEW -j $O_ACCO

if [ "$DEBUG" = "1" ]; then echo "Done outside_out table..." ; fi

# Out eth
$IPTABLES -A $I_OUT -m state --state INVALID -j DROP
$IPTABLES -A $I_OUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A $I_OUT -m state --state RELATED -j ACCEPT
$IPTABLES -A $I_OUT -m state --state NEW -j $I_ACCO

if [ "$DEBUG" = "1" ]; then echo "Done inside_out table..." ; fi

# Bah! Allow all of it. Sif there are evil people in the world.
# Accept ppp out
$IPTABLES -A $O_ACCO -j ACCEPT

# Accept eth out
$IPTABLES -A $I_ACCO -j ACCEPT

if [ "$DEBUG" = "1" ]; then echo "Done out,in,tun accept tables..." ; fi

#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#
# Forwarding stuff.

F_ICMP="forward_icmp"
$IPTABLES -N $F_ICMP

if [ "$DEBUG" = "1" ]; then echo "Done FORWARD networks table..." ; fi

S1_IP="192.168.42.3" # Mail server. and RTS.

# Everything going to a server dropped by now.. this is now MASQ computers
$IPTABLES -A FORWARD -p icmp -j $F_ICMP
$IPTABLES -A FORWARD -s $I_NW -o $O_IF -j ACCEPT

$IPTABLES -A FORWARD -d $I_NW -i $O_IF -j ACCEPT

# Check the flags of anything left over.. then...
# log anything left over, will be dropped by default policy.
$IPTABLES -A FORWARD -j $CHECKF
$IPTABLES -A FORWARD -j LOG --log-level 7 --log-prefix "NO_MATCH_FWD: "


#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#
# Masquerade. SNAT. DNAT. This is all one big mess with what's above.

# Rewrite the private source address of anything leaving the LAN for another
# network. MASQUERADE re-reads the outgoing interface address per packet
# (right for a dynamic ppp0); SNAT is the cheaper choice when the IP is fixed.
# The "else" and "fi" must be on their own lines or bash rejects the block.
if [ "$O_IP" = "DYNAMIC" ]; then
$IPTABLES -t nat -A POSTROUTING -s $I_NW ! -d $I_NW -j MASQUERADE
else
$IPTABLES -t nat -A POSTROUTING -s $I_NW ! -d $I_NW -j SNAT --to-source $O_IP
fi


#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#=-=#
# Checking for strange packets.
# Check for things such as syn floods and xmas tree and so on.
# Also does the blanket dropping of those packets so accept before calling here
$IPTABLES -A $CHECKF -j $BUZZOFF
# SYN.
$IPTABLES -A $CHECKF -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j LOG --log-prefix "SYN Hit: " $ALLFLAGS
$IPTABLES -A $CHECKF -p tcp --syn -j DROP
# XMAS
$IPTABLES -A $CHECKF -p tcp --tcp-flags ALL FIN,URG,PSH $ONESECLIM -j LOG --log-prefix "XMAS Hit: " $ALLFLAGS
$IPTABLES -A $CHECKF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# FIN
$IPTABLES -A $CHECKF -p tcp --tcp-flags ALL FIN $ONESECLIM -j LOG --log-prefix "FIN Hit: " $ALLFLAGS
$IPTABLES -A $CHECKF -p tcp --tcp-flags ALL FIN -j DROP
# NULL
$IPTABLES -A $CHECKF -p tcp --tcp-flags ALL NONE $ONESECLIM -j LOG --log-prefix "NULL Hit: " $ALLFLAGS
$IPTABLES -A $CHECKF -p tcp --tcp-flags ALL NONE -j DROP


;;
*)
echo "usage: start|clear|rotate"
exit 0 ;;
esac



The above firewall has worked without problems on other servers, so I cannot see why it is not working on this one.

Thanks
 
Old 10-22-2008, 06:26 PM   #2
camh
Member
 
Registered: Feb 2005
Distribution: Slack/Debian
Posts: 163
Blog Entries: 2

Might be a silly question, but are you running a local DNS server on the linux box? If not, do you have the nameserver set to your ISP's DNS IP on the windows machine?
 
Old 11-14-2008, 10:09 PM   #3
Zafoid
LQ Newbie
 
Registered: Sep 2008
Posts: 13

Original Poster
some rules were missing

Thanks for your help,
it turns out that when I copied it across, some of the lines that were supposed to be there in the last section were missing. They were added, plus a couple of other changes elsewhere, and hey presto, it worked. It did take a few hours on and off looking through it and talking to a couple of other programmers to sort it out, because it had been working on another Linux server that we had running.

Thanks for your help,

Craig
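The resolution above (lines lost from the NAT section of the script) is a good illustration of what a two-NIC router needs before LAN clients can reach the Internet: kernel forwarding enabled, a FORWARD rule in each direction, and a MASQUERADE or SNAT rule. The following is an added example, not code from the thread or from the original script's author: a read-only checker that never calls iptables itself, but reads an iptables-save style dump plus the ip_forward value and reports each missing piece. The interface and network names (eth0, 192.168.1.0/24, ppp0) are assumptions taken from the script's variables, and the two sample dumps are constructed here, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the original thread): read-only check of the three
# things a two-NIC NAT router needs before LAN clients can reach the Internet.
# It never runs iptables; it reads an "iptables-save" style dump from a file
# plus the ip_forward value, and prints each missing piece.
# Interface/network names are assumptions copied from the post's variables.

I_IF="eth0"              # inside interface  (assumed)
I_NW="192.168.1.0/24"    # inside network    (assumed)
O_IF="ppp0"              # PPPoE interface   (assumed)

# check_forwarding DUMPFILE IP_FORWARD_VALUE
# Prints one "MISSING:" line per problem; returns 0 only when nothing is missing.
check_forwarding() {
    dump="$1"
    ip_forward="$2"
    missing=0

    # 1. The kernel must route between interfaces at all.
    if [ "$ip_forward" != "1" ]; then
        echo "MISSING: /proc/sys/net/ipv4/ip_forward is not 1"
        missing=$((missing + 1))
    fi

    # 2. FORWARD chain: LAN -> ppp0 out, and replies ppp0 -> LAN back.
    #    With a DROP policy on FORWARD, both directions need an explicit rule.
    if ! grep -q -- "^-A FORWARD -s $I_NW -o $O_IF -j ACCEPT" "$dump"; then
        echo "MISSING: FORWARD rule letting $I_NW out via $O_IF"
        missing=$((missing + 1))
    fi
    if ! grep -q -- "^-A FORWARD -d $I_NW -i $O_IF.*-j ACCEPT" "$dump"; then
        echo "MISSING: FORWARD rule letting replies from $O_IF back to $I_NW"
        missing=$((missing + 1))
    fi

    # 3. NAT: private source addresses must be rewritten on the way out,
    #    otherwise the ISP side has no route back to 192.168.x.x.
    if ! grep -Eq -- "^-A POSTROUTING -s $I_NW .*-j (MASQUERADE|SNAT)" "$dump"; then
        echo "MISSING: POSTROUTING MASQUERADE/SNAT rule for $I_NW"
        missing=$((missing + 1))
    fi

    [ "$missing" -eq 0 ]
}

# write_dump FILE NAT_RULE
# Constructed sample dump shaped like iptables-save output of the post's
# script. Pass "" as NAT_RULE to reproduce the "missing lines" case.
write_dump() {
    file="$1"
    nat_rule="$2"
    {
        printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
        printf '%s\n' "-A FORWARD -s $I_NW -o $O_IF -j ACCEPT"
        printf '%s\n' "-A FORWARD -d $I_NW -i $O_IF -j ACCEPT"
        printf '%s\n' '-A FORWARD -j LOG --log-prefix "NO_MATCH_FWD: " --log-level 7'
        printf '%s\n' 'COMMIT' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
        if [ -n "$nat_rule" ]; then printf '%s\n' "$nat_rule"; fi
        printf '%s\n' 'COMMIT'
    } > "$file"
}

# The rule the post's script installs when O_IP is "DYNAMIC".
MASQ_RULE="-A POSTROUTING -s $I_NW ! -d $I_NW -j MASQUERADE"

# Stand-alone demo against both constructed dumps. On the real router use:
#   iptables-save > /tmp/rules.txt
#   check_forwarding /tmp/rules.txt "$(cat /proc/sys/net/ipv4/ip_forward)"
demo() {
    tmp="${TMPDIR:-/tmp}/nat-check.$$"
    echo "--- dump with the NAT section lost:"
    write_dump "$tmp" ""
    check_forwarding "$tmp" 1 || echo "=> LAN clients would not reach the Internet"
    echo "--- dump with the MASQUERADE rule present:"
    write_dump "$tmp" "$MASQ_RULE"
    check_forwarding "$tmp" 1 && echo "=> forwarding prerequisites all present"
    rm -f "$tmp"
}

demo
```

The checks are deliberately coarse string matches on iptables-save output, so a ruleset that allows return traffic via `-m state --state ESTABLISHED,RELATED` instead of a plain `-d $I_NW -i $O_IF` rule will be reported as missing that rule; adjust the second pattern if that is how the box is configured. When all three checks pass and clients still have no connectivity, the usual next suspect is the one camh raised: DNS configuration on the client, which no amount of forwarding rules will fix.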
 
Old 11-14-2008, 11:58 PM   #4
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 12,549
Blog Entries: 23

Hi,

Make the changes to your rather long 'iptable' post so it will be correct. Note where the changes are made.

BTW, I would use the vbcode tags to enclose your data/lists. That way the post is easier to move through plus it looks clean.
 
  

