LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-08-2004, 10:29 PM   #1
lrt2003
Member
 
Registered: Mar 2004
Distribution: Fedora 10
Posts: 182

Rep: Reputation: 30
ipmasquarade newbie problems


hi guys

I read the ipmasquarade documentation (well, skimmed.. it's huge!)

I am using this on my host computer (connecting through the internet through eth1 (usb adapter), eth0 is a crossover cable to another computer).... both want them to have internet access, and share files between them. yes, I know, only with the host on, is the other be able to use internet.. that's ok

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.75
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.75 - Added more kernel modules to the comments section
# 0.74 - the ruleset now uses modprobe vs. insmod
# 0.73 - REJECT is not a legal policy yet; back to DROP
# 0.72 - Changed the default block behavior to REJECT not DROP
# 0.71 - Added clarification that PPPoE users need to use
# "ppp0" instead of "eth0" for their external interface
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
# 0.50 - Initial draft
#

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"


# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=iptables
DEPMOD=depmod
MODPROBE=modprobe


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
#
EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"


#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==


echo -en " loading modules: "

# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================

echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables


#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc


#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp


#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc

echo "----------------------------------------------------------------------"

# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function. Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
# ip_nat_snmp_basic - this module allows for proper NATing of some
# SNMP traffic
#
# iptable_mangle - this target allows for packets to be
# manipulated for things like the TCPMSS
# option, etc.
#
# --
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#

echo -e " Done loading modules.\n"



#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on external interface "eth0". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#


#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

ok, I run that on host computer.

next, I go on to my second computer (uses eth0 through network card).. and can't seem to fix up the internet connection. I tried this:

(in /etc/rc.d/rc.inet1.conf)

IPADDR[0]="192.168.0.2"
NETMASK[0]="255.255.255.0"

GATEWAY="198.168.0.1"

(in /etc/resolv.conf)

search woot

[ that is the hostname ]

any ideas, fellas? btw, I have no real assigned IPs, the host goes on DHCPCD values.. IP changes all the time.. it's a home setup.. I just kinda "made up" those private numbers, well, they are the defaults for private IPs, right?
 
Old 06-09-2004, 10:20 AM   #2
zedmelon
Member
 
Registered: Jun 2004
Location: colorado, USA
Distribution: slack, oBSD
Posts: 119

Rep: Reputation: 22
First, a few related things that could help...

If you don't compose firewall rulesets all the time (I don't), there will always be little bugs that don't work the first time quite the way you planned. Keeping the principles in mind and going step by step will simplify things immensely. Hopefully, a flaw in your ruleset will block more than you want. Unfortunately, that's not always the case, and you can pass traffic that you don't want and not even know it.

I haven't personally used IPtables under Linux, so I can't help you with syntactical discrepancies here, but the best way to implement firewall rules anytime you're uncertain is to start with just the basic two- or three-rule plan, and add one rule at a time, testing as you go. When you find out which rule breaks the intended funtion, you know where to search for a fix. If you're concerned about security while testing, you can unplug the cable between tests, but if you start with everything blocked by default and then add rules to pass only what you want, it shouldn't be an issue.

Something like this:
Code:
1.  block everything coming in on the external if
2.  pass everything coming in on the internal if
As you add rules (pass web traffic in to here, pass mail in to there, pass traffic out to everywhere, etc), keep testing and see where your intended traffic gets stopped.

I noticed this part here:
Code:
#IPTABLES=/sbin/iptables
IPTABLES=iptables
DEPMOD=depmod
MODPROBE=modprobe
It's always good scripting practice to define variables like this with the absolute path. I'd recommend using "/sbin/depmod" (or whatever) instead of just "depmod." Leave as little as possible to interpretation errors.

You also might want to flesh out your /etc/resolv.conf a bit more (on the internal machine):
Code:
lookup file bind
search woot
nameserver x.x.x.x      x.x.x.x
The first line says "check /etc/hosts and then look for a nameserver." Then you can put important hosts in your local file and still reach them if DNS fails.
Of course, for x.x.x.x use whatever nameservers they assign you with your IP address.

You might even find masquarading isn't even your issue. Can the external machine reach the Internet? Can the boxes can ping one another? If your internal machine doesn't know how to get out (or how to find something out there), it won't hit its target. Be sure you've configured the internal interface to use the IP the other machine needs for a gateway. And tcpdump is a great tool to see what packets are hitting an interface, although you can get a lot of data VERY quickly.

As I said, I've never firewalled in Linux, but this tutorial looks to have been written by someone who knows more than just the basics. Hopefully the information is still current.
http://www.siliconvalleyccie.com/lin...bles-intro.htm

This one too:
http://www.netfilter.org/documentati...NAT-HOWTO.html

If not, I found the first one here, and one of these others is bound to do the trick:
http://www.google.com/search?num=50&...+ip+masquerade

Good luck, and when you're done, let us all know your IP so we can torture-test your firewall for you. ;)
 
Old 06-11-2004, 06:21 AM   #3
lrt2003
Member
 
Registered: Mar 2004
Distribution: Fedora 10
Posts: 182

Original Poster
Rep: Reputation: 30
thanks, more reading for me
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Newbie problems... :( DARKGuy Mandriva 3 08-23-2005 10:48 PM
newbie has some problems SirrusX Slackware 33 11-21-2004 08:48 PM
Not so newbie, but having X problems, just the same... polonius19 Linux - Newbie 3 08-12-2004 05:37 PM
Newbie having problems... Sirus Linux - Wireless Networking 3 06-02-2004 09:28 AM
newbie having device problems carlcromer Linux - Software 8 04-16-2001 12:40 AM


All times are GMT -5. The time now is 10:22 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration