LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-05-2004, 10:05 PM   #1
toffe0202
LQ Newbie
 
Registered: Aug 2004
Posts: 8

Rep: Reputation: 0
Firewall Behind a Linksys Router


Hello ppl, I would like to ask for help in configuring my iptables firewall. Any help would be appreciated.

Here is the setup.

I have a Linksys router that shares the internet connection in my house, and I have a DSL line with a dynamic IP address. They say that the router has a firewall capability, but I want to make a Linux firewall, because I know that it is better.

I would like to put my firewall between the router and my network to ensure security.

I have read some FAQs, docs and HOWTOs on iptables and came up with this script. Please tell me if there are things I need to change, because I can't browse the internet on the firewall.

I haven't connected the local network yet because I want to test the firewall by itself first.

My router's IP address is 192.168.1.1

#!/bin/bash

# - Interface eth0 is the internet interface

# Initialize all the chains

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

# If a packet doesn't match one of the built in chains, then Drop it

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

#allow loopback traffic

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# Allow outbound DNS queries from the FW and the replies too

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \
-j ACCEPT

iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \
-j ACCEPT


# Allow port 80 (www) and 443 (https) connections to the firewall
# I want to surf on the firewall for testing purposes

iptables -A OUTPUT -j ACCEPT -m state --state NEW \
-o eth0 -p tcp -m multiport --dport 80,443 --sport 1024:65535

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \
-i eth0 -p tcp

I would like to resolve the fact that I can't browse on the firewall using these settings.
 
Old 08-05-2004, 10:24 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I think you need an ESTABLISHED,RELATED rule for the OUTPUT chain as well. Otherwise only the first packet will be allowed out and nothing else.
 
Old 08-05-2004, 10:26 PM   #3
toffe0202
LQ Newbie
 
Registered: Aug 2004
Posts: 8

Original Poster
Rep: Reputation: 0
is this it?

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \
-i eth0 -p tcp
 
Old 08-05-2004, 10:27 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
btw, depending on what linksys model you are using, it might be a linux firewall as well:

http://www.linksys.com/support/gpl.asp
 
Old 08-05-2004, 10:29 PM   #5
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
To allow others to use the internet from behind your Linux router, you would need to add a MASQUERADE rule. As you have successfully built a firewall script with some reading, I would leave the onus on you to do some more reading to get the MASQUERADE in place.

You would also need to enable IP forwarding, in one of the following ways:

edit /etc/sysctl.conf and add/modify the following parameter:

net.ipv4.ip_forward=1

OR

echo 1 > /proc/sys/net/ipv4/ip_forward

Last edited by ppuru; 08-05-2004 at 10:31 PM.
 
Old 08-05-2004, 10:29 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Re: is this it?

Quote:
Originally posted by toffe0202
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \
-i eth0 -p tcp
I believe that's the same one you had before, right? I think what you're looking for is:

# OUTPUT chain rules match on the outgoing interface (-o), not -i
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \
-o eth0 -p tcp
 
Old 08-05-2004, 10:30 PM   #7
toffe0202
LQ Newbie
 
Registered: Aug 2004
Posts: 8

Original Poster
Rep: Reputation: 0
Yes, I forgot the model, but it also has firewall capabilities that I can turn off.
From the script, do you think that there is something wrong in it? BTW, thanks for the reply.
 
Old 08-05-2004, 10:33 PM   #8
toffe0202
LQ Newbie
 
Registered: Aug 2004
Posts: 8

Original Poster
Rep: Reputation: 0
Mr. ppuru, I have read about IP masquerading, and I still have no plans to touch it because of the firewall not being able to surf the web. Thanks anyway.
 
Old 08-05-2004, 10:34 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by toffe0202
from the script do you think that there is something wrong in it? btw thanks for the reply.
Yes, it certainly doesn't work. Try adding the iptables line from my previous post. Btw, welcome to linuxquestions.org!
 
Old 08-05-2004, 10:37 PM   #10
toffe0202
LQ Newbie
 
Registered: Aug 2004
Posts: 8

Original Poster
Rep: Reputation: 0
Thanks Capt_Caveman, and I'm proud of being a member.
 
Old 08-05-2004, 11:15 PM   #11
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
toffe0202, just a doubt... perhaps you need to enable MASQUERADING on the Linksys router to allow 192.168 traffic on the internet.
 
Old 08-06-2004, 01:00 AM   #12
nex6
Member
 
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46

Rep: Reputation: 16
Firewalling a box behind a firewall is a good idea, but putting a firewall/router in and having it NAT the LAN behind it is not so good. That comes under NAT'ing a NAT, which is not a good practice.

You will have fewer network problems if you leave the Linksys up and firewall each box itself.


just my 2 cents.


-Nex6
 
Old 08-06-2004, 02:56 AM   #13
toffe0202
LQ Newbie
 
Registered: Aug 2004
Posts: 8

Original Poster
Rep: Reputation: 0
I have solved the WWW problem by doing this:

# Allow www outbound to 80.
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow www outbound to 443.
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

I can now surf, provided that I know the IP address of the site that I'm going to surf.

I know that it's a DNS problem, and I added logging at the end of my script to solve it, but when I booted up again in the CLI, the monitor is clogged up by logs continuously and I can't see the shell. Is there a way to stop the logging from showing on my monitor so I can just look at the logs in /var/log like other normal Linux users do?
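The points raised across this thread (the missing OUTPUT ESTABLISHED,RELATED rule from posts #2 and #6, the MASQUERADE rule and ip_forward setting from post #5, and the log flood from post #13) fit together in one ruleset. The script below is an added example written for this page; it is not toffe0202's script or anything from the replies. It assumes eth0 faces the Linksys router, a second interface eth1 faces the LAN, and the LAN uses 192.168.2.0/24 (all three are assumptions); setting IPT="echo iptables" prints the rules instead of loading them, so the ruleset can be inspected without root.

```shell
#!/bin/sh
# Added example (not the poster's script): a stateful iptables ruleset for a
# Linux firewall placed between a Linksys router (192.168.1.1 on eth0) and a
# LAN. eth1 as the LAN interface and 192.168.2.0/24 as the LAN subnet are
# assumptions. Set IPT="echo iptables" (and SYSCTL="echo sysctl") to print
# the commands instead of running them.

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN=eth0                  # side facing the Linksys router
LAN=eth1                  # side facing the internal network (assumed)
LAN_NET=192.168.2.0/24    # assumed LAN subnet, distinct from the router's 192.168.1.0/24

# Flush and delete every chain in every table, then default to DROP.
reset_tables() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

# Connection tracking on every chain. The OUTPUT rule is the one the first
# script in the thread lacked: without it only the NEW packet leaves the box
# and the rest of the TCP handshake is dropped.
stateful_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets that belong to no tracked connection (stray ACKs etc.) are dropped.
    $IPT -A INPUT -m state --state INVALID -j DROP
}

# New connections the firewall host itself may open: DNS over UDP and TCP
# (large answers fall back to TCP), plus HTTP and HTTPS for testing.
firewall_host_rules() {
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
}

# Routing for the LAN: forward LAN-originated flows to the WAN side, hide them
# behind the firewall's WAN address with MASQUERADE, and turn on forwarding.
lan_rules() {
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Log what falls through to the DROP policy, rate-limited so a burst of
# unwanted traffic cannot swamp the kernel log.
logging_rules() {
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUTPUT-DROP: "
}

apply_rules() {
    reset_tables
    stateful_rules
    firewall_host_rules
    lan_rules
    logging_rules
}

# Usage: ./fw.sh apply      (as root)   or   ./fw.sh dry-run   (print only)
case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPT="echo iptables"; SYSCTL="echo sysctl"; apply_rules ;;
esac
```

The LOG target writes through the kernel log, so the lines still reach syslog and /var/log; the `-m limit` match only caps their rate. Whether they also scroll on the console is a kernel console log level question, which `dmesg -n 1` lowers so only emergency messages appear there, leaving the firewall logs in the log files.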
 
Old 08-06-2004, 04:11 PM   #14
nex6
Member
 
Registered: Apr 2004
Distribution: Ubuntu;Debain;Redhat
Posts: 46

Rep: Reputation: 16
Try hard-coding the DNS servers instead of DHCP.

And make sure port 53 TCP and UDP has outbound access.


-Nex6
 