Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
OK, how is the network set up? Do you have an external broadband device plugged into eth0 on one machine, and another network card connected to the rest of your network? Usually if you have an external device, it handles the internet sharing for your clients anyway, and you'd just need to set up port forwarding on that device for your servers (i.e. no need for iptables). If you're trying to set up a firewall on a Linux machine with only one network card, it would be possible for the other machines to just bypass it by using the address of the router as their gateway.
OK, sounds good! Now, grab the script from the top of this page http://en.tldp.org/HOWTO/IP-Masquera...-examples.html and save it on your system. Make it executable and run it as-is for now. Configure your local machines to use the firewall as their default gateway and see if you can access the net. That HOWTO should explain everything you want to know if you read the whole thing, but come back here if you're having problems you can't solve.
BTW, this doesn't allow anything back in to your network just yet. You'll need to add more lines to the script, like this:
Code:
# This allows forwarding of port 80
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# This does the actual forwarding of port 80
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
-j DNAT --to 192.168.0.2:80
I used exactly what you said: took the script from that HOWTO and ran it; iptables said nothing. I tried to ping my ISP's DNS 195.67.199.27 and that I can do from my server, but I can't nslookup any page or surf; nothing works except pinging my ISP.
From my Windows computer I can use MSN but can't surf.
On this Linux computer I'm sitting on now it works as it did before. And I used "netconfig" to set the default gateway to the IP number of my router (the Linux computer).
Sorry, I'm not quite understanding what's happening. Which of these work and which don't? If they don't work, what do they give as an error?
Ping 195.67.199.27 from Windows
Ping 195.67.199.27 from Linux firewall
Ping www.yahoo.com from Windows
Ping www.yahoo.com from firewall
Browse to 66.94.230.52 from Windows
Browse to 66.94.230.52 from firewall
Hmm, on my HTTP server I can't ping www.yahoo.com but I can surf to 66.94.230.52 and ping 195.67.199.27 and 195.67.199.28, which are my ISP's primary and secondary DNS servers.
I would say your http server is missing the nameservers in /etc/resolv.conf - make sure one line for each DNS server is there:
nameserver 195.67.199.27
nameserver 195.67.199.28
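The symptom above (IP addresses reachable, names not) is what a missing or malformed /etc/resolv.conf looks like. As an added example, not from any poster in this thread, here is a small POSIX sh checker that extracts the nameserver lines from a resolv.conf-style file, validates each as an IPv4 address, and fails if none is usable. The sample files it builds are constructed for the demonstration and are not anyone's real configuration.

```shell
#!/bin/sh
# Added example: check that a resolv.conf-style file names at least one
# syntactically valid IPv4 DNS server. Not part of the thread's own posts.

# Print the nameserver addresses found in FILE, one per line, ignoring
# comments ("#" or ";") and other directives such as "search" or "options".
resolv_nameservers() {
    sed -e 's/[#;].*$//' "$1" | awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# Return 0 if ADDR is a dotted quad with four numeric octets in 0..255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Print a summary for FILE and return 0 if it has at least one valid
# nameserver, 1 otherwise. Malformed entries are reported on stderr.
resolv_check() {
    file=$1
    good=0
    for ns in $(resolv_nameservers "$file"); do
        if is_ipv4 "$ns"; then
            good=$((good + 1))
        else
            echo "WARN: $file: malformed nameserver entry: $ns" >&2
        fi
    done
    echo "$file: $good valid nameserver(s)"
    [ "$good" -gt 0 ]
}

# Constructed sample files (the two ISP addresses are the ones quoted in
# the thread; everything else is made up for the demo). Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    printf 'search example.internal\nnameserver 195.67.199.27\nnameserver 195.67.199.28\n' > "$dir/good.conf"
    printf '# no nameserver lines at all\nsearch example.internal\n' > "$dir/missing.conf"
    printf 'nameserver 195.67.199.27 # primary\nnameserver 195.67.999.1\n' > "$dir/partly.conf"
    echo "$dir"
}

# Usage: sh resolv_check.sh /etc/resolv.conf
# With no argument the built-in samples are checked instead.
if [ -n "${1:-}" ]; then
    resolv_check "$1"
else
    d=$(make_samples)
    for f in "$d"/*.conf; do resolv_check "$f" || true; done
fi
```

The check is purely syntactic: a server that is listed but unreachable still passes it, so pair it with a name lookup against the listed address (for example with `nslookup www.yahoo.com 195.67.199.27`) when the file looks fine but names still do not resolve.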
The iptables script for sharing the internet connection that I used before was (maybe it works, can you check it?):
echo 1 > /proc/sys/net/ipv4/ip_forward
# by default, nothing is forwarded.
iptables -P FORWARD DROP
# Allow all connections OUT and only related ones IN
#iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# NOTE: this forwards every inbound connection to the LAN, not only replies;
# the commented-out state rule above is the restrictive form.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
No need to reboot - as soon as you've added those lines it should be able to browse directly to www.yahoo.com, and most internet tasks should work for you. I think the next task is making sure you can connect to your services from outside - did you add those two extra lines to the script you downloaded?
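The sharing script posted above accepts forwarded traffic in both directions, so once forwarding is on, every LAN host is reachable from the outside, not only the web server. As an added example, not code from any poster or from the HOWTO, here is a POSIX sh script that assembles the tightened ruleset the two snippets in this thread point at: LAN to internet allowed, only replies back in, plus an explicit hole for one published port. The interface names (eth0 external, eth1 internal) and the LAN address 192.168.0.2 are taken from the thread; the variable names and the dry-run mechanism are assumptions made for the example. By default it only prints the iptables commands; set IPT=iptables and SYSCTL=sysctl to apply them as root.

```shell
#!/bin/sh
# Added example (not from the thread's posters): a default-deny NAT gateway
# with one published TCP port. Runs in dry-run mode unless IPT/SYSCTL are set.

EXTIF=${EXTIF:-eth0}                  # interface towards the ISP (assumed)
INTIF=${INTIF:-eth1}                  # interface towards the LAN (assumed)
WEBSERVER=${WEBSERVER:-192.168.0.2}   # LAN host that publishes port 80
IPT=${IPT:-echo iptables}             # "echo iptables" prints, "iptables" applies
SYSCTL=${SYSCTL:-echo sysctl}

# Turn on routing between the two interfaces (same effect as the
# "echo 1 > /proc/sys/net/ipv4/ip_forward" in the posted script).
enable_ip_forward() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Base policy: LAN may open anything outbound, the internet may only
# answer connections the LAN started, and LAN addresses are masqueraded.
lan_gateway_rules() {
    # flush forwarding and NAT rules so the script can be rerun safely
    $IPT -F FORWARD
    $IPT -t nat -F
    # nothing is forwarded unless a rule below allows it
    $IPT -P FORWARD DROP
    # LAN -> internet: new and existing connections
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # internet -> LAN: replies only (this is what the posted script left open)
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # rewrite outgoing LAN source addresses; MASQUERADE copes with a dynamic IP
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Publish one TCP port: DNAT arriving connections to a LAN host, and open
# the forwarding path for that host and port only.
publish_tcp_port() {
    port=$1
    target=$2
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$target:$port"
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$target" --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Usage: sh gateway.sh                          (print the commands)
#        IPT=iptables SYSCTL=sysctl sh gateway.sh   (apply them, as root)
enable_ip_forward
lan_gateway_rules
publish_tcp_port 80 "$WEBSERVER"
```

The DNAT rule matches on the external interface rather than on a fixed external address, so it keeps working when the ISP hands out a new IP. Note that the FORWARD hole is limited to the DNAT target and port; without it the default DROP policy silently discards the redirected connections, which is the usual reason a "port forward" appears not to work.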