LinuxQuestions.org


funkymunky 03-14-2005 10:27 AM

iptables: restricting forwarding??
 
Hi,

We have shared our dialup internet connection across 4 users on our network of 30 guys. One user, who is acting as the gateway, is running Fedora Core 3. Using an iptables config script, we have restricted access to the four of us, but that doesn't seem to be working: everyone can access the net :-( . The script is below, please point out the errors.

Also, how do I determine which users are being forwarded (I mean, which of them are accessing the net through the gateway) at a particular instant? And then, how do I bump them off? Which commands do I use?

Here's my iptables config script:
========================================

Code:

#!/bin/bash
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

## enable local network services
/sbin/iptables --append INPUT        --in-interface  eth1 -p all -j ACCEPT
/sbin/iptables --append OUTPUT        --out-interface eth1 -p all -j ACCEPT

## enable local network services
#/sbin/iptables --append INPUT        --in-interface  eth2 -p udp --dport 53 -j ACCEPT
#/sbin/iptables --append INPUT        --in-interface  eth2 -p tcp --dport 22 -j ACCEPT
##/sbin/iptables --append INPUT        --in-interface  eth2 -p tcp -j ACCEPT
/sbin/iptables -A OUTPUT -o eth2 -p all -j ACCEPT
/sbin/iptables -A INPUT -i eth2 -p all -j ACCEPT

## local loopback interface
/sbin/iptables --append INPUT        --in-interface lo -p all -j ACCEPT
/sbin/iptables --append OUTPUT        --out-interface lo -p all -j ACCEPT

##public service
#/sbin/iptables --append INPUT        --in-interface  eth0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables --append INPUT        --in-interface  eth0 -p tcp --dport 8342:8345 -j ACCEPT

/sbin/iptables --append INPUT        --in-interface  eth0 -p tcp --dport 24716 -j ACCEPT
## Set up IP FORWARDing and Masquerading
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/sbin/iptables --append FORWARD        --in-interface eth2 -j ACCEPT
/sbin/iptables --append FORWARD        --in-interface eth1 -j ACCEPT
/sbin/iptables --append INPUT                --in-interface eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

## reject others
/sbin/iptables --append INPUT                --in-interface eth0 -m state --state NEW -j DROP
/sbin/iptables --append INPUT -j DROP
/sbin/iptables --append OUTPUT -p icmp -d 0/0 -j DROP

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------

# Disable routing triangulation. Respond to queries out

# the same interface, not another. Helps to maintain state

# Also protects against IP spoofing

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#---------------------------------------------------------------

# Enable logging of packets with malformed IP addresses

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#---------------------------------------------------------------

# Disable redirects

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#---------------------------------------------------------------

# Disable source routed packets

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#---------------------------------------------------------------

# Disable acceptance of ICMP redirects

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#---------------------------------------------------------------

# Turn on protection from Denial of Service (DOS) attacks

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#---------------------------------------------------------------

# Disable responding to ping broadcasts

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

============================================

Thanks in advance,

Mayank

popm 03-14-2005 02:01 PM

Thank you kindly. This information is very useful for me. Great site! Thanks again!


<link removed by moderator>

Capt_Caveman 03-14-2005 10:50 PM

Anything that is being forwarded by the FC gateway is going to use the FORWARD chain. Looking at your script, I don't see how you are restricting forwarding at all. I also don't see any default policies for any of the chains, so if you aren't setting the policy, it automagically becomes 'ACCEPT'. Therefore anything that doesn't specifically match a rule will reach the default policy (ACCEPT) and get forwarded. Maybe if you described how you would like to restrict access (by IP address, MAC address, etc) we can come up with a solution. It might also help to give a brief description of your network and what eth0/1/2 are connected to.

funkymunky 03-14-2005 10:59 PM

Sorry, I have posted a clean script, the way we got it off the net. Unfortunately, the edited script got lost; hope you can still help :-(

The FC gateway has the dialup interface connected to ppp0, so all FORWARD requests should be routed to it. The only NIC present in it is connected to eth0, so all the requests come from there.

One unpleasant thing we had noticed was that people would change their IP to one of the four that were allowed, and would thus fool the firewall, so MAC level authentication would be better, but I suppose that can be spoofed too.

Thanks in anticipation,

Mayank

funkymunky 03-14-2005 11:52 PM

Another query I had was:
How do I determine which users are being forwarded to ppp0 at a particular instant? "netstat -an" does show all of them; how do I determine which ones are simply accessing my LAN shares, and which ones are being forwarded? And then, how do I drop their connections?

funkymunky 03-15-2005 03:22 AM

Here's the actual script we're using, with the rules etc. set:


==============================================
Code:

#!/bin/bash
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

## enable local network services
/sbin/iptables --append INPUT        --in-interface  eth0 -p all -j ACCEPT
/sbin/iptables --append OUTPUT        --out-interface eth0 -p all -j ACCEPT

## enable local network services
#/sbin/iptables --append INPUT        --in-interface  eth0 -p udp --dport 53 -j ACCEPT
#/sbin/iptables --append INPUT        --in-interface  eth0 -p tcp --dport 22 -j ACCEPT
##/sbin/iptables --append INPUT        --in-interface  eth0 -p tcp -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p all -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p all -j ACCEPT

## local loopback interface
/sbin/iptables --append INPUT        --in-interface lo -p all -j ACCEPT
/sbin/iptables --append OUTPUT        --out-interface lo -p all -j ACCEPT

##public service
#/sbin/iptables --append INPUT        --in-interface  ppp0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables --append INPUT        --in-interface  ppp0 -p tcp --dport 8342:8345 -j ACCEPT

/sbin/iptables --append INPUT        --in-interface  ppp0 -p tcp --dport 24716 -j ACCEPT
## Set up IP FORWARDing and Masquerading
/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
/sbin/iptables --append FORWARD        --in-interface eth0 -j ACCEPT -s 192.168.3.17
/sbin/iptables --append FORWARD        --in-interface eth0 -j ACCEPT -s 192.168.3.20
/sbin/iptables --append FORWARD        --in-interface eth0 -j ACCEPT -s 192.168.2.11
/sbin/iptables --append FORWARD        --in-interface ppp0 -j ACCEPT
/sbin/iptables --append INPUT                --in-interface ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

## reject others
/sbin/iptables --append INPUT                --in-interface ppp0 -m state --state NEW -j DROP
/sbin/iptables --append INPUT -j DROP
/sbin/iptables --append OUTPUT -p icmp -d 0/0 -j DROP

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------

# Disable routing triangulation. Respond to queries out

# the same interface, not another. Helps to maintain state

# Also protects against IP spoofing

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#---------------------------------------------------------------

# Enable logging of packets with malformed IP addresses

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#---------------------------------------------------------------

# Disable redirects

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#---------------------------------------------------------------

# Disable source routed packets

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#---------------------------------------------------------------

# Disable acceptance of ICMP redirects

#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#---------------------------------------------------------------

# Turn on protection from Denial of Service (DOS) attacks

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#---------------------------------------------------------------

# Disable responding to ping broadcasts

#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

==================================================


Regards,

Mayank

Capt_Caveman 03-15-2005 10:41 AM

Set your default policy for the FORWARD chain to DROP at the beginning of the script. So any packets which don't match any of the forwarding rules will get dropped:
==============================================
Code:

#!/bin/bash
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain
/sbin/iptables -P FORWARD DROP

Your forwarding rules are ok, but you should limit traffic being forwarded into the LAN to established or related states. Otherwise it might be possible for someone to remotely access the LAN.
Code:

## Set up IP FORWARDing and Masquerading
/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
/sbin/iptables --append FORWARD        --in-interface eth0 -j ACCEPT -s 192.168.3.17
/sbin/iptables --append FORWARD        --in-interface eth0 -j ACCEPT -s 192.168.3.20
/sbin/iptables --append FORWARD        --in-interface eth0 -j ACCEPT -s 192.168.2.11
/sbin/iptables --append FORWARD        --in-interface ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables --append INPUT                --in-interface ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

If you wish to restrict access by MAC address, simply find the MAC addresses from the clients and replace the forwarding rules above with:
Code:

## Set up IP FORWARDing and Masquerading
/sbin/iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
/sbin/iptables --append FORWARD        --in-interface eth0 -j ACCEPT -m mac --mac-source AA:AA:AA:AA:AA:AA
/sbin/iptables --append FORWARD        --in-interface eth0 -j ACCEPT -m mac --mac-source BB:BB:BB:BB:BB:BB
/sbin/iptables --append FORWARD        --in-interface eth0 -j ACCEPT -m mac --mac-source CC:CC:CC:CC:CC:CC
/sbin/iptables --append FORWARD        --in-interface eth0 -j ACCEPT -m mac --mac-source EE:EE:EE:EE:EE:EE

/sbin/iptables --append FORWARD        --in-interface ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

To find the clients' MAC addresses quickly, just use the arp command to display the current IP<->MAC mappings. Also, remember that restricting by MAC addresses only works for systems on the same physical network. It is possible to spoof MAC addresses fairly easily, so you might want to take a look at arpstar or arpwatch.
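
The advice in this post collected into one script, as an added example that is not from the thread or from Capt_Caveman: default FORWARD policy DROP, forwarding allowed only when a client's source IP and MAC both match (which also addresses the IP-changing trick mentioned earlier), ESTABLISHED,RELATED only back into the LAN, and a rate-limited LOG rule so denied clients show up in syslog. It assumes eth0 and ppp0 as in the thread; the MAC addresses are constructed placeholders.

```shell
#!/bin/bash
# Added example, not code from the thread. Assumes the LAN is on eth0 and the
# dialup link on ppp0. Each allowed client is identified by IP AND MAC; the MACs
# below are constructed placeholders (read the real ones from 'arp -n').
LAN_IF="eth0"
WAN_IF="ppp0"
# Dry run by default: the rules are printed. Pass --apply to install them (as root).
if [ "${1:-}" = "--apply" ]; then IPT="/sbin/iptables"; else IPT="echo /sbin/iptables"; fi

# One "ip/mac" pair per line (placeholder MACs).
ALLOWED_CLIENTS="192.168.3.17/AA:AA:AA:AA:AA:AA
192.168.3.20/BB:BB:BB:BB:BB:BB
192.168.2.11/CC:CC:CC:CC:CC:CC"

reset_tables() {
    $IPT --flush
    $IPT --table nat --flush
    $IPT --delete-chain
    $IPT --table nat --delete-chain
    # Default policy first, so anything not explicitly accepted below is dropped.
    $IPT -P FORWARD DROP
}

# Forward a client's traffic only if BOTH its source IP and source MAC match,
# so simply changing the IP to an allowed one is no longer enough.
allow_client() {
    ip="${1%/*}"
    mac="${1#*/}"
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT
}

build_forward_rules() {
    reset_tables
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    printf '%s\n' "$ALLOWED_CLIENTS" | while read -r pair; do
        if [ -n "$pair" ]; then allow_client "$pair"; fi
    done
    # Only replies to LAN-initiated connections may come back in from the dialup side.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate-limited) what the DROP policy is about to discard, so unauthorised
    # clients are visible in syslog instead of failing silently.
    $IPT -A FORWARD -i "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FWD-DENIED: "
}

build_forward_rules
```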

funkymunky 03-15-2005 12:06 PM

Thanks to Capt_Caveman, it seems to be working fine now. However, there's a peculiar problem we're facing:
From the clients, no browser is able to open rediffmail.com, google images, or get to their yahoo mail inbox; the browsers time out while connecting to these sites. (There may be other such sites that are unreachable.) Other sites work fine.

Among the 4 people sharing the Internet connection, two are running Fedora Core 3, while the others run Windoze. This behaviour comes up only in the Linux *client*; the gateway Linux box and the Windoze clients work fine. One of the Linux boxes is acting as the server.

Further, this behaviour is replicated if either of the Fedora Core boxes is made the gateway. And like I said, only the Linux *client* has this problem. I've even tried reinstalling Linux on both the Linux boxes, to no avail!

Does anyone here have a clue?

Regards,
Mayank

Capt_Caveman 03-15-2005 12:46 PM

Make sure that ecn is off:
cat /proc/sys/net/ipv4/tcp_ecn (make sure it's 0)

Also linux clients can occasionally have problems with mtu size and DF flag. Try adding:
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

funkymunky 03-15-2005 01:36 PM

Hi, Capt_Caveman
That did not seem to have any effect on the Linux client. As you instructed, I tried this on the gateway:

Code:

[root@mayank ~]# cat /proc/sys/net/ipv4/tcp_ecn
0
[root@mayank ~]#

Also, I typed in the rule you had mentioned at the bash prompt; no change in the client's problem.

Regards
Mayank

Capt_Caveman 03-15-2005 02:12 PM

Try turning ICMP back on:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

