LinuxQuestions.org

Linux - Security: LAN machines unable to connect to Internet through (firewall on) gateway
http://www.linuxquestions.org/questions/linux-security-4/lan-machines-unable-to-connect-to-internet-through-firewall-on-gateway-115149/

nishi_k_79 11-12-2003 05:38 AM

LAN machines unable to connect to Internet through (firewall on )gateway
 
Hi,
I have my Linux machine connected as a gateway on my network, where the machines are connected in a workgroup.
I have configured NAT and Firewall and can browse the Internet sites through the gateway.
However, LAN machines cannot browse the Internet when I put in the filter rules (given below).

Tracert from a LAN machine shows the following behaviour:
1 ...........Linuxmachine
2 * * * Request Timed Out.

Interfaces : eth0 : Connected to LAN.
Interfaces : eth1 : Connected to Internet


#############################################################
echo "CONFIGURING NAT"
echo "==============="
#############################################################
#iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.x.x.x
#iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 10.168.168.1-10.168.168.30


##**************RULES TO SET UP GATEWAY ***********************#
#############################################################
echo "FLUSH ALL RULES AND CHAINS"
#############################################################
echo "=========================="
iptables -F #Flush all the rules in the filter table (the nat table is flushed separately below)
iptables -X
iptables -t nat -F
iptables --delete-chain
iptables -t nat --delete-chain

#####################################################################
echo "ENABLES PACKET FORWARDING BY KERNEL"
####################################################################
echo "=========================="
echo 1 > /proc/sys/net/ipv4/ip_forward

#**************END GATEWAY RULES ***********************#

#**************FIREWALL RULES*********************************#

#############################################################
echo "DEFAULT POLICIES"
#############################################################
echo "=========================="
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


#############################################################
echo "LOCAL TRAFFIC"
#############################################################
echo "=========================="
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

#ALLOW ALL ON INTERNAL ETH0
iptables -A INPUT -p all -i eth0 -s 10.168.168.0/24 -j ACCEPT
iptables -A OUTPUT -p all -o eth0 -s 10.168.168.0/24 -j ACCEPT
#############################################################
echo "ICMP RULES"
#############################################################
# This allows neighbouring machines to ping by ip addr.
echo "=========================="
iptables -A INPUT -p icmp -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j ACCEPT

############################################################
echo "ALLOW SAMBA RULES"
############################################################
echo "=================="
iptables -A INPUT -p udp -s 10.168.168.0/24 --destination-port 137:139 -j ACCEPT
iptables -A INPUT -p tcp -s 10.168.168.0/24 --destination-port 137:139 -j ACCEPT

############################################################
echo "ALLOW SERVICES"
############################################################
echo "=============="
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT #OPEN HTTP PORT.
iptables -A INPUT -i eth1 -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT #Open secure shell port
iptables -A INPUT -p udp -i eth1 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT #Open DNS port
iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT

############################################################
echo "BLOCK SERVICES"
############################################################
echo "=================="
iptables -A INPUT -p tcp -i eth1 -s 0/0 -d 0/0 --dport 2049 -j DROP
iptables -A INPUT -p udp -i eth1 -s 0/0 -d 0/0 --dport 2049 -j DROP
iptables -A INPUT -p tcp -i eth1 -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
iptables -A INPUT -p tcp -i eth1 -s 0/0 -d 0/0 --dport 7100 -j DROP
iptables -A INPUT -p tcp -i eth1 -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p udp -i eth1 -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p tcp -i eth1 -s 0/0 -d 0/0 --dport 111 -j DROP
iptables -A INPUT -p udp -i eth1 -s 0/0 -d 0/0 --dport 111 -j DROP


####################################################################
echo "ENABLE CONNECTION TRACKING"
####################################################################
echo "=========================="
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

####################################################################
echo "ACCEPT ESTABLISHED CONNECTION"
####################################################################
echo "============================"
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT #TCP segments with no MSS option (option 2) are not SYNs; reject the strays not already accepted above

####################################################################
echo "ANTI SPOOFING RULES"
####################################################################
echo "=================="
#Deny outside packets from internet which claim to be from your loopback interface.
iptables -A INPUT -p all -s localhost -i eth1 -j DROP
iptables -A INPUT -p all -s x.x.x.x -i eth1 -j DROP

Thanks in advance...

Capt_Caveman 11-13-2003 01:30 PM

I think you have your NAT set up incorrectly.
Try using this by itself:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

I'm not 100% sure of this, but I believe the syntax of your DNAT rule tells the box to distribute incoming packets to one of the addresses in the 10.168.168.1-10.168.168.30 range in round-robin fashion. In fact you can use that exact rule to do a sort of "poor man's" load balancing on a server farm. Using the SNAT by itself along with a rule to allow RELATED, ESTABLISHED connections should do the trick. I just tried it on my LAN and it worked properly. Also, put the NAT rules in after you flush the NAT table.
HTH
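The two points raised in this thread, SNAT alone for outbound browsing and the NAT rule surviving the flush, can be shown together in one gateway ruleset. The script below is an added example, not the poster's script or Capt_Caveman's rules. It emits the ruleset in iptables-restore format, so each table is loaded atomically and a later flush cannot wipe the SNAT rule. Interface roles and the LAN range follow the thread (eth0 = LAN 10.168.168.0/24, eth1 = Internet); the public address 203.0.113.10 is a documentation address assumed in place of the x.x.x.x in the post, and the FORWARD policy is DROP rather than the ACCEPT used in the question, which goes beyond the thread's fix. The `conntrack` match and `iptables-restore --test` assume a reasonably current iptables.

```shell
#!/bin/sh
# Added example (not from the thread): a two-interface NAT gateway ruleset in
# iptables-restore format. eth0 = LAN 10.168.168.0/24, eth1 = Internet, as in
# the post. The public address is an argument, since the post shows only x.x.x.x.
#
# Usage:  sh gateway.sh 203.0.113.10 | iptables-restore
#         (203.0.113.10 is a documentation address standing in for x.x.x.x)

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.168.168.0/24}

# Print the complete ruleset. iptables-restore replaces each table atomically,
# so the "flush first, then add NAT" ordering mistake cannot happen here.
emit_rules() {
    wan_ip=$1
    if [ -z "$wan_ip" ]; then
        echo "usage: emit_rules <public-ip-of-$WAN_IF>" >&2
        return 1
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Outbound browsing needs only SNAT; no DNAT rule on $WAN_IF.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $wan_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: loopback or LAN source addresses never arrive on the Internet side.
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# FORWARD defaults to DROP (the post used ACCEPT): only LAN->Internet
# connections and their replies pass through the box.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: the SNAT rule must sit inside the *nat table,
# between its header and its COMMIT. Returns 0 when it does.
check_rules() {
    emit_rules "$1" | awk '
        /^\*nat/  { in_nat = 1 }
        /^COMMIT/ { in_nat = 0 }
        in_nat && /-j SNAT --to-source/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

if [ "$#" -gt 0 ]; then
    check_rules "$1" && emit_rules "$1"
fi
```

Forwarding still has to be switched on in the kernel (`sysctl -w net.ipv4.ip_forward=1`, or the `echo 1 > /proc/sys/net/ipv4/ip_forward` from the post), and `sh gateway.sh 203.0.113.10 | iptables-restore --test` parses the ruleset without committing it. After loading, `iptables -t nat -L POSTROUTING -n -v` and `iptables -L FORWARD -n -v` show packet counters climbing on the SNAT and FORWARD rules while a LAN host browses; a traceroute that stops at the gateway with counters stuck at zero on the SNAT rule is the symptom described in the question.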

