LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
11-12-2003, 05:38 AM   #1
nishi_k_79 (LQ Newbie, Registered: Apr 2003, Location: India, Posts: 10)
LAN machines unable to connect to Internet through (firewall on )gateway


Hi,
I have my Linux machine connected as the gateway on my network, where the machines are connected in a workgroup.
I have configured NAT and the firewall and can browse Internet sites through the gateway.
However, the LAN machines cannot browse the Internet when I put in the filter rules (given below).

Tracert from a LAN machine shows the following behaviour:
1 ...........Linuxmachine
2 * * * Request Timed Out.

Interfaces: eth0: connected to LAN.
Interfaces: eth1: connected to Internet.


#!/bin/sh
# Gateway ruleset. eth0: LAN (10.168.168.0/24), eth1: Internet.

#############################################################
echo "CONFIGURING NAT"
echo "==============="
#############################################################
# NOTE: as posted, both NAT rules are commented out, so LAN source
# addresses are never rewritten on their way out of eth1.
#iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.x.x.x
#iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 10.168.168.1-10.168.168.30


##**************RULES TO SET UP GATEWAY ***********************#
#############################################################
echo "FLUSH ALL RULES AND CHAINS"
#############################################################
echo "=========================="
iptables -F            # flush rules in the filter table only (-F without -t touches no other table)
iptables -X            # delete user-defined chains in the filter table
iptables -t nat -F     # flush rules in the nat table
iptables -t nat -X     # delete user-defined chains in the nat table

#####################################################################
echo "ENABLES PACKET FORWARDING BY KERNEL"
####################################################################
echo "=========================="
echo 1 > /proc/sys/net/ipv4/ip_forward

#**************END GATEWAY RULES ***********************#

#**************FIREWALL RULES*********************************#

#############################################################
echo "DEFAULT POLICIES"
#############################################################
echo "=========================="
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT   # anything routed between eth0 and eth1 passes unless a FORWARD rule drops it
iptables -P OUTPUT ACCEPT

####################################################################
echo "ANTI SPOOFING RULES"
####################################################################
echo "=================="
# Placed before any ACCEPT rule on eth1: a packet matched by an earlier
# ACCEPT never reaches a later DROP, so anti-spoofing rules at the end of
# the chain would be dead.
# Drop packets from the Internet which claim to come from the loopback network.
iptables -A INPUT -p all -s 127.0.0.0/8 -i eth1 -j DROP
# Drop packets from the Internet which claim to come from the gateway's own public address.
iptables -A INPUT -p all -s x.x.x.x -i eth1 -j DROP

#############################################################
echo "LOCAL TRAFFIC"
#############################################################
echo "=========================="
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

#ALLOW ALL ON INTERNAL ETH0
iptables -A INPUT -p all -i eth0 -s 10.168.168.0/24 -j ACCEPT
iptables -A OUTPUT -p all -o eth0 -s 10.168.168.0/24 -j ACCEPT
#############################################################
echo "ICMP RULES"
#############################################################
# This allows neighbouring machines to ping by IP address (and accepts any ICMP arriving on eth1).
echo "=========================="
iptables -A INPUT -p icmp -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j ACCEPT

############################################################
echo "ALLOW SAMBA RULES"
############################################################
echo "=================="
# Bound to eth0 so a packet arriving on eth1 with a forged 10.168.168.x source cannot match.
# (Already covered by the ALLOW ALL ON INTERNAL ETH0 rule above.)
iptables -A INPUT -p udp -i eth0 -s 10.168.168.0/24 --dport 137:139 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 10.168.168.0/24 --dport 137:139 -j ACCEPT

############################################################
echo "ALLOW SERVICES"
############################################################
echo "=============="
# HTTP and SSH are TCP-only; the UDP 80 and UDP 22 rules opened nothing useful and were removed.
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT   # open HTTP port
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT   # open secure shell port
iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT   # open DNS port (a resolver running here is reachable from the Internet)
iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT

############################################################
echo "BLOCK SERVICES"
############################################################
echo "=================="
# With the INPUT policy already DROP these explicit drops are redundant, but they
# document which services must never be reachable from eth1
# (NFS 2049, X11 6000-6009, font server 7100, lpd 515, portmapper 111).
iptables -A INPUT -p tcp -i eth1 --dport 2049 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 2049 -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 6000:6009 -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 7100 -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 515 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 515 -j DROP
iptables -A INPUT -p tcp -i eth1 --dport 111 -j DROP
iptables -A INPUT -p udp -i eth1 --dport 111 -j DROP


####################################################################
echo "ENABLE CONNECTION TRACKING"
####################################################################
echo "=========================="
# -I inserts at the head of FORWARD, so the second rule ends up first:
# replies to tracked connections are accepted, packets conntrack cannot
# classify are dropped.
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

####################################################################
echo "ACCEPT ESTABLISHED CONNECTION"
####################################################################
echo "============================"
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject TCP packets carrying no MSS option (TCP option 2): only SYN segments
# carry it, so this answers stray non-SYN TCP packets that nothing above accepted.
# The tcp-reset variant is left commented out as posted.
iptables -A INPUT -p tcp ! --tcp-option 2 -j REJECT #--reject-with tcp-reset

Thanks in advance...
 
11-13-2003, 01:30 PM   #2
Capt_Caveman (Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
I think you have your NAT set up incorrectly.
Try using this by itself:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.xxx

I'm not 100% sure of this, but I believe the syntax of your DNAT rule tells the box to distribute incoming packets to one of the addresses in the 10.168.168.1-10.168.168.30 range in round-robin fashion. In fact you can use that exact rule to do a sort of "poor-man's" load balancing on a server farm. Using the SNAT by itself along with a rule to allow RELATED, ESTABLISHED connections should do the trick. I just tried it on my LAN and it worked properly. Also, put the NAT rules in after you flush the NAT table.
HTH
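A gateway script built along the lines Capt_Caveman suggests, as an added example that is not part of the original thread (it is neither poster's code): the nat table is flushed before the NAT rule is loaded, only source NAT is used (SNAT to a fixed address, MASQUERADE when none is configured), FORWARD is closed by default and opened statefully for LAN-originated connections, and the anti-spoofing drops come before any ACCEPT so no earlier rule can shadow them. The interface names, the LAN prefix 10.168.168.0/24 and the PUBLIC_IP/IPT variables are this example's own assumptions; the page gives the public address only as x.x.x.x.

```shell
#!/bin/sh
# Added example, not the original poster's script and not Capt_Caveman's own
# code: a minimal stateful NAT gateway for the topology in this thread.
# Assumptions (not stated on the page): eth0 faces the LAN 10.168.168.0/24,
# eth1 faces the Internet, the public address comes from PUBLIC_IP, and
# setting IPT=echo prints the rules instead of loading them.
set -eu

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.168.168.0/24}
PUBLIC_IP=${PUBLIC_IP:-}      # empty -> MASQUERADE instead of SNAT
IPT=${IPT:-iptables}          # IPT=echo for a dry run

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

gateway_rules() {
    # 1. Flush both tables BEFORE loading NAT, so the flush cannot wipe the
    #    SNAT rule (the ordering Capt_Caveman points out).
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X

    # 2. Source NAT only. A PREROUTING DNAT to an address range would hand
    #    every new inbound connection to a LAN host in round-robin fashion,
    #    which is load balancing, not what a gateway wants.
    if [ -n "$PUBLIC_IP" ]; then
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
    else
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    fi

    # 3. Deny by default on INPUT and FORWARD; a FORWARD ACCEPT policy would
    #    let anything routable from the Internet side reach the LAN.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 4. Anti-spoofing first, before any ACCEPT rule can shadow it: nothing
    #    arriving from the Internet may claim a loopback or LAN source.
    for bad in 127.0.0.0/8 "$LAN_NET"; do
        $IPT -A INPUT   -i "$WAN_IF" -s "$bad" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -s "$bad" -j DROP
    done

    # 5. Stateful acceptance: replies come back through conntrack, not
    #    through per-port holes.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 6. LAN hosts may open new connections to the gateway and to the Internet.
    $IPT -A INPUT   -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # 7. Exposed on the Internet side: SSH (TCP only) and ping.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
}

case "${1:-}" in
    apply) enable_forwarding; gateway_rules ;;
    show)  IPT=echo; gateway_rules ;;
esac
```

`sh gateway.sh show` prints the rules in load order so the placement of the nat flush, the SNAT rule and the anti-spoofing drops can be checked before anything touches the kernel; `PUBLIC_IP=203.0.113.5 sh gateway.sh apply` (as root) loads them, and leaving PUBLIC_IP unset falls back to MASQUERADE, which is the right choice when the eth1 address is assigned dynamically.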