LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-19-2002, 02:18 PM   #1
gwu
LQ Newbie
 
Registered: Dec 2002
Posts: 6

Rep: Reputation: 0
Post I can't get it up!!


I can't get the IP filtering working (firewall, iptables, Linux 2.4.x).
From the internal client I can ping the internal NIC and the external NIC on the firewall, but nothing past that, including the internet.

eth0(to extern)
ip=212.51.51.5
nm=255.255.255.0
nw=212.51.51.0
bc=212.51.51.255
gw=212.51.51.1(router ip address to internet)

eth1(to intern)
ip=212.51.51.6
nm=255.255.255.0
nw=212.51.51.0
bc=212.51.51.255

intern client
ip=212.51.51.7
nm=255.255.255.0
nw=212.51.51.0
bc=212.51.51.255
gw=212.51.51.6
 
Old 12-19-2002, 11:36 PM   #2
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
you need to get the linux box connected to the internet with dns working first using dhcpcd or static ip depending on your internet connection


then enable ip forwarding

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
then you can setup iptables masquerade with an acceptable set of firewall rules including ( eth1 = internet interface )
Code:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
if dhcp is not doing it you need to setup clients dns to valid dns servers, and the gateway to the interface they connect to
 
Old 12-20-2002, 12:30 AM   #3
Meatwad
Member
 
Registered: Dec 2002
Distribution: Debian, Libranet, Red Hat
Posts: 43

Rep: Reputation: 15
I think you also have to explicitly forward traffic to and from your internal clients on the FORWARD chain:

# -i takes an interface name, not an address: eth1 is the inside NIC, eth0 the outside NIC
iptables -A FORWARD -i eth1 -s 212.51.51.7 -j ACCEPT
iptables -A FORWARD -i eth0 -d 212.51.51.7 -j ACCEPT
 
Old 12-20-2002, 12:56 AM   #4
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
Everything depends on your network configuration and services required on it.

the one rule is only for ip masq, the other rules you have will determine what gets through and what does not.


look here for some good rule sets
http://www.linuxguruz.org/iptables/
 
Old 12-20-2002, 08:33 AM   #5
gwu
LQ Newbie
 
Registered: Dec 2002
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for the replies!!

I will not be using IP MASQ. I don't know if this will pose a problem, since both sides of the firewall are on the same subnet (255.255.255.0). All I want to do is set up the filtering. I have tried the iptables rules that Meatwad posted and I used the echo 1 script as well, and I still cannot ping past the firewall. I can still ping both NICs on the firewall (internal and external), just not anything past that.

thanks again.
 
Old 12-20-2002, 08:56 AM   #6
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
ok, so these are valid ips for each machine. I see..

the default gateway must be set to the internet default gateway on all machines
 
Old 12-20-2002, 11:36 AM   #7
gwu
LQ Newbie
 
Registered: Dec 2002
Posts: 6

Original Poster
Rep: Reputation: 0
so even the clients behind the firewall(and the two NICs on the firewall itself) will use 212.51.51.1(cisco router to internet) for the default gateway?

the iptables script is

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

(I can add the security later, I just need the forwarding to work.)

I have tried all this and still I get no response when pinging the computers on the other side of the firewall.
 
Old 12-20-2002, 12:35 PM   #8
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
What do you have in /etc/host.allow and /etc/host.deny?

does the linux box have a connection?
the ip address is correct on both interfaces?
check it out with ..

ifconfig

check the routing
make sure you have a default route

route -n

fire up iptraf and see what's going through the linux box
 
Old 12-20-2002, 01:06 PM   #9
gwu
LQ Newbie
 
Registered: Dec 2002
Posts: 6

Original Poster
Rep: Reputation: 0
This is the setup: I can't ping 212.51.51.1 from the client, but I can ping 212.51.51.5 and 212.51.51.6 from the client. I can also ping 212.51.51.1 and www.lycos.com from 212.51.51.5 (eth0 on the firewall).

internet
|
|
cisco router IP=212.51.51.1 NM=255.255.255.0
|
|
+--------------------------------------------------+
|eth0 IP=212.51.51.5 NM=255.255.255.0|
|
|linux firewall
|
|eth1 IP=212.51.51.6 NM=255.255.255.0|
+--------------------------------------------------+
|
|
client IP=212.51.51.7 NM=255.255.255.0
 
Old 12-20-2002, 04:44 PM   #10
Meatwad
Member
 
Registered: Dec 2002
Distribution: Debian, Libranet, Red Hat
Posts: 43

Rep: Reputation: 15
Can you ping sites on the net by ip? If so you might not have your dns nameservers setup right.

Make sure the internal client machine has nameserver entries in the file /etc/resolv.conf
 
Old 12-20-2002, 09:29 PM   #11
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
did you try iptraf yet?
 
Old 12-20-2002, 11:20 PM   #12
gwu
LQ Newbie
 
Registered: Dec 2002
Posts: 6

Original Poster
Rep: Reputation: 0
No, I can't ping anything on the net by IP. Someone informed me that firewalls like this will not work because it is not set up as a router between subnets, and that's why it is not working. Are they correct? If you look at the diagram, I have put both sides of the firewall on the same subnet....

thanks
 
Old 12-21-2002, 12:38 AM   #13
Meatwad
Member
 
Registered: Dec 2002
Distribution: Debian, Libranet, Red Hat
Posts: 43

Rep: Reputation: 15
Usually, or at least the way I've always seen it done and the way I do it, is to assign your internal machines IPs from the private classes like 10.85.0.0 and 192.168.0.0

I am by no means a networking guru, but if you can't ping anything outside your network by IP address you have issues there.
 
Old 12-21-2002, 03:52 AM   #14
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
ok, since you refuse to try iptraf just kidding

tell the person that said it can't be done to hold on just a minute


I am going to use some commands here; some may be unnecessary, but if you get errors let us know. Just run them and then we will see where we are at.

first we will load some modules, if you get errors here then we need to know it
Code:
modprobe ip_tables
modprobe ip_conntrack
now we will set up some forwarding rules

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
now I want to see if the values are set

Code:
cat /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
cat /proc/sys/net/ipv4/conf/eth1/proxy_arp
ok, did they all return a 1?

cool, lets proceed


Code:
service iptables stop

ifconfig eth0 down
ifconfig eth1 down
ifconfig should show lo only at this point

Code:
ifconfig eth0 212.51.51.5 netmask 255.255.255.255
ifconfig eth1 212.51.51.6 netmask 255.255.255.255
ok run ifconfig and make sure the ips and netmasks are correct

now if you run route it should be empty


we will add some routes

Code:
route add 212.51.51.5 eth0
route add 212.51.51.6 eth1
route add 212.51.51.7 eth1
route add 212.51.51.1 eth0
route add default gw 212.51.51.1

setup all clients with the same default gateway 212.51.51.1
setup clients and linux router with the correct dns
click the affero button below and rate this thread



Last edited by DavidPhillips; 12-21-2002 at 04:00 AM.
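The single-subnet problem behind this thread and the proxy-ARP fix from post #14, as an added example that is not code from the thread or its posters: a small Python planner that checks whether the upstream router and both firewall NICs share one subnet and, if they do, emits the sysctl writes, /32 interface addresses and per-host routes the post applies by hand, plus FORWARD rules keyed on interface names. Addresses are the ones posted in the thread; the function names and the CLIENTS/FIREWALL dictionaries are my own assumptions.

```python
"""Added example: plan the proxy-ARP router setup described in this thread.

Addresses are the ones posted (212.51.51.0/24); function names are mine."""
import ipaddress

# Constructed sample: the topology drawn in post #9.
ROUTER = "212.51.51.1"                                     # upstream Cisco router
FIREWALL = {"eth0": "212.51.51.5", "eth1": "212.51.51.6"}  # eth0 faces the router
CLIENTS = {"eth1": ["212.51.51.7"]}                        # hosts behind each inside NIC
NETMASK = "255.255.255.0"


def same_subnet(addr_a, addr_b, netmask):
    """True when both addresses lie in one network under this mask."""
    net = ipaddress.ip_network(f"{addr_a}/{netmask}", strict=False)
    return ipaddress.ip_address(addr_b) in net


def plan_proxy_arp(router, firewall, clients, netmask, upstream_if="eth0"):
    """Return the commands post #14 runs, or None if ordinary routing suffices.

    With both NICs in the router's subnet, the router ARPs for the client on
    its own segment and the firewall stays silent, so packets never reach
    eth1.  Proxy ARP makes the firewall answer ARP for hosts it has a route
    to; /32 addresses plus per-host routes tell the kernel which side each is on.
    """
    if not all(same_subnet(router, ip, netmask) for ip in firewall.values()):
        return None  # a distinct subnet on each side: plain routing works
    cmds = ["echo 1 > /proc/sys/net/ipv4/ip_forward"]
    cmds += [f"echo 1 > /proc/sys/net/ipv4/conf/{ifc}/proxy_arp" for ifc in firewall]
    cmds += [f"ifconfig {ifc} {ip} netmask 255.255.255.255" for ifc, ip in firewall.items()]
    cmds += [f"route add {ip} {ifc}" for ifc, ip in firewall.items()]
    cmds += [f"route add {ip} {ifc}" for ifc, ips in clients.items() for ip in ips]
    cmds.append(f"route add {router} {upstream_if}")
    cmds.append(f"route add default gw {router}")
    return cmds


def forward_rules(clients):
    """Per-client FORWARD accepts (interface names, not IPs, after -i/-o) so
    the filtering the thread wants can later replace a blanket ACCEPT policy."""
    rules = []
    for ifc, ips in clients.items():
        for ip in ips:
            rules.append(f"iptables -A FORWARD -i {ifc} -s {ip} -j ACCEPT")
            rules.append(f"iptables -A FORWARD -o {ifc} -d {ip} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for line in (plan_proxy_arp(ROUTER, FIREWALL, CLIENTS, NETMASK) or []) + forward_rules(CLIENTS):
        print(line)
```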
 
Old 12-21-2002, 09:33 AM   #15
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
Now while that works great! And it is probably what you wanted. Look at this as another solution



This is RedHat, other distros may have boot scripts in a different place. Adjust this as needed.

Backup files first..

Code:
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak

cp /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth1.bak
now we will create new files for the interfaces..

Code:
echo DEVICE=eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0
echo ONBOOT=no >> /etc/sysconfig/network-scripts/ifcfg-eth0
echo DEVICE=eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1
echo ONBOOT=no >> /etc/sysconfig/network-scripts/ifcfg-eth1
echo DEVICE=br0 > /etc/sysconfig/network-scripts/ifcfg-br0
echo ONBOOT=no >> /etc/sysconfig/network-scripts/ifcfg-br0
We are going to create a file that can be run to configure the interface..
I am calling it rc.br0

Code:
echo "#!/bin/sh" > /etc/rc.d/rc.br0
echo "brctl addbr br0" >> /etc/rc.d/rc.br0
echo "brctl addif br0 eth0" >> /etc/rc.d/rc.br0
echo "brctl addif br0 eth1" >> /etc/rc.d/rc.br0

echo "ip link set br0 up" >> /etc/rc.d/rc.br0
echo "ip link set eth0 up" >> /etc/rc.d/rc.br0
echo "ip link set eth1 up" >> /etc/rc.d/rc.br0

echo "Starting up Interface br0" >> /etc/rc.d/rc.br0
echo "This will take 60 seconds" >> /etc/rc.d/rc.br0
Now you have some options, only choose one of them

Option #1

If there is dhcp on the network you can add this

Code:
echo "dhcpcd br0" >> /etc/rc.d/rc.br0

Option #2

If there is no dhcp then manually assign an ip and routing.
Replace xxx.xxx.xxx.xxx with the ip of choice,
and yyy.yyy.yyy.yyy with the default gateway

Code:
echo "ifconfig br0 xxx.xxx.xxx.xxx" >> /etc/rc.d/rc.br0
echo "route add default gw yyy.yyy.yyy.yyy" >> /etc/rc.d/rc.br0
note: you will need nameservers in /etc/resolv.conf
for dns to work on this machine


Option #3

Don't set an ip, the computer will not have an ip and will be invisible


Ok, That's it for the script..

We need to set permissions on our new file

Code:
chmod 755 /etc/rc.d/rc.br0

Now we are ready to run the script to setup the bridge
if your interfaces are up you bring them down first

Code:
ifconfig eth0 down
ifconfig eth1 down

Code:
/etc/rc.d/rc.br0 &

If you want it to come up at boot this will set it up

Code:
echo "/etc/rc.d/rc.br0" >> /etc/rc.d/rc.local
Now you have a bridge

One of the main advantages is that dhcp and other broadcast protocols will work through the bridge. They will not work through a proxy arp.

Last edited by DavidPhillips; 12-24-2002 at 11:37 AM.
 