SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
OK I can't figure this one out here is the scenario
my office has two networked computers on it. mine, and the older agents computer. mine dual boots between winxp and slackware10. the other runs win98se. What I need to do is configure my box to share internet with win98se box no matter what os i am using on this computer.
I configured winxp fine and it works, i used the floppy in the setup wizard to config the win98se box.
1. I configured my eth0 card to have an internal address of 192.168.0.1 since this is what my winxp assigns the eth0.
2. I set up an rc.firewallscript to enable IP Masqing:
Code:
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.75
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.75 - Added more kernel modules to the comments section
# 0.74 - the ruleset now uses modprobe vs. insmod
# 0.73 - REJECT is not a legal policy yet; back to DROP
# 0.72 - Changed the default block behavior to REJECT not DROP
# 0.71 - Added clarification that PPPoE users need to use
# "ppp0" instead of "eth0" for their external interface
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
# 0.50 - Initial draft
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
#
EXTIF="ppp0"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================
echo "----------------------------------------------------------------------"
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables
#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated
#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc
echo "----------------------------------------------------------------------"
# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function. Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
# ip_nat_snmp_basic - this module allows for proper NATing of some
# SNMP traffic
#
# iptable_mangle - this target allows for packets to be
# manipulated for things like the TCPMSS
# option, etc.
#
# --
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
echo -e " Done loading modules.\n"
#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on external interface "eth0". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
3. I set up samba, file sharing works fine between the two boxes.
4. here is my ifconfig output:
5. pinging: with the windows box i can ping: the eth0 interface, and the ppp0 interface, not anything beyond it.
with the linux box i can ping the windows box fine also
my win98se also has an ip of 192.168.0.5, i don't know where it got this ip, prolly from my winxp box, since the win98se is set up to retrieve ips automatically... so do i need to set up a dhcpd maybe? sth else?
ok one last lil annoyance. ere thing works now except I have to run rc.firewall AFTER i dial up on ppp or kppp. If i do it before it won't work... is there a work around this?
Originally posted by cythrawll ok one last lil annoyance. ere thing works now except I have to run rc.firewall AFTER i dial up on ppp or kppp. If i do it before it won't work... is there a work around this?
if this wasn't happening with your old script, then try this:
Code:
#!/bin/sh
IPT=/usr/sbin/iptables
EXTIF="ppp0"
INTIF="eth0"
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p UDP -i $INTIF --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p TCP -i $INTIF --dport 445 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i $INTIF --dport 445 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i $INTIF --dport 137:139 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i $INTIF --dport 137:139 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo "So let it be written, so let it be done."
i have never used that option before, but judging from this part of your old script, it seems it might be related to your issue:
Quote:
# Dynamic IP users:
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
if this wasn't happening with your old script, then try this:
Code:
#!/bin/sh
IPT=/usr/sbin/iptables
EXTIF="ppp0"
INTIF="eth0"
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p UDP -i $INTIF --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p TCP -i $INTIF --dport 445 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i $INTIF --dport 445 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i $INTIF --dport 137:139 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i $INTIF --dport 137:139 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo "So let it be written, so let it be done."
Wow...sorry to bring this old thread back, but I had to ask a question. I've been using this script now for quite a while (great script by the way). Well, I like to use firestarter, but lately, I've been wanting to get my hands dirty with iptables. The one thing that I haven't been able to figure out is how can I make iptables log when packets are droped while using this script. I've tried a couple of things, but none has worked. I'm pretty sure I'm doing something wrong. Thanks!
Wow...sorry to bring this old thread back, but I had to ask a question. I've been using this script now for quite a while (great script by the way). Well, I like to use firestarter, but lately, I've been wanting to get my hands dirty with iptables. The one thing that I haven't been able to figure out is how can I make iptables log when packets are droped while using this script. I've tried a couple of things, but none has worked. I'm pretty sure I'm doing something wrong. Thanks!
just add a rule with target LOG to the end of the relevant chain... like:
#!/bin/sh
IPT=/usr/sbin/iptables
EXTIF="ppp0"
INTIF="eth0"
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p UDP -i $INTIF --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p TCP -i $INTIF --dport 445 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i $INTIF --dport 445 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i $INTIF --dport 137:139 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i $INTIF --dport 137:139 -m state --state NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-prefix "INPUT DROP: "
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
this way any packet that doesn't match any of the rules will get logged right before it runs into the policy of DROP you've set...
Ah...thanks a bunch! I'll try that when I get home. Quick question, what does "-m limit --limit 3/minute --limit-burst 3"? What does it do? Thanks again for your help!
Ah...thanks a bunch! I'll try that when I get home. Quick question, what does "-m limit --limit 3/minute --limit-burst 3"? What does it do? Thanks again for your help!
it limits the number of packets that will be matched (for logging in this case) by the rule... this is usually done in LOG rules to control the amount of logging done, so for example if some IP rapidly scans fifty thousand ports on your box your log file won't get flooded by that... you can tweak the values to your liking of course...
from "man iptables":
Quote:
limit
This module matches at a limited rate using a token bucket filter. A
rule using this extension will match until this limit is reached
(unless the `!' flag is used). It can be used in combination with the
LOG target to give limited logging, for example.
Quote:
--limit-burst number
Maximum initial number of packets to match: this number gets
recharged by one every time the limit specified above is not
reached, up to this number; the default is 5.
if you don't wanna limit then a plain LOG rule will do:
it limits the number of packets that will be matched (for logging in this case) by the rule... this is usually done in LOG rules to control the amount of logging done, so for example if some IP rapidly scans fifty thousand ports on your box your log file won't get flooded by that... you can tweak the values to your liking of course...
from "man iptables":
if you don't wanna limit then a plain LOG rule will do:
Code:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
Thanks a bunch! I learned quite a lot today. Thanks for your time! This site rocks!!!
Ah...thanks a bunch! I'll try that when I get home. Quick question, what does "-m limit --limit 3/minute --limit-burst 3"? What does it do? Thanks again for your help!
Hey there...I just tried what you asked me to do, but no luck. I'm not getting any droped logs on /var/log/messages. What I'm doing wrong???
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
