LinuxQuestions.org
Old 11-11-2006, 03:19 AM   #1
Chikne
Member
 
Registered: Jul 2006
Distribution: Slackware 11
Posts: 140

Rep: Reputation: 15
iptables on slackware


Dear slackers,

for a week now I have been searching the web on how to set up a gateway/router using Slackware. At first I thought that iproute2 would be the solution, but I looked around a bit more and actually found out that to use a box like an off-the-shelf router, NAT/iptables/masquerading would be more like it.

I am running Slackware 10.2 on this box (tried to install 11 but the PC wouldn't boot from the install CD, bizarre!) with kernel 2.4.31 that I compiled myself (also tried to copy the .config file from 2.4.31 to 2.4.33, but it wouldn't compile, bizarre again!).

Please don't get me wrong, I still consider myself a new Linux user but can normally easily work my way around things by reading HOWTOs on the net etc. The thing is that there are several HOWTOs about this around but none of them want to work for me.

The Linux IP Masquerade HOWTO on tldp.org seems fairly detailed but doesn't really explain how to manipulate iptables by hand; however it does mention the requirement for certain modules, the one that worries me being ipt_MASQUERADE.o, which looks like something I need but isn't there on my system.
This HOWTO also talks about IPMASQ. I tried googling this but the results came back with nothing much of interest, so is that something that is deprecated or not?

Now following the NAT HOWTO on netfilter.org, they don't talk about the required modules or anything, which is fine with me; they do however talk about two types of NAT, SNAT and DNAT. The one that I suspect is interesting to me is SNAT; again it is quite confusing to me since my knowledge of networking is fairly limited, and this is my first time trying to set up a home network.
But the interesting thing in these explanations is that they give some commands for iptables, so when logged on to my box I do:

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to My.IP.address.0

then:

iptables -L

target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

So if I am correct, iptables -L should be listing something, right???

Ok, I am not going to mention all the HOWTOs I've been reading about NAT; my point here is that since every HOWTO is different, I can't find out whether I am doing something wrong, I am missing programs (which I doubt), my machine is not configured properly, or whatever else the cause of my problem might be. Note that I did enable all the stuff in the kernel config for netfilter etc.

I did start other posts in other forums (sorry admins) but not many people seemed too concerned, so I am reverting back to the good old Slackware forum; in the meantime I'll keep on googling and trying.

thanks in advance guys...

Last edited by Chikne; 11-11-2006 at 03:20 AM.
 
Old 11-11-2006, 06:02 AM   #2
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,307

Rep: Reputation: Disabled
For a listing of your NAT rules, try
Code:
iptables -t nat -L -n
instead.

Eric
 
Old 11-11-2006, 07:42 PM   #3
Chikne
Member
 
Registered: Jul 2006
Distribution: Slackware 11
Posts: 140

Original Poster
Rep: Reputation: 15
BIG thank you, you are the man!!!
 
Old 11-13-2006, 03:33 PM   #4
Chikne
Member
 
Registered: Jul 2006
Distribution: Slackware 11
Posts: 140

Original Poster
Rep: Reputation: 15
Hmmmm so far so good, I have managed to use the box as a router with the following command:

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to my.ip.address.0

However when I put this script in /etc/rc.d/rc.local to execute it at boot, I get "iptables: command unknown" or something very similar.

Basically I can't use that command unless I log in to the box as root and execute it, which isn't really how I would like it to work.

I've also tried to create a script rc.iptables nat but this didn't work either.

Has anyone got any thoughts?

thanks
 
Old 11-13-2006, 03:36 PM   #5
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,307

Rep: Reputation: Disabled
When running commands in rc.local (especially commands from /sbin and /usr/sbin) it is probably a better idea to provide the full path - i.e. /usr/sbin/iptables .

Eric
 
Old 11-13-2006, 03:58 PM   #6
Chikne
Member
 
Registered: Jul 2006
Distribution: Slackware 11
Posts: 140

Original Poster
Rep: Reputation: 15
Damn right once again, you're good!!!

How about using iptables-save and iptables-restore?

Are there any benefits using those commands instead of restarting iptables at every boot?
 
Old 11-13-2006, 04:18 PM   #7
DragonM15
Member
 
Registered: Sep 2003
Location: USA
Distribution: Slackware (Multiple Versions)
Posts: 455

Rep: Reputation: 31
Every time I change my iptables I use the 'iptables-save myfile-date' command to back up my iptables config. I suppose you could use 'iptables-restore filename'... dunno if it would accomplish anything that just enabling iptables wouldn't do already, unless of course you wipe out your iptables rules at every shutdown.
 
Old 11-13-2006, 04:28 PM   #8
Chikne
Member
 
Registered: Jul 2006
Distribution: Slackware 11
Posts: 140

Original Poster
Rep: Reputation: 15
Well, as far as I went, every time I rebooted the machine the iptables rules got wiped out and I had to manually restart them...

Oh, ok, I think I understood what you mean; can you actually restore the rules you saved just by executing iptables?
 
Old 11-13-2006, 04:31 PM   #9
Youri
Member
 
Registered: Oct 2004
Distribution: slamd64-current, slackware-current, clfs 6.1, arch-current, ubuntu dapper
Posts: 144

Rep: Reputation: 15
iptables-save makes it possible (as the name says) to write it to a specified file (it actually writes to stdout so ya need to use the I/O redirection provided by the shell, i.e.:

Code:
/usr/sbin/iptables-save > /path/to/mysavediptables.file
When ya did this ya only need to run the restore command (also needs the I/O redirection of your shell):
Code:
/usr/sbin/iptables-restore < /path/to/mysavediptables.file
As for benefits? Cleaner startup scripts IMO and more easily adjustable.

If ya use restore ya can change it all at once by issuing the iptables command with the changes, then do save > filename and it's done. Else you'd have to adjust your startup script every single time. I prefer the former.

/edit: too late. :P

Last edited by Youri; 11-13-2006 at 04:44 PM.
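The save/restore workflow above, as an added example that is not code from the thread or from Slackware: a small sh script that writes the gateway's ruleset directly in the format iptables-save emits and iptables-restore reads, so the boot-time step in rc.local becomes a single /usr/sbin/iptables-restore < file (called by full path, as Eric suggests). The interfaces ppp0 and ath0 are the ones the thread uses; the 192.168.0.0/24 LAN, the path /etc/iptables.rules and the function names are assumptions. It uses the MASQUERADE target instead of SNAT --to: a ppp0 link gets a new address each time it comes up, and MASQUERADE takes the interface's current address, so a saved file does not go stale (this target is what the ipt_MASQUERADE module from post #1 provides).

```shell
#!/bin/sh
# Added example (not from the thread): generate a ruleset in iptables-save
# format for a Slackware gateway, so rc.local can load it at boot with
#   /usr/sbin/iptables-restore < /etc/iptables.rules
# Interface names, the LAN subnet and the output path are assumptions.

WAN_IF="${WAN_IF:-ppp0}"              # dial-up / PPPoE side, dynamic address
LAN_IF="${LAN_IF:-ath0}"              # wireless LAN side
LAN_NET="${LAN_NET:-192.168.0.0/24}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# Print the ruleset in the format iptables-save produces / iptables-restore reads.
# Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# MASQUERADE rather than SNAT --to: ppp0 gets a new address on each dial-up,
# and MASQUERADE re-reads the interface address, so the rule never goes stale.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Only forward what the LAN initiated, plus the replies to it.
# INPUT/OUTPUT are left open here; filtering the router itself is a later step.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of rule lines (-A ...) in a ruleset read from stdin; a sanity check.
count_rules() {
    grep -c '^-A '
}

# Write the file and, where iptables-restore is installed, parse-check it with
# --test (builds the ruleset without committing it) before it is ever loaded.
install_rules() {
    gen_rules > "$RULES_FILE" || return 1
    chmod 600 "$RULES_FILE"
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$RULES_FILE" || return 1
    fi
    return 0
}

# Boot-time load, as rc.local would call it. Routing also needs ip_forward=1.
# iptables-restore replaces the whole table contents, so a reboot is not needed
# to pick up a changed file; rerunning load_rules is enough.
load_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /usr/sbin/iptables-restore < "$RULES_FILE"
}

case "${1:-}" in
    install) install_rules ;;
    load)    load_rules ;;
    *)       gen_rules ;;      # no argument: just show the generated file
esac
```

Run it as root with `install` to write and parse-check the file, and put `/usr/sbin/iptables-restore < /etc/iptables.rules` (or `sh thisscript load`) in /etc/rc.d/rc.local. Because the file is what gets restored, the "change a rule, then iptables-save > file" habit from the post keeps working: the generator is only for the first version.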
 
Old 11-15-2006, 08:25 AM   #10
Chikne
Member
 
Registered: Jul 2006
Distribution: Slackware 11
Posts: 140

Original Poster
Rep: Reputation: 15
Now I've got my network to use WPA encryption; the next step is to configure the firewall using iptables.

Oh, by the way, I would like to have a server on a wired connection (just with a cross-wired cable, no hub) to the router and the rest wireless; the thing is, every time I ssh into the router via the wired connection, the wireless becomes unusable. It took me around 5 hours the other day to figure out that it was actually the Ethernet cross-wired cable that was causing that problem...
Even if I set the wireless interface of the router to 192.168.0.1 and the wired one to 192.168.1.1, it is still unusable...

My thoughts are that I need a bridge, but I am just guessing there as I haven't had time yet to look at this; I just had to configure the router using a screen and a keyboard. The reason I'd like to have the server wired to the router is so I can have wake-on-LAN, which I can't imagine is available on wireless, but I might be wrong again. Can I set up a bridge using IPTABLES???

Thanks
 
Old 11-19-2006, 05:17 PM   #11
Chikne
Member
 
Registered: Jul 2006
Distribution: Slackware 11
Posts: 140

Original Poster
Rep: Reputation: 15
Well, I am at the filtering stage of my setup. What I am now trying to do:

iptables -P INPUT DROP

then for ssh:

iptables -A INPUT -ath0 -p tcp --source-port 22 -d 192.168.0.1 --destination-port 22 -j ACCEPT

and that still won't let me ssh into the router, which is a pain since I wanted it headless. So I had to plonk a keyboard and a monitor on it for the moment. It's worth noting that I have tried several versions of this, like trying to ssh into the ppp0 outside address of the router (so that I can ssh from the internet, for instance), but got blocked by the firewall...

As usual I keep on trying and searching in the meantime =)
 
Old 11-19-2006, 06:18 PM   #12
Chikne
Member
 
Registered: Jul 2006
Distribution: Slackware 11
Posts: 140

Original Poster
Rep: Reputation: 15
I managed to ssh from the lan into my router after doing:

iptables -P INPUT DROP

iptables -A INPUT -i ath0 -p tcp -d 192.168.0.1 --destination-port 22 -j ACCEPT

but can't ssh into my external interface when doing:

iptables -A INPUT -i ppp0 -p tcp -d my.internet.protocol.address --destination-port 22 -j ACCEPT


There is actually a quite helpful thread there:

http://www.linuxquestions.org/questi...light=iptables
 
Old 11-19-2006, 11:52 PM   #13
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Rep: Reputation: 49
bridge

Code:
Securing Debian Manual - Setting up a bridge firewall
http://www.debian.org/doc/manuals/securing-debian-howto/ap-bridge-fw.en.html

LINUXSECURE
http://www.linuxsecure.de/index.php?action=90

Kernel Korner - Linux as an Ethernet Bridge | Linux Journal
http://www.linuxjournal.com/article/8172

Bridge - LinuxNet
http://linux-net.osdl.org/index.php/Bridge

ebtables
http://ebtables.sourceforge.net/documentation.html

Ebtables Hacking HOWTO: Introduction
http://ebtables.sourceforge.net/ebtables-hacking/ebtables-hacking-HOWTO-1.html

freshmeat.net: Tutorials - Configuring a Transparent Proxy/Webcache in a Bridge using Squid and ebtables
http://freshmeat.net/articles/view/1433/

NSLU2-Linux - Applications / HomePage browse
http://www.nslu2-linux.org/wiki/Applications/HomePage

Transparent Proxy with Linux and Squid mini-HOWTO
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

Transparent bridging firewall with debian, serial configuration | allmanj
http://allmanj.frlinux.net/drupal/?q=bridging_firewall_serial

redWall Firewall
http://www.redwall-firewall.com/content/view/15/36/
--
Alan.
 
Old 11-20-2006, 04:47 PM   #14
Chikne
Member
 
Registered: Jul 2006
Distribution: Slackware 11
Posts: 140

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by acummings
bridge

Code:
Securing Debian Manual - Setting up a bridge firewall
http://www.debian.org/doc/manuals/securing-debian-howto/ap-bridge-fw.en.html

LINUXSECURE
http://www.linuxsecure.de/index.php?action=90

Kernel Korner - Linux as an Ethernet Bridge | Linux Journal
http://www.linuxjournal.com/article/8172

Bridge - LinuxNet
http://linux-net.osdl.org/index.php/Bridge

ebtables
http://ebtables.sourceforge.net/documentation.html

Ebtables Hacking HOWTO: Introduction
http://ebtables.sourceforge.net/ebtables-hacking/ebtables-hacking-HOWTO-1.html

freshmeat.net: Tutorials - Configuring a Transparent Proxy/Webcache in a Bridge using Squid and ebtables
http://freshmeat.net/articles/view/1433/

NSLU2-Linux - Applications / HomePage browse
http://www.nslu2-linux.org/wiki/Applications/HomePage

Transparent Proxy with Linux and Squid mini-HOWTO
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

Transparent bridging firewall with debian, serial configuration | allmanj
http://allmanj.frlinux.net/drupal/?q=bridging_firewall_serial

redWall Firewall
http://www.redwall-firewall.com/content/view/15/36/
--
Alan.

Thanks for that, I will have a look later!
 
Old 11-20-2006, 04:58 PM   #15
Chikne
Member
 
Registered: Jul 2006
Distribution: Slackware 11
Posts: 140

Original Poster
Rep: Reputation: 15
Right, something I didn't realise yesterday is that when doing this on my router:

iptables -P INPUT DROP

iptables -A INPUT -i ath0 -p tcp -d 192.168.0.1 --destination-port 22 -j ACCEPT

then from a remote computer:

ssh 192.168.0.1

I am then asked for a password; if I type the password and press return I will not be logged in. The console will just sit there and do nothing, no shell... Any advice on that???

What I also noticed was that if I set the OUTPUT policy to DROP I cannot ssh into my router either; I will have to:

iptables -A OUTPUT -o ath0 -p tcp -s 192.168.0.1 --destination-port 22 -j ACCEPT

This question is just out of curiosity, but is it because the ssh daemon needs to go out on this interface as well?
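The stateful form of the rules in posts #12 and #15, as an added example rather than code from the thread. The interface ath0 and the router address 192.168.0.1 are taken from the posts; the LAN range 192.168.0.0/24, the DRY_RUN switch and the function names are assumptions. Replies from sshd leave the router with source port 22, not destination port 22, so instead of one OUTPUT rule per service the script accepts packets that belong to a connection already let in (the state match) and only admits new connections on port 22 from the LAN side, to the LAN address. With DRY_RUN=1 (the default) it prints the iptables commands so the ruleset can be reviewed from the console before it is applied on a box that is meant to end up headless.

```shell
#!/bin/sh
# Added example, not from the thread: stateful host rules that let ssh reach
# the router from the LAN while INPUT and OUTPUT both default to DROP.
# ath0 and 192.168.0.1 come from the thread; LAN_NET, the function names and
# the DRY_RUN switch are assumptions.

LAN_IF="${LAN_IF:-ath0}"
ROUTER_IP="${ROUTER_IP:-192.168.0.1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
IPT="${IPT:-/usr/sbin/iptables}"   # full path: rc.local runs with a minimal PATH
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands, 0 = apply them

# Print or execute one iptables invocation, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

ssh_rules() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    # Loopback first: local daemons, sshd included, talk to themselves over lo.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Packets of connections already accepted, in both directions. This is what
    # carries sshd's replies (source port 22) out, with no per-port OUTPUT rule.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New ssh sessions: only from the LAN, only on ath0, only to the LAN address.
    ipt -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" -d "$ROUTER_IP" --dport 22 \
        -m state --state NEW -j ACCEPT
    # Everything else hits the DROP policy; log a rate-limited sample first so a
    # lock-out can be diagnosed from the console (dmesg / /var/log/messages).
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
}

# Number of rule-adding (-A) commands in the ruleset, taken from a dry run.
rule_count() {
    ( DRY_RUN=1; ssh_rules ) | grep -c ' -A '
}

case "${1:-show}" in
    apply) DRY_RUN=0; ssh_rules ;;   # as root, with a console at hand
    show)  DRY_RUN=1; ssh_rules ;;   # default: review the commands first
esac
```

Review the output with `sh thisscript show`, then `sh thisscript apply` as root while still at the keyboard; if a mistake locks the session out, the console is there to flush the rules and the LOG line shows which packets were dropped. The same ESTABLISHED,RELATED rules are what allow the router's own outbound traffic (DNS, package fetches) to get its answers back under the DROP policies.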
 
  

