Linux- NAT problem

fritz001 · 09-02-2004, 04:08 AM

after 2 month a managed to learn linux preaty well but.. i'm still noob.

well i decided to leave my Win-Router( with kerio winroute) and instal linux due to increasing security wholes in windows

...and to be a little short

here is the problem:

if [ ! -x /usr/sbin/iptables ]; then
exit 0
fi

case "$1" in
'start')
echo \ "Start: "

# ----------------------------------------------------------------------------

IPADDR="81.196.55.X
EXTERNAL_INTERFACE="eth1" # Net Output
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth0" # TO LAN
INTRANET="192.168.0.2/24" # Local Adress Domain
PRIMARY_NAMESERVER="81.196.55.X-3"
SECONDARY_NAMESERVER="81.196.55.x-4"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8" CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16" CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0" BROADCAST_DEST="255.255.255.255"
BROADCAST_SRC1=""
BROADCAST_DEST1=""
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:"
# ----------------------------------------------------------------------------

SSH_LOCAL_PORTS="1022:65535" SSH_REMOTE_PORTS="513:65535"

TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# MODULEs FIREWALL
# -----------------

# /sbin/modprobe ip_tables
# /sbin/modprobe iptable_nat
# /sbin/modprobe ip_conntrack
# /sbin/modprobe ip_conntrack_ftp
# /sbin/modprobe ip_tables
# /sbin/modprobe ip_nat_ftp
# /sbin/modprobe ipt_LOG
# /sbin/modprobe ipt_MARK
# /sbin/modprobe ipt_MASQUERADE
# /sbin/modprobe ipt_REDIRECT
# /sbin/modprobe ipt_REJECT
# /sbin/modprobe ipt_TOS
# /sbin/modprobe ipt_limit
# /sbin/modprobe ipt_mac
# /sbin/modprobe ipt_mark
# /sbin/modprobe ipt_multiport
# /sbin/modprobe ipt_state
# /sbin/modprobe ipt_tos
# /sbin/modprobe iptable_mangle

iptables -F
iptables -F -t nat

iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# ----------------------------------------------------------------------------

# LOOPBACK
# --------

iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

# Elimina pachetele NULL prost formate
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP

iptables -A FORWARD -m state --state NEW -i $LOCAL_INTERFACE_1 \
-s $INTRANET -j ACCEPT

iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT

iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE

# ----------------------------------------------------------------------------

iptables -A INPUT -s $IPADDR -j DROP

iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
# iptables -A INPUT -s $CLASS_C -j DROP

iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP

iptables -A INPUT -s $BROADCAST_DEST1 -j DROP
iptables -A INPUT -d $BROADCAST_SRC1 -j DROP

iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP

iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP

# 0.*.*.*
# 127.*.*.*
# 169.254.*.*
# 192.0.2.*
# 224-255.*.*.*

iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP

# ----------------------------------------------------------------------------

# UDP TRACEROUTE
# --------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
-d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $PRIMARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $PRIMARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
-s $SECONDARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $SECONDARY_NAMESERVER --source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
-d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

# Server DNS (53)
# --------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 53 -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port 53 \
--destination-port $UNPRIVPORTS -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port 53 \
-d $IPADDR --destination-port 53 -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port 53 \
--destination-port 53 -j ACCEPT

# Client DNS (53)
# ---------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 53 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 53 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 53 -j ACCEPT

# Transfer DNS Zone (53)
# ------------------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
-s $SECONDARY_NAMESERVER --source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 53 -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port 53 \
-d $SECONDARY_NAMESERVER --destination-port $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# Clientul HTTP (80)
# ------------------

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT

;;

esac
exit 0

this is the firewall configuration and...
here is te network config from one of local machines

IP: 192.168.0.9
NetMask: 255.255.255.0
Gateway:192.168.0.2
DNS1: 192.168.0.2

So if i try to start iexplorer and access any webpage the like ww.yahoo.com ---the status of IE is CONECTING TO.....but nothing happend.

the firewaal works weel on server machime, i managed to acces any web page.... but the problem is i can't manage to do NAT working ??

so please tell me what do i misconfigured ?

more then 2 days i try to find tje problem, to read the man iptables and other firewall examples...but so far no success

so i'll be vere greatufull if some one tel me on my firewaal what todo to make NAT working....

win32sux · 09-02-2004, 05:23 AM

i've cleaned-up your script a little bit, using the KISS principle... give it a shot and see...

i only set dns on the local area interface... do you really need dns on the external interface???

Code:

#!/bin/sh

IPT="/usr/sbin/iptables"
IPADDR="81.196.55.xxx"
EXTERNAL_INTERFACE="eth1"
LOOPBACK_INTERFACE="lo"
LOCAL_INTERFACE_1="eth0"
INTRANET="192.168.0.0/24"
LOOPBACK="127.0.0.0"

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p ALL -i $LOOPBACK_INTERFACE -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j LOG \
--log-prefix "UNKNOWN SOURCE: "
$IPT -A INPUT -p ALL -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j LOG \
--log-prefix "NEW NOT SYN: "
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A INPUT -p ALL -i $EXTERNAL_INTERFACE_1 -s $INTRANET -j LOG \
--log-prefix "OBVIOUS SPOOF: "
$IPT -A INPUT -p ALL -i $EXTERNAL_INTERFACE_1 -s $INTRANET -j DROP
$IPT -A INPUT -p UDP -i $LOCAL_INTERFACE_1 --dport 53 -j ACCEPT
$IPT -A INPUT -p ALL -j LOG --log-prefix "INPUT DROP: "

$IPT -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -o $LOOPBACK_INTERFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -p ALL -o $EXTERNAL_INTERFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_INTERFACE_1 -j ACCEPT

$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG \
--log-prefix "NEW NOT SYN: "
$IPT -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A FORWARD -p ALL -i $EXTERNAL_INTERFACE -o $LOCAL_INTERFACE_1 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p ALL -i $LOCAL_INTERFACE_1 -o $EXTERNAL_INTERFACE  \
-j ACCEPT

$IPT -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j SNAT \
--to-source $IPADDR

NOTE: it's better to use SNAT instead of MASQUERADE when you have a static IP...

dnsmasq is an awesome, simple tool for letting your nat firewall do as a dns server without needing a full-blown dns server... it's included in slackware 10.0:

http://thekelleys.org.uk/dnsmasq/doc.html

if you still have issues accessing the world wide web from within the lan, see if you are able to ping an ip on the internet... if you can ping an ip, but can't ping a domain, then it is likely an issue with the onboard dns server....

fritz001 · 09-02-2004, 07:53 AM

i have to make a little adjustements at the two code lines

$IPT -A INPUT -p ALL -i $EXTERNAL_INTERFACE -s $INTRANET -j LOG \
--log-prefix "OBVIOUS SPOOF: "
$IPT -A INPUT -p ALL -i $EXTERNAL_INTERFACE -s $INTRANET -j DROP

well te same problem......i'm not able to browse within lan not even to ping....

now the firewall seems to work fine.......and then what is the problem ?

another proble is:
the DNS1 of my ISP is 81.196.25.xx

ex1:

comp1_lan: ip-192.168.06 gateway: 192.168.0.2 dns1:192.168.0.2

unable to browsw and ping and...no internet but if i change DNS1 to my isp dns(81.196.25.xx) i can browse........

well but this is not a sollution(test purpose only)

win32sux · 09-02-2004, 04:06 PM

Quote:

Originally posted by fritz001
i have to make a little adjustements at the two code lines

$IPT -A INPUT -p ALL -i $EXTERNAL_INTERFACE -s $INTRANET -j LOG \
--log-prefix "OBVIOUS SPOOF: "
$IPT -A INPUT -p ALL -i $EXTERNAL_INTERFACE -s $INTRANET -j DROP

what do you mean by this??

Quote:

well te same problem......i'm not able to browse within lan not even to ping....

do you mean you can't ping ANYTHING on the internet from the lan?? or do you mean you can't ping DOMAINS but CAN ping IPs??

ping google.com

ping 216.239.57.99

Quote:

now the firewall seems to work fine.......and then what is the problem ?

ummm... what??

Quote:

another proble is:
the DNS1 of my ISP is 81.196.25.xx

ex1:

comp1_lan: ip-192.168.06 gateway: 192.168.0.2 dns1:192.168.0.2

unable to browsw and ping and...no internet but if i change DNS1 to my isp dns(81.196.25.xx) i can browse........

well but this is not a sollution(test purpose only)

from what i read on your first post, machines on your lan are using 192.168.0.2 as their gateway and dns server... this means that only your nat router needs to use your ISP's DNS servers...

if the dns daemon installed on your nat router isn't functioning properly, then the machines on the lan won't be able to surf the "web", even though they are actually able to connect to the "internet"... this is why it's important to know if you can ping an internet ip when you can't ping a web domain...

this is the rule that allows machines on the lan to connect to a dns server on your nat router:

$IPT -A INPUT -p UDP -i $LOCAL_INTERFACE_1 --dport 53 -j ACCEPT

if you install dnsmasq, all you need to do to start it and have it listen for dns requests on the lan is this (you don't need to configure it):

dnsmasq --interface=eth0

Quote:

if i change DNS1 to my isp dns(81.196.25.xx) i can browse

honestly, it seems you are having issues with your dns daemon... you need to look into that... or install dnsmasq instead...

win32sux · 09-02-2004, 11:35 PM

i fixed some errors i had made (sorry), and i also juiced-it-up a little:

Code:

#!/bin/sh

IPT="/usr/sbin/iptables"
LOOPBACK_INTERFACE="lo"
LOOPBACK_IP="127.0.0.1"
EXTERNAL_INTERFACE="eth1"
EXTERNAL_IP="81.196.55.xxx"
LOCAL_INTERFACE="eth0"
LOCAL_IP="192.168.0.2"
LOCAL_NETWORK="192.168.0.0/24"

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p ALL -i $LOOPBACK_INTERFACE -j ACCEPT
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A INPUT -p ALL -i $LOCAL_INTERFACE -s ! $LOCAL_NETWORK -j DROP
$IPT -A INPUT -p ALL -i $EXTERNAL_INTERFACE -s $LOCAL_NETWORK -j DROP
$IPT -A INPUT -p UDP -i $LOCAL_INTERFACE --dport 53 -j ACCEPT
#$IPT -A INPUT -p TCP -i $LOCAL_INTERFACE --dport 22 -j ACCEPT
#$IPT -A INPUT -p ICMP -i $LOCAL_INTERFACE --icmp-type 8 -j ACCEPT
$IPT -A INPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "INPUT DROP: "

$IPT -A OUTPUT -p ALL -o $LOOPBACK_INTERFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOOPBACK_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_INTERFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $EXTERNAL_INTERFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $EXTERNAL_IP -j ACCEPT

$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A FORWARD -p ALL -i $LOCAL_INTERFACE -s ! $LOCAL_NETWORK -j DROP
$IPT -A FORWARD -p ALL -i $EXTERNAL_INTERFACE -s $LOCAL_NETWORK -j DROP
$IPT -A FORWARD -p ALL -i $LOCAL_INTERFACE -o $EXTERNAL_INTERFACE \
-j ACCEPT
$IPT -A FORWARD -p ALL -i $EXTERNAL_INTERFACE -o $LOCAL_INTERFACE \
-m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j SNAT \
--to-source $EXTERNAL_IP

fritz001 · 09-03-2004, 04:43 PM

it seems to be a dns problem

i'm using the new script

and now i can ping from lan but not to surf www.///////

i mean i can ping 216.109.118.70 instead of ping www.yahoo.com
or ping 195.71.11.67 (www.spiegel.de)

i have installed DNSMASQ and set it up dnsmasq --interface=eth0, but same problem

now, how to resolv the bllody dns problem ???

P.S. i'm using SLACK 10
P.S.1 thank for the modified script

win32sux · 09-03-2004, 07:35 PM

make sure your /etc/resolv.conf files are properly set-up with the dns addresses...

the one on the router should look something like this (your ISP's DNS IPs):

nameserver 81.196.25.xxx
nameserver 81.196.25.xxx

while the ones on the LAN should look like this (your router's local IP):

nameserver 192.168.0.2

you can check-up on dnsmasq with these:

ps aux | grep dnsmasq

netstat -a | grep :domain

also, make sure you stop your previous dns daemon before you start dnsmasq...

fritz001 · 09-05-2004, 02:31 AM

well the content of resolv.conf is

nameserver 81.196.25.xxx
nameserver 81.196.25.xxx
search ispname

the result of netstat -a | fgrep :domain is

udp 0 0*:domain

the result of ps aux | fgrep dnsmasq is

nobody 989 0.0 0.2 1536 688? dnsmasq --interface=eth0

i'm using the buildin dnsmasq(dnsmasq 2.8) from slack 10

....and the result of ifconfig eth0

inet addr 192.168.0.2 bcast: 192.168.0.255 Mask: 255.255.255.0

and the same problem...................can't browse

then what the hell is wrong ????????

win32sux · 09-05-2004, 12:49 PM

the machines on the lan are using ips in the 192.168.0.3-254 range, right??

this is weird, your dns daemon seems to be listening fine...

the thing to do now is to look at the logs i guess... make sure every DROP in the iptables script gets logged, and then view the log while attempting to connect to a www address from the lan... the log might show you what's going-on here... to view the log in real-time use:

tail -f /var/log/syslog

if you need help adding LOG targets to the DROPs just let me know, i'll gladly tweak it for you...

good luck!!

gbonvehi · 09-05-2004, 12:54 PM

Try using your ISP nameservers on your lan machines.

win32sux · 09-05-2004, 01:00 PM

Quote:

Originally posted by gbonvehi
Try using your ISP nameservers on your lan machines.

Quote:

Originally posted by fritz001
if i change DNS1 to my isp dns(81.196.25.xx) i can browse...

gbonvehi · 09-05-2004, 01:02 PM

Oops, sorry didn't read that, well it seems he isn't running bind then (or have something configured wrong on it)..

Edit: mmm.. i've just woke up, i have to take shower before reading the forum, i see now he's using dnsmasq

fritz001 · 09-06-2004, 05:56 AM

heh, after several hours 24> i manage to resolv the problem

i dad to manualy config the /etc/dnsmasq.conf

now everything is ok

and now the second problem::

hot to allow to conect from lan only some users, i choose as conect criteria MAC ADDRESS

so:
user with macaddr 11.22.44.55.66 and ip 192.168.0.9 allow
user with macaddr 11.55.77.66 and ip 192.168.0.5 deny
user with macaddr 11.55.99.77 and ip 192.168.0.19 allow
,....and so on

PROBLEM NUMBER 2

i want to deny acces to some services like IRC

i now the port range is 6660-6669 and protocol TCP/UDP

how to deny irc services ??

and yahoo messenger: source: anyport; destination:5050 protocol tcp/udp ?

....and howto tonfig the firewall to run dc++(even if i'm behind a firewall) in active mode ??

here is what i try to deny access to irc service------------but doesn't work

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 6660:6669 \
-d $EXTERNAL_IPADDR --destination-port 1054:65535 -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IPADDR --source-port 1024:65535 \
--destination-port 6660:6669 -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port 1024:65535 \
-d $EXTERNAL_IPADDR --destination-port 1024:65535 -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $EXTERNAL_IPADDR --source-port 1024:65535 \
--destination-port 1024:65535 -j DROP

.....and great thanks for great help so far.....

win32sux · 09-06-2004, 12:41 PM

Quote:

Originally posted by fritz001
i dad to manualy config the /etc/dnsmasq.conf

please explain what you had to configure in the file so that this thread can better help others...

fritz001 · 09-06-2004, 01:04 PM

well the firewall script works fine, the dnsmasq works almost fine, but.....

as i said before i was able to ping 216.109.118.70 but not www.yahoo.com

it seems dnsmasq dosn't proprely forward dns requests
so i looked into dnsmasq.conf

here is the a part of dnsmasq.conf
and i'll explain what i modified

# Never forward plain names (with a dot or domain part)
##########domain-needed
# Reply to reverse queries for addresses in the non-routed address
# space with the dotted.quad address
bogus-priv
# Filter useless windows-originated DNS requests
##############filterwin2k <----- here modified i had to coment this line

# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=

# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
strict-order <-------------------here modified i had to uncoment line

.................................................................................................... .....................

# If you want to disable negative caching, uncomment this.
#no-negcache

# Normally responses which come form /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale date, you can set a time-to-live (in
# seconds) here.
#local-ttl=

# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11

# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8

alias=81.196.25.xx,192.168.0.2 <----------------here modified

# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
log-queries

# Include a another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf

so any dns request to 192.168.0.2 wiil be translated as direct request to 81.196.25.xx(my isp primary dsn)

without those modifies i was unable to use 192.168.0.2 as PRIMARY DNS on my local machines...

...............and now can you help me to create rules to block access to some services like irc, or yahoo messenger?

...and howto permit acces based on ipadress and mac ??