Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
09-21-2004, 04:15 PM   #1
bennethos
Member
Registered: Aug 2003
Location: Belgium
Distribution: -- Slackware for servers -- Debian for desktops --
Posts: 124

Questions 'bout IP MASQUERADING


I'm trying to put up a gateway.

My setup:

cisco 827 that makes pppoe connection to ISP /
cisco eth0 : 192.168.1.1 (gateway of course)
|
eth0 : 192.168.1.2
subnet 255.255.255.254
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

eth1 : 10.0.0.1
subnet 255.255.255.248
network 10.0.0.0
broadcast 10.0.0.255
gateway 192.168.1.2

I recompiled my kernel and have a 2.6.8 version now.
Included all neat ipmasq and netfilter features.

The 10.0.0.0 network range with the subnet I configured can surf on the internet. No probs at all.

But I have the following issue: first of all my cisco is ALSO configured with NAT ...
So I opened ALL ports from cisco to 192.168.1.2 which works fine.

But can someone give me a hint on how to configure the port forwarding with ipmasq? I can't seem to find a config file for ipmasq, or do I have to manually do the commands like --> @root@xxdx: ipmasq -x -blabalbalba

All tutorials I find are practically for Redhat with bridged connections from modem to linux and linux that should make the ppp connection...

Could you guys give me an example?
I would like to forward port 80 to my webserver which has the following ip : 192.168.1.4

thx a lot dudes !
09-23-2004, 02:29 AM   #2
DaneM
Member
Registered: Oct 2003
Location: Chico, CA, USA
Distribution: Linux Mint
Posts: 881

Hi, bennethos.

I'm not an expert on Cisco or pppoe stuff, but I have set up IP masquerading on a couple of Linux routers, using both Mandrake 10 and Slackware 10. The quickest and easiest way to do it (although not the most secure) is by using the instructions in the IP-Masquerading How-To from the Linux Documentation Project: http://www.ibiblio.org/pub/Linux/doc...TO-html.tar.gz . This will help you write some scripts to get it working.

Once you've got the basic concept down, you'll probably want to move on to a more robust firewall, such as Shorewall. The setup process is very well-documented at http://www.shorewall.net/ . Use the installation guides and other documentation offered there and you'll have a nice firewall set up in no time. It looks a LOT more complicated than it really is, so just stick with it.

Good luck!

--Dane
09-24-2004, 04:02 PM   #3
bennethos
Member
Registered: Aug 2003
Location: Belgium
Distribution: -- Slackware for servers -- Debian for desktops --
Posts: 124
Original Poster

I read the faq, I understand the principle of ipmasq, but I'm still confused as to where to put the script in Debian.

I noticed the following in Debian: /etc/ipmasq

I suppose it's there I will have to put the scripts? Or modify them?

All you Debian freaks help me out
09-24-2004, 04:24 PM   #4
bennethos
Member
Registered: Aug 2003
Location: Belgium
Distribution: -- Slackware for servers -- Debian for desktops --
Posts: 124
Original Poster

I found it, I think:

/etc/ipmasq/ipmasq-down/A03flush.def (the netfilter branch of the case statement)

netfilter)
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -F PREROUTING
$IPTABLES -t mangle -F OUTPUT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F OUTPUT

This will load at boot time, and it's just like in the faq you sent me.

Nice, will look some more.
09-25-2004, 09:24 PM   #5
DaneM
Member
Registered: Oct 2003
Location: Chico, CA, USA
Distribution: Linux Mint
Posts: 881

That's a start

Hi, Bennethos.

I took a quick look at the script you posted and noticed that it didn't make any mention of having an internal and an external interface (two ethernet cards). Here's another script, taken from the masquerading how-to, which, I think, should get you set up properly. As for what loads at boot, I'll have to leave that up to the Debian users, except to say that anything you put into /etc/rc.d/rc.local (your directory structure may be different from this) will be executed at the end of the boot process. If you reference a firewall script there it should load when the computer starts.

Here's that script:

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.75
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.75 - Added more kernel modules to the comments section
# 0.74 - the ruleset now uses modprobe vs. insmod
# 0.73 - REJECT is not a legal policy yet; back to DROP
# 0.72 - Changed the default block behavior to REJECT not DROP
# 0.71 - Added clarification that PPPoE users need to use
# "ppp0" instead of "eth0" for their external interface
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
# 0.50 - Initial draft
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/usr/local/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal
#
#
# NOTE: If this doesn't EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables below. For example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
#
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manually load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================
echo "----------------------------------------------------------------------"
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables
#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated
#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc
echo "----------------------------------------------------------------------"
# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function. Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
# ip_nat_snmp_basic - this module allows for proper NATing of some
# SNMP traffic
#
# iptable_mangle - this target allows for packets to be
# manipulated for things like the TCPMSS
# option, etc.
#
# --
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
echo -e " Done loading modules.\n"
#CRITICAL: Enable IP forwarding since it is disabled by default
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on external interface "eth0". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

# End of File



The main things you'll probably want to check are that $EXTIF and $INTIF (at the top of the file) are set to the proper ethernet cards for your setup. $INTIF should connect to your local network and $EXTIF should connect to your internet service provider. Also, make sure that the path variables (such as "$IPTABLES") are set to the proper paths to access your iptables and other important files/programs. There's also a bunch of other nifty stuff that you can mess with if you want to.

This will set up a VERY simplistic firewall/internet gateway. Please note that all traffic, whether requested or not, will go straight through the gateway in either direction. If you keep a program like gkrellm, or some other network monitor open on the gateway you'll probably notice a lot of noise coming in even when the internet isn't in use. Simply put, this should work in a very insecure way. If you're interested in making it a bit beefier, just contact me and I'll point you in the right direction.

Cheers!

--Dane
09-26-2004, 02:40 AM   #6
TigerOC
Senior Member
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Re: Questions 'bout IP MASQUERADING

Quote:
Originally posted by bennethos
I'm trying to put up a gateway


my setup :

cisco 827 that makes pppoe connection to ISP /
cisco eth0 : 192.168.1.1 (gateway of course)
|
eth0 : 192.168.1.2
subnet 255.255.255.254
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

eth1 : 10.0.0.1
subnet 255.255.255.248
network 10.0.0.0
broadcast 10.0.0.255
gateway 192.168.1.2

I recompiled my kernel and have a 2.6.8 version now.
Included all neat ipmasq and netfilter features.

The 10.0.0.0 network range with the subnet I configured can surf on the internet. No probs at all.

But I have the following issue: first of all my cisco is ALSO configured with NAT ...
So I opened ALL ports from cisco to 192.168.1.2 which works fine.
You cannot have 2 gateways. The gateway is 192.168.1.1. I have been through this drama recently. In networking remember this very important point: network addresses relate to the card, NOT to the machine.


Quote:
but can someone give me a hint on how to configure the port forwarding with ipmasq ? I can't seem to find a config file for ipmasq, or do I have to manually do the commands like --> @root@xxdx: ipmasq -x -blabalbalba

All tutorials I find are practically for Redhat with bridged connections from modem to linux and linux that should make ppp connection...

Could you guys give me an example ?
I would like to forward port 80 to my webserver who has following ip : 192.168.1.4

thx a lot dudes !
The router must be directed to forward requests for port 80 to the address of the card attached to the router, i.e. 192.168.1.2 (remember what I said above, i.e. card, not machine). The firewall script given above should resolve your forwarding in terms of internet sharing. Each machine behind the router should be instructed to use 192.168.1.1 as the gateway. You may get some insight from my site.

Last edited by TigerOC; 09-26-2004 at 02:42 AM.
09-26-2004, 10:59 AM   #7
bennethos
Member
Registered: Aug 2003
Location: Belgium
Distribution: -- Slackware for servers -- Debian for desktops --
Posts: 124
Original Poster


thx for all the help so far.

I understand the working principles of ipmasq and iptables. It's all working out fine now.

It's quite a lot different for Debian than for Redhat.

in Debian you have a symlink in /etc/rc.S/S41ipmasq (S40 is the networking so ipmasq is loaded after network comes up)

the symlink points to /etc/init.d/ipmasq where your ipmasq is loaded with the following script:

#!/bin/sh
# /etc/init.d/ipmasq
test -x /usr/sbin/ipmasq || exit 1

case "$1" in
    start|restart|force-reload)
        # Display 'whaddamidoing?' prompt
        echo -n "Initializing IP Masquerading..."

        # Setup ipmasq
        /usr/sbin/ipmasq

        # Display 'whaddamidoing?' prompt
        echo "done."
        ;;
    stop)
        # Display 'whaddamidoing?' prompt
        echo -n "Disabling IP Masquerading..."

        # Tear down ipmasq using the ipmasq-down rule set
        /usr/sbin/ipmasq --rules /etc/ipmasq/ipmasq-down

        # Display 'whaddamidoing?' prompt
        echo "done."
        ;;
esac


and the basic check/ipmasq scripts (to see whether you have ipfwadm, ipchains or iptables and what nics you have, e.g. eth0 and eth1) are situated in /etc/ipmasq/ipmasq-down and /etc/ipmasq/rules .

it's quite nicely structured, have a look at:

A00path.def
A02unkernelforward.def
I15lospoof.def
I90extbcast.def
Z99ipmasqrules.def --> one of the last scripts ipmasq runs, contains:

#: Run the deprecated /etc/ipmasq.rules, if present
if [ -e /etc/ipmasq.rules ]; then
    if [ "$NOACT" != "yes" ]; then
        . /etc/ipmasq.rules
    fi

    if [ "$SHOWRULES" = "yes" ]; then
        echo ". /etc/ipmasq.rules"
    fi
fi

so I suppose if you create that file, that's where you will put all your MANUALLY ADDED rules like denying specific packets, DNAT forwarding and so on...

Took some time to find out ...

One more question for TigerOC

quote:

The router must be directed to forward requests for port 80 to the address of the card attached to the router, i.e. 192.168.1.2 (remember what I said above, i.e. card, not machine). The firewall script given above should resolve your forwarding in terms of internet sharing. Each machine behind the router should be instructed to use 192.168.1.1 as the gateway. You may get some insight from my site.

from cisco to eth0 of the linux router/firewall I use the 192.168.1.0 range
for my eth1 I use the 10.0.0.0 range with default gateway 192.168.1.1 like you said.

eth1 has 10.0.0.1 as ip.

I configured all pc's in the lan to use gateway 10.0.0.1 which works out fine!
I suppose this is because the routing table of the linux router is the following:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
localnet        *               255.255.255.0   U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

??? He checks his routing table and sees the default gateway is 192.168.1.1, am I right?


If I put the default gateway in my lan to 192.168.1.1 won't the lan users skip my packet filtering?

btw nice site you have there, I added it to my bookmarks. I also have one which will contain a lot of my debian experience in the future: www.gigaspeeds.com (nothing there yet, just a sample page)


Now the toughest part, making firewall scripts ... You guys have some examples?
Already reading the O'Reilly firewalling book

cheers
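One way to add the port-80 forwarding the thread asks about, as an added example that is not from the thread or from the Debian ipmasq package: a small stand-alone script that an /etc/ipmasq.rules file could invoke with `sh /etc/ipmasq-portfwd.sh apply` (the path is constructed). It assumes the rc.firewall ruleset quoted earlier is already loaded (eth0 external, eth1 internal, FORWARD policy DROP); the web server address 10.0.0.4 is constructed, because the 192.168.1.4 from the first post sits on the eth0 (Cisco) side of the Linux box, and a DNAT rule on the Linux box only applies to a server placed behind eth1.

```shell
#!/bin/sh
# ipmasq-portfwd.sh: added example, not part of the thread or the Debian
# ipmasq package. Forwards TCP port 80 arriving on the external interface
# to a web server behind the internal interface, on top of the rc.firewall
# ruleset quoted above (FORWARD policy DROP, replies allowed ext -> int,
# MASQUERADE on $EXTIF). Interface names are the thread's; the server
# address 10.0.0.4 is constructed (a host behind eth1).
#
# Usage: sh ipmasq-portfwd.sh show   -> print the rules
#        sh ipmasq-portfwd.sh apply  -> run them (e.g. from /etc/ipmasq.rules)

IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}                 # towards the Cisco 827 (192.168.1.2)
INTIF=${INTIF:-eth1}                 # towards the LAN (10.0.0.1)
WEBSERVER=${WEBSERVER:-10.0.0.4}     # constructed address of the web server
PORT=${PORT:-80}

# Minimal validation so a typo in the address does not become a rule that
# quietly forwards to the wrong host.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the iptables commands, one per line. Rule 1 rewrites the
# destination of new connections to port 80 that enter on $EXTIF; it is
# restricted to that interface so LAN hosts are not redirected too.
# Rule 2 lets the (now DNAT'ed) new connection through FORWARD, whose
# policy is DROP in rc.firewall; it is inserted at position 1 so it is
# evaluated before rc.firewall's catch-all LOG rule. The server's replies
# already match rc.firewall's int -> ext ACCEPT rule, and the DNAT is
# reversed by connection tracking, so no further rule is needed.
port_forward_rules() {
    valid_ipv4 "$WEBSERVER" || { echo "bad WEBSERVER: $WEBSERVER" >&2; return 1; }
    cat <<EOF
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport $PORT -j DNAT --to-destination $WEBSERVER:$PORT
$IPTABLES -I FORWARD 1 -i $EXTIF -o $INTIF -p tcp -d $WEBSERVER --dport $PORT -m state --state NEW -j ACCEPT
EOF
}

case "${1:-show}" in
    show)  port_forward_rules ;;
    apply) port_forward_rules | sh -e ;;
    *)     echo "usage: $0 show|apply" >&2; exit 2 ;;
esac
```

Because nothing here reaches LAN hosts unless they route through 10.0.0.1, the LAN machines keep using eth1 as their gateway and all of their traffic still passes the FORWARD chain.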
09-26-2004, 03:33 PM   #8
TigerOC
Senior Member
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Thanks for the compliment on the site bennethos.
Re the firewall, I would suggest this howto as it is very easy to follow, it is a good starting point and it works well. I use it on my machines and once you have ipmasq installed it sets up forwarding for you on boot.
I have set up my system so that the server acts as a server/router so all the traffic is moving through the firewall anyway. I do have firewalls set up on all my machines anyway.
Re your network addresses: they look fine. If you are using static addressing keep all the machines on the same subnet. If the incoming route is a different subnet then, provided the card interfacing with the router is on the same subnet, it's fine. This is where I and a lot of people get very tangled up. The thing I like about Debian is that all these things are controlled through /etc/network/interfaces so it is very easy to manage.

Last edited by TigerOC; 09-26-2004 at 03:34 PM.
 
All times are GMT -5.