LinuxQuestions.org


cccc 03-24-2006 10:43 AM

allow internet access from LAN using IPTABLES
 
hi

my network:

internet & ipsec gateway has 2 interfaces:
eth0 -> external interface (internet)
eth1 -> internal interface (LAN)

LAN:
LOCAL_LAN="192.168.115.0/24"

remote networks:
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"

IPsec works without problems and I can reach the remote networks from any LAN machine,
but I cannot access the Internet from the LAN machines.

What's wrong?

I'm using this firewall script:
Code:

#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"
IPTABLES="/sbin/iptables"

# Flush the filter, nat and mangle tables
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Default policies: drop inbound and forwarded traffic, allow outbound
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# Services reachable from the Internet (FTP, SSH, DNS, HTTP, HTTPS)
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,53,80,443 -i $EXT_IF -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -i $EXT_IF -j ACCEPT # DNS over UDP

# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

# Let replies and marked VPN traffic from the remote networks through nat PREROUTING
$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Spoof protection: nothing addressed to the LAN may come in on the external interface
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP

# Inbound: replies, ICMP, IKE (UDP 500) and marked VPN packets
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Forwarding: replies, marked VPN packets from outside, anything from the LAN
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

Code:

# iptables -V
iptables v1.2.11

Code:

# uname -a
Linux sarge.stable 2.6.8-2-686 #1 Tue Aug 16 13:22:48 UTC 2005 i686 GNU/Linux


demian 03-24-2006 11:17 AM

Add

iptables -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to <your external IP>

if you have a static external IP or

iptables -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j MASQUERADE

if it's dynamic

cccc 03-24-2006 04:47 PM

thanks, it works now

but I have a very strange problem with this script.

If I run it, my DNS server running on the same machine doesn't work anymore
and the server is completely hanging.
I cannot shut down the machine, because the name server could not be stopped!

Does someone know what's wrong and how to solve this problem?
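Added example, not code from any poster in this thread: a gateway script in the shape of cccc's original that carries the NAT rule from demian's answer (SNAT when a static address is given, MASQUERADE otherwise, plus enabling IP forwarding) and, for the follow-up question, an ACCEPT rule for the loopback interface. cccc's script sets the INPUT policy to DROP and has no rule for lo, so a local resolver or rndc cannot reach named on 127.0.0.1; it is assumed here, since the thread gives no diagnosis, that this is why the name server appears to hang. The interface names and networks are the ones cccc listed; the exemption of the remote LANs from NAT assumes the kernel-native IPsec stack (with KLIPS that traffic leaves via ipsec0 and the exemption is simply unused). DRY_RUN=1, the default, prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from this thread. Gateway firewall with two fixes:
#   1. POSTROUTING NAT for the LAN (demian's answer) and ip_forward=1;
#   2. ACCEPT on lo, missing from cccc's script, which with "-P INPUT DROP"
#      is assumed to be why the local name server "hangs".
# Assumed: interface names and networks as cccc listed them.
# DRY_RUN=1 (default) echoes the commands; DRY_RUN=0 applies them (root needed).

DRY_RUN="${DRY_RUN:-1}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LOCAL_LAN="${LOCAL_LAN:-192.168.115.0/24}"
REMOTE_LANS="${REMOTE_LANS:-192.168.0.0/24 192.168.1.0/24 192.168.2.0/24}"
STATIC_IP="${STATIC_IP:-}"   # empty: dynamic external address -> MASQUERADE

# run CMD...: echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}
ipt() { run iptables "$@"; }

# Flush, default-deny, loopback, connection tracking, anti-spoofing.
base_rules() {
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Fix 2: local daemons talk to each other over lo (resolver -> named on
    # 127.0.0.1:53, rndc -> named on 127.0.0.1:953); INPUT DROP cuts that off.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Packets claiming a LAN source must never arrive on the external side.
    ipt -A INPUT -i "$EXT_IF" -s "$LOCAL_LAN" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$LOCAL_LAN" -j DROP
}

# Services offered to the Internet and the IPsec rules, as in the original.
service_and_vpn_rules() {
    ipt -A INPUT -i "$EXT_IF" -p tcp -m multiport --dport 21,22,53,80,443 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -t mangle -A PREROUTING -i "$EXT_IF" -p esp -j MARK --set-mark 1
    ipt -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -m mark --mark 1 -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -m mark --mark 1 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -j ACCEPT
}

# Fix 1: source NAT for the LAN. Traffic to the remote LANs is exempted first:
# with the kernel-native IPsec stack it leaves through $EXT_IF before
# encryption, and rewriting its source would stop it matching the IPsec
# policy (assumption: native stack; with KLIPS the exemption is unused).
nat_rules() {
    for net in $REMOTE_LANS; do
        ipt -t nat -A POSTROUTING -s "$LOCAL_LAN" -d "$net" -j ACCEPT
    done
    if [ -n "$STATIC_IP" ]; then
        ipt -t nat -A POSTROUTING -s "$LOCAL_LAN" -o "$EXT_IF" -j SNAT --to-source "$STATIC_IP"
    else
        ipt -t nat -A POSTROUTING -s "$LOCAL_LAN" -o "$EXT_IF" -j MASQUERADE
    fi
    # Without forwarding enabled the kernel does not route LAN packets at all.
    run sysctl -w net.ipv4.ip_forward=1
}

apply_all() {
    base_rules
    service_and_vpn_rules
    nat_rules
}

apply_all
```

Run it once with the default DRY_RUN=1 and read the printed rule list before applying it with DRY_RUN=0; the order matters, since the per-network ACCEPT rules must precede the MASQUERADE/SNAT rule in POSTROUTING, and the lo rule must come before anything that could drop local traffic.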

