LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 12-14-2009, 12:55 AM   #1
targettl
Member
 
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84

Rep: Reputation: 16
how to build an iptables gateway/firewall


On my machine I have:
Kubuntu with Virtualbox installed
Virtual client which is Windows7
Virtual client Ubuntu iptables gateway/firewall

The aim is to set the Ubuntu virtual machine as the gateway for the Windows machine. Can this be done? If so, with Bridged, NAT, Internal or Host only? Normally you would have a physical machine with two net cards. This is why I am having trouble with this, as all tutorials are using this as their situation.
 
Old 12-14-2009, 02:41 AM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,681
Blog Entries: 33

Rep: Reputation: 287
Hi, I think you would be better off if you set up the iptables firewall and gateway with kubuntu.

It will be fast and secure the whole machine.

Both the ubuntu and win7 clients (vm's) will be behind it.

cheers, Glenn
 
Old 12-14-2009, 03:15 AM   #3
targettl
Okay, I am now using my host as the gateway. I have issued this command, so I assume the traffic will now go to the gateway/router/modem that the host is configured to connect to in /etc/network/interfaces.
Code:
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Am I missing a step or should this work?
To be honest, I have no idea what I am doing. I only really heard of iptables recently, so yeah, I am no guru.
 
Old 12-14-2009, 03:20 AM   #4
targettl
I did this and Windows7 could connect to my router. However, it couldn't connect to my modem which the router plugs into. So I plugged directly into my modem and still can't ping it. My host can connect to it and the machines are both in the same IP range with the same subnet mask. I could obviously get out as I was connecting to my router. So does anybody know what's going on?
 
Old 12-14-2009, 03:29 AM   #5
GlennsPref
Well, if you have your vm's setup it should be easy.

What you do need to be aware of is that the firewalled gateway server will not compensate for bad web-surfing habits.

But should stop the bad guys from knowing you're at home.

If you like, to make things simple, have a look at easyfwgen

http://easyfwgen.morizot.net/gen/

follow the instructions there, and copy the script at the end.

It's quite straight forward, unless you want to access your systems remotely.

Cheers, Glenn
 
Old 12-14-2009, 03:55 AM   #6
GlennsPref
Hi, my gateway address is ppp0 (the modem's internal IP) 10.64.64.64

Whereas my nic is eth0, 192.168.0.2

I have the isp search domain and dns 1 & 2 ip's setup in

/etc/resolv.conf
Code:
nameserver 203.2.193.67
nameserver 202.135.30.4
search vfinternet.au
found in this file....

/etc/sysconfig/network-scripts/ifcfg-eth0
Code:
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.2
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
GATEWAY=10.64.64.64
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=yes
DNS1=203.2.193.67
DNS2=202.135.30.4
DOMAIN=vfinternet.au
RESOLV_MODS=no
LINK_DETECTION_DELAY=6
IPV6INIT=no
IPV6TO4INIT=no
/etc/sysconfig/network
Code:
HOSTNAME=GamesBox.GlennsPref.net
NETWORKING=yes
GATEWAYDEV=ppp0
FORWARD_IPV4=true
CRDA_DOMAIN=AU
http://www.linuxhomenetworking.com/

See how you go.

Regards Glenn
 
Old 12-14-2009, 05:19 PM   #7
targettl
IP ?
Modem 10.0.0.138
Router 192.168.34.49
Host 192.168.34.60
Client 192.168.34.61

If the client's gateway is set to the router everything is fine, but if it's set as the host it cannot connect to the modem or net, but can connect to the router. The client can always connect to the host. So I'm thinking that the host is dropping the packets, in which case I am going to want to get some logging happening so I know what's happening.
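A worked example for the layout in this post, written for this thread rather than taken from it: the host at 192.168.34.60 forwards for the VM at 192.168.34.61, logs whatever FORWARD is about to drop, and rewrites the VM's source so the router's replies come back through the host. It assumes the host's single NIC is eth0 (not stated in the thread); the `chain_for` helper shows which filter chain routed VM traffic actually crosses.

```sh
#!/bin/sh
# Added example for the layout in this post: host 192.168.34.60 acts as
# gateway for the VM 192.168.34.61, both on one LAN behind router .49.
# Assumption (not in the thread): the host's single NIC is eth0.
LAN_IF=eth0
HOST_IP=192.168.34.60
VM_IP=192.168.34.61
IPT=/sbin/iptables

# Which filter chain a packet crossing this host traverses. Traffic the VM
# routes through the host is FORWARD traffic; INPUT rules never see it.
chain_for() {  # usage: chain_for <src-ip> <dst-ip>
    case "$1:$2" in
        "$HOST_IP":*) echo OUTPUT ;;
        *:"$HOST_IP") echo INPUT ;;
        *)            echo FORWARD ;;
    esac
}

# Print the ruleset; "APPLY=1 sh thisfile" runs it (needs root).
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Otherwise the host tells the VM via ICMP redirect to use the router directly
sysctl -w net.ipv4.conf.all.send_redirects=0
$IPT -F FORWARD
$IPT -t nat -F POSTROUTING
$IPT -P FORWARD DROP
# replies to connections the VM opened
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# only the VM may originate forwarded traffic
$IPT -A FORWARD -i $LAN_IF -s $VM_IP -m state --state NEW -j ACCEPT
# log what the policy is about to drop so the failure is visible in syslog
$IPT -A FORWARD -j LOG --log-prefix "fw-drop " --log-level 4
# rewrite the VM's source to the host so the router's replies return via the host
$IPT -t nat -A POSTROUTING -o $LAN_IF -s $VM_IP -j SNAT --to-source $HOST_IP
EOF
}

# Count generated lines matching a pattern (self-check before applying).
count_rules() {  # usage: count_rules <pattern>
    gateway_rules | grep -c -- "$1"
}

if [ "${APPLY:-0}" = 1 ]; then
    gateway_rules | sh
else
    gateway_rules
fi
```

Run it without APPLY first to read the generated rules; the logged drops then show up in the kernel log with the "fw-drop " prefix.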
 
Old 12-14-2009, 06:27 PM   #8
GlennsPref
Try "easy fw gen" and see what the script is, that may give you an indication.

Forget about the vm's for now. They will work when everything is setup.

You need to be able to connect to the internet and do all the normal tasks first, and with a firewall.

I use a customised fw script for iptables, developed by a magazine journalist.

Ashton Mills of Atomicmpc Magazine (Australian) wrote a whole tutorial on how to set up a proxied firewalled gateway. With MRTG, traffic routing GUI for bandwidth tracking of internal ip's.

Based on Mandrake 9.0 (quite old). The whole tutorial is 1Mb tarred and gzipped.

After all that searching, found nothing.

pm me for an email copy. It's an interesting read, also covers remote access to your (headless) server.

If I can help more I will.

Also look for these terms, port-forward, masquerade, when searching the net.

Cheers, Glenn

ps a site I have found useful...
http://www.linuxhomenetworking.com/w...Using_iptables

Last edited by GlennsPref; 12-14-2009 at 06:29 PM.
 
Old 12-14-2009, 07:34 PM   #9
targettl
I generated a file, it was 826 lines, and then ran it. I read that howto/article, but still can't get my vm to connect to the modem through my gateway. It is not logging anything on the host when I try to connect to the modem on the vm.
 
Old 12-14-2009, 07:34 PM   #10
GlennsPref
I have just found another tutorial for ubuntu.

It's scans (pics) of the magazine article, 13Mb.

cheers, Glenn
 
Old 12-14-2009, 07:36 PM   #11
GlennsPref
Your vm should only see a lan network connection.

Just try to hook up to that, not the modem. (Transparent is another term to look up.)

I thought it would be smaller.

My entire iptables script is only....288 lines, and I have quite a few lines commented.

Here it is, mind you, I also have....
/etc/sysconfig/network-scripts/chat-ppp0
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-ppp0
/etc/sysconfig/network-scripts/ifcfg-lo
/etc/sysconfig/network
/etc/ppp/peers/ppp0
/etc/rc.d/init.d/atomic.firewall
/etc/rc.d/rc.local
/etc/hosts.deny
/etc/hosts.allow
/etc/hosts
/etc/sysctl.conf
/etc/resolv.conf
/etc/squid/squid.conf
/etc/security/limits.conf
/etc/ifplugd/ifplugd.conf
set-up, they all work together, with squid in my case.

/etc/init.d/atomic.firewall
Code:
#!/bin/sh
#
# Atomic IPTables firewall script v1.2
#
# Simple but effective firewall written for
# the Atomic Uber Linux box guide,
# Issue 21, Oct 2002
#
# Updated May 2003 for bandwidth shaping
#
# Ashton Mills
# amills@iinet.com.au

# Environment variables, change these values accordingly

	EXT_IF=ppp0
	INT_IF=eth0
	INT_NET=192.168.0.0/24

	ANY=0.0.0.0/0

	IPTABLES=/sbin/iptables
	MODPROBE=/sbin/modprobe

#
## You shouldn't need to touch anything below here
#

# Load appropriate iptables modules, others will be loaded dynamically on demand

	$MODPROBE ip_tables
	$MODPROBE iptable_filter
	$MODPROBE ip_nat_ftp
	$MODPROBE ip_conntrack
	$MODPROBE ip_conntrack_ftp

# Set proc values for TCP/IP. In order:
#
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)

	echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
	echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
	echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
	echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
	echo "1" > /proc/sys/net/ipv4/ip_dynaddr
	echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything

	$IPTABLES -F INPUT
	$IPTABLES -F OUTPUT
	$IPTABLES -F FORWARD
	$IPTABLES -t nat -F
	$IPTABLES -t mangle -F
	
#
## --- DEFAULT POLICY --- ##
#

	# Drop everything on INPUT and FORWARD chains, accept OUTPUT

	$IPTABLES -P INPUT DROP
	$IPTABLES -P FORWARD DROP
	$IPTABLES -P OUTPUT ACCEPT

#
## --- INPUT CHAIN --- ##
#

	# Allow Telstra heartbeat -- BPA users uncomment this

#	$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
#	$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT

	# Allow local net browsing avahi/Zeroconf

#	$IPTABLES -A INPUT -p udp --sport 5353 -j ACCEPT

	
	# Allow bootp port -- Optus and some ADSL users need this
	
#	$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT

	
	# Allow access to services on this (the gateway) machine
	
	# SSH
#	$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

	# Teamspeak
#	$IPTABLES -A INPUT -p udp --dport 8767 -j ACCEPT

	# Half Life server
#	$IPTABLES -A INPUT -p udp --dport 27015 -j ACCEPT
#	$IPTABLES -A INPUT -p udp --dport 27010 -j ACCEPT
	
	# FTP
	$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
	$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT

	# Bittorrent
#	$IPTABLES -A INPUT -p tcp --dport 6881:6969 -j ACCEPT
#	$IPTABLES -A INPUT -p udp --dport 6881:6969 -j ACCEPT
#	$IPTABLES -A INPUT -p udp --dport 4444 -j ACCEPT

	# Accept all connections on local and internal interfaces

	$IPTABLES -A INPUT -i lo -j ACCEPT
	$IPTABLES -A INPUT -i $INT_IF -j ACCEPT


	# Stateful inspection -- Allow packets in from connections already established

	$IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

	
	# Drop packets from invalid sources (reserved networks and localhost)

	$IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
	$IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
	$IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
	$IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
	$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP
	

	# Don't log igmp, web or ssl. More noise we don't need to log.

	$IPTABLES -A INPUT -p igmp -j DROP
	$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
	$IPTABLES -A INPUT -p tcp --dport 443 -j DROP


	# Log everything else

	$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "

#
## -- BANDWIDTH SHAPING  -- ##
#

#
# EGRESS (upstream)
#

	# TOS marked packets (we'll just work with minimise-delay and maximise-throughput)
	$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
	$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30

	# UDP (most games, including all Half Life mods as well as DNS, IM clients and more)
	$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10
	
	# Games that use DirectPlay from DirectX (note UDP traffic already matched above)
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 47624 -j MARK --set-mark 10
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10

	# Place other games here
	# EVE online
#	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 26000 -j MARK --set-mark 10

	# ICMP (ping)
	$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10
	
	# SSH
#	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10
    
	# Web, SSL
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20

	# ACKs	
	$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 20

	#
	# No need for catchall for class 30, handled by HTB root qdisc initialisation
	#
	
#
# INGRESS (downstream)
#

	# Only prioritise class 10 traffic

	# Don't police high priority UDP, game, ping and SSH packets
	$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 47624 -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10

	# Place other games here
	# EVE online
#	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 26000 -j MARK --set-mark 10

	# Catchall, police everything else
	$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30

	#
	# NOTE: It's a good idea -not- to add HTTP to be let through the police filter even
	# for browsing as many P2P programs, not to mention your HTTP file downloads, will
	# flood the link unpoliced, causing delays with high priority (class 10) packets.
	# Shape HTTP going out, but let it be bulk coming in.
	#
	# Read the note at the end of the atomic.shaper script for more on INGRESS shaping.
	#
	
#
## --- FORWARD CHAIN --- ##
#

	# Stateful inspection -- Forward in connections already established

	$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT

	#---------------------------------------------------------------
	# Allow outbound DNS queries from the FW and the replies too
	#
	# - Interface ppp0 is the internet interface
	#
	# Zone transfers use TCP and not UDP. Most home networks
	# / websites using a single DNS server won't require TCP statements
	#
	#---------------------------------------------------------------
 
#	$IPTABLES -A OUTPUT -p udp -o $EXT_IF --dport 53 --sport 1024:65535 -j ACCEPT

#	$IPTABLES -A INPUT -p udp -i $EXT_IF --sport 53 --dport 1024:65535 -j ACCEPT

	# Forwards for software running on Windows/Linux machines behind the firewall

	# Kazaa Lite (change destination IP accordingly)

#	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 1214 -j DNAT --to-dest 192.168.0.2
#	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 1214 -d 192.168.0.2 -j ACCEPT 
	
	# Bittorrent

#	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881:6969 -j DNAT --to-dest 192.168.0.2
#	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 6881:6969 -d 192.168.0.2 -j ACCEPT

#	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 6881:6969 -j DNAT --to-dest 192.168.0.2
#	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 6881:6969 -d 192.168.0.2 -j ACCEPT

#	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 4444 -j DNAT --to-dest 192.168.0.2
#	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 4444 -d 192.168.0.2 -j ACCEPT

	# Forwards for hosting DirectPlay games
 
#	$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --dport 47624 -m state --state NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 47624 -j DNAT --to-destination 192.168.0.2:47624
#	$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 2300:2400 -j DNAT --to-destination 192.168.0.2:2300-2400
#	$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p udp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 2300:2400 -j DNAT --to-destination 192.168.0.2:2300-2400

	
	# Forward out all traffic

	$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT

#
## --- OUTPUT CHAIN --- ##
#

	# Follows policy

#
## --- NAT --- ##
#

	# Enable masquerade

	$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE

#
## -- Transparent proxy to Squid --- ##
#

	$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
Just more info. The tutorials work through the set up process.

Regards Glenn

Last edited by GlennsPref; 12-14-2009 at 07:50 PM. Reason: The tutorials work through the set up process
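An added helper, not part of the thread or of the Atomic script, that summarises the kernel log lines written by the script's `LOG --log-prefix "|iptables -- "` rule, so what was dropped on the external interface can be read per source, destination and port. The sample lines are constructed (hostname "gw" and the addresses are made up, using documentation ranges); the field layout is the standard ipt_LOG output.

```sh
#!/bin/sh
# Added example, not from the thread or the Atomic script: summarise the kernel
# log lines that the script's "LOG --log-prefix" rule writes, so dropped traffic
# on the external interface can be read per source/destination/port.
LOG_PREFIX='|iptables -- '

# Constructed sample lines in the standard ipt_LOG layout; "gw" and the
# addresses are made up (RFC 5737 documentation ranges). The last line is
# non-firewall noise that must be ignored.
SAMPLE_LOG='Dec 14 19:20:01 gw kernel: |iptables -- IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=4123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 14 19:20:02 gw kernel: |iptables -- IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=4124 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 14 19:20:05 gw kernel: |iptables -- IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=UDP SPT=53 DPT=1025 LEN=40
Dec 14 19:20:09 gw kernel: |iptables -- IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Dec 14 19:20:10 gw sshd[812]: Accepted publickey for glenn from 192.168.0.2'

# Print "<count> <src> <dst> <proto> <dport>" per distinct flow, busiest first.
summarise_drops() {  # usage: summarise_drops < /var/log/kern.log
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) == 0 { next }             # not one of our LOG lines
        {
            split("", f)                            # clear the KEY=VALUE map
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            dpt = ("DPT" in f) ? f["DPT"] : "-"     # ICMP carries no port
            n[f["SRC"] " " f["DST"] " " f["PROTO"] " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Sources that hit the external interface at least N times, one per line.
noisy_sources() {  # usage: noisy_sources <N> < /var/log/kern.log
    summarise_drops | awk -v min="$1" '
        { per[$2] += $1 }
        END { for (s in per) if (per[s] >= min) print s }
    ' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

On a live gateway feed it the real log instead of the sample, e.g. `summarise_drops < /var/log/kern.log`.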
 
Old 12-14-2009, 08:50 PM   #12
targettl
When you have got tutorials that use eth0 as internal and eth1 as external, could I replace eth1 with the router or modem's address?
 
Old 12-14-2009, 09:41 PM   #13
targettl
I think that it is now working. I used the http://www.debian-administration.org/articles/23 script. Now I just gotta block something to confirm that the client is going through the gateway and abiding by the rules. Maybe block ping or a website, if that is possible through iptables.
 
Old 12-14-2009, 10:04 PM   #14
targettl
Actually, I have changed my mind, it's not working.

Code:
iptables -F
iptables -A INPUT -j DROP

Now everything will be dropped.
My host has no net connection.
Unfortunately my vm does have a net connection. So it's not being processed by iptables even though the host is set as the gateway on the vm.
 
Old 12-15-2009, 01:10 AM   #15
GlennsPref
Hi, you may need to change the vm's to the internal network, to be protected by the iptables firewall.

I have winxpsp2 in a VirtualBox vm and it uses 192.168.0.2 to connect to the internet.....
But that may be because of the proxy.

Sorry for the bum steer, if any.

I can email those other tutes to you if you want, pm me to keep the email address private, if you like, less spam that way.

Like I said before, don't worry about the vm's until the system is secure and is capable of forwarding ipv4.

Sadly, there are more than a few things involved, and I am not up to date, and have never used any of the *buntus.

ps, what I should mention is that....

I have turned off the services iptables, resolv, and mandi (mandriva(?))

Because I have a custom fw script and I do not want resolv/mandi to reset my dns and isp lookup addresses.


If you go through the
Quote:
ps a site I have found useful...
http://www.linuxhomenetworking.com/w...Using_iptables
you may find the missing link.

cheers, Glenn

Last edited by GlennsPref; 12-15-2009 at 01:19 AM. Reason: linuxhomenetworking.com
 
  

