Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
12-14-2009, 12:55 AM
|
#1
|
Member
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84
Rep:
|
how to build an iptables gateway/firewall
On my machine I have:
Kubuntu with Virtualbox installed
Virtual client which is Windows7
Virtual client Ubuntu iptables gateway/firewall
The aim is to set the Ubuntu virtual machine as the gateway for the Windows machine. Can this be done? If so with Bridged, Nat, Internal or Host only.Normally you would have a physical machine with two net cards. This is why I am having trouble with this as all tutorials are using this as there situation.
|
|
|
12-14-2009, 02:41 AM
|
#2
|
Senior Member
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,681
|
Hi, I think you would be better off if you set up the iptables firewall and gateway with kubuntu.
It will be fast and secure the whole machine.
Both the ubuntu and win7 clients (vm's) will be behind it.
cheers, Glenn
|
|
|
12-14-2009, 03:15 AM
|
#3
|
Member
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84
Original Poster
Rep:
|
Okay I am now using my host as the gateway. I have issued this command so I assume the traffic will now go to the gateway/router/modem that the host is configured to connect to in /etc/network/interfaces.
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Am I missing a step or should this work?
To be honest I have no idea what I am doing I only really heard of Iptables recently so yeah I am no guru.
|
|
|
12-14-2009, 03:20 AM
|
#4
|
Member
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84
Original Poster
Rep:
|
I did this and Windows7 could connect to my router. However it couldn't connect to my modem which the router plugs into. So I plugged directly into my modem and still can't ping to it. My host can connect to it and the machines are both in the same ip range with the same subnet mask. I could obviously get out as I was connecting to my router. So does anybodies no was going on?
|
|
|
12-14-2009, 03:29 AM
|
#5
|
Senior Member
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,681
|
Well, if you have your vm's setup it should be easy.
What you do need to be aware of, is that the firewalled gateway server
will not compensate for bad web-surfing habits.
But should stop the bad guys from knowing you're at home.
If you like, to make things simple, have a look at easyfwgen
http://easyfwgen.morizot.net/gen/
follow the instructions there, and copy the script at the end.
It's quite straight forward, unless you want to access your systems remotely.
Cheers, Glenn
|
|
|
12-14-2009, 03:55 AM
|
#6
|
Senior Member
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,681
|
Hi, my gateway address is ppp0 (the modems internal ip) 10.64.64.64
Where as my nic is eth0, 192.168.0.2
I have the isp search domain and dns 1 & 2 ip's setup in
/etc/resolv.conf
Code:
nameserver 203.2.193.67
nameserver 202.135.30.4
search vfinternet.au
found in this file....
/etc/sysconfig/network-scripts/ifcfg-eth0
Code:
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.2
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
GATEWAY=10.64.64.64
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=yes
DNS1=203.2.193.67
DNS2=202.135.30.4
DOMAIN=vfinternet.au
RESOLV_MODS=no
LINK_DETECTION_DELAY=6
IPV6INIT=no
IPV6TO4INIT=no
/etc/sysconfig/network
Code:
HOSTNAME=GamesBox.GlennsPref.net
NETWORKING=yes
GATEWAYDEV=ppp0
FORWARD_IPV4=true
CRDA_DOMAIN=AU
http://www.linuxhomenetworking.com/
See how you go.
Regards Glenn
|
|
|
12-14-2009, 05:19 PM
|
#7
|
Member
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84
Original Poster
Rep:
|
IP ?
Modem 10.0.0.138
Router 192.168.34.49
Host 192.168.34.60
Client 192.168.34.61
If the client's gateway is set to the router everything is fine, but if it's set as the host it cannot connect to the modem or net but can connect to the router. The client can always connect to the host. So I'm thinking that the host is dropping the packets in which case I am going to want to get some logging happening so I know what happening.
|
|
|
12-14-2009, 06:27 PM
|
#8
|
Senior Member
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,681
|
Try "easy fw gen" and see what the script is, that may give you an indication.
Forget about the vm's for now. They will work when everything is setup.
You need to be able to connect to the internet and do all the normal tasks, First, and with a firewall.
I use a customised fw script for iptables, developed by a magazine journalist.
Ashton Mills of Atomicmpc Magazine (Australian) wrote a whole tutorial on how to set up a proxied firewalled gateway. With MRTG, traffic routing GUI for bandwidth tracking of internal ip's.
based on Mandrake9.0 (quite old) The whole tutorial is 1Mb tarred and gziped.
After all that searching, found nothing.
pm me for an email copy. It's an interesting read, also covers remote access to your (headless) server.
If I can help more I will.
Also look for these terms, port-forward, masquerade, when searching the net.
Cheers, Glenn
ps a site I have found useful...
http://www.linuxhomenetworking.com/w...Using_iptables
Last edited by GlennsPref; 12-14-2009 at 06:29 PM.
|
|
|
12-14-2009, 07:34 PM
|
#9
|
Member
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84
Original Poster
Rep:
|
I generated a file it was 826 lines and then ran it. I read that howto/article. But still can't get my vm to connect to the modem through my gateway. It is not logging anything on the host when I try to connect to the modem on the vm.
|
|
|
12-14-2009, 07:34 PM
|
#10
|
Senior Member
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,681
|
I have just found another tutorial for ubuntu.
It's scans (pics) of the magazine article, 13Mb.
cheers, Glenn
|
|
|
12-14-2009, 07:36 PM
|
#11
|
Senior Member
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,681
|
Your vm should only see a lan network connection.
Just try to hook up to that, not the modem.(transparent, is another term to look up)
I thought it would be smaller.
My entire iptables script is only....288 lines, and I have quite a few lines commented.
Here it is, mind you, I also have....
/etc/sysconfig/network-scripts/chat-ppp0
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-ppp0
/etc/sysconfig/network-scripts/ifcfg-lo
/etc/sysconfig/network
/etc/ppp/peers/ppp0
/etc/rc.d/init.d/atomic.firewall
/etc/rc.d/rc.local
/etc/hosts.deny
/etc/hosts.allow
/etc/hosts
/etc/sysctl.conf
/etc/resolv.conf
/etc/squid/squid.conf
/etc/security/limits.conf
/etc/ifplugd/ifplugd.conf
set-up, they all work together, with squid in my case.
/etc/init.d/atomic.firewall
Code:
#!/bin/sh
#
# Atomic IPTables firewall script v1.2
#
# Simple but effective firewall written for
# the Atomic Uber Linux box guide,
# Issue 21, Oct 2002
#
# Updated May 2003 for bandwidth shaping
#
# Ashton Mills
# amills@iinet.com.au
# Environment variables, change these values accordingly
EXT_IF=ppp0
INT_IF=eth0
INT_NET=192.168.0.2/24
ANY=0.0.0.0/0
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
#
## You shouldn't need to touch anything below here
#
# Load appropriate iptables modules, others will be loaded dynamically on demand
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
# Set proc values for TCP/IP. In order:
#
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
# Flush everything
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
## --- DEFAULT POLICY --- ##
#
# Drop everything on INPUT and FORWARD chains, accept OUTPUT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
#
## --- INPUT CHAIN --- ##
#
# Allow Telstra hearbeat -- BPA users uncomment this
# $IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
# $IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT
# Allow local net browsing avahi/Zeroconf
# $IPTABLES -A INPUT -p udp --sport 5353 -j ACCEPT
# Allow bootp port -- Optus and some ADSL users need this
# $IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT
# Allow access to services on this (the gateway) machine
# SSH
# $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# Teamspeak
# $IPTABLES -A INPUT -p udp --dport 8767 -j ACCEPT
# Half Life server
# $IPTABLES -A INPUT -p udp --dport 27015 -j ACCEPT
# $IPTABLES -A INPUT -p udp --dport 27010 -j ACCEPT
# FTP
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
# Bittorrent
# $IPTABLES -A INPUT -p tcp --dport 6881:6969 -j ACCEPT
# $IPTABLES -A INPUT -p udp --dport 6881:6969 -j ACCEPT
# $IPTABLES -A INPUT -p udp --dport 4444 -j ACCEPT
# Accept all connections on local and internal interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -j ACCEPT
# Stateful inspection -- Allow packets in from connections already established
$IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop packets from invalid sources (reserved networks and localhost)
$IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP
# Don't log igmp, web or ssl. More noise we don't need to log.
$IPTABLES -A INPUT -p igmp -j DROP
$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
$IPTABLES -A INPUT -p tcp --dport 443 -j DROP
# Log everything else
$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "
#
## -- BANDWIDTH SHAPING -- ##
#
#
# EGRESS (upstream)
#
# TOS marked packets (we'll just work with minimise-delay and maximise-throughput)
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30
# UDP (most games, including all Half Life mods as well as DNS, IM clients and more)
$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10
# Games that use DirectPlay from DirectX (note UDP traffic already matched above)
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 47624 -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
# Place other games here
# EVE online
# $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 26000 -j MARK --set-mark 10
# ICMP (ping)
$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10
# SSH
# $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10
# Web, SSL
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20
# ACKs
$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 20
#
# No need for catchall for class 30, handled by HTB root qdisc initilisation
#
#
# INGRESS (downstream)
#
# Only prioritise class 10 traffic
# Don't police high priority UDP, game, ping and SSH packets
$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 47624 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10
# Place other games here
# EVE online
# $IPTABLES -t mangle -A PREROUTING -p tcp --sport 26000 -j MARK --set-mark 10
# Catchall, police everything else
$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30
#
# NOTE: It's a good idea -not- to add HTTP to be let through the police filter even
# for browsing as many P2P programs, not to mention your HTTP file downloads, will
# flood the link unpoliced, causing delays with high priority (class 10) packets.
# Shape HTTP going out, but let it be bulk coming in.
#
# Read the note at the end of the atomic.shaper script for more on INGRESS shaping.
#
#
## --- FORWARD CHAIN --- ##
#
# Stateful inspection -- Forward in connections already established
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface ppp0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------
# $iptables -A OUTPUT -p udp -o ppp0 --dport 53 --sport 1024:65535 -j ACCEPT
# $iptables -A INPUT -p udp -i ppp0 --sport 53 --dport 1024:65535 -j ACCEPT
# Forwards for software running on Windows/Linux machines behind the firewall
# Kazaa Lite (change destination IP accordingly)
# $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 1214 -j DNAT --to-dest 192.168.0.2
# $IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 1214 -d 192.168.0.2 -j ACCEPT
# Bittorrent
# $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881:6969 -j DNAT --to-dest 192.168.0.2
# $IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 6881:6969 -d 192.168.0.2 -j ACCEPT
# $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 6881:6969 -j DNAT --to-dest 192.168.0.2
# $IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 6881:6969 -d 192.168.0.2 -j ACCEPT
# $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 4444 -j DNAT --to-dest 192.168.0.2
# $IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 4444 -d 192.168.0.2 -j ACCEPT
# Forwards for hosting DirectPlay games
# iptables -A FORWARD -i ppp0 -o eth0 -p tcp --dport 47624 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 47624 -j DNAT --to-destination 192.168.0.2:47624
# iptables -A FORWARD -i ppp0 -o eth0 -p tcp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2300:2400 -j DNAT --to-destination 192.168.0.2:2300-2400
# iptables -A FORWARD -i ppp0 -o eth0 -p udp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 2300:2400 -j DNAT --to-destination 192.168.0.2:2300-2400
# Forward out all traffic
$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT
#
## --- OUTPUT CHAIN --- ##
#
# Follows policy
#
## --- NAT --- ##
#
# Enable masquerade
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE
#
## -- Transparent proxy to Squid --- ##
#
$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
Just more info. The tutorials work through the set up process.
Regards Glenn
Last edited by GlennsPref; 12-14-2009 at 07:50 PM.
Reason: The tutorials work through the set up process
|
|
|
12-14-2009, 08:50 PM
|
#12
|
Member
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84
Original Poster
Rep:
|
When you have got tutorials that use eth0 as internal and eth1 as external could I replace eth1 with the router or modems address
|
|
|
12-14-2009, 09:41 PM
|
#13
|
Member
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84
Original Poster
Rep:
|
I think that it is now working. I used http://www.debian-administration.org/articles/23 script. Now I just gotta block something to confirm that the client is going through they gateway and abiding by the rules. Maybe block ping or a website if that is possible through iptables.
|
|
|
12-14-2009, 10:04 PM
|
#14
|
Member
Registered: Sep 2009
Location: Launceston
Distribution: Kubuntu
Posts: 84
Original Poster
Rep:
|
Actually I have change my mind it's not working.
iptables -F
iptables -A INPUT -j DROP
Now everything will be dropped
My host has no net connection
Unfortunly my vm does have a net connection. So it's not be processed by iptables even though the host is set as the gateway on the vm.
|
|
|
12-15-2009, 01:10 AM
|
#15
|
Senior Member
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,681
|
Hi, you may need to change the vm's to the internal network, to be protected by the iptables firewall.
I have winxpsp2 in a VirtualBox vm and it uses 192.168.0.2 to connect to the internet.....
But that may be because of the proxy.
Sorry for the bum steer, if any.
I can email those other tutes to you if you want, pm me to keep the email address private, if you like, less spam that way.
Like I said before, don't worry about the vm's until the system is secure and is capable of forwarding ipv4.
sadly, there are more than a few things involved, and I am not upto date, and have never used any of the *buntus.
ps, what I should mention is that....
I have turned off the services iptables, resolv, and mandi (mandriva(?))
Because I have a custom fw script and I do not want resolv/mandi to reset my dns and isp lookup addresses.
If you go through the you may find the missing link.
cheers, Glenn
Last edited by GlennsPref; 12-15-2009 at 01:19 AM.
Reason: linuxhomenetworking.com
|
|
|
All times are GMT -5. The time now is 01:26 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|