LinuxQuestions.org

Linux - Networking: internet gateway problems (iptables configuration)
https://www.linuxquestions.org/questions/linux-networking-3/internet-gateway-problems-iptables-configuration-85328/

woranl 08-24-2003 09:07 PM

internet gateway problems (iptables configuration)
 
Seriously, I tried not to post another new thread regarding iptables... (because many threads are available here)

But even after reading all those iptables-related threads and my Linux books, I'm still having trouble configuring my iptables.

My internet gateway/firewall is connected to a router, which connects to the internet. My gateway box has an IP of 192.168.0.3 (the IP of eth0, which connects to the router) and a static internal IP of 192.168.1.254 (the IP of eth1).

On my Windows 2000 client computer, I set up the following:
ip: 192.168.1.2
subnet mask: 255.255.255.0
default gateway: 192.168.1.254
preferred dns server: 206.47.244.101
alternate dns server: 198.235.216.114

This is what I did to configure my gateway:

I modified the /etc/sysctl.conf file to set net.ipv4.ip_forward=1

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --flush
iptables --flush -t nat

I haven't set any rules yet, because I want to test whether the gateway actually works or not. With this setting, the gateway should accept any IP packet coming into or going out of the network, right?

When I'm on my win2k box, I can only ping my gateway box (IP: 192.168.1.254) and my router (IP: 192.168.0.1)... I can't ping any other address.

Also, although I can ping my router (192.168.0.1), I can't get into the router setup page using a browser (http://192.168.0.1)... I can't get into that page.

*sigh* What is going on? :scratch:

tyler0123 08-24-2003 10:36 PM

What does the command

route print

show on the Windows 2k box?

And what does route -n show on the Linux firewall?

Also, you may have to tell the router to use DHCP and put the DNS addresses in there.

And you may need routes in the routing tables on the router and the gateway box.

First off, connect directly to the router and see if you can get online then. Cut out the middleman. Okay, also, I will help however I can, but I need more info.

woranl 08-24-2003 11:18 PM

From route print on my win2k box:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x8000003 ...00 50 ba 9f 3f 48 ...... D-Link DHN-520 10Mb Home Phoneline NIC
===========================================================================
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254      192.168.1.2       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2      192.168.1.2       1
      192.168.1.2  255.255.255.255        127.0.0.1        127.0.0.1       1
    192.168.1.255  255.255.255.255      192.168.1.2      192.168.1.2       1
        224.0.0.0        224.0.0.0      192.168.1.2      192.168.1.2       1
  255.255.255.255  255.255.255.255      192.168.1.2      192.168.1.2       1
Default Gateway:     192.168.1.254
===========================================================================
Persistent Routes:
  None


From route -n on my Linux gateway:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0


Hope you can read it... it's kind of messy (sorry)

My router is using dhcp

:scratch:

tyler0123 08-24-2003 11:32 PM

Can you ping internet addresses from the Linux firewall box?

The router may need a route to the inside addresses.

Also, the netmask of the lo interface, the 127.0.0.0 one, should be 255.0.0.0.

just trying to throw things out there.

woranl 08-24-2003 11:45 PM

Yes, I can ping internet addresses from my Linux gateway with no problem. I can ping yahoo, google, etc.

"the router may need a route to the inside addresses."
Can you explain this in more detail?


How do I change the 127.0.0.0 netmask to 255.0.0.0? In the ifcfg-lo file?

yocompia 08-25-2003 04:20 PM

I had similar problems, but if you use DHCP to connect the gateway (Linux box) to the remote computer (Win 2k), then this should work fine. I suggest you don't set the IP on the Win 2k machine by hand; instead, set up the DHCP daemon (dhcpd) on the Linux box to give the Win 2k machine an IP. Try finding and reading the DHCP mini-HOWTO with Google to get more info on DHCP.

DHCP is great because it makes your life easy if you set it up correctly. If you try this and hit snags, just post and I'll help.

What confuses me most here is why you're using a router, as your Linux box does a much better job of it. I understand if you're sharing your internet with others though.

gl,
y-p

woranl 08-25-2003 04:44 PM

So, what you are saying is that I should use dhcpd instead of static IPs, right? Actually, before I went to static IPs, I tried the dhcpd daemon, but I had trouble configuring the /etc/dhcpd.conf file. Can you post your dhcpd.conf file here?

Also, even if I get dhcpd working, do I still have to configure iptables?

BTW, I'm using a router because I'm living in a university residence right now and the only way I can connect to the internet is through the router. I'm going to move soon, so I want to set up my Linux gateway before I move, so that I don't have to configure my network after I move to the new place.

woranl 08-25-2003 07:29 PM

I DID IT !!!! YEAH !!!!
 
hey guys I did it !

I finally setup a gateway that really works....

Right now all my internal IPs are static... maybe I'll start dhcpd later (which one is better?)

I want to share this with you guys. This is what I did for my iptables configuration:

# NAT: rewrite the source address of everything leaving via eth0 (the router side) to the gateway's own address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# one user-defined chain does the filtering for both INPUT and FORWARD
iptables -N block
iptables -A INPUT -j block
iptables -A FORWARD -j block
# packets belonging to connections conntrack already knows about are let through
iptables -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
# new connections are accepted only if they did NOT arrive on eth0, i.e. they came in on eth1 (the LAN) or lo
# (the original post used the older "-i ! eth0" spelling; current iptables wants the "!" in front of the option)
iptables -A block ! -i eth0 -m state --state NEW -j ACCEPT
# everything else is dropped
iptables -A block -j DROP

service iptables save

For my win2k box:
IP: 192.168.1.2
Subnet: 255.255.255.0
Gateway: 192.168.1.254
DNS: from ISP

Any suggestions regarding my configuration?

But one thing bothers me... my win2k box keeps sending packets out even when I'm not connected to anything (e.g. internet, file sharing, etc.). What is it sending??? :scratch:

yocompia 08-25-2003 11:18 PM

I have no idea about the Win 2k computer's behavior, but I wouldn't be too concerned if it doesn't constitute too much traffic outflow. If it's an influx of packets, then I'd be concerned. Maybe it has to do with the Win 2k client that manages the connection...

The only things I'd suggest are

(1) stronger matching rule(s) in place of

iptables -A block ! -i eth0 -m state --state NEW -j ACCEPT

like

iptables -A FORWARD -i eth1 -o eth0 -m state ! --state INVALID -m mac --mac-source <MAC of your remote computer's card> -j ACCEPT

(this matches both state NOT INVALID and the MAC of the source computer)

(2) change default policies to DROP using

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

(3) incorporate logging into your tables; this lets you see when people send crap packets to scan you

i don't know how relevant this all is, but i try to be a nut w/ my firewall.

nice job,
y-p
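Added example (written for this page, not any poster's script): woranl's working rules combined with suggestions (2) and (3) above into one iptables-restore ruleset. Default policy DROP on all three chains, masquerading on the router side, stateful forwarding from the LAN only, and a rate-limited LOG chain in front of the final DROP. It assumes the layout from the thread: eth0 toward the router (192.168.0.3), eth1 toward the LAN (192.168.1.254), LAN 192.168.1.0/24. The interface names, the LAN subnet and the SSH rule are assumptions; change them to fit.

```shell
#!/bin/sh
# Added example: stateful NAT gateway as an iptables-restore ruleset.
# Assumed layout (from the thread): WAN=eth0 toward the router, LAN=eth1,
# LAN subnet 192.168.1.0/24. Not the original poster's configuration.
#
# Forwarding must be on before any of this does anything:
#   sysctl -w net.ipv4.ip_forward=1   (the poster put it in /etc/sysctl.conf)

ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# LAN traffic leaving via the router side gets the gateway's own address,
# so the router never needs a route back to 192.168.1.0/24
-A POSTROUTING -s ${lan_net} -o ${wan} -j MASQUERADE
COMMIT
*filter
# Suggestion (2): default DROP everywhere, only explicit ACCEPTs get through
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:logdrop - [0:0]
# Suggestion (3): log before dropping, rate-limited so a scan cannot fill the disk
-A logdrop -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A logdrop -j DROP
# INPUT: loopback, replies to tracked connections, then what the LAN may ask the box itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i ${lan} -s ${lan_net} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i ${lan} -s ${lan_net} -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j logdrop
# FORWARD: new connections only from LAN to WAN; WAN to LAN gets replies only
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -m state --state NEW -j ACCEPT
-A FORWARD -j logdrop
# OUTPUT: the gateway's own traffic (needed because the policy is DROP)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j logdrop
COMMIT
EOF
}

# Review the generated rules with:   sh gateway.sh
# Apply them (as root) with:         sh gateway.sh | iptables-restore
# then "service iptables save" as the poster already does to keep them.
ruleset "${WAN:-eth0}" "${LAN:-eth1}" "${LAN_NET:-192.168.1.0/24}"
```

Loading with iptables-restore swaps the whole table in one step, so there is no moment where the policy is already DROP but the ACCEPT rules are not in yet; a series of single iptables commands typed over SSH has exactly that moment and can lock you out of the box. The two LAN-to-gateway INPUT rules are what keeps the gateway reachable once INPUT defaults to DROP. On the MAC match in suggestion (1): it only sees the hardware address of the last hop on the LAN segment and is set by the sender, so treat it as a tidy-up, not as authentication. The LOG lines land in the kernel log (dmesg, or /var/log/messages on a Red Hat of that era) with the FW-DROP: prefix, which answers the "how do I use that log" question: grep for the prefix and look at SRC=, DST= and DPT=.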

woranl 08-27-2003 08:46 PM

How do I know if they are an influx or not?

How do I incorporate logging, and how do I use that log?

My win2k box keeps sending packets out... and I don't know what packets it is sending... this really troubles me...

Any idea what's going on? :confused:

Robert0380 08-27-2003 11:40 PM

Windows boxes look for network shares by themselves (NetBIOS). That could be it. Or maybe some spyware.

On the gateway, you can use Ethereal to monitor packets going through the box. Ethereal will tell you the packet size, destination, source, ports and protocol.

Robert0380 08-27-2003 11:41 PM

You may find that most of these packets have a destination of 255.255.255.255 or 192.168.1.255 or something like that. Also, you can install a firewall on the Win2k box (ZoneAlarm is OK, but be careful with that one if you use it).
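Added example (written for this page, not from any poster): a quick triage of a capture taken on the gateway's LAN side, to sort the win2k box's chatter by destination. Ethereal (today's Wireshark) shows the same source, destination, port and protocol fields in its GUI; tcpdump on the gateway gives them as text, which is what this summarises. The sample lines are constructed to look like tcpdump output (NetBIOS name and datagram broadcasts on UDP 137/138, a DHCP request, a DNS query to the ISP server from the thread, and one made-up outbound TCP connection to 198.51.100.7:6667, a documentation address); they are not from the thread.

```shell
#!/bin/sh
# Added example: group a tcpdump capture by destination so broadcast chatter
# (NetBIOS, DHCP) can be told apart from a host that is calling out somewhere.
#
# Take a real capture on the gateway (as root), LAN side, client's traffic only:
#   tcpdump -n -i eth1 -l 'src host 192.168.1.2' > /tmp/win2k.txt

# Constructed sample in tcpdump's "time IP src.port > dst.port: ..." format.
SAMPLE='12:00:01.000000 IP 192.168.1.2.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:00:01.500000 IP 192.168.1.2.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
12:00:02.000000 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138)
12:00:03.000000 IP 192.168.1.2.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:50:ba:9f:3f:48, length 300
12:00:04.000000 IP 192.168.1.2.1052 > 206.47.244.101.53: 1+ A? www.yahoo.com. (31)
12:00:05.000000 IP 192.168.1.2.1053 > 198.51.100.7.6667: Flags [S], seq 1, win 16384, length 0'

# Reads tcpdump lines on stdin; prints "host:port class count", one line per
# destination. class is broadcast (x.x.x.255 or 255.255.255.255), local
# (RFC 1918 space) or external. Non-IP lines (ARP etc.) are skipped.
summarize() {
    awk '
    $2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)
        n = split(dst, p, ".")          # last dotted component is the port
        port = p[n]
        host = p[1] "." p[2] "." p[3] "." p[4]
        if (host == "255.255.255.255" || p[4] == "255") cls = "broadcast"
        else if (host ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) cls = "local"
        else cls = "external"
        count[host ":" port " " cls]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Run the sample when executed directly; use "summarize < /tmp/win2k.txt" on a real capture.
printf '%s\n' "$SAMPLE" | summarize
```

The broadcasts to 192.168.1.255 on 137/138 are the NetBIOS share-browsing Robert0380 describes; they are addressed to the LAN segment and the gateway does not forward them, so they are noise rather than a leak. The lines worth a second look are in the external bucket with a destination or port you do not recognise; that is where a host firewall on the client, or a capture filtered on that destination, goes next.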

