Old 08-24-2003, 09:07 PM   #1
woranl
Member
 
Registered: Apr 2003
Location: Toronto
Distribution: Fedora Core
Posts: 119

Rep: Reputation: 15
internet gateway problems (iptables configuration)


Seriously, I tried not to post another new thread regarding iptables... (because many threads are available here)

But even after reading all those iptables-related threads and my Linux books, I'm still having trouble configuring my iptables.

My internet gateway/firewall is connected to a router, which connects to the internet. My gateway box has an IP of 192.168.0.3 (the IP of my eth0, which connects to the router) and a static internal IP set to 192.168.1.254 (the IP of my eth1).

On my Windows 2000 client computer, I set up the following:
ip: 192.168.1.2
subnet mask: 255.255.255.0
default gateway: 192.168.1.254
preferred dns server: 206.47.244.101
alternate dns server: 198.235.216.114

This is what I did to configure my gateway:

I modified the /etc/sysctl.conf file to set net.ipv4.ip_forward=1

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --flush
iptables --flush -t nat

I haven't set any rules yet, because I want to test whether the gateway actually works or not. With this setting, the gateway should accept any IP packet coming into or going out of the network, right?

When I'm on my win2k box, I can only ping my gateway box (IP: 192.168.1.254) and my router (IP: 192.168.0.1)... I can't ping any other address.

Also, although I can ping my router (192.168.0.1), I can't go into the router setup page using a browser (http://192.168.0.1)... I can't get into that page.

*sigh* What is going on?
 
Old 08-24-2003, 10:36 PM   #2
tyler0123
Member
 
Registered: Aug 2003
Posts: 134

Rep: Reputation: 16
What does the command

route print

show on the Windows 2k box?

And what does route -n show on the Linux firewall?

Also, you may have to tell the router to use DHCP and put the DNS addresses in there.

And you may need routes in the routing tables on the router and the gateway box.

First off, connect directly to the router and see if you can get online then. Cut out the middleman. Okay, also, I will help however I can, but I need more info.
 
Old 08-24-2003, 11:18 PM   #3
woranl
Member
 
Registered: Apr 2003
Location: Toronto
Distribution: Fedora Core
Posts: 119

Original Poster
Rep: Reputation: 15
From route print on my win2k box:

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x8000003 ...00 50 ba 9f 3f 48 ...... D-Link DHN-520 10Mb Home Phoneline NIC
===========================================================================
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
            0.0.0.0          0.0.0.0    192.168.1.254      192.168.1.2       1
          127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
        192.168.1.0    255.255.255.0      192.168.1.2      192.168.1.2       1
        192.168.1.2  255.255.255.255        127.0.0.1        127.0.0.1       1
      192.168.1.255  255.255.255.255      192.168.1.2      192.168.1.2       1
          224.0.0.0        224.0.0.0      192.168.1.2      192.168.1.2       1
    255.255.255.255  255.255.255.255      192.168.1.2      192.168.1.2       1
Default Gateway:       192.168.1.254
===========================================================================
Persistent Routes:
  None


From route -n on my Linux gateway:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0


Hope you can read it... it's kind of messy (sorry)

My router is using DHCP

 
Old 08-24-2003, 11:32 PM   #4
tyler0123
Member
 
Registered: Aug 2003
Posts: 134

Rep: Reputation: 16
Can you ping internet addresses from the Linux firewall box?

The router may need a route to the inside addresses.

Also, the netmask of the lo interface, the 127.0.0.0, should be 255.0.0.0.

Just trying to throw things out there.
 
Old 08-24-2003, 11:45 PM   #5
woranl
Member
 
Registered: Apr 2003
Location: Toronto
Distribution: Fedora Core
Posts: 119

Original Poster
Rep: Reputation: 15
Yes, I can ping internet addresses from my Linux gateway with no problem. I can ping yahoo, google, etc.

"The router may need a route to the inside addresses."
Can you explain this in more detail?


How do I change the 127.0.0.0 to 255.0.0.0? In the ifcfg-lo file?
 
Old 08-25-2003, 04:20 PM   #6
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
I had similar problems, but if you use DHCP to connect the gateway (Linux box) to the remote computer (Win 2k), then this should work fine. I don't suggest you set the IP on the Win 2k machine; instead, set up the DHCP daemon (dhcpd) on the Linux box to give the Win 2k machine an IP. Try finding and reading the DHCP mini-HOWTO with Google to get more info on DHCP.

DHCP is great because it makes your life easy if you set it up correctly. If you try this and hit snags, just post and I'll help.

What confuses me most here is why you're using a router, as your Linux box does a much better job of it. I understand if you're sharing your internet with others, though.

gl,
y-p
 
Old 08-25-2003, 04:44 PM   #7
woranl
Member
 
Registered: Apr 2003
Location: Toronto
Distribution: Fedora Core
Posts: 119

Original Poster
Rep: Reputation: 15
So, what you are saying is that I should use dhcpd instead of a static IP, right? Actually, before I went to the static IP, I tried the dhcpd daemon, but I had trouble configuring the /etc/dhcpd.conf file. Can you post your dhcpd.conf file here?

Also, even if I get dhcpd working, do I still have to configure iptables?

BTW, I'm using a router because I'm living in a university residence right now and the only way I can connect to the internet is through the router. I'm going to move soon, so I want to set up my Linux gateway before I move, so that I don't have to configure my network after I move to the new place.
 
Old 08-25-2003, 07:29 PM   #8
woranl
Member
 
Registered: Apr 2003
Location: Toronto
Distribution: Fedora Core
Posts: 119

Original Poster
Rep: Reputation: 15
I DID IT !!!! YEAH !!!!

Hey guys, I did it!

I finally set up a gateway that really works....

Right now all my internal IPs are static... maybe I'll start dhcpd later (which one is better?)

I want to share this with you guys. This is what I did to my iptables configuration:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -N block
iptables -A INPUT -j block
iptables -A FORWARD -j block
iptables -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A block -i ! eth0 -m state --state NEW -j ACCEPT
iptables -A block -j DROP

service iptables save

For my win2k box:
IP: 192.168.1.2
Subnet: 255.255.255.0
Gateway: 192.168.1.254
DNS: from ISP

Any suggestions regarding my configuration?

But one thing bothers me... my win2k box keeps sending packets out even when I'm not connecting to anything (e.g. internet, file sharing, etc.). What is it sending???
 
Old 08-25-2003, 11:18 PM   #9
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
I have no idea about the Win 2k computer's behavior, but I wouldn't be too concerned if it doesn't constitute too much traffic outflow. If it's an influx of packets, then I'd be concerned. Maybe it has to do with the Win 2k client that manages the connection...

The only things I'd suggest are

(1) stronger matching rule(s) in place of

iptables -A block -i ! eth0 -m state --state NEW -j ACCEPT

like

iptables -A FORWARD -i eth1 -o eth0 -m state ! --state INVALID -m mac --mac-source <MAC of your remote computer's card> -j ACCEPT

(this matches both state NOT INVALID and the MAC of the source computer)

(2) change default policies to DROP using

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

(3) incorporate logging into your tables; this allows you to see when people send crap packets to scan you

I don't know how relevant this all is, but I try to be a nut with my firewall.

Nice job,
y-p
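An added example, not a script posted by woranl or yocompia: the ruleset from post #8 rebuilt with the three suggestions above (default DROP policies, a forward rule tied to the LAN interface, subnet and client MAC, and LOG targets ahead of the final DROP). It assumes, as in this thread, that eth0 faces the router and eth1 the 192.168.1.0/24 LAN; the MAC address is a placeholder to replace. One caveat the suggestion list does not spell out: once OUTPUT is DROP, the gateway's own traffic (DNS lookups, the pings to yahoo and google) also needs explicit rules, so the script adds them, and the LOG rules are rate-limited so a port scan cannot fill /var/log/messages.

```shell
#!/bin/sh
# Added example: post #8's gateway ruleset with post #9's three changes.
# Assumptions (not from the thread's own config): eth0 = router/Internet
# side, eth1 = LAN side, CLIENT_MAC is a placeholder you must replace.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
CLIENT_MAC="${CLIENT_MAC:-00:00:00:00:00:00}"   # placeholder MAC

# IPT is the command the rules go through. Set IPT=echo to preview the
# rules without touching the kernel (the self-check below does this).
IPT="${IPT:-iptables}"

build_ruleset() {
    # Start from empty tables, as post #8 does with --flush.
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # (2) Default-deny on all three chains. OUTPUT DROP also blocks the
    # gateway's own traffic, so explicit OUTPUT rules follow.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback, plus replies to connections that are already known.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN hosts may open connections to the gateway itself (ssh, dhcpd...).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # (1) Tighter forward rule than "-i ! eth0": LAN interface to WAN
    # interface only, from the LAN subnet, and only from the known MAC.
    # The mac match only works on the segment directly attached to eth1.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
         -m state --state NEW -m mac --mac-source "$CLIENT_MAC" -j ACCEPT

    # (3) Log what is about to be dropped, rate-limited, with a prefix
    # that is easy to grep for in /var/log/messages; then drop.
    for chain in INPUT FORWARD; do
        $IPT -A $chain -m limit --limit 5/min --limit-burst 10 \
             -j LOG --log-prefix "FW-DROP-$chain: " --log-level 4
        $IPT -A $chain -j DROP
    done

    # Masquerade LAN traffic leaving on the WAN side, as in post #8.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Sanity check used by the self-test: number of -A rules the script emits.
preview_rule_count() {
    ( IPT=echo; build_ruleset ) | grep -c -- '-A '
}

case "${1:-}" in
    apply)   build_ruleset ;;
    preview) IPT=echo; build_ruleset ;;
esac
```

Run it as `sh gateway-fw.sh preview` to see the rules, `sh gateway-fw.sh apply` on the gateway to install them, and then `service iptables save` as in post #8 so they survive a reboot. Test from the win2k box afterwards: a browser session to an outside site should still work (NEW forward from the allowed MAC), while a second LAN host with a different MAC should appear in the log as FW-DROP-FORWARD entries.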
 
Old 08-27-2003, 08:46 PM   #10
woranl
Member
 
Registered: Apr 2003
Location: Toronto
Distribution: Fedora Core
Posts: 119

Original Poster
Rep: Reputation: 15
How do I know if they are an influx or not?

How do I incorporate logging, and how do I use that log?

My win2k box keeps sending packets out... and I don't know what packets it is sending... this really troubles me...

Any idea what's going on?
 
Old 08-27-2003, 11:40 PM   #11
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
Windows boxes look for network shares by themselves (NetBIOS). That could be it. Or maybe some spyware.

On the gateway, you can use Ethereal to monitor packets going through the box. Ethereal will tell you the packet size, destination, source, ports and protocol.
 
Old 08-27-2003, 11:41 PM   #12
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
You may find that most of these packets have a destination of 255.255.255.255 or 192.168.1.255 or something like that. Also, you can install a firewall on the Win2k box (Zone Alarm is OK, but be careful with that one if you use it).
 