Old 10-05-2002, 03:43 AM   #1
X11
Member
 
Registered: Dec 2001
Location: Brisie, Australia
Distribution: Slackware 8.1
Posts: 324

Rep: Reputation: 30
Internet Issues


I'm having a problem with setting up my Cable Internet connection under Linux, all I seem to be receiving is ARP requests (I monitored the connection with Ethereal). I have a firewall (IPTables) set up (it's on the same machine that I'll be surfing with).

BTW: Here's the firewall script:
Code:
### Below is a list of pre-configuration options to get iptables setup properly. ### 

## DHCP SERVER'S IP ADDRESS
USE_DHCP=yes
DHCP_IP=?
DHCP_HNAME="C-NUMBER"

## ETHERNET INTERFACE TO THE INTERNET. DHCP ASSIGNED IP ADDRESSING - CABLE INTERNET.
INET_IP=`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e s/.*://`
BROADCAST=`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $3}' | sed -e s/.*://`

## DNS SERVER IP ADDRESSES.
DNS1_IP=?
DNS2_IP=?

## LOOPBACK INTERFACE CONFIGURATION.
LO_IP="127.0.0.1"
LO_IFACE="lo"

## LOAD ALL $IPTABLES/NETFILTER MODULES REQUIRED.
/sbin/modprobe ipt_LOG
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack

## SETUP POINTER TO THE PATH OF IPTABLES.
IPTABLES=/usr/sbin/iptables

## FLUSH ALL CHAINS (INPUT, OUTPUT, FORWARD, ETC); REMOVE ALL PRE-EXISTING
## DEFINED RULES AND ZERO THE COUNTERS. 
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

## DROP ALL INCOMING, OUTGOING AND FORWARDING PACKETS.
$IPTABLES -P INPUT DROP 
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#---------------------------------------------------------------------------------
### Below is a list of kernel flags. ###

## DISABLE RESPONSE TO BROADCASTS.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## DON'T ACCEPT SOURCE ROUTED PACKETS. 
# Attackers can use source routing to generate traffic pretending to be from inside 
# your network.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

## DISABLE ICMP REDIRECT ACCEPTANCE. 
# ICMP redirects can be used to alter your routing tables, possibly to a bad end.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

## ENABLE BAD ERROR MESSAGE PROTECTION.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

## TURN ON REVERSE PACKET FILTERING. 
# This helps make sure that packets use legitimate source addresses, by automatically 
# rejecting incoming packets if the routing table entry for their source address 
# doesn't match the network interface they're arriving on.
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
   /bin/echo "1" > ${interface}
done

## ENABLE DHCP SUPPORT.
/bin/echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#----------------------------------------------------------------------------------

## STOP INCOMING PACKETS WITHOUT SYN FLAG SET - THIS IS USED TO STOP EXPLOITING CONNECTION TRACKING
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New connection no syn-flag " 
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

## STOP INCOMING PACKETS THAT HAVE NO ESTABLISHED OR RELATED CONNECTION.
$IPTABLES -A INPUT -i eth1 -m state --state NEW,INVALID -j LOG --log-prefix "NEW/INVALID connection "
$IPTABLES -A INPUT -i eth1 -m state --state NEW,INVALID -j DROP

## ACCEPT CERTAIN INCOMING ICMP PACKET TYPES.
$IPTABLES -A OUTPUT -o eth1 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type address-mask-reply -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type required-option-missing -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type ip-header-bad -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type source-route-failed -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type network-unknown -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p icmp --icmp-type echo-reply -j ACCEPT

## DNS.
$IPTABLES -A INPUT -i eth1 -s $DNS1_IP -p udp -m udp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -s $DNS2_IP -p udp -m udp --sport 53 -j ACCEPT

## DHCP.
#$IPTABLES -A INPUT -i eth1 -s $DHCP_IP -p udp -m udp --sport 67 --dport 68 -j ACCEPT

## ACTIVE FTP.
#$IPTABLES -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i eth1 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

## PASSIVE FTP.
#$IPTABLES -A INPUT -i eth1 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT -i eth1 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

## HTTP/HTTPS.
# Allow http outbound to 80.
$IPTABLES -A INPUT -i eth1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow https outbound to 443.
$IPTABLES -A INPUT -i eth1 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

## SMTP.
# Allow smtp outbound.
$IPTABLES -A INPUT -i eth1 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

## POP 3.
$IPTABLES -A INPUT -i eth1 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

## SYN-FLOOD PROTECTION.
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT

## DROP NASTY FLAGS.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "BADFLAG! L1 "
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "BADFLAG! L2 "
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "BADFLAG! L3 "
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "BADFLAG! L4 "
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "BADFLAG! L5 "
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

## STEALTH PORT SCANNER PROTECTION.
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

## FRAGMENTS.
$IPTABLES -A INPUT -i eth1 -f -j LOG --log-prefix "IPTABLES FRAGMENTS "
$IPTABLES -A INPUT -i eth1 -f -j DROP

## PING OF DEATH PROTECTION.
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

## SAFETY BARRIER RULES
$IPTABLES -A INPUT -i eth1 -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
$IPTABLES -A INPUT -i eth1 -j DROP
$IPTABLES -A OUTPUT -o eth1 -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
$IPTABLES -A OUTPUT -o eth1 -j DROP
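
Added example, not part of the original post: with OUTPUT set to DROP, every reply accepted on INPUT by source port needs a matching request rule on OUTPUT by destination port, and the script above accepts DNS replies (`--sport 53`) without any OUTPUT rule for `--dport 53`. The sketch below audits a rules file for such gaps; the function name `unpaired_replies` and the sample variable are constructed here, and the sample rules are copied from the script above.

```shell
#!/bin/sh
# Added example: report "proto/port" for every INPUT ACCEPT rule matching on
# --sport N that has no OUTPUT ACCEPT rule with the same protocol and --dport N.

# Constructed sample: a subset of the rules from the posted firewall script.
SAMPLE_RULES='$IPTABLES -P OUTPUT DROP
$IPTABLES -A OUTPUT -o eth1 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i eth1 -s $DNS1_IP -p udp -m udp --sport 53 -j ACCEPT
#$IPTABLES -A INPUT -i eth1 -s $DHCP_IP -p udp -m udp --sport 67 --dport 68 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -j DROP'

# Reads iptables command lines on stdin, prints unpaired proto/port, sorted.
unpaired_replies() {
  awk '
    /^[ \t]*#/ { next }                 # commented-out rules are not loaded
    {
      chain = proto = sport = dport = target = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-A")      chain  = $(i + 1)
        if ($i == "-p")      proto  = $(i + 1)
        if ($i == "--sport") sport  = $(i + 1)
        if ($i == "--dport") dport  = $(i + 1)
        if ($i == "-j")      target = $(i + 1)
      }
      if (target != "ACCEPT") next      # LOG/DROP rules and -P lines do not count
      if (chain == "OUTPUT" && dport != "") out_rule[proto "/" dport] = 1
      if (chain == "INPUT"  && sport != "") in_rule[proto "/" sport] = 1
    }
    END { for (k in in_rule) if (!(k in out_rule)) print k }
  ' | sort
}

# Run against the sample; prints udp/53
printf '%s\n' "$SAMPLE_RULES" | unpaired_replies
```

The check pairs only explicit port rules, so an OUTPUT rule that accepts a whole protocol or relies on connection state without `--dport` is not recognised as a match.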
 
Old 10-05-2002, 03:47 AM   #2
X11
Member
 
Registered: Dec 2001
Location: Brisie, Australia
Distribution: Slackware 8.1
Posts: 324

Original Poster
Rep: Reputation: 30
Also, here's the IP Address Request script:

I ripped this off from one of the Slackware scripts

Code:
#! /bin/sh

# Edit these values to set up your first Ethernet card (eth1):
IPADDR="127.0.0.1"  # REPLACE with YOUR IP address!
NETMASK="255.255.255.0"	# REPLACE with YOUR netmask!
# Or, uncomment the following lines to set up eth1 using DHCP:
USE_DHCP=yes
# If your provider requires a DHCP hostname, uncomment and edit below:
DHCP_HOSTNAME="C-NUMBER" 

# Edit the next line to point to your gateway:
#GATEWAY="GATEWAY_IP" # REPLACE with YOUR gateway

# Set up the eth1 interface:
if [ "$USE_DHCP" = "yes" ]; then # use DHCP to set everything up:
  echo "Attempting to configure eth1 by contacting a DHCP server..."
  # Add the -h option to the DHCP hostname:
  if [ ! "$DHCP_HOSTNAME" = "" ]; then
    DHCP_HOSTNAME="-h $DHCP_HOSTNAME"
  fi
  /sbin/dhcpcd -t 4 ${DHCP_HOSTNAME} -d eth1
elif [ ! "$IPADDR" = "127.0.0.1" -a ! "$IPADDR" = "" ]; then # set up IP statically:
  # Determine broadcast and network addresses from the IP address and netmask:
  BROADCAST=`/bin/ipmask $NETMASK $IPADDR | cut -f 1 -d ' '`
  NETWORK=`/bin/ipmask $NETMASK $IPADDR | cut -f 2 -d ' '`
  # Set up the ethernet card:
  echo "Configuring eth1:"
  echo "ifconfig eth1 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}"
  /sbin/ifconfig eth1 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}
  # If that didn't succeed, give the system administrator some hints:
  if [ ! $? = 0 ]; then
    echo "Your eth1 card was not initialized properly.  Here are some reasons why this"
    echo "may have happened, and the solutions:"
    echo "1. Your kernel does not contain support for your card.  Including all the"
    echo "   network drivers in a Linux kernel can make it too large to even boot, and"
    echo "   sometimes including extra drivers can cause system hangs.  To support your"
    echo "   ethernet, either edit /etc/rc.d/rc.modules to load the support at boot time,"
    echo "   or compile and install a kernel that contains support."
    echo "2. You don't have an ethernet card, in which case you should run netconfig"
    echo "   and configure your machine for loopback. (Unless you don't mind seeing this"
    echo "   error...)"
  fi
fi # set up eth1

# End of IP_Address-Request.sh
Thanks a LOT!!
 
Old 10-07-2002, 01:10 AM   #3
X11
Member
 
Registered: Dec 2001
Location: Brisie, Australia
Distribution: Slackware 8.1
Posts: 324

Original Poster
Rep: Reputation: 30
So no-one has any ideas??

If anyone needs any more info I'd be more than happy to give it to you.

Thanks.
 
  

