Linux - Networking (LinuxQuestions.org)
you can test the wall by adding a LOG rule to the end of the FORWARD chain and then monitoring the logfile when you attempt to SSH to the outside from within the LAN...
Quote:
Originally posted by fei
Just realised the "echo 1 > /proc/sys/net/ipv4/ip_forward" didn't work in the rc.firewall script; I had to type it at the command prompt to enable ip_forward.
are you using slackware?? let me know if you are...
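The LOG-rule test suggested above produces kernel log lines that are tedious to read by hand. The following is an added example (not code from either poster) that parses such lines and answers the question the test is meant to answer: did the LAN host's SSH SYNs reach the FORWARD chain on their way to eth2, and did anything come back? The sample lines are constructed; the interface names eth0/eth2 match the script in this thread, while the "FORWARD:" text assumes the LOG rule was added with --log-prefix "FORWARD: ".

```python
import re
from collections import Counter

# Constructed syslog-style sample of what `iptables -j LOG` writes. The hostname
# "ralph", the addresses, ports and timestamps are made up for this example.
SAMPLE_LOG = """\
Mar  3 21:14:02 ralph kernel: FORWARD: IN=eth0 OUT=eth2 SRC=192.168.1.10 DST=172.16.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 21:14:02 ralph kernel: FORWARD: IN=eth2 OUT=eth0 SRC=172.16.0.2 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=22 DPT=40122 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  3 21:14:05 ralph kernel: FORWARD: IN=eth0 OUT=eth2 SRC=192.168.1.10 DST=172.16.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 21:14:06 ralph kernel: FORWARD: IN=eth0 OUT=eth2 SRC=192.168.1.11 DST=172.16.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_START = re.compile(r"\bIN=")


def parse_log_line(line):
    """Turn one LOG line into a dict of KEY=value fields plus a 'flags' set
    (bare tokens such as DF, SYN, ACK) and the log prefix. Returns None for
    lines that are not iptables LOG output."""
    m = KV_START.search(line)
    if not m:
        return None
    head, body = line[:m.start()], line[m.start():]
    prefix = head.split("kernel:", 1)[1].strip() if "kernel:" in head else ""
    rec = {"prefix": prefix, "flags": set()}
    for tok in body.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v   # a repeated key (ICMP ID after the IP ID) keeps the last value
        else:
            rec["flags"].add(tok)
    return rec


def summarize_ssh(lines, lan_if="eth0", wan_if="eth2"):
    """Count new SSH attempts (TCP SYN without ACK) the FORWARD chain saw going
    from the LAN interface to the Internet interface, and the TCP flag sets of
    any port-22 replies seen coming back the other way."""
    attempts, replies = Counter(), Counter()
    for line in lines:
        rec = parse_log_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        flags = rec["flags"] & TCP_FLAGS
        if rec.get("IN") == lan_if and rec.get("OUT") == wan_if and rec.get("DPT") == "22":
            if "SYN" in flags and "ACK" not in flags:
                attempts[(rec["SRC"], rec["DST"])] += 1
        elif rec.get("IN") == wan_if and rec.get("OUT") == lan_if and rec.get("SPT") == "22":
            replies[",".join(sorted(flags))] += 1
    return {"new_ssh_attempts": attempts, "ssh_replies": replies}


def verdict(summary):
    """One-line reading of the summary from the firewall admin's side."""
    attempts = sum(summary["new_ssh_attempts"].values())
    replies = summary["ssh_replies"]
    if attempts == 0:
        return "no new SSH attempts from the LAN reached the FORWARD chain: look at the client or routing, not the wall"
    if any("RST" in k.split(",") for k in replies):
        return "remote host answered with RST: the SYN left the wall, the port is closed or rejected at the destination"
    if "ACK,SYN" in replies:
        return "SSH handshake is passing the FORWARD chain in both directions"
    return "SYNs reach the FORWARD chain but nothing comes back: the wall or the remote host is dropping"


if __name__ == "__main__":
    s = summarize_ssh(SAMPLE_LOG.splitlines())
    print(s["new_ssh_attempts"], s["ssh_replies"])
    print(verdict(s))
```

Note that a LOG rule only records the packet; it neither accepts nor drops it, so a logged SYN followed by silence means either the FORWARD policy dropped it after logging or the remote host never answered, which is exactly the ambiguity the RST reply in the sample resolves.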
Quote:
After that, the output of ssh 172.16.0.2 is:
ssh: connect to host 172.16.0.2 port 22: Connection refused
this means you are getting a REJECT from 172.16.0.2, and since the policy on the wall is DROP it would seem the packet isn't getting stopped by the wall but by whatever is at 172.16.0.2, which would be beyond me... if the wall was giving a DROP to the 22/TCP packets then you'd get a "Connection timed out" instead of a "Connection refused" AFAIK...
Quote:
have any idea what's wrong?
not yet, i'm looking at the output you just posted...
Quote:
Originally posted by fei
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             to:172.16.0.1
SNAT       all  --  anywhere             anywhere             to:192.168.1.1
SNAT       all  --  anywhere             anywhere             to:172.16.0.1
SNAT       all  --  anywhere             anywhere             to:172.16.0.1
SNAT       all  --  anywhere             anywhere             to:172.16.0.1
there shouldn't be multiple "172.16.0.1" lines here... but mainly i'm boggled by the "192.168.1.1" in your POSTROUTING chain... it doesn't make any sense, AFAIK...
i'd like to look at your rc.firewall to see what's going on here...
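The "Connection refused" versus "Connection timed out" reading above can be checked from the client side programmatically. This is an added example, not code from the thread: it maps the errno of a failed TCP connect() to what the firewall admin can conclude, and includes a self-test against a loopback port nothing listens on (the 'refused' case). The DIAGNOSIS wording is the author's own summary of standard TCP/ICMP behaviour.

```python
import errno
import socket

# What each connect() failure tells the firewall admin. A REJECT rule (ICMP
# port-unreachable or a TCP RST) surfaces as ECONNREFUSED; a DROP rule, which
# answers nothing, surfaces as a timeout.
DIAGNOSIS = {
    errno.ECONNREFUSED: "refused: a TCP RST or ICMP port-unreachable came back, so the path and host are reachable; nothing listens on that port or a REJECT rule answered. A DROP rule cannot produce this.",
    errno.ETIMEDOUT: "timed out: no reply at all, which is what a DROP rule or policy, a black-holed route or a dead host looks like.",
    errno.EHOSTUNREACH: "host unreachable: an ICMP host-unreachable arrived or there is no route; check routing before blaming the wall.",
    errno.ENETUNREACH: "network unreachable: this host has no route to that network.",
}

CONNECTION_REFUSED = errno.ECONNREFUSED
TIMED_OUT = errno.ETIMEDOUT


def classify_errno(code):
    """Explain an errno from connect(); unknown codes are reported by name."""
    if code in DIAGNOSIS:
        return DIAGNOSIS[code]
    return "other error: errno %r (%s)" % (code, errno.errorcode.get(code, "?"))


def diagnose_connect(host, port, timeout=3.0):
    """Try one TCP connect and return (errno or None, explanation)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return None, "connected: the port is open and the path is allowed"
    except socket.timeout:
        # caught before OSError because a timeout carries no usable errno
        return TIMED_OUT, classify_errno(TIMED_OUT)
    except OSError as e:
        return e.errno, classify_errno(e.errno)
    finally:
        s.close()


def free_local_port():
    """A loopback port nothing listens on, to exercise the 'refused' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    code, why = diagnose_connect("127.0.0.1", free_local_port())
    print(code, why)
```

Run it against the real target (for example diagnose_connect("172.16.0.2", 22)) from a LAN host and the verdict separates "the wall dropped it" from "the far end said no" without guessing.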
#!/bin/sh
# Abort execution on error
set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# You can use this version if you don't want logging
#IPTABLES="/sbin/iptables"
# Use this version to log firewall startup output
IPTABLES=iptables_log
fwlog=/var/log/firewall_start.log

# Clear out the contents of the log file
> $fwlog

iptables_log() {
    # Append IPTables command (arguments) to the log
    echo "$*" >> $fwlog
    # Run the command and log any output ("$@" keeps each argument intact)
    /usr/sbin/iptables "$@" 2>&1 | tee -a $fwlog
}

# You should always refer to useful names. It eases verification.
EthernetIface=eth0
WirelessIface=eth1
InternetIface=eth2

# IP range
EthernetIPs="192.168.1.1/24"
WirelessIPs="192.168.2.1/24"
InternetIPs="172.16.0.1/30"

#
# Bring up the firewall
#
start() {
    # Flush the chains
    $IPTABLES -F
    $IPTABLES -X

    # Turn on packet forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # Accept lo interface always
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Set default policies for major chains
    # TODO Are these suitable policies?
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    # accept icmp, so ping can work
    $IPTABLES -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Ethernet to Internet -> This is FORWARDING using nat
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j LOG
    $IPTABLES -A FORWARD -p TCP -i eth0 -o eth2 --dport 22 -s 192.168.1.1/24 -m state --state NEW -j LOG
    $IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.16.0.1

    # Ethernet to Router
    # allow DHCP from Ethernet to Ralph
    $IPTABLES -A INPUT -i $EthernetIface -p udp -d 192.168.1.1 --dport 67:68 -j ACCEPT
    # allow DHCP from Ralph to Ethernet
    $IPTABLES -A OUTPUT -o $EthernetIface -p udp -s 192.168.1.1 --sport 67:68 -j ACCEPT
    # allow DNS from Ethernet to Ralph
    $IPTABLES -A INPUT -i $EthernetIface -p udp -d 192.168.1.1 --dport 53 -j ACCEPT
    # allow DNS from Ralph to Ethernet
    $IPTABLES -A OUTPUT -o $EthernetIface -p udp -s 192.168.1.1 --sport 53 -j ACCEPT
    # allow ssh from ralf to client1
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --sport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --dport 22 -j ACCEPT
    # allow ssh from client1 to ralf
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --sport 22 -j ACCEPT
    # allow www from client1 to ralf
    $IPTABLES -A INPUT -i $EthernetIface -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A OUTPUT -o $EthernetIface -p tcp --sport 80 -j ACCEPT

    # Set up NAT - SNAT outgoing connections
    # TODO

    # Port forwarding - DNAT incoming connections
    # TODO

    # Set up connection tracking
    # TODO

    # Create chains
    # TODO

    # Link chains together
    # TODO

    # Fill in each chain
    # TODO

    # FORWARD chain
    echo 0 > /proc/sys/net/ipv4/ip_forward
    $IPTABLES -A FORWARD -j REJECT
    $IPTABLES -P FORWARD DROP
}

#
# Take down the firewall, throwing the system wide open
#
stop() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

case "$1" in
    start|restart)
        echo -n "Starting IPTables firewall"
        start
        echo "."
        ;;
    stop)
        echo -n "Stopping IPTables firewall"
        stop
        echo "."
        ;;
    *)
        echo "Usage: /etc/rc.d/rc.firewall {start|stop|restart}" >&2
        exit 1
        ;;
esac

exit 0
Quote:
Originally posted by win32sux
there shouldn't be multiple "172.16.0.1" lines here... but mainly i'm boggled by the "192.168.1.1" in your POSTROUTING chain... it doesn't make any sense, AFAIK...
i'd like to look at your rc.firewall to see what's going on here...
Actually, to remove the multiple "172.16.0.1" lines, I need to flush the nat table every time I start the firewall again. so is:
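The duplicate POSTROUTING entries come from the fact that `iptables -F` and `iptables -X` without `-t nat` touch only the filter table, so every `start` appends another SNAT rule to a nat table that was never cleared. The following added example (not code from the thread) parses an `iptables -t nat -L POSTROUTING` listing of the shape quoted above and reports both symptoms: rules that occur more than once, and SNAT rules whose --to-source is not the address of the Internet-facing interface. The listing is constructed to mirror the one in the thread; the expected address 172.16.0.1 is the one from the script.

```python
import re
from collections import Counter

# Constructed listing in the shape `iptables -t nat -L POSTROUTING` prints
# (without -n -v, so interfaces are not shown and hosts appear as "anywhere").
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             to:172.16.0.1
SNAT       all  --  anywhere             anywhere             to:192.168.1.1
SNAT       all  --  anywhere             anywhere             to:172.16.0.1
SNAT       all  --  anywhere             anywhere             to:172.16.0.1
SNAT       all  --  anywhere             anywhere             to:172.16.0.1
"""

HEADER_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")


def parse_chain_listing(text):
    """Parse one chain from `iptables -L` output into (chain, policy, rules).
    Each rule is a dict of the five fixed columns plus 'extra' (target
    options such as to:ADDR, or match text when present)."""
    chain = policy = None
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            chain, policy = m.group(1), m.group(2)
            continue
        if not line.strip() or line.startswith("target"):
            continue  # blank line or the column header
        cols = line.split(None, 5)  # target prot opt source destination [extra]
        if len(cols) < 5:
            continue
        rule = dict(zip(("target", "prot", "opt", "source", "destination"), cols[:5]))
        rule["extra"] = cols[5] if len(cols) > 5 else ""
        rules.append(rule)
    return chain, policy, rules


def audit_snat(rules, expected_source):
    """Report rules listed more than once (the script re-run without
    `iptables -t nat -F`) and SNAT rules mapping to an address other than
    the one on the Internet-facing interface."""
    def key(r):
        return (r["target"], r["prot"], r["opt"], r["source"], r["destination"], r["extra"])

    counts = Counter(key(r) for r in rules)
    duplicates = {k: n for k, n in counts.items() if n > 1}
    unexpected = []
    for r in rules:
        if r["target"] == "SNAT":
            m = re.search(r"to:(\S+)", r["extra"])
            if m and m.group(1) != expected_source:
                unexpected.append(m.group(1))
    return {"duplicates": duplicates, "unexpected_snat_sources": unexpected}


if __name__ == "__main__":
    chain, policy, rules = parse_chain_listing(SAMPLE_LISTING)
    print(chain, policy, len(rules), "rules")
    print(audit_snat(rules, "172.16.0.1"))
```

Feed it the output of `iptables -t nat -L POSTROUTING` after each restart; once the start function also clears the nat table, the duplicates entry should come back empty. Listing with `-n -v` additionally shows the in/out interface of each rule, which is what tells a stray `-o eth0` SNAT apart from the intended `-o eth2` one.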
i had missed the ESTABLISHED,RELATED rule in the FORWARD chain of the script i just posted and i just added it so please make sure you are using the latest one when you try...