LinuxQuestions.org
Old 04-08-2003, 06:51 PM   #1
devscripts
LQ Newbie
 
Registered: Apr 2003
Posts: 1

Rep: Reputation: 0
Unhappy IPTables and a failing forwarding


OK here's the setup I've got:

Linux PC (Router)
ppp0 - Connected to Internet (81.86.something)
eth0 - Internal Network (192.169.0.3)

Linux Laptop
eth0 - Internal Network (192.168.0.2)
gateway 192.168.0.3

Windows XP
eth0 - Internal Network (192.168.0.1)
gateway 192.168.0.3

OK, I've set up the PCs via a hub. All PCs can see and ping each other.

The Linux PC can access the web, ping external IPs and resolve domain names.

Linux Laptop and XP can ping internally but not externally.

I've borrowed a rc.firewall script off a mate who has a similar setup and it's working perfectly, but my forwarding isn't working for some reason.

Here's the output when I do iptables -L

Code:
[root@linux etc]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.0.0.0/8          anywhere
drop-log   all  --  192.0.0.0/8          anywhere
ICMP_FILTER  icmp --  anywhere             81-86-114-166.dsl.pipex.com
ACCEPT     all  --  anywhere             81-86-114-166.dsl.pipex.com  state RELATED,ESTABLISHED
SERVICES   all  --  anywhere             anywhere
TRUSTED    all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere             anywhere           udp spt:bootpc dpt:bootps
drop-log   all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
drop-log   all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  81-86-114-166.dsl.pipex.com  192.0.0.0/8
ACCEPT     all  --  192.0.0.0/8          192.0.0.0/8
drop-log   all  --  anywhere             192.0.0.0/8
ACCEPT     all  --  81-86-114-166.dsl.pipex.com  anywhere
ACCEPT     tcp  --  192.0.0.0/8          255.255.255.255    tcp spt:bootps dpt:bootpc
ACCEPT     udp  --  192.0.0.0/8          255.255.255.255    udp spt:bootps dpt:bootpc
drop-log   all  --  anywhere             anywhere

Chain ICMP_FILTER (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere           icmp echo-request limit: avg 2/sec burst 5
REJECT     icmp --  anywhere             anywhere           icmp echo-request reject-with icmp-port-unreachable
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere           icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere           icmp time-exceeded

Chain SERVICES (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:imap3
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere           udp dpt:pop3
ACCEPT     udp  --  anywhere             anywhere           udp dpt:pop3s
ACCEPT     udp  --  anywhere             anywhere           udp dpt:imap
ACCEPT     udp  --  anywhere             anywhere           udp dpt:imap3
ACCEPT     udp  --  anywhere             anywhere           udp dpt:imaps
ACCEPT     udp  --  anywhere             anywhere           udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ntp
REJECT     tcp  --  anywhere             anywhere           tcp dpt:auth reject-with tcp-reset
ACCEPT     udp  --  anywhere             anywhere           udp dpts:1025:65535
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ntp

Chain TRUSTED (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       anywhere

Chain drop-log (5 references)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere           udp dpts:netbios-ns:netbios-dgm
LOG        all  --  anywhere             anywhere           LOG level info
DROP       all  --  anywhere             anywhere
Dunno if that helps, but it might show you guys why it's not working lol

Anyone got any ideas on how I can get my internal network on the internet?

Any ideas gratefully received.
 
Old 04-08-2003, 09:00 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
You're going to need to set up IP masquerading. There are some how-tos here:
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO
http://www.netfilter.org

But you're going to need to add a couple of lines to iptables.
In the nat table add:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

In the filter table, take out that universal forwarding line and add:
iptables -A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

Make sure to set the default policies for the postrouting and forward chains like:
iptables -P FORWARD DROP
iptables -P POSTROUTING DROP

Also, unless I'm reading your iptables rules wrong, your INPUT chain is wide open. The first rule listed in INPUT is allowing everything through, which is not recommended. You might want to rework your rules so that you're allowing only the traffic you want.

HTH

Last edited by Capt_Caveman; 04-08-2003 at 09:08 PM.
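The masquerading setup described in the reply above, written out as a small added script (not the poster's rc.firewall, nor the script borrowed from the mate). It assumes the thread's topology: ppp0 is the internet link, eth0 the LAN, and the LAN is 192.168.0.0/24. It tightens the reply's FORWARD rule by restricting it to the LAN source prefix, also turns on kernel forwarding (which iptables rules alone do not do), and leaves the nat POSTROUTING policy at its default ACCEPT, since the nat table only sees the first packet of each connection and is not where filtering belongs; FORWARD does that.

```shell
#!/bin/sh
# Added example: minimal NAT + forwarding for a two-interface Linux router.
# Interface names and LAN prefix are assumptions for this thread's setup.
EXT_IF="${EXT_IF:-ppp0}"          # internet-facing link
INT_IF="${INT_IF:-eth0}"          # LAN link
LAN="${LAN:-192.168.0.0/24}"      # LAN prefix (laptop and XP box live here)

# Emit the iptables commands rather than running them, so the rule set can be
# reviewed (or tested) before it touches a live firewall.
nat_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
EOF
}

# Rules do nothing until the kernel is told to route between interfaces.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# The three conditions that must all hold for LAN hosts to reach the internet.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] || { echo "ip_forward is off"; return 1; }
    iptables -t nat -S POSTROUTING | grep -q MASQUERADE || { echo "no MASQUERADE rule"; return 1; }
    iptables -S FORWARD | grep -q -- "-i $INT_IF -o $EXT_IF" || { echo "no LAN->internet FORWARD rule"; return 1; }
    echo "forwarding looks configured"
}

case "${1:-}" in
    apply) enable_forwarding && nat_rules | sh -e && check_forwarding ;;
    check) check_forwarding ;;
    *)     nat_rules ;;   # default: dry run, just print the rules
esac
```

Run it with no argument to see the rules, `apply` as root to install them, and `check` afterwards to confirm all three pieces are in place.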