Linux - Networking (LinuxQuestions.org forum)
08-13-2003, 10:43 PM | #1 | LQ Newbie (Registered: Aug 2003; Location: Brasil - São Paulo; Distribution: Redhat - FreeBSD - OpenBSD; Posts: 10)
IPTABLES doesn't work!!! help...
I already installed Red Hat 9 and want to share my connection with one more computer, but it doesn't work!! Help me find a solution..
I start with these options:
eth0 (RTK 8139) --> dhcp
eth1 (RTK 8139) --> static 192.168.0.1
Everything ok... I can use the internet normally!
$echo 1 > /proc/sys/net/ipv4/ip_forward
$/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
$/etc/init.d/iptables restart
$/etc/init.d/iptables save
$/etc/init.d/iptables status
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 192.168.0.0/24 anywhere
I can ping my client (Windows XP):
ip: 192.168.0.2
gateway: 192.168.0.1
netmask: 255.255.255.0
ps.: with the DNS of my server configured!
$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=128 time=0.564 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=128 time=0.352 ms
My client (Windows XP) doesn't access the internet. WHY??
08-13-2003, 11:13 PM | #2 | Senior Member (Registered: Feb 2001; Location: Montreal, Quebec, Canada; Distribution: RedHat, Fedora, CentOS, SUSE; Posts: 1,403)
In order for IP forwarding to be activated automatically when the system boots up, edit the file /etc/sysctl.conf and on the line net.ipv4.ip_forward = 0, change 0 to 1.
Code:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Make sure the FORWARD policy is set to ACCEPT.
You can view your iptables rules by typing:
You can also take a look at this post.
http://www.linuxquestions.org/questi...351#post395351
08-13-2003, 11:24 PM | #3 | LQ Newbie, Original Poster (Registered: Aug 2003; Location: Brasil - São Paulo; Distribution: Redhat - FreeBSD - OpenBSD; Posts: 10)
How can I set FORWARD...
$/sbin/iptables -L
Chain FORWARD (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
OH GOD..
The policy is DROP, I think it's wrong... how can I change this???
I tried this..
/sbin/iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
but...
$/sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
The policy for FORWARD is still DROP??
And is this INPUT policy ACCEPT bad??
08-13-2003, 11:50 PM | #4 | Senior Member (Registered: Feb 2001; Location: Montreal, Quebec, Canada; Distribution: RedHat, Fedora, CentOS, SUSE; Posts: 1,403)
To set FORWARD to accept, type:
Code:
iptables -P FORWARD ACCEPT
To set up basic IP forwarding and masquerading for your network, take a look at this post.
http://www.linuxquestions.org/questi...351#post395351
08-13-2003, 11:58 PM | #5 | LQ Newbie, Original Poster (Registered: Aug 2003; Location: Brasil - São Paulo; Distribution: Redhat - FreeBSD - OpenBSD; Posts: 10)
Doesn't work yet!! :-(
#/sbin/iptables -P FORWARD ACCEPT
/etc/init.d/iptables restart
#/sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- ns2.papalegua.com.br anywhere udp spt:domain dpts:1025:65535
ACCEPT udp -- ns1.papalegua.com.br anywhere udp spt:domain dpts:1025:65535
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
That's all the output... I tested my client and it doesn't work yet!! shit!! I have used iptables on Red Hat 8 a million times and it works!! Maybe I did something wrong?? I don't know.. it's making me crazy!!
08-14-2003, 12:17 AM | #6 | Senior Member (Registered: Feb 2001; Location: Montreal, Quebec, Canada; Distribution: RedHat, Fedora, CentOS, SUSE; Posts: 1,403)
Can Windows XP ping Linux?
It may be a routing issue.
You can take a look at the routing table.
08-14-2003, 07:58 AM | #7 | Member (Registered: Jul 2003; Location: Stockholm, Sweden; Distribution: RH9; Posts: 37)
Hi,
Could you post the result of "iptables -t nat -L"?
In general, what you need to do to make it work is the following...
1. set all policies to ACCEPT (Q'n'D solution)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
2. masquerade everything everywhere...
iptables -t nat -A POSTROUTING -j MASQUERADE
3. enable forwarding...
echo 1 > /proc/sys/net/ipv4/ip_forward
And of course your machine needs to have the right DNS, gateway and so on...
Regards
Jonas
Quote:
> ACCEPT all -- 192.168.0.0/24 anywhere
When you put this in your FORWARD chain it will enable everything from the 192.168.0.0 network to get out, but it will not let anything back in...
You need to put this in your FORWARD chain...
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This will enable packets of already established connections to get back to your internal network... (i.e. an echo-reply...)
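The three steps above plus the ESTABLISHED,RELATED rule, assembled into one ruleset. This is an added example, not code from the thread or from Red Hat: it assumes, as in the original post, that eth0 faces the ISP and eth1 carries 192.168.0.0/24, and it keeps the INPUT and FORWARD policies at DROP instead of the quick-and-dirty ACCEPT, binding every rule to an interface and to the LAN prefix. The function names nat_gateway_rules and apply_nat_gateway are chosen here.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a two-interface NAT gateway.
# Assumed layout (from the thread, not verified here): eth0 = WAN side (DHCP),
# eth1 = LAN side carrying 192.168.0.0/24.

# nat_gateway_rules WAN_IF LAN_IF LAN_CIDR  -> prints the ruleset on stdout
nat_gateway_rules() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to sessions the gateway itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the LAN may reach services on the gateway (DNS, SSH); the WAN side falls to the DROP policy
-A INPUT -i $lan -s $lan_net -j ACCEPT
# order matters: replies and related traffic (ICMP errors, FTP data) are matched first ...
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ... then only the LAN prefix, arriving on the LAN interface, may open sessions towards the WAN
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
# anything else asking to be forwarded (spoofed sources, WAN-initiated) is logged, then dropped
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rewrite LAN sources to the WAN address; pinned to the LAN prefix and the WAN interface,
# unlike a bare "-j MASQUERADE", which also rewrites traffic leaving on the LAN interface
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
EOF
}

# apply_nat_gateway WAN_IF LAN_IF LAN_CIDR: forwarding on, atomic rule replace, then save.
# Defined only; it needs root and a Red Hat 9-style iptables initscript.
apply_nat_gateway() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # runtime; also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf
    nat_gateway_rules "$@" | iptables-restore     # replaces every table at once: no older rules left ahead of these
    service iptables save                         # persist BEFORE any "service iptables restart"
}

# Print the ruleset for the thread's layout (override with WAN=, LAN=, LAN_NET=).
nat_gateway_rules "${WAN:-eth0}" "${LAN:-eth1}" "${LAN_NET:-192.168.0.0/24}"
```

Run as root with apply_nat_gateway eth0 eth1 192.168.0.0/24. Because iptables-restore loads the whole text atomically, nothing that was in the chains beforehand survives ahead of these rules, and the save happens before any restart so the restart cannot reload a stale set. Check the result with iptables -nvL FORWARD --line-numbers and iptables -t nat -nvL POSTROUTING: the counters on the FORWARD ACCEPT rules and on the MASQUERADE rule should climb while the client browses.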
08-14-2003, 10:46 AM | #8 | Newbie (Registered: Aug 2003; Location: Toronto, Canada; Distribution: RedHat; Posts: 13)
I'm brand new, but I have read some iptables stuff, and my impression is that the policy is supposed to be DROP and then you let in what you want, and if it doesn't match the criteria then it is dropped.
08-14-2003, 11:36 AM | #9 | Senior Member (Registered: Feb 2001; Location: Montreal, Quebec, Canada; Distribution: RedHat, Fedora, CentOS, SUSE; Posts: 1,403)
Yes.
But in this case, we are trying to debug the network.
By setting the three main chains to ACCEPT and leaving the Masquerade, we know that iptables is not the problem.
By the way, saruman666, if you have not found the problem,
I suggest flushing all the rules, setting the three main chains to ACCEPT and leaving only the Masquerade;
if the internet sharing does not work, then the problem is not with iptables.
08-14-2003, 12:25 PM | #10 | LQ Newbie, Original Poster (Registered: Aug 2003; Location: Brasil - São Paulo; Distribution: Redhat - FreeBSD - OpenBSD; Posts: 10)
Sorry for my big delay but I had to sleep to work in the morning.... now I'm on my lunch break... so.... I will begin where I stopped... about route -n...
Yes, I can ping the gateway from the client (WinXP)
/sbin/route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
200.210.122.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 200.210.122.1 0.0.0.0 UG 0 0 0 eth0
[root@phoenix phoenix]# /sbin/iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
After applying these commands:
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD ACCEPT
/sbin/iptables-save
# Generated by iptables-save v1.2.7a on Thu Aug 14 13:04:33 2003
*filter
:INPUT ACCEPT [199:14160]
:FORWARD ACCEPT [3:216]
:OUTPUT ACCEPT [243:16515]
COMMIT
# Completed on Thu Aug 14 13:04:33 2003
# Generated by iptables-save v1.2.7a on Thu Aug 14 13:04:33 2003
*nat
:PREROUTING ACCEPT [3:216]
:POSTROUTING ACCEPT [11:703]
:OUTPUT ACCEPT [8:487]
COMMIT
# Completed on Thu Aug 14 13:04:33 2003
And this can be helpful...
/etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I accept everything above!
So.. the last thing that I do is:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I tested and it's not working yet!! :-(
I will try to do something more...
Maybe this:
> By the way, saruman666 if you have not found the problem.
> I suggest flushing all the rules, setting the three main chains to ACCEPT and leaving only the Masquerade,
> if the internet sharing does not work, then the problem is not with iptables.
08-14-2003, 02:39 PM | #11 | Senior Member (Registered: Feb 2001; Location: Montreal, Quebec, Canada; Distribution: RedHat, Fedora, CentOS, SUSE; Posts: 1,403)
Now you need Masquerading. Type:
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
08-16-2003, 05:15 PM | #12 | LQ Newbie, Original Poster (Registered: Aug 2003; Location: Brasil - São Paulo; Distribution: Redhat - FreeBSD - OpenBSD; Posts: 10)
I fixed the problem... I took a look at the rules and there are some rules from redhat-config-securitylevel that block forwarding when you set medium or high security.
I need to execute redhat-config-securitylevel, change the level and apply the rules again!!
Just use:
$echo 1 > /proc/sys/net/ipv4/ip_forward
In the file /etc/sysctl.conf I changed net.ipv4.ip_forward from 0 to 1!!
net.ipv4.ip_forward = 1
After this, only use:
$/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
****DON'T USE:
/etc/init.d/iptables restart
****BEFORE SAVING YOUR RULES!!!
If you do that you will apply the default rules that were there before the MASQUERADE!!
So... save first:
/etc/init.d/iptables save
and then...
/etc/init.d/iptables restart
Everything's good with me now!!
And next time I need to pay attention to the security level of the Red Hat install! ^_^"
Thanks and more thanks to everyone for helping me!!
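Why the appended ACCEPT never fired, as an added example (not code from the thread): a first-match walk over the FORWARD chain exactly as post #5 printed it. The jump to the distro's RH-Lokkit-0-50-INPUT chain is the first rule, and that chain's REJECT for TCP and UDP destination ports 0:1023 catches the client's HTTP and DNS sessions before the -A FORWARD -s 192.168.0.0/24 -j ACCEPT rule is reached; ports above 1023 are not touched by it. The rule table below is constructed from that output with interface and state matches left out, and the Lokkit chain's "ACCEPT all -- anywhere anywhere" line is omitted on the assumption that it is bound to an interface that iptables -L without -v does not display; forward_verdict is a name chosen here.

```shell
#!/bin/sh
# Added example: first-match simulation of the FORWARD chain shown in post #5.
# Rule table constructed from that output, simplified to six fields:
#   chain proto src dport_lo dport_hi target   ("all" and "any" are wildcards)
# Not modelled: -i/-o interface matches, -m state, and the Lokkit chain's
# "ACCEPT all -- anywhere anywhere" line (assumed interface-bound; "-L" without -v hides that).
RULES_ORIG='
FORWARD all any 0 65535 RH-Lokkit-0-50-INPUT
FORWARD all 192.168.0.0/24 0 65535 ACCEPT
RH-Lokkit-0-50-INPUT tcp any 0 1023 REJECT
RH-Lokkit-0-50-INPUT tcp any 2049 2049 REJECT
RH-Lokkit-0-50-INPUT udp any 0 1023 REJECT
RH-Lokkit-0-50-INPUT udp any 2049 2049 REJECT
RH-Lokkit-0-50-INPUT tcp any 6000 6009 REJECT
RH-Lokkit-0-50-INPUT tcp any 7100 7100 REJECT
'
# Same chains after "iptables -I FORWARD 1 -s 192.168.0.0/24 -j ACCEPT": the LAN rule is
# inserted at the head ("-A", as used in the thread, appended it behind the Lokkit jump).
RULES_FIXED='
FORWARD all 192.168.0.0/24 0 65535 ACCEPT
FORWARD all any 0 65535 RH-Lokkit-0-50-INPUT
RH-Lokkit-0-50-INPUT tcp any 0 1023 REJECT
RH-Lokkit-0-50-INPUT tcp any 2049 2049 REJECT
RH-Lokkit-0-50-INPUT udp any 0 1023 REJECT
RH-Lokkit-0-50-INPUT udp any 2049 2049 REJECT
RH-Lokkit-0-50-INPUT tcp any 6000 6009 REJECT
RH-Lokkit-0-50-INPUT tcp any 7100 7100 REJECT
'

# forward_verdict RULES POLICY PROTO SRC_IP DPORT -> prints ACCEPT, REJECT, DROP, or POLICY
forward_verdict() {
    printf '%s\n' "$1" | awk -v policy="$2" -v proto="$3" -v src="$4" -v dport="$5" '
    function ip2int(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # prefix compare without bitwise operators: shift both addresses right by (32 - len) bits
    function cidr_match(net, ip,   p, len, shift) {
        split(net, p, "/"); len = (p[2] == "") ? 32 : p[2] + 0
        shift = 2 ^ (32 - len)
        return int(ip2int(p[1]) / shift) == int(ip2int(ip) / shift)
    }
    # first match wins; a user chain that matches nothing returns to the caller (implicit RETURN)
    function walk(chain,   i, v) {
        for (i = 1; i <= n; i++) {
            if (rchain[i] != chain) continue
            if (rproto[i] != "all" && rproto[i] != proto) continue
            if (rsrc[i] != "any" && !cidr_match(rsrc[i], src)) continue
            if (dport < rlo[i] || dport > rhi[i]) continue
            if (rtarget[i] == "ACCEPT" || rtarget[i] == "REJECT" || rtarget[i] == "DROP") return rtarget[i]
            v = walk(rtarget[i])
            if (v != "") return v
        }
        return ""
    }
    NF == 6 { n++; rchain[n] = $1; rproto[n] = $2; rsrc[n] = $3; rlo[n] = $4 + 0; rhi[n] = $5 + 0; rtarget[n] = $6 }
    END { dport = dport + 0; v = walk("FORWARD"); print (v == "" ? policy : v) }
    '
}

# The failing case from the thread: a LAN client opening TCP 80 (and UDP 53 for DNS) through the gateway.
forward_verdict "$RULES_ORIG"  DROP tcp 192.168.0.2 80     # REJECT: the Lokkit jump is evaluated first
forward_verdict "$RULES_ORIG"  DROP udp 192.168.0.2 53     # REJECT: so the client has no DNS either
forward_verdict "$RULES_ORIG"  DROP tcp 192.168.0.2 8080   # ACCEPT: only ports below 1024 are rejected
forward_verdict "$RULES_FIXED" DROP tcp 192.168.0.2 80     # ACCEPT
```

On the real box the equivalent check is iptables -nvL FORWARD --line-numbers, which shows the per-rule packet counters and the interface matches that plain -L hides: the REJECT counter climbs while the client retries, and the appended ACCEPT stays at zero. The fix is either to insert at the head with -I FORWARD 1 (preceded by the ESTABLISHED,RELATED rule) or, as the original poster did, to regenerate the security-level rules, and in either case to save before any restart.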