I have a Fedora box with chillispot loaded for a captive portal wifi network. I need my office LAN to connect to a controller on the WIFI network. I have tried many different firewall rules and have only momentarily been able to ping something on the other network. Here's some configuration info and my firewall rules that I thought should work.
FC 4
ETH0 - WAN (office lan 192.168.24.201/24)
ETH1 - LAN (brought up as 192.168.10.1/24)
tun0 - chilli 192.168.240.1
ETH1 is brought up as 192.168.10.1 and chilli brings up tun0 as 192.168.240.1/24. I can't get my 192.168.24.0 to talk to either the .10.0 or the .240.0 network. As you can see from my script, I have other services running on this machine also: mail, radius, web, etc. I commented out my rules that drop forwards and tried accepting with $IPTABLES -A FORWARD -i $EXTIF -j ACCEPT, #$IPTABLES -A FORWARD -o $EXTIF -j ACCEPT. That failed, so I commented those out and added $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT and $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT. Below is the whole script. I have run iptables -F prior to running the script. I have also verified ip_forward is 1. My router for the 24.0 net has a static route for 192.168.240.0 and 192.168.10.0 to eth0. When I tracert 192.168.10.187 from 192.168.24.X it does trace back to the FC box and stops...
I hope I have explained everything right... Any help is appreciated.
Quote:
#!/bin/sh
#
# Firewall script
#
#
#########################################################################
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
# Variables used by the rules below (eth0/eth1 as described in the header comment)
IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"
#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
################################################################################
# Enable NAT on output device
###############################################################################
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Drop everything to and from $INTIF (forward)
#$IPTABLES -A FORWARD -i $INTIF -j DROP
#$IPTABLES -A FORWARD -o $INTIF -j DROP
# Accept forward from $EXTIF
#$IPTABLES -A FORWARD -i $EXTIF -j ACCEPT
#$IPTABLES -A FORWARD -o $EXTIF -j ACCEPT
#################################################################################
# Forward networks #
#################################################################################
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#################################################################################
# Forward Port 3389 #
#################################################################################
#
#$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.240.254
#########################################################################
# drop to 24.x Except Broadcast and Gateway and printer
########################################################################
#
#$IPTABLES -I FORWARD -m iprange --src-range 192.168.24.2-192.168.24.72 -j DROP
#$IPTABLES -I FORWARD -m iprange --src-range 192.168.24.74-192.168.24.253 -j DROP
#$IPTABLES -I FORWARD -m iprange --src-range 192.168.10.2-192.168.10.254 -j DROP
I am somewhat familiar with iptables rules but not with tunnel devices (if that is even the right thing to call things like tun0). I don't immediately see anything wrong with your rules, but maybe I can give you some troubleshooting tips that will help you figure out what is going on.
If you use the -v option when listing out iptables rules you can see how many packets (and how many bytes) have matched each rule. (I like to use iptables -nvL for listing.) So for example, you can check to see if you have packets matching your DROP rule at the end of the INPUT chain. If you see such and you want more information about what is getting dropped, you can add a rule (prior to the DROP rule!) to log such packets using the -j LOG target.
If this doesn't give you enough information to figure things out, you might look into using a packet sniffer such as tcpdump or Wireshark. You can get fairly elaborate (if you need to) in the matching criteria you use and I think you should be able to use them on any interface, including tun0. Hopefully between iptables' packet counts, logging, and packet sniffing you can figure out where packets are disappearing and why. If you can figure out where they are disappearing but not why, maybe I can give you some more help with the iptables rules.
UPDATE - Sorry it took so long. I worked on it remotely and got it working, but that stopped the captive portal, so I commented out all the stuff I was testing with to make it work till I could get on property and work on it. Long story short, I got it working with the config below. But I still have a problem. I don't want my 240.x network to talk to my 24.x net (except the gateway), but I need my 24.0 net to talk to a single host, 192.168.240.254. Below are my current configs and the outputs requested. I appreciate the help guys :-)
Firewall script
Code:
#!/bin/sh
#
# Firewall script
#
# Stillwaters Resort WIFI server Firewall rules 12-22-2006
# Updated 4/20/2010 added forwarding,ftp, and some extra security
#########################################################################
# Uses $EXTIF (eth0) as the external interface (Internet or intranet) and
# $INTIF (eth1) as the internal interface (access points).
#
IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#################################################################################
# EXTIF #
#################################################################################
#POP3 MAIL
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 110 -j ACCEPT
#SMTP Mail
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
# FTP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 20 -j ACCEPT
# HTTP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 80 -j ACCEPT
# HTTPS
#$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 443 -j ACCEPT
# RADIUS Auth
$IPTABLES -A INPUT -i $EXTIF -p udp -m udp --dport 1812 -j ACCEPT
# Webmin
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 10000 -j ACCEPT
# Samba
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 137:139 -j ACCEPT
# Samba
$IPTABLES -A INPUT -i $EXTIF -p udp -m udp --dport 137:139 -j ACCEPT
# Samba
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 445 -j ACCEPT
# ICMP reply
$IPTABLES -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j ACCEPT
##### Drop Others ######
$IPTABLES -A INPUT -i $EXTIF -j DROP
#################################################################################
# INTIF #
#################################################################################
#SMTP 25
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 25 -j ACCEPT
# SSH
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 22 -j ACCEPT
# FTP
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 21 -j ACCEPT
# WWW
$IPTABLES -A INPUT -i $INTIF -p tcp -m tcp --dport 80 -j ACCEPT
# ICMP reply
$IPTABLES -A INPUT -i $INTIF -p icmp --icmp-type echo-request -j ACCEPT
#### drop others ####
$IPTABLES -A INPUT -i $INTIF -j DROP
#################################################################################
# Input other interfaces #
#################################################################################
# port 80/443 apache
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
# port 3990 chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
#################################################################################
# Loopback #
################################################################################
#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
################################################################################
# Enable NAT on output device
###############################################################################
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Drop everything to and from $INTIF (forward)
#$IPTABLES -A FORWARD -i $INTIF -j DROP
#$IPTABLES -A FORWARD -o $INTIF -j DROP
#################################################################################
# Forward #
#################################################################################
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#################################################################################
# Forward Port 3389 #
#################################################################################
#
#$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.240.241
################################################################################
# drop to 24.x Except Broadcast and Gateway and printer
# Opened up some IP's to communicate with 192.168.240.254
################################################################################
#
$IPTABLES -I FORWARD -m iprange --src-range 192.168.24.2-192.168.24.16 -j DROP
$IPTABLES -I FORWARD -m iprange --src-range 192.168.24.18-192.168.24.69 -j DROP
$IPTABLES -I FORWARD -m iprange --src-range 192.168.24.74-192.168.24.254 -j DROP
$IPTABLES -I FORWARD -m iprange --src-range 192.168.10.2-192.168.10.254 -j DROP
iptables-save
Code:
[root@mail ~]# iptables-save
# Generated by iptables-save v1.3.0 on Mon Apr 26 13:56:13 2010
*filter
:FORWARD ACCEPT [166584:137210448]
:INPUT DROP [431:127275]
:OUTPUT ACCEPT [2891:532808]
-A FORWARD -m iprange --src-range 192.168.10.2-192.168.10.254 -j DROP
-A FORWARD -m iprange --src-range 192.168.24.74-192.168.24.254 -j DROP
-A FORWARD -m iprange --src-range 192.168.24.18-192.168.24.69 -j DROP
-A FORWARD -m iprange --src-range 192.168.24.2-192.168.24.16 -j DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1812 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 137:139 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth1 -j DROP
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3990 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Mon Apr 26 13:56:13 2010
# Generated by iptables-save v1.3.0 on Mon Apr 26 13:56:13 2010
*nat
:OUTPUT ACCEPT [89:11397]
:POSTROUTING ACCEPT [38:6125]
:PREROUTING ACCEPT [58662:26278403]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 26 13:56:13 2010
If you change the policy of your FORWARD chain to DROP, this will work if you add it into the forward section of your firewall script:
Code:
iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -d 192.168.240.254 -j ACCEPT
At the moment 166584 packets have matched your default forward policy of accept, so changing the policy to DROP may have unintended consequences. If you do not want to change the default policy, add this instead of the above rules:
Code:
iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -d 192.168.240.254 -j ACCEPT
iptables -A FORWARD -i tun0 -j DROP
iptables -A FORWARD -o tun0 -j DROP
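To check rule order before touching the live box, here is a small first-match model of the FORWARD chain (an added example, not code from this thread or from iptables itself). It parses the subset of iptables-save syntax used in this thread and evaluates the reply's second rule set, with the policy left at ACCEPT, against constructed packets.

```python
import ipaddress

def in_range(ip, spec):
    """True if ip is inside an iprange 'a-b' or a host/CIDR as given to -s/-d."""
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def parse_rule(line):
    """Parse the subset of iptables-save syntax used in this thread."""
    tok, rule, i = line.split(), {}, 0
    while i < len(tok):
        if tok[i] in ("-i", "-o", "-s", "-d", "-j", "--src-range", "--state"):
            rule[tok[i]] = tok[i + 1]
            i += 2          # option that takes one argument
        else:
            i += 1          # -A FORWARD, -m iprange, -m state: carry no match data
    return rule

def matches(rule, pkt):
    checks = {
        "-i": lambda v: pkt["in"] == v,
        "-o": lambda v: pkt["out"] == v,
        "-s": lambda v: in_range(pkt["src"], v),
        "-d": lambda v: in_range(pkt["dst"], v),
        "--src-range": lambda v: in_range(pkt["src"], v),
        "--state": lambda v: pkt.get("state", "NEW") in v.split(","),
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def verdict(rules, policy, pkt):
    """First matching rule wins; the chain policy applies when none matches."""
    for r in rules:
        if matches(r, pkt):
            return r["-j"]
    return policy

# The four rules from the reply above; packets are dicts with in/out/src/dst/state.
REPLY_RULES = [parse_rule(l) for l in """
-A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -d 192.168.240.254 -j ACCEPT
-A FORWARD -i tun0 -j DROP
-A FORWARD -o tun0 -j DROP
""".strip().splitlines()]
```

Feeding it a NEW packet from a wifi client out to an Internet address (in tun0, out eth0) also returns DROP from the `-i tun0 -j DROP` line, so any Internet access the portal clients need has to be accepted before that rule.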