LinuxQuestions.org
Old 07-27-2010, 01:53 AM   #1
tr1pl3x
LQ Newbie
 
Registered: Jul 2010
Distribution: Ubuntu 10.4, Fedora 13
Posts: 25

Rep: Reputation: 16
Unhappy Iptables manual masquerade problem


Good day. I have a problem with my iptables setup; hope you guys can help me. Actually I already masqueraded my connections so that my XP clients can browse the internet by using Firestarter as my firewall, but the point is that I'm trying to masquerade my connections manually, without using Firestarter or any GUI firewall. I'm trying to remove Firestarter and just write a script for my personal firewall.

Here's what I've done so far using iptables, but masquerading doesn't seem to work for me. By the way, I'm using Ubuntu 10.04 LTS as my Linux server.

here's my setup..
LAN<<eth0<<linuxserver>>eth1>>Internet

#iptables -P INPUT DROP
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD DROP

//Allowing services for dnsmasq,dhcp server & webserver

#iptables -A INPUT -p tcp --dport 67 -j ACCEPT
#iptables -A INPUT -p tcp --dport 68 -j ACCEPT
#iptables -A INPUT -p udp --dport 67 -j ACCEPT
#iptables -A INPUT -p udp --dport 68 -j ACCEPT
#iptables -A INPUT -p tcp --dport 67 -j ACCEPT
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 67 -j ACCEPT
#iptables -A INPUT -p tcp --dport 53 -j ACCEPT

//Allow loopback connections

#iptables -A INPUT -i lo -j ACCEPT

//Allow Established related connections for the local server
#iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

//Tried Masquerading?

#iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth1 -j MASQUERADE
#iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
#iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Is there anything I'm missing here so that my clients can successfully browse the internet? I need some advice; thanks in advance.

I'm trying to masquerade my connections so that I can let the XP clients within my network browse the internet.
 
Old 07-27-2010, 03:28 AM   #2
zirias
Member
 
Registered: Jun 2010
Posts: 361

Rep: Reputation: 59
Quote:
Originally Posted by tr1pl3x View Post
#iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
First, I'd drop that one. It would just allow SYN packets accidentally using a port that the masquerading module has seen as an internal source port. Under normal conditions they will just be ignored by whatever host they are reaching, but it's unnecessary to "let them in".

edit:

Misread your interface names. This line seems fine, as it allows packets from the internal to the external interface. So maybe you just need to exchange the interface names on the NEXT line, where packets belonging to established connections are allowed.

/edit.

And then, one thing often overlooked when trying to set up a masquerading router is the fact that the Linux network stack has to be configured to route /at all/. Try
Code:
sysctl net.ipv4.ip_forward
If it says
Code:
net.ipv4.ip_forward = 0
your box doesn't act as a router. Edit /etc/sysctl.conf or some file in /etc/sysctl.d/ to change this permanently (and issue "sysctl -w net.ipv4.ip_forward=1" to switch routing on instantly).

Another idea: are all these '#' characters actually in your script? '#' starts a comment, so these lines would be ignored.

If this doesn't help, maybe describe in detail what behavior you expected and what you got...

Last edited by zirias; 07-27-2010 at 03:30 AM.
 
Old 07-27-2010, 07:13 AM   #3
tr1pl3x
LQ Newbie
 
Registered: Jul 2010
Distribution: Ubuntu 10.4, Fedora 13
Posts: 25

Original Poster
Rep: Reputation: 16
Smile

Quote:
your box doesn't act as a router. Edit /etc/sysctl.conf or some file in /etc/sysctl.d/ to change this permanently (and issue "sysctl -w net.ipv4.ip_forward=1" to switch routing on instantly).
I already did that by issuing

echo 1 > /proc/sys/net/ipv4/ip_forward

& I also edited the /etc/sysctl.conf by changing the line

net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1

I just forgot to put it in my first post.
Secondly, eth1 and eth0 are correct; I set it up that way.

eth0 is my internal interface, while eth1 is my outbound interface going to the internet.

The number sign '#' is just to let you know that I'm typing it in a text-based console as root.

As of now I'm using Firestarter to set up masquerading correctly. However, I'm still trying to create my own script without the help of Firestarter.

heres some more info bout my connection.


Internet->
DSLmodem->
eth1-LinuxServer-eth0->
LAN

Can you give me some info on how to do this? By the way, I'm a newbie to Linux. What needs modification in the script that I created above?

Last edited by tr1pl3x; 07-27-2010 at 07:17 AM.
 
Old 07-27-2010, 07:17 AM   #4
zirias
Member
 
Registered: Jun 2010
Posts: 361

Rep: Reputation: 59
Quote:
Originally Posted by zirias View Post
So maybe you just need to exchenge the interface names on the NEXT line where packets belonging to established connections are allowed.
See, your rule from the first post allows packets in state "ESTABLISHED" and "RELATED" from eth0 to eth1 (from inside to outside), but it really SHOULD allow these packets in the other direction (from eth1 to eth0). Maybe this is the whole problem.
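To make the fix concrete, here is a complete script for the topology in this thread that applies both points raised so far: routing switched on, and the ESTABLISHED,RELATED forward rule pointing from the WAN interface to the LAN interface. This is an added example, not code posted by anyone in the thread and not Firestarter's output. It assumes the LAN is 192.168.0.0/24 on eth0 (the original post used -s 192.168.0.1/24, which iptables normalizes to the same network), that eth1 faces the DSL modem, and that dnsmasq (DHCP/DNS) and a web server run on the box; the LAN_IF, WAN_IF, LAN_NET and IPT variable names are this example's own. It keeps the thread's `-m state` syntax, which still works; current iptables documents `-m conntrack --ctstate` as the replacement. Two checks a practitioner would want: `sysctl -n net.ipv4.ip_forward` must print 1 after the script runs, and when enabling it by hand the space in `echo 1 > /proc/sys/net/ipv4/ip_forward` matters, because `echo 1>file` is parsed as a redirection of fd 1 and writes an empty line.

```shell
#!/bin/sh
# Added example: minimal masquerading firewall for
#   LAN << eth0 << linuxserver >> eth1 >> Internet
# Assumptions (not from the thread): LAN_NET on LAN_IF, modem on WAN_IF,
# dnsmasq and a web server on the box. Run "./fw.sh apply" as root, or
# IPT="echo iptables" to print the rules instead of loading them.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
IPT=${IPT:-iptables}

enable_forwarding() {
    # Without this no FORWARD rule ever sees a packet.
    # Keep the space before '>': "echo 1>file" writes an empty line.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

build_rules() {
    # Start clean; same default policies as the original post.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # Local services. The reply rule is not limited to tcp so that DNS
    # answers to the server's own UDP queries are accepted as well.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP server side listens on 67/udp; port 68 is the client side and
    # needs no INPUT rule here. Only accept these from the LAN.
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 80 -j ACCEPT

    # Forwarding. New connections only from LAN to WAN and only from the
    # LAN prefix; replies come back the other way, so the state rule must
    # match -i WAN_IF -o LAN_IF (the direction the thread is about).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: rewrite the source of LAN traffic as it leaves the WAN interface.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Dry run of the rule set; works without root.
dump_rules() {
    ( IPT="echo iptables"; build_rules )
}

# Returns the number of correctly directed reply rules (expect 1).
count_reply_rules() {
    dump_rules | grep -c -- "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    build_rules
fi
```

Run it once with `IPT="echo iptables" sh fw.sh apply` and read the output before loading it for real; if the dump shows the state rule with `-i eth0 -o eth1`, the interfaces are swapped and replies from the internet will hit the FORWARD DROP policy, which is exactly the symptom in the first post.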
 
Old 07-27-2010, 07:19 AM   #5
tr1pl3x
LQ Newbie
 
Registered: Jul 2010
Distribution: Ubuntu 10.4, Fedora 13
Posts: 25

Original Poster
Rep: Reputation: 16
Quote:
//Allow Established related connections for the local server
#iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
What do you mean by this rule? OK, I will try to remove this one.

Last edited by tr1pl3x; 07-27-2010 at 07:20 AM.
 
Old 07-27-2010, 07:58 AM   #6
zirias
Member
 
Registered: Jun 2010
Posts: 361

Rep: Reputation: 59
No, I meant you should exchange eth0 and eth1 on that rule, because you want to allow these packets from the outside world (internet) to the inside...

But please understand I'll stop supporting this issue unless some nazi "moderator" reconsiders his behavior.
 
Old 07-27-2010, 10:10 AM   #7
pcangelo
LQ Newbie
 
Registered: Jul 2010
Posts: 8

Rep: Reputation: 0
My point of view is that you have some issues in the FORWARD chain:

- you set the policy to DROP
- you allow forwarding like: -i eth0 -o eth1 -j ACCEPT, but I am not sure that at this level eth1 is known. In my opinion, if I am not wrong, eth1 will be known only later, after the output routing table.
 
  

