Linux box with eth0 to cable modem and eth1 to Windows box

videojeff · 11-15-2004, 02:14 AM

OK, here are the latest results.

Flushing iptables didn't work.

Here is the output from the masquerading attempt:

Code:

root@1[var]# iptables -A PREROUTING -t NAT -j MASQUERADE
iptables v1.2.11: can't initialize iptables table `NAT': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
root@1[var]#

Daniel56 · 11-15-2004, 08:47 AM

Seems you have this networking thing down packed. Sorry I don't have any solutions but do have a problem.

I have a wireless home-based network, running dual environments (Windows XP Pro and Linux). Just ported over from SuSe 9.0 to NDL. Here is my dilemma. Five machines on Network, three with dual boot. On my machine (which I guess also serves as the server) upon loading Novell's Desktop Linux, the network settings worked fine. However, on my son's machine, using wireless adapter, Windows boots and finds network, but can't get it on Novell Linux. Dying for some help! Started yesterday at 6:00 pm and still working on it at 10:00 a.m today. Literally slept three hours HELP

And thanks for any assistance!

Dan

exvor · 11-15-2004, 09:27 AM

Thats strange that you can ping everything on the linux box but nothing on the windows box. This idicates that maq or nat isnt working properly.

|------------------|
| windows box |-------im a packet-------> Linux firewall/routeing script |<------- note that this needs to be in the same
|------------------| to yahoo.com should forward this out to the internet | thing no seperation of firewall/nat

Here is firegates script from my server

NOTE I HAVE NOT REMVOED ANYTHING HERE SO CHECK IT BEFORE USING TO MAKE SURE ITS CORRECT

---------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash

# Program Name = FIRE|GATE
# Intended Use = An IPtables firewall ruleset and NAT gateway
# Revision Lvl = 0.79
# Created File = 20 Jan 2002
# Last Updated = 01 Sep 2003

# Download URL = http://firegate.lunarfox.com

# Copyright 2002-2003 Jeff Bonner (firegate@lunarfox.com)

# OSI Certified Open Source Software
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, Version 2.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307 USA

# CAUTION: THIS SCRIPT IS IN DEVELOPMENT AND MAY NOT BE SUITABLE
# FOR USE IN A PRODUCTION ENVIRONMENT. Concerns and questions are
# prefixed with "FIXME" to denote they need to be addressed. You
# should review the code thoroughly to ensure it is appropriate for
# your location and situation.
### SET NECESSARY VARIABLES --------------------------------------------------
#
VER="v0.79"

IPT="/usr/sbin/iptables" # Location of your IPtables

EXT="eth0" # External interface name
INT="eth1" # Internal interface name

MASQ="10.10.10.0/24" # LAN IP range to masquerade; see
# http://dmdl.uvm.edu/subnet.shtml

# Null "" allows ANY traffic in:
DHCP="192.168.0.1 192.168.0.11" # DHCP server(s) to allow inbound

DNS="209.244.0.3 209.244.0.4" # DNS server(s) to allow inbound

IDENT="0" # Use Ident/Auth? 0=REJECT 1=ACCEPT
SSH="1" # SSH in from Internet? 0=NO 1=YES
PING="1" # Allow PINGs inbound? 0=NO 1=YES
QUIET="1" # Ignore common scans? 0=NO 1=YES

DROPEXT="0" # Drop all external traffic when you
# stop the firewall? 0=NO 1=YES

WEBPORT="80" # If ISP blocks port 80, change here

HTTP="" # Forward HTTP > LAN IP; "" disables
SMTP="" # Forward SMTP > LAN IP; "" disables

AIM="" # Port(s) forwarded to internal LAN
ICQ="" # machines using IP masq; null value
MSN="1863" # "" disables that one. For a range
P2P="" # (eg ICQ) use colon between ports.

CAM="" # Forward port number to internal IP;
CAMIP="" # a null value "" for both disables

COLOR="1" # Use ANSI color msgs? 0=NO 1=YES

if [ $COLOR = "1" ]
then
NORM="\\033[0;39m" # You may adjust these as desired to
GREEN="\\033[1;32m" # use other colors, insert different
RED="\\033[1;31m" # sequences (non-ANSI), sound your
WHITE="\\033[1;29m" # terminal bell CTRL-G, et cetera
fi

### BLACKLISTED IPs ----------------------------------------------------------
#
# This section can be used against nefarious sites you want to prevent

EVIL="219.96.228.226 150.108.236.20 210.80.207.147 200.222.3.3 24.148.22.92 216.127.74.43"

# ***** END OF USER VARIABLES; EXERCISE CAUTION EDITING BELOW THIS LINE *****

# [START] ====================================================================
#
case "$1" in
start)

echo -e "\n"$NORM"FIRE|GATE $VER$GREEN starting"$NORM"..."

### SYSCTL: PERFORMANCE TUNING, DoS, ETC -------------------------------------
# http://www.tldp.org/HOWTO/Adv-Routin...l.obscure.html
#
echo -e "\n - SYSCTL, performance tuning"
echo 1 > /proc/sys/net/ipv4/ip_forward # Enable IP masq
echo 1 > /proc/sys/net/ipv4/ip_dynaddr # Rewrite new address
echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP SYN overload
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Smurf amplify off
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Spoof/route/redir
echo 0 > /proc/sys/net/ipv4/tcp_timestamps # Uptime/GB Ethernet
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # ICMP redirects off
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # No bcast response
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # No return path mod
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # No bad msgs

for r in /proc/sys/net/ipv4/conf/*/rp_filter; do # Reverse path filter
echo 1 > $r # (default for Debian
done # installations)

### ERASE PREVIOUS RULES, DEFINE DEFAULT POLICY ------------------------------
#
echo " - Flush; default policy DENY"
$IPT -F # Flush built-in rules
$IPT -X # Erase custom rules
$IPT -Z # Zero all counters
$IPT -t nat -F # Flush pre/postroute
$IPT -t mangle -F # Flush packet mangle

$IPT -P INPUT DROP #
$IPT -P OUTPUT DROP # Default policy
$IPT -P FORWARD DROP #

$IPT -A INPUT -i lo -j ACCEPT # Allow traffic on
$IPT -A OUTPUT -o lo -j ACCEPT # loopback interface

# You should never see legitimate traffic originating from any of these
# addresses to the external interface, but a misconfigured router or hack
# attempt could produce this behavior. Comcast sends broadcast messages
# from 10.0.0.0/8 to bootpc for whatever reason (check it yourself with
# "iptables -L -n -v"), but it does not appear to matter if we drop them.
# See http://again.net/cidr for a list of these addresses plus tables of
# subnets, ICMP codes, and more. Toss any packets to external interface
# claiming to be:

echo " - No reserved IPs coming from" $EXT

$IPT -A INPUT -i $EXT -s 10.0.0.0/8 -j DROP #
$IPT -A INPUT -i $EXT -s 172.16.0.0/12 -j DROP # RFC1918 Private
$IPT -A INPUT -i $EXT -s 192.168.0.0/16 -j DROP #

$IPT -A INPUT -i $EXT -s 0.0.0.0/8 -j DROP # Broadcast
$IPT -A INPUT -i $EXT -s 127.0.0.0/8 -j DROP # Loopback
$IPT -A INPUT -i $EXT -s 192.0.2.0/24 -j DROP # TEST-NET
$IPT -A INPUT -i $EXT -s 169.254.0.0/16 -j DROP # Unconfigured DHCP
$IPT -A INPUT -i $EXT -s 224.0.0.0/4 -j DROP # Class D / Multicast
$IPT -A INPUT -i $EXT -s 240.0.0.0/5 -j DROP # Class E / Reserved
$IPT -A INPUT -i $EXT -s 255.255.255.255 -j DROP # Broadcast

### DROP BLACKLIST SITES (SCANS, WORMS, ETC) ---------------------------------
#
if [ "$EVIL" ]
then
echo " - Drop traffic for blacklisted IP(s)"
for v in $EVIL; do
$IPT -A INPUT -s $v -j DROP # Drop blacklist traffic to firewall
done
for v in $EVIL; do
$IPT -A OUTPUT -d $v -j DROP # Don't send to any blacklist sites
done
for v in $EVIL; do
$IPT -A FORWARD -s $v -j DROP # Don't forward any blacklist traffic
done
fi

### IGNORE COMMONLY PROBED PORTS (SSH/SMTP/HTTP HANDLED LATER) ---------------
#
# FIRE|GATE assumes a default INPUT policy of DROP, so this section is just
# to cut down on nuisance logs. However, if you analyze your firewall logs
# for hack attempts (fwlogwatch, DShield, etc), you should set QUIET variable
# to "1"; otherwise, activity aimed at these ports will not be recorded. If
# you host any of these services for the Internet, you should comment out the
# appropriate ports (notably FTP).
#
if [ "$QUIET" = "1" ]
then
echo " - Ignore commonly probed ports"
$IPT -A INPUT -p tcp -i $EXT --dport 0:19 -j DROP # ... Diagnostics
$IPT -A INPUT -p udp -i $EXT --dport 0:19 -j DROP # ... Diagnostics
$IPT -A INPUT -p tcp -i $EXT --dport 21 -j DROP # ... FTPd
$IPT -A INPUT -p tcp -i $EXT --dport 23 -j DROP # ... Telnet
$IPT -A INPUT -p tcp -i $EXT --dport 111 -j DROP # ... RPC/Portmap
$IPT -A INPUT -p tcp -i $EXT --dport 135 -j DROP # ... Microsoft RPC
$IPT -A INPUT -p udp -i $EXT --dport 135 -j DROP # ... Microsoft RPC
$IPT -A INPUT -p udp -i $EXT --sport 137:138 -j DROP # ... SMB w/NetBIOS
$IPT -A INPUT -p tcp -i $EXT --sport 139 -j DROP # ... SMB w/NetBIOS
$IPT -A INPUT -p tcp -i $EXT --dport 443 -j DROP # ... HTTP w/SSL
$IPT -A INPUT -p tcp -i $EXT --dport 445 -j DROP # ... SMB w/o NetBIOS
$IPT -A INPUT -p tcp -i $EXT --dport 515 -j DROP # ... LPR/Printer
$IPT -A INPUT -p tcp -i $EXT --dport 1080 -j DROP # ... SOCKS Proxy
$IPT -A INPUT -p tcp -i $EXT --dport 27374 -j DROP # ... SubSeven
$IPT -A INPUT -p tcp -i $EXT --dport 31337 -j DROP # ... BackOrifice etc
$IPT -A INPUT -p udp -i $EXT --dport 31337 -j DROP # ... BackOrifice etc
# $IPT -A INPUT -p tcp -i $EXT --dport 1214 -j DROP # ... KaZaA
# $IPT -A INPUT -p tcp -i $EXT --dport 6346 -j DROP # ... Gnutella
fi

### DETECT & LOG SUSPECTED PORT SCANS ----------------------------------------
#
# FIXME: These need to be confirmed for correctness; 3rd rule may cause
# some false alarms during certain FTP sessions (including apt-get)
#
echo " - PortScan, Fragment, Hostile Flags"
$IPT -N SCAN
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL ALL -j SCAN # `Xmas' scan
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL NONE -j SCAN # `Null' scan
$IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,ACK,FIN,RST RST -j SCAN # Type?
$IPT -A SCAN -m limit --limit 2/s -j LOG --log-level info \
--log-prefix "**PORTSCAN** "
$IPT -A SCAN -j DROP

### FRAGMENTED PACKETS -------------------------------------------------------
#
# FIXME: Necessary w/NAT? Mostly hostile (need to be logged)?
#
$IPT -A INPUT -i $EXT -f -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**FRAGMENT** "
$IPT -A INPUT -i $EXT -f -j DROP

### HOSTILE TCP FLAGS --------------------------------------------------------
#
# FIXME: These need to be confirmed for correctness
#
$IPT -N FLAGS
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL FIN,URG,PSH -j FLAGS
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL ALL -j FLAGS
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL NONE -j FLAGS
$IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,RST SYN,RST -j FLAGS
$IPT -A INPUT -p tcp -i $EXT --tcp-flags SYN,FIN SYN,FIN -j FLAGS #QueSO
$IPT -A INPUT -p tcp -i $EXT --tcp-flags ALL SYN,RST,ACK,FIN,URG -j FLAGS
$IPT -A FLAGS -m limit --limit 2/s -j LOG --log-level info \
--log-prefix "**BADFLAGS** "
$IPT -A FLAGS -j DROP

### ALLOW DHCP LEASE & RENEWAL -----------------------------------------------
#
# If running a DHCP server internally, you may need different/additional
# rules here.
#
if [ "$DHCP" ]
then
echo " - Allow only authorized DHCP servers"
for d in $DHCP; do
$IPT -A INPUT -p udp -s $d --sport 67 -d 0/0 --dport 68 -j ACCEPT
done
else
$IPT -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
fi

### ALLOW REPLIES ONLY FROM AUTHORIZED DNS SERVERS ---------------------------
#
# UDP = Short DNS answers; TCP = Long/retry DNS answers, zones
#
if [ "$DNS" ]
then
echo " - Allow only authorized DNS replies"
for u in $DNS; do
$IPT -A INPUT -p udp -s $u --sport 53 -d 0/0 -j ACCEPT
done
for t in $DNS; do
$IPT -A INPUT -p tcp -s $t --sport 53 -d 0/0 -j ACCEPT
done
else
echo " - Allow ALL incoming DNS replies"
$IPT -A INPUT -p tcp --sport 53 -j ACCEPT
fi

### HANDLE IDENTD (with DAEMON, or REJECT) -----------------------------------
#
# If you ARE NOT running an ident daemon, set IDENT as "0"; this bounces
# auth gracefully so you don't wait for a timeout, as may happen if you
# just block the port. If you DO need the real thing, set IDENT as "1".
# Debian package "harden-servers" will conflict with many common identd's
# for security reasons, but nullidentd or perhaps slidentd are acceptable.

$IPT -A INPUT -p tcp -i $INT --dport 113 -j ACCEPT # Always accept internal

if [ "$IDENT" = "1" ]
then
echo " - Allow external IDENT/auth"
$IPT -A INPUT -p tcp -i $EXT --dport 113 -j ACCEPT
else
echo " - Reject IDENT with tcp-reset"
$IPT -A INPUT -p tcp -i $EXT --dport 113 -j REJECT --reject-with tcp-reset
fi

### BLOCK OUTBOUND TROJANS & INSECURE PORTS ----------------------------------
#
# The ports listed below are not exhaustive, and blocking a particular one
# is not always effective (most new trojans can use any high port). These
# could also intentionally prevent your LAN users from using some outbound
# applications (with the same caveat as above). A well-documented list of
# trojans is available at http://www.simovits.com/trojans/.
#
echo " - Drop, log outbound trojan ports"

$IPT -N STOPOUT
$IPT -A OUTPUT -p udp --dport 137:138 -j STOPOUT # SMB w/NetBIOS
$IPT -A OUTPUT -p tcp --dport 139 -j STOPOUT # SMB w/NetBIOS
$IPT -A OUTPUT -p tcp --dport 445 -j STOPOUT # SMB w/o NetBIOS
$IPT -A OUTPUT -p tcp --dport 4444 -j STOPOUT # W32.Blaster worm
$IPT -A OUTPUT -p tcp --dport 10008 -j STOPOUT # Lion worm
$IPT -A OUTPUT -p tcp --dport 65535 -j STOPOUT # Ramen worm
$IPT -A OUTPUT -p tcp --dport 12345 -j STOPOUT # Various trojans
$IPT -A OUTPUT -p tcp --dport 27374 -j STOPOUT # "
$IPT -A OUTPUT -p tcp --dport 31335:31337 -j STOPOUT # "
$IPT -A OUTPUT -p udp --dport 31335:31337 -j STOPOUT # "

$IPT -A STOPOUT -m limit --limit 1/s -j LOG \
--log-level info --log-prefix "**TROJAN?** " # Log these attempts
$IPT -A STOPOUT -j DROP # then drop packets

### CONTROL ICMP MESSAGES ----------------------------------------------------
#
# Certain types should be allowed for more friendly/compliant servers, but
# some must be restricted as well. Set PING to "0" if you do not want to
# respond to those, but be warned that just blocking ping at the firewall
# won't keep connection from being saturated in a Denial of Service attack
# ("ping flood"); you'd need your upstream (ISP) to filter these instead.
#
# These ICMPs are suggested by "Linux Firewalls 2nd Edition" by R Ziegler:
#
# 0 = Echo Reply, what gets sent back after a Type 8 is received here
# 3 = Destination Unreachable (inbound) or Fragmentation Needed (out)
# 4 = Source Quench tells sending IP to slow down its rate to destination
# 8 = Echo Request used for pinging hosts, but see the caution above
# 11 = Time Exceeded used for traceroute (TTL) or sometimes frag packets
# 12 = Parameter Problem is some error or weirdness detected in header
#
# See also http://www.iana.org/assignments/icmp-parameters or RFC792
#
# FIXME: This may break traceroute from the firewall itself, but it works
# from NAT'd machines behind it.

echo -e -n " - Control ICMP messages"

$IPT -A INPUT -p icmp -i $EXT --fragment -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**ICMP FRAG** " # Log and drop any
$IPT -A INPUT -p icmp -i $EXT --fragment -j DROP # frag'd ICMPs (bad)

# No outgoing destination-unreachable; can be spoofed & sent to other hosts
$IPT -A OUTPUT -p icmp --icmp-type destination-unreachable -o $EXT -j DROP

# Specifically allow these types (just in case ESTABLISHED/RELATED doesn't)
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -i $EXT -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type source-quench -i $EXT -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -i $EXT -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type parameter-problem -i $EXT -j ACCEPT

if [ "$PING" = "1" ]
then
echo -e -n "; PING on\n"
$IPT -A INPUT -p icmp --icmp-type echo-request -i $EXT -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-reply -o $INT -j ACCEPT
else
echo -e -n "; PING off\n"
$IPT -A INPUT -p icmp --icmp-type echo-request -i $EXT -j DROP
$IPT -A OUTPUT -p icmp --icmp-type echo-reply -o $INT -j DROP
fi

$IPT -A INPUT -p icmp -i $INT -j ACCEPT # Accept all from LAN

$IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -p icmp -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**ICMP DROP** " # Log anything else
$IPT -A INPUT -p icmp -j DROP # denied, then drop

### ALLOW SSH INTO FIREWALL FROM INTERNET ------------------------------------
#
# Blocked by default and not logged, but internal LAN use & outbound SSH
# always allowed. To permit external access FROM internet, set SSH as "1";
# be sure you also specify the proper interface for your listening address
# (i.e., in /etc/ssh/sshd_config).

$IPT -A INPUT -p tcp -i $INT --dport 22 -j ACCEPT # Allow SSH from LAN

if [ "$SSH" = "1" ]
then
echo " - Inbound SSH from Internet"
$IPT -A INPUT -p tcp -i $EXT --dport 22 -j ACCEPT # SSH from internet
elif [ "$QUIET" = "1" ]
then
echo " - No inbound SSH from Internet"
$IPT -A INPUT -p tcp -i $EXT --dport 22 -j DROP # No SSH & don't log
fi

### REDIRECT INBOUND TRAFFIC TO SERVER(S) ------------------------------------
#
# To permit access to your internal servers from those outside the LAN
# (on the internet), define all the appropriate IP(s) at top of script.
# Otherwise, this traffic will be dropped; set QUIET to 1 to not log
# these attempts either.

echo -e -n " - Redirect inbound: "

if [ "$CAM" ] && [ "$CAMIP" ]
then
echo -e -n "+CAM "
$IPT -A FORWARD -i $EXT -o $INT -p tcp --dport $CAM -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $CAM -j DNAT --to $CAMIP:$CAM # Forward webcam
elif [ "$QUIET" = "1" ] && [ "$CAM" ]
then
$IPT -A INPUT -p tcp -i $EXT --dport $CAM -j DROP # No cam & don't log
fi

if [ "$HTTP" ] && [ $WEBPORT ]
then
echo -e -n "+HTTP "
$IPT -A FORWARD -i $EXT -o $INT -p tcp --dport $WEBPORT -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $WEBPORT -j DNAT --to $HTTP:$WEBPORT # Forward HTTP
elif [ "$QUIET" = "1" ]
then
$IPT -A INPUT -p tcp -i $EXT --dport 80 -j DROP # No HTTP & don't log
fi

if [ "$SMTP" ]
then
echo -e -n "+SMTP "
$IPT -A FORWARD -i $EXT -o $INT -p tcp --dport 25 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport 25 -j DNAT --to $SMTP:25 # Forward SMTP
elif [ "$QUIET" = "1" ]
then
$IPT -A INPUT -p tcp -i $EXT --dport 25 -j DROP # No SMTP & don't log
fi

### PREROUTE CLIENT PORTS FOR IM DIRECT CONNECT/FILE XFER --------------------
#
# FIXME: At this time, the following implementation results in...
#
# AIM - Allows in/outbound file xfers, direct connect
# ICQ - Allows outgoing file transfers only
# MSN - Allows incoming file transfers, no voice chat
# IRC (DCC) - Untested, but supposedly built-in to IPtables
# P2P - Believed to work but recently added; let me know
# H.323 - aka Netmeeting: see below, and read included FAQ
# Yahoo - "View My Webcam" works, but file xfers untested
#

if [ "$AIM" ]
then
echo -e -n "+AIM "
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $AIM -j REDIRECT --to-ports $AIM # Allow AIM file xfer
fi

if [ "$ICQ" ]
then
echo -e -n "+ICQ "
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $ICQ -j REDIRECT --to-ports $ICQ # Allow ICQ file xfer
fi

if [ "$MSN" ]
then
echo -e -n "+MSN "
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $MSN -j REDIRECT --to-ports $MSN # Allow MSN file xfer
fi

if [ "$P2P" ]
then
echo -e -n "+P2P "
$IPT -A PREROUTING -t nat -i $EXT -p tcp \
--dport $P2P -j REDIRECT --to-ports $P2P # Allow P2P file share
fi

### MAIN RULESET FOR AUTHORIZED (LAN) TRAFFIC
#
echo -e "\n - Allow authorized LAN traffic"
$IPT -N TRAFFIC
$IPT -A TRAFFIC -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A TRAFFIC -m state --state NEW -i ! $EXT -j ACCEPT
$IPT -A TRAFFIC -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**PACKET DROP** " # Log anything denied
$IPT -A TRAFFIC -j DROP # and drop the packets

$IPT -A INPUT -j TRAFFIC # Send INPUT to above
$IPT -A OUTPUT -j TRAFFIC # Send OUTPUT to above
$IPT -A FORWARD -j TRAFFIC # Send FORWARD above

### ENABLE sNAT/MASQUERADE #
echo " - Enable sNAT/Masquerade"
$IPT -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INT -o $EXT -j ACCEPT
$IPT -A FORWARD -j LOG -m limit --limit 1/s \
--log-level info --log-prefix "**FORWARD DROP** " # Log anything denied
$IPT -A FORWARD -j DROP # and drop the packets
$IPT -A POSTROUTING -t nat -s $MASQ -o $EXT -j MASQUERADE

# NOTE: The last line above is intended for dynamic IPs (PPP, DHCP etc); see
# info at http://www.netfilter.org/documentati...T-HOWTO-6.html for
# important differences between sNAT and MASQUERADE. If your IP address is
# truly static, you should use this format instead:
#
# $IPT -t nat -A POSTROUTING -o $EXT -j SNAT --to <YourIP>
#
# Of course, then you have to grep the IP or specify it manually. Since this
# is contrary to the original design of this script, it won't be accommodated
# herein (but you are free to make that modification yourself if needed).

echo -e "\n"$WHITE"FINISHED!"$NORM"\n"
touch /var/lock/firegate
;;

# [STATUS] ===================================================================
#
status)

if [ -f /var/lock/firegate ]; then
echo -e "\nFIRE|GATE $VER is "$GREEN"running$NORM.\n"
else
echo -e "\nFIRE|GATE $VER is "$RED"NOT running$NORM.\n"
fi
exit 0
;;

# [RESTART/RELOAD] ===========================================================
#
restart|reload)
$0 stop
$0 start
;;

# [STOP] =====================================================================
#
stop)

echo -e "\n"$NORM"FIRE|GATE $VER$RED stopping"$NORM"..."

echo -e "\n - IP forwarding off"
echo 0 > /proc/sys/net/ipv4/ip_forward # IP forwarding off
echo -e " - Address rewrite off"
echo 0 > /proc/sys/net/ipv4/ip_dynaddr # Address rewrite off

for r in /proc/sys/net/ipv4/conf/*/rp_filter; do # Reverse path filter
echo 1 > $r # (default for Debian
done # installations)

echo -e " - Flush built-in/custom/NAT/mangle"
$IPT -F # Flush built-in rules
$IPT -X # Erase custom rules
$IPT -Z # Zero all counters
$IPT -t nat -F # Flush pre/postroute
$IPT -t mangle -F # Flush packet mangle

if [ "$DROPEXT" = "1" ]
then
echo -e " - Drop all traffic on $EXT"
$IPT -A INPUT -i $EXT -j DROP # ALL external access
$IPT -A OUTPUT -o $EXT -j DROP # & forwarding disabled
else
echo -e " - Allow traffic on $EXT"
$IPT -A INPUT -i $EXT -j ACCEPT # Remote SSH works even
$IPT -A OUTPUT -o $EXT -j ACCEPT # after ./firegate stop
fi

echo -e " - Allow in/output on $INT"
$IPT -A INPUT -i $INT -j ACCEPT # Leave internal alone
$IPT -A OUTPUT -o $INT -j ACCEPT # (prevents a local SSH
$IPT -P FORWARD DROP # session lockout)

$IPT -A INPUT -i lo -j ACCEPT # Allow traffic on the
$IPT -A OUTPUT -o lo -j ACCEPT # loopback interface

rm -f /var/lock/firegate # Remove status file

echo -e "\n"$WHITE"FINISHED!"$NORM"\n"
;;

#
*)
echo -e "\nFIRE|GATE $VER usage:"
echo -e " "$WHITE"firegate {start|stop|status|restart|reload}$NORM\n"
;;

esac
exit 0

exvor · 11-15-2004, 09:30 AM

Ok after you get this working it sets up a firewall and routing to interface eth1 then you need a dhcp/dns server like dnsmasq to enable dhcp server operation <<<NOTE this is not a dhcp client so your gonna still need one for dhcp operation on the internet connection interface. Also note that your gonna have to manually setup the eth1 or whatever your internal interface is for ip. This dns server will setup the dns servers on the remote computer so you dont have to worry about that. NOTE there are better dns servers out there that are more sutible for larger networks but for a small home or office i recommend this one cause of its eaze of use.

Happy networking

By the way I had to remove alot of non needed text out of the above script and i tryied to remove with caution but i may have removed somehting that is used or at least provides information about an option. If you want the full script then download firegate your self. In any case it should work.

The above script is not mine and I redistrubiting it as specifyed in the GNU licence agreement. All credit for this script should be redirected to its author and not me.

CroMagnon · 11-15-2004, 03:52 PM

Looks like the 'nat' part may need to be lowercase. If that still doesn't work, you should make sure that masquerading is enabled in your kernel (you may need to compile a new one).

videojeff · 11-15-2004, 04:35 PM

Hey CroMagnon: I think we're getting close. I can feel it in my bones.

Code:

root@1[videojeff]# iptables -A prerouting -t nat -j MASQUERADE
iptables: No chain/target/match by that name
root@1[videojeff]# iptables -A prerouting -t nat -j masquerade
iptables v1.2.11: Couldn't load target `masquerade':/lib/iptables/libipt_masquerade.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
root@1[videojeff]#

If it turns out that I have to recompile the kernel, I might be away for a while, because I have not done that and would have to do some research. Also, I may soon have to switch my cables back to the Windows box just to get some work done there. I keep thinking, though, that we're so close, that I hate to do that when ultimate, I don't want to have just the Windows box connected. My other thought (I cringe to think about it), is to move one NIC card to the Windows box and let that be the router and have the Linux box relegated to being on the edge :/ Not what I ultimately want, but it might be more expedient. Actually, my long term plan, when I get money coming in again (I'm between careers right now--and in fact might just end up going back to my previous career in high tech), is to get a wireless access point/router. But that's all beside the point right now.

--Jeff

CroMagnon · 11-15-2004, 05:00 PM

I think you do need to compile a new kernel (or get hold of the libipt_masquerade module that matches your kernel - this may work, but compiling the kernel is pretty easy to do, and on a reasonable machine won't take more than about half an hour).

Check out the Kernel HOWTO, and while you're at it, have a look for the Masquerading HOWTO, as it will likely list the modules you need to have enabled.

Darin · 11-15-2004, 11:53 PM

Most distros have all the iptables stuff precompiled as modules in their stock kernels, it's probably just not loaded. My firewall script loads a bunch of them before running rules:

Code:

# The location of the iptables and kernel module programs
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

$DEPMOD -a

$INSMOD ip_tables
$INSMOD ip_conntrack
$INSMOD ip_conntrack_ftp
$INSMOD ip_conntrack_irc
$INSMOD iptable_nat
$INSMOD ip_nat_ftp
#$INSMOD ip_nat_irc
$INSMOD iptable_filter

And yes, sorry I didn't pick up on that earlier, you do need NAT since your Internet device appears to be just bridging (since your network card has a public IP address: eth0 Link encap:Ethernet HWaddr 00:A0:CC:32:C5:48 inet addr:68.119.0.72)

KurtAKARebuild · 03-03-2005, 07:58 PM

videojeff: CroMagnon has nailed it - you need masquerading.

If you're already using guarddog to manage your firewall, you should look into guidedog (written by the same person) to help you manage your routing/masquerading needs.

I dont know about mepis, but debian makes guidedog available through apt. If that fails

http://www.simonzone.com/software/guidedog/

good luck
Kurt