LinuxQuestions.org
Linux - Networking
01-31-2011, 02:26 PM   #1
iArash
Losing the net connection in LAN after iptables config script


Hi.
I have a LAN:
an Ubuntu with address 192.168.1.100
an OpenSuse with address 192.168.1.106
a Windows XP with address 192.168.1.102
And these are connected via a DSL router/switch (4 Ethernet ports).
My purpose is to configure the Ubuntu as a firewall and NAT server for investigating network-layer packets with specific policies.
Well, I've used the following script:

Code:
#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.1.0/24

### flush existing rules and set chain policy setting to DROP
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT   DROP
$IPTABLES -P OUTPUT  DROP
$IPTABLES -P FORWARD DROP

### load connection-tracking modules
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

### INPUT chain ###
echo "[+] Setting up the INPUT chain ..."
### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Anti-Spoofing rules (negation goes before the option: "! -s", not "-s !")
$IPTABLES -A INPUT -i eth1 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i eth1 ! -s $INT_NET -j DROP

### accept rules
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT log rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options


### OUTPUT chain ###
echo "[+] Setting up the OUTPUT chain ..."
### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT

### default OUTPUT log rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options


### FORWARD chain ###
echo "[+] Setting up the FORWARD chain ..."
### state tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### Anti-Spoofing rules
$IPTABLES -A FORWARD -i eth1 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i eth1 ! -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### default FORWARD log rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

### NAT rules (eth0 is taken to be the Internet-facing interface, eth1 the LAN)
echo "[+] Setting up NAT rules ..."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.1.106:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.1.106:443
$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to 192.168.1.106:53
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth0 -j MASQUERADE

### forwarding ###
echo "[+] Enabling IP forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
Well, after running this script from the terminal, I lost the Internet connection on my Ubuntu system.

Well, I've checked ifconfig and it seems there is no eth0 interface, and I think this is the reason I've lost the connection, according to this section of the script:
Code:
echo "[+] Setting up NAT rules ..."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.1.106:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.1.106:443
$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to 192.168.1.106:53
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth0 -j MASQUERADE
I don't know which interface is the one for the Internet connection, to define it in the NAT rule part of the script.

I'm connecting to the network with a TP-Link DSL modem/router (it has 4 Ethernet ports) with web access at 192.168.1.1 (auto-connect).

So if anyone can point me to the solution for correcting the script, it would be appreciated.

regards.
 
01-31-2011, 02:57 PM   #2
andrewthomas
I would think that you would need two Ethernet ports to be able to act as a firewall.
01-31-2011, 03:01 PM   #3
iArash (Original Poster)
@andrewthomas:
Good point Andrew; as I draw the network topology, yes, you're right, but I missed this point.
Now, do you mean I need two network cards? Or can I simply use my ADSL switch/router to accomplish this task?
Thanks for your help.

regards.

Last edited by iArash; 01-31-2011 at 03:20 PM.
 
02-01-2011, 10:42 AM   #4
andrewthomas
Quote:
Originally Posted by iArash
@andrewthomas:
Good point Andrew; as I draw the network topology, yes, you're right, but I missed this point.
Now, do you mean I need two network cards? Or can I simply use my ADSL switch/router to accomplish this task?
Thanks for your help.

regards.
As far as I know, you would need two cards.
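The two failure conditions this thread turns on are that the NAT rules in post #1 bind to an interface (eth0) that does not exist on the host, and, as andrewthomas points out, that a NAT gateway needs two interfaces, one facing the Internet and one facing the LAN. The script below is an added example written for this page, not code from the thread or from any of its participants: a pre-flight check to run before loading a ruleset like the one above, so that a wrong interface name is caught before the chains are set to DROP and the host locks itself out. It takes the intended Internet-facing (WAN) and LAN interface names as its two arguments, confirms both exist under sysfs and are distinct, and includes a helper that reads the interface carrying the default route from the text of `ip -4 route show default`, which is how to find out which interface the Internet connection actually uses. The function names, the `SYSFS_NET` variable, and the sample route line in the comments are my own constructions, not anything from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an iptables
# firewall/NAT script. Run as: sh fwcheck.sh <wan_iface> <lan_iface>
# Assumption (placeholder, not from the original post): interfaces are
# looked up under sysfs at /sys/class/net unless SYSFS_NET overrides it.

SYSFS_NET=${SYSFS_NET:-/sys/class/net}

# iface_exists NAME -> exit status 0 if the kernel knows an interface NAME.
# A rule with "-i eth0" on a host without eth0 loads fine but never matches,
# so the MASQUERADE/DNAT rules silently do nothing; this catches that early.
iface_exists() {
    [ -n "$1" ] && [ -d "$SYSFS_NET/$1" ]
}

# default_route_iface ROUTE_TEXT -> prints the "dev" of the first default
# route in ROUTE_TEXT, which is the output of `ip -4 route show default`,
# e.g. the constructed line "default via 192.168.1.1 dev eth1 proto dhcp".
# Prints nothing if no default route is present.
default_route_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
        }'
}

# check_fw_interfaces WAN LAN -> 0 only if both interfaces exist and differ.
# Every problem found is reported on stderr before the non-zero return, so
# a caller sees all the reasons at once rather than fixing them one by one.
check_fw_interfaces() {
    wan=$1
    lan=$2
    status=0
    if ! iface_exists "$wan"; then
        echo "ERROR: WAN interface '$wan' does not exist; NAT rules bound to it would never match" >&2
        status=1
    fi
    if ! iface_exists "$lan"; then
        echo "ERROR: LAN interface '$lan' does not exist" >&2
        status=1
    fi
    if [ "$wan" = "$lan" ]; then
        echo "ERROR: WAN and LAN are the same interface; a NAT gateway needs two" >&2
        status=1
    fi
    return $status
}

# Stand-alone use: check the two interface names given on the command line
# and show which interface currently carries the default route.
if [ "$#" -ge 2 ]; then
    if check_fw_interfaces "$1" "$2"; then
        echo "OK: $1 (WAN) and $2 (LAN) both present and distinct"
    fi
    routes=$(ip -4 route show default 2>/dev/null)
    echo "default route currently leaves via: $(default_route_iface "$routes")"
fi
```

Run as `sh fwcheck.sh eth0 eth1` on the host from post #1 and the first message is the one the poster found the hard way with ifconfig: eth0 does not exist. If the default-route interface is the same one that carries 192.168.1.0/24, there is only one NIC in play, and the script's `-i eth0`/`-o eth0` rules have nothing to attach to until a second card is added. A natural extension is to call `check_fw_interfaces` at the top of the firewall script itself, before the `-P ... DROP` lines, and `exit 1` on failure.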