Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hey everyone I have a question , what would be the best way to route all traffic coming in from eth1 to eth0.
eth0 = 192.168.1.11
eth1 = 10.0.0.1
There is in coming traffic to eth1 from another server which is 10.0.0.10 , i can ping the 192.168.1.11 address but it stops there. How can I make sure to route all traffic coming in on eth1 and route it to go out of eth0.
Basicly this box is going to be a firewall/router.
I feel kinda silly, OK here is the next problem , I have a web server running on the 10.0.0.0 network, i setup forwarding to that IP for port 80 but this is the error it gives me
root@abby ~]# lynx 10.0.0.10
Looking up 10.0.0.10 first
Looking up 10.0.0.10
Making HTTP connection to 10.0.0.10
Alert!: Unable to connect to remote host.
OK so now i played around with it for a little bit, and now I can see packets flowing BUT I still can't get to the site from the 192.168.1.0 network or the outside world.
OK so next update, I actually had to install HTTPD on my firewall server to have it listening port 80 now it all works fine....
Any idea's on a way around this so I don't have to have this listening on port 80, cause I want the firewall site responding on like 9001 so if i do that it wont forward correctly right?
That said, you might try easyfwgen and then compare your script to it and see (maybe)
any diffs in the order of rules and possibly a solution.
Quote:
...... generalized it to include a number of features that are commonly used, but it is targeted at single computers or gateways for small private networks. It's designed to easily generate a full-featured iptables configuration script with a variety of the most commonly desired options....
I have a squid proxy server and httpd installed (LAMP) and I use a custom fw script.
This maybe obsolete now, But I've had it for years and it seems to work for me.
iptables script,/etc/init.d/atomic.firewall (atomic=Australian PC magazine AtomicMPC)
Code:
#!/bin/sh
#
# Atomic IPTables firewall script v1.2
#
# Simple but effective firewall written for
# the Atomic Uber Linux box guide,
# Issue 21, Oct 2002
#
# Updated May 2003 for bandwidth shaping
#
# Ashton Mills
# amills@iinet.com.au
# Environment variables, change these values accordingly
EXT_IF=eth0
INT_IF=eth1
INT_NET=10.0.0.15/24
ANY=0.0.0.0/0
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
#
## You shouldn't need to touch anything below here
#
# Load appropriate iptables modules, others will be loaded dynamically on demand
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
# Set proc values for TCP/IP. In order:
#
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1600 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
# Flush everything
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
## --- DEFAULT POLICY --- ##
#
# Drop everything on INPUT and FORWARD chains, accept OUTPUT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
#
## --- INPUT CHAIN --- ##
#
# Allow Telstra hearbeat -- BPA users uncomment this
$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT
# Allow local net browsing avahi/Zeroconf
$IPTABLES -A INPUT -p udp --sport 3128 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 5353 -j ACCEPT
#Allow bootp port -- Optus and some ADSL users need this
$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT
# Allow access to services on this (the gateway) machine
# SSH
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# Teamspeak
$IPTABLES -A INPUT -p udp --dport 8767 -j ACCEPT
# Half Life server
$IPTABLES -A INPUT -p udp --dport 27015 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 27010 -j ACCEPT
# FTP
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
# Bittorrent
$IPTABLES -A INPUT -p tcp --dport 6881:6969 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 6881:6969 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 7881 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 8881 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 4444 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 51413 -j ACCEPT #--dport 51413 Transmission-torrent
$IPTABLES -A INPUT -p udp --dport 51413 -j ACCEPT #--dport 51413 Transmission-torrent
# Accept all connections on local and internal interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -j ACCEPT
# Accept local connections for webcam
$IPTABLES -A INPUT -p tcp -m tcp --sport 8081 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o tcp --dport 8081 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --sport 8081 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o udp --dport 8081 -j ACCEPT
# Accept local config for webcam
$IPTABLES -A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o tcp --dport 8080 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --sport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o udp --dport 8080 -j ACCEPT
# cups
$IPTABLES -A INPUT -p tcp -m tcp --sport 631 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -o tcp --dport 631 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --sport 631 -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o udp --dport 631 -j ACCEPT
# Stateful inspection -- Allow packets in from connections already established
$IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop packets from invalid sources (reserved networks and localhost)
$IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP
# Don't log igmp, web or ssl. More noise we don't need to log.
$IPTABLES -A INPUT -p igmp -j DROP
$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
$IPTABLES -A INPUT -p tcp --dport 443 -j DROP
# Log everything else
$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "
#
## -- BANDWIDTH SHAPING -- ##
#
#
# EGRESS (upstream)
#
# TOS marked packets (we'll just work with minimise-delay and maximise-throughput)
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30
# UDP (most games, including all Half Life mods as well as DNS, IM clients and more)
$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10
# Games that use DirectPlay from DirectX (note UDP traffic already matched above)
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 47624 -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
# Place other games here
# EVE online
# $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 26000 -j MARK --set-mark 10
# ICMP (ping)
$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10
# SSH
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10
# Web, SSL
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20
# ACKs
$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 20
#
# No need for catchall for class 30, handled by HTB root qdisc initilisation
#
#
# INGRESS (downstream)
#
# Only prioritise class 10 traffic
# Don't police high priority UDP, game, ping and SSH packets
$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 47624 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10
# Place other games here
# EVE online
# $IPTABLES -t mangle -A PREROUTING -p tcp --sport 26000 -j MARK --set-mark 10
# Catchall, police everything else
$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30
#
# NOTE: It's a good idea -not- to add HTTP to be let through the police filter even
# for browsing as many P2P programs, not to mention your HTTP file downloads, will
# flood the link unpoliced, causing delays with high priority (class 10) packets.
# Shape HTTP going out, but let it be bulk coming in.
#
# Read the note at the end of the atomic.shaper script for more on INGRESS shaping.
#
#
## --- FORWARD CHAIN --- ##
#
# Stateful inspection -- Forward in connections already established
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP statements
#
#---------------------------------------------------------------
# Printer port
#
# $IPTABLES -A INPUT -p udp -i eth0 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
# $IPTABLES -A INPUT -p tcp -i eth1 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
#
# $IPTABLES -A INPUT -p udp -i eth1 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
# $IPTABLES -A INPUT -p tcp -i eth0 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
#
#
# $IPTABLES -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
#
# $IPTABLES -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
#
# Forwards for software running on Windows/Linux machines behind the firewall
# Kazaa Lite (change destination IP accordingly)
# $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 1214 -j DNAT --to-dest 10.0.0.15
# $IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 1214 -d 10.0.0.15 -j ACCEPT
# Bittorrent
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881:6969 -j DNAT --to-dest 10.0.0.15
$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 6881:6969 -d 10.0.0.15 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 6881:6969 -j DNAT --to-dest 10.0.0.15
$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 6881:6969 -d 10.0.0.15 -j ACCEPT
# #--dport 51413 Transmission-torrent
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 51413 -j DNAT --to-dest 10.0.0.15
$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 51413 -d 10.0.0.15 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 51413 -j DNAT --to-dest 10.0.0.15
$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 51413 -d 10.0.0.15 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 4444 -j DNAT --to-dest 10.0.0.15
$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 4444 -d 10.0.0.15 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 7881 -j DNAT --to-dest 10.0.0.15
$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 7881 -d 10.0.0.15 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 7881 -j DNAT --to-dest 10.0.0.15
$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 7881 -d 10.0.0.15 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 8881 -j DNAT --to-dest 10.0.0.15
$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 8881 -d 10.0.0.15 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 8881 -j DNAT --to-dest 10.0.0.15
$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 8881 -d 10.0.0.15 -j ACCEPT
# Forwards for hosting DirectPlay games
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 47624 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 47624 -j DNAT --to-destination 10.0.0.15:47624
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to-destination 10.0.0.15:2300-2400
$IPTABLES -A FORWARD -i eth0 -o eth1 -p udp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to-destination 10.0.0.15:2300-2400
# Forward out all traffic
$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT
#
## --- OUTPUT CHAIN --- ##
#
# Follows policy
#
## --- NAT --- ##
#
# Enable masquerade
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE
#
## -- Transparent proxy to Squid --- ##
#
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
/etc/squid/squid.conf
Code:
http_port 10.0.0.15:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir diskd /var/spool/squid 5000 16 256
cache_store_log none
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl to_localhost dst 127.0.0.0/8
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 10.0.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl mynetwork src 10.0.0.0/16
http_access allow mynetwork
http_access allow localnet
http_access allow localhost
http_reply_access allow all
icp_access allow all
visible_hostname squid@GamesBox.GlennsPref.net
append_domain .GamesBox.GlennsPref.net
err_html_text admin@GamesBox.GlennsPref.net
deny_info ERR_CACHE_ACCESS_DENIED all
memory_pools off
coredump_dir /var/spool/squid
ie_refresh on
2 things I'm not sure about are MASQUERADE and Transparent.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.