Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
06-12-2001, 07:21 PM | #1 | LQ Newbie | Registered: Jun 2001 | Location: Eastern Canada | Distribution: Red Hat | Posts: 5
I'm new in this game and have come to the point where I have pulled most of my hair out... I am trying to set up a Linux box on a small network to do several jobs. The first of these jobs is to act as a firewall for the network.
I am running RH 7.0
eth0 is the internal network device 192.168.1.1
eth1 is the external network device 10.166.102.250
Windows 98 machine 192.168.1.10
After running the following script I can ping successfully from my Windows machine both addresses of my Linux box, and external web addresses. I can also ping web addresses (www.yahoo.com) from my Windows machine so I know DNS is working. The problem is I can't seem to get my web browser to work on my Windows machine. It seems to be able to get the IP number, but doesn't load the web page.
The web browser on my Linux box works fine.
Also when I run "firewall status" I receive the following message: "firewall dead but subsys locked"
If anyone out there can help me that would be wonderful!
#!/bin/sh
# chkconfig: 2345 11 89
# Red Hat init-script helpers; this provides the "status" function used below.
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
# Quoted so the test still parses when NETWORKING is unset.
[ "${NETWORKING}" = "no" ] && exit 0

# Pull each interface address out of the "inet addr:x.x.x.x" line of ifconfig.
EXTDEV=eth1
EXTERNALIP=`ifconfig $EXTDEV | grep "inet addr:" | \
    awk -F: '{print $2}' | cut -d' ' -f1`
if [ -z "${EXTERNALIP}" ]; then
    echo "$EXTDEV has no address, not starting firewall"
    exit 1
fi
INTDEV=eth0
INTERNALIP=`ifconfig $INTDEV | grep "inet addr:" | \
    awk -F: '{print $2}' | cut -d' ' -f1`
if [ -z "${INTERNALIP}" ]; then
    echo "$INTDEV has no address, not starting firewall"
    exit 1
fi
INTNET="192.168.1.0"
echo "EXTDEV: ${EXTDEV} on ${EXTERNALIP}"
echo "INTDEV: ${INTDEV} on ${INTERNALIP}"

case "$1" in
start)
    # Start firewall.
    echo -n "Starting firewall: "
    # Masquerading helpers for protocols that carry addresses in their payload.
    modprobe ip_masq_ftp
    modprobe ip_masq_irc
    modprobe ip_masq_raudio
    echo "Setting masq timeouts"
    # TCP 7200 s, TCP after FIN 10 s, UDP 60 s.
    ipchains -M -S 7200 10 60
    echo "Setting new forward rules"
    echo -n "forward..."
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ipchains -F forward
    ipchains -P forward DENY
    # Masquerade everything leaving the internal net; the second rule is
    # already covered by the first.
    ipchains -A forward -s $INTNET/255.255.255.0 -j MASQ
    ipchains -A forward -i $EXTDEV -s $INTNET/24 -d 0.0.0.0/0 -j MASQ
    # Anything else that would be forwarded is logged (-l) and dropped.
    ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY
    echo -n "input..."
    echo "Setting new input rules"
    ipchains -F input
    ipchains -P input DENY
    # Internal hosts may talk to us; our own multicast on the outside is fine.
    ipchains -A input -i $INTDEV -s $INTNET/24 -d 0.0.0.0/0 -j ACCEPT
    ipchains -A input -i $EXTDEV -s $EXTERNALIP/32 -d 224.0.0.0/8 -j ACCEPT
    # Internal addresses arriving on the external interface are spoofed.
    ipchains -A input -i $EXTDEV -s $INTNET/24 -d 0.0.0.0/0 -j DENY
    ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    # Selected ports are blocked on the external address before the general accept.
    ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 617 -j DENY
    ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 7777 -j DENY
    ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 7 -j DENY
    ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 514 -j DENY
    # Everything else addressed to the external interface, including replies
    # to masqueraded connections, is accepted here.
    ipchains -A input -i $EXTDEV -s 0.0.0.0/0 -d $EXTERNALIP/32 -j ACCEPT
    ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY
    echo "Setting new output rules"
    echo -n "output..."
    # Outgoing, flush and set default policy of deny.
    ipchains -F output
    ipchains -P output DENY
    # local interface, any source going to local net is valid
    #ipchains -A output -i $INTDEV -s 0.0.0.0/0 -d $INTNET/24 -j ACCEPT
    ipchains -A output -i $INTDEV -s 0.0.0.0/0 -d $INTNET/24 -j ACCEPT
    # loopback interface is valid.
    # ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    # outgoing to local net on remote interface: stuffed routing, deny
    ipchains -A output -i $EXTDEV -s 0.0.0.0/0 -d $INTNET/24 -j DENY
    # outgoing from local net on remote interface: stuffed masq, deny
    ipchains -A output -i $EXTDEV -s $INTNET/24 -d 0.0.0.0/0 -j DENY
    # anything else outgoing on remote interface from our own address is valid
    #ipchains -A output -i $EXTDEV -d 0.0.0.0/0 -j ACCEPT
    ipchains -A output -i $EXTDEV -s $EXTERNALIP/32 -d 0.0.0.0/0 -j ACCEPT
    ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY
    echo "Done with the firewall rulesets"
    echo -n "acct..."
    # Accounting: empty user chains whose jump rules count the traffic
    # through each builtin chain (see the counters in "ipchains -L -v").
    ipchains -N acctin
    ipchains -N acctout
    ipchains -N acctio
    # Track traffic just to network, not individual hosts
    ipchains -I input -j acctio
    ipchains -I input -j acctin
    ipchains -I output -j acctio
    ipchains -I output -j acctout
    ipchains -I forward -j acctout
    echo "done"
    touch /var/lock/subsys/firewall
    ;;
stop)
    # Stop firewall: flush everything and fall back to accept-all.
    echo -n "Shutting down firewall: "
    ipchains -F input
    ipchains -A input -j ACCEPT
    ipchains -F output
    ipchains -A output -j ACCEPT
    ipchains -F forward
    ipchains -A forward -j ACCEPT
    # The user chains can only be deleted once nothing jumps to them.
    ipchains -X acctio
    ipchains -X acctin
    ipchains -X acctout
    rmmod ip_masq_raudio
    rmmod ip_masq_irc
    rmmod ip_masq_ftp
    echo "done"
    rm -f /var/lock/subsys/firewall
    ;;
restart)
    $0 stop
    $0 start
    ;;
status)
    # "status" from the functions file looks for a running process named
    # "firewall". Loading ipchains rules leaves no such process, so while the
    # lock file exists this reports "firewall dead but subsys locked".
    status firewall
    ;;
*)
    echo "Usage: firewall {start|stop|restart|status}"
    exit 1
esac
exit 0
06-12-2001, 10:14 PM | #2 | Senior Member | Registered: May 2001 | Location: Left Coast - Canada | Distribution: s l a c k w a r e | Posts: 2,731
Do you have any proxy settings on the Windows browser? (Hint - don't)
Don't know what 'firewall dead subsys locked' means. What's in the syslogs when you start the firewall?
06-13-2001, 02:10 AM | #3 | Moderator | Registered: May 2001 | Posts: 29,415
"firewall dead but subsys locked" means it's DOA, but the process can't remove the PID at /var/lock/subsys/firewall.
Try to see if ipchains is running: issue "pidof ipchains".
If it ain't, check the binary first, then the startup part of the script itself.
If this script is in /etc/rc.d/init.d, IMHO it's dead wrong; it should only point to stuff to start/stop, and the ipchains script itself should be detached from those routines: easier to maintain/test, harder to snafu the startup script :-]
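The "dead but subsys locked" message in post #1 and the advice in reply #3 to keep the init script apart from the ruleset point at the same gap: the script's `status` case asks whether a process named "firewall" exists, while the evidence that the firewall is up is the loaded ruleset and its default policies. The script below is an added example written for this thread; it is not the poster's script and not Red Hat's. It assumes the rules live in a separate file at the hypothetical path `/etc/firewall/rules.sh`, uses the same lock file as the thread's script, and assumes that `ipchains -L CHAIN -n` prints a header of the form `Chain input (policy DENY):` for each chain. The exit codes (0 filtering, 2 lock present but rules not loaded, 3 stopped) are my own choice, modelled on LSB init-script conventions.

```shell
#!/bin/sh
# Added example: an ipchains init wrapper whose "status" inspects the loaded
# rules instead of looking for a process. Paths and exit codes are assumptions
# made for this example, not taken from the thread.
FW_RULES=${FW_RULES:-/etc/firewall/rules.sh}     # hypothetical rules file
FW_LOCK=${FW_LOCK:-/var/lock/subsys/firewall}    # same lock file as the thread's script

# Print the default policy of one builtin chain by parsing the
# "Chain NAME (policy X):" header of `ipchains -L`. Prints nothing when the
# chain is absent or ipchains is not installed.
chain_policy() {
    ipchains -L "$1" -n 2>/dev/null | sed -n 's/^Chain [^ ]* (policy \([A-Z]*\)).*/\1/p'
}

# Decide the firewall state from evidence, not from a process name:
#   0 = filtering (input, forward and output all default to DENY)
#   2 = lock file present but rules not loaded (the "dead but subsys locked" case)
#   3 = not running
firewall_status() {
    deny=0
    for c in input forward output; do
        if [ "$(chain_policy "$c")" = "DENY" ]; then
            deny=$((deny + 1))
        fi
    done
    if [ "$deny" -eq 3 ]; then
        echo "firewall: rules loaded, default policy DENY on input/forward/output"
        return 0
    fi
    if [ -f "$FW_LOCK" ]; then
        echo "firewall: lock file $FW_LOCK exists but the rules are not loaded"
        return 2
    fi
    echo "firewall: stopped"
    return 3
}

# The init script only starts, stops and reports; the rules stay in FW_RULES.
case "$1" in
    start)
        sh "$FW_RULES" && touch "$FW_LOCK"
        ;;
    stop)
        for c in input forward output; do
            ipchains -F "$c"
            ipchains -P "$c" ACCEPT
        done
        rm -f "$FW_LOCK"
        ;;
    restart)
        "$0" stop
        "$0" start
        ;;
    status)
        firewall_status
        exit $?
        ;;
    *)
        ;;   # no argument: only define the functions (lets the file be sourced)
esac
```

With this split, "dead but subsys locked" can only mean the lock file survived a failed rules load, which is exactly the condition worth alerting on; a successful load is judged by the three DENY policies being in place.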