Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Right now I have a Duron 800 with dual functional NICs with a Fedora Core 1 installation.
I have bellsouth ADSL with PPPoE, which works just fine on Linux. I want to share the DSL with all of the Windows computers.
I've extensively searched for an FAQ that would work, and nothing does. While I've been using computers since 1992, it's always been Windows/Dos. I need step by step instructions. I want Windows Internet Connection Sharing for linux. I don't need DHCP since this is a small network.
Currently I have ETH0 as the net facing card. It is unconfigured. ppp0 is the ADSL connection.
ETH1 is also unconfigured. I just blew out my Fedora install and redid it, so any previous stupidity has been eaten by the format gods.
So:
eth0 is connected to ppp0. Which works.
eth1 is connected to the local network, which can work, but isn't configured because I don't know what to do.
If anyone would like to help directly, AIM me at Chris C workin, or email instructions to fewdman at yahoo.com
I've been trying to get this functional for weeks, so this is an act of desperation and not a first call for help. I'm very frustrated.
This should work out for ya. It was tested on my Fedora box way back when so it should give you a good start. Not only does it help you share your internet, but it does it safely.
Good luck to ya.
J.
Oh... P.s. Looks like I missed part of your question about setting up ADSL. Before you run the firewall script above, configure adsl with these two commands
adsl-setup
adsl-start
I marked what was giving me problems in red. Further, it doesn't seem like I'm able to share my DSL, which is most of the point.
################################################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
# location of iptables command
ipt=/sbin/iptables
#
# Interfaces
# Be sure to be accurate when defining these interfaces.
# ext is your external card, likely ppp0 for DSL or eth1 for cable
lo=lo
ext=ppp0
int=eth0
#
# Spoofing protection. List all networks and IP addresses that should NOT exist
# in the real world.
#
spoofed="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.168.0.0/16 255.255.255.255"
#
# List all ports to open ON your firewall
#
tcp_ports="22"
udp_ports=""
#
# These logging options will be used for all logged packets
#
logops="--log-leve=3 -m limit --limit 1/second --limit-burst=3"
################################################################################
################################################################################
# Set policies and delete, flush and zero chains
################################################################################
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done
################################################################################
################################################################################
# BAD_IP
# Check and log all spoofed IP's from external hosts.
# !! Only call from external interface !!
################################################################################
$ipt -N BAD_IP
$ipt -A BAD_IP -j LOG --log-prefix "IPT: BAD IP: " $logops
$ipt -A BAD_IP -j DROP
$ipt -N SPOOF
for spf in $spoofed
do
$ipt -A SPOOF -s $spf -j BAD_IP
done
################################################################################
################################################################################
# IN_NETWORK
# These packets are entering our network
# 1. Allow related and established connections
# 2. Allow ICMP packets
# 3. Deny everything else.
################################################################################
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p icmp -j ACCEPT
$ipt -A IN_NETWORK -j LOG --log-prefix "IPT: IN_NETWORK: " $logops
$ipt -A IN_NETWORK -j DROP
################################################################################
################################################################################
# OUT_NETWORK
# These packets are leaving our network!
# 1. Allow all packets to leave our current network because we trust our users
################################################################################
$ipt -N OUT_NETWORK
$ipt -A OUT_NETWORK -i $int -j ACCEPT
$ipt -A OUT_NETWORK -j LOG --log-prefix "IPT: OUT_NETWORK: " $logops
$ipt -A OUT_NETWORK -j DROP
################################################################################
################################################################################
# EXT_FIREWALL
# Packets entering firewall machine
# 1. Allow established and related connections
# 2. Allow new connections on specified ports
# 3. Log and Drop everything else
################################################################################
$ipt -N EXT_FIREWALL
$ipt -A EXT_FIREWALL -m state --state INVALID -j DROP
$ipt -A EXT_FIREWALL -j SPOOF
$ipt -A EXT_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A EXT_FIREWALL -p icmp -j ACCEPT
#
# Open ports
#
for tcp_p in $tcp_ports
do
$ipt -A EXT_FIREWALL -p tcp --dport $tcp_p -m state --state NEW -j ACCEPT
done
for udp_p in $udp_ports
do
$ipt -A EXT_FIREWALL -p udp --dport $udp_p -m state --state NEW -j ACCEPT
done
$ipt -A EXT_FIREWALL -j LOG --log-prefix "IPT: EXT_FIREWALL: " $logops
$ipt -A EXT_FIREWALL -j DROP
################################################################################
################################################################################
# INT_FIREWALL
# Connections from internal LAN
# 1. Allow all connections from the internal machines because they are trusted
################################################################################
$ipt -N INT_FIREWALL
$ipt -A INT_FIREWALL -m state --state INVALID -j DROP
$ipt -A INT_FIREWALL -j ACCEPT
################################################################################
Originally posted by Mnehwrar
[B]I marked what was giving me problems in red. Further, it doesn't seem like I'm able to share my DSL, which is most of the point.
If those lines give you trouble then no wonder you're having problems with using ip_forwarding and iptable firewalls.
If you could be more specific about HOW they are giving you problems we could help you. Are there error messages? What happens when you run the script?
I'm supposed to cut/paste this into my iptables file, right? I'm probably doing something wrong. Also, there is already fedora configuration file for a firewall.
I tried remarking that out, but whatever I do doesn't work.
The script in the link above is a standalone script. It replaces any other firewall script you may have had. It works as-is for a standard configuration.
Ok... try this and let me know what happens.
AS root
1. create the script above called /etc/init.d/firewall.sh
2. chmod 700 /etc/init.d/firewall.sh
3. type /etc/init.d/fireall.sh
There should be NO output to the console. If there is an error displayed, write it down and post it here. That should give me some clue as to what is going on. I have a busy day at work tomorrow but will try to find time to help out - if you can be more descriptive about the problems you are having, it will take less time for me to help you... I'm sure you want this up and running quickly.
This is what I have. There is no error output, but when I go to the Fedora proccess control applet, it crashes. When I try to do an iptables-restore, nothing happens. I can't see the internet with any of the other computers. I've tried DNS and just ip adresses, and none of them can load a web page.
I can ping the eth1 from my workstations, but, beyond that, nothing.
################################################################################
# Default options
# These options configure the below script. It would be a good idea to move
# them to a conf file in /etc and then source it from this script.
################################################################################
echo 1 > /proc/sys/net/ipv4/ip_forward
# location of iptables command
ipt=/sbin/iptables
#
# Interfaces
# Be sure to be accurate when defining these interfaces.
# ext is your external card, likely ppp0 for DSL or eth1 for cable
lo=lo
ext=ppp0
int=eth1
#
#
spoofed="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.168.0.0/16 255.255.255.255"
#
# List all ports to open ON your firewall
#
tcp_ports="22 21 80 110 125 23"
udp_ports="22 21 80 110 125 23"
#
# These logging options will be used for all logged packets
#
logops="--log-leve=3 -m limit --limit 1/second --limit-burst=3"
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
# Set policies and delete, flush and zero chains
################################################################################
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done
################################################################################
################################################################################
# BAD_IP
# Check and log all spoofed IP's from external hosts.
# !! Only call from external interface !!
################################################################################
$ipt -N BAD_IP
$ipt -A BAD_IP -j LOG --log-prefix "IPT: BAD IP: " $logops
$ipt -A BAD_IP -j DROP
$ipt -N SPOOF
for spf in $spoofed
do
$ipt -A SPOOF -s $spf -j BAD_IP
done
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
# IN_NETWORK
# These packets are entering our network
# 1. Allow related and established connections
# 2. Allow ICMP packets
# 3. Deny everything else.
################################################################################
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p icmp -j ACCEPT
$ipt -A IN_NETWORK -j LOG --log-prefix "IPT: IN_NETWORK: " $logops
$ipt -A IN_NETWORK -j DROP
################################################################################
################################################################################
# OUT_NETWORK
# These packets are leaving our network!
# 1. Allow all packets to leave our current network because we trust our users
################################################################################
$ipt -N OUT_NETWORK
$ipt -A OUT_NETWORK -i $int -j ACCEPT
$ipt -A OUT_NETWORK -j LOG --log-prefix "IPT: OUT_NETWORK: " $logops
$ipt -A OUT_NETWORK -j DROP
################################################################################
################################################################################
# EXT_FIREWALL
# Packets entering firewall machine
# 1. Allow established and related connections
# 2. Allow new connections on specified ports
# 3. Log and Drop everything else
################################################################################
$ipt -N EXT_FIREWALL
$ipt -A EXT_FIREWALL -m state --state INVALID -j DROP
$ipt -A EXT_FIREWALL -j SPOOF
$ipt -A EXT_FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A EXT_FIREWALL -p icmp -j ACCEPT
#
# Open ports
#
for tcp_p in $tcp_ports
do
$ipt -A EXT_FIREWALL -p tcp --dport $tcp_p -m state --state NEW -j ACCEPT
done
for udp_p in $udp_ports
do
$ipt -A EXT_FIREWALL -p udp --dport $udp_p -m state --state NEW -j ACCEPT
done
$ipt -A EXT_FIREWALL -j LOG --log-prefix "IPT: EXT_FIREWALL: " $logops
$ipt -A EXT_FIREWALL -j DROP
################################################################################
################################################################################
# INT_FIREWALL
# Connections from internal LAN
# 1. Allow all connections from the internal machines because they are trusted
################################################################################
$ipt -N INT_FIREWALL
$ipt -A INT_FIREWALL -m state --state INVALID -j DROP
$ipt -A INT_FIREWALL -j ACCEPT
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
################################################################################
# Main Rules
# 1. Allow all loopback traffic. This is safe.
# 2. Send internal connections to INT_FIREWALL chain
# 3. Send external connections to EXT_FIREWALL chain
# 4. Send connections entering LAN to IN_NETWORK
# 5. Send connections leaving LAN to OUT_NETWORK
# 6. Do not modify packets leaving computer to improve performance. It's safe.
################################################################################
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i $int -j INT_FIREWALL
$ipt -A INPUT -i $ext -j EXT_FIREWALL
$ipt -A FORWARD -i $ext -j IN_NETWORK
$ipt -A FORWARD -i $int -j OUT_NETWORK
# $ipt -A OUTPUT -i lo -j ACCEPT
# $ipt -A OUTPUT -i $int -j ACCEPT
# $ipt -A OUTPUT -i $ext -j ACCEPT
################################################################################
################################################################################
# Masquerading
# Turn on Masquerading and port forwarding
################################################################################
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE
################################################################################
I'm going to summarize, correct me if this is wrong:
1. You have created the script as specified above and then you have run that script from a terminal or the console. NO errors are reported when running this script.
2. Your internal adapter is on the 192.168.1.0/24 network
3. You can ping 192.168.1.1 from other machines on the LAN
4. You can browse the internet from your Linux machine ONLY.
... ok ...
Try these
a. Check your LAN machine configuration such that
ipaddress 192.168.1.x
network 255.255.255.0
gateway (THIS IS IMPORTANT) 192.168.1.1
DNS ------- as required.
b. From your LAN machines, run an nslookup on bob.com. Did it succeed or fail?
c. From a windows command prompt try a tracert bob.com Where does it freeze?
More ideas to come after I receive your responses.
A) Done, several times.
B) Failed to resolve
C) Tracert anywhere dies at the gateway IP (192.168.1.1), if I'm tracing an IP adress and not a DNS name. If I'm tracing a DNS name it doesn't make it that far.
here is a completely open firewall... if this doesn't get you going, then iptables isn't the problem. I strongly suggest you only use this for testing as it doesn't provide any protection.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
