LinuxQuestions.org

Linux - Networking: Problem configuring firewall (https://www.linuxquestions.org/questions/linux-networking-3/problem-configuring-firewall-946422/)

GanIT 03-05-2012 06:49 AM

Problem configuring firewall
 
Hope someone will reply, as this thread is so old now. I tried the above-mentioned methods using Fedora 16, but they didn't work. Will someone help me to figure out the problem? I will give detailed information if I get a reply. Thank you.

WizadNoNext 04-03-2012 11:21 AM

GanIT: give me details of what you want to achieve and I will give you a solution.

GanIT 05-13-2012 05:43 AM

Actually I was trying to make a firewall for my ADSL. Although my main target is to make a firewall for two ADSL connections, first I'm trying to build it for one connection. I used two Ethernet cards: eth1 for the router side and p17p1 for the LAN side. Once I had successfully configured both NICs and applied the iptables rules in the iptables.conf file, I tried to restart the iptables service, and I got this error message: "Redirecting to /bin/systemctl restart iptables.service. Job failed. See system logs and 'systemctl status' for details." When I check /var/log, the following logs have been created:

localhost iptables.init[2321]: iptables: Applying firewall rules: [FAILED]
localhost systemd[1]: iptables.service: main process exited, code=exited, status=1
localhost systemd[1]: Unit iptables.service entered failed state.

From the Linux box I can ping a PC on the LAN and I can ping the router as well. From a PC on the LAN I can ping both eth1 and p17p1 (I can ping eth1 only if I set the default gateway address of the client PC to 192.168.1.1 [the eth1 IP]), but I can't ping the router. And there is no internet connection for the clients on the LAN either. (I have set up DNS in resolv.conf.)

Is it a problem with the rules I entered in iptables, or an error in iptables itself? Please help, as I have been struggling to fix this problem for three months.

Following are the rules I entered in iptables under nat:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING --out-interface eth1 -j MASQUERADE
-A FORWARD --in-interface p17p1 -j ACCEPT
COMMIT
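
The ruleset in the post above is rejected by iptables-restore for a structural reason: FORWARD is a chain of the filter table, and the nat table only has PREROUTING, INPUT, OUTPUT and POSTROUTING, so an `-A FORWARD` line inside `*nat` fails the whole restore. That is the failure the `Applying firewall rules: [FAILED]` log line reports, because the Fedora init script does nothing more than feed the saved file to iptables-restore. A second common way to get the same exit code is pasting rules through a web page or word processor that turns `--` into a typographic dash. On the box itself, `iptables-restore --test < file` (root required) parses a file without committing it; the Python script below is an added example for this thread, not code posted by anyone in it, and does the same structural check offline. It also carries a constructed ruleset for the two-NIC layout described (eth1 towards the router, p17p1 towards the LAN) that passes the check; its default-DROP policies and the `ip_forward` reminder are assumptions about what such a gateway needs, not something stated in the post.

```python
"""Offline lint for an iptables-save style ruleset (added example).

Flags the two things that make iptables-restore exit 1 on a file such as the
one in the post: a rule appended to a chain that does not exist in the table it
sits in (FORWARD inside *nat), and typographic dashes where iptables expects
the ASCII '-' / '--'.  Needs neither root nor iptables installed.
"""
import re

# Built-in chains of each table (netfilter fact, not an assumption).
BUILTIN_CHAINS = {
    "filter":   {"INPUT", "FORWARD", "OUTPUT"},
    "nat":      {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle":   {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw":      {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}

# Dash look-alikes that word processors and web pages substitute for '-'.
BAD_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2212"
_ASCII_DASH = {ord(c): "-" for c in BAD_DASHES}
_APPEND_RE = re.compile(r"-(?:A|I|D|R)\s+(\S+)")
# A long option left with a single dash (what "--out-interface" becomes after an
# en dash is mapped back to one '-').
_ONE_DASH_LONG_RE = re.compile(
    r"(?:^|\s)-(?:out-interface|in-interface|jump|source|destination|match)\b")


def lint_ruleset(text):
    """Return a list of 'line N: problem' strings; an empty list means it parses."""
    problems = []
    table = None        # table opened by the current "*name" line
    chains = set()      # chains valid in that table: built-ins plus ":CHAIN" lines
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(c in line for c in BAD_DASHES):
            problems.append(f"line {lineno}: non-ASCII dash; iptables only accepts '-' and '--'")
            line = line.translate(_ASCII_DASH)
        if line.startswith("*"):
            if table is not None:
                problems.append(f"line {lineno}: *{table} was not closed with COMMIT")
            table = line[1:]
            if table not in BUILTIN_CHAINS:
                problems.append(f"line {lineno}: unknown table '{table}'")
            chains = set(BUILTIN_CHAINS.get(table, ()))
            continue
        if line == "COMMIT":
            if table is None:
                problems.append(f"line {lineno}: COMMIT outside any table")
            table = None
            continue
        if table is None:
            problems.append(f"line {lineno}: rule outside any *table block")
            continue
        if line.startswith(":"):
            chains.add(line[1:].split()[0])          # ":CHAIN POLICY [pkts:bytes]"
            continue
        m = _APPEND_RE.match(line)
        if m and m.group(1) not in chains:
            problems.append(f"line {lineno}: chain {m.group(1)} does not exist in *{table} "
                            f"(built-ins: {', '.join(sorted(BUILTIN_CHAINS.get(table, ())))})")
        if _ONE_DASH_LONG_RE.search(line):
            problems.append(f"line {lineno}: long option needs two dashes, e.g. --out-interface")
    if table is not None:
        problems.append(f"end of file: *{table} is missing COMMIT")
    return problems


# Constructed input: the post's ruleset with the dashes rendered the way a web
# page or word processor often delivers them (U+2013 EN DASH).
BROKEN_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING \u2013out-interface eth1 \u2013j MASQUERADE
-A FORWARD \u2013in-interface p17p1 \u2013j ACCEPT
COMMIT
"""

# Constructed ruleset that passes the lint: masquerade out of eth1, forward
# LAN -> WAN, let conntrack admit the replies.  Interface names are from the
# post; DROP defaults and "LAN may talk to the box" are assumptions.  Loading it
# is not enough by itself: net.ipv4.ip_forward must also be 1.
FIXED_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i p17p1 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i p17p1 -o eth1 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(f"{name}: {lint_ruleset(text) or ['OK']}")
```

Run it as-is to see the broken file produce five findings (two dash findings, two single-dash long options, and the FORWARD chain missing from nat) and the fixed file produce none; point `lint_ruleset` at the contents of /etc/sysconfig/iptables (Fedora) or /etc/iptables/rules (Debian-style) to check a real file before restarting the service.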

GanIT 05-21-2012 02:30 AM

Would anybody like to help with my issue? Or do I have to open a new thread for this?

WizadNoNext 05-22-2012 03:50 AM

Give us those failing scripts.
I can give you a working configuration, as I have firewall/NAT on my server.
You need DHCP, and it would be good to have DNS and a proxy on the server as well, as DNS and a proxy would speed up your connection a bit.
I have a dynamic solution. A static solution is hard to manage.

Code:

#!/bin/sh
# iptables-persistent: load saved iptables/ip6tables rules at start and,
# optionally, save the running rules at stop.

PATH="/sbin:/bin:/usr/sbin:/usr/bin"

IPtables_dumpfile='/etc/iptables/rules'
IP6tables_dumpfile='/etc/iptables/rules6'

# Include config file for iptables-persistent
. /etc/iptables/iptables.conf

case "$1" in
start)
    if [ -e /var/run/iptables ]; then
        echo "iptables is already started!"
        exit 1
    else
        touch /var/run/iptables
    fi

    # Load the congestion-control module (e.g. tcp_yeah) and select it
    modprobe "tcp_$CONGESTION"
    sysctl -w "net.ipv4.tcp_congestion_control=$CONGESTION"

    if [ "$ENABLE_FORWARDING" -ne 0 ]; then
        # Enable Routing (without this, NAT rules forward nothing)
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    fi

    # Load Modules (conntrack/NAT helpers listed in the config file)
    modprobe -a $MODULES

    # Load saved rules; iptables-restore replaces the whole ruleset atomically
    if [ -f "$IPtables_dumpfile" ]; then
        iptables-restore < "$IPtables_dumpfile"
    fi

    if [ -f "$IP6tables_dumpfile" ]; then
        ip6tables-restore < "$IP6tables_dumpfile"
    fi

    ;;

stop|force-stop)
    if [ ! -e /var/run/iptables ]; then
        echo "iptables is already stopped!"
        exit 1
    else
        rm /var/run/iptables
    fi

    if [ "$SAVE_NEW_RULES" -ne 0 ]; then
        # Backup old rules (only if a previous dump exists)
        [ -f "$IPtables_dumpfile" ] && cp "$IPtables_dumpfile" "$IPtables_dumpfile.bak"
        [ -f "$IP6tables_dumpfile" ] && cp "$IP6tables_dumpfile" "$IP6tables_dumpfile.bak"
        # Empty the chains the UPnP daemon fills at runtime so they are not
        # persisted; ignore the error if no such chain exists
        iptables -t nat -F upnp 2>/dev/null
        iptables -t filter -F upnp 2>/dev/null
        # Save new rules
        iptables-save > "$IPtables_dumpfile"
        ip6tables-save > "$IP6tables_dumpfile"
    fi

    # Restore Default Policies
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    ip6tables -P INPUT ACCEPT
    ip6tables -P FORWARD ACCEPT
    ip6tables -P OUTPUT ACCEPT

    # Flush rules and delete user-defined chains on the default tables
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    ip6tables -F
    ip6tables -X

    # Unload previously loaded modules
    modprobe -r $MODULES

    # Disable Routing if enabled
    if [ "$ENABLE_FORWARDING" -ne 0 ]; then
        # Disable Routing
        echo 0 > /proc/sys/net/ipv4/ip_forward
        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
    fi

    ;;
restart|force-reload)
    "$0" stop
    "$0" start
    ;;
status)
    echo "Filter Rules:"
    echo "--------------"
    iptables -L -v
    echo ""
    echo "NAT Rules:"
    echo "-------------"
    iptables -t nat -L -v
    echo ""
    echo "Mangle Rules:"
    echo "----------------"
    iptables -t mangle -L -v
    ;;
*)
    echo "Usage: $0 {start|stop|force-stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac

exit 0

This script should be written to the file /etc/init.d/iptables-persistent.

Code:

# A basic config file for the /etc/init.d/iptables-persistent script
#

# Should rules added manually from the command line be saved at stop/reboot?
# Set this to a value different from 0 if you want that enabled.
SAVE_NEW_RULES=0

# Modules to load (conntrack and NAT helpers for FTP and IRC):
MODULES="nf_nat_ftp nf_conntrack_ftp nf_nat_irc nf_conntrack_irc"

# Enable Routing?
ENABLE_FORWARDING=1

# Advanced Congestion Control (loads the kernel module tcp_yeah)
CONGESTION=yeah

This should be written to /etc/iptables/iptables.conf

With iptables I have quite extensive rules, which are prepared for a much more complex setup than yours (bridge, some services on the server), so to use my rules I would have to filter out the parts you do not need.

jschiwal 05-23-2012 02:31 AM

Since the original thread was 7 years old, and yours doesn't deal with content filtering, I moved your posts to their own thread.

