LinuxQuestions.org
Old 03-05-2012, 06:49 AM   #1
GanIT
LQ Newbie
 
Registered: Mar 2012
Posts: 3

Rep: Reputation: Disabled
Problem configuring firewall


Hope someone will reply as this thread is so old now. I tried the above mentioned methods using Fedora 16, but they didn't work. Will someone help me to figure out the problem? I will give detailed information if I get a reply. Thank you.
 
Old 04-03-2012, 11:21 AM   #2
WizadNoNext
Member
 
Registered: Nov 2009
Posts: 140

Rep: Reputation: 9
GanIT: give me details of what you want to achieve and I will give a solution.
 
Old 05-13-2012, 05:43 AM   #3
GanIT
LQ Newbie
 
Registered: Mar 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Actually I was trying to make a firewall for my ADSL. Although my main target is to make a firewall for two ADSL connections, first I'm trying to build it for one connection. I used two ethernet cards: eth1 for the router side, p17p1 for the LAN side. Once I successfully configured both NICs and applied iptables rules in the iptables.conf file, I tried to restart the iptables service; then I got this error message: "Redirecting to /bin/systemctl restart iptables.service Job failed. See system logs and 'systemctl status' for details." When I check /var/log the following logs are created:

Localhost iptables.init[2321] : iptables: Applying firewall rules: [FAILED]
Localhost systemd[1]: iptables.service: main process exited, code=exited, status=1
Localhost systemd[1]: Unit iptables.service entered failed state.

From the Linux box I can ping a PC which is on the LAN and can ping the router as well. And I can ping both eth1 and p17p1 (I can ping eth1 only if I set the default gateway address of the client PC to 192.168.1.1 [eth1 IP]) from a PC in the LAN, but can't ping the router. And there is no internet connection for clients on the LAN either. (I have set up DNS in resolv.conf.)

Is it a problem with the rules I entered in iptables or an error in iptables? Please help, as I have been struggling to fix this problem for three months.

Following are the rules I entered in iptables under nat:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING –out-interface eth1 –j MASQUERADE
-A FORWARD –in-interface p17p1 –j ACCEPT
COMMIT
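The log line "iptables: Applying firewall rules: [FAILED]" is what Fedora's iptables service prints when iptables-restore rejects the saved rules file, and the nat block posted above has two things iptables-restore will reject: it appends to FORWARD, which is a chain of the filter table and does not exist in the nat table, and the options carry UTF-8 en-dashes where "--out-interface" and "-j" need plain ASCII hyphens (a common result of pasting rules from a web page). The following script is an added example for this thread, not code posted by GanIT or WizadNoNext. It is a static check you can run over an iptables-save style file before loading it; the sample files it writes are constructed for the demo, the rules file path is an argument, and the corrected ruleset's DROP default for FORWARD with a conntrack return rule is this example's own choice rather than something from the thread.

```bash
#!/bin/sh
# Added example: lint an iptables-save style rules file before iptables-restore.
# Catches (1) -A/-I lines that name a chain not declared in the current table
# and (2) non-ASCII characters such as pasted en-dashes.

lint_rules() {
    # $1: rules file. Prints one diagnostic per problem; exit status 1 if any.
    awk '
    BEGIN { bad = 0 }
    # "*table" starts a new table: forget the chains of the previous one
    /^\*/ { table = substr($0, 2); for (k in chains) delete chains[k]; next }
    # ":CHAIN POLICY [pkts:bytes]" declares a builtin or user-defined chain
    /^:/ { split(substr($0, 2), f, " "); chains[f[1]] = 1; next }
    /^COMMIT/ { table = ""; next }
    # -A CHAIN ... / -I CHAIN ... must name a chain declared in this table
    /^-[AI] / && !($2 in chains) {
        printf "line %d: chain %s is not declared in table *%s\n", NR, $2, table
        bad = 1
    }
    # anything outside printable ASCII is almost always a pasted en-dash or
    # smart quote; iptables-restore will not recognise the option
    /[^ -~]/ {
        printf "line %d: non-ASCII character (pasted en-dash?)\n", NR
        bad = 1
    }
    END { exit bad }
    ' "$1"
}

write_broken_sample() {
    # Constructed copy of the nat block from post #3 as it renders, with
    # "\342\200\223" (UTF-8 en-dash) where "--" and "-" should be.
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' > "$1"
    printf '%s \342\200\223out-interface eth1 \342\200\223j MASQUERADE\n' '-A POSTROUTING' >> "$1"
    printf '%s \342\200\223in-interface p17p1 \342\200\223j ACCEPT\n' '-A FORWARD' >> "$1"
    printf 'COMMIT\n' >> "$1"
}

write_fixed_sample() {
    # Constructed corrected ruleset: masquerading stays in *nat, the forwarding
    # rules move to *filter where FORWARD lives. The DROP policy on FORWARD and
    # the conntrack return rule are this example's choice, not the thread's.
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i p17p1 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o p17p1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage: sh lint_rules.sh /path/to/rules   (exit status 1 if anything is wrong)
if [ $# -eq 1 ]; then
    lint_rules "$1"
fi
```

On the broken sample the check reports three problems (the undeclared FORWARD chain plus two lines with en-dashes); on the corrected file it reports nothing and exits 0. On the Fedora box itself the equivalent check with the real parser is `iptables-restore --test < /etc/sysconfig/iptables`, which parses the file without committing it and prints the offending line number when it fails.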
 
Old 05-21-2012, 02:30 AM   #4
GanIT
LQ Newbie
 
Registered: Mar 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Question

Anybody like to help with my issue? Or do I have to open up a new thread for this?
 
Old 05-22-2012, 03:50 AM   #5
WizadNoNext
Member
 
Registered: Nov 2009
Posts: 140

Rep: Reputation: 9
Give us those failing scripts.
I can give a working configuration, as I have firewall/NAT on my server.
You need DHCP; it would be good to have DNS and a proxy on the server as well, as DNS and a proxy would speed up your connection a bit.
I have a dynamic solution. A static solution is hard to manage.

Code:
#!/bin/sh

PATH="/sbin:/bin:/usr/sbin:/usr/bin"

IPtables_dumpfile='/etc/iptables/rules'
IP6tables_dumpfile='/etc/iptables/rules6'

# Include config file for iptables-persistent
. /etc/iptables/iptables.conf

case "$1" in
start)
    if [ -e /var/run/iptables ]; then
        echo "iptables is already started!"
        exit 1
    else
        touch /var/run/iptables
    fi

    modprobe tcp-$CONGESTION
    sysctl net.ipv4.tcp_congestion_control=$CONGESTION

    if [ $ENABLE_FORWARDING -ne 0 ]; then
        # Enable Routing
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    fi

    # Load Modules
    modprobe -a $MODULES

    # Load saved rules
    if [ -f $IPtables_dumpfile ]; then
        iptables-restore <$IPtables_dumpfile
    fi

    if [ -f $IP6tables_dumpfile ]; then
        ip6tables-restore <$IP6tables_dumpfile
    fi

    ;;

stop|force-stop)
    if [ ! -e /var/run/iptables ]; then
        echo "iptables is already stopped!"
        exit 1
    else
        rm /var/run/iptables
    fi

    if [ $SAVE_NEW_RULES -ne 0 ]; then
        # Backup old rules
        cp $IPtables_dumpfile $IPtables_dumpfile.bak
        cp $IP6tables_dumpfile $IP6tables_dumpfile.bak
        iptables -t nat -F upnp
        iptables -t filter -F upnp
        # Save new rules
        iptables-save >$IPtables_dumpfile
        ip6tables-save >$IP6tables_dumpfile
    fi

    # Restore Default Policies
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    # Flush rules on default tables
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F

    # Unload previously loaded modules
    modprobe -r $MODULES

    # Disable Routing if enabled
    if [ $ENABLE_FORWARDING -ne 0 ]; then
        # Disable Routing
        echo 0 > /proc/sys/net/ipv4/ip_forward
        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
    fi

    ;;
restart|force-reload)
    $0 stop
    $0 start
    ;;
status)
    echo "Filter Rules:"
    echo "--------------"
    iptables -L -v
    echo ""
    echo "NAT Rules:"
    echo "-------------"
    iptables -t nat -L -v
    echo ""
    echo "Mangle Rules:"
    echo "----------------"
    iptables -t mangle -L -v
    ;;
*)
    echo "Usage: $0 {start|stop|force-stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac

exit 0
This script should be written to the file /etc/init.d/iptables-persistent

Code:
# A basic config file for the /etc/init.d/iptables-persistent script
#

# Should new manually added rules from the command line be saved on reboot? Assign a value different from 0 if you want this enabled.
SAVE_NEW_RULES=0

# Modules to load:
MODULES="nf_nat_ftp nf_conntrack_ftp nf_nat_irc nf_conntrack_irc"

# Enable Routing?
ENABLE_FORWARDING=1

# Advanced Congestion Control
CONGESTION=yeah
This should be written to /etc/iptables/iptables.conf

With iptables I have quite extensive rules, which are prepared for a much more complex setup than yours (bridge, some services on the server), so to use my rules I would have to filter out the parts which you do not need.
 
Old 05-23-2012, 02:31 AM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Since the original thread was 7 years old, and yours doesn't deal with content filtering, I moved your posts to their own thread.
 
  

