Linux - Networking
12-15-2005, 11:40 AM
#1
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
router public_ip
I have a Netgear DG834 router as the gateway for a Linux box acting as a firewall for my LAN, where I have a webserver (Debian Sarge 3.1, kernel 2.6). I'm having problems DNATing incoming requests to port 80 to my webserver. It's the router getting the IP from my ISP, so the PREROUTING rule I did is
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.1 --dport 80 -j DNAT --to 192.168.1.3:80
(192.168.0.1 is MY ROUTER) and it's not working. There must be a script to resolve my public IP and use it in iptables as a variable. I hope my English is clear; any help will be great!
G!
12-15-2005, 03:19 PM
#2
Senior Member
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024
Incoming requests from the Internet will not be to your private 192.168 IP address. Regardless of that, since you only have one public IP address that points to your system (even if it changes, or you don't currently know it), you can safely forward all connections coming in from outside to port 80; just take out the "-d 192.168.0.1".
You also need to forward these connections (all incoming port 80 requests) on the netgear as well, but point them at the 192.168.0.x interface of your linux firewall.
12-20-2005, 02:21 AM
#3
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567
Original Poster
I have followed your instructions; see if I got it right. I still don't get connections to the webserver. Wherever you see the sign # it means that that rule doesn't work and it needs a correction:
#!/bin/bash
# Variables used by the IPSYSCTL function at the bottom. The posted script
# never set them, so these values are assumed from the rules below
# (eth0 faces the Netgear router, eth1 faces the LAN).
WANIFACE=eth0
LANIFACE=eth1
INTERNAL="OFF"
# load modules
modprobe iptable_nat
modprobe ipt_MASQUERADE
# first clear masquerading: forwarding stays off while the rules are rebuilt
echo "0" > /proc/sys/net/ipv4/ip_forward
# flush any existing rules
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT
# set default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
# allow localhost
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
# log and drop loopback source addresses arriving on a real interface (spoofing)
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0
########TOR##########
# still disabled; the original line repeated -i lo and lacked the -p tcp that --dport requires
#/sbin/iptables -A INPUT -p tcp -i lo -s 127.0.0.1/255.0.0.0 --dport 9050 -j ACCEPT
#PREROUTING
# port 80 arriving from the router is rewritten to the web server on the LAN
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j DNAT --to 192.168.1.3:80
# LAN web requests addressed to the firewall itself are redirected to port 3128 (squid's default)
/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.1.1/255.255.255.0 -d 192.168.1.1 --dport 80 -j REDIRECT --to-port 3128
#/sbin/iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
#Input
#Stop invalid and portscan attempts
/sbin/iptables -A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
# the bad_tcp_packets chain is never created in this script, so these stay disabled
#/sbin/iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
#/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
#/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# allow my LAN
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/255.255.255.0 -d 192.168.1.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 192.168.1.1/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 192.168.0.2/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 192.168.0.255/32
# allow services
/sbin/iptables -A INPUT -p tcp -s 192.168.1.1/255.255.255.0 -i eth1 --dport 22 -d 192.168.0.2 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 192.168.1.1/255.255.255.0 --dport 53 -d 192.168.1.1 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp -s 192.168.1.1/255.255.255.0 --dport 53 -d 192.168.1.1 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 192.168.1.1/255.255.255.0 --dport 67:68 -d 192.168.1.1 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp -i eth0 -s 192.168.0.1 -d 192.168.1.1/255.255.255.0 --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 631 -i eth1 -s 192.168.1.1/255.255.255.0 -d 192.168.1.1 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 631 -i eth1 -s 192.168.1.1/255.255.255.0 -d 192.168.1.1 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp -s 192.168.1.1/255.255.255.0 -d 192.168.0.2 --dport 1241 -j ACCEPT
######## NETBIOS # SAMBA #####################
# the multiport match takes --dports (plural); --dport is the single-port tcp/udp option
/sbin/iptables -A INPUT -p udp -s 192.168.1.1/255.255.255.0 -d 192.168.0.2 -m multiport --dports 137,138 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 192.168.1.1/255.255.255.0 -d 192.168.0.2 -m multiport --dports 139,445 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 192.168.1.1/255.255.255.0 -d 192.168.255.255 --dport 137 -j ACCEPT
/sbin/iptables -A INPUT -p udp -d 192.168.0.2 -m multiport --dports 137,138 -j DROP
/sbin/iptables -A INPUT -p tcp -d 192.168.0.2 -m multiport --dports 139,445 -j DROP
# log and drop
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j LOG -i eth0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 192.168.1.1/255.255.255.0
#FORWARD
# this rule accepts every new forwarded connection in both directions, so the
# two specific rules after it never get a chance to match
/sbin/iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# by the time FORWARD sees a DNATed request its destination is already the
# web server and its source is the remote client, never the firewall's own
# 192.168.0.2, so match on the new destination only
/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.3 --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.1/255.255.255.0 -d 0.0.0.0/0 -j ACCEPT
# log everything else
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 192.168.1.1/255.255.255.0
#OUTPUT
/sbin/iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 192.168.0.2/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 192.168.0.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 224.0.0.0/4 -p ! 6
# log and drop the rest
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 192.168.1.1/255.255.255.0
#POSTROUTING&MASQUERADING#
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.1/255.255.255.0 -j MASQUERADE
# re-enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
function IPSYSCTL {
    # Enables kernel timestamps as defined in RFC 1323, used to calculate the
    # Round Trip Measurement in a better way than the retransmission timeout method
    if [ -f /proc/sys/net/ipv4/tcp_timestamps ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_timestamps
    fi
    # Disable logging of packets from illegal addresses
    if [ -f /proc/sys/net/ipv4/conf/all/log_martians ]; then
        echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
    fi
    # Disables logging of RFC 1122 violations (bogus responses to broadcast frames)
    if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    fi
    # Disable TCP Explicit Congestion Notification Support
    if [ -f /proc/sys/net/ipv4/tcp_ecn ]; then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi
    # Proxy ARP is a system of automatically answering ARP queries for other hosts
    # Disabling proxy ARP for the WANIFACE (1=ON 0=OFF; the original wrote 2 for
    # "off", but proxy_arp is a boolean and any non-zero value turns it on)
    if [ $INTERNAL = "ON" ] && [ -f /proc/sys/net/ipv4/conf/$WANIFACE/proxy_arp ]; then
        echo 1 > /proc/sys/net/ipv4/conf/$WANIFACE/proxy_arp
    else
        if [ -f /proc/sys/net/ipv4/conf/$WANIFACE/proxy_arp ]; then
            echo 0 > /proc/sys/net/ipv4/conf/$WANIFACE/proxy_arp
        fi
    fi
    # Enable proxy ARP for LANIFACE (1=ON 0=OFF)
    if [ -f /proc/sys/net/ipv4/conf/$LANIFACE/proxy_arp ]; then
        echo 1 > /proc/sys/net/ipv4/conf/$LANIFACE/proxy_arp
    fi
    # Enable flood protection
    if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi
    # Enable source address verification to prevent spoofing
    if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        for x in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > $x
        done
    fi
    # Disable source routed packets to help prevent outside access to LAN
    if [ $INTERNAL != "ON" ] && [ -f /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
        for x in /proc/sys/net/ipv4/conf/*/accept_source_route; do
            echo 0 > $x
        done
    fi
    # Accept redirects only from gateways in the default gateways list
    if [ -f /proc/sys/net/ipv4/conf/all/secure_redirects ]; then
        echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
    fi
    # Disable ICMP redirects
    if [ -f /proc/sys/net/ipv4/conf/all/send_redirects ]; then
        echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    fi
    # Disable acceptance of ICMP redirects to avoid malicious routing changes
    if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    fi
    # Ignore broadcast ICMP echo requests to prevent
    # becoming a Smurf attack amplifier
    if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    fi
    # Enables the Selective Acknowledgements algorithm as defined in RFC 2883
    # which helps to shore up poor internet connections
    if [ -f /proc/sys/net/ipv4/tcp_sack ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_sack
    fi
    # Enables the Forward Acknowledgement algorithm
    # geared at congestion control
    # This option is dependent upon tcp_sack
    if [ -f /proc/sys/net/ipv4/tcp_fack ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_fack
    fi
    # Required to send duplicate SACKs as defined in RFC 2883
    # This option is used to tell the sender that
    # duplicate packets have been received
    if [ -f /proc/sys/net/ipv4/tcp_dsack ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_dsack
    fi
    # Enables window scaling as it is defined in RFC 1323, allowing windows to be a
    # larger size than 64 KB, helping to reduce bandwidth loss in fast connections
    if [ -f /proc/sys/net/ipv4/tcp_window_scaling ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
    fi
    # Controls how much a TCP packet may be reordered in a stream without
    # assuming that the packet was lost somewhere on the way
    if [ -f /proc/sys/net/ipv4/tcp_reordering ]; then
        echo 5 > /proc/sys/net/ipv4/tcp_reordering # Default=3
    fi
    # Adjust connection tracking timeout value
    # Default=600 (600 seconds or 10 minutes)
    if [ -f /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout ]; then
        echo 120 > /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout
    fi
    # Increase maximum limit of connections to track
    if [ -f /proc/sys/net/ipv4/ip_conntrack_max ]; then
        echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max # Default=2048
    fi
    # The maximum length of the queue (i.e. the number of packets delivered to
    # userspace with no verdict issued back)
    if [ -f /proc/sys/net/ipv4/ip_queue_maxlen ]; then
        echo 2048 > /proc/sys/net/ipv4/ip_queue_maxlen # Default=1024
    fi
    # Maximum number of packets queued in INPUT (used when the interface receives
    # packets faster than it can process them)
    if [ -f /proc/sys/net/core/netdev_max_backlog ]; then
        echo 4096 > /proc/sys/net/core/netdev_max_backlog
    fi
    # Adjusts the write (transmit) memory buffer
    echo 262144 > /proc/sys/net/core/wmem_default # Default=131072
    echo 262144 > /proc/sys/net/core/wmem_max # Default=131072
    echo '8196 32768 262144' > /proc/sys/net/ipv4/tcp_wmem # Default=4096 16384 131072
    # Adjusts the receive memory buffer
    echo 174760 > /proc/sys/net/core/rmem_default # Default=87380
    echo 349520 > /proc/sys/net/core/rmem_max # Default=174760
    echo '8196 174760 349520' > /proc/sys/net/ipv4/tcp_rmem # Default=4096 87380 174760
    # Seconds before a connection times out
    if [ -f /proc/sys/net/ipv4/tcp_fin_timeout ]; then
        echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout # Default=180
    fi
    # Seconds before a stalled connection is killed
    if [ $INTERNAL != "ON" ] && [ -f /proc/sys/net/ipv4/tcp_keepalive_time ]; then
        echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time # Default=7200
    fi
}
# apply the kernel tuning above (the function was defined but never called as posted)
IPSYSCTL
####################################THEEND########################################
Maybe it's the FORWARD chain that I'm not doing right. Anyway, I'm sure we are nearly there. I forgot what I messed up, but last week when you answered my first letter I got it working; I forgot what I changed. Anyway ...
In the Linux world you always hear about Linux firewalls, gateways, i386s recycled to do proper routing with Linux. But, and tell me if I'm wrong, the only quick and easy way to get a Linux LAN on the Internet is to use a host-like proprietary router, because we don't get our own ADSL Linux drivers, am I wrong? If so, what Linux ADSL USB modem should I buy to do proper firewalling with Linux? Because there isn't one, we should all be equipped with scripts or whatever to get around this, because we all would have routers or double-gateway configurations, but all you can find is tutorials about a Linux box directly exposed to the Internet with ppp0 configurations and so on; it sounds like ADSL modems have never been a problem for Linux users ... no solutions to get the damn public IP and get your firewall working, no tutorials regarding this subject. I hope my English was clear enough, ciao!
Last edited by gabsik; 12-21-2005 at 09:32 AM.
12-20-2005, 01:42 PM
#4
Senior Member
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024
Quote:
Originally Posted by gabsik
...In the Linux world you always hear about Linux firewalls, gateways, i386s recycled to do proper routing with Linux. But, and tell me if I'm wrong, the only quick and easy way to get a Linux LAN on the Internet is to use a host-like proprietary router, because we don't get our own ADSL Linux drivers, am I wrong? If so, what Linux ADSL USB modem should I buy to do proper firewalling with Linux? Because there isn't one, we should all be equipped with scripts or whatever to get around this, because we all would have routers or double-gateway configurations, but all you can find is tutorials about a Linux box directly exposed to the Internet with ppp0 configurations and so on; it sounds like ADSL modems have never been a problem for Linux users ... no solutions to get the damn public IP and get your firewall working, no tutorials regarding this subject. I hope my English was clear enough, ciao!
I have my DSL set up so that the "modem" that is actually a "router" is set to just act like a "bridge", so now my Linux firewall does have a ppp0, using PPPoE on the ethernet connection to my DSL device. It's all in the fine details that get left out or obsoleted from documentation. You will either have to route between the DSL router, Linux firewall and local net, or double NAT between them, or have the DSL "modem" dumbed down to bridge mode. Most DSL devices are usually proprietary enough that Linux/USB support will be slim to none; luckily most of the DSL devices also have ethernet connections.
That's quite a firewall script to go through, I'll take a stab at it in another post when I have more time to look for what exactly isn't working in it.
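Putting post #2's advice (match inbound port 80 on the router-facing interface with no -d, since the address the router hands out can change, and forward the port on the Netgear too) and post #4's double-NAT point into one script, as an added example that is not code from this thread. It assumes eth0 faces the router, eth1 faces the LAN and the web server is 192.168.1.3, the addresses the thread uses; the wan_ip, behind_nat, dnat_rule, forward_rule, reply_rule and run function names, the DRY_RUN switch and the RFC 1918 check are mine and go a step beyond what the posts spell out.

```shell
#!/bin/sh
# Added example, not the poster's script: build the port-80 forwarding rules
# without hard-coding the address on the WAN side, and report when that address
# is private, i.e. the device in front is also doing NAT (double NAT) and must
# forward port 80 to us as well.  Defaults below are assumptions and can be
# overridden from the environment.
WANIFACE=${WANIFACE:-eth0}           # interface facing the Netgear router
LANIFACE=${LANIFACE:-eth1}           # interface facing the LAN
WEBSERVER=${WEBSERVER:-192.168.1.3}  # host that should receive port 80
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}                # 1 = print the commands, 0 = apply them

# wan_ip IFACE: print the first IPv4 address on IFACE, or nothing if there is
# none (or no ip tool).  The address is only used for the double-NAT warning;
# the rules themselves never depend on it.
wan_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ split($4, a, "/"); print a[1]; exit }'
}

# behind_nat ADDR: succeed when ADDR is RFC 1918 space (10/8, 172.16/12,
# 192.168/16), which means another NAT device sits between us and the ISP.
behind_nat() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            octet=${1#172.}
            octet=${octet%%.*}
            [ "$octet" -ge 16 ] && [ "$octet" -le 31 ] && return 0
            ;;
    esac
    return 1
}

# dnat_rule WAN_IFACE TARGET: rewrite inbound port 80 on WAN_IFACE to TARGET.
# No -d: the only port-80 traffic arriving on that interface is what the router
# forwarded, so the rule keeps working when the ISP or router address changes.
dnat_rule() {
    echo "-t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $2:80"
}

# forward_rule WAN_IFACE LAN_IFACE TARGET: DNAT happens in PREROUTING, so by the
# time FORWARD runs the packet's destination is already TARGET and its source is
# the remote client, never the firewall's own address.
forward_rule() {
    echo "-A FORWARD -i $1 -o $2 -p tcp -d $3 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# reply_rule WAN_IFACE LAN_IFACE: let the web server's answers back out.
reply_rule() {
    echo "-A FORWARD -i $2 -o $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# run ARGS...: print or execute one iptables invocation.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

main() {
    addr=$(wan_ip "$WANIFACE")
    if [ -n "$addr" ] && behind_nat "$addr"; then
        echo "note: $WANIFACE has $addr, a private address: the device in front" >&2
        echo "      is also doing NAT and must forward port 80 to $addr itself" >&2
    fi
    # word splitting of the rule strings is intended here
    run $(dnat_rule "$WANIFACE" "$WEBSERVER")
    run $(forward_rule "$WANIFACE" "$LANIFACE" "$WEBSERVER")
    run $(reply_rule "$WANIFACE" "$LANIFACE")
}

main
```

Run it as is to see the three commands it would issue; set DRY_RUN=0 to apply them. The rules sit next to, not instead of, a FORWARD policy of DROP: with a blanket "-m state --state NEW ... -j ACCEPT" ahead of them in FORWARD, as in the posted script, they are never reached.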