LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 12-15-2005, 11:40 AM   #1
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Rep: Reputation: 30
router public_ip


I have a Netgear DG834 router as gateway for a Linux box acting as a firewall for my LAN, where I have a webserver (Debian Sarge 3.1, kernel 2.6). I'm having problems DNATing incoming requests to port 80 to my webserver. It's the router that gets the IP from my ISP, so the PREROUTING rule I did is $IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.1 (MY ROUTER) --dport 80 -j DNAT --to 192.168.1.3:80 and it's not working. There must be a script to resolve my public IP and use it in iptables as a variable. I hope my English is clear; any help will be great!
G!
 
Old 12-15-2005, 03:19 PM   #2
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Incoming requests from the Internet will not be to your private 192.168 IP address. Regardless of that, since you only have one public IP address that points to your system (even if it changes, or you don't currently know it) you can safely forward all connections coming in from outside to port 80; just take out the "-d 192.168.0.1".

You also need to forward these connections (all incoming port 80 requests) on the netgear as well, but point them at the 192.168.0.x interface of your linux firewall.
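The two rules Darin describes (a DNAT on the outside interface with no -d match, plus the FORWARD permit towards the webserver), written out as an added example. This is not code from the thread or from Darin; it assumes the thread's layout (eth0 towards the router, eth1 for the 192.168.1.0/24 LAN, webserver 192.168.1.3) and the function names rules, apply_rules and iface_addr are mine. With DRY_RUN=1 (the default) it only prints the iptables commands, so it can be read before being run as root with DRY_RUN=0:

```shell
#!/bin/sh
# Added example (not from the thread): port-forward rules for a Linux firewall
# that sits behind a NAT router. Assumed layout, matching the thread:
#   eth0 = link to the router (router-side private subnet 192.168.0.0/24)
#   eth1 = LAN 192.168.1.0/24, webserver at 192.168.1.3
# DRY_RUN=1 prints the commands; DRY_RUN=0 applies them (needs root).
DRY_RUN="${DRY_RUN:-1}"
WANIFACE="${WANIFACE:-eth0}"
LANIFACE="${LANIFACE:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
WEBSERVER="${WEBSERVER:-192.168.1.3}"

# Address currently assigned to an interface. Behind a NAT router this is the
# address the router's own port forward must target (the public address never
# appears on this box). Needs iproute2; only used when applying for real.
iface_addr() {
    ip -4 -o addr show dev "$1" | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
}

# No -d on the DNAT: a packet the router forwards arrives on eth0 carrying the
# router-side private address, and since a single public address lands on this
# box, every TCP/80 arrival on eth0 is meant for the webserver.
# FORWARD rules only matter with "-P FORWARD DROP", as in the thread's script.
rules() {
    printf '%s\n' \
      "-t nat -A PREROUTING -i $WANIFACE -p tcp --dport 80 -j DNAT --to-destination $WEBSERVER:80" \
      "-A FORWARD -i $WANIFACE -o $LANIFACE -p tcp -d $WEBSERVER --dport 80 -m state --state NEW -j ACCEPT" \
      "-A FORWARD -i $LANIFACE -o $WANIFACE -s $LAN -m state --state NEW -j ACCEPT" \
      "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "-t nat -A POSTROUTING -o $WANIFACE -s $LAN -j MASQUERADE"
}

apply_rules() {
    rules | while IFS= read -r r; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "iptables $r"
        else
            # shellcheck disable=SC2086  # word splitting of the rule is intended
            /sbin/iptables $r
        fi
    done
}

if [ "$DRY_RUN" != 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "configure the router to forward TCP/80 to $(iface_addr "$WANIFACE")"
fi
apply_rules
```

The last echo is the second half of Darin's answer: the Netgear must forward port 80 to the firewall's eth0 address, which iface_addr reads at run time so it does not have to be hard-coded. Verify after applying with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v`; the packet counters on the DNAT and FORWARD rules show whether forwarded requests are reaching the box at all.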
 
Old 12-20-2005, 02:21 AM   #3
gabsik
Member
 
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

Original Poster
Rep: Reputation: 30
I have followed your instructions; see if I got it right. I still don't get connections to the webserver. Wherever you see the sign # it means that that rule doesn't work and it needs a correction:
#!/bin/bash

# load modules
modprobe iptable_nat
modprobe ipt_MASQUERADE

# disable forwarding while the rules are rebuilt
echo "0" > /proc/sys/net/ipv4/ip_forward

# flush any existing rules
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t mangle -F PREROUTING
/sbin/iptables -t mangle -F OUTPUT
/sbin/iptables -t nat -F PREROUTING
/sbin/iptables -t nat -F POSTROUTING
/sbin/iptables -t nat -F OUTPUT

# set policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t mangle -P PREROUTING ACCEPT
/sbin/iptables -t mangle -P OUTPUT ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT

# allow localhost
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
/sbin/iptables -A INPUT -j LOG -i ! lo -s 127.0.0.1/255.0.0.0
/sbin/iptables -A INPUT -j DROP -i ! lo -s 127.0.0.1/255.0.0.0

########TOR##########
# --dport needs -p tcp; the rule stays disabled as in the original
#/sbin/iptables -A INPUT -p tcp -s 127.0.0.1/255.0.0.0 -i lo --dport 9050 -j ACCEPT

#PREROUTING
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j DNAT --to 192.168.1.3:80
/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.1.1/255.255.255.0 -d 192.168.1.1 --dport 80 -j REDIRECT --to-port 3128
#/sbin/iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1

#Input
#Stop invalid and portscan attempts
/sbin/iptables -A INPUT -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
# the bad_tcp_packets chain is never created with -N, so these stay disabled
#/sbin/iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
#/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
#/sbin/iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# allow my LAN
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/255.255.255.0 -d 192.168.1.1/255.255.255.0 -j ACCEPT
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 192.168.1.1/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,ESTABLISHED,RELATED
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth1 -d 224.0.0.0/4 -p ! 6
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 255.255.255.255/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 192.168.0.2/32
/sbin/iptables -A INPUT -j ACCEPT -i eth0 -d 192.168.0.255/32

# allow services
/sbin/iptables -A INPUT -p tcp -s 192.168.1.1/255.255.255.0 -i eth1 --dport 22 -d 192.168.0.2 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 192.168.1.1/255.255.255.0 --dport 53 -d 192.168.1.1 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp -s 192.168.1.1/255.255.255.0 --dport 53 -d 192.168.1.1 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 192.168.1.1/255.255.255.0 --dport 67:68 -d 192.168.1.1 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp -i eth0 -s 192.168.0.1 -d 192.168.1.1/255.255.255.0 --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 631 -i eth1 -s 192.168.1.1/255.255.255.0 -d 192.168.1.1 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 631 -i eth1 -s 192.168.1.1/255.255.255.0 -d 192.168.1.1 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp -s 192.168.1.1/255.255.255.0 -d 192.168.0.2 --dport 1241 -j ACCEPT


######## NETBIOS # SAMBA #####################
# multiport takes --dports (plural); with --dport the tcp/udp match tries to
# parse "139,445" as a single port and the rule is rejected
/sbin/iptables -A INPUT -p udp -s 192.168.1.1/255.255.255.0 -d 192.168.0.2 -m multiport --dports 137,138 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 192.168.1.1/255.255.255.0 -d 192.168.0.2 -m multiport --dports 139,445 -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 192.168.1.1/255.255.255.0 -d 192.168.255.255 --dport 137 -j ACCEPT
/sbin/iptables -A INPUT -p udp -d 192.168.0.2 -m multiport --dports 137,138 -j DROP
/sbin/iptables -A INPUT -p tcp -d 192.168.0.2 -m multiport --dports 139,445 -j DROP

# log and drop
/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j LOG -i eth0 -s 192.168.1.1/255.255.255.0
/sbin/iptables -A INPUT -j DROP -i eth0 -s 192.168.1.1/255.255.255.0

#FORWARD
/sbin/iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.0.2 --dport 80 -d 192.168.1.3 -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.1/255.255.255.0 -d 0.0.0.0/0 -j ACCEPT

# log everything
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A FORWARD -j LOG -o eth0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A FORWARD -j DROP -o eth0 -d 192.168.1.1/255.255.255.0

#OUTPUT
/sbin/iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 192.168.0.2/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth0 -s 192.168.0.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 255.255.255.255/32
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j ACCEPT -o eth1 -d 224.0.0.0/4 -p ! 6

# log and drop the rest
/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j DROP -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j LOG -o eth0 -d 192.168.1.1/255.255.255.0
/sbin/iptables -A OUTPUT -j DROP -o eth0 -d 192.168.1.1/255.255.255.0

#POSTROUTING&MASQUERADING#
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.1/255.255.255.0 -j MASQUERADE

# re-enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward


# Variables used by IPSYSCTL below. The original script never sets them;
# these defaults are assumed from the interface layout in the rules above.
WANIFACE=${WANIFACE:-eth0}
LANIFACE=${LANIFACE:-eth1}
INTERNAL=${INTERNAL:-OFF}

# Note: IPSYSCTL is defined but nothing in this script calls it.
function IPSYSCTL {
    # Enables kernel timestamps as defined in RFC 1323 used to calculate the
    # Round Trip Measurement in a better way than the retransmission timeout method
    if [ -f /proc/sys/net/ipv4/tcp_timestamps ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_timestamps
    fi

    # Disable logging of packets from illegal addresses
    if [ -f /proc/sys/net/ipv4/conf/all/log_martians ]; then
        echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
    fi

    # Disables logging of RFC 1122 violations (bogus responses to broadcast frames)
    if [ -f /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    fi

    # Disable TCP Explicit Congestion Notification Support
    if [ -f /proc/sys/net/ipv4/tcp_ecn ]; then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi

    # Proxy ARP is a system of automatically answering ARP queries for other hosts
    # Proxy ARP on the WANIFACE only when INTERNAL=ON (1=ON 0=OFF; the kernel
    # treats any non-zero value as ON, so "2" would not turn it off)
    if [ "$INTERNAL" = "ON" ] && [ -f /proc/sys/net/ipv4/conf/$WANIFACE/proxy_arp ]; then
        echo 1 > /proc/sys/net/ipv4/conf/$WANIFACE/proxy_arp
    else
        if [ -f /proc/sys/net/ipv4/conf/$WANIFACE/proxy_arp ]; then
            echo 0 > /proc/sys/net/ipv4/conf/$WANIFACE/proxy_arp
        fi
    fi

    # Enable proxy ARP for LANIFACE (1=ON 0=OFF)
    if [ -f /proc/sys/net/ipv4/conf/$LANIFACE/proxy_arp ]; then
        echo 1 > /proc/sys/net/ipv4/conf/$LANIFACE/proxy_arp
    fi

    # Enable flood protection
    if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi

    # Enable source address verification to prevent spoofing
    if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        for x in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > "$x"
        done
    fi

    # Disable source routed packets to help prevent outside access to LAN
    if [ "$INTERNAL" != "ON" ] && [ -f /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
        for x in /proc/sys/net/ipv4/conf/*/accept_source_route; do
            echo 0 > "$x"
        done
    fi

    # Accept redirects only from gateways in the default gateways list
    if [ -f /proc/sys/net/ipv4/conf/all/secure_redirects ]; then
        echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
    fi

    # Disable ICMP redirects
    if [ -f /proc/sys/net/ipv4/conf/all/send_redirects ]; then
        echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    fi

    # Disable acceptance of ICMP redirects to avoid malicious routing changes
    if [ -f /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    fi

    # Ignore broadcast ICMP echo requests to prevent
    # becoming a Smurf attack amplifier
    if [ -f /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    fi

    # Enables the Selective Acknowledgements algorithm as defined in RFC 2883
    # which helps to shore up poor internet connections
    if [ -f /proc/sys/net/ipv4/tcp_sack ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_sack
    fi

    # Enables the Forward Acknowledgement algorithm
    # geared at congestion control
    # This option is dependent upon tcp_sack
    if [ -f /proc/sys/net/ipv4/tcp_fack ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_fack
    fi

    # Required to send duplicate SACKs as defined in RFC 2883
    # This option is used to tell the sender that
    # duplicate packets have been received
    if [ -f /proc/sys/net/ipv4/tcp_dsack ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_dsack
    fi

    # Enables window scaling as it is defined in RFC 1323 allowing windows to be a
    # larger size than 65kb, helping to reduce bandwidth loss in fast connections
    if [ -f /proc/sys/net/ipv4/tcp_window_scaling ]; then
        echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
    fi

    # Controls how much a TCP packet may be reordered in a stream without
    # assuming that the packet was lost somewhere on the way
    if [ -f /proc/sys/net/ipv4/tcp_reordering ]; then
        echo 5 > /proc/sys/net/ipv4/tcp_reordering # Default=3
    fi

    # Adjust connection tracking timeout value
    # Default=600 (600 seconds or 10 minutes)
    if [ -f /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout ]; then
        echo 120 > /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout
    fi

    # Increase maximum limit of connections to track
    if [ -f /proc/sys/net/ipv4/ip_conntrack_max ]; then
        echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max # Default=2048
    fi

    # The maximum length of the queue (i.e. the number of packets delivered to
    # userspace with no verdict issued back)
    if [ -f /proc/sys/net/ipv4/ip_queue_maxlen ]; then
        echo 2048 > /proc/sys/net/ipv4/ip_queue_maxlen # Default=1024
    fi

    # Maximum number of packets queued in INPUT (used when the interface receives
    # packets faster than it can process them)
    if [ -f /proc/sys/net/core/netdev_max_backlog ]; then
        echo 4096 > /proc/sys/net/core/netdev_max_backlog
    fi

    # Adjusts the write (transmit) memory buffer
    echo 262144 > /proc/sys/net/core/wmem_default # Default=131072
    echo 262144 > /proc/sys/net/core/wmem_max # Default=131072
    echo '8196 32768 262144' > /proc/sys/net/ipv4/tcp_wmem # Default=4096 16384 131072

    # Adjusts the receive memory buffer
    echo 174760 > /proc/sys/net/core/rmem_default # Default=87380
    echo 349520 > /proc/sys/net/core/rmem_max # Default=174760
    echo '8196 174760 349520' > /proc/sys/net/ipv4/tcp_rmem # Default=4096 87380 174760

    # Seconds before a connection times out
    if [ -f /proc/sys/net/ipv4/tcp_fin_timeout ]; then
        echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout # Default=180
    fi

    # Seconds before a stalled connection is killed
    if [ "$INTERNAL" != "ON" ] && [ -f /proc/sys/net/ipv4/tcp_keepalive_time ]; then
        echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time # Default=7200
    fi
}
####################################THEEND########################################
Maybe it's the FORWARD chain that I'm not doing right. Anyway, I'm sure we are nearly there. I forgot what I messed up, but last week when you answered my first letter I got it working; I forgot what I changed. Anyway ...
In the Linux world you always hear about Linux firewalls, gateways, recycled i386 boxes doing proper routing with Linux. But, and tell me if I'm wrong, the only quick and easy way to get a Linux LAN on the Internet is to use a host-like proprietary router, because we don't get our own ADSL Linux drivers, am I wrong? If so, what Linux ADSL USB modem should I buy to do proper firewalling with Linux? Because there isn't one, we should all be equipped with scripts or whatever to get around this, because we would all have routers or double-gateway configurations, but all you can find is tutorials about a Linux box directly exposed on the Internet with ppp0 configurations and so on. It sounds like ADSL modems have never been a problem for Linux users ... no solutions to get the damn public IP and get your firewall working, no tutorials regarding this subject. I hope my English was clear enough, ciao!

Last edited by gabsik; 12-21-2005 at 09:32 AM.
 
Old 12-20-2005, 01:42 PM   #4
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Quote:
Originally Posted by gabsik
...In the Linux world you always hear about Linux firewalls, gateways, recycled i386 boxes doing proper routing with Linux. But, and tell me if I'm wrong, the only quick and easy way to get a Linux LAN on the Internet is to use a host-like proprietary router, because we don't get our own ADSL Linux drivers, am I wrong? If so, what Linux ADSL USB modem should I buy to do proper firewalling with Linux? Because there isn't one, we should all be equipped with scripts or whatever to get around this, because we would all have routers or double-gateway configurations, but all you can find is tutorials about a Linux box directly exposed on the Internet with ppp0 configurations and so on. It sounds like ADSL modems have never been a problem for Linux users ... no solutions to get the damn public IP and get your firewall working, no tutorials regarding this subject. I hope my English was clear enough, ciao!
I have my DSL set up so that the "modem" that is actually a "router" is set to just act like a "bridge", so now my Linux firewall does have a ppp0, using PPPoE on the ethernet connection to my DSL device. It's all in the fine details that get left out or obsoleted from documentation. You will either have to route between the DSL router, Linux firewall and local net, or double NAT between them, or have the DSL "modem" dumbed down to bridge mode. Most DSL devices are usually proprietary enough that Linux/USB support will be slim to none; luckily most of the DSL devices also have ethernet connections.

That's quite a firewall script to go through, I'll take a stab at it in another post when I have more time to look for what exactly isn't working in it.
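Darin's three options (bridge mode with ppp0 on the firewall, routing, or double NAT) can be told apart from the firewall's own default route, which decides where the port forward has to live: on this box alone when it owns the public address, or on the router in front as well when the next hop is a private address. The check below is an added example, not Darin's code or anything from the thread; classify_uplink and is_private_v4 are my names, and the three route lines are constructed samples in the format of `ip -4 route show default`, not captured from anyone's machine:

```shell
#!/bin/sh
# Added example (not from the thread): classify how a Linux firewall reaches
# the Internet from its default route, to know where TCP/80 forwarding must be
# configured. Function names and sample lines are constructed for this example.

# RFC 1918 private ranges
is_private_v4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Input: one "ip route show default" line. Prints one of:
#   bridged-ppp  modem in bridge mode; this box holds the public IP on pppN,
#                so only this box's DNAT/FORWARD rules are needed
#   double-nat   private next hop: a NAT router sits in front, so it must also
#                forward TCP/80 to this box's outside interface address
#   routed       public next hop on an ethernet interface (routed DSL)
#   unknown      no dev/via found in the line
classify_uplink() {
    dev=""; via=""
    # shellcheck disable=SC2086  # split the route line into words
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            dev) dev=$2; shift ;;
            via) via=$2; shift ;;
        esac
        shift
    done
    case "$dev" in
        ppp*) echo bridged-ppp; return ;;
    esac
    if [ -n "$via" ]; then
        if is_private_v4 "$via"; then echo double-nat; else echo routed; fi
        return
    fi
    echo unknown
}

# Constructed sample route lines (not captured from the thread's machines)
SAMPLE_DOUBLE_NAT="default via 192.168.0.1 dev eth0"
SAMPLE_BRIDGED="default dev ppp0 scope link"
SAMPLE_ROUTED="default via 203.0.113.1 dev eth0"

# Live use: classify_uplink "$(ip -4 route show default | head -n 1)"
for line in "$SAMPLE_DOUBLE_NAT" "$SAMPLE_BRIDGED" "$SAMPLE_ROUTED"; do
    printf '%-40s -> %s\n' "$line" "$(classify_uplink "$line")"
done
```

For the setup in this thread (Netgear at 192.168.0.1 as next hop on eth0) the result is double-nat, which is exactly the case where a DNAT on the Linux box alone cannot work: the Netgear has to forward the port first, and it has to forward it to the firewall's 192.168.0.x address, not to the webserver.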
 
  

