LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 09-06-2010, 05:10 AM   #1
OldBikerPete
LQ Newbie
 
Registered: Sep 2010
Location: Melbourne, Australia
Distribution: Slackware 0.9 -> 13.1
Posts: 7

Rep: Reputation: 0
Why doesn't my distro 9.0 setup work for the 13.1 distro


I have a linux box set up as a multi-purpose server for my home with three Windows client PC's. The linux box is based on a slightly modified Slackware 9.0 distribution using Linux 2.4.20 and an unfortinately old, slow AMD processor with a miserable 512Kb RAM. The linux box serves the CIFS file system to the Windows boxes, runs the SQUID HTTP proxy, the Apache web server, a print server, does masquerading, mail serving and a very effective firewall using iptables.

This system, although slow, has run perfectly for several years.

Let me say that again - This system works perfectly.

I had decided that now is the time to upgrade the hardware, so I bought a Gigabyte LGA775 motherboard which has two 1Gb network interfaces on it, an ASUS 256Mb PCI-E display card, 2Gb of DDR3 RAM, an Intel Core2-Quad processor and a bunch of 500Gb SATA drives to set up a RAID5 array (but I intend that the system boot off one of several 40Gb PATA drives I have).
I set up the processor, motherboard, display card, RAM, a SATA DVD Drive and a 40Gb PATA hard disk in a "breadboard" layout and installed distro 13.1, being careful to set up the static IP for the local network, dhcpcd to get an IP address from the cable modem (my internet connection) and to enable ip_forward in the network configuration.
Then I installed a script invoked by /etc/rc.d/rc.local which installed all the SAME iptables rules as my old Linux box. There was one minor glitch when I had to change 8 occurrences of "-d ! $LOCAL_NET to"
"! --destination $LOCAL_NET" but that was no problem. I also set up /etc/resolv.conf, /etc/hosts , the BIND server files etc. etc. exactly as in the old box.
I am able to ping mirror.aarnet.edu.au (this is at the heart of Australia's internet hub network - if it's down the whole bloody thing is down) and have the system find the correct IP from the designated nameservers and contact that server with a return trip time of 35ms. I am able to run a telnet session from one of the Windows boxes and edit files on the Linux server. So both network interfaces work and I've got them the right way around.
I am able to run FTP on one of the Windows boxes and connect through to mirror.aarnet.edu.au, although it seems to hang when I try a DIR (but then so does the old linux system).

BUT

No web browser can get a message from a Windows box through the new linux setup out to the outside world. I have done a fair amount of logging in iptables and the http packets on port 80 are being redirected to port 3128 HOWEVER, squid reports back that page "/" cannot be opened (it seems that the URL is not being passed across to squid). iptables does NOT report that any packets are outgoing during this exchange. If I comment out the REDIRECT instructions to iptables and re-run the script, then again try a web browser on one of the Windows boxes, Windows pops up a connection diagnostic, reporting that the (unspecified) page cannot be found.

Before you ask, yes, I have checked that /proc/sys/net/ipv4/ip_forward is set to 1.


Why is this so. Or in other words, HELP.

Peter.
 
Old 09-09-2010, 12:13 AM   #2
OldBikerPete
LQ Newbie
 
Registered: Sep 2010
Location: Melbourne, Australia
Distribution: Slackware 0.9 -> 13.1
Posts: 7

Original Poster
Rep: Reputation: 0
Unhappy BUMP

No ideas on this?
 
Old 09-09-2010, 04:48 AM   #3
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,483

Rep: Reputation: 2610Reputation: 2610Reputation: 2610Reputation: 2610Reputation: 2610Reputation: 2610Reputation: 2610Reputation: 2610Reputation: 2610Reputation: 2610Reputation: 2610
Quote:
Why doesn't my distro 9.0 setup work for the 13.1 distro
are you kidding ???
you are expecting settings and config files to work on a 4 versions newer OS
??? would you expect windows ME/2000 settings to work on win 7 ???

reset them back to the default and use the slack 13 tools to set the network connections and iptable rules
and aliases
 
Old 09-09-2010, 04:59 AM   #4
OldBikerPete
LQ Newbie
 
Registered: Sep 2010
Location: Melbourne, Australia
Distribution: Slackware 0.9 -> 13.1
Posts: 7

Original Poster
Rep: Reputation: 0
Angry Half-arsed reply.

Quote:
Originally Posted by John VV View Post
are you kidding ???
you are expecting settings and config files to work on a 4 versions newer OS
??? would you expect windows ME/2000 settings to work on win 7 ???
Not hardly - as if I would expect it to be that simple.
Quote:
reset them back to the default and use the slack 13 tools to set the network connections and iptable rules
and aliases
Obviously you didn't read my post closely enough. I have set up two (different) ethernet NICs dhcpd, named, dhcpcd, inetd and they all work correctly. They would have to be working correctly for the FTP and telnet sessions I describe to work as described.

BTW I'm not now and never have run X.

IPTABLES and ip_forwarding are the functions not working. There are no clues in the relevant man pages as to why the newer version should behave differently to the old version. Over to you, lets see what you've got.

Last edited by OldBikerPete; 09-09-2010 at 05:08 AM.
 
Old 09-09-2010, 05:34 AM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678
The location of ip_forwarding may have changed in your latest kernel. Several kernel modules that netfilter uses have different names. E.G. tc_conntrack is now nf_conntrack. An old firewall script may load modules by their old name. There may be other differences. In the latest version of ssh, you need to indicate the location of authorized_hosts with %h/.ssh/authorized_hosts instead of .ssh/authorized_hosts in /etc/ssh/sshd_config.
Code:
example of enabling ipv6 forwarding:
# enable IPv6 forwarding
#net.ipv6.conf.all.forwarding = 1

don't know but is net.ipv4.ip_forward depreciated?  What happens if net.ipv4.conf.all.forwarding=0 and net.ipv4.ip_forward=1?
/proc/sys/net/ipv4/conf/all/forwarding
/proc/sys/net/ipv4/conf/all/mc_forwarding
/proc/sys/net/ipv4/conf/default/forwarding
/proc/sys/net/ipv4/conf/default/mc_forwarding
...
/proc/sys/net/ipv4/ip_forward
Some configuration files may have moved into directories, instead of a single configuration file. This has been happening for quite some time for services and scripts like logrotate, xinetd, udev, and now even xorg.conf and profile. These directories tend to end with ".d". Software packages will drop a file in these directories instead of editing the existing global script. Your old configurations may exist in a script while a conflicting script exists in a directory.

One such directory on OpenSUSE is /etc/sysconfig/SuSEfirewall2.d/services/. I'm not running Slackware, but they may have adopted the same strategy.

For the services where you have problems, configure them from scratch using your distro's current tools if needed.

You may want to read the release notes for each newer version of Slackware. I found out about "%h" in sshd_config by reading a release note. Before that I couldn't ssh pubkey authentication working copying my old config sshd_config after upgrading.
 
1 members found this post helpful.
Old 09-09-2010, 06:08 AM   #6
OldBikerPete
LQ Newbie
 
Registered: Sep 2010
Location: Melbourne, Australia
Distribution: Slackware 0.9 -> 13.1
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks for your helpful rely.

Quote:
Originally Posted by jschiwal View Post
The location of ip_forwarding may have changed in your latest kernel. Several kernel modules that netfilter uses have different names. E.G. tc_conntrack is now nf_conntrack. An old firewall script may load modules by their old name. There may be other differences. In the latest version of ssh, you need to indicate the location of authorized_hosts with %h/.ssh/authorized_hosts instead of .ssh/authorized_hosts in /etc/ssh/sshd_config.
Code:
example of enabling ipv6 forwarding:
# enable IPv6 forwarding
#net.ipv6.conf.all.forwarding = 1

don't know but is net.ipv4.ip_forward depreciated?  What happens if net.ipv4.conf.all.forwarding=0 and net.ipv4.ip_forward=1?
/proc/sys/net/ipv4/conf/all/forwarding
/proc/sys/net/ipv4/conf/all/mc_forwarding
/proc/sys/net/ipv4/conf/default/forwarding
/proc/sys/net/ipv4/conf/default/mc_forwarding
...
/proc/sys/net/ipv4/ip_forward
Some configuration files may have moved into directories, instead of a single configuration file. This has been happening for quite some time for services and scripts like logrotate, xinetd, udev, and now even xorg.conf and profile. These directories tend to end with ".d". Software packages will drop a file in these directories instead of editing the existing global script. Your old configurations may exist in a script while a conflicting script exists in a directory.

One such directory on OpenSUSE is /etc/sysconfig/SuSEfirewall2.d/services/. I'm not running Slackware, but they may have adopted the same strategy.

For the services where you have problems, configure them from scratch using your distro's current tools if needed.

You may want to read the release notes for each newer version of Slackware. I found out about "%h" in sshd_config by reading a release note. Before that I couldn't ssh pubkey authentication working copying my old config sshd_config after upgrading.
I was under the initial impression that this board dealt with Slackware distributions only and accordingly left out that I am upgrading from Slackware 9.0 with Linux 2.4.20 to 13.1 using Linux 2.6.33.4 and the install DVD.
My method of upgrading is to install the entire default distibution (including the Huge-smp kernel precompiled and supplied with this distro)then get each of the functions I need running and tested one by one. Only if I find something missed out in the supplied kernel or I get everything I want working will I compile a kernel - and even then I will use one of the generic .config files supplied as a jumping-off point.
That being my workflow, I choose to disable as many options as possible during the scripted install and then enable them as I need them and only after reading any scripts and man pages involved.
Accordingly, I read through the /etc/rc.d/rc.ip_forwarding script and it sets the /proc/sys/net/ipv4/ip_forwarding flag. I don't recall enabling ipv6 at all (nor sshd or most of the other functions you mentioned).

Will things not work now if ipv6 and the relevant forwarding are not enabled?

Last edited by OldBikerPete; 09-09-2010 at 06:15 AM.
 
Old 09-09-2010, 09:59 AM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678
I didn't mean to imply that you needed to enable ipv6. Only that I hadn't noticed "/proc/sys/net/ipv4/conf/all/forwarding" before.
The ssh difference was just an example of differences you can run into when copying old config files. It was an example I learned from experience after copying my old sshd_config file. When I read the release notes, I discovered the problem.

If your problem is with ip_tables, then print out your ip_tables rules. Read through your firewall script. There may be some kernel modules loaded at the start of the script. Make sure that those modules still exist, and haven't been renamed in the newest kernel release.

IMHO, you may not have a problem with ip_tables. Check the squid configuration and setup.

Did you run Squid "squid -z" to create the cache store directories?
 
1 members found this post helpful.
Old 09-10-2010, 12:20 AM   #8
OldBikerPete
LQ Newbie
 
Registered: Sep 2010
Location: Melbourne, Australia
Distribution: Slackware 0.9 -> 13.1
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jschiwal View Post
I didn't mean to imply that you needed to enable ipv6. Only that I hadn't noticed "/proc/sys/net/ipv4/conf/all/forwarding" before.
The ssh difference was just an example of differences you can run into when copying old config files. It was an example I learned from experience after copying my old sshd_config file. When I read the release notes, I discovered the problem.

If your problem is with ip_tables, then print out your ip_tables rules. Read through your firewall script. There may be some kernel modules loaded at the start of the script. Make sure that those modules still exist, and haven't been renamed in the newest kernel release.

IMHO, you may not have a problem with ip_tables. Check the squid configuration and setup.

Did you run Squid "squid -z" to create the cache store directories?
Thank you for your helpful reply. _I_ wrote my iptables and firewall scripts and have now checked which modules named in it are available in the default Slackware 13.1 distro. They are all there except iptables_filter, iptables_mangle and iptables_nat. I will read through the appropriate .config script to ensure that these have been compiled embedded as I expect they will.
And yes, I have done squid -z. Much use of the iptables LOG facility has revealed that packets from a web browser on on XP client machine are being redirected to port 3128 and that squid does send the admin page to that browser reporting that the page "/" cannot be found. I deduce that the URL is not being passed correctly to squid. I have also tried removing the REDIRECT commands from the iptables script which, as you know, bypasses squid since port 80 packets should then be forwarded straight through. That produces the web browser's admin page saying that the URL cannot be found.
If you like, I will find a way to post my iptables script here for you to look at.

Last edited by OldBikerPete; 09-10-2010 at 12:21 AM.
 
Old 09-14-2010, 07:57 PM   #9
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678
Probably any module you used before that had IP_ in the name now uses NF instead, with versions for IPv4 and IPv6.
Code:
CONFIG_IP_NF_FILTER=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PROTO_DCCP=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_PROTO_UDPLITE=m
CONFIG_NF_NAT_PROTO_SCTP=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_NAT_SIP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_NET_ACT_NAT=m
CONFIG_BT_BNEP_MC_FILTER=y
CONFIG_BT_BNEP_PROTO_FILTER=y
CONFIG_NATIONAL_PHY=m
CONFIG_NATSEMI=m
CONFIG_PPP_FILTER=y
CONFIG_IPPP_FILTER=y
 
2 members found this post helpful.
Old 09-15-2010, 12:06 AM   #10
OldBikerPete
LQ Newbie
 
Registered: Sep 2010
Location: Melbourne, Australia
Distribution: Slackware 0.9 -> 13.1
Posts: 7

Original Poster
Rep: Reputation: 0
Thank you for that list jschiwal.
All now works.
I commented out the instruction which redirected forwarded port 80 packets to port 3128 for SQUID - cutting squid out of the equation. I also did a 'chmod a-x /etc/rc.d/rc.squid'. Then I concentrated on debugging and editing the iptables script.
I don't know what the exact problem was as I finished up doing a semi-redesign of the whole script and eventually, it worked.
I then re-enabled the redirection which supports squid and experimented with squid. I did not realise that squid-3.1.4 is an experimental version but when I did I downloaded squid-3.0.STABLE11, configured and tried to compile it - no luck. I kept getting simple syntax errors (such as a 'const char*' variable requiring a cast to 'char*' in a function call) so I dug out my previusly-working squid-2.3.STABLE4 and installed that and that now works. Sorting out later version problems can wait until I get the meat of the upgrade done.

Gratefully, Peter.

Here's my iptables script.
Quote:
#!/bin/bash
#
# firewall.cable
#
# New version to use iptables instead of ipchains
# Cable modem connected to interface eth3 and assigned default route/gateway
# LAN connected to device eth2 192.168.0.0/24
# dialin lines on devices ppp0 192.168.2.0/24
#
IPTABLES="/usr/local/sbin/iptables"
LOG_LEVEL="--log-level 6"
FILE_SERVER=192.168.0.16 # Static IP of local network NIC.
CABLE_IFACE=eth3
LAN_IFACE=eth2
DIALIN_IFACE=ppp0
LOCAL_NET=192.168.0.0/24
LOCAL_BCAST=192.168.0.255
DIALIN_NET=192.168.2.0/24
DIALIN_BCAST=192.168.2.255
NON_INTERNET=192.168.0.0/22
NON_INTERNET_BCAST=192.168.3.255
TO_INTERNET=" ! --destination $NON_INTERNET"
FROM_INTERNET=" ! --source $NON_INTERNET"
INTERNET=" ! $NON_INTERNET"
SUPPORT_SQUID=yes #Comment this out to disable SQUID support
#
# Get dynamic IP of cable NIC
CABLE_MODEM=`ifconfig $CABLE_IFACE | grep inet | awk '{ print $2 }' | sed --expression=s/addr://`
#
PROXY_SERVER=$FILE_SERVER
NAME_SERVER=$FILE_SERVER
SMTP_SERVER=$FILE_SERVER
DHCP_SERVER=$FILE_SERVER
HTTP_SERVER=$FILE_SERVER
POP3_SERVER=$FILE_SERVER
SMTP_SERVER=$FILE_SERVER
LPD_SERVER=$FILE_SERVER
#
# this is a temporary patch
MORE_CHECKING=ACCEPT
# Ensure dependencies are current for loading modules
/sbin/depmod -A
#
# Required modules
/sbin/modprobe ip_tables # tick
/sbin/modprobe ip_conntrack # tick
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG # tick
/sbin/modprobe ipt_limit # tick
/sbin/modprobe ipt_state # tick
#
# Non-required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#
# First, add to the log of internet usage
#echo >firewall.log
#date >>firewall.log
#$IPTABLES -L -v >>firewall.log
#echo '================ Finish ==================' >>firewall.log
#echo >>firewall.log
#
# Flush out all rules, set default policies
$IPTABLES -t filter -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT DROP
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
#
############################################################################################
#
# Trouble-shooting & debugging
if test "$1" == "debug"; then
echo "netfilter and iptables operating in debugging mode"
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p udp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p tcp -j LOG $LOG_LEVEL
#
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -p udp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -p tcp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A OUTPUT -o $LAN_IFACE -p udp -j LOG $LOG_LEVEL
$IPTABLES -t filter -A OUTPUT -o $LAN_IFACE -p tcp -j LOG $LOG_LEVEL
fi
#
#############################################################################################
#
# Accept any inputs from trusted sites
# These are Telstra's nameservers
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 144.140.70.30 -j ACCEPT #
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 144.140.71.16 -j ACCEPT #
# $IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 72.20.34.145 -j ACCEPT # uTorrent
#
############################################################################################
#
# Quietly block accesses from certain sources
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 192.168.0.0/16 -j DROP # these are private network address blocks
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 10.0.0.0/8 -j DROP # these are private network address blocks
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 66.70.20.61 -j DROP # www.fassia.net
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 65.60.37.116 -j DROP # www.fmn-media.com
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 216.242.75.52 -j DROP #
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 203.14.168.3 -j DROP # iinet.net.au
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -s 203.59.24.3 -j DROP # nameserver iinet.net.au
#
############################################################################################
#
# Quietly block some broadcast signals
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --source-port 65535 -j DROP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --source-port 65535 -j DROP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --dport 65535 -j DROP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 65535 -j DROP
#
############################################################################################
#
# Quietly block NETBIOS and SMB packets incoming over the internet
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --dport 135:139 -j DROP #NETBIOS over IP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 135:139 -j DROP #NETBIOS over IP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --source-port 135:139 -j DROP #
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --source-port 135:139 -j DROP #
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 445 -j DROP #SMB over IP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --source-port 445 -j DROP #
#
############################################################################################
#
# Create a rule quietly denying access from banned sites
#
#/etc/rc.d/bpalogin/firewall.Banned
#
# Input rules
#
# Allow incoming SYN packets (connect attempts) on ports #20 & #21 (FTP)
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 20 --syn -j $MORE_CHECKING
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 21 --syn -j $MORE_CHECKING
# Allow incoming SYN packets on mail port #25 (SMTP)
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 25 --syn -j $MORE_CHECKING
# Allow incoming SYN packets on web port #80 (HTTP)
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 80 --syn -j $MORE_CHECKING
#
###########################################################################################
#
# DROP and log all other attempts to login from the internet (SYN packets)
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --syn -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --syn -j DROP
#
# DROP and log orphan fragments (because large packets are reassembled by the interface)
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -f -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -f -j DROP
#
# DROP and log FINGER attempts from internet
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 79 -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp --dport 79 -j DROP
#
# DROP and log PING attempts from internet
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --dport 7 -j LOG $LOG_LEVEL
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --dport 7 -j DROP
#
############################################################################################
#
# Enable internal transfers
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
#
# Allow input related to established outgoing connections
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
#
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp --dport 7 -j $MORE_CHECKING # PING
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 20 -j $MORE_CHECKING # FTP
#$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 21 -j $MORE_CHECKING # FTP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 25 -j $MORE_CHECKING # SMTP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 25 -j $MORE_CHECKING # SMTP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 37 -j $MORE_CHECKING # TIME
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 37 -j $MORE_CHECKING # TIME
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 42 -j $MORE_CHECKING # DNS
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 42 -j $MORE_CHECKING # DNS
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 53 -j $MORE_CHECKING # DNS
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 53 -j $MORE_CHECKING # DNS
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 67 -j $MORE_CHECKING # DHCP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 67 -j $MORE_CHECKING # DHCP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 68 -j $MORE_CHECKING # DHCP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 68 -j $MORE_CHECKING # DHCP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 80 -j $MORE_CHECKING # HTTP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 80 -j $MORE_CHECKING # HTTP
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 110 -j $MORE_CHECKING # POP3
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 110 -j $MORE_CHECKING # POP3
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 443 -j $MORE_CHECKING # HTTPS
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 443 -j $MORE_CHECKING # HTTPS
# Because we are using NAT, many wierd port destinations from the
# internet will have to be acceptable
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p tcp -d $CABLE_MODEM --dport 1024:65534 -j $MORE_CHECKING # NAT replies
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -p udp -d $CABLE_MODEM --dport 1024:65534 -j $MORE_CHECKING # NAT replies
#
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -j LOG $LOG_LEVEL # log all other internet packets.
$IPTABLES -t filter -A INPUT -i $CABLE_IFACE -j DROP # and then drop them
#
#----------------------------------------------------------------------------
# Input rules for Local network
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -p udp -d 255.255.255.255 --dport 67 -j ACCEPT # DHCP client b/cast
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -s $LOCAL_NET $TO_INTERNET -j ACCEPT
#
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -s $LOCAL_NET -j LOG $LOG_LEVEL # Log all packets that don't fit the above
$IPTABLES -t filter -A INPUT -i $LAN_IFACE -s $LOCAL_NET -j DROP # and then drop them
#
# Input rules for dialin cients
# Log and DROP orphan fragments (because large packets are reassembled by the interface)
$IPTABLES -t filter -A INPUT -f -i $DIALIN_IFACE -j LOG $LOG_LEVEL
$IPTABLES -t filter -A INPUT -f -i $DIALIN_IFACE -j DROP
#
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp $TO_INTERNET --dport 0:65534 -j ACCEPT # ?
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp $TO_INTERNET --dport 0:65534 -j ACCEPT # ?
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -p tcp -s $DIALIN_NET --source-port 3 -d $FILE_SERVER --dport 3 -j ACCEPT # gateway p'col
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -p udp -s $DIALIN_NET --source-port 3 -d $FILE_SERVER --dport 3 -j ACCEPT # gateway p'col
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -p tcp -s $DIALIN_NET --source-port 3 -d $DIALIN_NET --dport 3 -j ACCEPT # gateway p'col
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -p udp -s $DIALIN_NET --source-port 3 -d $DIALIN_NET --dport 3 -j ACCEPT # gateway p'col
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $SMTP_SERVER --dport 25 -j ACCEPT # SMTP mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $SMTP_SERVER --dport 25 -j ACCEPT # SMTP mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_NET --dport 25 -j ACCEPT # SMTP mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_NET --dport 25 -j ACCEPT # SMTP mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $NAME_SERVER --dport 42 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $NAME_SERVER --dport 42 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_NET --dport 42 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_NET --dport 42 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $NAME_SERVER --dport 53 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $NAME_SERVER --dport 53 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_NET --dport 53 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_NET --dport 53 -j ACCEPT # name server
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d 255.255.255.255 --dport 67 -j ACCEPT # DHCP client b/cast
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 67 -j ACCEPT # bootps
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 67 -j ACCEPT # bootps
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 68 -j ACCEPT # bootpc
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 68 -j ACCEPT # bootpc
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $HTTP_SERVER --dport 80 -j ACCEPT # www
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $HTTP_SERVER --dport 80 -j ACCEPT # www
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $POP3_SERVER --dport 110 -j ACCEPT # POP3 mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $POP3_SERVER --dport 110 -j ACCEPT # POP3 mail
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $POP3_SERVER --dport 113 -j ACCEPT # TAP auth
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_BCAST --dport 137 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_BCAST --dport 137 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 137 -j ACCEPT # netbios-ns
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 137 -j ACCEPT # netbios-ns
#$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $LOCAL_BCAST --dport 137 -j ACCEPT # netbios-ns
#$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $LOCAL_BCAST --dport 137 -j ACCEPT # netbios-ns
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_BCAST --dport 138 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_BCAST --dport 138 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 138 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 138 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_BCAST --dport 139 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_BCAST --dport 139 -j ACCEPT # netbios-dgm
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 139 -j ACCEPT # netbios-ssn
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 139 -j ACCEPT # netbios-ssn
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 445 -j ACCEPT # netbios-ssn
#
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $FILE_SERVER --dport 3128 -j ACCEPT # squid ?
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $FILE_SERVER --dport 3128 -j ACCEPT # ?
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p tcp -d $DIALIN_NET --dport 3128 -j ACCEPT # squid ?
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -s $DIALIN_NET -p udp -d $DIALIN_NET --dport 3128 -j ACCEPT # ?

#
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -j LOG $LOG_LEVEL # Log all packets that don't fit the above
$IPTABLES -t filter -A INPUT -i $DIALIN_IFACE -j DROP # and then drop them
#
###############################################################################
#
# NAT rules
if test "$SUPPORT_SQUID" != "" && test "$1" != "nosquid" && test "$2" != "nosquid"; then
echo "Redirection support for the SQUID web proxy is enabled"
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LOCAL_NET -p udp --dport 80 -j REDIRECT --to-ports 3128 # Squid proxy redir
$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -s $LOCAL_NET -p tcp --dport 80 -j REDIRECT --to-ports 3128 # Squid proxy redir
$IPTABLES -t nat -A PREROUTING -i $DIALIN_IFACE -s $DIALIN_NET -p udp --dport 80 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -i $DIALIN_IFACE -s $DIALIN_NET -p tcp --dport 80 -j REDIRECT --to-ports 3128
fi
$IPTABLES -t nat -A POSTROUTING -o $CABLE_IFACE -j SNAT --to-source $CABLE_MODEM
#
###############################################################################
#
# forwarding rules
# Forward incoming packets related to established outgoing connections
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE -o $LAN_IFACE -d $LOCAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -o $CABLE_IFACE -s $LOCAL_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE -o $DIALIN_IFACE -d $DIALIN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -o $CABLE_IFACE -s $DIALIN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow specific traffic through and quietly dispose of the rest
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -s $DIALIN_NET -d $LOCAL_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -s $DIALIN_NET -d $DIALIN_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -s $DIALIN_NET $TO_INTERNET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -s $DIALIN_NET -j LOG $LOG_LEVEL
$IPTABLES -t filter -A FORWARD -i $DIALIN_IFACE -s $DIALIN_NET -j DROP
#
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -s $LOCAL_NET -d $DIALIN_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -s $LOCAL_NET $TO_INTERNET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -s $LOCAL_NET -j LOG $LOG_LEVEL
$IPTABLES -t filter -A FORWARD -i $LAN_IFACE -s $LOCAL_NET -j DROP
#
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE $FROM_INTERNET -d $CABLE_MODEM -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE $FROM_INTERNET -d $DIALIN_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE $FROM_INTERNET -d $LOCAL_NET -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE -j LOG $LOG_LEVEL # Log all bad candidates for forwarding
$IPTABLES -t filter -A FORWARD -i $CABLE_IFACE -j DROP # and then drop them
#
###############################################################################
#
# Output rules
$IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
#
# DROP but don't log output attempts by local CIFS system
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p tcp --dport 135:139 -j DROP
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p udp --dport 135:139 -j DROP
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p tcp --dport 445 -j DROP
# DROP but don't log output attempts by local DHCP system
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p tcp --dport 67:68 -j DROP
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -p udp --dport 67:68 -j DROP
#
# Log all outgoing packets for debugging
#$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE -j LOG $LOG_LEVEL
#
$IPTABLES -t filter -A OUTPUT -o $LAN_IFACE -p udp -d 255.255.255.255 --dport 68 -j ACCEPT # allow local BOOTP/DHCP Replies
$IPTABLES -t filter -A OUTPUT -o $LAN_IFACE -d $LOCAL_NET -j ACCEPT # allow all local traffic
$IPTABLES -t filter -A OUTPUT -o $DIALIN_IFACE -d $DIALIN_NET -j ACCEPT # allow all dial-in traffic
$IPTABLES -t filter -A OUTPUT -o $CABLE_IFACE $TO_INTERNET -j ACCEPT # allow all outgoing access to internet
$IPTABLES -t filter -A OUTPUT -j LOG $LOG_LEVEL # Log all packets that don't fit the above
$IPTABLES -t filter -A OUTPUT -j DROP # and then drop them.
#
# Construct a list of firewall rules.
/etc/rc.d/bpalogin/createList.sh &
# Done!
 
  


Reply

Tags
forwarding, ip, iptables, linux, slackware


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Best Linux distro for this setup? PenguinnPower Linux - Distributions 10 08-02-2009 07:22 AM
Multi-distro partition setup; does this sound like a good setup? Twilight in Zero Linux - General 5 02-22-2009 12:15 AM
math distro....? music distro...? small distro....? jasonparent Linux - Newbie 11 02-11-2008 09:57 AM
What distro for this setup? st0len Linux - Newbie 4 06-11-2005 02:41 AM
Best Distro for this setup Peanut Linux - Software 1 06-29-2003 11:44 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 04:41 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration