EXTERNAL NETWORK B (Connected to Eth1 on Linux Box)
================
PC3: 192.168.29.20 (Gateway is set to 192.168.29.1)
PC4: 192.168.29.21 (Gateway is set to 192.168.29.1)
Ok..so it looks like this:
LINUX
Internal NetworkA --> eth0 eth1<----- External NetworkB
!** br0 **!
Ping Results at the moment (before loading the firewall script)
=============================================
Internal NetworkA PCs can ping and access PCs on External NetworkB
and vice versa.
Linux PC can ping Internal NetworkA PCs and also External NetworkB.
Ok....this means that External NetworkB can use the internet and access internal shares 100%. This works at the moment. Internet on External NetworkB runs via the router in Internal NetworkA.
WHAT I WANT TO DO IS:
=================
I want the "FIREWALL" script to do the following:
* Block "ALL INCOMING" traffic from the "External NetworkB (Eth1)", so all traffic going to the br0 (192.168.29.100) from "External NetworkB (Eth1)" will be DROPPED.
* Traffic from "External NetworkB" will mostly go to the ADSL router (192.168.29.1) for internet access. So this MUST BE BLOCKED by the Linux box.
* Now...i want to "ALLOW" only certain IPs in "EXTERNAL NETWORKB" to get access to "Internal NetworkA" and so be allowed to get access to the internet and internal network PCs.
=====================================
All Internal NetworkA PCs will have access to the ADSL router, which is what i want. Because the router is INSIDE the internal network...and not on the other side of the bridge, the bridge firewall will then have NO effect on "Internal NetworkA" trying to access the ADSL internet...which is 100% fine. "I think this statement is correct."
MY CURRENT FIREWALL SCRIPT
===========================
Run script:
> chmod +x firewall
> ./firewall
#
# (The head of the script, where $ALL, $LocalNetwork, $LIMITLOG and
# $VIOLATE are defined, was not included in the post.)
#
# Drop INPUT from hosts in the VIOLATED list.
#
iptables -A INPUT -s ! 127.0.0.1 -m recent --name VIOLATED --rttl --update --seconds 300 -j DROP
iptables -A FORWARD -s ! 127.0.0.1 -m recent --name VIOLATED --rttl --update --seconds 120 -j DROP
#
# Accept ESTABLISHED and RELATED connections on ports 1024:65535
#
for Chain in $ALL; do
iptables -A $Chain -m state --state ESTABLISHED -j ACCEPT
iptables -A $Chain -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
iptables -A $Chain -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
done
#
# IP(s) to FORWARD, MASQUERADE and DROP.
#
for IP in $LocalNetwork; do
# Accept all your LAN IP(s) explicitly.
iptables -A INPUT -s $IP -i eth+ -j ACCEPT
# Forward your LAN (out over PPP, and any NEW connection not coming in on PPP).
iptables -A FORWARD -i eth+ -o ppp+ -s $IP -d ! $IP -j ACCEPT
iptables -A FORWARD -i ! ppp+ -m state --state NEW -s $IP -j ACCEPT
# Masquerading (only for traffic leaving on a PPP interface).
iptables -t nat -A POSTROUTING -o ppp+ -s $IP -d ! $IP -j MASQUERADE
done
#
# Explicit ACCEPT / helper modules only!
#
for Chain in $ALL; do
iptables -A $Chain -m helper --helper irc -j ACCEPT
iptables -A $Chain -m helper --helper ftp -j ACCEPT
done
#
# Clamp TCP MSS to the path MTU on PPP links.
#
iptables -t mangle -A POSTROUTING -o ppp+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# IRC priority/precedence.
iptables -t mangle -A PREROUTING -p tcp --dport 6667 -j TOS --set-tos Minimize-Delay
#
# Unauthorized Packets: log, mark the source as VIOLATED, then drop.
#
iptables -N Attack
iptables -A INPUT -m state --state NEW -j Attack
iptables -A Attack $LIMITLOG "Unauthorized Packet: "
iptables -A Attack $VIOLATE
iptables -A Attack -j DROP
============================================
My Problem with Script
As you will see with the above script.....only PC3 (192.168.29.20) on the External NetworkB will be given access through the bridge into "Internal NetworkA" and so be able to use the internet. This does work because PC3 can still ping "Internal NetworkA" and access the internet. BUT SO CAN THE OTHER PCs, LIKE PC4 on External NetworkB, which WAS NOT allowed in the script. SO IT LOOKS LIKE the script does not block any traffic or IPs.
According to the script, only PC3 (192.168.29.20) will have access to the internet, and it does...But if i change PC3's IP to 192.168.29.50 (which does not have access) it still has internet access and still can ping internal PCs.
Ping Results NOW (AFTER loading the firewall script)
=============================================
* I can't ping the Linux box (192.168.29.100) from internal or external networks. Which is ok because i don't need to ping it....but anyways...this was possible before i loaded the script.
* Linux box can ping "INTERNAL NETWORKA" PCs, but can't ping "EXTERNAL PC". No reply from External Network PCs.
MY QUESTION IS: WHAT IS WRONG WITH MY SCRIPT? Can anybody find a problem here?
I didn't write this script myself...someone gave it to me and i just edited it.
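For comparison, an added example (not the poster's script, nor from anyone in this thread) of an allow-list bridge firewall for the layout described in this post. It assumes br0 bridges eth0 (Internal NetworkA) and eth1 (External NetworkB), that br_netfilter is loaded with net.bridge.bridge-nf-call-iptables=1 so bridged frames traverse iptables' FORWARD chain, and that PC3 is the only external host allowed through; the ipt wrapper and DRY_RUN switch are mine.

```shell
#!/bin/sh
# Added example, not the poster's script: allow-list firewall for a Linux box
# bridging eth0 (Internal NetworkA) and eth1 (External NetworkB) as br0.
# Assumes br_netfilter is loaded and net.bridge.bridge-nf-call-iptables=1, so
# bridged frames traverse iptables' FORWARD chain. DRY_RUN=1 prints the rules.

EXT_IF=eth1                 # bridge port facing External NetworkB
INT_IF=eth0                 # bridge port facing Internal NetworkA
ALLOWED="192.168.29.20"     # external hosts allowed through (PC3 in the post)

# Run iptables, or just print the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

bridge_firewall() {
    # Transit frames on a bridge only hit FORWARD; with a default policy of
    # ACCEPT every host that matches no rule is let through, so set DROP first.
    ipt -P FORWARD DROP
    ipt -P INPUT DROP
    ipt -F FORWARD
    ipt -F INPUT

    # The box itself: loopback, replies to what it started, and new
    # connections to 192.168.29.100 only from the internal port.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m physdev --physdev-in "$INT_IF" -j ACCEPT

    # Through the bridge: replies first, then the allow-list.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for ip in $ALLOWED; do
        ipt -A FORWARD -m physdev --physdev-in "$EXT_IF" -s "$ip" -j ACCEPT
    done
    # Any other frame entering on the external port is logged (rate-limited)
    # and dropped; frames from the internal port are forwarded freely.
    ipt -A FORWARD -m physdev --physdev-in "$EXT_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "bridge-drop: "
    ipt -A FORWARD -m physdev --physdev-in "$EXT_IF" -j DROP
    ipt -A FORWARD -m physdev --physdev-in "$INT_IF" -j ACCEPT
}

# Apply only when run as: ./bridge-fw.sh apply (needs root and br_netfilter).
if [ "${1:-}" = apply ]; then
    bridge_firewall
fi
```

Run it with DRY_RUN=1 first and read the printed rules; a host like PC4 matches nothing but the final external-port DROP, which is the behaviour the post asks for.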
yes i did read it....i also have an advanced linux user by my side and he can't spot the problem. THAT'S WHY I AM HERE ON THIS FORUM...for help... THAT'S WHY WE ARE ALL HERE, HUH!!!!!!!!!!!