Don't have internet connection using this iptable rules
Can anyone please help me? I want to ask if my rules are correct.
Here's my setup:
IP ADD provided by the ISP: 121.x.x.133
ROUTER'S IP (ALSO AS GATEWAY): 192.168.1.1
External IP: 192.168.1.98 (ETH0)
Internal IP: 192.168.1.99 (ETH1)
Subnet Mask: 255.255.255.0

Here are my rules:

INPUT (Default: DROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if input interface is lo
ACCEPT if protocol is ICMP
ACCEPT if source is 127.0.0.1 and destination is 127.0.0.1
ACCEPT if protocol is TCP and destination port is 80
ACCEPT if protocol is TCP and destination port is 22
ACCEPT if protocol is TCP and destination port is 53
ACCEPT if protocol is UDP and destination port is 22
ACCEPT if protocol is TCP and destination port is 20:21
ACCEPT if protocol is TCP and destination port is 443
ACCEPT if protocol is TCP and input interface is ETH1 and destination port is 10000

FORWARD (Default: DROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if input interface is ETH0 and output interface is ETH1
ACCEPT if input interface is ETH1 and output interface is ETH0

OUTPUT (Default: DROP)
ACCEPT if state of connection is ESTABLISHED, RELATED
ACCEPT if output interface is lo
ACCEPT if protocol is ICMP
ACCEPT if source is 127.0.0.1 and destination is 127.0.0.1
ACCEPT if protocol is TCP and source port is 80
ACCEPT if protocol is TCP and source port is 22
ACCEPT if protocol is TCP and source port is 53
ACCEPT if protocol is UDP and source port is 22
ACCEPT if protocol is TCP and source port is 20:21
ACCEPT if protocol is TCP and source port is 443
ACCEPT if protocol is TCP and input interface is ETH1 and source port is 10000

POSTROUTING (Default: ACCEPT)
SNAT if output interface is ETH0 (IP for SNAT is 121.x.x.133)

The rules above won't allow me to access any sites in my web browser. Also my email. Thanks in advance. :confused:
Is this box being directly used or is it a gateway box? If it's direct then you need to kind of swap your input/output rules (unless you are running services on that box, then you'll need to just add to the rules). If it's a gateway box then you might want to MASQUERADE instead of SNAT; they are essentially the same, but I think MASQ'ing covers more protocols (I could easily be wrong on this).
I can't really see the problem in the rules, so this might sound a bit crazy, but can you get so far as to ping the Gateway? Can you ping Google.com, can you ping 209.85.171.99? Basic checks I know but might help in finding the problem. Also (this won't be the problem), but shouldn't port 22 be TCP not UDP?
INTERNET >> ROUTER >> FIREWALL MACHINE >> SWITCH >> LAN
I also tried the MASQUERADE rule but it results in nothing.
This should be port 53, not 22.
I also tried to flush the iptables rules and accept everything, but still the computer connected to the LAN can't access the net. What could be the problem? Correct me if I'm wrong... I thought this has nothing to do with iptables, but I wonder what could be the problem. I'm new with Linux and I'm really having a hard time figuring out the problem.
Did you turn on forwarding?
Check with:
    cat /proc/sys/net/ipv4/ip_forward
Set with:
    echo 1 > /proc/sys/net/ipv4/ip_forward
You can set it permanently in /etc/sysctl.conf (on most Linux distros).
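The forwarding check from this reply, folded into a minimal gateway ruleset for the topology described in the thread (ETH0 toward the router, ETH1 toward the switch and LAN). This is an added example, not a script posted in the thread; the interface names eth0/eth1 are taken from the thread, while the WAN, LAN, IPT and IP_FORWARD names are chosen here. It follows the earlier suggestion to MASQUERADE rather than SNAT: the box's own address on eth0 is 192.168.1.98, so source-NAT to 121.x.x.133 (an address the router holds, not this host) leaves nowhere for replies to come back to. It also drops the thread's unconditional ETH0-to-ETH1 ACCEPT, since the ESTABLISHED,RELATED match already lets replies through and that rule would forward anything the router passes into the LAN unsolicited. The OUTPUT policy is ACCEPT for the gateway's own traffic, which is looser than the thread's rules but avoids the source-port matching that caused trouble later in the thread.

```shell
#!/bin/sh
# Added example, not the thread's own rules: a minimal gateway ruleset for the
# topology described above (eth0 toward the router, eth1 toward the LAN) together
# with the ip_forward check from this reply. Interface names are taken from the
# thread; WAN/LAN/IPT/IP_FORWARD are variable names chosen here.
set -eu

WAN="${WAN:-eth0}"                   # interface toward the router (192.168.1.1)
LAN="${LAN:-eth1}"                   # interface toward the switch / LAN clients
IPT="${IPT:-iptables}"               # set IPT=echo to dry-run and just print the rules
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

# Returns 0 when the kernel routes between interfaces, 1 when routed traffic is
# dropped before the FORWARD chain ever sees it.
forwarding_enabled() {
    [ "$(cat "$IP_FORWARD")" = "1" ]
}

apply_gateway_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Traffic to the firewall itself: loopback, replies, ping and SSH from the LAN only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p icmp -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Routed traffic: the LAN may open connections outward; only replies come back.
    # The thread's unconditional eth0->eth1 ACCEPT is deliberately left out.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT

    # Source NAT toward the router. eth0 holds 192.168.1.98, not 121.x.x.133, so
    # MASQUERADE (use the outgoing interface's own address) is used instead of
    # SNAT to an address this host does not own.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

case "${1:-}" in
    apply)
        forwarding_enabled || {
            echo "net.ipv4.ip_forward is 0; run: sysctl -w net.ipv4.ip_forward=1" >&2
            echo "and add 'net.ipv4.ip_forward = 1' to /etc/sysctl.conf to keep it" >&2
            exit 1
        }
        apply_gateway_rules ;;
    show)
        # Active rules in the form iptables-restore reads; quick way to see what
        # is really open instead of trusting the script.
        $IPT -S; $IPT -t nat -S ;;
esac
```

Run it as `sh gateway.sh apply` on the firewall, or `IPT=echo sh gateway.sh apply` to see the rules it would issue without touching anything. `sh gateway.sh show` lists what is currently loaded.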
Can you post a sample network setting from one of the LAN client PCs?
I wonder if the problem stems from your mixture of IP addresses used for the gateway, eth0 and eth1. My routers so far always had the same IP for the gateway and one of the ethernet cards. On the other hand, maybe I was just lucky that it worked at all.
Quote:
Also, on the machines within your network, have you ensured that they are using 192.168.1.99 as their gateway address? I assume that the machine you are dealing with is acting as a firewall and thus they must all pass through this connection.
Re gateway: the network config of one of the computers is:
ipadd: 192.168.1.107
netmask: 255.255.255.0
gateway: 192.168.1.1
I'll try to change the gateway to 192.168.1.99. I'll post the result after changing the gateway.
Another question guys.... How would I check which ports are open using the command prompt? I want to know if I really opened up the ports needed.
hello guys! My firewall is working now....
Thanks a lot guys! I will now configure the squid proxy... I hope I can. I'll keep posting the results re my configuration and will ask for your help/suggestions :)
Guys, I had another question.
This is regarding squid proxy... why can't I connect to the internet if I set the proxy? My default port for the proxy is 8000. I added these rules to my iptables:
ACCEPT if protocol is TCP and destination port is 8000 (INPUT RULE)
ACCEPT if protocol is TCP and source port is 8000 (OUTPUT RULE)
Please help me again.
That's not the default port for squid. You set squid to work on 3128. So you need to tell the browser to connect to the net through the proxy by giving its IP address and the port 8000 that you have configured it to work on. It will not work by default. Another thing to ask: is your squid running in transparent mode? If yes, then forget the browser settings. Also search the LQ forums for transparent squid.
You need not set the second rule. For web browsing port 80 is used. So you need to accept the connections originating from port 80, which you already have done.
Do I need to do some port redirection for the port used by squid?
I didn't set squid in transparent mode...
Here's the rule I used:
DNAT if the protocol is TCP and input interface is ETH0 and the destination port is 80 (wherein the destination IP is 192.168.1.99:8000).
My question is..... Will that rule make my firewall secure? Will all my rules keep our LAN protected from any hacking?
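The DNAT rule above matches packets arriving on ETH0, which in this thread's layout is the router side, not the LAN: client traffic from the switch arrives on ETH1, so the rule never sees it, while anything the router passes through on port 80 gets handed straight to squid. The added example below (not a rule from the thread or from the squid project) does the interception on the LAN-facing interface with REDIRECT, opens the proxy port only from that side (the INPUT rule discussed a few posts up had no interface match), and includes a small check that reads iptables-save output and flags any port-80 DNAT/REDIRECT bound to the router-facing interface. Interface names and port 8000 come from the thread; WAN, LAN, PROXY_PORT and IPT are names chosen here.

```shell
#!/bin/sh
# Added example, not the thread's own rule: transparent squid interception on the
# LAN-facing interface, plus a check that no port-80 DNAT/REDIRECT sits on the
# router-facing interface. Interface names and port 8000 are taken from the
# thread; WAN/LAN/PROXY_PORT/IPT are variable names chosen here.
set -eu

WAN="${WAN:-eth0}"                   # toward the router
LAN="${LAN:-eth1}"                   # toward the switch / LAN clients
PROXY_PORT="${PROXY_PORT:-8000}"     # the thread's squid port; squid's own default is 3128
IPT="${IPT:-iptables}"               # set IPT=echo to dry-run

apply_proxy_rules() {
    # Only traffic entering from the LAN is intercepted. REDIRECT delivers it to
    # squid on this host's own address, so 192.168.1.99 need not be hard-coded.
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    # Squid must then be reachable, but only from the LAN side (this also covers
    # the non-transparent case where browsers are pointed at the proxy directly).
    $IPT -A INPUT -i "$LAN" -p tcp --dport "$PROXY_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # No OUTPUT rule keyed on source port 8000 is needed: squid's replies to the
    # browser are ESTABLISHED, and its own fetches leave as NEW connections to 80/443.
    $IPT -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

# Reads iptables-save style lines on stdin and returns 1 if a port-80
# DNAT/REDIRECT is bound to the WAN interface: such a rule does nothing for LAN
# clients (their packets arrive on eth1) and exposes the proxy to the router side.
check_no_wan_interception() {
    ! grep -E -- "-A PREROUTING .*-i $WAN .*--dport 80 .*-j (DNAT|REDIRECT)"
}

case "${1:-}" in
    apply) apply_proxy_rules ;;
    check) iptables-save -t nat | check_no_wan_interception && echo "ok: no port-80 interception on $WAN" ;;
esac
```

`sh proxy.sh check` exits non-zero and prints the offending line when the current nat table still carries the ETH0 rule; `IPT=echo sh proxy.sh apply` shows the replacement rules without loading them.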
Using a firewall and NAT does increase security a lot, but protecting against hacking is never 100% possible; effectively all you can do is make it as hard as you can and deter hackers as much as possible. You can use certain techniques like sacrificial machines that log all access to them and then block the associated IPs as such... but I'd never ever say any machine connected to the internet is fully protected against hacking :(.
Thanks!!!