LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 09-30-2001, 10:30 PM   #1
davinci
LQ Newbie
 
Registered: Sep 2001
Location: rather not say
Distribution: red hat
Posts: 3

Rep: Reputation: 0
ip masq


here's my network

internet <---> (eth0) linuxbox (eth1) <---> HUB <---> 5 pc's (all win9x)
               (dhcp assigned)  (10.200.10.2)        (between 10.200.10.3-6)

I am running red hat 7.1, eth0 is attached to cable modem, eth1 is a second nic attached to the hub,

I tried making a script and entering the commands manually:
echo "1" > /proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY
ipchains -A forward -s 10.200.10.2/6 -j MASQ

all commands enter perfectly with no errors (makes me believe it's working). I then go to any windows machine and set the gateway to 10.200.10.2; when I try to access the net I can't. I tried using domain names to access websites as well as the websites' ip addresses and no go.

I can ping any ip address to any nic on the network and can access other pc's on the network

first time setting up ip masq, any help would be appreciated


I have posted on many boards to keep track of, so if possible if you could email me your response it would be great

thanks
Loren
davinci@seascape.com
 
Old 10-01-2001, 03:00 AM   #2
hazza96
Member
 
Registered: Apr 2001
Location: Brisbane, Australia
Distribution: Ubuntu
Posts: 146

Rep: Reputation: 15
Is the IP address of eth1 10.200.10.2?

If it's not then you have configured your win boxes incorrectly.

I have a similar setup except I use a ppp connection via a modem. My setup looks like this:

internet <--> (ppp0) linuxbox (eth0) <---> winboxes

eth0 has an IP address of 192.168.1.1, all the win boxes use that as their default gateway and that is how I am typing this up.

One other difference is I use iptables. It took me a while to understand even a little of iptables but it is worth it.

As for responding to your personal e-mail address, sorry but if you subscribed to linuxquestions the right way then you should receive a notification that I have replied to your post. If you can't be bothered to then check it, well it can't be that important.
 
Old 10-01-2001, 05:20 AM   #3
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Try this!

echo "1" > /proc/sys/net/ipv4/ip_forward
# for dhcp
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
ipchains -A forward -i eth0 -j MASQ
ipchains -M -S 6800 15 200
# stops spoofing on Cable interface
ipchains -A input -i eth0 -s 10.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 172.16.0.0/12 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 192.168.0.0/16 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 127.0.0.0/8 -d 0/0 -j REJECT -l
ipchains -A input -i eth0 -s 255.255.255.255 -j REJECT -l
ipchains -A input -i eth0 -d 0.0.0.0 -j REJECT -l

----------------
Note: Ok so the above is just going to allow NAT it's not a firewall, you'll need to change the input, output & forward chains to REJECT and add rules to allow source to destination to port.

Use iptables if you need to do more complicated load balancing or port forwarding, otherwise stick to ipchains.

/Raz

Last edited by raz; 10-02-2001 at 04:55 AM.
 
Old 10-01-2001, 11:34 AM   #4
allene
LQ Newbie
 
Registered: Jul 2001
Location: Palo Alto
Distribution: RH 7.1
Posts: 3

Rep: Reputation: 0
Hi Loren,

Had same trouble you had, or at least something similar. I modified the auto generated file /etc/sysconfig/ipchains to the following:


--------------------------------start-------------------------------------------------
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:input ACCEPT
:forward DENY
:output ACCEPT

# accept local loopback
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT

# accept everything on the local network -- eth1 is local, eth0 is external
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT

# accept dns servers
-A input -s 123.456.789.987 53 -d 0/0 -p udp -j ACCEPT
-A input -s 123.456.789.65 53 -d 0/0 -p udp -j ACCEPT


#
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT

# stop external addresses claiming to be local
-A input -i eth0 -s 192.168.1.0/24 -j DENY


-A forward -s 192.168.1.0/255.255.255.0 -j MASQ
-A forward -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ
-A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY

------------------------------------end--------------------------------------------

What this does is run ipchains during the boot up process such that each command run takes its body from a line above. For example, the line "-A input -s 123.456.789.65 53 -d 0/0 -p udp -j ACCEPT" will cause the command "ipchains -A input -s 123.456.789.65 53 -d 0/0 -p udp -j ACCEPT" to be run at startup. I think you need to enter the dns entries. You need to add your dns server ip addresses above to match your isp. The ones in the text are generic place holders.

Good luck,

Allen
 
Old 10-01-2001, 01:17 PM   #5
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

Rep: Reputation: 58
# ipchains -A forward -i eth0 -j MASQ
 
Old 10-02-2001, 05:00 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Loren,

Go back to my post, I've edited it to change the MASQ interface "as David pointed out, I got it the wrong way round."

# any packets are to be masq'd and forwarded to the external device, in your case eth0
ipchains -A forward -i eth0 -j MASQ

/Raz
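To make the boot-time expansion that Allen describes concrete, and to catch the wrong-way-round MASQ interface that David and Raz corrected, here is an added example (not from any post, and not Red Hat's own init script) that parses the /etc/sysconfig/ipchains format into the ipchains commands run at startup and reviews the MASQ rules against the interface and LAN layout. The sample file, the interface names and the LAN range are constructed assumptions.

```python
from ipaddress import ip_network

# Constructed sample in /etc/sysconfig/ipchains format (":chain POLICY" lines,
# then one "-A ..." rule per line), modelled on the file quoted in post #4.
SAMPLE = """\
:input ACCEPT
:forward DENY
:output ACCEPT
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -j MASQ
-A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY
"""

def parse_ipchains(text):
    """Expand the file into the ipchains commands run at boot plus a rule table."""
    policies, commands, rules = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):  # ":forward DENY" becomes "ipchains -P forward DENY"
            chain, policy = line[1:].split()
            policies[chain] = policy
            commands.append(f"ipchains -P {chain} {policy}")
            continue
        commands.append("ipchains " + line)  # "-A input ..." becomes "ipchains -A input ..."
        argv = line.split()
        rule = {"chain": argv[1]}
        for i, tok in enumerate(argv[:-1]):
            if tok in ("-s", "-i", "-j"):
                rule[tok] = argv[i + 1]
        rules.append(rule)
    return policies, commands, rules

def check_masq(text, external="eth0", lan="192.168.1.0/24"):
    """Return the problems a reviewer would flag in the MASQ part of the ruleset."""
    _, _, rules = parse_ipchains(text)
    lan_net, findings = ip_network(lan), []
    masq = [r for r in rules if r["chain"] == "forward" and r.get("-j") == "MASQ"]
    for r in masq:
        # In the forward chain -i names the OUTGOING interface, so MASQ must be
        # tied to the external NIC (the correction made in posts #5 and #6).
        if "-i" in r and r["-i"] != external:
            findings.append(f"MASQ bound to {r['-i']}, expected {external}")
        src = r.get("-s", "0/0")
        net = ip_network("0.0.0.0/0" if src == "0/0" else src, strict=False)
        if not net.supernet_of(lan_net):
            findings.append(f"MASQ source {src} does not cover the LAN {lan}")
        elif net != lan_net:  # e.g. a /6 mask: anything with an 8-11.x source gets NATed
            findings.append(f"MASQ source {src} is wider than the LAN ({net})")
    return findings
```

Run against the original poster's rule with eth1 as the MASQ interface and the 10.200.10.0/24 LAN, it reports both the interface mix-up and the over-wide /6 source mask.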
 
Old 10-02-2001, 05:26 AM   #7
oni
LQ Newbie
 
Registered: Sep 2001
Posts: 3

Rep: Reputation: 0
this might help

Hello Davinci

from your message, it seemed that you've enabled ip masq for one IP only,

>> ipchains -A forward -s 10.200.10.2/6 -j MASQ

But instead, you should enable masqing for all the systems. If you don't intend to restrict anyone, the easiest way is

ipchains -A forward -s 10.200.10.0/6 -d 0.0.0.0/0 -j MASQ

please note that I have added a destination (just in case, but you might not need it).

One more thing, are you using squid or any proxy? depending on that, you might have to reroute the ports as well.

Hope this helps.

take care
 
Old 10-02-2001, 08:27 PM   #8
davinci
LQ Newbie
 
Registered: Sep 2001
Location: rather not say
Distribution: red hat
Posts: 3

Original Poster
Rep: Reputation: 0
ip masq

I am not using any proxy or anything like squid, a bud said I didn't need to when using ipchains or tables, I took it to be he was right

thanks to all of your suggestions so far, I am still working on it, not much luck so far, but I am determined to stick with linux, winXX sucks
 