LinuxQuestions.org, Linux - Security forum
10-20-2006, 04:23 AM | #1 | LQ Newbie | Registered: Oct 2006 | Posts: 6
problem forwarding packets with iptables
I am having problems forwarding packets between my two NICs, in my one machine, with iptables.
e.g. while connected to eth0 (IP 192.168.1.15) I would run
# ping 192.168.0.15
Result: "network unreachable"
I can only ping the NIC that is directly connected to the system I am pinging from. If I try to ping the NIC that is not directly connected, I get the message "network unreachable".
I do not have a router on this machine. I also cannot get all those router setups, on the web, to work. What am I doing wrong? Do I have to use another tool other than ping to test if the packets are forwarded?
Here is my script
-----------------
#!/bin/sh
# configuration area
ssh="23"
min_delay="0"
max_throughput="0"
lan_addresses="192.168.0.0/24"
lan_interface="dev5861"
external_interface="eth0"
loopback_interface="lo"
gateway="192.168.0.15"
external_address="192.168.1.15"
unprivports="1024:65535"
privports="0:1023"
loopback="127.0.0.1/8"
# Enable IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Your new firewall -assignA is now loaded"
# Reset all the chains: put the default policies back to ACCEPT first
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# flush all rules from the built-in chains
iptables -F
# same as -F above
iptables --flush
# delete all user-defined chains
iptables -X
# Setting new firewall rules
# Unlimited traffic on the loopback interface
iptables -A INPUT -i $loopback_interface -j ACCEPT
iptables -A OUTPUT -o $loopback_interface -j ACCEPT
# Set all default policies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Log all packets (they end up in /var/log/messages via syslog)
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
# Stateful accept rules on all three chains
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Interface-specific rules
iptables -A FORWARD -i $external_interface -o $lan_interface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $external_interface -p tcp -s $lan_addresses -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $lan_interface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Thank you for your reply
Last edited by notsosmart; 10-20-2006 at 04:24 AM.
10-20-2006, 06:42 AM | #2 | Senior Member | Registered: Mar 2006 | Posts: 1,896
You are trying to ping from box A to box C going through box B where box B has the two NICs and the firewall rules listed above? I don't know if this is your problem, but both box A and box C would need to list box B as a gateway to the other network.
Also, your last 3 firewall rules are superfluous because any packet that could match them has already matched one of the previous three rules.
10-22-2006, 03:26 AM | #3 | LQ Newbie | Registered: Oct 2006 | Posts: 6 | Original Poster
Thank you, thank you, thank you, blackhole54!!! I did what you suggested - set the gateway for both box A and box C as box B. I then added a few routes and it works!!! Box A pings box C and vice versa.
Here is my script.
#!/bin/sh
# add routes
route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1 dev dev28028
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1 dev eth0
# SIOCADDRT: Network is unreachable
# configuration area
ssh="23"
min_delay="0"
max_throughput="0"
lan_addresses="192.168.10.0/24"
lan_interface="dev5861"
external_interface="eth0"
loopback_interface="lo"
gateway="192.168.10.1"
external_address="192.168.0.1"
unprivports="1024:65535"
privports="0:1023"
loopback="127.0.0.1/8"
# Enable IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Your new firewall -assignA is now loaded"
# Reset all the chains: put the default policies back to ACCEPT first
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# flush all rules from the built-in chains
iptables -F
# same as -F above
iptables --flush
# delete all user-defined chains
iptables -X
# Setting new firewall rules
# Unlimited traffic on the loopback interface
iptables -A INPUT -i $loopback_interface -j ACCEPT
iptables -A OUTPUT -o $loopback_interface -j ACCEPT
# Default DROP policies (currently commented out)
#iptables -P INPUT DROP
#iptables -P OUTPUT DROP
#iptables -P FORWARD DROP
# Log all packets (they end up in /var/log/messages via syslog)
iptables -A INPUT -j LOG
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
# Interface-specific stateful rules
iptables -A FORWARD -i $external_interface -o $lan_interface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $external_interface -p tcp -s $lan_addresses -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $lan_interface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Thanks again and best regards,
notsosmart
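A tighter version of box B's ruleset, written as an added example for this thread (it is not notsosmart's or blackhole54's code): it keeps the DROP policies the final script commented out, replaces the interface-less FORWARD accept from the first script with rules pinned to both interfaces and to the networks behind them, and adds a review check that flags an unpinned FORWARD ACCEPT before anything is applied. Assumed and constructed: box A's network 192.168.0.0/24 on eth0 and box C's 192.168.10.0/24 on eth1 (in place of the thread's dev5861); box A and box C still need box B as their gateway, as reply #2 says.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts: a forwarding ruleset
# for the two-NIC "box B" that keeps DROP policies and pins forwarding rules.
# Constructed layout (assumption): box A's net on eth0, box C's net on eth1.
IF_A="eth0"; NET_A="192.168.0.0/24"
IF_C="eth1"; NET_C="192.168.10.0/24"
# "apply" executes the commands (needs root); anything else just prints them.
MODE="${1:-dry-run}"

run() {
    if [ "$MODE" = "apply" ]; then "$@"; else echo "$*"; fi
}

build_rules() {
    # Forwarding is a kernel switch and is separate from every iptables rule.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    # Box B itself: replies in, anything out, ssh and ping from either LAN.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    for net in "$NET_A" "$NET_C"; do
        run iptables -A INPUT -s "$net" -p tcp --dport 22 -m state --state NEW -j ACCEPT
        run iptables -A INPUT -s "$net" -p icmp --icmp-type echo-request -j ACCEPT
    done
    # Forwarded traffic between A and C: each rule is pinned to the incoming
    # and outgoing interface and to the networks behind them, so a packet that
    # arrives on the wrong interface with a spoofed source is dropped.
    run iptables -A FORWARD -i "$IF_A" -o "$IF_C" -s "$NET_A" -d "$NET_C" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$IF_C" -o "$IF_A" -s "$NET_C" -d "$NET_A" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Rate-limited log of what the DROP policies are about to discard.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP:"
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP:"
}

# Review check for a printed listing: fail if any FORWARD ACCEPT rule is not
# pinned to both an input (-i) and an output (-o) interface. The thread's
# "-A FORWARD -m state --state NEW,... -j ACCEPT" is exactly such a rule; it
# accepts every forwarded packet and makes the FORWARD DROP policy pointless.
lint_forward() {
    awk '/^iptables -A FORWARD / && /-j ACCEPT/ && !(/ -i / && / -o /) { bad++ }
         END { exit bad ? 1 : 0 }'
}

build_rules
```

Run it without an argument and pipe the listing through lint_forward to review the rule order, then rerun with "apply" as root.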