Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Sorry for not being on, I have been up to my eyeballs in homework. I did manage however to go back to Ubuntu, and things seem to be much more stable. I will try quickly tonight to get your script to work.
Shoot, I just realised that Ubuntu doesn't let you run as root. How do you edit sysctl.conf? Thanks
on ubuntu you use sudo to run commands with root privileges... so you can do it like this (as the user you set up during the installation):
Code:
sudo vi /etc/sysctl.conf
sudo will ask you for the password of the non-root account you are using, and once you give it you'll be editing the file with vi with root power... almost anything you need to do on ubuntu as root should be done with sudo instead...
I tried again, only this time with Ubuntu. I created a network configuration file, applied it, set port forwarding and enabled that, and I configured the lan card for an IP address of 192.168.1.2 netmask 255.255.255.0. Still no go, I guess it really may be the network card.
flashstar@ubuntu:~$ sudo iptables -L -n -v
Chain INPUT (policy DROP 35 packets, 4253 bytes)
pkts bytes target prot opt in out source destination
2 80 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
you have the WAN_IFACE and LAN_IFACE values inverted in the script... there's no way it would be able to work like that... i should have caught that before - my bad... =(
change this part of the script:
Code:
WAN_IFACE="eth0"
LAN_IFACE="eth1"
to this:
Code:
WAN_IFACE="eth1"
LAN_IFACE="eth0"
then re-execute the script and everything should work fine... remember that the clients on the LAN should have an IP in the 192.168.1.0/24 subnet and be configured to use 192.168.1.2 as their gateway and 192.168.2.1 as their DNS server... also, make sure they don't have any proxy configured for use...
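The swap above matters for more than connectivity: with the values inverted, the first iptables listing shows the NEW-state FORWARD rule as "in eth1, out eth0", i.e. it would permit connections initiated on the WAN side into the LAN while blocking LAN clients from going out. As an added example (not the script from this thread), the POSIX sh script below generates an equivalent ruleset in iptables-restore format from WAN_IFACE and LAN_IFACE and audits the FORWARD rules before anything is loaded, so that an inverted pair is refused rather than applied. The interface names, the LAN subnet 192.168.1.0/24 and the MASQUERADE rule are assumptions matching the setup described in the thread.

```shell
#!/bin/sh
# Added example, not the script from this thread. Emits an iptables-restore
# ruleset for a two-NIC NAT gateway and audits the FORWARD rules so that the
# interface inversion discussed above (NEW connections allowed from WAN into
# LAN instead of LAN out to WAN) is caught before the rules are loaded.
# Interface names and the LAN subnet are assumptions.

# gen_ruleset WAN_IFACE LAN_IFACE [LAN_SUBNET]
# Prints the ruleset on stdout; does not touch the live firewall.
gen_ruleset() {
    wan="$1"; lan="$2"; subnet="${3:-192.168.1.0/24}"
    if [ -z "$wan" ] || [ -z "$lan" ] || [ "$wan" = "$lan" ]; then
        echo "gen_ruleset: WAN and LAN interfaces must be set and distinct" >&2
        return 1
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $subnet -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $subnet -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# audit_forward WAN_IFACE LAN_IFACE   (ruleset read from stdin)
# Returns 0 only if every NEW-state FORWARD rule enters on the LAN interface
# and leaves on the WAN interface; returns 1 if any such rule points the
# other way, which is exactly what the inverted variables produce.
audit_forward() {
    wan="$1"; lan="$2"; status=0
    while IFS= read -r line; do
        case "$line" in
            "-A FORWARD "*"--state NEW"*)
                case "$line" in
                    *"-i $lan -o $wan "*) ;;   # correct direction: LAN -> WAN
                    *) echo "audit_forward: wrong direction: $line" >&2; status=1 ;;
                esac ;;
        esac
    done
    return "$status"
}

# Stand-alone use (as root): sh gateway.sh apply eth1 eth0
# Generates, audits, enables forwarding, then loads the ruleset atomically.
# Nothing below runs when the file is only sourced for its functions.
if [ "${1:-}" = "apply" ]; then
    rules=$(gen_ruleset "${2:-eth1}" "${3:-eth0}") || exit 1
    printf '%s\n' "$rules" | audit_forward "${2:-eth1}" "${3:-eth0}" || exit 1
    sysctl -w net.ipv4.ip_forward=1
    printf '%s\n' "$rules" | iptables-restore
fi
```

Loading through iptables-restore replaces the whole table in one step, so a failed audit leaves the previous (or empty) ruleset in place instead of a half-applied one; `sudo iptables -L -n -v` afterwards should show the same three chains as in the listing above, with the NEW rule reading "in eth0 out eth1".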
flashstar@ubuntu:~/Desktop$ sudo iptables -L -n -v
Chain INPUT (policy DROP 11 packets, 1025 bytes)
pkts bytes target prot opt in out source destination
3 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state NEW
Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
pkts bytes target prot opt in out source destination
Does this look ok?
Also, for the lan card, should it have a default gateway set?
looks good!!! no, the LAN card doesn't need a gateway set... the box only needs to have one gateway, on the WAN side... the route output you posted above confirms it's already properly set... now it's just a matter of making sure the IP configuration on the LAN clients is fine and you should be set... for starters, try pinging google from a client on the LAN... let me know how it goes... good luck!!!
I tried manually setting a client on the LAN side, but I could still not retrieve Google. I had the ip address set to 192.168.1.5, netmask set to 255.255.255.0, and the gateway/dns at 192.168.2.1.
you need to fix that... the gateway for your LAN clients is 192.168.1.2 (the IP of the LAN interface on your ubuntu box)... the DNS is fine as 192.168.2.1 (the IP of your buffalo router)...
I finally got a working connection. I just set the gateway to 192.168.1.2 on the LAN computer I was testing. Hopefully this will help everyone who tries to do the same thing as me. To get everything working perfectly though, I have a few questions.
I need to be able to accept incoming ports 27015, 8080, the vpn port, HTTPS port, and the DNS port.
Also, I would like to set this up to run as a DHCP server so that I don't have to manually set up each computer.
Finally, what is an easy way to get a transparent proxy to work?
Thanks again. You have been the most helpful person that I have met online.
Quote:
I finally got a working connection. I just set the gateway to 192.168.1.2 on the LAN computer I was testing.
yup, i had a feeling that was gonna do the trick...
Quote:
Hopefully this will help everyone who tries to do the same thing as me.
you can rest assured your thread will help many people...
Quote:
I need to be able to accept incoming ports 27015, 8080, the vpn port, HTTPS port, and the DNS port.
you want these incoming connections on the ubuntu box?? or do you want to have the ubuntu box forward them to a box on the LAN?? let me know and i'll give you the appropriate rules...
i just have two questions: why do you need to accept incoming DNS?? are you planning to make the ubuntu box a DNS daemon for the LAN?? or is it a DNS server for the WAN?? oh, and speaking of WAN, that brings me to my next question: you need those ports enabled on the LAN side or the WAN side??
Quote:
Also, I would like to set this up to run as a DHCP server so that I don't have to manually set up each computer.
sounds like a good idea to me...
here's a dhcpd.conf file to get you started (i've pre-configured it for you):
Quote:
Finally, what is an easy way to get a transparent proxy to work?
well, it's just a matter of getting squid up and running and then adding a couple rules to the iptables script... but i suggest you leave this for last... lets move on to the DHCP server now... you'll need to make a small addition to the script in order for DHCP to work on the LAN:
Thanks again. I have been running the firewall on the LAN side of the Buffalo so DHCP would currently make a big difference. However, I was wondering if it would be possible to put the Linux firewall in between the Buffalo and the Internet. This would simply be easier because I could let the Buffalo continue to assign IPs and handle all the other basic parts of networking with the local Windows machines.
So I don't necessarily need to have DHCP working (sorry I wasn't really thinking last night). I just need to get the proxy server up and running as a transparent proxy. Also, will plugging the Linux firewall right into the internet cause me to have to make any changes to the setup? I just need to know the ip of the main external DNS server right? Then, setting up the transparent proxy should be easy?
I'm sorry if I can't really answer the questions about the ports now until I get it all evened out.
The main final goal of the firewall is to just have it as a "gateway" so that it can filter all data before it reaches the Buffalo. If I can have it do double duty as a transparent proxy server, that would be awesome as well.
You could probably get quite popular if you combine all of your answers here into a step-by-step guide! I'm sure that a ton of people are wanting to know how to do this.
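The three follow-up items in this thread (incoming ports, a service on the LAN side, and the "couple rules" a transparent squid needs) all come down to where a rule is bound. As an added example, not rules posted in the thread, the POSIX sh script below prints the iptables commands for each so they can be reviewed before being appended to the gateway script. Every rule is tied to one interface: port forwards open a single WAN port and hand it to one LAN host, LAN-only services stay unreachable from the WAN, and the proxy REDIRECT only ever sees LAN traffic. The LAN host 192.168.1.10, tcp for 27015 and 8080, squid's default port 3128 and the DNS/DHCP entries in print_additions are assumptions chosen to fit the setup described above, not values the thread settled on.

```shell
#!/bin/sh
# Added example, not rules from this thread. Prints iptables commands for the
# follow-up questions so they can be reviewed and appended to the gateway
# script: forwarding a WAN port to one LAN host (DNAT), accepting a service on
# the LAN side only, and redirecting LAN web traffic to a transparent squid on
# the gateway. The LAN host 192.168.1.10, squid's default port 3128 and the
# port list in print_additions are assumptions.

# valid_port N: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
    return 1
}

# valid_proto P: only tcp or udp are accepted for port-based rules
valid_proto() {
    case "$1" in
        tcp|udp) return 0 ;;
        *) echo "protocol must be tcp or udp: '$1'" >&2; return 1 ;;
    esac
}

# forward_port WAN_IFACE LAN_IFACE PROTO PORT LAN_HOST
# Opens exactly one port on the WAN side and hands it to LAN_HOST. The
# FORWARD rule is bound to the WAN->LAN direction and to the destination
# host, so the default FORWARD DROP still covers everything else.
forward_port() {
    wan="$1"; lan="$2"; proto="$3"; port="$4"; host="$5"
    valid_proto "$proto" || return 1
    valid_port "$port" || { echo "forward_port: bad port '$port'" >&2; return 1; }
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -i $wan -p $proto --dport $port -j DNAT --to-destination $host" \
        "iptables -A FORWARD -i $wan -o $lan -p $proto -d $host --dport $port -m state --state NEW -j ACCEPT"
}

# lan_service LAN_IFACE PROTO PORT
# Accepts a service running on the gateway itself, reachable from the LAN
# interface only; the WAN side keeps the INPUT DROP policy.
lan_service() {
    lan="$1"; proto="$2"; port="$3"
    valid_proto "$proto" || return 1
    valid_port "$port" || { echo "lan_service: bad port '$port'" >&2; return 1; }
    printf '%s\n' \
        "iptables -A INPUT -i $lan -p $proto --dport $port -m state --state NEW -j ACCEPT"
}

# transparent_proxy LAN_IFACE [SQUID_PORT]
# Redirects LAN clients' port-80 traffic to squid on the gateway. The
# REDIRECT is bound to the LAN interface, so WAN traffic is never proxied.
transparent_proxy() {
    lan="$1"; sp="${2:-3128}"
    valid_port "$sp" || { echo "transparent_proxy: bad port '$sp'" >&2; return 1; }
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-ports $sp" \
        "iptables -A INPUT -i $lan -p tcp --dport $sp -m state --state NEW -j ACCEPT"
}

# print_additions WAN_IFACE LAN_IFACE
# The full set for this thread's setup (assumed: 27015/tcp and 8080/tcp
# forwarded to 192.168.1.10, DNS and DHCP served to the LAN, transparent
# proxy on the LAN side).
print_additions() {
    wan="$1"; lan="$2"
    forward_port "$wan" "$lan" tcp 27015 192.168.1.10 \
    && forward_port "$wan" "$lan" tcp 8080 192.168.1.10 \
    && lan_service "$lan" udp 53 \
    && lan_service "$lan" udp 67 \
    && transparent_proxy "$lan"
}

# Stand-alone use: sh additions.sh print eth1 eth0
if [ "${1:-}" = "print" ]; then
    print_additions "${2:-eth1}" "${3:-eth0}"
fi
```

Because these rules append to chains whose policy is DROP, each one is an explicit exception that is easy to read back with `iptables -L -n -v`; a forwarded port that should later be closed is removed by deleting its two lines rather than by editing a catch-all rule.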