LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-07-2006, 06:11 PM   #16
win32sux
LQ Guru
hi flashstar... just wondering how this is going (or went)...

ain't heard from you for a few days...

i hope all is well... =/
 
Old 09-07-2006, 11:41 PM   #17
flashstar
LQ Newbie
Original Poster
Sorry for not being on, I have been up to my eyeballs in homework. I did manage however to go back to Ubuntu, and things seem to be much more stable. I will try quickly tonight to get your script to work.

Thanks
 
Old 09-07-2006, 11:52 PM   #18
flashstar
LQ Newbie
Original Poster
Shoot, I just realised that Ubuntu doesn't let you run as root. How do you edit sysctrl.conf? Thanks
 
Old 09-08-2006, 06:38 AM   #19
win32sux
LQ Guru
Quote:
Originally Posted by flashstar
Shoot, I just realised that Ubuntu doesn't let you run as root. How do you edit sysctrl.conf? Thanks
on ubuntu you use sudo to run commands with root privileges... so you can do it like this (as the user you set up during the installation):
Code:
sudo vi /etc/sysctl.conf
sudo will ask you for the password of the non-root account you are using, and once you give it you'll be editing the file with vi with root power... almost anything you need to do on ubuntu as root should be done with sudo instead...
 
Old 09-08-2006, 07:14 PM   #20
flashstar
LQ Newbie
Original Poster
I tried again, only this time with Ubuntu. I created a network configuration file, applied it, set port forwarding and enabled that, and I configured the lan card for an IP address of 192.168.1.2 netmask 255.255.255.0. Still no go, I guess it really may be the network card.
 
Old 09-08-2006, 07:35 PM   #21
win32sux
LQ Guru
could i have a look at the current output from all those previous commands??
Code:
ifconfig
Code:
route -n
Code:
cat /etc/resolv.conf
Code:
sudo iptables -L -n -v
Code:
cat /proc/sys/net/ipv4/ip_forward
Code:
cat /proc/sys/net/ipv4/conf/all/rp_filter

Last edited by win32sux; 09-08-2006 at 08:52 PM.
 
Old 09-08-2006, 10:54 PM   #22
flashstar
LQ Newbie
Original Poster
Here are the results:

flashstar@ubuntu:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:11:95:1D:E4:94
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::211:95ff:fe1d:e494/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:468 (468.0 b)
Interrupt:58 Base address:0x6000

eth1 Link encap:Ethernet HWaddr 00:30:1B:BB:73:A1
inet addr:192.168.2.16 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::230:1bff:febb:73a1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2567 errors:0 dropped:0 overruns:0 frame:0
TX packets:522 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:775839 (757.6 KiB) TX bytes:124242 (121.3 KiB)
Interrupt:233 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:256 (256.0 b) TX bytes:256 (256.0 b)

flashstar@ubuntu:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1

flashstar@ubuntu:~$ cat /etc/resolv.conf
search hsd1.tx.comcast.net
nameserver 192.168.2.1

flashstar@ubuntu:~$ sudo iptables -L -n -v
Chain INPUT (policy DROP 35 packets, 4253 bytes)
pkts bytes target prot opt in out source destination
2 80 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination

flashstar@ubuntu:~$ cat /proc/sys/net/ipv4/ip_forward
1

flashstar@ubuntu:~$ cat /proc/sys/net/ipv4/conf/all/rp_filter
1
 
Old 09-08-2006, 11:22 PM   #23
win32sux
LQ Guru
everything looks great now - except this:
Quote:
Originally Posted by flashstar
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW
you have the WAN_IFACE and LAN_IFACE values inverted in the script... there's no way it would be able to work like that... i should have caught that before - my bad... =(

change this part of the script:
Code:
WAN_IFACE="eth0"
LAN_IFACE="eth1"
to this:
Code:
WAN_IFACE="eth1"
LAN_IFACE="eth0"
then re-execute the script and everything should work fine... remember that the clients on the LAN should have an IP in the 192.168.1.0/24 subnet and be configured to use 192.168.1.2 as their gateway and 192.168.2.1 as their DNS server... also, make sure they don't have any proxy configured for use...

Last edited by win32sux; 09-09-2006 at 12:23 AM.
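An added check, not from the thread or win32sux's script, that catches the inversion diagnosed above before the rules are loaded: it compares the script's WAN_IFACE/LAN_IFACE values against the interface that carries the single default route in `route -n`, and against the in/out columns of the FORWARD "state NEW" rule in `iptables -L -n -v`. The route and rule samples below are constructed from the output posted earlier in this thread.

```sh
#!/bin/sh
# Added example: verify WAN_IFACE/LAN_IFACE against the kernel's default route
# and against the loaded FORWARD rule. Not part of the original script.

# Constructed sample of `route -n` output, matching the values in this thread.
ROUTE_OUT='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1'

# Constructed samples of the FORWARD "state NEW" rule from `iptables -L -n -v`,
# first as it looked with the interfaces inverted, then as it should look.
FWD_BAD='0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state NEW'
FWD_GOOD='0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state NEW'

# Print the interface carrying the default route; fail unless there is
# exactly one, since the gateway box must only have one default gateway.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { n++; iface = $NF }
        END { if (n != 1) exit 1; print iface }'
}

# Exit 0 when WAN_IFACE ($2) owns the default route and LAN_IFACE ($3) does
# not, given `route -n` output in $1.
check_ifaces() {
    def=$(default_iface "$1") || return 1
    [ "$def" = "$2" ] && [ "$def" != "$3" ]
}

# Exit 0 when the FORWARD "state NEW" rule in $1 accepts LAN -> WAN only:
# the "in" column (field 6) must be LAN_IFACE ($3) and the "out" column
# (field 7) must be WAN_IFACE ($2).
check_forward_rule() {
    printf '%s\n' "$1" | awk -v wan="$2" -v lan="$3" \
        '/state NEW/ { if ($6 == lan && $7 == wan) ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# Run the checks on the constructed samples (WAN=eth1, LAN=eth0).
check_ifaces "$ROUTE_OUT" eth1 eth0 && echo "default route is on WAN (eth1): ok"
check_forward_rule "$FWD_BAD" eth1 eth0 || echo "FORWARD rule inverted: swap WAN_IFACE/LAN_IFACE"
check_forward_rule "$FWD_GOOD" eth1 eth0 && echo "FORWARD rule accepts LAN -> WAN: ok"
```

Feed it the live output instead of the samples (`check_ifaces "$(route -n)" eth1 eth0`) to confirm the variables before running the script on a real box.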
 
Old 09-09-2006, 11:41 AM   #24
flashstar
LQ Newbie
Original Poster
flashstar@ubuntu:~/Desktop$ sudo iptables -L -n -v
Chain INPUT (policy DROP 11 packets, 1025 bytes)
pkts bytes target prot opt in out source destination
3 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
pkts bytes target prot opt in out source destination

Does this look ok?

Also, for the lan card, should it have a default gateway set?

Last edited by flashstar; 09-09-2006 at 11:48 AM.
 
Old 09-09-2006, 06:16 PM   #25
win32sux
LQ Guru
Quote:
Originally Posted by flashstar
flashstar@ubuntu:~/Desktop$ sudo iptables -L -n -v
Chain INPUT (policy DROP 11 packets, 1025 bytes)
pkts bytes target prot opt in out source destination
3 120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 3 packets, 120 bytes)
pkts bytes target prot opt in out source destination

Does this look ok?

Also, for the lan card, should it have a default gateway set?
looks good!!! no, the LAN card doesn't need a gateway set... the box only needs to have one gateway, on the WAN side... the route output you posted above confirms it's already properly set... now it's just a matter of making sure the IP configuration on the LAN clients is fine and you should be set... for starters, try pinging google from a client on the LAN... let me know how it goes... good luck!!!

Last edited by win32sux; 09-09-2006 at 06:17 PM.
 
Old 09-09-2006, 08:25 PM   #26
flashstar
LQ Newbie
Original Poster
I tried manually setting a client on the LAN side, but I could still not retrieve Google. I had the IP address set to 192.168.1.5, netmask set to 255.255.255.0, and the gateway/DNS at 192.168.2.1.

I'll try it again.
 
Old 09-09-2006, 08:36 PM   #27
win32sux
LQ Guru
Quote:
Originally Posted by flashstar
and the gateway/dns at 192.168.2.1.
you need to fix that... the gateway for your LAN clients is 192.168.1.2 (the IP of the LAN interface on your ubuntu box)... the DNS is fine as 192.168.2.1 (the IP of your buffalo router)...

Last edited by win32sux; 09-09-2006 at 08:49 PM.
 
Old 09-09-2006, 10:25 PM   #28
flashstar
LQ Newbie
Original Poster
THANKS SO MUCH!!!!

I finally got a working connection. I just set the gateway to 192.168.1.2 on the LAN computer I was testing. Hopefully this will help everyone who tries to do the same thing as me. To get everything working perfectly though, I have a few questions.

I need to be able to accept incoming ports 27015, 8080, the vpn port, HTTPS port, and the DNS port.

Also, I would like to set this up to run as a DHCP server so that I don't have to manually set up each computer.

Finally, what is an easy way to get a transparent proxy to work?

Thanks again. You have been the most helpful person that I have met online.
 
Old 09-10-2006, 02:28 AM   #29
win32sux
LQ Guru
Quote:
Originally Posted by flashstar
THANKS SO MUCH!!!!
you're very welcome!!!

Quote:
I finally got a working connection. I just set the gateway to 192.168.1.2 on the LAN computer I was testing.
yup, i had a feeling that was gonna do the trick...

Quote:
Hopefully this will help everyone who tries to do the same thing as me.
you can rest assured your thread will help many people...

Quote:
I need to be able to accept incoming ports 27015, 8080, the vpn port, HTTPS port, and the DNS port.
you want these incoming connections on the ubuntu box?? or do you want to have the ubuntu box forward them to a box on the LAN?? let me know and i'll give you the appropriate rules...

i just have two questions: why do you need to accept incoming DNS?? are you planning to make the ubuntu box a DNS daemon for the LAN?? or is it a DNS server for the WAN?? oh, and speaking of WAN, that brings me to my next question: you need those ports enabled on the LAN side or the WAN side??

Quote:
Also, I would like to set this up to run as a DHCP server so that I don't have to manually set up each computer.
sounds like a good idea to me...

here's a dhcpd.conf file to get you started (i've pre-configured it for you):
Code:
ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
       option routers 192.168.1.2;
       option subnet-mask 255.255.255.0;
       option domain-name "example.net";
       option domain-name-servers 192.168.2.1;
       option broadcast-address 192.168.1.255;
       range 192.168.1.3 192.168.1.254;
       default-lease-time 43200;
       max-lease-time 86400;
       }
Quote:
Finally, what is an easy way to get a transparent proxy to work?
well, it's just a matter of getting squid up and running and then adding a couple of rules to the iptables script... but i suggest you leave this for last... let's move on to the DHCP server now... you'll need to make a small addition to the script in order for DHCP to work on the LAN:
Code:
#!/bin/sh

IPT="/sbin/iptables"

WAN_IFACE="eth1"
LAN_IFACE="eth0"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p UDP -i $LAN_IFACE \
--dport 67 --sport 68 -j ACCEPT

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m state --state NEW -j ACCEPT

$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
also, let me know if you already figured out how to make the iptables rules stick - cuz if not then they get lost upon reboot...

Quote:
Thanks again. You have been the most helpful person that I have met online.
hehe, happy to help...

Last edited by win32sux; 09-10-2006 at 02:30 AM.
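As an added check that is not part of the thread, here is a small shell function that validates the dhcpd.conf above against the rest of this setup: the routers option must be the gateway's LAN IP (192.168.1.2, the value the client needed set by hand earlier), and the lease range must sit inside the declared subnet without including the router. The dhcpd.conf is embedded as constructed sample input; the subnet arithmetic assumes a contiguous netmask.

```sh
#!/bin/sh
# Added example: sanity-check a dhcpd.conf against the gateway's LAN IP.
# Not part of the thread; assumes a contiguous netmask (e.g. 255.255.255.0).

# The dhcpd.conf from the post above, embedded here as the sample input.
DHCPD_CONF='ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
       option routers 192.168.1.2;
       option subnet-mask 255.255.255.0;
       option domain-name "example.net";
       option domain-name-servers 192.168.2.1;
       option broadcast-address 192.168.1.255;
       range 192.168.1.3 192.168.1.254;
       default-lease-time 43200;
       max-lease-time 86400;
       }'

# Prints "ok" and exits 0, or prints the first problem found and exits 1.
# $1 = dhcpd.conf text, $2 = IP of the LAN interface on the gateway box.
check_dhcpd() {
    printf '%s\n' "$1" | awk -v lan_ip="$2" '
        # dotted quad -> integer; awk doubles hold 32-bit values exactly
        function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256+a[2])*256+a[3])*256+a[4] }
        $1 == "subnet" { net = ip2n($2); mask = ip2n($4) }
        $1 == "option" && $2 == "routers" { sub(/;$/, "", $3); gw = $3 }
        $1 == "range" { sub(/;$/, "", $3); lo = ip2n($2); hi = ip2n($3) }
        END {
            if (gw == "") { print "no routers option"; exit 1 }
            if (gw != lan_ip) { print "routers " gw " is not the LAN IP " lan_ip; exit 1 }
            size = 4294967296 - mask        # addresses covered by a contiguous mask
            g = ip2n(gw)
            if (g < net || g >= net + size) { print "router outside subnet"; exit 1 }
            if (lo < net || hi >= net + size || lo > hi) { print "range outside subnet"; exit 1 }
            if (g >= lo && g <= hi) { print "router inside lease range"; exit 1 }
            print "ok"
        }'
}

# Check the sample config against the LAN interface IP used in this thread.
check_dhcpd "$DHCPD_CONF" 192.168.1.2
```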
 
Old 09-10-2006, 12:41 PM   #30
flashstar
LQ Newbie
Original Poster
Thanks again. I have been running the firewall on the LAN side of the Buffalo so DHCP would currently make a big difference. However, I was wondering if it would be possible to put the Linux firewall in between the Buffalo and the Internet. This would simply be easier because I could let the Buffalo continue to assign IPs and handle all the other basic parts of networking with the local Windows machines.

So I don't necessarily need to have DHCP working (sorry I wasn't really thinking last night). I just need to get the proxy server up and running as a transparent proxy. Also, will plugging the Linux firewall right into the internet cause me to have to make any changes to the setup? I just need to know the IP of the main external DNS server, right? Then, setting up the transparent proxy should be easy?

I'm sorry if I can't really answer the questions about the ports now until I get it all evened out.

The main final goal of the firewall is to just have it as a "gateway" so that it can filter all data before it reaches the Buffalo. If I can have it do double duty as a transparent proxy server, that would be awesome as well.

You could probably get quite popular if you combine all of your answers here into a step-by-step guide! I'm sure that a ton of people are wanting to know how to do this.