LinuxQuestions.org > Linux - Software > internet connection sharing
(https://www.linuxquestions.org/questions/linux-software-2/internet-connection-sharing-316234/)

win32sux 04-23-2005 12:42 AM

you're very welcome!! let me know if any issues come-up... good luck!!

meinzorn 04-23-2005 12:46 AM

hmm.. kinda an issue, not that big of one I guess....

but pre this, I had apache set up, as well as proftpd and they worked fine...

now they aren't working.. is it related, or did I change something without realizing it?

ssh also isn't working...... which is more of an issue than anything... I planned on using that mostly when I needed to do anything with the machine.

win32sux 04-23-2005 12:49 AM

you mean, like, to access those services on your box from the internet??

meinzorn 04-23-2005 12:50 AM

well, yeah, or the local network.. from the windows machine..

and when I try to connect with ssh, it just times out.

same with http

win32sux 04-23-2005 12:54 AM

Quote:

Originally posted by meinzorn
hmm.. kinda an issue, not that big of one I guess....

but pre this, I had apache set up, as well as proftpd and they worked fine...

now they aren't working.. is it related, or did I change something without realizing it?

ssh also isn't working...... which is more of an issue than anything... I planned on using that mostly when I needed to do anything with the machine.

Quote:

well, yeah, or the local network..

and when I try to connect with ssh, it just times out.

same with http

no problem, we just need to add a few rules to the script allowing http, ftp, and ssh (the original script i wrote was designed for complete stealth on the external interface, as i didn't know you were running services on it)...

here you go (the relevant rules are the three new INPUT rules for ports 21, 22 and 80):

Code:

#!/bin/sh

IPT="/usr/sbin/iptables"

# LAN side (the Windows box) and internet side (the PPP link)
LAN_IFACE="eth0"
INET_IFACE="ppp0"

# Forwarding stays off while the rules are rebuilt; meanwhile harden the
# IPv4 stack (SYN cookies, reverse-path filtering, no source routing,
# ICMP redirects only from known gateways, log impossible source addresses)
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Flush every rule and delete every user-defined chain in all three tables
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# Default policies: nothing inbound or forwarded unless a rule below allows
# it; the box itself may talk out freely
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# INPUT: replies to our own connections, loopback, ping requests, and the
# services running on this box (FTP 21, SSH 22, HTTP 80)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT

# Everything else inbound is logged, then falls through to the DROP policy
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

# FORWARD: the LAN may open new connections towards the internet and get
# the replies back; nothing new coming from the internet side is forwarded
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE \
-m state --state NEW -j ACCEPT
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

# NAT: rewrite the LAN's source addresses to the ppp0 address on the way out
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

# Connection-tracking helpers so active FTP and IRC DCC work through the NAT
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc

# Rules are in place, now turn forwarding on
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "So let it be written. So let it be done."


meinzorn 04-23-2005 01:01 AM

ok, so if I need a port opened for whatever reason, it's just like those added lines, only change the port number?

win32sux 04-23-2005 01:11 AM

yeah, basically... but it wouldn't be a bad idea to do some reading about iptables/netfilter so you can have a better understanding of what the script is doing:

http://www.linuxguruz.com/iptables/howto/

http://www.linuxguruz.com/iptables/

http://www.justlinux.com/nhf/Securit...es_Basics.html

http://iptables-tutorial.frozentux.n...-tutorial.html

for more iptables info: http://www.google.com/linux?hl=en&lr...es&btnG=Search

;-)


win32sux 04-23-2005 01:32 AM

BTW, that script is logging every packet that gets blocked by the firewall... you can see what packets are getting blocked in "real-time" by doing a:

Code:

tail -f /var/log/syslog

(you need to have sysklogd installed for this to work)

this is good for troubleshooting and stuff... like, for example when you weren't able to SSH to the box - by monitoring the log file you would have noticed the port 22 packets getting blocked... so you would have known it was a firewall issue right away...

it's also good for seeing all the weird spiders that crawl all over the internet... hehe...
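As an added example (not part of the thread or of win32sux's script), here is a small POSIX shell helper that does the troubleshooting step above for you: it reads syslog lines and counts the "INPUT DROP: " / "FORWARD DROP: " entries per chain, interface, protocol and destination port, so a blocked service such as SSH on port 22 stands out. The sample log lines are constructed; the hostname `gw` and the addresses in them are made up.

```shell
#!/bin/sh
# Added example (not from the thread): turn the "INPUT DROP: " / "FORWARD DROP: "
# lines the firewall script logs into per-chain, per-interface, per-port counts,
# so a blocked service (e.g. SSH on port 22) is obvious while troubleshooting.

# Constructed sample syslog lines in the netfilter LOG target's format; on the
# firewall itself the same lines come from `tail -f /var/log/syslog`.
SAMPLE_LOG='Apr 23 00:55:01 gw kernel: INPUT DROP: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51512 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 00:55:03 gw kernel: INPUT DROP: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51513 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 00:55:09 gw kernel: INPUT DROP: IN=ppp0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9 DF PROTO=TCP SPT=3311 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 23 00:55:12 gw kernel: INPUT DROP: IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=0 PROTO=UDP SPT=1434 DPT=1434 LEN=8
Apr 23 00:55:20 gw kernel: FORWARD DROP: IN=ppp0 OUT=eth0 SRC=192.0.2.50 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=230 ID=1 PROTO=TCP SPT=6000 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 23 00:55:21 gw kernel: eth0: link up'

# Read syslog lines on stdin; print "COUNT CHAIN IN_IFACE PROTO DPT", busiest first.
# Only lines carrying one of the script's two log prefixes are counted; packets
# without a port (e.g. ICMP) show "-" in the DPT column.
summarize_drops() {
    awk '
        /(INPUT|FORWARD) DROP: / {
            chain = ($0 ~ /INPUT DROP: /) ? "INPUT" : "FORWARD"
            iface = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=./)   iface = substr($i, 4)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[chain " " iface " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Total dropped packets addressed to one destination port, across both chains.
drops_for_port() {
    summarize_drops | awk -v port="$1" '$5 == port { n += $1 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On a live box, replace the `printf` with `tail -f /var/log/syslog | summarize_drops` (or pipe a saved log through `drops_for_port 22`) to see whether the connection attempts that time out are the ones being dropped.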


