Old 09-21-2004, 01:11 PM   #16
soylentgreen
Member
 
Registered: Sep 2004
Location: old village
Distribution: android, BSD, CentOS, Ubuntu
Posts: 221

Rep: Reputation: 30

um.. not sure about the dns daemon..
 
Old 09-21-2004, 02:42 PM   #17
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally posted by soylentgreen
Sep 21 13:56:02 slacktop kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.0.58 DST=64.233.171.104 LEN=474 TOS=0x00 PREC=0x00 TTL=127 ID=3089 DF PROTO=TCP SPT=4232 DPT=80 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Sep 21 13:56:38 slacktop kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.0.58 DST=64.233.171.104 LEN=474 TOS=0x00 PREC=0x00 TTL=127 ID=3101 DF PROTO=TCP SPT=4232 DPT=80 WINDOW=64240 RES=0x00 ACK PSH URGP=0

excellent!! thanks to your logfile i can quickly determine that i accidentally left-out something from the FORWARD chain (specifically the FORWARD_LAN2INET chain)...

just add this rule to the chain and it should be fine (make it the first rule in the chain):

Code:
$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

sorry about that!!!

=)


ps: i've updated the script to include this fix...


Last edited by win32sux; 09-21-2004 at 02:48 PM.
 
Old 09-21-2004, 02:57 PM   #18
win32sux
Quote:
Originally posted by soylentgreen
um.. not sure about the dns daemon..

i suspect you are running a dns daemon on the gateway (unless you edited the script), as the configuration of the FORWARD_LAN2INET chain as posted only allows web traffic and pings to the internet, not dns traffic...

check-it-out:

Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN

this chain controls traffic from the lan to the internet...

the first rule allows packets from related and established connections... such as those ACK packets you were seeing get dropped in your logfile earlier... =)

the second rule allows new connections to secure web services...

the third rule allows new connections to regular web services...

the fourth rule allows hosts on the lan to ping hosts on the internet...


to allow dns queries from the lan to the internet we'd need to add a rule like this (in bold):

Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN

the script (as was posted) is set to only allow dns queries from the lan to a dns daemon on the gateway itself:

Code:
###############################################################################
### INPUT_LAN2GATE
###############################################################################

$IPT -A INPUT_LAN2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT_LAN2GATE -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ALL -j RETURN

as you can see, it also allows ssh connection from the lan to the gateway, as well as pings...


Last edited by win32sux; 09-22-2004 at 11:26 AM.
 
Old 09-21-2004, 03:05 PM   #19
win32sux
Quote:
Originally posted by soylentgreen
Sep 21 13:56:41 slacktop kernel: INPUT DROP: IN=eth0 OUT= MAC=00:80:c7:3f:28:27:00:05:5f:e8:70:70:08:00 SRC=143.229.142.174 DST=68.42.81.220 LEN=60 TOS=0x00 PREC=0x00 TTL=116 ID=20433 PROTO=UDP SPT=6348 DPT=6348 LEN=40
Sep 21 13:56:51 slacktop kernel: INPUT DROP: IN=eth0 OUT= MAC=00:80:c7:3f:28:27:00:05:5f:e8:70:70:08:00 SRC=68.61.117.76 DST=68.42.81.220 LEN=60 TOS=0x00 PREC=0x00 TTL=121 ID=49680 PROTO=UDP SPT=6346 DPT=6348 LEN=40
Sep 21 13:56:51 slacktop kernel: INPUT DROP: IN=eth0 OUT= MAC=00:80:c7:3f:28:27:00:05:5f:e8:70:70:08:00 SRC=209.161.228.131 DST=68.42.81.220 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=54859 DF PROTO=TCP SPT=1984 DPT=6346 WINDOW=65535 RES=0x00 SYN URGP=0

these dropped packets are unrelated to the browsing issue you are (or hopefully were) having...

they look like gnutella packets... if you want to run gnutella on the gateway machine you'll need to open a port for it... and if you want to run gnutella on your girlfriend's machine you'll need to forward a port from the gateway to her machine... let me know if you need to do either of those, i'll gladly help you out...

good luck...


ps: soylentgreen, remember that on slackware you just need to put your firewall script in /etc/rc.d/rc.firewall to have it auto-start at boot... of course you need to make the file executable, etc... you probably already knew this, i'm just mentioning it to make sure...


Last edited by win32sux; 09-21-2004 at 03:13 PM.
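
Added example, not part of any post in this thread: the by-eye reading of the logged drops in posts #17 and #19, written as a shell/awk triage function. The sample lines are constructed in the same kernel log format, and the path and hint labels are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): triage netfilter LOG lines by TCP flags.

# Constructed sample lines in the kernel log format quoted in this thread.
# Public addresses are RFC 5737 documentation ranges; the MAC is a placeholder.
sample_log() {
cat <<'EOF'
Sep 21 13:56:02 gw kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.0.58 DST=198.51.100.10 LEN=474 TOS=0x00 PREC=0x00 TTL=127 ID=3089 DF PROTO=TCP SPT=4232 DPT=80 WINDOW=64240 RES=0x00 ACK PSH URGP=0
Sep 21 13:56:41 gw kernel: INPUT DROP: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=116 ID=20433 PROTO=UDP SPT=6348 DPT=6348 LEN=40
Sep 21 13:56:51 gw kernel: INPUT DROP: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=192.0.2.20 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=54859 DF PROTO=TCP SPT=1984 DPT=6346 WINDOW=65535 RES=0x00 SYN URGP=0
EOF
}

# Reads syslog lines on stdin; prints one line per logged packet:
#   log-prefix|path|proto|dst:dport|tcp-flags|hint
classify_drops() {
    awk '
    match($0, /kernel: [^=]*IN=/) {
        # Text between "kernel: " and "IN=" is the --log-prefix string.
        prefix = substr($0, RSTART + 8, RLENGTH - 11)
        sub(/:? *$/, "", prefix)

        # Collect KEY=VALUE fields and bare TCP flag words after IN=.
        split("", kv); flags = ""; seen = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/) seen = 1
            if (!seen) continue
            eq = index($i, "=")
            if (eq > 0)
                kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            else if ($i ~ /^(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)$/)
                flags = flags (flags == "" ? "" : ",") $i
        }

        # IN and OUT both set: the packet was being routed through the box.
        if (kv["IN"] == "")       path = "from-gateway"
        else if (kv["OUT"] == "") path = "to-gateway"
        else                      path = "forwarded"

        # ACK set: segment of a connection already under way, so the chain
        # it traversed is missing an ESTABLISHED,RELATED accept rule.
        # SYN without ACK: a peer trying to open a new connection.
        if (kv["PROTO"] != "TCP") hint = "no-tcp-flags"
        else if (flags ~ /ACK/)   hint = "existing-connection"
        else if (flags ~ /SYN/)   hint = "new-connection"
        else                      hint = "other-tcp"

        printf "%s|%s|%s|%s:%s|%s|%s\n", prefix, path, kv["PROTO"],
               kv["DST"], kv["DPT"], flags, hint
    }'
}

sample_log | classify_drops
```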
 
Old 09-21-2004, 07:12 PM   #20
soylentgreen
YOU ROCK.

it worked perfectly...
she can now look up why her dog is pooping blood...

sorry.. TMI

thanks again,
soylentgreen
 
Old 09-21-2004, 08:39 PM   #21
soylentgreen
OK.. yeah, she runs LimeWire for gnutella access.. and that's not working.. but everything else is working fabulously.

in forwarding the port for gnutella, is that going to be something i just add in the rc.firewall script?
 
Old 09-21-2004, 09:05 PM   #22
chaosego
Member
 
Registered: Sep 2004
Location: Canada.
Distribution: Slackware 10, SuSE 9.1, VectorLinux 4.3
Posts: 56

Original Poster
Rep: Reputation: 15
Success!
She works, thanks so much win32sux.

There is however another question. How do I go about letting certain programs' ports through, I guess that's basically port forwarding? or opening up the ports on a firewall.

As of now I can't seem to get Trillian (multi-IM app, so it includes MSN, AIM, ICQ, etc.) or Steam/Counter-strike to connect. Thanks again, your help thus far has been top notch.

.
 
Old 09-22-2004, 09:35 AM   #23
win32sux
Quote:
Originally posted by soylentgreen
OK.. yeah, she runs LimeWire for gnutella access.. and that's not working.. but everything else is working fabulously.

in forwarding the port for gnutella, is that going to be something i just add in the rc.firewall script?

yeah, you just need to add a couple rules to the shell script...

remember that you are doing NAT (network address translation) so the packets that go from the LAN to the internet leave the gateway with your gateway's ip address (hosts on the internet don't even know your lan/girlfriend's pc exists)...

what i'm getting at is that gnutella clients on the internet see your gateway's external ip as the source from which the gnutella traffic from your LAN is coming from...

so, basically, what you need to "tell linux" is that any gnutella packet that hits the gateway on the internet side should be immediately sent to my girlfriend's pc (port forwarding)... you can do that by adding a couple rules to the PREROUTING and FORWARD chains... AFAIK, limewire listens on tcp/6346, so the rules would look like this:

Code:
# PREROUTING and the DNAT target live in the nat table, so -t nat is required
$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 6346 -j DNAT \
--to-destination 192.168.0.58:6346
$IPT -A FORWARD_INET2LAN -p TCP --dport 6346 -d 192.168.0.58 \
-m state --state NEW -j ACCEPT

the first rule says "change the destination address of any tcp/6346 packet that arrives from the internet to my girlfriend's ip address"...

the second rule says "allow new tcp/6346 packets that are destined for my girlfriend's ip address" (remember that packets that aren't "new" will be "judged" by the netfilter's connection tracking, in the "ESTABLISHED,RELATED" rule)...

you'll obviously also need to allow gnutella traffic from your girlfriend's pc to the internet, if the outgoing traffic also uses port 6346, then you need a rule in the FORWARD_LAN2INET chain...

like this to allow anyone on the lan to send gnutella stuff:

Code:
$IPT -A FORWARD_LAN2INET -p TCP --dport 6346 -m state --state NEW -j ACCEPT

or better yet, like this to allow only your girlfriend's pc to send gnutella stuff:

Code:
$IPT -A FORWARD_LAN2INET -p TCP --dport 6346 -s 192.168.0.58 \
-m state --state NEW -j ACCEPT

here's what your script would look like with the rules incorporated (i've put the rules in bold):




Code:
#!/bin/sh

###############################################################################
### Variables
###############################################################################

IPT="/usr/sbin/iptables"
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IP="192.168.0.1"
LAN_NET="192.168.0.0/24"
LAN_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"


###############################################################################
### Modules
###############################################################################

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc


###############################################################################
### Kernel Parameters
###############################################################################

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians


###############################################################################
### Flush Chains and Set Policies
###############################################################################

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT


###############################################################################
### Create User Chains
###############################################################################

$IPT -N INPUT_INET2GATE
$IPT -N INPUT_LAN2GATE
$IPT -N FORWARD_INET2LAN
$IPT -N FORWARD_LAN2INET
$IPT -N BAD_PACKETS


###############################################################################
### INPUT
###############################################################################

$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p ALL -j BAD_PACKETS
$IPT -A INPUT -p ALL -i $INET_IFACE -j INPUT_INET2GATE
$IPT -A INPUT -p ALL -i $LAN_IFACE -j INPUT_LAN2GATE
$IPT -A INPUT -p ALL -j LOG --log-prefix "INPUT DROP: "


###############################################################################
### FORWARD
###############################################################################

$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p ALL -j BAD_PACKETS
$IPT -A FORWARD -p ALL -i $LAN_IFACE -o $INET_IFACE -j FORWARD_LAN2INET
$IPT -A FORWARD -p ALL -i $INET_IFACE -o $LAN_IFACE -j FORWARD_INET2LAN
$IPT -A FORWARD -p ALL -j LOG --log-prefix "FORWARD DROP: "


###############################################################################
### OUTPUT
###############################################################################

$IPT -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -j LOG --log-prefix "OUTPUT DROP: "


###############################################################################
### PREROUTING
###############################################################################


$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 6346 -j DNAT \
--to-destination 192.168.0.58:6346


###############################################################################
### POSTROUTING
###############################################################################

$IPT -t nat -A POSTROUTING -p ALL -o $INET_IFACE -j MASQUERADE


###############################################################################
### INPUT_INET2GATE
###############################################################################

$IPT -A INPUT_INET2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A INPUT_INET2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT_INET2GATE -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE
###############################################################################

$IPT -A INPUT_LAN2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT_LAN2GATE -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ALL -j RETURN


###############################################################################
### FORWARD_INET2LAN
###############################################################################

$IPT -A FORWARD_INET2LAN -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_INET2LAN -p TCP --dport 6346 -d 192.168.0.58 \
-m state --state NEW -j ACCEPT
$IPT -A FORWARD_INET2LAN -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 6346 -s 192.168.0.58 \
-m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN


###############################################################################
### BAD_PACKETS
###############################################################################

$IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A BAD_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_PACKETS -p ALL -d 255.255.255.255 -j DROP
$IPT -A BAD_PACKETS -p ALL -d $LAN_BCAST -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s ! $LAN_NET -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LAN_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LAN_NET -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -j RETURN


echo "So let it be written, so let it be done."

the script above essentially allows anybody on your lan to "surf the web", but only your girlfriend can use gnutella...

=)



Last edited by win32sux; 09-26-2004 at 12:30 AM.
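
Added example, not part of win32sux's post or script: a shell/awk check that every DNAT port forward in a firewall script names the nat table (PREROUTING and the DNAT target exist only there) and has a matching ACCEPT in a FORWARD* chain for the translated address. The sample rules, the host 192.168.0.60 and ports 6347/8080 are constructed, and forwarding chains are assumed to be named FORWARD* as in the script above.

```shell
#!/bin/sh
# Added example (not from the thread): lint port forwards in an iptables script.

# Constructed rules in the style of the script above. 192.168.0.60 and the
# ports 6347 and 8080 are made up for the example.
sample_rules() {
cat <<'EOF'
$IPT -A PREROUTING -p TCP -i $INET_IFACE --dport 6346 -j DNAT \
--to-destination 192.168.0.58:6346
$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 6347 -j DNAT \
--to-destination 192.168.0.58:6347
$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 8080 -j DNAT \
--to-destination 192.168.0.60:80
$IPT -A FORWARD_INET2LAN -p TCP --dport 6346 -d 192.168.0.58 \
-m state --state NEW -j ACCEPT
$IPT -A FORWARD_INET2LAN -p TCP --dport 6347 -d 192.168.0.58 \
-m state --state NEW -j ACCEPT
EOF
}

# Reads a firewall script on stdin; prints "ip:port|ok" or "ip:port|problems"
# for every DNAT rule. Assumes forwarding chains are named FORWARD*.
check_port_forwards() {
    awk '
    # Value following option "name" in rule text s, or "" if absent.
    function opt(s, name,    n, a, i) {
        n = split(s, a, /[ \t]+/)
        for (i = 1; i < n; i++) if (a[i] == name) return a[i + 1]
        return ""
    }
    # Join backslash-continued lines into one logical rule.
    { line = pending $0; pending = "" }
    line ~ /\\$/      { sub(/\\$/, " ", line); pending = line; next }
    line ~ /^[ \t]*#/ { next }

    line ~ /-j[ \t]+DNAT/ {
        nd++
        to = opt(line, "--to-destination")
        # Without an explicit port the original --dport is kept.
        if (index(to, ":") == 0) to = to ":" opt(line, "--dport")
        d_to[nd] = to
        d_proto[nd] = toupper(opt(line, "-p"))
        # PREROUTING and the DNAT target exist only in the nat table.
        d_nat[nd] = (opt(line, "-t") == "nat")
        next
    }
    # The filter table sees the packet after DNAT, so FORWARD rules must
    # match the translated (LAN) address and port.
    line ~ /-j[ \t]+ACCEPT/ && opt(line, "-A") ~ /^FORWARD/ {
        fwd[toupper(opt(line, "-p")) "|" opt(line, "-d") ":" opt(line, "--dport")] = 1
    }
    END {
        for (i = 1; i <= nd; i++) {
            split(d_to[i], hp, ":")
            exact = d_proto[i] "|" d_to[i]       # accept for this host and port
            anyhost = d_proto[i] "|:" hp[2]      # accept for the port, any host
            problems = ""
            if (!d_nat[i]) problems = "missing -t nat"
            if (!(exact in fwd) && !(anyhost in fwd))
                problems = problems (problems == "" ? "" : "; ") "no FORWARD accept"
            print d_to[i] "|" (problems == "" ? "ok" : problems)
        }
    }'
}

sample_rules | check_port_forwards
```

To check a real script, run `check_port_forwards < /etc/rc.d/rc.firewall`.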
 
Old 09-22-2004, 09:37 AM   #24
win32sux
Quote:
Originally posted by chaosego
Success!
She works, thanks so much win32sux.

There is however another question. How do I go about letting certain programs' ports through, I guess that's basically port forwarding? or opening up the ports on a firewall.

As of now I can't seem to get Trillian (multi-IM app, so it includes MSN, AIM, ICQ, etc.) or Steam/Counter-strike to connect. Thanks again, your help thus far has been top notch.

.

i'm not sure that you'd need to forward ports for all that... but it depends on the software we are talking about... you probably just need to allow certain outgoing kinds of traffic...

the thing is, remember that the script i posted is "restrictive"... let me explain:

when configuring a firewall for a lan, you have basically two choices when it comes to the rules that judge traffic from the lan to the internet (LAN2INET):

method "A" - block everything, and then allow only the things you need...

method "B" - allow everything, and then start blocking things you don't want...


method "A" is obviously the "tighter" way of doing things... and it's what i recommend if you want something "serious"... this way you limit traffic to that which you want, and nothing else... that's the essence of a firewall...

the FORWARD_LAN2INET rules i made use method "A", and as they are posted they only allow web traffic (and pings) from the lan to the internet... for any other kind of traffic you want to allow to go out, you need to add a rule to FORWARD_LAN2INET...

for example... let's imagine that counterstrike connects to the internet using tcp ports 6300 through 6350 (it doesn't)... then, to allow counterstrike gamers on the lan to connect to the internet, you'd add a rule like this to the FORWARD_LAN2INET chain:

Code:
$IPT -A FORWARD_LAN2INET -p TCP --dport 6300:6350 -m state --state NEW -j ACCEPT

now, of course you can also switch to method "B", but i don't recommend that...


here it goes anyway...

to switch to method "B" change this:

Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN

to this:

Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p ALL -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN

you'll then need to add rules to block unwanted stuff... for example, to block people on the lan from connecting to SSH daemons (listening on the standard port) on the internet:

Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p TCP --dport 22 -m state --state NEW -j REJECT
$IPT -A FORWARD_LAN2INET -p ALL -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN

Last edited by win32sux; 09-22-2004 at 11:24 AM.
 
Old 09-22-2004, 09:56 AM   #25
win32sux
one more thing... since you have the ability to do NAT and connection tracking for FTP packets:

Quote:
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

you can easily allow folks on the lan to connect to ftp servers on the internet (if you want)...

Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 21 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN

of course if you use method "B" then you don't need this...



Last edited by win32sux; 09-22-2004 at 11:22 AM.
 
Old 09-22-2004, 10:28 AM   #26
chaosego
Wow, seriously, you're definitely the man.

Works like a charm, thank you so much, I'm seriously running out of reasons to use windows...

Thanks again, man, good luck to soylentgreen, you're in good hands. hehe.
 
Old 09-22-2004, 01:03 PM   #27
soylentgreen
yes, thanks again... limewire works, as well as ftp..

*bows*
 
Old 09-22-2004, 01:13 PM   #28
win32sux
you guys are both very welcome!! it's been a pleasure...

=)


let me know if you need any further assistance...

good luck!!
 
Old 09-24-2004, 12:21 PM   #29
chaosego
I've run into a snag.
I updated my kernel via YOU (gotta admit I was a little disappointed I didn't get to compile it myself. hehe) everything seems to be going fine except the DHCP server won't go up anymore. I get the following error.
Can't open lease database /var/lib/dhcp/db/dhcpd.leases: No such file or directory --

I went to that dir and it's empty. hmmm....
 
Old 09-24-2004, 01:14 PM   #30
win32sux
Quote:
Originally posted by chaosego
I've run into a snag.
I updated my kernel via YOU (gotta admit I was a little disappointed I didn't get to compile it myself. hehe) everything seems to be going fine except the DHCP server won't go up anymore. I get the following error.
Can't open lease database /var/lib/dhcp/db/dhcpd.leases: No such file or directory --

I went to that dir and it's empty. hmmm....

create an empty lease file and try again:

Code:
touch /var/lib/dhcp/db/dhcpd.leases


PS: i forgot to mention that you can specify custom lease times in /etc/dhcpd.conf:

Code:
ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.0 {
   range 192.168.0.2 192.168.0.254;
   option subnet-mask 255.255.255.0;
   option broadcast-address 192.168.0.255;
   option domain-name-servers 192.168.0.1;
   option routers 192.168.0.1;
   default-lease-time 21600;
   max-lease-time 43200;
}

i hope this helps... good luck...


Last edited by win32sux; 09-24-2004 at 01:17 PM.
 
  

