Linux - Wireless Networking (LinuxQuestions.org forum): This forum is for the discussion of wireless networking in Linux.
excellent!! thanks to your logfile i can quickly determine that i accidentally left out something from the FORWARD chain (specifically the FORWARD_LAN2INET chain)...
just add this rule to the chain and it should be fine (make it the first rule in the chain):
Code:
$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
sorry about that!!!
=)
ps: i've updated the script to include this fix...
Originally posted by soylentgreen: um.. not sure about the dns daemon..
i suspect you are running a dns daemon on the gateway (unless you edited the script), as the configuration of the FORWARD_LAN2INET chain as posted only allows web traffic and pings to the internet, not dns traffic...
check-it-out:
Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################
$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN
this chain controls traffic from the lan to the internet...
the first rule allows packets from related and established connections... such as those ACK packets you were seeing get dropped in your logfile earlier... =)
the second rule allows new connections to secure web services...
the third rule allows new connections to regular web services...
the fourth rule allows hosts on the lan to ping hosts on the internet...
to allow dns queries from the lan to the internet we'd need to add a rule like this (the new rule is the UDP port 53 line):
Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################
$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN
the script (as was posted) is set to only allow dns queries from the lan to a dns daemon on the gateway itself:
Code:
###############################################################################
### INPUT_LAN2GATE
###############################################################################
$IPT -A INPUT_LAN2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT_LAN2GATE -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ALL -j RETURN
as you can see, it also allows ssh connection from the lan to the gateway, as well as pings...
these dropped packets are unrelated to the browsing issue you are (or hopefully were) having...
they look like gnutella packets... if you want to run gnutella on the gateway machine you'll need to open a port for it... and if you want to run gnutella on your girlfriend's machine you'll need to forward a port from the gateway to her machine... let me know if you need to do either of those, i'll gladly help you out...
good luck...
ps: soylentgreen, remember that on slackware you just need to put your firewall script in /etc/rc.d/rc.firewall to have it auto-start at boot... of course you need to make the file executable, etc... you probably already knew this, i'm just mentioning it to make sure...
There is however another question. How do I go about letting certain programs' ports through, I guess that's basically port forwarding? or opening up the ports on a firewall.
As of now I can't seem to get Trillian (multi-IM app, so it includes MSN, AIM, ICQ, etc.) or Steam/Counter-strike to connect. Thanks again, your help thus far has been top notch.
Originally posted by soylentgreen: OK.. yeah, she runs LimeWire for gnutella access.. and that's not working.. but everything else is working fabulously.
in forwarding the port for gnutella, is that going to be something i just add in the rc.firewall script?
yeah, you just need to add a couple rules to the shell script...
remember that you are doing NAT (network address translation) so the packets that go from the LAN to the internet leave the gateway with your gateway's ip address (hosts on the internet don't even know your lan/girlfriend's pc exists)...
what i'm getting at is that gnutella clients on the internet see your gateway's external ip as the source from which the gnutella traffic from your LAN is coming...
so, basically, what you need to "tell linux" is that any gnutella packet that hits the gateway on the internet side should be immediately sent to my girlfriend's pc (port forwarding)... you can do that by adding a couple rules to the PREROUTING and FORWARD chains... AFAIK, limewire listens on tcp/6346, so the rules would look like this:
Code:
# PREROUTING lives in the nat table, so the DNAT rule needs -t nat
$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 6346 -j DNAT \
--to-destination 192.168.0.58:6346
$IPT -A FORWARD_INET2LAN -p TCP --dport 6346 -d 192.168.0.58 \
-m state --state NEW -j ACCEPT
the first rule says "change the destination address of any tcp/6346 packet that arrives from the internet to my girlfriend's ip address"...
the second rule says "allow new tcp/6346 packets that are destined for my girlfriend's ip address" (remember that packets that aren't "new" will be "judged" by netfilter's connection tracking, in the "ESTABLISHED,RELATED" rule)...
you'll obviously also need to allow gnutella traffic from your girlfriend's pc to the internet... if the outgoing traffic also uses port 6346, then you need a rule in the FORWARD_LAN2INET chain...
like this to allow anyone on the lan to send gnutella stuff:
Code:
$IPT -A FORWARD_LAN2INET -p TCP --dport 6346 -m state --state NEW -j ACCEPT
or better yet, like this to allow only your girlfriend's pc to send gnutella stuff:
Code:
$IPT -A FORWARD_LAN2INET -p TCP --dport 6346 -s 192.168.0.58 \
-m state --state NEW -j ACCEPT
here's what your script would look like with the rules incorporated (the new rules are the PREROUTING DNAT rule and the two port 6346 rules in the FORWARD chains):
Code:
#!/bin/sh
###############################################################################
### Variables
###############################################################################
IPT="/usr/sbin/iptables"
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IP="192.168.0.1"
LAN_NET="192.168.0.0/24"
LAN_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"
###############################################################################
### Modules
###############################################################################
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc
###############################################################################
### Kernel Parameters
###############################################################################
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
###############################################################################
### Flush Chains and Set Policies
###############################################################################
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
###############################################################################
### Create User Chains
###############################################################################
$IPT -N INPUT_INET2GATE
$IPT -N INPUT_LAN2GATE
$IPT -N FORWARD_INET2LAN
$IPT -N FORWARD_LAN2INET
$IPT -N BAD_PACKETS
###############################################################################
### INPUT
###############################################################################
$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p ALL -j BAD_PACKETS
$IPT -A INPUT -p ALL -i $INET_IFACE -j INPUT_INET2GATE
$IPT -A INPUT -p ALL -i $LAN_IFACE -j INPUT_LAN2GATE
$IPT -A INPUT -p ALL -j LOG --log-prefix "INPUT DROP: "
###############################################################################
### FORWARD
###############################################################################
$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p ALL -j BAD_PACKETS
$IPT -A FORWARD -p ALL -i $LAN_IFACE -o $INET_IFACE -j FORWARD_LAN2INET
$IPT -A FORWARD -p ALL -i $INET_IFACE -o $LAN_IFACE -j FORWARD_INET2LAN
$IPT -A FORWARD -p ALL -j LOG --log-prefix "FORWARD DROP: "
###############################################################################
### OUTPUT
###############################################################################
$IPT -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -j LOG --log-prefix "OUTPUT DROP: "
###############################################################################
### PREROUTING
###############################################################################
# PREROUTING lives in the nat table, so the DNAT rule needs -t nat
$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE --dport 6346 -j DNAT \
--to-destination 192.168.0.58:6346
###############################################################################
### POSTROUTING
###############################################################################
$IPT -t nat -A POSTROUTING -p ALL -o $INET_IFACE -j MASQUERADE
###############################################################################
### INPUT_INET2GATE
###############################################################################
$IPT -A INPUT_INET2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A INPUT_INET2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT_INET2GATE -p ALL -j RETURN
###############################################################################
### INPUT_LAN2GATE
###############################################################################
$IPT -A INPUT_LAN2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT_LAN2GATE -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ALL -j RETURN
###############################################################################
### FORWARD_INET2LAN
###############################################################################
$IPT -A FORWARD_INET2LAN -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_INET2LAN -p TCP --dport 6346 -d 192.168.0.58 \
-m state --state NEW -j ACCEPT
$IPT -A FORWARD_INET2LAN -p ALL -j RETURN
###############################################################################
### FORWARD_LAN2INET
###############################################################################
$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 6346 -s 192.168.0.58 \
-m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN
###############################################################################
### BAD_PACKETS
###############################################################################
$IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A BAD_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_PACKETS -p ALL -d 255.255.255.255 -j DROP
$IPT -A BAD_PACKETS -p ALL -d $LAN_BCAST -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE ! -s $LAN_NET -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LAN_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LAN_NET -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -j RETURN
echo "So let it be written, so let it be done."
the script above essentially allows anybody on your lan to "surf the web", but only your girlfriend can use gnutella...
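Added example, not from the thread: a small sh function that builds the three rules the port-forwarding post describes (nat/PREROUTING DNAT, FORWARD_INET2LAN accept, FORWARD_LAN2INET accept for that one host) with the sanity checks the bare rules lack. It assumes the script's eth0 internet interface and 192.168.0.0/24 LAN; the function name and the "live" mode are my own, and IPT is a dry run that prints each command instead of touching the kernel.

```shell
#!/bin/sh
# Dry run: every rule is printed. Set IPT="/usr/sbin/iptables" (as root) to apply.
IPT="echo /usr/sbin/iptables"
INET_IFACE="eth0"
LAN_PREFIX="192.168.0."   # assumption: LAN is 192.168.0.0/24 as in the script

# forward_port PROTO PORT LAN_HOST [live]
#   1. nat/PREROUTING DNAT: rewrite the destination of packets arriving on the
#      internet interface. PREROUTING is in the nat table, hence "-t nat".
#   2. FORWARD_INET2LAN: accept the NEW connection now addressed to the host.
#   3. FORWARD_LAN2INET: let only that host open outgoing connections on the port.
# With "live" as 4th argument the two filter rules are inserted at position 2
# of their chain (right after the ESTABLISHED,RELATED rule) instead of appended:
# on a firewall already built by the script, -A would land them after the
# chain's closing "-j RETURN", where they would never be reached.
forward_port() {
    fp_proto=$1; fp_port=$2; fp_host=$3; fp_mode=${4:-script}
    case "$fp_proto" in
        TCP|UDP) ;;
        *) echo "forward_port: protocol must be TCP or UDP" >&2; return 1 ;;
    esac
    case "$fp_port" in
        ''|*[!0-9]*) echo "forward_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$fp_port" -lt 1 ] || [ "$fp_port" -gt 65535 ]; then
        echo "forward_port: port $fp_port out of range" >&2; return 1
    fi
    case "$fp_host" in
        "$LAN_PREFIX"*) ;;
        *) echo "forward_port: $fp_host is not a LAN address" >&2; return 1 ;;
    esac
    if [ "$fp_mode" = live ]; then
        fp_in2lan="-I FORWARD_INET2LAN 2"; fp_lan2in="-I FORWARD_LAN2INET 2"
    else
        fp_in2lan="-A FORWARD_INET2LAN"; fp_lan2in="-A FORWARD_LAN2INET"
    fi
    # $fp_in2lan / $fp_lan2in are deliberately unquoted so they split into words
    $IPT -t nat -A PREROUTING -p "$fp_proto" -i "$INET_IFACE" --dport "$fp_port" \
        -j DNAT --to-destination "$fp_host:$fp_port"
    $IPT $fp_in2lan -p "$fp_proto" --dport "$fp_port" -d "$fp_host" \
        -m state --state NEW -j ACCEPT
    $IPT $fp_lan2in -p "$fp_proto" --dport "$fp_port" -s "$fp_host" \
        -m state --state NEW -j ACCEPT
}

# The LimeWire case from the thread
forward_port TCP 6346 192.168.0.58
```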
Originally posted by chaosego: Success!
She works, thanks so much win32sux.
There is however another question. How do I go about letting certain programs' ports through, I guess that's basically port forwarding? or opening up the ports on a firewall.
As of now I can't seem to get Trillian (multi-IM app, so it includes MSN, AIM, ICQ, etc.) or Steam/Counter-strike to connect. Thanks again, your help thus far has been top notch.
i'm not sure that you'd need to forward ports for all that... but it depends on the software we are talking about... you probably just need to allow certain outgoing kinds of traffic...
the thing is, remember that the script i posted is "restrictive"... let me explain:
when configuring a firewall for a lan, you have basically two choices when it comes to the rules that judge traffic from the lan to the internet (LAN2INET):
method "A" - block everything, and then allow only the things you need...
method "B" - allow everything, and then start blocking things you don't want...
method "A" is obviously the "tighter" way of doing things... and it's what i recommend if you want something "serious"... this way you limit traffic to that which you want, and nothing else... that's the essence of a firewall...
the FORWARD_LAN2INET rules i made use method "A", and as they are posted they only allow web traffic (and pings) from the lan to the internet... for any other kind of traffic you want to allow to go out, you need to add a rule to FORWARD_LAN2INET...
for example... let's imagine that counterstrike connects to the internet using tcp ports 6300 through 6350 (it doesn't)... then, to allow counterstrike gamers on the lan to connect to the internet, you'd add a rule like this to the FORWARD_LAN2INET chain:
Code:
$IPT -A FORWARD_LAN2INET -p TCP --dport 6300:6350 -m state --state NEW -j ACCEPT
now, of course you can also switch to method "B", but i don't recommend that...
here it goes anyway...
to switch to method "B" change this:
Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################
$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN
to this:
Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################
$IPT -A FORWARD_LAN2INET -p ALL -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN
you'll then need to add rules to block unwanted stuff... for example, to block people on the lan from connecting to SSH daemons (listening on the standard port) on the internet:
Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################
$IPT -A FORWARD_LAN2INET -p TCP --dport 22 -m state --state NEW -j REJECT
$IPT -A FORWARD_LAN2INET -p ALL -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN
you can easily allow folks on the lan to connect to ftp servers on the internet (if you want)...
Code:
###############################################################################
### FORWARD_LAN2INET
###############################################################################
$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 21 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN
of course if you use method "B" then you don't need this...
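Added example, not from the thread: with method "A" the question is always "which outgoing rule is missing?", and the script's final FORWARD rule already logs every dropped packet with the prefix "FORWARD DROP: " (that logfile is how the missing ESTABLISHED,RELATED rule was found earlier in the thread). This sh/awk snippet of mine summarises those log lines into the protocol/port pairs dropped on the way out of the LAN and prints the FORWARD_LAN2INET rule each one would need, so you open exactly what a program uses instead of switching to method "B". The log lines are constructed samples in the netfilter LOG target's format; the interface names come from the script.

```shell
#!/bin/sh
LAN_IFACE="eth1"
INET_IFACE="eth0"

# Constructed sample of what /var/log/messages shows for the script's
# "FORWARD DROP: " and "INPUT DROP: " rules; addresses are documentation
# ranges and the ports are made up to look like IM and game traffic.
SAMPLE_LOG='Mar  4 21:10:01 gate kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.0.58 DST=203.0.113.10 LEN=48 TTL=127 ID=1 DF PROTO=TCP SPT=1044 DPT=1863 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  4 21:10:02 gate kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.0.58 DST=203.0.113.10 LEN=48 TTL=127 ID=2 DF PROTO=TCP SPT=1045 DPT=1863 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  4 21:10:05 gate kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.0.58 DST=198.51.100.7 LEN=60 TTL=127 ID=3 PROTO=UDP SPT=27005 DPT=27015 LEN=40
Mar  4 21:10:09 gate kernel: FORWARD DROP: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.0.58 LEN=48 TTL=52 ID=4 DF PROTO=TCP SPT=6346 DPT=6346 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  4 21:10:11 gate kernel: INPUT DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=48 TTL=52 ID=5 DF PROTO=TCP SPT=2000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# lan2inet_drops < logfile
# Prints "PROTO DPT COUNT" for each destination port dropped while leaving the
# LAN (IN=lan OUT=inet), most frequent first. Drops in the other direction
# (unsolicited inbound traffic) are exactly what the firewall should drop, so
# they are not counted.
lan2inet_drops() {
    awk -v lan="$LAN_IFACE" -v inet="$INET_IFACE" '
        /FORWARD DROP: / {
            in_if = ""; out_if = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "IN")    in_if  = kv[2]
                if (kv[1] == "OUT")   out_if = kv[2]
                if (kv[1] == "PROTO") proto  = kv[2]
                if (kv[1] == "DPT")   dpt    = kv[2]
            }
            if (in_if == lan && out_if == inet && dpt != "")
                count[proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2n
}

# suggest_rule PROTO DPT: the method "A" rule that would allow this traffic
suggest_rule() {
    echo "\$IPT -A FORWARD_LAN2INET -p $1 --dport $2 -m state --state NEW -j ACCEPT"
}

printf '%s\n' "$SAMPLE_LOG" | lan2inet_drops | while read -r proto dpt n; do
    echo "# $n drop(s): $(suggest_rule "$proto" "$dpt")"
done
```

Run it against the real log with `lan2inet_drops < /var/log/messages`; a port that shows up only once or twice is worth a second look before you add a rule for it.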
I've run into a snag.
I updated my kernel via YOU (gotta admit I was a little disappointed I didn't get to compile it myself. hehe) everything seems to be going fine except the DHCP server won't go up anymore. I get the following error: Can't open lease database /var/lib/dhcp/db/dhcpd.leases: No such file or directory --
Originally posted by chaosego: I've run into a snag.
I updated my kernel via YOU (gotta admit I was a little disappointed I didn't get to compile it myself. hehe) everything seems to be going fine except the DHCP server won't go up anymore. I get the following error: Can't open lease database /var/lib/dhcp/db/dhcpd.leases: No such file or directory --
I went to that dir and it's empty. hmmm....
create an empty lease file and try again:
Code:
touch /var/lib/dhcp/db/dhcpd.leases
PS: i forgot to mention that you can specify custom lease times in /etc/dhcpd.conf: