Old 05-25-2006, 07:42 PM   #1
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Rep: Reputation: 30
Configuring a Gateway using Slack


I am setting up a machine as a gateway to the internet. The machine is running Slack and has 2 NICs...eth0 and eth1. Here is my ifconfig..

Code:
root@scs:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:04:5A:77:38:D8
          inet addr:192.168.1.96  Bcast:255.255.255.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:224 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:89279 (87.1 KiB)  TX bytes:29148 (28.4 KiB)
          Interrupt:6 Base address:0x9400

eth1      Link encap:Ethernet  HWaddr 00:04:5A:77:38:DC
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:9 Base address:0x9000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1105 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1105 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:231053 (225.6 KiB)  TX bytes:231053 (225.6 KiB)
The cards appear to be detected fine. eth0 is using dhcp to acquire a WAN ip address from my DSL modem. I edited the rc.inet1.conf and put the following in the eth1 field.
Code:
192.168.1.100
255.255.255.0
Unfortunately, eth1 is doing anything. The lights don't flash on the back of the PC.

What I need help with is configuring eth1 and finding out what my WinXP machine needs to input (ip address, gateway, dns, etc) in order to work with the linux box.

Thanks!

Last edited by tubatodd; 05-25-2006 at 07:43 PM.
 
Old 05-26-2006, 01:10 AM   #2
ORBiTrus
Member
 
Registered: Sep 2004
Location: On a compile thread
Distribution: CentOS, Debian, Fedora, Gentoo, Mandriva, Slackware, Ubuntu
Posts: 42

Rep: Reputation: 15
GAD!!!! Get eth1 on a different subnet and everything should be fine. To the extent that you can contact this system, unless you have also set up routing and iptables but not mentioned it...

192.168.0.1 as a router address will make Windows happy. Take a look at the Gentoo Home Router guide for an excellent information source, which translates into Slack pretty easily.
 
Old 05-26-2006, 01:54 AM   #3
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
ORBiTrus is right, you need eth1 to be on another network address; go with the 192.168.2.0 network. Your /etc/rc.d/rc.inet1.conf should look like this:

# /etc/rc.d/rc.inet1.conf
#
# This file contains the configuration settings for network interfaces.
# If USE_DHCP[interface] is set to "yes", this overrides any other settings.
# If you don't have an interface, leave the settings null ("").

# Config information for eth0:
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]="yes"
DHCP_HOSTNAME[0]=""

# Config information for eth1:
IPADDR[1]="192.168.2.1"
NETMASK[1]="255.255.255.0"
USE_DHCP[1]="no"
DHCP_HOSTNAME[1]=""

# Config information for eth2:
IPADDR[2]=""
NETMASK[2]=""
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""

# Config information for eth3:
IPADDR[3]=""
NETMASK[3]=""
USE_DHCP[3]=""
DHCP_HOSTNAME[3]=""

# Default gateway IP address:
GATEWAY=""

# Change this to "yes" for debugging output to stdout. Unfortunately,
# /sbin/hotplug seems to disable stdout so you'll only see debugging output
# when rc.inet1 is called directly.
DEBUG_ETH_UP="no"

Since you're using DHCP to get the IP address from your DSL modem, the gateway address will be set automatically from that, so you don't have to set GATEWAY="" in the /etc/rc.d/rc.inet1.conf file.

For your XP machine set the ip-address statically:

ip-address: 192.168.2.100
netmask: 255.255.255.0
gateway: 192.168.2.1
DNS: 192.168.2.1

Since you don't run a DNS server, set the DNS entry to your router; it will by default send all DNS requests to its default gateway, which will be your DSL modem, which in turn will send the request to your ISP's DNS servers.
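The two replies above and the thread's original ifconfig come down to one piece of arithmetic: eth0 and eth1 must not share a network, and every derived value (the network route, a firewall script's LOCAL_NET and LOCAL_BCAST) has to be computed from the same address and netmask pair. The following shell script is an added example, not fotoguy's code and not anything shipped with Slackware; it does that arithmetic and reports whether a WAN/LAN pair overlaps. The sample addresses are the ones from this thread; the file name subnet_check.sh is an assumption.

```shell
#!/bin/bash
# Added example (not from the thread): IPv4 subnet arithmetic in shell for
# sanity-checking a two-NIC gateway before editing rc.inet1.conf.

# ip2int DOTTED_QUAD -> unsigned 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INTEGER -> dotted quad.
int2ip() {
    local n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# network_of IP MASK -> network address (what the kernel routes on).
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# broadcast_of IP MASK -> directed broadcast; a firewall script's LOCAL_BCAST
# must be exactly this value for its LOCAL_NET, otherwise the rule never matches.
broadcast_of() {
    local ip mask
    ip=$(ip2int "$1"); mask=$(ip2int "$2")
    int2ip $(( (ip & mask) | (~mask & 0xFFFFFFFF) ))
}

# subnets_overlap IP_A MASK_A IP_B MASK_B -> exit 0 when the two networks
# share any address. The shorter prefix (numerically smaller mask) decides,
# so 10.0.0.1/255.0.0.0 against 10.1.2.3/255.255.255.0 is reported as overlapping.
subnets_overlap() {
    local a b ma mb m
    a=$(ip2int "$1"); ma=$(ip2int "$2")
    b=$(ip2int "$3"); mb=$(ip2int "$4")
    if [ "$ma" -lt "$mb" ]; then m=$ma; else m=$mb; fi
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_gateway WAN_IP WAN_MASK LAN_IP LAN_MASK -> prints a report; exit 0
# when the layout is routable, 1 when the two NICs collide.
check_gateway() {
    echo "WAN: $1/$2  net $(network_of "$1" "$2")  bcast $(broadcast_of "$1" "$2")"
    echo "LAN: $3/$4  net $(network_of "$3" "$4")  bcast $(broadcast_of "$3" "$4")"
    if subnets_overlap "$1" "$2" "$3" "$4"; then
        echo "FAIL: both NICs are on the same network; the kernel cannot route between them"
        return 1
    fi
    echo "OK: distinct networks, forwarding between them can work"
}

# Usage: subnet_check.sh WAN_IP WAN_MASK LAN_IP LAN_MASK (file name is an assumption)
if [ $# -eq 4 ]; then
    check_gateway "$@"
fi
```

Run it as `bash subnet_check.sh 192.168.1.96 255.255.255.0 192.168.1.100 255.255.255.0` to see the thread's original layout rejected, and with 192.168.2.1 as the LAN address to see it pass. broadcast_of is also a quick way to confirm a LOCAL_BCAST value before loading a generated firewall script.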
 
Old 05-26-2006, 02:12 AM   #4
i_joh
Member
 
Registered: Apr 2005
Distribution: Debian
Posts: 82

Rep: Reputation: 5
Yup. Get eth1 onto a different subnet. You could configure eth1 as follows (like I have): (Someone else replied while I wrote this)

Code:
eth1:
IP-address: 10.0.0.1
Netmask   : 255.0.0.0
This is a completely different subnet. As for Windows XP:

Code:
IP-address: 10.0.0.2
Netmask   : 255.0.0.0
Gateway   : 10.0.0.1
DNS       : <Your ISP's DNS server here>
And yes, the netmask is supposed to be 255.0.0.0 for the 10.0.0. subnet. Do not set 255.255.255.0.

Remember to activate IP-forwarding. In Slackware 10.2 you can do this by running 'pkgtool' and modifying the services. Check IP-forwarding so that it activates on boot. You can start it now without rebooting by running:

Code:
. /etc/rc.d/rc.ip_forward start
You also need to activate NAT (Network Address Translation). I do it in my iptables firewall script:

Code:
   modprobe iptable_nat
   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I'm not sure if it's enough just to run that last command to get NAT working. You may need to tell iptables to stop blocking some traffic, for instance by installing this script. This is my script and I have been using it without problems since 2004. It is based on "Rusty's really quick guide to packet filtering" which you can find on the iptables official website:
http://www.netfilter.org/
Other additions (except the interface-variable I think...) are taken from that site as well, and the fancy START|STOP|RESTART functions are based on /etc/rc.d/rc.sshd.

Code:
#!/bin/sh
# Start/stop/restart the firewall:

firewall_start() {
   echo "Starting firewall."

   # Set the value of this variable to the name of the network interface
   # that connects to the internet.
   export INETINTERFACE="wlan0"

   # Insert connection-tracking modules (not needed if built into kernel).
   modprobe ip_conntrack
   modprobe ip_conntrack_ftp

   # Create chain which blocks new connections, except if coming from 
   # inside.
   iptables -N block
   iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
   # "! -i" is the supported spelling; the older "-i !" form is rejected by current iptables.
   iptables -A block -m state --state NEW ! -i $INETINTERFACE -j ACCEPT
   iptables -A block -j DROP

   # Jump to that chain from INPUT and FORWARD chains.
   iptables -A INPUT -j block
   iptables -A FORWARD -j block

   # Enable NAT
   modprobe iptable_nat
   iptables -t nat -A POSTROUTING -o $INETINTERFACE -j MASQUERADE
}

firewall_stop() {
   echo "Stopping firewall."
   iptables -F
   iptables -X
   # Clear the nat table as well, otherwise the MASQUERADE rule survives a stop
   # and is added a second time on the next start.
   iptables -t nat -F
   iptables -t nat -X
}

firewall_restart() {
   firewall_stop
   firewall_start
}

case "$1" in
'start')
  firewall_start
  ;;
'stop')
  firewall_stop
  ;;
'restart')
  firewall_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac
You need to paste this into a text file called rc.firewall. Then 'chown root:root' and 'chmod 755' it, and put it in /etc/rc.d/ -- if Slackware finds the script /etc/rc.d/rc.firewall during boot it will run it with the 'start' argument. BAM, you've got a firewall too! Oh, and notice that variable in the script where the comment says to set it to the interface that connects to the internet. You change it to:

Code:
export INETINTERFACE="eth0"
This is how I set up my Slackware 10.2 gateway. Hope it helps you.

Last edited by i_joh; 05-26-2006 at 02:13 AM.
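A firewall that forwards and NATs for a two-NIC gateway, as an added example rather than i_joh's rc.firewall: default-deny INPUT and FORWARD, stateful acceptance of return traffic, an anti-spoofing rule on the WAN side, DHCP replies from the modem allowed explicitly, and MASQUERADE only for traffic from the LAN prefix. The interface names eth0/eth1 and the 192.168.2.0/24 prefix follow this thread; the IPT/SYSCTL indirection (set both to echo to print the rules instead of loading them), the conntrack match in place of the older state match, and the file name gateway_fw.sh are this example's own choices.

```shell
#!/bin/bash
# Added example, not i_joh's rc.firewall: default-deny forwarding + NAT for a
# two-NIC Slackware gateway. Every iptables/sysctl call goes through a variable
# so that IPT=echo SYSCTL=echo prints the rules for review instead of loading them.
IPT="${IPT:-/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl -w}"
WAN="${WAN:-eth0}"                     # toward the DSL modem
LAN="${LAN:-eth1}"                     # toward the workstations
LAN_NET="${LAN_NET:-192.168.2.0/24}"   # assumption: the addressing suggested in this thread

# fw_flush -> empty filter and nat tables and reset policies to ACCEPT.
fw_flush() {
    # The nat table is flushed too; a bare "iptables -F" leaves MASQUERADE behind.
    for t in filter nat; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

# fw_rules -> load the gateway rule set (12 rules).
fw_rules() {
    # Policies: nothing reaches the gateway or crosses it unless allowed below.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, then anything belonging to a connection that was already accepted.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: the LAN prefix can never legitimately arrive on the WAN side.
    $IPT -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # DHCP lease replies from the modem do not match the outbound broadcast as a flow.
    $IPT -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT

    # New connections are accepted only from the LAN side ("! -i" is the
    # current spelling of the older "-i !" form).
    $IPT -A INPUT ! -i "$WAN" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # Source NAT for everything the LAN sends out of the WAN interface.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# fw_forwarding 1|0 -> turn kernel IP forwarding on or off.
fw_forwarding() {
    $SYSCTL net.ipv4.ip_forward="$1"
}

case "$1" in
    start)   fw_flush; fw_rules; fw_forwarding 1 ;;
    stop)    fw_flush; fw_forwarding 0 ;;
    restart) fw_flush; fw_rules; fw_forwarding 1 ;;
    *)       echo "usage: $0 start|stop|restart (IPT=echo SYSCTL=echo for a dry run)" >&2 ;;
esac
```

`IPT=echo SYSCTL=echo bash gateway_fw.sh start` prints the full rule set for review on any machine; installed as /etc/rc.d/rc.firewall with mode 755 it runs with the start argument at boot, as i_joh describes. The stop path deliberately clears the nat table and disables forwarding so that "no firewall" also means "no routing".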
 
Old 05-26-2006, 06:39 AM   #5
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
THANKS!!!! I will give it a shot when I get home from work. Out of curiosity, this gateway machine IS being used ultimately as a content filter. I have Dansguardian working GREAT...on the gateway machine itself. I want to know how I set up a transparent proxy to force people accessing the gateway to go THROUGH dansguardian.
 
Old 05-26-2006, 11:29 AM   #6
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
Update:

Code:
root@scs:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:04:5A:77:38:D8
          inet addr:192.168.1.96  Bcast:255.255.255.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:208 errors:0 dropped:0 overruns:0 frame:0
          TX packets:224 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:89279 (87.1 KiB)  TX bytes:29148 (28.4 KiB)
          Interrupt:6 Base address:0x9400

eth1      Link encap:Ethernet  HWaddr 00:04:5A:77:38:DC
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:9 Base address:0x9000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1105 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1105 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:231053 (225.6 KiB)  TX bytes:231053 (225.6 KiB)
In addition I have THIS as my rc.inet1.conf
Code:
# /etc/rc.d/rc.inet1.conf
#
# This file contains the configuration settings for network interfaces.
# If USE_DHCP[interface] is set to "yes", this overrides any other settings.
# If you don't have an interface, leave the settings null ("").

# Config information for eth0:
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]="yes"
DHCP_HOSTNAME[0]=""

# Config information for eth1:
IPADDR[1]="192.168.2.1"
NETMASK[1]="255.255.255.0"
USE_DHCP[1]="no"
DHCP_HOSTNAME[1]=""

# Config information for eth2:
IPADDR[2]=""
NETMASK[2]=""
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""

# Config information for eth3:
IPADDR[3]=""
NETMASK[3]=""
USE_DHCP[3]=""
DHCP_HOSTNAME[3]=""

# Default gateway IP address:
GATEWAY=""

# Change this to "yes" for debugging output to stdout. Unfortunately,
# /sbin/hotplug seems to disable stdout so you'll only see debugging output
# when rc.inet1 is called directly.
DEBUG_ETH_UP="no"
...with XP machine set the ip-address statically:

ip-address: 192.168.2.100
netmask: 255.255.255.0
gateway: 192.168.2.1
DNS: 192.168.2.1

AND I have an rc.firewall file

Results:

No connection between my XP machine and the gateway. DOH! I still need some help. Thanks. Oh, by the way (not that this really means anything), when the gateway is booted up the WAN NIC has a green light immediately, whereas the LAN NIC never has a light come on.
 
Old 05-26-2006, 12:53 PM   #7
alisonken1
LQ Newbie
 
Registered: Jun 2003
Location: Rancho Cucamonga, CA
Distribution: Slackware
Posts: 22

Rep: Reputation: 9
XP configuration

Quote:
Originally Posted by tubatodd
Update:

...with XP machine set the ip-address statically:

ip-address: 192.168.2.100
netmask: 255.255.255.0
gateway: 192.168.2.1
DNS: 192.168.2.1

AND I have an rc.firewall file
2 things to note:

Are you running a DNS daemon on 192.168.2.1? If not, the XP machine will not be able to map names to IP.

Do your firewall rules allow DNS queries outside of the machine? This is another area where name-to-IP mapping can get munged (timeouts).

If you decide to use your ISP's DNS servers rather than setting up your own, then keep in mind that as long as you are using private IP's for your internal network, you're going to have to use IP addresses to access the other machines on the local network.

Example setup of my systems:

(router)

eth0: IP 192.168.1.253 netmask 255.255.255.0 (local network i/f)
eth1: connected to DSL modem
eth2: IP 192.168.2.253 netmask 255.255.255.0 (DMZ zone for testing)

I also have DNS/DHCP services running on the router that only listens on eth0/2 and ignores eth1.

Appropriate firewall rules for eth1

Last edited by alisonken1; 05-26-2006 at 12:59 PM.
 
Old 05-26-2006, 12:53 PM   #8
fuzzyash
Member
 
Registered: Aug 2003
Location: Melbourne Australia
Distribution: Fedora Core 4
Posts: 184

Rep: Reputation: 30
If you want to read how to do this in depth, which I would recommend, read http://www.tldp.org/HOWTO/IP-Masquer...WTO/index.html thoroughly! This will explain how to set up a Linux gateway & how to use iptables to control how others connect to it. They include an excellent script that configures your system however you want it.

When I first started learning this stuff I found this HOWTO invaluable!! I must also say that if you are going to invest your time in this then it pays to learn ALL the ins and outs of Linux routing & firewalling.
 
Old 05-26-2006, 01:30 PM   #9
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

I have a copy of "Easy Firewall Generator" online which produces an rc.firewall script that runs unmodified on Slackware (the original is geared toward Redhat) here: http://www.slackware.com/~alien/efg/ It configures a firewall script for you with a few simple questions, which you can then download and install as "/etc/rc.d/rc.firewall".

Eric
 
Old 05-26-2006, 01:37 PM   #10
i_joh
Member
 
Registered: Apr 2005
Distribution: Debian
Posts: 82

Rep: Reputation: 5
Quote:
when the gateway is booted up the WAN NIC has a green light immediately where as the LAN NIC never has a light come on.
This is odd. The green light should come on. As of now both NICs at my gateway are shining green through the ventilation opening. You should rule out the cable being the problem. If you are connecting the XP-box directly to the Linux-box with one cable you will need a cross-over cable. Also make sure to disable the firewall while troubleshooting. When you can ping between XP and Linux you can proceed with the gateway configuration.
 
Old 05-26-2006, 01:56 PM   #11
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Quote:
when the gateway is booted up the WAN NIC has a green light immediately where as the LAN NIC never has a light come on.
The programs "ethtool" and "mii-tool" can help you in diagnosing network connectivity problems. First run
Code:
ethtool eth1
which should report
Code:
Link detected: yes
. If ethtool is not available you can also try
Code:
mii-tool
which should report something along these lines:
Code:
eth1: negotiated 100baseTx-FD, link ok
If a link beat is not detected, it is time to check your cabling - and in the case of direct cable connection between two network cards, you should indeed use cross-cable as i_joh indicated.

Eric
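i_joh's and Alien Bob's advice above is to establish link beat before touching the gateway configuration. The script below is an added example, not from either post: it reads the kernel's carrier flag from sysfs, which needs no extra tools, and only then falls back to ethtool and mii-tool, classifying their output lines (the exact strings quoted in this thread, including the "No data available" that some drivers return to ethtool). The sysfs path, the fallback order and the file name linkcheck.sh are this example's own choices.

```shell
#!/bin/bash
# Added example (not Alien Bob's or i_joh's): link-beat check for a NIC.
# Tries the kernel's carrier flag in sysfs first, then ethtool, then mii-tool.

# classify_link_output LINE -> up | down | unknown
# Understands "Link detected: yes/no" (ethtool) and "... link ok" / "no link" (mii-tool).
classify_link_output() {
    case "$1" in
        *"Link detected: yes"*|*"link ok"*)  echo up ;;
        *"Link detected: no"*|*"no link"*)   echo down ;;
        *)                                   echo unknown ;;
    esac
}

# carrier_from_sysfs IFACE -> up | down | unknown
# The carrier file only reads 0/1 once the interface is administratively UP;
# on a down or missing interface the read fails and we report unknown.
carrier_from_sysfs() {
    local f="/sys/class/net/$1/carrier"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(cat "$f" 2>/dev/null)" in
        1) echo up ;;
        0) echo down ;;
        *) echo unknown ;;
    esac
}

# check_link IFACE -> prints "IFACE: state (source)"; exit 0 only when up.
check_link() {
    local iface=$1 state src
    state=$(carrier_from_sysfs "$iface"); src=sysfs
    if [ "$state" = unknown ] && command -v ethtool >/dev/null 2>&1; then
        state=$(classify_link_output "$(ethtool "$iface" 2>/dev/null | grep 'Link detected')")
        src=ethtool
    fi
    if [ "$state" = unknown ] && command -v mii-tool >/dev/null 2>&1; then
        state=$(classify_link_output "$(mii-tool "$iface" 2>/dev/null)")
        src=mii-tool
    fi
    echo "$iface: $state ($src)"
    [ "$state" = up ]
}

# Usage: linkcheck.sh IFACE (file name is an assumption)
if [ $# -eq 1 ]; then
    check_link "$1"
fi
```

`bash linkcheck.sh eth1` exits non-zero unless a carrier is detected, so it can gate the rest of an rc script. The carrier file is only meaningful once the interface is UP, which the ifconfig output earlier in the thread shows eth1 is; with a driver that answers ethtool with "No data available", the script falls through to mii-tool exactly as tubatodd's manual run did.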
 
Old 05-26-2006, 04:39 PM   #12
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
OK here is where I stand.

1. I am NOT running a DNS daemon on the gateway system. (I'm a networking novice, what can I say?) I'm gonna need help setting THAT up.

2. Here are some results

Code:
root@scs:~# ethtool eth0
Settings for eth0:
No data available
root@scs:~# ethtool eth1
Settings for eth1:
No data available
root@scs:~# mii-tool eth0
eth0: negotiated 100baseTx-FD, link ok
root@scs:~# mii-tool eth1
eth1: no link
root@scs:~#
3. rc.firewall created by the generator - NOTE: I enabled a transparent proxy for my content filter. It is SUPPOSED to send everything through port 8080 for Dansguardian.

Code:
#!/bin/sh
#
# Generated iptables firewall script for the Linux 2.4 kernel
# Script generated by Easy Firewall Generator for IPTables 1.15
# copyright 2002 Timothy Scott Morizot
# 
# Redhat chkconfig comments - firewall applied early,
#                             removed late
# chkconfig: 2345 08 92
# description: This script applies or removes iptables firewall rules
# 
# This generator is primarily designed for RedHat installations,
# although it should be adaptable for others.
#
# It can be executed with the typical start and stop arguments.
# If used with stop, it will stop after flushing the firewall.
# The save and restore arguments will save or restore the rules
# from the /etc/sysconfig/iptables file.  The save and restore
# arguments are included to preserve compatibility with
# Redhat's or Fedora's init.d script if you prefer to use it.

# Redhat/Fedora installation instructions
#
# 1. Have the system link the iptables init.d startup script into run states
#    2, 3, and 5.
#    chkconfig --level 235 iptables on
#
# 2. Save this script and execute it to load the ruleset from this file.
#    You may need to run the dos2unix command on it to remove carriage returns.
#
# 3. To have it applied at startup, copy this script to
#    /etc/init.d/iptables.  It accepts stop, start, save, and restore
#    arguments.  (You may wish to save the existing one first.)
#    Alternatively, if you issue the 'service iptables save' command
#    the init.d script should save the rules and reload them at runtime.
#
# 4. For non-Redhat systems (or Redhat systems if you have a problem), you
#    may want to append the command to execute this script to rc.local.
#    rc.local is typically located in /etc and /etc/rc.d and is usually
#    the last thing executed on startup.  Simply add /path/to/script/script_name
#    on its own line in the rc.local file.

###############################################################################
# 
# Local Settings
#

# sysctl location.  If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.

SYSCTL="/sbin/sysctl -w" 

# To echo the value directly to the /proc file instead
# SYSCTL=""

# IPTables Location - adjust if needed

IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth0"

# Local Interface Information
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.2.1"
LOCAL_NET="192.168.2.0/24"
LOCAL_BCAST="192.168.2.255"   # must be the broadcast address of LOCAL_NET

# Localhost Interface

LO_IFACE="lo"
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
	echo -n "Saving firewall to /etc/sysconfig/iptables ... "
	$IPTS > /etc/sysconfig/iptables
	echo "done"
	exit 0
elif [ "$1" = "restore" ]
then
	echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
	$IPTR < /etc/sysconfig/iptables
	echo "done"
	exit 0
fi

###############################################################################
#
# Load Modules
#

echo "Loading kernel modules ..."

# You should uncomment the line below and run it the first time just to
# ensure all kernel module dependencies are OK.  There is no need to run
# every time, however.

# /sbin/depmod -a

# Unless you have kernel module auto-loading disabled, you should not
# need to manually load each of these modules.  Other than ip_tables,
# ip_conntrack, and some of the optional modules, I've left these
# commented by default.  Uncomment if you have any problems or if
# you have disabled module autoload.  Note that some modules must
# be loaded by another kernel module.

# core netfilter module
/sbin/modprobe ip_tables

# the stateful connection tracking module
/sbin/modprobe ip_conntrack

# filter table module
# /sbin/modprobe iptable_filter

# mangle table module
# /sbin/modprobe iptable_mangle

# nat table module
# /sbin/modprobe iptable_nat

# LOG target module
# /sbin/modprobe ipt_LOG

# This is used to limit the number of packets per sec/min/hr
# /sbin/modprobe ipt_limit

# masquerade target module
# /sbin/modprobe ipt_MASQUERADE

# filter using owner as part of the match
# /sbin/modprobe ipt_owner

# REJECT target drops the packet and returns an ICMP response.
# The response is configurable.  By default, connection refused.
# /sbin/modprobe ipt_REJECT

# This target allows packets to be marked in the mangle table
# /sbin/modprobe ipt_mark

# This target affects the TCP MSS
# /sbin/modprobe ipt_tcpmss

# This match allows multiple ports instead of a single port or range
# /sbin/modprobe multiport

# This match checks against the TCP flags
# /sbin/modprobe ipt_state

# This match catches packets with invalid flags
# /sbin/modprobe ipt_unclean

# The ftp nat module is required for non-PASV ftp support
/sbin/modprobe ip_nat_ftp

# the module for full ftp connection tracking
/sbin/modprobe ip_conntrack_ftp

# the module for full irc connection tracking
/sbin/modprobe ip_conntrack_irc


###############################################################################
#
# Kernel Parameter Configuration
#
# See http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# for a detailed tutorial on sysctl and the various settings
# available.

# Required to enable IPv4 forwarding.
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
# Alternatively, it can be set in /etc/sysctl.conf
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi

# This enables dynamic address hacking.
# This may help if you have a dynamic IP address (e.g. slip, ppp, dhcp).
#if [ "$SYSCTL" = "" ]
#then
#    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#else
#    $SYSCTL net.ipv4.ip_dynaddr="1"
#fi

# This enables SYN flood protection.
# The SYN cookies activation allows your system to accept an unlimited
# number of TCP connections while still trying to give reasonable
# service during a denial of service attack.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

# This enables source validation by reversed path according to RFC1812.
# In other words, did the response packet originate from the same interface
# through which the source packet was sent?  It's recommended for single-homed
# systems and routers on stub networks.  Since those are the configurations
# this firewall is designed to support, I turn it on by default.
# Turn it off if you use multiple NICs connected to the same network.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

# This option allows a subnet to be firewalled with a single IP address.
# It's used to build a DMZ.  Since that's not a focus of this firewall
# script, it's not enabled by default, but is included for reference.
# See: http://www.sjdjweis.com/linux/proxyarp/ 
#if [ "$SYSCTL" = "" ]
#then
#    echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#else
#    $SYSCTL net.ipv4.conf.all.proxy_arp="1"
#fi

# The following kernel settings were suggested by Alex Weeks. Thanks!

# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address.  This prevents
# a number of smurfs and similar DoS nasty attacks.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

# This option can be used to accept or refuse source routed
# packets.  It is usually on by default, but is generally
# considered a security risk.  This option turns it off.
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

# This option can disable ICMP redirects.  ICMP redirects
# are generally considered a security risk and shouldn't be
# needed by most systems using this generator.
#if [ "$SYSCTL" = "" ]
#then
#    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
#else
#    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
#fi

# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi


###############################################################################
#
# Flush Any Existing Rules or Chains
#

echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
	echo "Firewall completely flushed!  Now running with no firewall."
	exit 0
fi

###############################################################################
#
# Rules Configuration
#

###############################################################################
#
# Filter Table
#
###############################################################################

# Set Policies

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.

echo "Create and populate custom rule chains ..."

# Create a chain to filter INVALID packets

$IPT -N bad_packets

# Create another chain to filter bad tcp packets

$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.

$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound

###############################################################################
#
# Populate User Chains
#

# bad_packets chain
#

# Drop packets received on the external interface
# claiming a source of the local network
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
    --log-prefix "Illegal source: "

$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP

# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet: "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet.  If it doesn't, it is likely a
# port scan.  This drops packets in state
# NEW that are not flagged as syn packets.

# Return to the calling chain if the bad packets originate
# from the local interface. This maintains the approach
# throughout this firewall of a largely trusted internal
# network.
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN

# However, I originally did apply this filter to the forward chain
# for packets originating from the internal network.  While I have
# not conclusively determined its effect, it appears to have the
# interesting side effect of blocking some of the ad systems.
# Apparently some ad systems have the browser initiate a NEW
# connection that is not flagged as a syn packet to retrieve
# the ad image.  If you wish to experiment further comment the
# rule above. If you try it, you may also wish to uncomment the
# rule below.  It will keep those packets from being logged.
# There are a lot of them.
# $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state \
#     --state NEW -j DROP

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule.  Applied to INPUT on the external interface.
# 
# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.

# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented.  Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
# 
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
#    --log-prefix "Ping detected: "
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# TCP & UDP
# Identify ports at:
#    http://www.chebucto.ns.ca/~rakerman/port-table.html
#    http://www.iana.org/assignments/port-numbers

# udp_inbound chain
#
# This chain describes the inbound UDP packets it will accept.
# It's applied to INPUT on the external or Internet interface.
# Note that the stateful settings allow replies.
# These rules are for new requests.
# It drops netbios packets (windows) immediately without logging.

# Drop netbios calls

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

# Dynamic Address
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet.  This explicitly
# allows the DHCP ports to alleviate this problem.
# If you receive your dynamic address by a different means, you
# can probably comment this line.
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
     -j ACCEPT


# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols.  Applied to the FORWARD rule from
# the internal network.  Ends with an ACCEPT


# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway.  Use with care.  It defaults to none.
# It's applied on INPUT from the external or Internet interface.


# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols.  Applied to the FORWARD rule from
# the internal network.  Ends with an ACCEPT


# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

###############################################################################
#
# INPUT Chain
#

echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs.  The multicast packets have the destination address
# 224.0.0.1.  You can accept them.  If you choose to do so,
# uncomment the rule to ACCEPT them and comment the rule to DROP
# them.  The firewall will drop them here by default to avoid
# cluttering the log.  The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default.  To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'.  Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT


# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log packets that still don't match
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "INPUT packet died: "

###############################################################################
#
# FORWARD Chain
#

echo "Process FORWARD chain ..."

# Used if forwarding for a private network

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
     -j ACCEPT

# Log packets that still don't match
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FORWARD packet died: "

###############################################################################
#
# OUTPUT Chain
#

echo "Process OUTPUT chain ..."

# Generally trust the firewall on output

# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "OUTPUT packet died: "

###############################################################################
#
# nat table
#
###############################################################################

# The nat table is where network address translation occurs if there
# is a private network.  If the gateway is connected to the Internet
# with a static IP, snat is used.  If the gateway has a dynamic address,
# masquerade must be used instead.  There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.

echo "Load rules for nat table ..."

###############################################################################
#
# PREROUTING chain
#

# This is a sample that will exempt a specific host from the transparent proxy
#$IPT -t nat -A PREROUTING -p tcp -s 192.168.1.50 --destination-port 80 \
#     -j RETURN
#$IPT -t nat -A PREROUTING -p tcp -s 192.168.1.50 --destination-port 443 \
#     -j RETURN

# Redirect HTTP for a transparent proxy
$IPT -t nat -A PREROUTING -p tcp --destination-port 80 \
     -j REDIRECT --to-ports 8080
# Redirect HTTPS for a transparent proxy - commented by default
# $IPT -t nat -A PREROUTING -p tcp --destination-port 443 \
#     -j REDIRECT --to-ports 8080


###############################################################################
#
# POSTROUTING chain
#

# Masquerade everything leaving on the Internet interface (the gateway gets
# its address by DHCP, so MASQUERADE rather than SNAT is used here)
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE


4. I OWN a cross over cable, however I have not been using it. I thought (thought WRONG I guess) that since the computer is acting as a router AND since you typically do NOT need a cross over cable for a router that I wouldn't need to use a special cable. I will try that next time.

Gotta go......going to dinner. We're having AWESOME Chinese food at Shang Ghri La. YUUMMMMMMMMMMMM!!!
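The script above LOGs everything that falls through the INPUT/FORWARD/OUTPUT chains with a distinct prefix ("INPUT packet died: ", "Stealth scan: ", and so on). The following is an added example, not code from the thread or from the firewall generator, showing how to turn those kernel log lines into per-source counts so the log is actually useful when reviewing what hits the gateway. The three sample lines are constructed for the demo (RFC 5737 documentation addresses); the field layout is the standard iptables LOG format, and the function names `summarise_log` and `count_by_src` are my own.

```shell
#!/bin/sh
# Added example, not part of the thread: extract the fields from the kernel
# LOG lines that the rc.firewall script above produces and count them per
# source address.  Sample lines are constructed (RFC 5737 addresses); the
# field layout is the standard iptables LOG format.

SAMPLE_LOG='May 27 10:01:02 scs kernel: INPUT packet died: IN=eth0 OUT= MAC=00:04:5a:77:38:d8:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.96 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 27 10:01:05 scs kernel: Stealth scan: IN=eth0 OUT= MAC=00:04:5a:77:38:d8:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.96 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=TCP SPT=44322 DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0
May 27 10:02:00 scs kernel: INPUT packet died: IN=eth0 OUT= MAC=00:04:5a:77:38:d8:00:11:22:33:44:55:08:00 SRC=198.51.100.3 DST=192.168.1.96 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 PROTO=ICMP TYPE=13 CODE=0 ID=1 SEQ=1'

# summarise_log: read LOG lines on stdin, print one
# "prefix|IN|SRC|DST|PROTO|DPT" record per line.  Lines that do not have the
# LOG layout are skipped; ICMP lines carry no DPT, so "-" is printed instead.
summarise_log() {
    awk '
    {
        # the log prefix sits between "kernel: " and the first " IN="
        p = index($0, "kernel: "); q = index($0, " IN=")
        if (p == 0 || q == 0) next
        prefix = substr($0, p + 8, q - p - 8)
        sub(/:$/, "", prefix)
        # collect every KEY=VALUE token; flags like DF or SYN have no "="
        split("", f)
        for (i = 1; i <= NF; i++) {
            if (index($i, "=") > 1) { split($i, kv, "="); f[kv[1]] = kv[2] }
        }
        dpt = ("DPT" in f) ? f["DPT"] : "-"
        print prefix "|" f["IN"] "|" f["SRC"] "|" f["DST"] "|" f["PROTO"] "|" dpt
    }'
}

# count_by_src: "count SRC" lines, busiest source first
count_by_src() {
    summarise_log | awk -F'|' '{ c[$3]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Demo on the constructed sample; on a real box feed it
#   grep 'packet died\|Stealth scan\|ICMP Fragment' /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarise_log
printf '%s\n' "$SAMPLE_LOG" | count_by_src
```

The rate limit in the script (`--limit 3/minute`) means these counts are a lower bound on what was dropped, which is the trade-off the script makes to keep the log readable.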
 
Old 05-26-2006, 05:31 PM   #13
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
Quote:
Originally Posted by tubatodd
OK here is where I stand.



4. I OWN a cross over cable, however I have not been using it. I thought (thought WRONG I guess) that since the computer is acting as a router AND since you typically do NOT need a cross over cable for a router that I wouldn't need to use a special cable. I will try that next time.

Try using your crossover cable; since you're going from one network card in your PC to the network card in your Linux router, you will need to use a crossover cable. It's only hardware switches that now auto-detect whether you're using a crossover or straight-through cable and do the crossover for you if needed.
 
Old 05-26-2006, 10:20 PM   #14
tubatodd
Member
 
Registered: Jun 2003
Location: Birmingham, Alabama (USA)
Distribution: Slackware
Posts: 351

Original Poster
Rep: Reputation: 30
SIGNIFICANT progress has been made!!!!!

I used the crossover cable and I now have the WinXP machine being able to ping the gateway and the gateway being able to ping the WinXP machine. Unfortunately, I do NOT have internet access on my WinXP machine through the gateway. Sooooo, I need help fixing that. I have a hunch it has to do with "tinyproxy" and the transparent proxy settings. Please refer to the rc.firewall file above and the following results:
Code:
root@scs:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:04:5A:77:38:D8
          inet addr:192.168.1.96  Bcast:255.255.255.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:546 errors:0 dropped:0 overruns:0 frame:0
          TX packets:508 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:324797 (317.1 KiB)  TX bytes:73656 (71.9 KiB)
          Interrupt:6 Base address:0x9400

eth1      Link encap:Ethernet  HWaddr 00:04:5A:77:38:DC
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4996 (4.8 KiB)  TX bytes:2258 (2.2 KiB)
          Interrupt:9 Base address:0x9000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2229 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2229 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:775535 (757.3 KiB)  TX bytes:775535 (757.3 KiB)
Thanks for your help and for new help in advance!!!
 
Old 05-27-2006, 05:08 AM   #15
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Quote:
eth0 Link encap:Ethernet HWaddr 00:04:5A:77:38:D8
inet addr:192.168.1.96 Bcast:255.255.255.255 Mask:255.255.255.0
I only just noticed this, and the Bcast ("broadcast") value is wrong here. It says 255.255.255.255 and that is an impossible value; this should be "192.168.1.255" (based on the IP address and the netmask). You said that eth0 is getting its IP address through DHCP, so there must be something wrong on the DHCP server side perhaps to get such a strange value.

Furthermore, I had a look at your firewall script you generated using the link I provided, and it looks like you did not enter all information correctly. Look at this excerpt:
Code:
# Local Interface Information
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.2.1"
LOCAL_NET="192.168.2.0/24"
LOCAL_BCAST="192.168.1.255"
and you'll notice that the LOCAL_BCAST address does not match the two lines in front of it. The correct block would look like this:
Code:
# Local Interface Information
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.2.1"
LOCAL_NET="192.168.2.0/24"
LOCAL_BCAST="192.168.2.255"
With these changes, you might get a lot further.
Eric
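The two problems Alien Bob points out are the same kind of mistake: a broadcast address that does not belong to the IP/netmask it sits next to. Since rc.firewall uses LOCAL_BCAST in an ACCEPT rule on the internal interface, a wrong value there silently drops broadcast traffic from the LAN. The following is an added example, not code from the thread or from the firewall generator, that derives the broadcast address from an address and prefix length in plain POSIX sh arithmetic and checks a "Local Interface Information" block for exactly this mismatch. The function names (`broadcast`, `check_local_block`) and the check itself are mine; the values fed to it are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread or of the firewall generator: derive
# the broadcast address from an IP/prefix pair and check an rc.firewall
# "Local Interface Information" block for the mismatch Alien Bob spotted.
# Pure POSIX sh arithmetic, so it runs on a bare Slackware box.

# ip_to_int 192.168.2.1 -> 3232236033
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232236287 -> 192.168.2.255
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask 24 -> 4294967040 (0xffffff00)
prefix_to_mask() {
    echo $(( 4294967295 & (4294967295 << (32 - $1)) ))
}

# broadcast 192.168.2.1 24 -> 192.168.2.255 (all host bits set)
broadcast() {
    b_ip=$(ip_to_int "$1")
    b_mask=$(prefix_to_mask "$2")
    int_to_ip $(( b_ip | (4294967295 ^ b_mask) ))
}

# check_local_block LOCAL_IP LOCAL_NET LOCAL_BCAST
# Returns 0 when the three values agree, 1 (with a message per problem)
# when they do not.  LOCAL_NET is in the script's a.b.c.d/prefix form.
check_local_block() {
    ip=$1 net=$2 bcast=$3
    net_addr=${net%/*}
    prefix=${net#*/}
    mask=$(prefix_to_mask "$prefix")
    status=0
    # 1. LOCAL_IP must fall inside LOCAL_NET
    if [ $(( $(ip_to_int "$ip") & $mask )) -ne $(( $(ip_to_int "$net_addr") & $mask )) ]; then
        echo "LOCAL_IP $ip is not inside LOCAL_NET $net"
        status=1
    fi
    # 2. LOCAL_BCAST must be the broadcast address of LOCAL_NET
    expected=$(broadcast "$net_addr" "$prefix")
    if [ "$bcast" != "$expected" ]; then
        echo "LOCAL_BCAST $bcast does not match LOCAL_NET $net (expected $expected)"
        status=1
    fi
    return $status
}

# The two blocks quoted in the thread: the posted one and the corrected one
# (demo calls; exit status ignored so the file can also be sourced).
check_local_block 192.168.2.1 192.168.2.0/24 192.168.1.255 || true
check_local_block 192.168.2.1 192.168.2.0/24 192.168.2.255 && echo "block is consistent"
```

The same `broadcast` function applied to eth0's 192.168.1.96/24 gives 192.168.1.255, which is what Eric expects the DHCP-assigned Bcast to be; running `check_local_block` against the variable block at the top of rc.firewall before loading the rules is a cheap way to catch this class of typo.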
 
  

