I've followed Warren's walkthrough of MonMotha's firewall script found at <http://www.mplug.org/phpwiki/index.php/BasicFirewallRouter>. I installed the script on a computer running Red Hat 7.3. The only change I made was that I used 192.168.1.1 instead of 192.168.0.1 for the firewall LAN gateway address (eth1), because I have an existing Linksys router that had been using that address and all my clients are already set up that way; I don't want to have to reconfigure 17 computers when I swap my dedicated firewall for my router.

I can't get the firewall talking to the WAN at all. After I run the script, I can't get the LAN to ping the firewall. When I try to ping anything on the WAN from the firewall I get "network is not reachable." This is true even before I run the firewall script, so there are no rules and the default is "accept". I have set up the firewall with the same IP number and gateway that the router had, I've disconnected the router from both the WAN and the LAN, and hooked in the firewall instead. I tested the cables. I tested the two ethernet cards. I reconfigured a client to use the WAN address as a gateway and plugged it into the WAN NIC with a crossover cable; the client was able to ping the firewall on eth0. I am able to ping the firewall from the LAN before running the script. After running the script, the firewall no longer answers ping. Is this what I should expect?

Could Red Hat 7.3 have ipchains running by default and messing me up? Could the IP# change matter? (Warren's walkthrough says to use 192.168.0.1 as eth1's IP#, the gateway address for the LAN; I used 192.168.1.1 instead.) I tried to set the firewall up to be identical to the router it replaces: same gateway, same IP#. The LED shows activity on the card attached to the WAN. Could the MAC change when I switch from the router to the firewall be confusing my gateway so that it refuses to speak to me? I am at UH, not using an ISP. Could there be a delay before things start working? When I switch things back, it always takes a while before the router starts working again. There is some stuff in the walkthrough about the PCI slots using bus-mastering; I have no idea what this is about. Could that be causing my problem? How can I tell whether IP forwarding is enabled and working? (That's how the packets get between the LAN NIC and the WAN NIC, right? I see it in the script output, but is there an explicit test?) Since I can't reach the network even before I run the script, the script doesn't seem to be the entire problem.
But for what it's worth, here is the output when I run the script:

******************************
Loading iptables firewall:
Checking configuration...passed
Performing TCP_ALLOW and UDP_ALLOW alias preprocessing...done
Checking IP Forwarding...enabled.
Checking IP SynCookies...disabled.
Checking Route Verification...activated:eth0 activated:eth1
Refusing SSR Packets via SysCtl...activated:eth0 activated:eth1
Flush: INPUT OUTPUT1 FORWARD PREROUTING1 OUTPUT2 POSTROUTING PREROUTING2 OUTPUT3
Creating chains: INETIN INETOUT DMZIN DMZOUT TCPACCEPT UDPACCEPT LDROP LREJECT TREJECT LTREJECT
Default Policies: INPUT:DROP OUTPUT:ACCEPT FORWARD:DROP
Setting up drop chains chains: LDROP LREJECT TREJECT LTREJECT
Setting up per-proto ACCEPT: TCPACCEPT UDPACCEPT
TREJECTing invalid packets...done
Setting up INET chains: INETIN INETOUT
Local Traffic Rules: 192.168.0.0/24:ACCEPT 192.168.1.0/24:ACCEPT loopback:ACCEPT
Setting up masquerading: 192.168.0.0/24:MASQUERADE 192.168.1.0/24:MASQUERADE
TREJECTing ICMP messages specified in BAD_ICMP...5 9 10 15 16 17 18
Flood limiting: ICMP-PING
Allowing the rest of the ICMP messages in...done
Hostwise TCP Allows: 0/0>22
Hostwise UDP Allows: 0/0>68 0/0>6112 0/0>6119 0/0>4000
Allowing established outbound connections back in...done
Allowing related inbound connections...done
Setting up INET policies: INETIN:TREJECT INETOUT:ACCEPT
Done loading the firewall!
**********************************

These don't look like errors to me. What does "192.168.1.0/24:ACCEPT" in the local traffic rules mean - anything from a machine on the 192.168.1 subnet is accepted??
Here is the output from iptables -L after running the script:

*******************************
Chain INPUT (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
INETOUT    all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
INETOUT    all  --  anywhere             anywhere

Chain DMZIN (0 references)
target     prot opt source               destination

Chain DMZOUT (0 references)
target     prot opt source               destination

Chain INETIN (2 references)
target     prot opt source               destination
TREJECT    all  --  anywhere             anywhere             state INVALID
TREJECT    icmp --  anywhere             anywhere             icmp redirect
TREJECT    icmp --  anywhere             anywhere             icmp router-advertisement
TREJECT    icmp --  anywhere             anywhere             icmp router-solicitation
TREJECT    icmp --  anywhere             anywhere             icmp type 15
TREJECT    icmp --  anywhere             anywhere             icmp type 16
TREJECT    icmp --  anywhere             anywhere             icmp address-mask-request
TREJECT    icmp --  anywhere             anywhere             icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
TREJECT    icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp !echo-request
TCPACCEPT  tcp  --  anywhere             anywhere             tcp dpt:ssh
UDPACCEPT  udp  --  anywhere             anywhere             udp dpt:bootpc
UDPACCEPT  udp  --  anywhere             anywhere             udp dpt:6112
UDPACCEPT  udp  --  anywhere             anywhere             udp dpt:6119
UDPACCEPT  udp  --  anywhere             anywhere             udp dpt:4000
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
TCPACCEPT  tcp  --  anywhere             anywhere             tcp dpts:1024:65535 state RELATED
UDPACCEPT  udp  --  anywhere             anywhere             udp dpts:1024:65535 state RELATED
TREJECT    all  --  anywhere             anywhere

Chain INETOUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain LDROP (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level info prefix `TCP Dropped '
LOG        udp  --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level info prefix `UDP Dropped '
LOG        icmp --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level info prefix `ICMP Dropped '
LOG        all  -f  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Dropped '
DROP       all  --  anywhere             anywhere

Chain LREJECT (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG        udp  --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG        icmp --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG        all  -f  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LTREJECT (0 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level info prefix `TCP Rejected '
LOG        udp  --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level info prefix `UDP Rejected '
LOG        icmp --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level info prefix `ICMP Rejected '
LOG        all  -f  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level warning prefix `FRAGMENT Rejected '
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain TCPACCEPT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN limit: avg 20/sec burst 5
LOG        tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN limit: avg 2/sec burst 5 LOG level warning prefix `Possible SynFlood '
TREJECT    tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:!SYN,RST,ACK/SYN
LOG        all  --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch in TCPACCEPT '
TREJECT    all  --  anywhere             anywhere

Chain TREJECT (13 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
DROP       icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain UDPACCEPT (5 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 2/sec burst 5 LOG level warning prefix `Mismatch on UDPACCEPT '
TREJECT    all  --  anywhere             anywhere
*************************

That doesn't really look right to me, but I don't claim to understand it at all.

Devastated Dave
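An added example, not from Dave's post or from MonMotha's script: a small parser for plain `iptables -L` listings like the one above that reports which rules in a chain end in ACCEPT and which user chains nothing jumps to. The sample listing is constructed from a subset of the chains quoted in the post; note that `iptables -L` without `-v` hides the interface match, so the `ACCEPT ... 192.168.1.0/24` rules may in fact be restricted to eth1.

```python
"""Summarise a plain `iptables -L` listing like the one quoted above.
Caveat: without -v the interface match is hidden, so `ACCEPT all -- 192.168.1.0/24
anywhere` may really be limited to eth1; use `iptables -L -v -n` to see it."""
import re

# Constructed sample: a subset of the chains quoted in the post.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
INETIN     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere

Chain DMZIN (0 references)

Chain INETIN (2 references)
target     prot opt source               destination
TREJECT    all  --  anywhere             anywhere             state INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
TCPACCEPT  tcp  --  anywhere             anywhere             tcp dpt:ssh
"""
HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")

def parse_listing(text):
    """Return {chain: {"policy", "references", "rules"}} from `iptables -L` text."""
    chains, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = {"policy": policy, "rules": [],
                                      "references": int(refs) if refs else None}
        elif not line.strip() or line.startswith("target") or current is None:
            continue  # blank separator, column header, or text before any chain
        else:  # target prot opt source destination [match details...]
            target, prot, opt, src, rest = line.split(None, 4)
            dest, _, extra = rest.partition(" ")
            current["rules"].append({"target": target, "prot": prot, "source": src,
                                     "destination": dest, "extra": " ".join(extra.split())})
    return chains

def accept_rules(chains, chain):
    """Rules in `chain` that terminate with ACCEPT (jumps to user chains excluded)."""
    return [r for r in chains[chain]["rules"] if r["target"] == "ACCEPT"]

def unreferenced_chains(chains):
    """User-defined chains nothing jumps to: their rules never run."""
    return sorted(n for n, c in chains.items() if c["references"] == 0)
```

Running `accept_rules(parse_listing(SAMPLE), "INPUT")` shows the three ACCEPT rules, including the final `anywhere`-to-`anywhere` one, which is why the LAN subnet rules need the interface detail from `-v` to be judged.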
