/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */

Hello again.  I've spent several more hours trying to get my second "routed"
internal network masqed, without luck.  I have tried with both of the
sample basic and stronger rc.firewall examples making numerous changes that
I felt might work.  I am running RH 7.2 (2.4.7-10).  My gateway machine has
two NICs, eth0 is external DHCP, and the second NIC eth1 is 192.168.2.5/24.

I have another (wireless) network 192.168.1.0/24 with routed connectivity to
the 192.168.2.0 network via an NT box with NICs for both networks
(192.168.1.1 and 192.168.2.1).

IP masq is working fine from my laptop (or any other machine) when I am on
the 192.168.2.0 wired network.  However, if I move to the wireless
192.168.1.0 network from my laptop masq is not working.  In this
configuration I can ping the internal (192.168.2.5) address of the gateway
from the laptop, but not the DHCP assigned external address.  I can also
ping the laptop from the gateway.  Finally, I am able to surf the net from
the wireless laptop by configuring proxy to the gateway address.  I am
running Apache's proxy server.  The last statement would seem to indicate
that there are no iptables rules that are preventing 192.168.1.0 addresses
from getting out to the net, and it is likely something to do with the
forwarding or masqing.  Basic routing is obviously working fine between the
machines/networks.

Everything is becoming clearer as I continue to work through this stuff.
The iptables filter table makes quite a bit of sense - probably because most
of the documentation I have discusses it.  However, I am still pretty weak
on understanding the nat table (or any other tables), how packets make it to
the nat table (if they jump to ACCEPT in a filter table rule, do they get to
nat), what the differences are between the SNAT and MASQUERADE chains or any
other chains.  What are all the chains in the nat table and how do they
work?

Anyhow.  Here below is the relevant section of my rc.firewall as it sits now
delivering the above results.  INTIP, EXTIP, INTNET, INTNET2 are all being
set appropriately early as evidenced by the echoes when the script is
executed.  I do get an error with the --log-level info though.  Here it is
loading.

Thanks again for any assistance.

Greg


------------------------------

Loading STRONGER rc.firewall - version 0.70s..

  External Interface:  eth0
  Internal Interface:  eth1
  ---
  External IP: 24.141.122.225
  ---
  Internal Network: 192.168.2.0/24
  Internal IP:      192.168.2.5/24
  ---
  - Verifying that all kernel modules are ok
    Loading kernel modules: ip_tables, ip_conntrack, ip_conntrack_ftp,
                             ip_conntrack_irc, iptable_nat, ip_nat_ftp
  ---
  Enabling forwarding..
  Enabling DynamicAddr..
  ---
  Clearing any existing rules and setting default policy to DROP..
  Creating a DROP chain..
iptables v1.2.3: log-level `info' ambiguous
Try `iptables -h' or 'iptables --help' for more information.

   - Loading INPUT rulesets
      - Allowing EXTERNAL access to the WWW server
   - Loading OUTPUT rulesets
   - Loading FORWARD rulesets
     - FWD: Allow all connections OUT and only existing/related IN
     - NAT: Enabling SNAT (MASQUERADE) functionality on eth0




----------------------------------rc.firewall---------------------------------------


#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD are DROP.
#
#    You CANNOT change this to REJECT as it isn't a valid setting for a
#    policy.  If you want REJECT, you must explicitly REJECT at the end
#    of a given INPUT, OUTPUT, or FORWARD chain
#
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle
#
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z


#Configuring specific CHAINS for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will go to ALL vtys.  This is a very big
#       pain.
#
# NOTE: --log-level accepts the syslog priority as a number as well
#       as a name; 6 is "info" (see syslog.conf(5)) and avoids the
#       "log-level `info' ambiguous" error that iptables 1.2.3 prints
#       for the name.
#
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level 6
$IPTABLES -A drop-and-log-it -j DROP

echo -e "\n   - Loading INPUT rulesets"


#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET2 -d $UNIVERSE -j ACCEPT


# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -s $INTNET2 -d $UNIVERSE -j drop-and-log-it


# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet,
#  enable this next line
#
#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT


# remote interface, any source, going to permanent PPP address is valid
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT


# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT


# ----- Begin OPTIONAL Section -----
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
#$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
#$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
echo -e "      - Allowing EXTERNAL access to the WWW server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

#
# ----- End OPTIONAL Section -----



# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "   - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET2 -j ACCEPT


# local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET2 -j ACCEPT


# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET2 -j drop-and-log-it


# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT


# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
#-d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
#-d 255.255.255.255 --dport 68 -j ACCEPT


# Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "   - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#

echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
#
$IPTABLES -A FORWARD -j drop-and-log-it


echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP


#######################################################################
echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
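Added example (not part of Greg's post or of the rc.firewall script above): a small Python model of the order in which a 2.4 gateway consults the nat and filter tables, built from the FORWARD and POSTROUTING rules in the script and the addresses in the load log (eth0 = 24.141.122.225, eth1 = 192.168.2.5, 192.168.1.0/24 reached through eth1). It shows that a packet only reaches nat POSTROUTING after the filter FORWARD chain has ACCEPTed it (a drop in FORWARD never gets there), that the nat table is consulted only for the first packet of a connection and conntrack reverses the translation for replies in PREROUTING, that a packet addressed to the gateway's own external address takes the INPUT path rather than FORWARD, and the practical difference between `SNAT --to` a fixed address and MASQUERADE once a DHCP lease changes. The remote host 198.51.100.7 and the new lease 203.0.113.9 are constructed placeholders, and the `Gateway` class and its method names belong to this example only.

```python
"""Toy model of netfilter table traversal on a 2.4 masquerading gateway.

Constructed example.  The chain order (nat PREROUTING -> routing decision ->
filter FORWARD or INPUT -> nat POSTROUTING) and the rule that the nat table
is consulted only for the first packet of a connection are real netfilter
behaviour; the tuple bookkeeping below is a minimal stand-in for conntrack.
"""
import ipaddress

INTNET = ipaddress.ip_network("192.168.2.0/24")   # wired subnet, directly on eth1
INTNET2 = ipaddress.ip_network("192.168.1.0/24")  # wireless subnet, routed via 192.168.2.1
EXTIP = "24.141.122.225"                          # DHCP lease captured when rc.firewall ran
INTIP = "192.168.2.5"


class Gateway:
    def __init__(self, nat_mode="SNAT"):
        self.nat_mode = nat_mode                  # "SNAT" (fixed --to $EXTIP) or "MASQUERADE"
        self.if_addr = {"eth0": EXTIP, "eth1": INTIP}
        self.snat_to = EXTIP                      # value of $EXTIP baked into the SNAT rule
        self.conntrack = {}                       # (orig src, dst) -> src after SNAT
        self.reverse = {}                         # (remote, src after SNAT) -> orig src

    def route(self, dst):
        d = ipaddress.ip_address(dst)
        return "eth1" if (d in INTNET or d in INTNET2) else "eth0"

    def filter_forward(self, in_if, out_if, state):
        # The FORWARD chain of the posted rc.firewall, top to bottom.
        if in_if == "eth0" and out_if == "eth1" and state in ("ESTABLISHED", "RELATED"):
            return "ACCEPT"
        if in_if == "eth1" and out_if == "eth0":
            return "ACCEPT"
        return "DROP"                             # catch-all drop-and-log-it

    def nat_postrouting(self, src, out_if):
        # POSTROUTING -o eth0: SNAT rewrites to the address captured in the
        # rule, MASQUERADE reads the interface's address when the packet is seen.
        if out_if != "eth0":
            return src
        return self.snat_to if self.nat_mode == "SNAT" else self.if_addr["eth0"]

    def traverse(self, src, dst, in_if):
        """Return (verdict, src on the wire, dst on the wire, out_if, chains visited)."""
        path = ["nat:PREROUTING"]
        if (src, dst) in self.conntrack:
            state = "ESTABLISHED"
        elif (src, dst) in self.reverse:
            state = "ESTABLISHED"
            dst = self.reverse[(src, dst)]        # reply packet: conntrack undoes the SNAT here
        else:
            state = "NEW"
        out_if = self.route(dst)
        if dst in self.if_addr.values():
            path.append("filter:INPUT")           # for the box itself: never FORWARD/POSTROUTING
            return ("INPUT", src, dst, None, path)
        path.append("filter:FORWARD")
        verdict = self.filter_forward(in_if, out_if, state)
        if verdict != "ACCEPT":
            return (verdict, src, dst, out_if, path)  # dropped here, nat POSTROUTING never seen
        path.append("nat:POSTROUTING")
        if state == "NEW":                        # nat rules run only for the first packet
            new_src = self.nat_postrouting(src, out_if)
            self.conntrack[(src, dst)] = new_src
            self.reverse[(dst, new_src)] = src
        else:
            new_src = self.conntrack.get((src, dst), src)
        return ("ACCEPT", new_src, dst, out_if, path)


def source_after_lease_change(nat_mode):
    """Source address seen on eth0 for a new connection after the DHCP lease
    has changed but rc.firewall has not been re-run."""
    gw = Gateway(nat_mode)
    gw.if_addr["eth0"] = "203.0.113.9"            # constructed new lease
    return gw.traverse("192.168.2.20", "198.51.100.7", "eth1")[1]


if __name__ == "__main__":
    gw = Gateway("SNAT")
    print(gw.traverse("192.168.1.50", "198.51.100.7", "eth1"))   # wireless host out
    print(gw.traverse("198.51.100.7", EXTIP, "eth0"))             # its reply back in
    print(gw.traverse("198.51.100.7", "192.168.2.7", "eth0"))     # unsolicited inbound
    print(gw.traverse("192.168.1.50", EXTIP, "eth1"))             # ping to the external address
    print("SNAT:", source_after_lease_change("SNAT"), "MASQUERADE:", source_after_lease_change("MASQUERADE"))
```

Two things the model makes visible that matter for the setup described: pinging the gateway's external address from the laptop exercises INPUT and OUTPUT, not FORWARD or the nat table, so that symptom and the masq symptom are testing different chains; and with eth0 on DHCP, the "stricter" `SNAT --to $EXTIP` keeps translating to the address that was current when the script ran, whereas the commented-out MASQUERADE form follows the interface.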
_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.