Okay, the saga continues... I usually think I'm pretty bright; this
ipchains problem is a large blow to my self-esteem. I'm trying to teach
myself networking, but don't know how far I'm getting.
History of problem:
With much thanks to Clint Todish, I began to set up a firewall
configuration to use my Linux box to masq for my wife's Win95 comp.
Unfortunately, I haven't gotten that quite figured out yet, though I feel
that I'm close (I'm an old salt with computers, but still very green on
the network side). It was late last night, so I gave up, took down the
firewall and turned everything off.
This morning I tried to print something (HP deskjet is on the win95 box)
and couldn't. I can't even ping the win comp, and it can't ping me.
Firewall down, with default as ACCEPT anyway. I had a good ethernet
config previously (with the exception of the win95 not recognizing
names, only IP #'s (.SAM files are set, just not read for some reason)).
To troubleshoot, I set up the firewall again, and it's set up to ACCEPT
traffic in- and outbound on the eth0 interface, with all
protocols... Still no ping. Can ping self and loopback, cables are
connected, tried w/ip_forward echoed to 0 and 1. Looked through network
configuration and everything SEEMS to be the same.
What I was trying to do last night was figure out why the Win95 comp
could ping and communicate with the Linux box, yet Netscape could not
connect to it for proxy service. Used Netscape profiles to set it up
both for direct connection to internet AND proxy service via linux IP
(same as default gateway in TCP/IP setup...a problem?) with various
randomly picked ports centered around the HTTP port :1024 (I know
nothing of port choice). Netscape could not "reach" the proxy server,
even though it is just the linux box IP, and I don't understand networks
enough to know why. I have to assume that I screwed up the MASQ script,
but don't know why that would break the ethernet the next day.
Questions:
-Does ipchains stay configured through a reboot cycle?
-Even if it did, I should be able to cycle it back to the previous
config by tearing it down and rebuilding it, right?
-Modules can't seem to locate a net-pf-5. I don't know what or where
that is, I think it's a leftover from a previous kernel config, just
haven't gotten around to checking it out. (I just looked through my log
and saw that the kernel's still looking for that, so I guess that may be
a problem)
Information:
Ipchains list, route, ifconfig, and firewall up and down scripts are
attached as a rather long text file.
Linux box is RH5.1 w/kernel 2.1.125 configured w/all bells and whistles
for IP forwarding. EtherII PCI card from Linksys (both computers) with
network linked straight (no hub... 50-ohm resistor terminating both).
ipchains version is 1.3.6
Win95 comp has Netscape 4.05. TCP/IP was set up to work fine previously.
I would be VERY thankful for any help one could offer me on this
problem.
--
________________________________________
Jonathan Pennington
-Student Anthropologist/Geologist
-Linux User and Advocate
-Bart Simpson Sympathizer
Email at jwp(at)awod.com
_______________________________________
-----------------------------Cut Here--------------------------------
Chain input (policy ACCEPT: 128 packets, 23093 bytes):
 pkts bytes target  prot opt    tosa tosx ifname mark outsize source   destination ports
   52 62737 isp-in  all  ------ 0xFF 0x00 ppp0                 anywhere anywhere    n/a
    1   160 eth-in  all  ------ 0xFF 0x00 eth0                 anywhere anywhere    n/a
    0     0 ACCEPT  all  ------ 0xFF 0x00 lo                   anywhere anywhere    n/a
Chain forward (policy ACCEPT: 0 packets, 0 bytes):
 pkts bytes target  prot opt    tosa tosx ifname mark outsize source   destination ports
    0     0 MASQ    all  ------ 0xFF 0x00 any                  judys    anywhere    n/a
    0     0 MASQ    all  ------ 0xFF 0x00 any                  anywhere judys       n/a
Chain output (policy ACCEPT: 226 packets, 20799 bytes):
 pkts bytes target  prot opt    tosa tosx ifname mark outsize source   destination ports
   42  2422 isp-out all  ------ 0xFF 0x00 ppp0                 anywhere anywhere    n/a
    8   748 eth-out all  ------ 0xFF 0x00 eth0                 anywhere anywhere    n/a
    0     0 ACCEPT  all  ------ 0xFF 0x00 lo                   anywhere anywhere    n/a
Chain isp-in (refcnt = 1):
 pkts bytes target  prot opt    tosa tosx ifname mark outsize source   destination ports
    0     0 DENY    all  ----l- 0xFF 0x00 any                  home/24  anywhere    n/a
    0     0 ACCEPT  icmp ------ 0xFF 0x00 any                  anywhere anywhere    echo-reply
    0     0 ACCEPT  icmp ------ 0xFF 0x00 any                  anywhere anywhere    time-exceeded
    0     0 ACCEPT  icmp ------ 0xFF 0x00 any                  anywhere anywhere    destination-unreachable
   47 61972 ACCEPT  tcp  !y---- 0xFF 0x00 any                  anywhere anywhere    any ->any
    0     0 ACCEPT  tcp  ------ 0xFF 0x00 any                  anywhere anywhere    any ->http
    0     0 ACCEPT  tcp  ----l- 0xFF 0x00 any                  anywhere anywhere    any ->auth
    0     0 ACCEPT  tcp  ------ 0xFF 0x00 any                  anywhere anywhere    any ->any
    5   765 ACCEPT  udp  ------ 0xFF 0x00 any                  anywhere anywhere    any ->any
Chain isp-out (refcnt = 1):
 pkts bytes target  prot opt    tosa tosx ifname mark outsize source   destination ports
    0     0 ACCEPT  icmp ------ 0xFF 0x00 any                  anywhere anywhere    echo-request
    1   181 DENY    icmp ------ 0xFF 0x00 any                  anywhere anywhere    any ->any
Chain eth-in (refcnt = 1):
 pkts bytes target  prot opt    tosa tosx ifname mark outsize source   destination ports
    1   160 ACCEPT  all  ------ 0xFF 0x00 eth0                 home/24  anywhere    n/a
Chain eth-out (refcnt = 1):
 pkts bytes target  prot opt    tosa tosx ifname mark outsize source   destination ports
    7   588 ACCEPT  all  ------ 0xFF 0x00 eth0                 anywhere home/24     n/a
-------------------------Cut Here-----------------------------------------
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
judys           *               255.255.255.255  UH    0      0   0   eth0   (win95 comp)
tnt1.awod.com   *               255.255.255.255  UH    0      0   0   ppp0
192.0.0.0       *               255.255.255.0    U     0      0   0   eth0   (I don't know, just popped up)
home            *               255.255.255.0    U     0      0   0   eth0   (Network)
127.0.0.0       *               255.0.0.0        U     0      0   0   lo
default         tnt1.awod.com   0.0.0.0          UG    0      0   0   ppp0
--------------------------Cut Here----------------------------------------
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:3924 Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0

eth0      Link encap:Ethernet HWaddr 00:20:78:13:5B:A6
          inet addr:192.168.10.3 Bcast:192.255.255.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:38 errors:0 dropped:0 overruns:0 frame:0
          TX packets:212 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          Interrupt:10 Base address:0x6600

ppp0      Link encap:Point-to-Point Protocol
          inet addr:208.140.98.67 P-t-P:208.140.99.39 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1524 Metric:1
          RX packets:132 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
----------------------Cut Here---------------------------------
#!/bin/sh
# Firewall Configuration
# Echo every step, to track down errors easily
echo "Establishing Firewall..."
# Setup our default policies
# NOTE: while these two lines stay commented out, the built-in chains keep
# whatever policy they already had (ACCEPT after a fresh boot), so the only
# traffic this script ever blocks is what hits an explicit DENY rule below.
#ipchains -P input DENY
#ipchains -P forward ACCEPT
echo " -Setting ISP Rules"
# Define an inbound chain for our ISP
# (-N fails if the chain already exists: run the dismantle script first)
ipchains -N isp-in
ipchains -A input -i ppp0 -j isp-in
# Define an outbound chain for our ISP
ipchains -N isp-out
ipchains -A output -i ppp0 -j isp-out
# Define RFC 1918 (192.168.10.0/24) inbound chain (internal network)
ipchains -N eth-in
ipchains -A input -i eth0 -j eth-in
# Define RFC 1918 (192.168.10.0/24) outbound chain
ipchains -N eth-out
ipchains -A output -i eth0 -j eth-out
#************ ISP inbound rules
echo " Inbound..."
# don't allow our internal address to come in from the ISP (anti-spoofing, logged)
ipchains -A isp-in -s 192.168.10.0/24 -l -j DENY
# accept echo-reply (for ICMP, the "source port" field is the ICMP type)
ipchains -A isp-in -p ICMP -s 0.0.0.0/0 echo-reply -j ACCEPT
# accept time-exceeded (for downed hosts/traceroutes)
ipchains -A isp-in -p ICMP -s 0.0.0.0/0 time-exceeded -j ACCEPT
# accept destination-unreachable
ipchains -A isp-in -p ICMP -s 0.0.0.0/0 destination-unreachable -j ACCEPT
# accept all tcp connections inbound that are already established (no SYN flag)
ipchains -A isp-in -p TCP ! -y -j ACCEPT
# accept web traffic inbound (for a web server)
ipchains -A isp-in -p TCP -d 0.0.0.0/0 www -j ACCEPT
# accept ident traffic (IRC mostly), logged
ipchains -A isp-in -p TCP -d 0.0.0.0/0 113 -l -j ACCEPT
# accept traffic bound for the MASQ ports.
# The kernel rewrites masqueraded sources to ports 61000-65095, so only that
# range needs to be open here; a range of 0:65535 would admit every TCP/UDP port.
ipchains -A isp-in -p TCP -d 0.0.0.0/0 61000:65095 -j ACCEPT
ipchains -A isp-in -p UDP -d 0.0.0.0/0 61000:65095 -j ACCEPT
# ************** ISP outbound rules
echo " Outbound..."
# some sanity checks for ICMP: only let our own pings out, drop other ICMP
ipchains -A isp-out -p ICMP -s 0.0.0.0/0 echo-request -j ACCEPT
ipchains -A isp-out -p ICMP -j DENY
# ********** RFC 1918 inbound rules
echo " -Setting ethernet rules"
echo " Inbound..."
# accept local traffic inbound (needed once the input chain denies by default;
# -p 0 means "any protocol")
ipchains -A eth-in -p 0 -s 192.168.10.0/24 -i eth0 -j ACCEPT
# ********** RFC 1918 outbound rules
echo " Outbound..."
# accept all traffic going to judy's computer
ipchains -A eth-out -d 192.168.10.0/24 -i eth0 -p 0 -j ACCEPT
echo " -Setting masquerading and forwarding rules"
# *************** Configure Masquerading and Forwarding
# forwarding must be switched on in the kernel, or the forward chain (and the
# MASQ rule in it) is never consulted
echo 1 > /proc/sys/net/ipv4/ip_forward
# define our masq rule: only packets FROM judy's box need masquerading.
# Replies are demasqueraded by the kernel after the input chain and go
# straight to the output chain, so a mirror rule with -d 192.168.10.2/32
# would never be matched and is not needed.
ipchains -A forward -s 192.168.10.2/32 -d 0.0.0.0/0 -j MASQ
echo " -Opening internal network"
#***************** Localhost permissions
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
-------------------------Cut Here-----------------------------
#!/bin/sh
# Dismantle firewall
echo "Dismantling firewall..."
# flush all rules from every chain (built-in and user-defined)
ipchains -F
# Delete made chains (only possible once they are empty and unreferenced)
ipchains -X isp-in
ipchains -X isp-out
ipchains -X eth-in
ipchains -X eth-out
# Make internal network work: put the input policy back to ACCEPT
ipchains -P input ACCEPT
--------------------------Cut Here----------------------
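For comparison, here is the same box-plus-Win95-client setup done as a default-deny ruleset. This is an added example written for this page, not Jonathan's scripts and not anything from the ipchains project: it assumes the interfaces and addresses the post gives (ppp0 to the ISP, eth0 on 192.168.10.0/24), and that the kernel's masquerade port range is the 2.0/2.2 default of 61000-65095. The function names (rule, rules, apply_rules) are the example's own. It prints the ruleset when run with no argument, and only executes it (and turns on ip_forward) when run as "apply".

```shell
#!/bin/sh
# Added example: default-deny ipchains masquerading for a Linux gateway.
# Assumptions (not taken from the original post's scripts): ppp0 faces the
# ISP, eth0 faces the LAN 192.168.10.0/24, and masqueraded connections use
# the kernel's default port range 61000-65095.
#
#   sh masq-fw.sh         # dry run: print the ipchains commands
#   sh masq-fw.sh apply   # as root: enable forwarding and load the rules

EXT=ppp0
INT=eth0
LAN=192.168.10.0/24
IPCHAINS=ipchains

# rule: emit one ipchains command line instead of running it directly,
# so the ruleset can be reviewed (or unit-tested) before it is loaded.
rule() { printf '%s %s\n' "$IPCHAINS" "$*"; }

# rules: the whole ruleset, one command per line, in load order.
rules() {
    # Start from a clean slate so the script can be re-run safely
    # (ipchains -N fails if a chain of that name already exists).
    rule -F
    rule -X
    # Default-deny for packets to us and through us; output stays open.
    rule -P input DENY
    rule -P forward DENY
    rule -P output ACCEPT
    # Loopback and the internal LAN are trusted.
    rule -A input -i lo -j ACCEPT
    rule -A input -i $INT -s $LAN -j ACCEPT
    # Anti-spoofing: our own LAN prefix must never arrive on the ISP link.
    rule -A input -i $EXT -s $LAN -l -j DENY
    # Replies to our own outbound TCP (no SYN) and replies to masqueraded
    # sessions, which come back addressed to the masquerade port range.
    rule -A input -i $EXT -p tcp ! -y -j ACCEPT
    rule -A input -i $EXT -p tcp -d 0.0.0.0/0 61000:65095 -j ACCEPT
    rule -A input -i $EXT -p udp -d 0.0.0.0/0 61000:65095 -j ACCEPT
    # ICMP that ping, traceroute and path-MTU discovery depend on.
    for t in echo-reply time-exceeded destination-unreachable; do
        rule -A input -i $EXT -p icmp -s 0.0.0.0/0 $t -j ACCEPT
    done
    # Log anything else from the ISP before the DENY policy eats it.
    rule -A input -i $EXT -l -j DENY
    # Masquerade only LAN-sourced packets leaving via the ISP link. Replies
    # are demasqueraded by the kernel and never traverse the forward chain,
    # so no mirror rule for the return direction is needed.
    rule -A forward -i $EXT -s $LAN -j MASQ
}

# apply_rules: switch on forwarding, then run every emitted command,
# stopping at the first one that fails.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *) rules ;;
esac
```

After "apply", ipchains -L -n -v should show the forward policy as DENY with a single MASQ rule, and cat /proc/sys/net/ipv4/ip_forward should print 1; if the Win95 box still cannot ping the gateway at that point, the problem is below the firewall (ifconfig/route), not in the rules.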