Networking Forums

IP MASQ won't work

Chris
09-01-2003, 05:53 PM
Hi, I am trying to run an IP MASQ firewall for 2 computers. The
linuxbox will sit in between the university network and my 2 winboxes.
eth0 is the exterior interface, eth1 is the interior. I have
everything except the firewall script set up. I have used a couple from
different HOWTOs and none of them will work. I have even tried just
"iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" with everything
else set to accept, and it won't work.
Here is the script I am currently using:

#!/bin/bash
#
# rc.firewall-2.4
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset, either given later in this HOWTO or
# from another reputable resource.
#
# NOTE: this test ruleset leaves the gateway itself wide open
# (INPUT and OUTPUT policy ACCEPT) and masquerades every packet
# that leaves $EXTIF whatever its source address. It is for
# confirming that forwarding and NAT work, not for production use.
#

echo -e "\n\nLoading simple rc.firewall\n"

# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe

# Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the NATting will occur and the internal network
# should preferably be addressed with an RFC 1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal.
#
# NOTE: If this doesn't EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables below. For example, if you
# are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
#======================================================================

echo -en " loading modules: "

# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manually load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below; the ones you do not need are commented out.
#===============================================================

echo "----------------------------------------------------------------------"

# Load the main body of the IPTABLES module - "ip_tables"
# - Loaded automatically when the "iptables" command is invoked
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables

# Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated

# Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards, such as the
# "ip_conntrack_ftp" module
#
# - This module is loaded automatically when MASQ functionality is
#   enabled
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack

# Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp

# Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc

# Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat

# Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp

# Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc

echo "----------------------------------------------------------------------"

# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should only be
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
# ipt_MARK      - this target marks a given packet for future action;
#                 ipt_mark is the matching counterpart that tests the mark
#
# ipt_TCPMSS    - this target rewrites the TCP MSS option for
#                 braindead remote firewalls; ipt_tcpmss is the match
#                 on MSS values
#
# ipt_limit     - this match rate-limits how often a rule fires
#                 (so many hits per sec/min/hr), typically used with LOG
#
# ipt_multiport - this match allows a list of ports in one rule
#                 instead of listing each port individually
#
# ipt_state     - this match classifies packets by connection-tracking
#                 state (NEW, ESTABLISHED, RELATED, INVALID)
#
# ipt_unclean   - this experimental match catches packets with
#                 malformed or invalid IP/TCP headers
#
# iptable_filter - this module allows for packets to be DROPped,
#                 REJECTed, or LOGged. This module automatically
#                 loads the following modules:
#
#   ipt_LOG     - this target allows for packets to be logged
#
#   ipt_REJECT  - this target DROPs the packet and returns
#                 a configurable ICMP packet back to the sender.
#
# iptable_mangle - this table allows for packets to be manipulated
#                 for things like the TCPMSS option, etc.

echo -e " Done loading modules.\n"

# CRITICAL: Enable IP forwarding, since it is disabled by default.
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable the following option. This enables dynamic-address hacking,
# which makes life with Diald and similar programs much easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on external interface "eth0". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
# ** Please change the interface names above to match your setup.
# ** The MASQUERADE rule below carries no "-s" restriction, so every
# ** packet leaving $EXTIF is rewritten; a production ruleset should
# ** add "-s 192.168.0.0/24" (your internal network) to it.
#

# Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT are ACCEPT.
# The default for FORWARD is DROP (REJECT is not a valid policy).
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Everything that falls through is logged and then hits the DROP policy.
# (There is no "-m limit" here, so a flood will fill syslog.)
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 done.\n"

<--------end of script--------->

Chris
09-02-2003, 09:31 PM
(E-Mail Removed) (Chris) wrote in message news:<(E-Mail Removed). com>...
> Hi, I am trying to run an IP MASQ firewall for 2 computers. The
> linuxbox will sit in between the university network and my 2 winboxes.
> eth0 is the exterior interface, eth1 is the interior. I have
> everything except the firewall script set up. I have used a couple from
> different HOWTOs and none of them will work. I have even tried just
> "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" with everything
> else set to accept, and it won't work.
> Here is the script I am currently using:
>
> [rc.firewall-2.4 script quoted in full above]


Does anybody have any clues as to why this script will not work? I am
running Red Hat linux 7.3 with all updates.

jack
09-03-2003, 05:55 AM
Chris wrote:

>>Here is the script I am currently using:


> Does anybody have any clues as to why this script will not work? I am
> running Red Hat linux 7.3 with all updates.


Hi,

Your script seems to be ok, basically, but it would be helpful if You
could say what exactly "does not work"...

Firstly, the output of "lsmod" after running this script would be of
interest, and then "iptables -L -n -x -v", and this again with "-t nat"
appended - provided that Your script itself doesn't produce any
errors. If it does, post them first. I assume that some line breaks come
from posting the script and are not in the original one.


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...


Chris
09-03-2003, 04:06 PM
jack <(E-Mail Removed)> wrote in message news:<bj3vnq$tvf$01$(E-Mail Removed)>...
> Chris wrote:
>
> >>Here is the script I am currently using:

>
> > Does anybody have any clues as to why this script will not work? I am
> > running Red Hat linux 7.3 with all updates.

>
> Hi,
>
> Your script seems to be ok, basically, but it would be helpful if You
> could say what exactly "does not work"...
>
> Firstly, the output of "lsmod" after running this script would be of
> interest, and then "iptables -L -n -x -v", and this again with "-t nat"
> appended - providing that Your script for itself doesn't produce any
> errors. If so, post them first. I assume that some line breaks come
> from posting the script and are not in the original one.
>
>
> Cheers, Jack.


When I do lsmod after starting the script everything seems to be ok.
Here is the iptables output:

iptables -L -n -v -x
Chain INPUT (policy DROP 36 packets, 3024 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth1   *       192.168.1.100        192.168.1.1
       0          0 ACCEPT     all  --  eth1   *       192.168.1.101        192.168.1.1
     107      10239 ACCEPT     all  --  *      *       192.168.1.1          0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 143 packets, 13263 bytes)
    pkts      bytes target     prot opt in     out     source               destination

iptables -L -n -v -x -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10 packets, 1428 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 10 packets, 1428 bytes)
    pkts      bytes target     prot opt in     out     source               destination
<------end of iptables output--------->

There are line breaks in the original script from the HOWTO, which I
just copied over. All I did was make some slight changes in the INPUT
chain or anything regarding DHCP and such. The line breaks I believe
you are talking about are the #======== and #------- and echo
"---------". Those are put there just so things are separated nicely.
I'm sorry for being so general in my post, I must learn to stop
that.
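Jack asked for the counters, and the listing above is what they show: every FORWARD rule and the MASQUERADE rule sit at zero, while the INPUT policy has dropped 36 packets. The script below is an added example, not something from the thread: it reads `iptables -L -n -v -x` output from stdin and reports mechanically what a person would read off by eye, namely chain policies that have swallowed packets, rules that have never matched, and ACCEPT rules keyed on a source address with no input interface (the kind of rule Jack later calls spoofable). The embedded sample is constructed from Chris's listing; on a live box pipe the real output in instead.

```shell
#!/bin/sh
# audit_listing: summarise `iptables -L -n -v -x` output.  Added example;
# the SAMPLE below is constructed from the listing posted in this thread.
SAMPLE='Chain INPUT (policy DROP 36 packets, 3024 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth1   *       192.168.1.100        192.168.1.1
       0          0 ACCEPT     all  --  eth1   *       192.168.1.101        192.168.1.1
     107      10239 ACCEPT     all  --  *      *       192.168.1.1          0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain POSTROUTING (policy ACCEPT 10 packets, 1428 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# Reads a listing on stdin and prints one finding per line:
#   POLICYHIT <chain> <policy> <pkts>            packets fell through to the policy
#   UNUSED <chain> <target> <in> <out> <src> <dst> rule has never matched anything
#   SPOOFABLE <chain> <src>                      ACCEPT on a source address with in=*
# Columns of a rule line: pkts bytes target prot opt in out source destination ...
audit_listing() {
  awk '
    /^Chain / {
      chain = $2
      if ($3 == "(policy" && $5 + 0 > 0)
        printf "POLICYHIT %s %s %s\n", chain, $4, $5
      next
    }
    /^ *pkts/ || NF == 0 { next }
    {
      if ($1 + 0 == 0)
        printf "UNUSED %s %s %s %s %s %s\n", chain, $3, $6, $7, $8, $9
      if ($3 == "ACCEPT" && $6 == "*" && $8 != "0.0.0.0/0")
        printf "SPOOFABLE %s %s\n", chain, $8
    }'
}

# Stand-alone run: audit the constructed sample.
# Live use on the gateway:  iptables -L -n -v -x | audit_listing
printf '%s\n' "$SAMPLE" | audit_listing
```

Reading the findings: a FORWARD chain where even the inside-to-outside ACCEPT rule has never fired means no client packet has been routed through the box at all, so the fault is before the filter (forwarding, routing, or the client's gateway setting) rather than in the rule text; a POLICYHIT on INPUT with DROP means something addressed to the gateway itself is being discarded, which is worth a LOG rule before the policy to see what it is.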

jack
09-04-2003, 07:37 AM
Chris wrote:

> When I do lsmod after starting the script everything seems to be ok.
> Here is the iptables output:
>
> iptables -L -n -v -x
> Chain INPUT (policy DROP 36 packets, 3024 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>        0          0 ACCEPT     all  --  eth1   *       192.168.1.100        192.168.1.1
>        0          0 ACCEPT     all  --  eth1   *       192.168.1.101        192.168.1.1
>      107      10239 ACCEPT     all  --  *      *       192.168.1.1          0.0.0.0/0


You should withdraw this rule. Read about "spoofing ip addresses".
Better use something like "-i lo" for this.


> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>        0          0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>        0          0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
>        0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4


One question here: What does Your outside NIC (eth0) connect to?

For testing, it may be a good idea to simply allow everything to be
forwarded. This is not harmful, because Your inside clients cannot
be addressed directly from the outside, and everything else will be
dropped by the INPUT chain or has come through masquerading already
and will be sent to its destination.


> Chain OUTPUT (policy ACCEPT 143 packets, 13263 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>
> iptables -L -n -v -x -t nat
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 10 packets, 1428 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>        0          0 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0


In what context did You list all this...? - Have You tried to reach
the world from one of Your clients already? If so, the counters should
be != 0 here.


> Chain OUTPUT (policy ACCEPT 10 packets, 1428 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
> <------end of iptables output--------->
>
> There are line breaks in the original script from the HOWTO, which I
> just copied over. All i did was make any slight changes in the INPUT
> chains or anything regaurding DHCP and such. The line break I believe
> you are talking about are the #======== and #------- and echo
> "---------". Those are put there just so things are separated nicely.


There were some comments broken, so that some words appeared at the
beginning of a line, which will make them be read in as commands. -
If the script produces no errors on that, it's okay.

The question is, what does eth0 connect to.


Cheers, Jack.


W Cardwell
09-05-2003, 12:39 PM
RedHat has another way to enable and disable IP forwarding, in
/etc/sysctl.conf. Make sure yours says

net.ipv4.ip_forward=1

If that looks OK, can you post the output of 'ifconfig' and 'route -n' ?
--

wcardwell at nc dot rr dot com

Chris
09-06-2003, 04:00 AM
jack <(E-Mail Removed)> wrote in message news:<bj6q3o$jfn$04$(E-Mail Removed)>...
> [Jack's reply of 09-04-2003, quoted in full above]


eth0 is connected to my university network. I have tried forwarding
everything but that doesn't work.

Chris
09-06-2003, 04:24 AM
"W Cardwell" <(E-Mail Removed)> wrote in message news:<Ft%5b.7555$(E-Mail Removed) m>...
> RedHat has another way to enable and disable IP forwarding, in
> /etc/sysctl.conf. Make sure yours says
>
> net.ipv4.ip_forward=1
>
> If that looks OK, can you post the output of 'ifconfig' and 'route -n' ?


output of ifconfig

eth0 Link encap:Ethernet HWaddr 00:04:5A:57:98:4A
inet addr:150.135.180.52 Bcast:150.135.181.255 Mask:255.255.254.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30896 errors:0 dropped:0 overruns:0 frame:0
TX packets:463 errors:2 dropped:0 overruns:0 carrier:4
collisions:18 txqueuelen:100
RX bytes:2788946 (2.6 Mb) TX bytes:53529 (52.2 Kb)
Interrupt:11 Base address:0xcc00

eth1 Link encap:Ethernet HWaddr 00:01:03E:08:CF
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:517 errors:0 dropped:0 overruns:0 frame:0
TX packets:968 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:69822 (68.1 Kb) TX bytes:285424 (278.7 Kb)
Interrupt:10 Base address:0xec00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1400 (1.3 Kb) TX bytes:1400 (1.3 Kb)
<--------end of ifconfig--------->

output of route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
150.135.180.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 150.135.180.1 0.0.0.0 UG 0 0 0 eth0
<--------end of route----------->

Chris
09-06-2003, 06:59 PM
(E-Mail Removed) (Chris) wrote in message news:<(E-Mail Removed). com>...
> [exchange with Jack, quoted in full above]
>
> eth0 is connected to my university network. I have tried forwarding
> everything but that doesn't work.


I have been doing some testing but I can't seem to resolve this thing.
I am trying to use my laptop to connect to the internet through my
linuxbox. I can see the internet, but I can only surf the web using IP
addresses. I can't ping or go to www.arizona.edu, but I can ping and
go to 128.196.133.81. In /etc/resolve.conf I have:
nameserver 128.196.11.233
nameserver 128.196.11.234
nameserver 128.196.11.235

As those are the nameservers I get on my desktop winbox when I run
ipconfig /all. My laptop connects to my linuxbox through eth1 with a
crossover cable. I have eth0 get its IP from the DHCP server, and eth1
is static at 192.168.1.1. I set my /etc/sysconfig/network file to get
the ip address of eth0 `ifconfig eth0 | grep 'inet addr' | awk '{print
$2}' | sed -e s/.*://' and assign it to GATEWAY and GATEWAYDEV=eth0.
/etc/sysctl.conf has net.ipv4.ip_forward = 1. I can ping
www.arizona.edu from a tty on the linuxbox. I am just unsure as to how
I can get the laptop to resolve domain names. Thank you for any help
you can provide.
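Jack's diagnostic above rests on two things that are easy to miss when reading `iptables -L -n -v -x` by eye: which rules have never matched a packet (the FORWARD and POSTROUTING counters should be non-zero once a client has tried to reach the outside), and the INPUT rule that accepts the gateway's own address 192.168.1.1 on any interface instead of only on `lo`. The script below is an added example, not code from this thread or from the HOWTO; it parses the filter-table listing (re-joined into one line per rule, as iptables actually prints it) and reports both conditions. The sample output is constructed from the counters Chris posted.

```python
"""Parse `iptables -L -n -v -x` output: report rules that never matched a
packet, and INPUT rules that accept the gateway's own address from any
interface (the rule Jack flagged as spoofable; it belongs on `-i lo`)."""
import re
from dataclasses import dataclass

# Constructed sample: the filter-table listing from the thread, with each
# rule on one line (the forum wrapped every rule across two lines).
SAMPLE_FILTER = """\
Chain INPUT (policy DROP 36 packets, 3024 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth1   *       192.168.1.100        192.168.1.1
       0          0 ACCEPT     all  --  eth1   *       192.168.1.101        192.168.1.1
     107      10239 ACCEPT     all  --  *      *       192.168.1.1          0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 143 packets, 13263 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""


@dataclass
class Rule:
    chain: str
    pkts: int
    bytes_: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match options such as "state RELATED,ESTABLISHED"


# Built-in chains print "(policy ...)", user chains "(N references)"; the
# name is all we need from either form.
CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_rules(text):
    """Return one Rule per rule line; header, blank and chain lines are skipped."""
    rules = []
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        f = line.split()
        # Columns: pkts bytes target prot opt in out source destination [extra...]
        if chain is None or len(f) < 9 or not f[0].isdigit():
            continue
        rules.append(Rule(chain, int(f[0]), int(f[1]), f[2], f[3],
                          f[5], f[6], f[7], f[8], " ".join(f[9:])))
    return rules


def chain_packets(rules, chain):
    """Total packets matched by the rules of one chain (policy hits excluded)."""
    return sum(r.pkts for r in rules if r.chain == chain)


def unmatched_rules(rules):
    """Rules whose packet counter is still zero: no traffic has hit them yet."""
    return [r for r in rules if r.pkts == 0]


def spoofable_local_accepts(rules, gateway_ip):
    """INPUT ACCEPT rules keyed only on the gateway's own address, with no
    input interface: a packet arriving on eth0 with that forged source would
    also be accepted. Restricting the rule with `-i lo` closes that gap."""
    return [r for r in rules
            if r.chain == "INPUT" and r.target == "ACCEPT"
            and r.in_if == "*" and r.src == gateway_ip]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_FILTER)
    print("FORWARD packets matched:", chain_packets(rules, "FORWARD"))
    for r in unmatched_rules(rules):
        print(f"never matched: {r.chain} {r.target} in={r.in_if} out={r.out_if} "
              f"{r.src} -> {r.dst} {r.extra}".rstrip())
    for r in spoofable_local_accepts(rules, "192.168.1.1"):
        print(f"spoofable: {r.chain} ACCEPT src={r.src} on any interface; use -i lo")
```

Run it against a live box with `iptables -L -n -v -x | python3 this_script.py` after swapping `SAMPLE_FILTER` for `sys.stdin.read()`; a FORWARD total of zero after a client has tried to browse means the packets are not even reaching the forwarding path, which points at the client's gateway setting or `ip_forward` rather than at the masquerade rule itself.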
Chris
Guest
Posts: n/a

 
      09-07-2003, 11:11 PM
(E-Mail Removed) (Chris) wrote in message news:<(E-Mail Removed). com>...
> (E-Mail Removed) (Chris) wrote in message news:<(E-Mail Removed). com>...
> > jack <(E-Mail Removed)> wrote in message news:<bj6q3o$jfn$04$(E-Mail Removed)>...
> > > Chris wrote:
> > >
> > > > When I do lsmod after starting the script everything seems to be ok.
> > > > Here is the iptables output:
> > > >
> > > > iptables -L -n -v -x
> > > > Chain INPUT (policy DROP 36 packets, 3024 bytes)
> > > > pkts bytes target prot opt in out source
> > > > destination
> > > > 0 0 ACCEPT all -- eth1 * 192.168.1.100
> > > > 192.168.1.1
> > > > 0 0 ACCEPT all -- eth1 * 192.168.1.101
> > > > 192.168.1.1
> > > > 107 10239 ACCEPT all -- * * 192.168.1.1
> > > > 0.0.0.0/0
> > >
> > > You should withdraw this rule. Read about "spoofing ip addresses".
> > > Better use something like "-i lo" for this.
> > >
> > >
> > > > Chain FORWARD (policy DROP 0 packets, 0 bytes)
> > > > pkts bytes target prot opt in out source
> > > > destination
> > > > 0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0
> > > > 0.0.0.0/0 state RELATED,ESTABLISHED
> > > > 0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0
> > > > 0.0.0.0/0
> > > > 0 0 LOG all -- * * 0.0.0.0/0
> > > > 0.0.0.0/0 LOG flags 0 level 4
> > >
> > > One question here: What does Your outside NIC (eth0) connect to?
> > >
> > > For testing, it may be a good idea to simply allow everything to be
> > > forwarded. This is not harmful, because Your inside clients cannot
> > > be addressed directly from the outside, and everything else will be
> > > dropped by the INPUT chain or has come through masquerading already
> > > and will be sent to its destination.
> > >
> > >
> > > > Chain OUTPUT (policy ACCEPT 143 packets, 13263 bytes)
> > > > pkts bytes target prot opt in out source
> > > > destination
> > > >
> > > > iptables -L -n -v -x -t nat
> > > > Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> > > > pkts bytes target prot opt in out source
> > > > destination
> > > >
> > > > Chain POSTROUTING (policy ACCEPT 10 packets, 1428 bytes)
> > > > pkts bytes target prot opt in out source
> > > > destination
> > > > 0 0 MASQUERADE all -- * eth0 0.0.0.0/0
> > > > 0.0.0.0/0
> > >
> > > In what context did You list all this...? - Have You tried to reach
> > > the world from one of Your clients already? If so, the counters should
> > > be != 0 here.
> > >
> > >
> > > > Chain OUTPUT (policy ACCEPT 10 packets, 1428 bytes)
> > > > pkts bytes target prot opt in out source
> > > > destination
> > > > <------end of iptables output--------->
> > > >
> > > > There are line breaks in the original script from the HOWTO, which I
> > > > just copied over. All I did was make any slight changes in the INPUT
> > > > chains or anything regarding DHCP and such. The line breaks I believe
> > > > you are talking about are the #======== and #------- and echo
> > > > "---------". Those are put there just so things are separated nicely.
> > >
> > > There were some comments broken, so that some words appeared at the
> > > beginning of a line, which will make them be read in as commands. -
> > > If the script produces no errors on that, it's okay.
> > >
> > > The question is, what does eth0 connect to.
> > >
> > >
> > > Cheers, Jack.

> >
> > eth0 is connected to my university network. I have tried forwarding
> > everything but that doesn't work.

>
> I have been doing some testing but I can't seem to resolve this thing.
> I am trying to use my laptop to connect to the internet through my
> linuxbox. I can see the internet, but I can only surf the web using IP
> addresses. I can't ping or go to www.arizona.edu, but I can ping and
> go to 128.196.133.81. In /etc/resolve.conf I have:
> nameserver 128.196.11.233
> nameserver 128.196.11.234
> nameserver 128.196.11.235
>
> As those are the nameservers I get on my desktop winbox when I run
> ipconfig /all. My laptop connects to my linuxbox through eth1 with a
> crossover cable. I have eth0 get its IP from the DHCP server, and eth1
> is static at 192.168.1.1. I set my /etc/sysconfig/network file to get
> the ip address of eth0 `ifconfig eth0 | grep 'inet addr' | awk '{print
> $2}' | sed -e s/.*://' and assign it to GATEWAY and GATEWAYDEV=eth0.
> /etc/sysctl.conf has net.ipv4.ip_forward = 1. I can ping
> www.arizona.edu from a tty on the linuxbox. I am just unsure as to how
> I can get the laptop to resolve domain names. Thank you for any help
> you can provide.


Is there anything I may be missing?