#1
I tried making a home network (SOHO) connected to the internet through a firewall which doubles as the server (DHCP, DNS, MAIL, WEB) but I got frustrated.

First I enabled IP forwarding, ipv4_forward = 1. I also configured the network cards, eth0 and eth1. The eth0 is up and running but the eth1 is just up and not running (as it did not display RUNNING but only UP). Could this make workstations (basically Windows) unable to ping/connect to the firewall/server machine? I tried pinging the firewall but it couldn't (Destination host unreachable). In fact the firewall could not ping the gateway machine (the ISP's machine). This may be understandable as the ISP might have blocked machines from pinging it or telnetting it.

How do I make it forward the packets to workstations?
How do I configure the DHCP services?
How do I masquerade and route the IP addresses of the workstations?
How do I define the gateways both for the ISP and for the workstations?
How do I know when I can connect to the ISP server without the pinging option?
How do I enable workstations to ping my firewall machine?

lekkie.aydot@gmail.com
#2
(E-Mail Removed) wrote:
> I tried making a home network (SOHO) connected to the internet through a
> firewall which doubles as the server (DHCP, DNS, MAIL, WEB) but I got
> frustrated.
> First I enabled IP forwarding, ipv4_forward = 1. I also configured the
> network cards, eth0 and eth1. The eth0 is up and running but the eth1 is
> just up and not running (as it did not display RUNNING but only UP).
> Could this make workstations (basically Windows) unable to ping/connect to
> the firewall/server machine? I tried pinging the firewall but it couldn't
> (Destination host unreachable). In fact the firewall could not ping the
> gateway machine (the ISP's machine). This may be understandable as the
> ISP might have blocked machines from pinging it or telnetting it.
>
> How do I make it forward the packets to workstations?
> How do I configure the DHCP services?
> How do I masquerade and route the IP addresses of the workstations?
> How do I define the gateways both for the ISP and for the workstations?
> How do I know when I can connect to the ISP server without the pinging
> option?
> How do I enable workstations to ping my firewall machine?

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

--
#############################################################
# http://users.teledisnet.be/web/ari01350/ToYKillAS.jpg     #
# -=- Der Säger von St. Georg -=-                           #
#############################################################
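The single MASQUERADE rule above only rewrites source addresses; by itself it does not make the box forward anything. The script below is an added example, not code from any poster in this thread, that builds the rest of what the original question asks for: the kernel sysctl (it is net.ipv4.ip_forward, not ipv4_forward), a FORWARD chain that actually lets LAN traffic out, and INPUT rules so the workstations can ping the firewall and reach the DHCP and DNS services it runs. It also includes a carrier check, because an interface that shows UP but not RUNNING has no link-layer carrier (cable, switch port or driver problem) and no iptables rule will change that. The interface names eth0 (ISP side), eth1 (LAN side) and the LAN prefix 192.168.0.0/24 are assumptions matching the thread; the ruleset is emitted in iptables-restore format so it can be inspected before it is applied.

```shell
#!/bin/sh
# Added example (not from any post in this thread): minimal SOHO NAT and
# forwarding ruleset.  WAN/LAN names and the LAN prefix are assumptions.
WAN=${WAN:-eth0}                 # towards the ISP
LAN=${LAN:-eth1}                 # towards the workstations
LANNET=${LANNET:-192.168.0.0/24}

# "UP" without "RUNNING" means the kernel brought the interface up but sees
# no carrier.  Check that before blaming the firewall rules.
link_state() {
    # usage: link_state <ifname>   -> prints up, down or unknown
    f="/sys/class/net/$1/carrier"
    if [ -r "$f" ]; then
        case "$(cat "$f" 2>/dev/null)" in
            1) echo up ;;
            *) echo down ;;
        esac
    else
        echo unknown
    fi
}

# Emit the ruleset in iptables-restore format.  Lines starting with '#'
# are ignored by iptables-restore, so the comments can stay in.
gen_rules() {
    wan=$1; lan=$2; lannet=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# hide the RFC 1918 LAN behind whatever address the ISP gives $wan
-A POSTROUTING -s $lannet -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# workstations may ping the firewall and use its DHCP and DNS
-A INPUT -i $lan -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
# DHCP lease replies from the ISP when $wan is configured by DHCP
-A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
# services exposed to the ISP side (mail, web) need their own INPUT rules;
# nothing is opened towards $wan by default
# MASQUERADE alone does nothing while FORWARD drops the packets
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lannet -j ACCEPT
COMMIT
EOF
}

# Number of rules the generator produces (handy for a quick sanity check)
rule_count() { gen_rules "$1" "$2" "$3" | grep -c '^-A'; }

# Apply: needs root.  Forwarding must be switched on in the kernel as well.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules "$WAN" "$LAN" "$LANNET" | iptables-restore
}

case "${1:-}" in
    --apply) apply_rules ;;
    --show)  gen_rules "$WAN" "$LAN" "$LANNET" ;;
    --link)  link_state "${2:-$LAN}" ;;
esac
```

Run it with `--show` to review the rules, `--link eth1` to confirm the LAN side has a carrier (`ip link show eth1` will also print NO-CARRIER in that case), and `--apply` as root once the output looks right. The firewall's own default route towards the ISP is a routing entry, not a firewall rule (`ip route add default via <ISP gateway> dev eth0`); the workstations get theirs from the `option routers` line in dhcpd.conf. A gateway that does not answer ping can still be checked by looking at whether `ip neigh show dev eth0` learns its MAC address and whether traffic through it (a DNS lookup, a TCP connect) succeeds.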
#3
|
|||
|
|||
|
(E-Mail Removed) wrote:
> I tried making a home network (SOHO) connected to the internet through a
> firewall which doubles as the server (DHCP, DNS, MAIL, WEB) but I got
> frustrated.
> First I enabled IP forwarding, ipv4_forward = 1. I also configured the
> network cards, eth0 and eth1. The eth0 is up and running but the eth1 is
> just up and not running (as it did not display RUNNING but only UP).
> Could this make workstations (basically Windows) unable to ping/connect to
> the firewall/server machine? I tried pinging the firewall but it couldn't
> (Destination host unreachable). In fact the firewall could not ping the
> gateway machine (the ISP's machine). This may be understandable as the
> ISP might have blocked machines from pinging it or telnetting it.
>
> How do I make it forward the packets to workstations?
> How do I configure the DHCP services?
> How do I masquerade and route the IP addresses of the workstations?
> How do I define the gateways both for the ISP and for the workstations?
> How do I know when I can connect to the ISP server without the pinging
> option?
> How do I enable workstations to ping my firewall machine?

Get Rusty's Remarkably Unreliable Guides, read them and come back with the remaining questions. The URL is <http://people.netfilter.org/~rusty/unreliable-guides/>.

--
Tauno Voipio
tauno voipio (at) iki fi
#4
|
|||
|
|||
|
(E-Mail Removed) wrote:
> I tried making a home network (SOHO) connected to the internet through a
> firewall which doubles as the server (DHCP, DNS, MAIL, WEB) but I got
> frustrated.
> First I enabled IP forwarding, ipv4_forward = 1. I also configured the
> network cards, eth0 and eth1. The eth0 is up and running but the eth1 is
> just up and not running (as it did not display RUNNING but only UP).
> Could this make workstations (basically Windows) unable to ping/connect to
> the firewall/server machine? I tried pinging the firewall but it couldn't
> (Destination host unreachable). In fact the firewall could not ping the
> gateway machine (the ISP's machine). This may be understandable as the
> ISP might have blocked machines from pinging it or telnetting it.
>
> How do I make it forward the packets to workstations?
> How do I configure the DHCP services?
> How do I masquerade and route the IP addresses of the workstations?
> How do I define the gateways both for the ISP and for the workstations?
> How do I know when I can connect to the ISP server without the pinging
> option?
> How do I enable workstations to ping my firewall machine?

You just go into the config and enable all those options.
#5
|
|||
|
|||
|
Coenraad Loubser wrote:
> (E-Mail Removed) wrote:
>
>> I tried making a home network (SOHO) connected to the internet through a
>> firewall which doubles as the server (DHCP, DNS, MAIL, WEB) but I got
>> frustrated.
>> First I enabled IP forwarding, ipv4_forward = 1. I also configured the
>> network cards, eth0 and eth1. The eth0 is up and running but the eth1 is
>> just up and not running (as it did not display RUNNING but only UP).
>> Could this make workstations (basically Windows) unable to ping/connect to
>> the firewall/server machine? I tried pinging the firewall but it couldn't
>> (Destination host unreachable). In fact the firewall could not ping the
>> gateway machine (the ISP's machine). This may be understandable as the
>> ISP might have blocked machines from pinging it or telnetting it.
>>
>> How do I make it forward the packets to workstations?
>> How do I configure the DHCP services?
>> How do I masquerade and route the IP addresses of the workstations?
>> How do I define the gateways both for the ISP and for the workstations?
>> How do I know when I can connect to the ISP server without the pinging
>> option?
>> How do I enable workstations to ping my firewall machine?
>>
> You just go into the config and enable all those options.

Okay guy, there's no simple answer. Forwarding enabled is the first step; then look at the attached pf script. It's fairly straightforward and will sort out stuff like masquerading, port forwarding and transparent proxying for you, just be sure to edit it as it's what I use. Hello hackers, come in, come in on these ports, bitches.

Next, the dhcp stuff is located in /etc/dhcpd.conf and the logs in /var/logs/dhcpd/, ... on my setup. Edit the .conf and run the dhcp server with "rcdhcpd start" and "rcdhcpd stop", or "dhcpd" and "killproc dhcpd". Gateways go in the dhcpd conf; mine is attached. Also have a good look at the files before you use them. Once the pf is set up, your workstations will be able to ping.

NJOY

[attachment: pf script]

#!/bin/bash
# NAT and port-forwarding script; run as root after enabling
# net.ipv4.ip_forward.  All FORWARD rules below are commented out, so
# forwarding only works while the FORWARD chain's default policy is ACCEPT,
# and every DNAT'd port is reachable from the internet.
echo Flushing tables...
iptables -t nat -F
iptables -F

echo Activating Masquerading...
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# if squid is running, try this baby!
#echo Activating Transparent Proxying...
#iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i $ethinet -p udp --dport $ports -j DNAT --to-dest $dest
#iptables -A FORWARD -p udp -i $ethinet --dport $ports -d $dest -j ACCEPT

# internet-facing interface used by all the DNAT rules below
ethinet=eth0

#this is for a range
#ports=666:668
#dest=192.168.0.95
#
#echo Forwarding ports $ports to $dest...
#iptables -t nat -A PREROUTING -i $ethinet -p udp --dport $ports -j DNAT --to-dest $dest
#iptables -A FORWARD -p udp -i $ethinet --dport $ports -d $dest -j ACCEPT
#
#ports=27001
#dest=192.168.0.95
#
#echo Forwarding ports $ports to $dest...
#iptables -t nat -A PREROUTING -i $ethinet -p udp --dport $ports -j DNAT --to-dest $dest
#iptables -A FORWARD -p udp -i $ethinet --dport $ports -d $dest -j ACCEPT

ports=27001
dest=192.168.0.4
echo Forwarding udp ports $ports to $dest...
iptables -t nat -A PREROUTING -i $ethinet -p udp --dport $ports -j DNAT --to-dest $dest
#iptables -A FORWARD -p udp -i $ethinet --dport $ports -d $dest -j ACCEPT
echo Forwarding tcp ports $ports to $dest...
iptables -t nat -A PREROUTING -i $ethinet -p tcp --dport $ports -j DNAT --to-dest $dest
#iptables -A FORWARD -p tcp -i $ethinet --dport $ports -d $dest -j ACCEPT

ports=6112
dest=192.168.0.4
echo Forwarding tcp ports $ports to $dest...
iptables -t nat -A PREROUTING -i $ethinet -p tcp --dport $ports -j DNAT --to-dest $dest

#ports=445
#dest=192.168.0.4
#
#echo Forwarding tcp ports $ports to $dest...
#iptables -t nat -A PREROUTING -i $ethinet -p tcp --dport $ports -j DNAT --to-dest $dest

#ports=6113
#dest=192.168.0.91
#
#echo Forwarding tcp ports $ports to $dest...
#iptables -t nat -A PREROUTING -i $ethinet -p tcp --dport $ports -j DNAT --to-dest $dest

ports=5060
dest=192.168.0.4
echo Forwarding tcp,udp ports $ports to $dest...
iptables -t nat -A PREROUTING -i $ethinet -p udp --dport $ports -j DNAT --to-dest $dest
iptables -t nat -A PREROUTING -i $ethinet -p tcp --dport $ports -j DNAT --to-dest $dest

ports=5900
dest=192.168.0.4
echo Forwarding tcp ports $ports to $dest...
iptables -t nat -A PREROUTING -i $ethinet -p tcp --dport $ports -j DNAT --to-dest $dest

#ports=5061
#dest=192.168.0.89
#
#echo Forwarding tcp ports $ports to $dest...
#iptables -t nat -A PREROUTING -i $ethinet -p tcp --dport $ports -j DNAT --to-dest $dest

[attachment: dhcpd.conf]

# dhcpd.conf
# options handed to every client; the firewall (192.168.0.1) is gateway,
# DNS and WINS server for the LAN
option netbios-name-servers 192.168.0.1;
option domain-name-servers 192.168.0.1;
option subnet-mask 255.255.255.0;
option routers 192.168.0.1;
option domain-name "hackme.org.za";
option netbios-dd-server 192.168.0.1;
option netbios-node-type 8;
#allow client-updates;
ignore client-updates;
#option time-servers 192.168.0.1;

# dynamic DNS updates into the local named, keyed with DHCP_UPDATER
#ddns-update-style ad-hoc;
ddns-updates on;
ddns-ttl 900;
ddns-update-style interim;
ddns-domainname "hackme.org.za";
ddns-rev-domainname "in-addr.arpa";
use-host-decl-names on;
default-lease-time 900;
max-lease-time 7200;

# if you do not use dynamic DNS updates:
#
# dhcpd-3 needs at least this statement.
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
authoritative;
deny unknown-clients;
#include "/DynDNSKey";
include "/etc/named.keys";

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
# This is a very basic subnet declaration.
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag.
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
class "foo" {
  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}

# My Clients
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.10 192.168.0.99;
  allow unknown-clients;
  authoritative;
  zone hackme.org.za {
    primary 127.0.0.1;
    key DHCP_UPDATER;
  }
  zone 0.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
  }
}

# gaga description
host gaga {
  hardware ethernet 00:02:6F:35:29:B9;
  fixed-address 192.168.0.4;
}