Networking Forums


what wrong with my iptables?

 
 
nick
11-27-2005, 01:15 AM
I have 2 PCs, one is FC4, the other one is WINXP. The following is my home
network structure; my iptables settings are also appended at the bottom. I
need to use IP masquerade so that the 2 PCs can go online at the same time,
but when I apply my iptables as follows, the FC4 box can build up the
connection with the ISP, but I cannot use it to browse websites; the browser
pops up an error message: "cannot connect to server.....". I am wondering,
I have already applied "iptables -A INPUT -i eth0 -p udp --dport 80 -j
ACCEPT", so why can't I browse websites using the browser?
My iptables also cannot forward the WINXP packets to the outside, why?
Can anyone tell me what's wrong with my iptables setting?

thanks for your help!
================================================================================
FC4 has 2 network cards:

eth0
uses VPN to connect to the ISP, with a dynamic IP.

eth1
ip: 192.168.0.1/24
DNS: ISP DNS
================================================================================
WINXP

eth2
ip: 192.168.0.2/24
gateway: 192.168.0.1
DNS: ISP DNS

================================================================================

           -------------                 ---------------
           |           |                 |    WINXP    |
ISP        |    FC4    | 192.168.0.1     |    eth2     |
-----------| eth0 eth1 |-----------------| 192.168.0.2 |
           -------------                 ---------------

================================================================================

#!/bin/bash

### Loading firewall modules
############################
modprobe ip_conntrack
modprobe ip_conntrack_ftp

### Enable Packet Forwarding
############################
echo 1 > /proc/sys/net/ipv4/ip_forward
### Remove all previous rules/chains
####################################
iptables -F
iptables -X
iptables -Z

### Create default policies
##########################
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

### Input Rules
###############
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 80 -j ACCEPT
### Forward Rules
#################
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT

### Post/Preroute Rules
#######################
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.2:3389
 

EricT
11-28-2005, 06:12 PM
nick wrote:
> I have 2 PCs, one is FC4, the other one is WINXP. The following is my home
> network structure; my iptables settings are also appended at the bottom. I
> need to use IP masquerade so that the 2 PCs can go online at the same time,
> but when I apply my iptables as follows, the FC4 box can build up the
> connection with the ISP, but I cannot use it to browse websites; the browser
> pops up an error message: "cannot connect to server.....". I am wondering,
> I have already applied "iptables -A INPUT -i eth0 -p udp --dport 80 -j
> ACCEPT",


This is an INPUT rule, and it would make the world able to make UDP
connections to your system at port 80. But it doesn't help you to
connect to an HTTP server (TCP) outside.

> so why can't I browse websites using the browser?
> My iptables also cannot forward the WINXP packets to the outside, why?
> Can anyone tell me what's wrong with my iptables setting?
>
> thanks for your help!
> ================================================================================
>
> FC4 has 2 network cards:
>
> eth0
> uses VPN to connect to the ISP, with a dynamic IP.
>
> eth1
> ip: 192.168.0.1/24
> DNS: ISP DNS
> ================================================================================
>
> WINXP
>
> eth2


eth2? Is this configured on your linux or win box?
Your win box should be configured with this IP and mask 255.255.255.0
but plugged into eth1 of your FC4 box.

> ip: 192.168.0.2/24
> gateway: 192.168.0.1
> DNS: ISP DNS
>
> ================================================================================
>
>
>            -------------                 ---------------
>            |           |                 |    WINXP    |
> ISP        |    FC4    | 192.168.0.1     |    eth2     |
> -----------| eth0 eth1 |-----------------| 192.168.0.2 |
>            -------------                 ---------------
>
> ================================================================================
>
>
> #!/bin/bash
>
> ### Loading firewall modules
> ############################
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
>
> ### Enable Packet Forwarding
> ############################
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ### Remove all previous rules/chains
> ####################################
> iptables -F
> iptables -X
> iptables -Z
>
> ### Create default policies
> ##########################
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> ### Input Rules
> ###############
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i eth1 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


You don't want that for sure; then again, you wouldn't need a firewall on
your FC4 box! It should be this way:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT


> iptables -A INPUT -i eth0 -p udp --dport 80 -j ACCEPT


As said before, this rule doesn't help you; delete it!

> ### Forward Rules
> #################
> iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT


You don't want that for sure either!
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT


> iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT
>
> ### Post/Preroute Rules
> #######################
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.2:3389


Since the OUTPUT table policy is ACCEPT, the rules should let the
desired traffic through. Could you post the output of `iptables -L` so we
can have a real look at your tables?

greetz,
Eric
 

Robert
11-29-2005, 10:52 PM
On Mon, 28 Nov 2005 20:12:40 +0100, EricT wrote:

>> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

>
> You don't want that for sure, then again you wouldn't need a firewall on
> your FC4 box! Should be that way:
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT


I would leave in the RELATED also.

>> iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

>
> You don't want that for sure either!
> iptables -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT


Same here.


--

Regards
Robert

Smile... it increases your face value!



EricT
11-30-2005, 08:17 PM
Robert wrote:
> On Mon, 28 Nov 2005 20:12:40 +0100, EricT wrote:
>
>
>>> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

>>
>>You don't want that for sure, then again you wouldn't need a firewall on
>>your FC4 box! Should be that way:
>>iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT

>
>
> I would leave in the RELATED also


Why would you? Incoming RELATED packets are only needed for special
services such as FTP or a service hosted by your own network, and these
should be handled on their own by the appropriate rules.

greetz,
Eric
 

Robert
11-30-2005, 09:17 PM
On Wed, 30 Nov 2005 22:17:25 +0100, EricT wrote:

>>>iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT

>>
>>
>> I would leave in the RELATED also

>
> Why would you? Incoming RELATED packets are only needed for special
> services such as FTP or a service hosted by your own network, and these
> should be handled on their own by the appropriate rules.


FTP is handled by ip_conntrack_ftp. IRC is handled by ip_conntrack_irc.
This is because they are 2 of the most popular ones. I'm sure there are
more out there, and without having RELATED in the state match you are going
to have a problem. But hey, it's your machine and you can do as you please.
It's just that I don't have the time to troubleshoot problems that could have
been avoided.


--

Regards
Robert

Smile... it increases your face value!



EricT
11-30-2005, 09:34 PM
Robert wrote:
> On Wed, 30 Nov 2005 22:17:25 +0100, EricT wrote:
>
>
>>>>iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT
>>>
>>>
>>>I would leave in the RELATED also

>>
>> Why would you? Incoming RELATED packets are only needed for special
>> services such as FTP or a service hosted by your own network, and these
>> should be handled on their own by the appropriate rules.

>
>
> FTP is handled by ip_conntrack_ftp. IRC is handled by ip_conntrack_irc.
> This is because they are 2 of the most popular ones. I'm sure there are
> more out there, and without having RELATED in the state match you are going
> to have a problem. But hey, it's your machine and you can do as you please.
> It's just that I don't have the time to troubleshoot problems that could have
> been avoided.
>
>


Sorry Robert,

even if it's my machine, I do not have any trouble or problem with the
rules. Incoming RELATED packets could easily exploit any connections by
spoofing or anything like it; that's why I am not letting 'em through!

Only established connections are identified by the associated checksum.

greetz,
Eric
 

nick
12-05-2005, 08:43 AM
The output of "iptables -L":

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 

EricT
12-05-2005, 07:16 PM
nick wrote:
> The output of "iptables -L":
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination


Well, you posted firewall rules here...

> #!/bin/bash
>
> ### Loading firewall modules
> ############################
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
>
> ### Enable Packet Forwarding
> ############################
> echo 1 > /proc/sys/net/ipv4/ip_forward
> ### Remove all previous rules/chains
> ####################################
> iptables -F
> iptables -X
> iptables -Z
>
> ### Create default policies
> ##########################
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> ### Input Rules
> ###############
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -i eth1 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --dport 80 -j ACCEPT
> ### Forward Rules
> #################
> iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT
>
> ### Post/Preroute Rules
> #######################
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.2:3389


which are obviously not active. You should activate them, considering
the past posts in this thread.

greetz,
Eric
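As an added example (not code from nick, Eric or Robert), a shell audit that reads the ruleset posted at the top of the thread as constructed input, flags the two points the replies raise (a WAN-side state rule that accepts NEW, and the UDP port 80 rule that cannot help outbound HTTP), emits a hardened copy with ESTABLISHED,RELATED as Robert suggested, and recognises the empty `iptables -L` output from the 12-05 post as a ruleset that was never loaded. It assumes eth0 is the ISP-facing interface, as in the thread.

```shell
#!/bin/bash
# Added example (not from the thread): audit the posted ruleset for the points
# Eric and Robert raised, emit a hardened copy, and spot "nothing loaded" output.
WAN_IF=eth0   # assumption: eth0 is the ISP-facing interface, as in the thread
# Constructed sample: the filter rules as posted, one command per line.
POSTED_RULES='iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT'
# The iptables -L output nick posted (shortened): policy ACCEPT, no rules.
EMPTY_OUTPUT='Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination'
# audit_rules RULESET: one finding per line, silent when clean.
#   OPEN_WAN: a WAN-side state rule accepts NEW, so the DROP policy never
#             applies to unsolicited inbound traffic.
#   UDP80:    accepting inbound UDP/80 does nothing for outbound HTTP (TCP).
audit_rules() {
  printf '%s\n' "$1" | while IFS= read -r rule; do
    case "$rule" in
      *"-A INPUT -i $WAN_IF "*--state*NEW*|*"-A FORWARD -i $WAN_IF "*--state*NEW*)
        echo "OPEN_WAN: $rule" ;;
      *"-A INPUT -i $WAN_IF "*"-p udp --dport 80"*)
        echo "UDP80: $rule" ;;
    esac
  done
}

# harden_rules RULESET: drop the UDP/80 rule and accept only reply traffic from
# the WAN side; RELATED is kept (Robert's point) so conntrack helpers still work.
harden_rules() {
  printf '%s\n' "$1" \
    | sed -e "/-A INPUT -i $WAN_IF -p udp --dport 80/d" \
          -e 's/--state ESTABLISHED,RELATED,NEW/--state ESTABLISHED,RELATED/'
}

# rules_active OUTPUT: succeed only if `iptables -L` shows a rule or a
# non-ACCEPT policy; otherwise the script was never run, or was flushed.
rules_active() {
  printf '%s\n' "$1" | grep -Ev '^Chain .*\(policy ACCEPT\)$' \
    | grep -Ev '^target ' | grep -Evq '^$'
}
```

Run `audit_rules "$POSTED_RULES"` to see the three findings, and pipe live `iptables -L` output through `rules_active` before debugging any rule.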

nick
12-06-2005, 02:53 AM
How do I activate them?
Can you give me some website or more information about setting up iptables?
Thanks!
 

ynotssor
12-06-2005, 06:45 AM
"nick" <(E-Mail Removed)> wrote in message
news:dn31th$1f20$(E-Mail Removed)

> Can you give me some website or more information about setting up iptables?


http://iptables-tutorial.frozentux.n...-tutorial.html
 