NAT with Linux Host and XP client. What am I doing wrong?

Asked by gripped in Miscellaneous Networking, Networking Hardware Firewalls, Dynamic Host Configuration Protocol (DHCP)

I recently decided to have another try with Linux. I have almost everything working but can't get NAT working.

I have a SpeedTouch 330 USB ADSL modem on my Linux box and one other computer connected with a crossover cable and a Realtek NIC on each. The machines are pingable at each end and Windows/Samba file shares work.

But the XP machine can't see the internet at all although I have set up forwarding I believe.

I am one step away from buying a router/modem because this is doing my head in but am hopeful someone on here will see the mistake I am making. So I'm giving this 500 points as you could save me some money :)

I'm going to include all the config files and network command output I think could be relevant. If anyone needs more info, just let me know.

----------------------------------------------------------------
/etc/rc.firewall  

#!/bin/bash
# Configuration Part of the script - If you are unsure of any of these points, leave them as
# the default setting, changing these
# options can seriously affect the security of your firewall.

# call what we are running.  Ipchains not supported.  Theoretically, this will also
# work on kernel 2.6 but has not been tested yet.
TYPE="iptables"

# Change INETDEV to the network device connected to the Internet (ppp0/eth0)
# This is ppp0 by default for dial-up connections.  Most cable modem users
# will probably want eth0 or possibly eth1.  When in doubt look at the command
# 'ifconfig' and put the device connected to the internet here.
INETDEV="ppp0"
 
# Change LAN to the correct network address and network mask for your LAN
# this can be found by using ifconfig from one of the clients.  Make sure to change it to
# what your network is using for an address.
LAN="192.168.1.0/24"
 
# Change LANDEV to the network device connected to your LAN
LANDEV="eth0"
 
# There should be no need to change this
LOCALIP=`ifconfig $LANDEV | grep inet | cut -d : -f 2 | cut -d \  -f 1`

#Do you want other machines on the internet to be able to PING your machine?
#(If unsure, leave as no)
PING="no"

#If you selected no as the previous option, do you want the machine to log
#the dropped pings?
LOGPINGS="no"

#If you trust all data coming from your local network, put yes.
TRUST="yes"

#If you want to share this machine's internet connection, put yes
#(This will provide Masquerading services for your LAN)
#Otherwise, put no
SHARE="yes"

# Is this machine connected to a Samba Network?
# If yes, over a LAN?  WAN means you can connect from an external source to your samba
# system.  LAN means only connections from the network addresses would be allowed.
SAMBALAN="yes"
#Or over a WAN?
SAMBAWAN="no"
#Or over both?
SAMBA="no"

# If you are running any servers on your machine, you need to specify them below,
# you also need to specify whether these servers/ports should be open to just your local
# network, or the whole world. If you answer yes to PORTNAMEPUBLIC, then the specified port
# will be open to the whole internet, if this is left to the default, which is no, but you
# have specified that you are running a server on the port, the port will only be available
# to your local LAN.

#Do you run a FTP server?
FTP="no"
FTPPUBLIC="no"

#Do you run a SSH server?
SSH="no"
SSHPUBLIC="no"

#Do you run a telnet server?
TELNET="no"
TELNETPUBLIC="no"

#Do you run a Web server?
WEB="no"
WEBPUBLIC="no"

#Do you run a mail server?
MAIL="no"
MAILPUBLIC="no"

#Do you run identd?
IDENT="no"
IDENTPUBLIC="no"

#If you want to add any trusted hosts, that is, machines on the internet or on your local network
#which you want to fully trust (allow all data from these machines to pass through the firewall), then
#list these machines below.
TRUSTEDHOST1="198.168.0.100"
TRUSTEDHOST2="1.1.1.1"
TRUSTEDHOST3="1.1.1.1"
TRUSTEDHOST4="1.1.1.1"
TRUSTEDHOST5="1.1.1.1"

#If you want to block any hosts from accessing your machine, please list them below, these machines
#will not be able to access your machine at all, even your public access servers.
DENYHOST1="1.1.1.1"
DENYHOST2="1.1.1.1"
DENYHOST3="1.1.1.1"
DENYHOST4="1.1.1.1"
DENYHOST5="1.1.1.1"

#End of Configuration.
#************************************************************************************************************

echo "---------------------------------------------------------"
echo "Local Network Device: $LANDEV"
echo "Local IP: $LOCALIP"
echo "Local Network Address: $LAN"
echo "External Network Device: $INETDEV"
echo "---------------------------------------------------------"
echo ""

#Set default chain policy
echo -n "Setting default chain policies..."
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
echo " Done!"

#Flush all chains
echo -n "Flushing chains..."
iptables  -F
iptables  -X
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
echo " Done!"

#Add custom chains
echo -n "Adding custom chains..."
iptables -N inet-in
iptables -N inet-out
echo " Done!"

#Set INPUT rules
echo -n "Setting rules for INPUT chain..."
iptables -A INPUT -i lo -j ACCEPT
if [ "$TRUST" = "yes" -o "$TRUST" = "YES" ]; then
   iptables -A INPUT -i $LANDEV -j ACCEPT
else
   iptables -A INPUT -i $LANDEV -j inet-in
fi
iptables -A INPUT -i $INETDEV -j inet-in
echo " Done!"

#Set FORWARD rules
echo -n "Setting rules for FORWARD chain..."
if [ "$SHARE" = "yes" -o "$SHARE" = "YES" ]; then
   modprobe iptable_nat
   iptables -A FORWARD -s $LAN -j ACCEPT
   iptables -A FORWARD -d $LAN -j ACCEPT
   echo 1 > /proc/sys/net/ipv4/ip_forward
      #Activate masquerade
      echo -n "Activating masquerade..."
      iptables -t nat -A POSTROUTING -o $INETDEV -j MASQUERADE
      echo " Done!"    
fi
echo " Done!"

#Set OUTPUT rules
echo -n "Setting rules for OUTPUT chain..."
iptables -A OUTPUT -j inet-out
echo " Done!"

#Set inet-in rules
echo -n "Setting rules for internet device incoming chain: "
   echo -n "Setting open ports for specified servers / Network Services .... "i
   if [ "$SAMBALAN" = "YES" -o "$SAMBALAN" = "yes" ]; then
      iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 138:139 -j ACCEPT
   fi
   if [ "$SAMBAWAN" = "YES" -o "$SAMBAWAN" = "yes" ]; then
      iptables -A inet-in -p tcp -i $INETDEV -o $INETDEV --dport 138:139 -j ACCEPT
   fi
   if [ "$SAMBA" = "YES" -o "$SAMBA" = "yes" ]; then
      iptables -A inet-in -p tcp --dport 138:139 -j ACCEPT
   fi
   if [ "$FTP" = "YES" -o "$FTP" = "yes" ]; then
      iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 21 -j ACCEPT
      if [ "$FTPPUBLIC" = "YES" -o "$FTPPUBLIC" = "yes" ]; then
         iptables -A inet-in -p tcp --dport 21 -j ACCEPT
      fi
   fi
   if [ "$TELNET" = "YES" -o "$TELNET" = "yes" ]; then
      iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 23 -j ACCEPT
      if [ "$TELNETPUBLIC" = "YES" -o "$TELNETPUBLIC" = "yes" ]; then
         iptables -A inet-in -p tcp --dport 23 -j ACCEPT
      fi
   fi
   if [ "$SSH" = "YES" -o "$SSH" = "yes" ]; then
      iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 22 -j ACCEPT
      if [ "$SSHPUBLIC" = "YES" -o "$SSHPUBLIC" = "yes" ]; then
         iptables -A inet-in -p tcp --dport 22 -j ACCEPT
      fi
   fi
   if [ "$WEB" = "YES" -o "$WEB" = "yes" ]; then
      iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 80 -j ACCEPT
      if [ "$WEBPUBLIC" = "YES" -o "$WEBPUBLIC" = "yes" ]; then
         iptables -A inet-in -p tcp --dport 80 -j ACCEPT
      fi
   fi
   if [ "$MAIL" = "YES" -o "$MAIL" = "yes" ]; then
      iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 110 -j ACCEPT
      if [ "$MAILPUBLIC" = "YES" -o "$MAILPUBLIC" = "yes" ]; then
         iptables -A inet-in -p tcp --dport 110 -j ACCEPT
      fi
   fi
   if [ "$IDENT" = "YES" -o "$IDENT" = "yes" ]; then
      iptables -A inet-in -p tcp -i $LANDEV -o $LANDEV --dport 113 -j ACCEPT
      if [ "$IDENTPUBLIC" = "YES" -o "$IDENTPUBLIC" = "yes" ]; then
         iptables -A inet-in -p tcp --dport 113 -j ACCEPT
      fi
   fi
   echo "Done!"

   echo -n "Adding trusted hosts.... "
   iptables -A inet-in -s $TRUSTEDHOST1 -j ACCEPT
   iptables -A inet-in -s $TRUSTEDHOST2 -j ACCEPT
   iptables -A inet-in -s $TRUSTEDHOST3 -j ACCEPT
   iptables -A inet-in -s $TRUSTEDHOST4 -j ACCEPT
   iptables -A inet-in -s $TRUSTEDHOST5 -j ACCEPT
   echo "Done!"

   echo -n "Denying all specified hosts.... "
   iptables -A inet-in -s $DENYHOST1 -j DROP
   iptables -A inet-in -s $DENYHOST2 -j DROP
   iptables -A inet-in -s $DENYHOST3 -j DROP
   iptables -A inet-in -s $DENYHOST4 -j DROP
   iptables -A inet-in -s $DENYHOST5 -j DROP
   echo "Done!"

echo -n "  Setup ping option on/off..."
if [ "$PING" = "YES" -o "$PING" = "yes" ]; then
   iptables -A inet-in -p ICMP -j ACCEPT
fi
if [ "$LOGPINGS" = "YES" -o "$LOGPINGS" = "yes" ]; then
                iptables -A inet-in -p ICMP -j LOG
fi
echo "Done!"

echo -n "  Setup port blocking on vulnerable ports..."
#Block NFS
iptables -A inet-in -p tcp --dport 2049 -j LOG
iptables -A inet-in -p udp --dport 2049 -j LOG
iptables -A inet-in -p tcp --dport 2049 -j DROP
iptables -A inet-in -p udp --dport 2049 -j DROP
#Block X
iptables -A inet-in -p tcp --dport 5999:6003 -j LOG
iptables -A inet-in -p udp --dport 5999:6003 -j LOG
iptables -A inet-in -p tcp --dport 5999:6003 -j DROP
iptables -A inet-in -p udp --dport 5999:6003 -j DROP
#Block XFS
iptables -A inet-in -p tcp --dport 7100 -j LOG
iptables -A inet-in -p udp --dport 7100 -j LOG
iptables -A inet-in -p tcp --dport 7100 -j DROP
iptables -A inet-in -p udp --dport 7100 -j DROP
#Block Back Orifice
iptables -A inet-in -p tcp --dport 31337 -j LOG
iptables -A inet-in -p udp --dport 31337 -j LOG
iptables -A inet-in -p tcp --dport 31337 -j DROP
iptables -A inet-in -p udp --dport 31337 -j DROP
#Block netbus
iptables -A inet-in -p tcp --dport 12345:12346 -j LOG
iptables -A inet-in -p udp --dport 12345:12346 -j LOG
iptables -A inet-in -p tcp --dport 12345:12346 -j DROP
iptables -A inet-in -p udp --dport 12345:12346 -j DROP
echo " Done!"
echo " Done!"
echo -n "  Setting connection tracking..."
iptables -A INPUT -i $INETDEV  -m state --state NEW,INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " Done!"


-------------------------------------------------------------------
Output of rc.firewall if hand executed

./rc.firewall
---------------------------------------------------------
Local Network Device: eth0
Local IP: 192.168.0.10
Local Network Address: 192.168.1.0/24
External Network Device: ppp0
---------------------------------------------------------

Setting default chain policies... Done!
Flushing chains... Done!
Adding custom chains... Done!
Setting rules for INPUT chain... Done!
Setting rules for FORWARD chain...Activating masquerade... Done!
 Done!
Setting rules for OUTPUT chain... Done!
Setting rules for internet device incoming chain: Setting open ports for specified servers / Network Services .... iDone!
Adding trusted hosts.... Done!
Denying all specified hosts.... Done!
  Setup ping option on/off...Done!
  Setup port blocking on vulnerable ports... Done!
 Done!
  Setting connection tracking... Done!


-----------------------------------------------------------

#------------------ /etc/ppp/options Beginning -------------
noauth
usepeerdns
lock
noipdefault
#------------------ /etc/ppp/options End ------------------



*I use pppd call adsl*

#-------------------/etc/ppp/peers/adsl Beginning------------
debug
kdebug 1
noipdefault
defaultroute
pty "/usr/local/sbin/pppoa3 -m -1 -c -vpi 0 -vci 38"
sync
user "zen14915@zen"
noauth
noaccomp
nopcomp
noccp
novj
holdoff 4
persist
maxfail 25
usepeerdns
#------------------/etc/ppp/peers/adsl EOF------------------

----------------------------------------------------------
ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:FC:A3:1E:57
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2146 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:645909 (630.7 KiB)  TX bytes:327973 (320.2 KiB)
          Interrupt:11 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:271 errors:0 dropped:0 overruns:0 frame:0
          TX packets:271 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:21614 (21.1 KiB)  TX bytes:21614 (21.1 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:217.155.157.110  P-t-P:62.3.82.18  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1029 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1067 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:792036 (773.4 KiB)  TX bytes:143409 (140.0 KiB)
-----------------------------------------------------------
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
gauss-dsl.zen.n *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
default         gauss-dsl.zen.n 0.0.0.0         UG    0      0        0 ppp0
----------------------------------------------------

XP ipconfig & route print
Windows IP Configuration

        Host Name . . . . . . . . . . . . : computer2
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 6:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC #3
        Physical Address. . . . . . . . . : 00-50-FC-A3-2C-9A
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.10
        DNS Servers . . . . . . . . . . . : 212.23.3.11
                                            212.23.6.35

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 50 fc a3 2c 9a ...... Realtek RTL8139 Family PCI Fast Ethernet NIC #3 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.0.10   192.168.0.100   1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      192.168.0.0    255.255.255.0    192.168.0.100   192.168.0.100   1
    192.168.0.100  255.255.255.255        127.0.0.1       127.0.0.1   1
    192.168.0.255  255.255.255.255    192.168.0.100   192.168.0.100   1
        224.0.0.0        240.0.0.0    192.168.0.100   192.168.0.100   1
  255.255.255.255  255.255.255.255    192.168.0.100   192.168.0.100   1
Default Gateway:      192.168.0.10
===========================================================================
Persistent Routes:
  None
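
A pre-flight check for the kind of mismatch a configuration like the one posted above can hide, added here as an example (not code from the original question or from any project): it derives the LAN interface's real network from the old-style "inet addr:" ifconfig output and compares it with the LAN and TRUSTEDHOST1 values that rc.firewall is given, using the question's own posted values as constructed sample input. The function names and the TRUSTEDHOST1 check are this example's own.

```shell
#!/bin/bash
# Added diagnostic (not part of the original question or any project): derives
# the LAN interface's real network from old-style "inet addr:" ifconfig output
# and checks it against the LAN and TRUSTEDHOST1 values of rc.firewall, so a
# mismatch that leaves FORWARD on its DROP policy is reported before any rule
# is loaded. Sample values are constructed from the question's own output.

ip_to_int() {                 # dotted quad -> 32-bit integer
  local IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {                 # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask_to_prefix() {            # 255.255.255.0 -> 24
  local m n; m=$(ip_to_int "$1"); n=0
  while [ $(( m & 0x80000000 )) -ne 0 ]; do n=$((n + 1)); m=$(( (m << 1) & 0xFFFFFFFF )); done
  echo "$n"
}

lan_from_ifconfig() {         # "<ifconfig text>" -> network in CIDR form
  local fields
  fields=$(printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*Mask:\([0-9.]*\).*/\1 \2/p' | head -n 1)
  [ -n "$fields" ] || return 1
  set -- $fields              # $1 = address, $2 = netmask
  echo "$(int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )))/$(mask_to_prefix "$2")"
}

in_cidr() {                   # ADDR NET/PREFIX -> success when ADDR is inside NET/PREFIX
  local prefix=${2#*/} mask
  mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# check_nat_config LAN TRUSTEDHOST1 "<ifconfig text>" CLIENT_IP
# Prints one line per problem; the return status is the number of problems.
check_nat_config() {
  local lan=$1 trusted=$2 client=$4 real_lan problems=0
  real_lan=$(lan_from_ifconfig "$3") || { echo "no 'inet addr:' line in ifconfig output"; return 1; }
  if [ "$lan" != "$real_lan" ]; then
    echo "LAN=$lan but the LAN interface is on $real_lan: FORWARD -s/-d \$LAN never matches, policy DROP wins"
    problems=$((problems + 1))
  fi
  if ! in_cidr "$client" "$lan"; then
    echo "client $client is outside LAN=$lan, so its packets are never forwarded"
    problems=$((problems + 1))
  fi
  if ! in_cidr "$trusted" "$real_lan"; then
    echo "TRUSTEDHOST1=$trusted is not on $real_lan (typo?)"
    problems=$((problems + 1))
  fi
  return $problems
}

# Constructed sample: the values as posted in the question.
IFCONFIG_ETH0='eth0      Link encap:Ethernet  HWaddr 00:50:FC:A3:1E:57
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0'
check_nat_config "192.168.1.0/24" "198.168.0.100" "$IFCONFIG_ETH0" "192.168.0.100" || echo "$? problem(s) found"
```

Feeding it the live `ifconfig eth0` output and the variables sourced from rc.firewall turns it into a check that can run before the rules are loaded.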



10/03/04 06:53 PM, ID: 12214169, Expert Comment


 
10/03/04 08:18 PM, ID: 12214404, Expert Comment


 
10/03/04 10:30 PM, ID: 12214767, Accepted Solution

About this solution

Zones: Miscellaneous Networking, Networking Hardware Firewalls, Dynamic Host Configuration Protocol (DHCP)
Solution Provided By: SithLoaded
Participating Experts: 3
Solution Grade: A
 
10/03/04 10:34 PM, ID: 12214776, Expert Comment


 
10/04/04 04:17 AM, ID: 12216111, Author Comment


 
10/04/04 07:13 PM, ID: 12223359, Expert Comment
