Solved

Yet another router/firewall question

Posted on 2003-02-25
262 Views
Last Modified: 2010-03-18
My goal: Linux box connects to the internet via modem. PC is able to share that connection to access the internet.

I'm almost there! (I think)

Here is my config atm:
Redhat 7.2 Linux box: Netgear FA311 and Generic connexant modem
ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:A0:CC:E1:16:9F
          inet addr:169.254.104.236  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:113 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:13041 (12.7 Kb)  TX bytes:8170 (7.9 Kb)
          Interrupt:11 Base address:0x7000

ppp0      Link encap:Point-to-Point Protocol
          inet addr:206.252.244.149  P-t-P:206.252.227.82  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:474 errors:1 dropped:0 overruns:0 frame:0
          TX packets:564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:374941 (366.1 Kb)  TX bytes:70964 (69.3 Kb)

Windows XP PC: Built in network card
ipconfig:

Ethernet adapter:
Connection-specific DNS suffix: NONE
IP Address: 169.254.104.237
Subnet Mask: 255.255.0.0
Default Gateway: 169.254.104.236

With this config I am able to ping my linux box (169.254.104.236) from my PC (169.254.104.237). And vice-versa.

Then I began to read some posts about IPTABLES so I found a prebuilt iptables configuration script and configured it so it would run on boot (by calling it from rc.local). It's kind of long but I'll post it for completeness.

rc.firewall:

#!/bin/sh
# You could either run this simple script or do the long way and recompile your kernel with IPTABLES.

# Turn off/flush IPCHAINS
/sbin/ipchains -F

# Remove IPCHAINS mod
#/sbin/rmmod ipchains

# Insert IPTABLES mod
#/sbin/insmod ip_tables
#/sbin/insmod iptable_filter

# Clear out any existing firewall rules, and any chains that might have been created
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X

# Setup our policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

# This enables ip forwarding, and thus by extension, NAT. Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the ppp0 or eth0 (external) interface to be the given IP. If you have a dynamic IP or a DHCP IP that changes semi-regularly then comment this and uncomment the 2nd line.
#
# Remember to change the ip address to your static ip

#/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 169.254.104.237

# Use this for dhcp assigned IP addresses (ppp0=1st modem/ eth0=1st nic which is your external connection to the internet.
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Now, our firewall chain. We use the limit commands to cap the rate at which it alerts to 15 log messages per minute.
/sbin/iptables -N firewall
/sbin/iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
/sbin/iptables -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter
/sbin/iptables -N dropwall
/sbin/iptables -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
/sbin/iptables -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain
/sbin/iptables -N badflags
/sbin/iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
/sbin/iptables -A badflags -j DROP

# And our silent logging chain
/sbin/iptables -N silent
/sbin/iptables -A silent -j DROP

# Accept ourselves (loopback interface), 'cause we're all warm and friendly
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Drop those nasty packets! These are all TCP flag combinations that should never, ever occur in the wild.
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
/sbin/iptables -A INPUT -p icmp -j firewall

# Lets do some basic state-matching. This allows us to accept related and established connections.
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Uncomment to drop port 137 netbios packets silently. We don't like that netbios stuff, and it's way too spammy.
/sbin/iptables -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
/sbin/iptables -A INPUT -j dropwall
#######END OF RC.FIREWALL#############

I also, after reading another post, manually changed the IP forwarding option in some file whose name I can't recall any longer.

Anyway, after all of this, >>>I can't access the internet on my PC<<<. Also I just noticed that I can no longer ping out from my linux box (I can still ping my PC), probably due to a firewall option?

So that's my life, I would appreciate any and all help. I see a couple of places that I can toy with in my firewall script that I will do now.

Thanks and sorry for the huge post.
-jared
Question by:jaredb0t
4 Comments

Accepted Solution

by:
jeordsta earned 120 total points
ID: 8031468

It is probably a good idea to get an idea of what your firewall script actually does before whacking it all on your system! That way you can progressively make your firewall more complicated to suit your needs. So, start with a clean system. Make sure you restart without the firewall script in your rc.local.

Basically you need to perform three steps:
1) make sure that your interfaces are working. So in your case you need to bring up both your interfaces. You can probably do this by calling:
/etc/rc.d/init.d/network restart
then do an:
ifconfig
and make sure that you have your ppp and ethernet links up.

2) Do some basic firewalling. To test initially all that it is necessary to do is:
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to 169.254.104.237
This will ensure that all outgoing packets from your pc get SNATed to 169.254.104.237.

3) Enable ip forwarding. This is done by:
echo 1 > /proc/sys/net/ipv4/ip_forward

You then should be able to connect to the internet from your pc.

Author Comment

by:jaredb0t
ID: 8035048
I figured out my problem yesterday. It turned out that I really did have access to the internet on my windows pc; I could ping static IPs, telnet to static IPs, the problem was that I didn't have a DNS server entered. I figured that it would automatically be assigned like everything else with dialup. Anyway, I looked up the DNS servers in /etc/resolv.conf and just added those to the settings of my windows nic and everything is GTG.

Thanks for the reply though.

Expert Comment

by:jeremynd01
ID: 8048985
Hey Jared,

If you've got the time and the patience, you could set up a DHCP server on your linux box for your windows box, and set DNS servers and stuff. Then your windows machine WOULD automatically find this stuff out, and you may even notice a decrease in startup-speed (windows is a real pig when it can't find a DHCP server, so it just sits there awhile until the timeout period expires, and then gives itself the typical 169.254.x.x APIPA). If you're interested, I can offer some tips.

PS. That iptables script you used is about the longest thing I have ever seen.... including defining its own tables!!  Overkill!

Expert Comment

by:CleanupPing
ID: 9077777
jaredb0t:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.