nishi_k_79

asked on

LAN machine unable to browse Websites because of firewall on gateway

Hi,
I have my Linux machine connected as a gateway on my network, where the machines are connected in a workgroup.
I have configured NAT and a firewall and can browse Internet sites through the gateway.
However, LAN machines cannot browse the Internet when I put in the filter rules (given below).

Tracert from a LAN machine shows the following behaviour:
1 ...........Linuxmachine
2 * * * Request Timed Out.

Interfaces : eth0 : Connected to LAN.
Interfaces : eth1 : Connected to Internet

#############################################################
echo "CONFIGURING NAT"
echo "==============="
#############################################################
#iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.x.x.x
#iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 10.168.168.1-10.168.168.30

##****RULES TO SET UP GATEWAY**********#
#############################################################
echo "FLUSH ALL RULES AND CHAINS"
#############################################################
echo "=========================="
iptables -F #Flush all the rules in filter and nat tables
iptables -X
iptables -t nat -F
iptables --delete-chain
iptables -t nat --delete-chain

#####################################################################
echo "ENABLES PACKET FORWARDING BY KERNEL"
####################################################################
echo "=========================="
echo 1 > /proc/sys/net/ipv4/ip_forward

#**************END GATEWAY RULES ***********************#

#**************FIREWALL RULES*********************************#

#############################################################
echo "DEFAULT POLICIES"
#############################################################
echo "=========================="
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#############################################################
echo "LOCAL TRAFFIC"
#############################################################
echo "=========================="
iptables -A INPUT -i lo -p all -j ACCEPT  
iptables -A OUTPUT -o lo -p all -j ACCEPT

#ALLOW ALL ON INTERNAL ETH0
iptables -A INPUT -p all -i eth0 -s 10.168.168.0/24 -j ACCEPT
iptables -A OUTPUT -p all -o eth0 -s 10.168.168.0/24 -j ACCEPT
#############################################################
echo "ICMP RULES"
#############################################################
# This allows neighbouring machines to ping by ip addr.
echo "=========================="
iptables -A INPUT -p icmp -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j ACCEPT

############################################################
echo "ALLOW SAMBA RULES"
############################################################
echo "=================="
iptables -A INPUT -p udp -s 10.168.168.0/24 --destination-port 137:139 -j ACCEPT
iptables -A INPUT -p tcp -s 10.168.168.0/24 --destination-port 137:139 -j ACCEPT

############################################################
echo "ALLOW SERVICES"
############################################################
echo "=============="
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT #OPEN HTTP PORT.
iptables -A INPUT -i eth1 -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT #Open secure shell port
iptables -A INPUT -p udp -i eth1 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT #Open DNS port
iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT

############################################################
echo "BLOCK SERVICES"
############################################################
echo "=================="
iptables -A INPUT -p tcp -i eth1 -s 0/0 -d 0/0 --dport 2049 -j DROP  
iptables -A INPUT -p udp -i eth1  -s 0/0 -d 0/0 --dport 2049 -j DROP
iptables -A INPUT -p tcp -i eth1  -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
iptables -A INPUT -p tcp -i eth1  -s 0/0 -d 0/0 --dport 7100 -j DROP
iptables -A INPUT -p tcp -i eth1  -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p udp -i eth1  -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p tcp -i eth1  -s 0/0 -d 0/0 --dport 111 -j DROP  
iptables -A INPUT -p udp -i eth1  -s 0/0 -d 0/0 --dport 111 -j DROP  

####################################################################
echo "ENABLE CONNECTION TRACKING"
####################################################################
echo "=========================="
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

####################################################################
echo "ACCEPT ESTABLISHED CONNECTION"
####################################################################
echo "============================"
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT #reject-with tcp-reset

####################################################################
echo "ANTI SPOOFING RULES"
####################################################################
echo "=================="
#Deny outside packets from internet which claim to be from your loopback interface.
iptables -A INPUT -p all -s localhost -i eth1 -j DROP
iptables -A INPUT -p all -s x.x.x.x -i eth1 -j DROP
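The minimal gateway ruleset below is an added example for the eth0/eth1 layout in the question; it is not the asker's script or jlevie's accepted answer. It includes the POSTROUTING NAT step that is commented out in the posted script, gives FORWARD a DROP policy instead of ACCEPT, and uses MASQUERADE in place of SNAT --to <public address>; the IPT variable lets it be dry-run with IPT=echo.

```shell
#!/bin/sh
# Added example (not from the original post or the accepted answer): a minimal
# NAT gateway ruleset for the layout in the question, eth0 = LAN
# (10.168.168.0/24), eth1 = Internet. IPT defaults to iptables; setting
# IPT=echo prints the rules instead of applying them (dry run).
IPT=${IPT:-iptables}
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=10.168.168.0/24
enable_forwarding() {
    # Same step as in the posted script; run as root before the rules.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

apply_gateway_rules() {
    # Start from a clean slate in both the filter and nat tables.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X

    # Default deny on INPUT and FORWARD. The posted script leaves FORWARD at
    # ACCEPT, so anything routable arriving on eth1 would be forwarded.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Anti-spoofing: LAN or loopback source addresses must never arrive on eth1.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A INPUT -i "$WAN_IF" -s 127.0.0.0/8 -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Rewrite the source of LAN traffic leaving eth1 to the gateway's own
    # address (MASQUERADE stands in for SNAT --to <public address>). Without
    # this step replies are addressed to 10.168.168.x and never return.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Forwarding: drop INVALID, accept tracked replies, then let only the
    # LAN open new connections towards the Internet.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Traffic to the gateway itself: loopback, the LAN, and replies to its
    # own outbound connections. Nothing new is accepted from eth1.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

Run `enable_forwarding` and then `apply_gateway_rules` as root; with `IPT=echo` the function only prints the rule list, which is a cheap way to review the ordering before touching a live box.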

ASKER CERTIFIED SOLUTION
jlevie
nishi_k_79

ASKER

Hi,
I have exactly the same script as suggested above. Now I have my firewall script running on bootup.
dmesg shows the following status:
====================
ip_tables: (c)2000 Netfilter core team
ip_conntrack (1015 buckets, 8120 max)
====================
What does this mean? Will it have any repercussions in future? Any help greatly appreciated.
That's just an informational message from iptables. It's telling you that the conntrack module is starting with 1015 buckets ready for use for Internet connections and that it can allocate as many as 8120, based on need.
First of all, let me thank you very, very much for the help extended! Really good work. Kudos to you and experts-exchange.com!

After running the script at boot-up, however, I see several of these on the terminal when I boot up the next time, though not always:

kernel: NET: 1 messages suppressed.
kernel: ip_conntrack: table full, dropping packet.
kernel: NET: 2 messages suppressed.
kernel: ip_conntrack: table full, dropping packet.
kernel: NET: 3 messages suppressed.
kernel: ip_conntrack: table full, dropping packet.

1) I suspect this is due to the fact that the ip_conntrack table is full. However, if I increase the table capacity to 8120 (max), will it solve the problem? I browsed through some message boards and found that increasing it to the max size still gives the same problem.

Thanks in advance..
How many machines do you have inside of the firewall?
We have around 14 machines accessing the Internet through the firewall; all are connected in a workgroup.

Thanks..
It certainly doesn't sound like your network is so large that it floods the firewall, if everything is normal. However, if you had an inside machine that was misbehaving or was virus-infected, it could be producing such a large volume of traffic as to swamp iptables.

What Linux are you using on the firewall?
I'm using Red Hat 7.1 and kernel 2.4.2.
Apparently you are running 7.1 "out of the box", since you have the 2.4.2 kernel. The first thing I'd do is to apply all of the Red Hat errata to your system, as in running up2date. That probably will fix the problem.
Thanks jlevie. You have been a great help. Thanks.