Solved

Firewall setup

Posted on 2004-04-04
Last Modified: 2010-03-18
I have four machines: A, B, C, D.
A and B are in one network (192.168.1.0, mask 255.255.255.0).

C and D are in another network (192.168.0.0, mask 255.255.255.0).
For PC A, B is the gateway.
Similarly, for PC C, D is the gateway.
I want to connect from machine A to the other network (i.e. C and D) using B as the gateway.
Similarly, I want to connect from machine D to the other network (i.e. A and B) using C as the gateway.
What I did was enable IP forwarding on both my gateways, B and C.

Then I created a static route on machine C for machine B.

On machine C the routing entries are:
route add 192.168.1.1 dev eth0
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

On machine B the routing entry is:
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0
Both my machines A and D are using B and C as default gateways respectively.
I am able to ping and ssh from both sides.

Now I planned to set up a firewall on my gateways using iptables. Here only I have a problem: after I set up the firewall my client machines cannot access the other network, but the gateways can access each other. They too cannot access the other side's clients.

My firewall rules are:

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 5000 -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT

Similarly, on my other gateway I have a rule.
On both sides I enabled IP forwarding.
I guess something is wrong in my firewall rules, but I don't know where it is going wrong. I am totally new to this area. Can anyone help me?
Question by: palanisaravanan

Accepted Solution by: Alf666 (ID: 10752298)
Your forward rules do not allow packets to "come back".

On machines B and D, you should have:

iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT

iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT

One good way of diagnosing this kind of problem is using ethereal (or the text version: tethereal).

tethereal -i eth0
will give you everything that comes in/out of this interface. On the gateways, you can run :

tethereal -i eth0
tethereal -i eth1

on two different terminals.
That way, you would have seen that your packets come in one way, but not the other :-)

If you use ssh to connect to the gateways, then you'd better filter ssh out of tethereal's output if you don't want your terminal filled up with uninteresting packets:

tethereal -i eth0 not port 22

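The point of the accepted answer is that a FORWARD chain with a DROP policy needs a path for the replies, not just the requests. The script below is an added example, not code from this thread: it prints a complete gateway rule set that allows both directions (using the state match so replies are accepted generically) and includes a small lint that reads a rule set and reports whether every FORWARD ACCEPT has a return path, which flags the single one-way rule from the question. The networks are assumed from the question (gateway B's LAN 192.168.1.0/24, remote LAN 192.168.0.0/24; swap them for gateway C).

```shell
#!/bin/sh
# Added example (not from the thread). Run "sh gw.sh apply" on gateway B to load
# the rules; run with no argument to only print them for review.
# Assumed networks: local LAN 192.168.1.0/24, remote LAN 192.168.0.0/24.

# Print the rule set for a gateway whose local LAN is $1 and remote LAN is $2.
gateway_rules() {
    cat <<EOF
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s $1 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $1 -d $2 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s $2 -d $1 -m state --state NEW -j ACCEPT
EOF
}

# Read rules on stdin; return 0 if every "-A FORWARD -s X -d Y -j ACCEPT" has a
# return path (the reverse "-s Y -d X" rule, or an ESTABLISHED rule in FORWARD),
# 1 if some direction can send but never receive replies.
forward_has_return_path() {
    awk '
        /-A FORWARD/ && /--state [A-Z,]*ESTABLISHED/ { stateful = 1 }
        /-A FORWARD/ && /-j ACCEPT/ {
            s = ""; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") s = $(i + 1)
                if ($i == "-d") d = $(i + 1)
            }
            if (s != "" && d != "") { have[s " " d] = 1; need[d " " s] = 1 }
        }
        END {
            if (stateful) exit 0
            for (k in need) if (!(k in have)) exit 1
            exit 0
        }'
}

if [ "${1:-}" = "apply" ]; then
    gateway_rules 192.168.1.0/24 192.168.0.0/24 | sh -e
else
    gateway_rules 192.168.1.0/24 192.168.0.0/24
fi
```

Piping your own rule file into forward_has_return_path is a quick way to catch the one-way FORWARD mistake before loading it on a gateway.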
Expert Comment by: jlevie (ID: 10752453)
At the least you need to change your forward rule (it's backwards). You need a bit more in the rule set, and I'd suggest that you try:

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
