nexisvi
asked on
Problems setting up Linux Gateway
I'm having problems getting a Linux Gateway set-up. I've gone over the LDP Networking HOWTO's, and as far as I know I've set everything up correctly. Of course, I'm sure I'm overlooking something and I was hoping someone could point it out for me. ;-)
At my work, our traditional internal network is 192.168.0.0/24. A gateway sits at the I.P. address 192.168.0.4, and also acts as a proxy server. The problem with this is the fact that it's an old MS Proxy server (All the computers in the internal network are also running a MS Operating system). Now I have nothing to do with this network, however in my spare I've been trying to set up a linux gateway as an alternative path outside the network, which could also offer tons of other services. I've managed to get a static I.P. assigned for the Linux Box, which is directly accessible from the internet. I'm using the 2.4 linux kernel, and have compiled in the necessary items to run the machine as a gateway. FYI, I'm running Debian woody. Also for safety I won't use the 'real' I.P. address that the outside see's.
The Linux Box has two NIC's, eth0 and eth1. Here's some info extracted from ifconfig (w the real external I.P. being omited):
eth0 Link encap:Ethernet HWaddr 00:01:02:36:E6:A2
inet addr:192.168.0.95 Bcast:192.168.0.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 00:01:02:78:6D:77
inet addr:141.117.101.135 Bcast:141.117.101.43.143 Mask:255.255.255.240
eth0 is connected to the internal network, and eth1 is connected to the internet. In the above example, the I.P. address 141.117.101.135 is an address you can use to directly connect to the box from the outside.
Here is the results of the route command:
Destination Gateway Genmask Flags Metric Ref Use Iface
141.117.101.128 * 255.255.255.240 U 0 0 0 eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
default 141.117.101.129 0.0.0.0 UG 0 0 0 eth1
From the above routing table, you can see that the box has a gateway at 141.117.101.129 to access the internet.
My first task was to set up NAT, so I could use the linux box as the new gateway for a windows xp machine, and make internet connections through this gateway. After completely flushing out and deleting all chains in both the "filter" and "nat" tables, I've tried the following commands with iptables:
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to 141.117.101.135
iptables -t filter -I FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
The following is a list of the two resulting tables (I'm omiting the empty tables):
iptables -t nat -L:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to:141.117.101.135
iptables -t filter -L:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
I've also turned on I.P. forwarding by using the following command:
echo 1 > /proc/sys/net/ipv4/ip_forw
and checked to make sure it is indeed set to 1. Now, on the windows XP side all that I'm assuming I would need to do is change the gateway to point to my linux machine instead of the old gateway. Ex. the old gateway is at 192.168.0.4, so I just change that to 192.168.0.95. I can get DNS working later, so for now I've put in a couple external DNS servers in the DNS section of the windows network configuration. With this current setup, I can't seem to get an outside connection from the windows machine. A Few more notes: 1. I can ping the linux gateway from the windows machine. 2. The linux machine can ping computers both inside the internal network (such as my test windows computer), and computers on the outside. 3. I'm using I.P. addresses to test the outside connection, just to eliminate the chance that it's a DNS issue.
It's probably something stupid that I overlooked or left out, so I'm hoping someone could take a look at this setup and notice what's wrong with it.
Thanks in advance.
At my work, our traditional internal network is 192.168.0.0/24. A gateway sits at the I.P. address 192.168.0.4, and also acts as a proxy server. The problem with this is the fact that it's an old MS Proxy server (All the computers in the internal network are also running a MS Operating system). Now I have nothing to do with this network, however in my spare I've been trying to set up a linux gateway as an alternative path outside the network, which could also offer tons of other services. I've managed to get a static I.P. assigned for the Linux Box, which is directly accessible from the internet. I'm using the 2.4 linux kernel, and have compiled in the necessary items to run the machine as a gateway. FYI, I'm running Debian woody. Also for safety I won't use the 'real' I.P. address that the outside see's.
The Linux Box has two NIC's, eth0 and eth1. Here's some info extracted from ifconfig (w the real external I.P. being omited):
eth0 Link encap:Ethernet HWaddr 00:01:02:36:E6:A2
inet addr:192.168.0.95 Bcast:192.168.0.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 00:01:02:78:6D:77
inet addr:141.117.101.135 Bcast:141.117.101.43.143 Mask:255.255.255.240
eth0 is connected to the internal network, and eth1 is connected to the internet. In the above example, the I.P. address 141.117.101.135 is an address you can use to directly connect to the box from the outside.
Here is the results of the route command:
Destination Gateway Genmask Flags Metric Ref Use Iface
141.117.101.128 * 255.255.255.240 U 0 0 0 eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
default 141.117.101.129 0.0.0.0 UG 0 0 0 eth1
From the above routing table, you can see that the box has a gateway at 141.117.101.129 to access the internet.
My first task was to set up NAT, so I could use the linux box as the new gateway for a windows xp machine, and make internet connections through this gateway. After completely flushing out and deleting all chains in both the "filter" and "nat" tables, I've tried the following commands with iptables:
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to 141.117.101.135
iptables -t filter -I FORWARD -s 192.168.0.0/24 -i eth0 -j ACCEPT
The following is a list of the two resulting tables (I'm omiting the empty tables):
iptables -t nat -L:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to:141.117.101.135
iptables -t filter -L:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 anywhere
I've also turned on I.P. forwarding by using the following command:
echo 1 > /proc/sys/net/ipv4/ip_forw
and checked to make sure it is indeed set to 1. Now, on the windows XP side all that I'm assuming I would need to do is change the gateway to point to my linux machine instead of the old gateway. Ex. the old gateway is at 192.168.0.4, so I just change that to 192.168.0.95. I can get DNS working later, so for now I've put in a couple external DNS servers in the DNS section of the windows network configuration. With this current setup, I can't seem to get an outside connection from the windows machine. A Few more notes: 1. I can ping the linux gateway from the windows machine. 2. The linux machine can ping computers both inside the internal network (such as my test windows computer), and computers on the outside. 3. I'm using I.P. addresses to test the outside connection, just to eliminate the chance that it's a DNS issue.
It's probably something stupid that I overlooked or left out, so I'm hoping someone could take a look at this setup and notice what's wrong with it.
Thanks in advance.
ASKER
I tried adding the rule
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
which produced this entry in the INPUT chain of the filter table:
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
but unfortunately I still can't get NAT from my windows machine. Just for testing, I also tried adding rules to basically accept everything, forward everything, etc but I didn't have any luck with that either.
I'll try and look into figuring out the best way to log if/when the packets are arriving at the linux box, to see if they are getting there and why they are being dropped.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
which produced this entry in the INPUT chain of the filter table:
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
but unfortunately I still can't get NAT from my windows machine. Just for testing, I also tried adding rules to basically accept everything, forward everything, etc but I didn't have any luck with that either.
I'll try and look into figuring out the best way to log if/when the packets are arriving at the linux box, to see if they are getting there and why they are being dropped.
If I understand you correctly, you're saying that none of the machines, except for the gateway machine itself, can ping
hosts external to your LAN?
If so, I'm wondering if you're suffering from a problem I had here once, which had me pulling my hair out for a while...
I found that I had forgotten to enable ip_forward on the gateway machine.
Check (and amend if neccesary), that /proc/sys/net/ipv4/ip_forw
hosts external to your LAN?
If so, I'm wondering if you're suffering from a problem I had here once, which had me pulling my hair out for a while...
I found that I had forgotten to enable ip_forward on the gateway machine.
Check (and amend if neccesary), that /proc/sys/net/ipv4/ip_forw
ASKER
ip_forwarding is definately enabled on the gateway
what happens if you just turn iptables off entirely? Are clients then able to connect?
On my firewall, I just run /etc/init.d/iptables stop to do this, but your mileage may vary.
On my firewall, I just run /etc/init.d/iptables stop to do this, but your mileage may vary.
ASKER
My iptables doesn't have a "stop" script. It can start, force-start, and restart. I don't think turning it off would help though. I've tried both a completely empty table, and one that accepts everything, but didn't have any luck. I can ssh into the box from both outside and inside the lan, and the box can ping both outside and inside from the box. Somethings just not forwarding the packets from inside to outside correctly.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The above rules worked great! Since I got that working I've been able to add additional rules to my firewall and make it fairly secure while at the same time still providing NAT for the clients on the inside of the LAN.
Thanks for all your help!
Thanks for all your help!
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
just to get the firewall to work. FWIW, the rule sets shown below give a bit more protection and are what I use. They were written for a RedHat system, but with a bit of editing could be adapted to your Debian box
#!/bin/sh
#
# Save this in root's home directory as iptables-gw and make it executable
# with 'chmod +x iptables-gw'. Then to install the rule set simply run it
# with './iptables-gw'.
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables save' for RedHat to reinstate at the next
# boot IP fordarding must be enabled by other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
#echo 1 > /proc/sys/net/ipv4/ip_forw
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
# I find it easier to modify this file and run it to change the rulesets.,
# rather than modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth1
INSIDE=eth0
INSIDE_IP=10.0.0.254
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent - Just dop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP
$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP
$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# To Statically NAT an outside IP (1.2.3.4) to an inside IP (10.0.0.2) you'd
# do something like:
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -d 1.2.3.4 -j DNAT --to-destination 10.0.0.2
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -s 10.0.0.2 -j SNAT --to-source 1.2.3.4
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# We've slipped the surly bonds of windows and are dancing on the
# silvery wings of Linux, so don't allow that windows broadcast trash
# to leak out of the firewall.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
#
# Examples of allowing inbound for the port forwarding examples above or for
# allowing access to services running on the firewall
#
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inheritly trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the IP to be that of the INSIDE interface
# of the firewall.
#
#$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled