
Help needed to troubleshoot internet sharing for RH 9.0 and WinXP

Asked by ckyoon | Medium Priority | 298 Views | Last Modified: 2010-03-18
I have RH 9.0 set up as an internet gateway using 2 NICs, eth0 connected to my ADSL modem while eth1 is connected to my WinXP PC.

I modified the script from jlevie and I'm able to ping eth0 and eth1, but I couldn't get the web browser on my XP PC working. Can someone help me out?

Here's my ifconfig
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:B8:44:A7
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2916 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2613 errors:0 dropped:0 overruns:0 carrier:0
          collisions:8 txqueuelen:100
          RX bytes:2914179 (2.7 Mb)  TX bytes:379324 (370.4 Kb)
          Interrupt:18 Base address:0xd000
 
eth1      Link encap:Ethernet  HWaddr 00:08:A1:58:F5:7A
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:6048 (5.9 Kb)  TX bytes:2416 (2.3 Kb)
          Interrupt:23 Base address:0xf000
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:7733 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:523802 (511.5 Kb)  TX bytes:523802 (511.5 Kb)
 
ppp0      Link encap:Point-to-Point Protocol
          inet addr:219.95.15.137  P-t-P:219.93.218.177  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:2752 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:2843729 (2.7 Mb)  TX bytes:320207 (312.7 Kb)



Top Expert 2005

Commented:
The only change to my script that would be strictly necessary is to set:

OUTSIDE=ppp0
INSIDE=eth1

You will need to set the default gateway on the XP box to 192.168.0.1 and configure name servers the same as those found in /etc/resolv.conf on the Linux box.

Oh yes, you did enable IP forwarding on the Linux box, right?
I would say your problem is name servers, as jlevie said. You need to add valid DNS servers for your NIC in WinXP. Windows needs to know when to use the gateway.

Author

Commented:
This is the script I'm using. The DNS on the WinXP is the same as on my RH 9.0, and the gateway is 192.168.1.2 (eth0).

#!/bin/sh
#
# Save this to /root/iptables-gw
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables save' for RedHat to reinstate at the next
# boot IP forwarding must be enabled by other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-gw') to change the rulesets, rather than
# modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth0
INSIDE=eth1
INSIDE_IP=192.168.0.1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP
$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT (masquerading) if you have a dynamic IP. Otherwise comment out the
# following line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# Don't leak SMB traffic onto the Internet. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 192.168.0.1
#
# Examples of allowing inbound for the port forwarding examples above.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the IP to be that of the INSIDE interface
# of the firewall.
#
#$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled

Author

Commented:
jlevie,
I did set the name servers on the WinXP found at /etc/resolv.conf as well as enable the IP forwarding on the linux box.

BTW, I'd appreciate it if you can help me out with the following questions:
Why do I need to set OUTSIDE=ppp0 and not eth0, since eth0 is the NIC connected to my ADSL modem? Can I know why?
Why must I set the WinXP gateway to 192.168.0.1 and not 192.168.1.2?
Top Expert 2005

Commented:
You need OUTSIDE=ppp0 and not eth0 because eth0 is just used as a transport media for the PPP connection. Your outside IP is 219.95.15.137 and that's attached to ppp0. Change the script and reload it and things will work oh so much better.

Author

Commented:
So how about the gateway I should set it on WinXP?
Top Expert 2005

Commented:
The inside IP is that of the interface your XP box connects to. It is eth1 (192.168.0.1) in this case and that's the default gateway for the XP box. Packets from the XP box destined for the Internet will go to that IP, be NAT'ed by iptables and sent out to the Internet via ppp0.
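The two points jlevie makes (OUTSIDE is whichever interface holds the public address, and the XP gateway is the firewall address on the XP box's own subnet) can be checked mechanically from the ifconfig output posted in the question. The following is an added example, not code from the thread; it parses a trimmed copy of that output (constructed sample) and derives both values, raising an error when the picture is ambiguous.

```python
import ipaddress
import re

# Constructed sample: trimmed from the ifconfig output posted in the question.
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:B8:44:A7
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:08:A1:58:F5:7A
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:219.95.15.137  P-t-P:219.93.218.177  Mask:255.255.255.255
"""

def parse_ifconfig(text):
    """Return {ifname: IPv4Interface} from net-tools style ifconfig output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+)\s+Link encap", line)
        if head:
            current = head.group(1)
            continue
        addr = re.search(r"inet addr:(\S+).*Mask:(\S+)", line)
        if addr and current:
            ifaces[current] = ipaddress.IPv4Interface(f"{addr.group(1)}/{addr.group(2)}")
    return ifaces

def pick_outside(ifaces):
    """OUTSIDE is the interface that holds the globally routable address; the NIC
    carrying the PPP session (eth0, 192.168.1.2) only sees the modem's private net."""
    public = [name for name, iface in ifaces.items() if iface.ip.is_global]
    if len(public) != 1:
        raise ValueError(f"expected exactly one public interface, found {public}")
    return public[0]

def pick_gateway(ifaces, client_ip):
    """A client's default gateway must be the firewall address on the client's own
    subnet; an address on another subnet (192.168.1.2) is not directly reachable."""
    client = ipaddress.IPv4Address(client_ip)
    for name, iface in ifaces.items():
        if name != "lo" and client in iface.network:
            return name, str(iface.ip)
    raise ValueError(f"no firewall interface shares a subnet with {client_ip}")

if __name__ == "__main__":
    ifs = parse_ifconfig(IFCONFIG_SAMPLE)
    inside, gw = pick_gateway(ifs, "192.168.0.10")   # any host on the XP side
    print(f"OUTSIDE={pick_outside(ifs)}\nINSIDE={inside}\nXP default gateway: {gw}")
```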

Author

Commented:
I added this to connect via telnet from Internet but I found that it is not working.

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 23 -j ACCEPT

Author

Commented:
Sorry, forgot to mention I cannot telnet to it from the Internet using Microsoft telnet.
Top Expert 2005

Commented:
Is the telnet server installed and enabled on the firewall? Unless you chose "Everything" when installing RedHat 9 the telnet-server package would not have been installed. And even if the package is installed it won't be enabled, as a security measure.

Check to see if telnet-server is installed with 'rpm -q telnet-server'. If necessary install it from your distro CD's and enable it with 'chkconfig telnet on', followed by 'service xinetd restart'. Then make sure that it is working by executing 'telnet localhost' while logged on to the firewall.

Author

Commented:
I'm able to telnet on the LAN from my WinXP PC but not through the Internet. I'm using no-ip services on my Linux box and I'm sure my IP is updated, by pinging my no-ip domain.
Top Expert 2005

Commented:
Get the current outside IP from the output of ifconfig ppp0, make sure that the running rule set was generated from the iptables-gw file that includes the rule allowing telnet by executing iptables-gw, and then try a telnet session from outside by the IP of the firewall. If that fails you could look at /var/log/messages to see if the firewall blocked the connection, which I don't think would be the case if:

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 23 -j ACCEPT

is in iptables-gw and you've installed that rule by running the script. It is more likely, when attempting the telnet session to the outside IP, that your ISP may be blocking inbound access to standard servers.

Author

Commented:
Well, it seems like I'm able to telnet to my linux box from outside pc but not from the windows box in my LAN. Should I add a rule to forward telnet to linux box LAN ip?

BTW, I'm using p2p software (Edonkey2000) but it's firewalled even though I've added a rule for the tcp & udp port I'm using and permit the inbound traffic.

$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 4662 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 5460 -j DNAT --to 192.168.0.1

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 4662 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 5460 -j ACCEPT
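A defender reviewing the rules above wants two things from them: a list of what the Internet side can reach, and a check that each port forward actually lands on a LAN host and is permitted on the path it really takes (a DNAT'ed packet is routed onward and traverses FORWARD, not INPUT). The following is an added example, not code from the thread; it parses a constructed subset of the posted rules (the script's INSIDE_IP and the two rules added for the file-sharing client) and reports both, including the case where the DNAT target is the firewall's own inside address rather than the LAN PC.

```python
import shlex

INSIDE_IP = "192.168.0.1"  # the firewall's own eth1 address (INSIDE_IP in the script)
# Constructed sample: rule lines from the posted script plus the two added for the file-sharing client.
RULES = """\
$IPT -P FORWARD ACCEPT
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 4662 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 5460 -j DNAT --to 192.168.0.1
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 4662 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 5460 -j ACCEPT
"""
# iptables options the audit looks at -> key in the parsed rule
FLAGS = {"-t": "table", "-A": "chain", "-i": "in", "-p": "proto",
         "--dport": "dport", "-j": "target", "--to": "to"}

def parse_rules(text):
    """Map each '$IPT ...' line of the script to a dict of its options."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "$IPT":
            continue
        rule = {"table": "filter"}
        for i, tok in enumerate(toks):
            if tok == "-P":                      # "-P FORWARD ACCEPT": chain, then policy
                rule["policy_chain"], rule["policy"] = toks[i + 1], toks[i + 2]
            elif tok in FLAGS:
                rule[FLAGS[tok]] = toks[i + 1]
        rules.append(rule)
    return rules

def audit(rules, inside_ip):
    """Return (exposed, findings): what the outside can reach, and the problems seen."""
    fwd_policy = next((r["policy"] for r in rules if r.get("policy_chain") == "FORWARD"), "ACCEPT")
    fwd_allow = {(r.get("proto"), r.get("dport")) for r in rules
                 if r.get("chain") == "FORWARD" and r.get("target") == "ACCEPT"}
    exposed, findings = [], []
    for r in rules:
        # Services on the firewall itself that the untrusted side may reach
        if r.get("chain") == "INPUT" and r.get("target") == "ACCEPT" and r.get("in") == "$OUTSIDE":
            exposed.append(("firewall", r["proto"], r["dport"]))
        # Port forwards: DNAT'ed packets are routed on and traverse FORWARD, not INPUT
        if r["table"] == "nat" and r.get("chain") == "PREROUTING" and r.get("target") == "DNAT":
            key = (r["proto"], r["dport"])
            exposed.append((r["to"], *key))
            if r["to"] == inside_ip:
                findings.append(f"{key}: DNAT --to {inside_ip} is the firewall's own inside "
                                "address, so the LAN host never receives this traffic")
            if fwd_policy != "ACCEPT" and key not in fwd_allow:
                findings.append(f"{key}: no FORWARD rule allows the forwarded traffic")
    return exposed, findings
```

With the sample above, every forwarded port is reported as landing on the firewall's own address; the FORWARD check only fires once the script's FORWARD policy is tightened from ACCEPT.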
 
