  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 285

Help needed to troubleshoot internet sharing for RH 9.0 and WinXP

I have RH 9.0 set up as an Internet gateway using 2 NICs: eth0 is connected to my ADSL modem while eth1 is connected to my WinXP PC.

I modified the script from jlevie and I'm able to ping eth0 and eth1, but I couldn't get the web browser on my XP PC working. Can someone help me out?

Here's my ifconfig:
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:B8:44:A7
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2916 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2613 errors:0 dropped:0 overruns:0 carrier:0
          collisions:8 txqueuelen:100
          RX bytes:2914179 (2.7 Mb)  TX bytes:379324 (370.4 Kb)
          Interrupt:18 Base address:0xd000
 
eth1      Link encap:Ethernet  HWaddr 00:08:A1:58:F5:7A
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:6048 (5.9 Kb)  TX bytes:2416 (2.3 Kb)
          Interrupt:23 Base address:0xf000
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:7733 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:523802 (511.5 Kb)  TX bytes:523802 (511.5 Kb)
 
ppp0      Link encap:Point-to-Point Protocol
          inet addr:219.95.15.137  P-t-P:219.93.218.177  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:2752 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:2843729 (2.7 Mb)  TX bytes:320207 (312.7 Kb)


Asked by: ckyoon
 
jlevie commented:
The only change to my script that would be strictly necessary is to set:

OUTSIDE=ppp0
INSIDE=eth1

You will need to set the default gateway on the XP box to 192.168.0.1 and configure name servers the same as those found in /etc/resolv.conf on the Linux box.

Oh yes, you did enable IP forwarding on the Linux box, right?
 
owensleftfoot commented:
I would say your problem is name servers, as jlevie said. You need to add valid DNS servers for your NIC in WinXP. Windows needs to know when to use the gateway.
 
ckyoon (Author) commented:
This is the script I'm using. The DNS servers on the WinXP are the same as on my RH 9.0, and the gateway is 192.168.1.2 (eth0).

#!/bin/sh
#
# Save this to /root/iptables-gw
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables save' for RedHat to reinstate at the next
# boot IP forwarding must be enabled by other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-gw') to change the rulesets, rather than
# modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth0
INSIDE=eth1
INSIDE_IP=192.168.0.1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP
$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT (masquerading) if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# Don't leak SMB traffic onto the Internet. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 192.168.0.1
#
# Examples of allowing inbound for the port forwarding examples above.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the IP to be that of the INSIDE interface
# of the firewall.
#
#$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled
ckyoon (Author) commented:
jlevie,
I did set the name servers on the WinXP to those found in /etc/resolv.conf, as well as enabling IP forwarding on the Linux box.

BTW, I'd appreciate it if you can help me out with the following questions:
Why do I need to set OUTSIDE=ppp0 and not eth0, when eth0 is the NIC connected to my ADSL modem? Can I know why?
Why must I set the WinXP gateway to 192.168.0.1 and not 192.168.1.2?
 
jlevie commented:
You need OUTSIDE=ppp0 and not eth0 because eth0 is just used as a transport media for the PPP connection. Your outside IP is 219.95.15.137 and that's attached to ppp0. Change the script and reload it and things will work oh so much better.
 
ckyoon (Author) commented:
So how about the gateway I should set it on WinXP?
 
jlevie commented:
The inside IP is that of the interface your XP box connects to. It is eth1 (192.168.0.1) in this case and that's the default gateway for the XP box. Packets from the XP box destined for the Internet will go to that IP, be NAT'ed by iptables and sent out to the Internet via ppp0.
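The reasoning in jlevie's two replies above (the public address lives on ppp0, so ppp0 is OUTSIDE; the XP box's default gateway is the INSIDE address 192.168.0.1; forwarding must be switched on) can be turned into a small offline check. This is an added example in Python, not code from the thread or from jlevie's script. It parses the ifconfig output ckyoon posted (embedded below as sample input) and a constructed /etc/sysctl.conf fragment; the names parse_ifconfig, choose_outside, default_gateway_for_lan and ip_forward_enabled are my own, and "the OUTSIDE interface is the one with a non-private address" is the generalisation of jlevie's point.

```python
import ipaddress
import re

# Sample input: the ifconfig output from the question above (lines not needed here omitted).
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:B8:44:A7
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:08:A1:58:F5:7A
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
ppp0      Link encap:Point-to-Point Protocol
          inet addr:219.95.15.137  P-t-P:219.93.218.177  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
"""


def parse_ifconfig(text):
    """Parse classic net-tools ifconfig output into {iface: {addr, mask, ptp, flags}}."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an interface block starts in column 0
            current = line.split()[0]
            ifaces[current] = {"addr": None, "mask": None, "ptp": None, "flags": set()}
            continue
        for key, pattern in (("addr", r"inet addr:(\S+)"), ("mask", r"Mask:(\S+)"), ("ptp", r"P-t-P:(\S+)")):
            m = re.search(pattern, line)
            if m:
                ifaces[current][key] = m.group(1)
        tokens = line.split()
        if tokens and tokens[0] == "UP":  # flags line; skip MTU:/Metric: tokens
            ifaces[current]["flags"] = {t for t in tokens if ":" not in t}
    return ifaces


def choose_outside(ifaces):
    """OUTSIDE is the interface carrying a public (non-RFC1918, non-loopback) address.
    Here eth0 only carries the PPPoE transport; the public IP sits on ppp0."""
    for name, info in ifaces.items():
        if name == "lo" or info["addr"] is None:
            continue
        ip = ipaddress.ip_address(info["addr"])
        if not (ip.is_private or ip.is_loopback):
            return name
    return None


def default_gateway_for_lan(ifaces, inside):
    """LAN clients behind the NAT use the firewall's INSIDE address as their default gateway."""
    return ifaces[inside]["addr"]


def ip_forward_enabled(sysctl_conf):
    """Check a sysctl.conf body for net.ipv4.ip_forward = 1 (what the script's comments ask for)."""
    for line in sysctl_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv4.ip_forward":
            return value.strip() == "1"
    return False  # absent means the kernel default, which is off


def report(ifconfig_text, inside, sysctl_conf):
    """Summarise what the thread says must be true for the gateway to work."""
    ifaces = parse_ifconfig(ifconfig_text)
    return {
        "OUTSIDE": choose_outside(ifaces),
        "INSIDE": inside,
        "xp_default_gateway": default_gateway_for_lan(ifaces, inside),
        "ip_forward": ip_forward_enabled(sysctl_conf),
    }


if __name__ == "__main__":
    # Constructed sysctl.conf fragment with forwarding still off.
    conf = "net.ipv4.ip_forward = 0\nkernel.sysrq = 0\n"
    for key, value in report(IFCONFIG_SAMPLE, "eth1", conf).items():
        print(f"{key}: {value}")
```

Run against the posted ifconfig this reports OUTSIDE=ppp0 and an XP default gateway of 192.168.0.1, which is exactly the correction jlevie gives; the ip_forward check only reads the file, so on a live box you would still confirm /proc/sys/net/ipv4/ip_forward reads 1.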
 
ckyoon (Author) commented:
I added this to connect via telnet from the Internet, but I found that it is not working.

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 23 -j ACCEPT
 
ckyoon (Author) commented:
Sorry, I forgot to mention that I cannot telnet to it from the Internet using Microsoft telnet.
 
jlevie commented:
Is the telnet server installed and enabled on the firewall? Unless you chose "Everything" when installing RedHat 9 the telnet-server package would not have been installed. And even if the package is installed it won't be enabled, as a security measure.

Check to see if telnet-server is installed with 'rpm -q telnet-server'. If necessary install it from your distro CD's and enable it with 'chkconfig telnet on', followed by 'service xinetd restart'. Then make sure that it is working by executing 'telnet localhost' while logged on to the firewall.
 
ckyoon (Author) commented:
I'm able to telnet on the LAN from my WinXP PC but not through the Internet. I'm using No-IP services on my Linux box, and I'm sure my IP is updated, by pinging my No-IP domain.
 
jlevie commented:
Get the current outside IP from the output of ifconfig ppp0, make sure that the running rule set was generated from the iptables-gw file that includes the rule allowing telnet by executing iptables-gw, and then try a telnet session from outside by the IP of the firewall. If that fails you could look at /var/log/messages to see if the firewall blocked the connection, which I don't think would be the case if:

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 23 -j ACCEPT

is in iptables-gw and you've installed that rule by running the script. It is more likely, when attempting the telnet session to the outside IP, that your ISP may be blocking inbound access to standard servers.
 
ckyoon (Author) commented:
Well, it seems like I'm able to telnet to my Linux box from an outside PC but not from the Windows box in my LAN. Should I add a rule to forward telnet to the Linux box's LAN IP?

BTW, I'm using p2p software (Edonkey2000) but it's firewalled even though I've added a rule for the tcp & udp port I'm using and permit the inbound traffic.

$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 4662 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 5460 -j DNAT --to 192.168.0.1

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 4662 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 5460 -j ACCEPT
 

 
jlevie commented:
Right, the rule you added:

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 23 -j ACCEPT

permits connections from outside on the telnet port, but it has no effect on connections from inside of the firewall to the firewall. You could explicitly allow telnet to the firewall with:

$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -p tcp --dport 23 -j ACCEPT

or allow any type of connection from the inside to the firewall with:

$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT

which is commented out in my firewall script. Be sure that INSIDE_IP is correctly set to the IP assigned to the inside ethernet interface of the firewall.
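To see why the added port-23 rule helps an outside client but not the XP box, the INPUT chain can be modelled the way iptables evaluates it: the first matching rule wins, and "-i $OUTSIDE" only matches packets that arrived on ppp0, so a connection from eth1 falls through to the final "firewalled" catch-all. This is an added example in Python, not part of the thread or of jlevie's script; the Rule and Packet classes, build_input_chain and telnet_verdicts are my own names, and the packets are constructed. It reproduces only the rules relevant to the question (the script's SSH and telnet accepts on $OUTSIDE, the loopback accept, jlevie's suggested INSIDE rule, the RELATED,ESTABLISHED accept and the firewalled catch-all); the tcpflags and ICMP rules are left out because they do not affect these packets.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Interface and address values from the thread.
OUTSIDE, INSIDE, INSIDE_IP = "ppp0", "eth1", "192.168.0.1"


@dataclass(frozen=True)
class Rule:
    """One INPUT-chain rule. A None field means that match was omitted in the iptables
    command (or given as -d 0/0), so it matches anything."""
    target: str
    in_iface: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None     # inclusive range: (23, 23) or (2300, 2400)
    states: Optional[FrozenSet[str]] = None     # -m state --state ...


@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str
    proto: str
    dport: int
    state: str   # NEW, ESTABLISHED or RELATED, as conntrack would classify it


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified match criterion must hold, as with an iptables rule."""
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def evaluate(chain, pkt: Packet, policy: str = "DROP") -> str:
    """iptables semantics: the first matching rule's target decides; otherwise the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


def build_input_chain(allow_inside_telnet: bool = False):
    """The INPUT rules from the script that matter here, in the script's order."""
    chain = [
        Rule("ACCEPT", in_iface=OUTSIDE, proto="tcp", dport=(22, 22)),
        Rule("ACCEPT", in_iface=OUTSIDE, proto="tcp", dport=(23, 23)),   # the rule ckyoon added
        Rule("ACCEPT", in_iface="lo"),
    ]
    if allow_inside_telnet:   # jlevie's suggestion: -i $INSIDE -d $INSIDE_IP -p tcp --dport 23
        chain.append(Rule("ACCEPT", in_iface=INSIDE, dst=INSIDE_IP, proto="tcp", dport=(23, 23)))
    chain += [
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("firewalled"),   # log-and-drop chain: everything not matched above
    ]
    return chain


def telnet_verdicts(allow_inside_telnet: bool = False):
    """Verdicts for a few constructed packets; 'firewalled' means logged and dropped."""
    chain = build_input_chain(allow_inside_telnet)
    cases = {
        "outside client -> fw:23 (NEW)": Packet(OUTSIDE, "219.95.15.137", "tcp", 23, "NEW"),
        "XP box -> fw:23 (NEW)": Packet(INSIDE, INSIDE_IP, "tcp", 23, "NEW"),
        "XP box -> fw:22 (NEW)": Packet(INSIDE, INSIDE_IP, "tcp", 22, "NEW"),
        "reply to the firewall's own DNS query (ESTABLISHED)":
            Packet(OUTSIDE, "219.95.15.137", "udp", 32769, "ESTABLISHED"),
    }
    return {name: evaluate(chain, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for label, allow in (("without the INSIDE rule", False), ("with the INSIDE rule", True)):
        print(label)
        for name, verdict in telnet_verdicts(allow).items():
            print(f"  {name:55} -> {verdict}")
```

The model shows the narrow rule jlevie suggests is enough for telnet alone: with it, the XP box reaches port 23 but a NEW connection to port 22 from inside is still logged and dropped, which is the difference between that rule and the broader "-i $INSIDE -d $INSIDE_IP -j ACCEPT" line left commented out in the script.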
