Solved

Help needed to troubleshoot internet sharing for RH 9.0 and WinXP

Posted on 2004-04-08
233 Views
Last Modified: 2010-03-18
I have RH 9.0 set up as an internet gateway using 2 NICs, eth0 connected to my ADSL modem while eth1 is connected to my WinXP PC.

I modified the script from jlevie and I'm able to ping eth0 and eth1, but I couldn't get the web browser on my XP PC working. Can someone help me out?

Here's my ifconfig
eth0      Link encap:Ethernet  HWaddr 00:D0:B7:B8:44:A7
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2916 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2613 errors:0 dropped:0 overruns:0 carrier:0
          collisions:8 txqueuelen:100
          RX bytes:2914179 (2.7 Mb)  TX bytes:379324 (370.4 Kb)
          Interrupt:18 Base address:0xd000
 
eth1      Link encap:Ethernet  HWaddr 00:08:A1:58:F5:7A
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:6048 (5.9 Kb)  TX bytes:2416 (2.3 Kb)
          Interrupt:23 Base address:0xf000
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:7733 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:523802 (511.5 Kb)  TX bytes:523802 (511.5 Kb)
 
ppp0      Link encap:Point-to-Point Protocol
          inet addr:219.95.15.137  P-t-P:219.93.218.177  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:2752 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:2843729 (2.7 Mb)  TX bytes:320207 (312.7 Kb)


Question by:ckyoon
16 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 10786970
The only change to my script that would be strictly necessary is to set:

OUTSIDE=ppp0
INSIDE=eth1

You will need to set the default gateway on the XP box to 192.168.0.1 and configure name servers the same as those found in /etc/resolv.conf on the Linux box.

Oh yes, you did enable IP forwarding on the Linux box, right?
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 10787853
I would say your problem is name servers as jlevie said. You need to add valid dns servers for your nic in winXP. Windows needs to know when to use the gateway.
 

Author Comment

by:ckyoon
ID: 10787973
This is the script I'm using. The DNS on the WinXP is the same as on my RH 9.0 and the gateway is 192.168.1.2 (eth0).

#!/bin/sh
#
# Save this to /root/iptables-gw
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'service iptables save' for RedHat to reinstate at the next
# boot, IP forwarding must be enabled by other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-gw') to change the rulesets, rather than
# modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth0
INSIDE=eth1
INSIDE_IP=192.168.0.1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP
$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# Don't leak SMB traffic onto the Internet. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 192.168.0.1
#
# Examples of allowing inbound for the port forwarding examples above.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the IP to be that of the INSIDE interface
# of the firewall.
#
#$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled
 

Author Comment

by:ckyoon
ID: 10788447
jlevie,
I did set the name servers on the WinXP found at /etc/resolv.conf as well as enable the IP forwarding on the linux box.

BTW, appreciate if you can help me out for the following questions:-
Why do I need to set OUTSIDE=ppp0 and not eth0, since eth0 is the NIC connected to my ADSL modem? Can I know why?
Why must I set the WinXP gateway to 192.168.0.1 and not 192.168.1.2?
 
LVL 40

Expert Comment

by:jlevie
ID: 10788691
You need OUTSIDE=ppp0 and not eth0 because eth0 is just used as a transport media for the PPP connection. Your outside IP is 219.95.15.137 and that's attached to ppp0. Change the script and reload it and things will work oh so much better.
 

Author Comment

by:ckyoon
ID: 10788806
So what about the gateway I should set on WinXP?
 
LVL 40

Expert Comment

by:jlevie
ID: 10788925
The inside IP is that of the interface your XP box connects to. It is eth1 (192.168.0.1) in this case and that's the default gateway for the XP box. Packets from the XP box destined for the Internet will go to that IP, be NAT'ed by iptables and sent out to the Internet via ppp0.

 

Author Comment

by:ckyoon
ID: 10793092
I added this to connect via telnet from Internet but I found that it is not working.

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 23 -j ACCEPT
 

Author Comment

by:ckyoon
ID: 10793269
Sorry, forgot to mention I cannot telnet to it from the internet using Microsoft telnet.
 
LVL 40

Expert Comment

by:jlevie
ID: 10793514
Is the telnet server installed and enabled on the firewall? Unless you chose "Everything" when installing RedHat 9 the telnet-server package would not have been installed. And even if the package is installed it won't be enabled, as a security measure.

Check to see if telnet-server is installed with 'rpm -q telnet-server'. If necessary install it from your distro CD's and enable it with 'chkconfig telnet on', followed by 'service xinetd restart'. Then make sure that it is working by executing 'telnet localhost' while logged on to the firewall.
 

Author Comment

by:ckyoon
ID: 10793755
I'm able to telnet on the LAN from my WinXP PC but not through the internet. I'm using no-ip services on my Linux box and I'm sure my IP is updated, by pinging my no-ip domain.
 
LVL 40

Expert Comment

by:jlevie
ID: 10793902
Get the current outside IP from the output of ifconfig ppp0, make sure that the running rule set was generated from the iptables-gw file that includes the rule allowing telnet by executing iptables-gw, and then try a telnet session from outside by the IP of the firewall. If that fails you could look at /var/log/messages to see if the firewall blocked the connection, which I don't think would be the case if:

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 23 -j ACCEPT

is in iptables-gw and you've installed that rule by running the script. It is more likely, when attempting the telnet session to the outside IP, that your ISP may be blocking inbound access to standard servers.
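The /var/log/messages check suggested above, as an added example that is not from the thread: a small shell summary of what the posted script's LOG rules dropped, grouped by log prefix, protocol and destination port. The log lines are constructed to match the script's "Firewalled:" and "TCPflags:" prefixes; the function names and sample addresses are mine.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the gateway's iptables LOG
# output so you can see whether an inbound telnet attempt hit the INPUT
# catch-all ("Firewalled:") or the bad-flags chain ("TCPflags:").
# The log lines below are constructed, not real output.
SAMPLE_LOG='Apr  8 20:01:11 gw kernel: Firewalled:IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=219.95.15.137 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=1 DF PROTO=TCP SPT=3456 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  8 20:01:14 gw kernel: Firewalled:IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=219.95.15.137 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2 DF PROTO=TCP SPT=3456 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  8 20:02:30 gw kernel: TCPflags:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=219.95.15.137 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=1025 DPT=80 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Apr  8 20:03:02 gw kernel: Firewalled:IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=219.95.15.137 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=UDP SPT=53 DPT=1026 LEN=40'

# Print "prefix proto dport count" for each distinct dropped flow class.
# Reads syslog lines on stdin; lines without one of the prefixes are ignored.
# Note the prefix is glued to IN= because the script's --log-prefix has no
# trailing space.
summarise_drops() {
    awk '
    /kernel: (Firewalled|TCPflags):/ {
        prefix = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(Firewalled|TCPflags):IN=/) { split($i, a, ":"); prefix = a[1] }
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        n[prefix " " proto " " dpt]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# How many packets to one destination port ($1) were refused by the INPUT
# catch-all. Zero here, with a failing telnet from outside, points away from
# the firewall and toward the ISP or the rule not being loaded.
count_dport_drops() {
    summarise_drops | awk -v p="$1" '$1 == "Firewalled" && $3 == p { s += $4 } END { print s + 0 }'
}

# Stand-alone run over the constructed sample (on the gateway, use
# grep kernel: /var/log/messages | summarise_drops instead).
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```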
 

Author Comment

by:ckyoon
ID: 10802962
Well, it seems like I'm able to telnet to my linux box from outside pc but not from the windows box in my LAN. Should I add a rule to forward telnet to linux box LAN ip?

BTW, I'm using p2p software (Edonkey2000) but it's firewalled even though I've added a rule for the tcp & udp port I'm using and permit the inbound traffic.

$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 4662 -j DNAT --to 192.168.0.1
$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 5460 -j DNAT --to 192.168.0.1

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 4662 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 5460 -j ACCEPT
 
LVL 40

Accepted Solution

by:
jlevie earned 125 total points
ID: 10803106
Right, the rule you added:

$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 23 -j ACCEPT

permits connections from outside on the telnet port, but it has no effect on connections from inside of the firewall to the firewall. You could explicitly allow telnet to the firewall with:

$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -p tcp --dport 23 -j ACCEPT

or allow any type of connection from the inside to the firewall with:

$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT

which is commented out in my firewall script. Be sure that INSIDE_IP is correctly set to the IP assigned to the inside ethernet interface of the firewall.
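Pulling together the points made in this thread (OUTSIDE must be ppp0 because the public IP lives there, IP forwarding must be on, and LAN hosts need an INPUT rule of their own to reach the gateway), here is an added example that is not the thread's script. It picks the outside interface from ifconfig-style output and prints the minimal rule set rather than applying it, so it can be inspected first and piped to sh as root on the gateway when it looks right. The ifconfig excerpt is constructed from the question's output; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): derive OUTSIDE from ifconfig output and
# emit the minimal NAT rule set the thread converges on. Rules are printed,
# not applied, so this runs anywhere without root.
IPT="/sbin/iptables"
INSIDE=eth1
INSIDE_IP=192.168.0.1

# Constructed ifconfig excerpt: eth0 only carries the PPPoE frames to the
# modem; the public address is on ppp0, so ppp0 is what NAT must use.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:D0:B7:B8:44:A7
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:219.95.15.137  P-t-P:219.93.218.177  Mask:255.255.255.255'

# Print the name of the first Point-to-Point interface (the PPPoE session).
# Reads ifconfig-style text on stdin.
pick_outside_iface() {
    awk '/^[a-z0-9]+ .*Point-to-Point/ { print $1; exit }'
}

# Return 0 when IP forwarding is on. $1 = path to ip_forward (defaults to
# the real /proc file); pass a temp file to exercise it off the gateway.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Emit the rules. $1 = OUTSIDE interface. Masquerade on the public
# interface, let return traffic in, and allow only telnet from the LAN to
# the gateway itself (narrower than the blanket inside->firewall ACCEPT).
gen_rules() {
    out=$1
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "$IPT -t nat -A POSTROUTING -o $out -j MASQUERADE"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -p tcp --dport 23 -j ACCEPT"
    echo "$IPT -A INPUT -j DROP"
}

OUTSIDE=$(printf '%s\n' "$SAMPLE_IFCONFIG" | pick_outside_iface)
gen_rules "$OUTSIDE"
```

On the real gateway replace the sample with `/sbin/ifconfig | pick_outside_iface` and check `forwarding_enabled` before loading anything.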