Solved

Linux ipmasq and firewall

Posted on 2004-09-08
84
749 Views
Last Modified: 2008-02-01
Here is my sample of rc.ipmasq

#!/bin/sh

IPTABLES=/sbin/iptables

#All The lines below are NAT routing

# flush any old rules
$IPTABLES -F -t nat

# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward

And here is my sample of rc.firewall

#!/bin/sh


#Change the part after the = to where iptables is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp


#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT


#Allow incoming FTP requests
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

#Allow incoming SSH requests
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#Allow incoming HTTP requests (to Web server)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at /var/log/syslog

I have 3 NIC. eth0 is connected to my modem using static ip.

eth0
ip: 212.111.120.210
netmask:255.255.255.252
gateway:212.111.120.209

eth1
ip:192.168.1.1
netmask:255.255.255.0

eth2
ip:192.168.2.1
netmask:255.255.255.0

I'm getting confused...

1) rc.ipmasq is to share the internet from eth0 to eth1 and eth2... [is this correct?]

2) Is my rc.firewall secure? Am I doing the correct thing? Is the port forwarding good?

I have an FTP server which is running on my Linux router itself for the time being. What if I want to make another PC act as the FTP server, connected to eth1? Is my rc.firewall script correct for that? Every FTP connection request from outside has to be directed to my eth1 and on to the FTP server PC.

external request ftp -> [eth0] linux router -> [eth1] direct to pc which only links to eth1, or pc ip

external request www -> [eth0] linux router -> [eth2] direct to pc which only links to eth2, or pc ip

Please, I need help.

0
Comment
Question by:fedoragirls
84 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 12006430
Your rc.ipmasq does not share it; it does IP masquerading, or NAT (network address translation). Sharing means that you can control the connection, which is not the case here. You only translate traffic with private IPs to public ones.
Your setup is correct, so do not worry about that part.

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
This is not good. First of all I would not allow ping to my firewall from outside.

 I would have something like this
iptables -A INPUT -i ppp0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 1024:  -j ACCEPT
UDP is stateless, so allowing it like the rule above is good enough. For TCP it will allow back connections for all non-privileged ports.


The rules below make it unnecessary to specify inbound rules for SSH and FTP, unless you want to have those from the outside.

$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT


Now for your FTP and WWW forwarding you need this

iptables -A FORWARD -s 0.0.0.0/0 -d  212.111.120.210/32  -p tcp --destination-port 80 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d  212.111.120.210/32 -p tcp --destination-port 21 -j ACCEPT

iptables -t nat -A PREROUTING --dport 80-j DNAT --to-destination <local-ip-address for webserver>
iptables -t nat -A PREROUTING --dport 21-j DNAT --to-destination <local-ip-address for ftpserver>

iptables -t nat -A POSTROUTING -o eth0 -s <local-ip-address webserver> -j SNAT --to-source 212.111.120.210
iptables -t nat -A POSTROUTING -o eth0 -s <local-ip-address ftpserver> -j SNAT --to-source 212.111.120.210

this should help you



0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12008376
Your rc.firewall probably allows any routed traffic; that's bad in most cases ...
You should also add:

$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# then decide what is to be forwarded or redirected (see bloemkool1980's suggestion for example)
0
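Putting the two suggestions above together, here is an added example: my own script, not one posted in this thread, written for the topology in the question (eth0 with the static public address 212.111.120.210 toward the modem, eth1 as 192.168.1.0/24, eth2 as 192.168.2.0/24). It assumes an FTP server at 192.168.1.10 on eth1 and a web server at 192.168.2.10 on eth2; both addresses are placeholders, as is the SSH_ADMIN_NET variable, the use of `sysctl`, and the conntrack helper module names (those of 2.4/2.6-era kernels). Two things it does differently from the rules quoted above. First, DNAT is applied in PREROUTING, before the FORWARD chain sees the packet, so a FORWARD rule for a port forward has to match the internal server address; a rule with `-d 212.111.120.210` in FORWARD never matches a forwarded packet. Second, with connection tracking, replies can be accepted as ESTABLISHED,RELATED for every protocol, so there is no need to let unsolicited UDP to ports above 1023 in. OUTPUT is left at ACCEPT because the router itself must resolve names and fetch updates; an OUTPUT DROP policy is stricter but needs matching allow rules. Run the script without arguments and it prints the commands it would execute; run it as root with FW_APPLY=1 to load them.

```shell
#!/bin/sh
# Added example: one firewall + NAT script for the three-NIC router in the question.
# Placeholders (not from the thread): FTP_SERVER, WEB_SERVER, SSH_ADMIN_NET.
# Without FW_APPLY=1 every command is printed instead of executed, for review.

IPTABLES=${IPTABLES:-/sbin/iptables}
WAN=eth0
WAN_IP=212.111.120.210
LAN_NETS="192.168.1.0/24 192.168.2.0/24"
FTP_SERVER=192.168.1.10                     # assumption: FTP host on eth1
WEB_SERVER=192.168.2.10                     # assumption: web host on eth2
SSH_ADMIN_NET=${SSH_ADMIN_NET:-0.0.0.0/0}   # narrow this to the address range you administer from

# run: execute a command, or print it when reviewing (FW_APPLY unset)
run() {
    if [ "${FW_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}
ipt() { run "$IPTABLES" "$@"; }

firewall_rules() {
    # FTP data connections only count as RELATED when the conntrack helper is loaded
    # (2.4/2.6 module names; newer kernels call them nf_conntrack_ftp / nf_nat_ftp)
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    run sysctl -w net.ipv4.ip_forward=1

    # Clean slate in filter and nat (-X also removes Fedora's RH-Firewall-1-INPUT chain),
    # then fail closed: a missing or mistyped rule leaves the chain at DROP, not ACCEPT.
    ipt -F
    ipt -F -t nat
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT   # the router itself may open connections

    # Anti-spoofing: a packet on the public interface with a LAN source is forged.
    for net in $LAN_NETS; do
        ipt -A INPUT   -i "$WAN" -s "$net" -j DROP
        ipt -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    # --- traffic addressed to the router itself ---
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies, any protocol
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i eth1 -j ACCEPT
    ipt -A INPUT -i eth2 -j ACCEPT
    ipt -A INPUT -i "$WAN" -p tcp --dport 22 -s "$SSH_ADMIN_NET" -m state --state NEW -j ACCEPT

    # --- traffic routed through the router ---
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i eth1 -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i eth2 -o "$WAN" -j ACCEPT

    # Port forwards. DNAT happens in PREROUTING, before FORWARD sees the packet,
    # so the FORWARD rule must match the internal address the packet now carries.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 21 -j DNAT --to-destination "$FTP_SERVER"
    ipt -A FORWARD -i "$WAN" -o eth1 -d "$FTP_SERVER" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    ipt -A FORWARD -i "$WAN" -o eth2 -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Outbound NAT for both LANs. MASQUERADE is meant for dynamic addresses (it looks
    # up the interface address per connection and forgets all connections when the
    # interface goes down); with a static address, SNAT is the right target.
    ipt -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$WAN_IP"

    # Whatever is left is logged (rate limited) and then falls through to the DROP policy.
    ipt -A INPUT   -m limit --limit 3/second --limit-burst 5 -j LOG --log-prefix "FW-INPUT: "
    ipt -A FORWARD -m limit --limit 3/second --limit-burst 5 -j LOG --log-prefix "FW-FORWARD: "
}

firewall_rules
```

Because rc.ipmasq's MASQUERADE rule and the SNAT rule here do the same job, the script replaces both rc.ipmasq and rc.firewall; keeping both would append a second NAT rule to POSTROUTING every time rc.ipmasq runs.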
 

Author Comment

by:fedoragirls
ID: 12012486
About the rc.ipmasq: I followed the instructions from a web site on how to share my internet connection from eth0 to the other NICs, such as eth1 and eth2... correct me if I'm wrong... to my thinking, the rc.ipmasq is for sharing my internet connection with the other NICs, including eth0.
0
 

Author Comment

by:fedoragirls
ID: 12013327
iptables -A INPUT -i ppp0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 1024:  -j ACCEPT

~~~~~~~~~~~~~~~~

Do I have to use eth0, or ppp0?
0
 

Author Comment

by:fedoragirls
ID: 12013345
bloemkool1980,

After I tried changing my firewall to your modification, I tried to run the script. After I typed chmod 755 /etc/rc.d/rc.firewall and then ran it with /etc/rc.d/rc.firewall, I get this error:

iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 12013416
You have to use the interface on which you would like to accept the traffic.
I took it from my firewall script, and I have outside traffic coming in on ppp0. If you would like to have the traffic accepted on eth0, replace ppp0 with it.
I forgot to remove the --dport command; it should work though, as I have run it for years.
my fw script is here http://users.skynet.be/bk392628/S93iptables

0
 

Expert Comment

by:lynxkid2004
ID: 12013450
How do I fix the --dport?
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 12013456
Fix? It should work if you change the interface name.
0
 

Expert Comment

by:lynxkid2004
ID: 12013508
Here is my rc.firewall after modification:

#!/bin/sh


#Change the part after the = to where iptables is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:  -j ACCEPT


#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT

iptables -A FORWARD -s 0.0.0.0/0 -d  212.111.120.210/32  -p tcp --destination-port 3000 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d  212.111.120.210/32 -p tcp --destination-port 21 -j ACCEPT

iptables -t nat -A PREROUTING --dport 3000-j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21-j DNAT --to-destination 192.168.0.101

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 212.111.120.210
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 212.111.120.210


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at /var/log/syslog


The output after running it is still:

iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
0
 

Expert Comment

by:lynxkid2004
ID: 12013514
After I type iptables --help... I cannot see any --dport option.

i see this

[root@domain root]# iptables --help
iptables v1.2.8

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
  --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
  --source      -s [!] address[/mask]
                                source specification
  --destination -d [!] address[/mask]
                                destination specification
  --in-interface -i [!] input name[+]
                                network interface name ([+] for wildcard)
  --jump        -j target
                                target for rule (may load target extension)
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
[root@domain root]#
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 12013522
OK, thanks for showing your rules, because it's a typo issue, nothing bad so far.
Change these rules:
iptables -t nat -A PREROUTING --dport 3000-j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21-j DNAT --to-destination 192.168.0.101

to

iptables -t nat -A PREROUTING --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21 -j DNAT --to-destination 192.168.0.101
0
 

Expert Comment

by:lynxkid2004
ID: 12013563
I am sorry, because you are helping me so hard....

After changing it, it is still the same... but I tried one thing and ran it...

I removed:
iptables -t nat -A PREROUTING --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21 -j DNAT --to-destination 192.168.0.101

then I ran /etc/rc.firewall

and it ran successfully... what actually happened?
0
 

Expert Comment

by:lynxkid2004
ID: 12013575
Now my server has 3 NICs.

What if, temporarily, I connected my eth2 directly to the hardware router, and the router forwards any port 80 to my server? Will the firewall still work? (just asking)
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 12013720
That would not change anything
if you connect it differently, but I would specify an interface:
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101

assuming that eth0 is connected to the outside
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 12013737
Typo, do this:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12014622
fedoragirls == lynxkid2004 ??

for sharing your internet connection with other interfaces you simply need:
iptables -A POSTROUTING -t nat -o ippp0 -j MASQUERADE
# adapt interface as needed

and make sure that your kernel has routing enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward


And note that your firewall rules are useless somehow, if the default policy is not DROP (see my first comment)
0
 

Author Comment

by:fedoragirls
ID: 12024163
Which one is correct? You gave me 2 options. Anyway, I successfully ran the script after I replaced the lines with your suggestion... both of them work... but what is the difference between them? Which one is better to use?

iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101

or

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101

p/s: fedoragirls == lynxkid2004?? > kid is my little brother... he is doing programming... a beginner
0
 

Expert Comment

by:aadilfahad
ID: 12031449
Need more help? Register yourself at

www.linuxjalali.com/forum  It is good for ipmasq.
0
 

Author Comment

by:fedoragirls
ID: 12037520
which one ahoffman?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12037618
"which" what?
0
 

Author Comment

by:fedoragirls
ID: 12040657
Oops... sorry... not you... bloemkool1980... he gave me two options in his last message... what is the difference between those?

***********************
Comment from bloemkool1980  feedback
Date: 09/09/2004 12:37AM PDT
 Comment  

that would not change anything
if you connect it differently but I would specify a interface

iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101

assuming that eth0 is connected to the outside

 
Comment from bloemkool1980  feedback
Date: 09/09/2004 12:40AM PDT
 Comment  


typo do this

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
 
***************************************************
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12041533
the first pair is wrong 'cause it uses "-t nat" twice
0
 

Author Comment

by:fedoragirls
ID: 12042087
I see... thanks....

1- After I run /etc/rc.d/rc.firewall to make it run on my FC system, will I have to type it again after a restart?

2- At the first installation of my FC, I chose the medium firewall... so after I run this script, will it affect anything?
0
 

Author Comment

by:fedoragirls
ID: 12042205
OK, thanks....

OK, now I test the Linux box from outside by doing a full port scan,

but I get this:

port 53       UDP       Domain Name Server
port 1080    UDP      Socks                               Possible Trojan: WinHole

So how can I fix this?
0
 

Author Comment

by:fedoragirls
ID: 12042490
Is this firewall script enough for security?

Is the firewall script the first layer or the second layer?

Do I need to add an additional firewall?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12044111
53 is ok if your firewall runs a DNS server.
1080 is unusual; check with
   netstat -pan
what it is (probably an http proxy).

> does it start at reboot?
/etc/rc.d/rc.firewall sounds like an rc-script which is started at boot automatically. You need to check your distribution for how to get this info; e.g. there should be a link in one of /etc/rc[2345].d to /etc/rc.d/rc.firewall.

Did you verify that the default policy for all chains is DROP?
0
 

Expert Comment

by:ftpfreak
ID: 12050618
Did you verify that the default policy for all chains is DROP? <- I'm not sure.... is it important?

0
 

Author Comment

by:fedoragirls
ID: 12050641
p/s: damn... my bro changed his nick again... he always saves the username and password as cookies... so I accidentally used his nick... sorry.
0
 

Author Comment

by:fedoragirls
ID: 12050755
Did you verify that the default policy for all chains is DROP? <- I'm not sure.... is it important?

Last night I did more port scanning on all ports, and I saw a list of reports which contains all ports from 1 until *, also showing possible trojans that could break my system.

So does that mean the rc.firewall is not good enough?

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12053090
> .. <- I'm not sure.... is it important?
yes, otherwise your firewall might accept something you don't want, 'cause the default policy is ACCEPT

> .. i see list of reports which contains all ports from 1 until * ..
ok, it's time to inspect your rules now.
  1. please set your default policies to DROP first (in your script)
      iptables -F INPUT
      iptables -F OUTPUT
      iptables -F FORWARD
      iptables -P INPUT DROP
      iptables -P OUTPUT DROP
      iptables -P FORWARD DROP
      # all your other rules follow here ...

   2. stop and start the iptables rules:
 
   3. start your scan again

   4. if you still feel unsafe, post the result of:
       iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n
0
 

Author Comment

by:fedoragirls
ID: 12061012
Where should I put this? In rc.masq or rc.firewall? If rc.firewall, which part should I paste it into or replace?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12061862
write it in that script which will be called first at boot, probably rc.firewall
0
 

Author Comment

by:fedoragirls
ID: 12061926
I already have IPTABLES -F INPUT in rc.firewall... paste it there?.... but my current one is $IPTABLES -F INPUT. Do I need to add the $ sign at the beginning, like this?

$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12063178
if your script uses
   iptables=/usr/sbin/iptables
then use $iptables

if your script uses
   IPTABLES=/usr/sbin/iptables
then use $IPTABLES

if there is none of the above, then use iptables as in the other examples of this script (without $, probably)
   
0
 

Author Comment

by:fedoragirls
ID: 12071764
Now it is my time to implement the firewall on my Linux box. I connect the modem to eth0, and for testing the other NIC I connect a single PC to eth1 using a crossover cable. Then I run this firewall script... there is a problem where my Linux router itself cannot surf the net, and neither can the client... this happens after I changed the firewall to the one below. If I use the previous script, the one you can see in the first post, my Linux box and the client can use the internet normally. Can you check what the problem is? I use these commands to run it....

1) chmod 755 /etc/rc.d/rc.firewall
2) /etc/rc.d/rc.firewall

here is my network configuration..
eth0
ip: 212.111.120.210
netmask:255.255.255.252
gateway:212.111.120.209

eth1
ip:192.168.1.1
netmask:255.255.255.0

eth2
ip:192.168.2.1
netmask:255.255.255.0
_______________________________________________________________________

#!/bin/sh


#Change the part after the = to where iptables is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:  -j ACCEPT


#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT

iptables -A FORWARD -s 0.0.0.0/0 -d  218.111.120.210/32  -p tcp --destination-port 3000 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d  218.111.120.210/32 -p tcp --destination-port 21 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 218.111.120.210
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 218.111.120.210


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at /var/log/syslog
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12072617
> .. there is a problem where my linux router itself cannot surf the net.
for sure, 'cause
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP
after that you need proper rules to allow your system to "browse", obviously

> ..  and the client...
the client should, if there is a MASQUERADE rule and proper FORWARD rules (like for the linux router itself, see above comment:)

Again, again, again, again: why do you not follow what has been suggested? for example:


   4. if you still feel unsafe, post the result of:
       iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n


firewalls are no click&go programs, you need to know what you do.
Either make yourself used to the concepts (packet filters here), or do what experts suggest, please.
Playing around with this and that just wastes time, at least for me :-(
0
 

Author Comment

by:fedoragirls
ID: 12072734
Sorry... I'm a bit slow... but what I know is that I'm learning.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12072802
learning, that's why we are here :-)
but if you don't know better (that's why you're asking, probably), then please do what has been suggested and don't try something else ...
no offense, just clarifying.
0
 

Author Comment

by:fedoragirls
ID: 12072910
this is output command for   iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n

-----------------------------------------
[root@domain root]#  iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:3000 to:192.168.0.101
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 to:192.168.0.101

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
SNAT       all  --  192.168.0.101        0.0.0.0/0          to:111.111.111.111
SNAT       all  --  192.168.0.101        0.0.0.0/0          to:111.111.111.111

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:1024:65535
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 3/sec burst 5 LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            111.111.111.111    tcp dpt:3000
ACCEPT     tcp  --  0.0.0.0/0            111.111.111.111    tcp dpt:21

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
[root@domain root]#

-----------------------------------------


Temporarily I am using this firewall script
--------------------------------------
#!/bin/sh


#Change the part after the = to where iptables is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp


#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT


#Allow incoming FTP requests
#$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

#Allow incoming SSH requests
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#Allow incoming HTTP requests (to Web server)
#$IPTABLES -A INPUT -p tcp --dport 3000 -j ACCEPT


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at /var/log/syslog
----------------------------------
0
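The listing in the post above can be read mechanically, and it is worth doing so before the next scan. The script below is an added example (mine, not from the thread): it takes `iptables -L -n` output on standard input and reports every built-in chain whose policy is not DROP, every user-defined chain, and every ACCEPT rule with no match shown. The user-defined chain it finds, `RH-Firewall-1-INPUT`, is the "medium" firewall chosen at Fedora install time; it is still referenced from FORWARD because only INPUT was flushed. The last check matters because `-L -n` hides the interface: the two `ACCEPT all 0.0.0.0/0 0.0.0.0/0` lines in INPUT are the eth1/eth2 rules from the script, but the listing cannot tell them from an unconditional accept, so confirm with `iptables -L -n -v`, which adds the in/out columns. The embedded sample is the filter-table part of the posted listing, shortened.

```shell
#!/bin/sh
# Added example: audit an `iptables -L -n` listing for open default policies,
# leftover user-defined chains and accept-all rules. Reads the listing on stdin,
# prints one finding per line, exits 1 if INPUT or FORWARD is not DROP.

check_listing() {
    awk '
        # header of a built-in chain: "Chain INPUT (policy ACCEPT)"
        /^Chain [^ ]+ \(policy / {
            chain = $2; policy = $4; sub(/\)$/, "", policy)
            if (policy != "DROP") {
                printf "%s: policy %s\n", chain, policy
                if (chain == "INPUT" || chain == "FORWARD") bad = 1
            }
            next
        }
        # header of a user-defined chain: "Chain RH-Firewall-1-INPUT (1 references)"
        /^Chain [^ ]+ \([0-9]+ references\)/ {
            chain = $2; refs = $3; sub(/^\(/, "", refs)
            printf "%s: user-defined chain, %s reference(s)\n", chain, refs
            next
        }
        # rule line: target prot opt source destination [match text]
        # an ACCEPT for "all" with nothing after the destination accepts everything
        # this listing can show; -L -n omits the interface, so re-check with -L -n -v
        $1 == "ACCEPT" && $2 == "all" && NF == 5 {
            printf "%s: ACCEPT with no visible match (check interface with -L -n -v)\n", chain
            next
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample input: the filter table from the listing posted above, shortened.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:1024:65535
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 3/sec burst 5 LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            111.111.111.111    tcp dpt:3000

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
EOF
}

# stand-alone run on the sample; on the router use:  iptables -L -n | check_listing
if sample_listing | check_listing; then
    echo "OK: INPUT and FORWARD default to DROP"
else
    echo "FAIL: set the default policies to DROP before adding rules"
fi
```

On the sample the script reports all three built-in chains at policy ACCEPT, the leftover RH-Firewall-1-INPUT chain, and three accept-all rules, and exits 1; that is the state the posted listing is in, and it is why the scan from outside saw every port.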
 

Author Comment

by:fedoragirls
ID: 12072946
I will post the latest iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n output after 6pm, because my office depends on it... I will post the output about an hour and a half from now... thanks
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12073369
ok (your currently posted output should allow all incoming and forwarded traffic)
BTW, 192.168.0.101 is not the "cross-over" connected PC, right?
0
 

Author Comment

by:fedoragirls
ID: 12073507
Yeah... temporarily I connect the Linux router behind the D-Link router, because I haven't felt secure yet, so I put the D-Link ahead first... but after office hours I will change the router to the Linux router... before this I successfully created a Linux router; the other NICs, eth1 and eth2, I connected to Windows XP PCs for testing the internet connection... yeah, I got the connection on the XP PC, but I had to do it manually because I haven't set up DHCP yet; for the time being I set it static.

So I tried to connect eth1 to an XP PC. eth1 (ip: 192.168.1.1, netmask: 255.255.255.0, gateway: I leave it blank [not sure about this]) and XP (ip: 192.168.1.2, netmask: 255.255.255.0, gateway: 192.168.1.1).... the XP box gets the internet successfully.
0
 

Author Comment

by:fedoragirls
ID: 12073529
I plan to connect eth1 to the router [maybe to the WAN port, but I don't know how to set it up]. The router is a wireless router, so my clients will receive the internet... but this comes later, because the firewall comes first.
0
 

Author Comment

by:fedoragirls
ID: 12073601
How about my current firewall... is it ok?
0
 

Author Comment

by:fedoragirls
ID: 12073683
I scanned again and found that port 25 is open, but I don't run any mail server.... even my sendmail is stopped.
0
 

Author Comment

by:fedoragirls
ID: 12073688
and port 110
0
 

Author Comment

by:fedoragirls
ID: 12081336
Sorry, I modified something... help me.... I'm getting into trouble... I brought up eth0, eth1 and eth2.... and I ran the firewall... let's focus on eth1... I use a crossover cable to connect to the WAN port of the wireless router. All the wireless clients can receive the internet, but very slowly... is that a problem from the firewall script? I checked the system log and I found this keeps on looping:

Sep 16 23:32:23 domain kernel: IN=eth0 OUT= MAC=00:11:09:14:68:93:00:d0:d0:44:e0:00:08:00 SRC=218.191.24.250 DST=111.111.111.111 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=14982 DF PROTO=TCP SPT=4182 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 16 23:32:23 scvfc kernel: IN=eth0 OUT= MAC=00:11:09:14:68:93:00:d0:d0:44:e0:00:08:00 SRC=218.191.24.250 DST=111.111.111.111 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=14985 DF PROTO=TCP SPT=4187 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
and so on...

Here is the firewall script...I changed the previous setting IP 192.168.0.101 to the eth0 IP... 111.111.111.111
(Before this the first layer was the router...the modem connects to the router at the WAN port...and the router forwards any web surfing or FTP to my PC (Fedora Core, which is supposed to be the first layer...a Linux router.) (And now I'm making the Linux router the main router...eth0 is connected to the modem....eth1 connects to the wireless router at the WAN port... the settings are fine...all clients get the internet but slow..and sometimes time out...)


My ip setting
eth0
ip: 111.111.111.111
netmask:255.255.255.252
gateway:111.111.111.110

eth1
ip:192.168.1.1
netmask:255.255.255.0
gateway:192.168.1.1

eth2
ip:192.168.2.1
netmask:255.255.255.0
gateway:192.168.2.1

... thanks for the help
0
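Those two kernel lines are the final LOG rule of rc.firewall firing: each is a fresh SYN from the Internet to the eth0 address, which no INPUT rule accepts (the tcp rule wants ESTABLISHED,RELATED), so it is logged and dropped. Here is an added Python example, not from the thread, that parses the kernel's key=value LOG format and counts what eth0 is dropping by source and port; the sample lines are constructed in the same format, with 198.51.100.7 as a stand-in Internet host and 111.111.111.111 as the eth0 address from the thread.

```python
"""Parse and summarise netfilter LOG lines (added example, not from the thread).

The sample below is constructed: two unsolicited SYNs from a documentation
address (198.51.100.7) to the firewall's own eth0 address, one LAN-side
broadcast, and one unrelated syslog line that must be ignored.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Sep 16 23:32:23 lynx kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=111.111.111.111 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=14982 DF PROTO=TCP SPT=4182 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 16 23:32:23 lynx kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=111.111.111.111 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=14985 DF PROTO=TCP SPT=4187 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 16 23:32:24 lynx kernel: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:12:34:56:08:00 SRC=192.168.1.2 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=311 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 16 23:32:25 lynx sshd[2201]: Accepted publickey for admin from 192.168.1.2 port 51022
"""

# Everything after "kernel: " starting with IN= is the netfilter record.
LOG_BODY = re.compile(r"kernel: (IN=.*)$")


def parse_log_line(line):
    """Return a dict of KEY=VALUE fields plus a 'flags' set (DF, SYN, ACK, ...),
    or None for lines that are not netfilter LOG output."""
    m = LOG_BODY.search(line)
    if m is None:
        return None
    rec = {"flags": set()}
    for tok in m.group(1).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # UDP lines carry LEN twice (IP length, then UDP length); keep the first.
            rec.setdefault(key, value)
        else:
            rec["flags"].add(tok)  # bare tokens are TCP/IP flags
    return rec


def count_drops(text):
    """Count logged packets by (input interface, source, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            counts[(rec.get("IN"), rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


def new_connections_to_host(text, host_ip, wan_if="eth0"):
    """Sorted (src, dport) pairs of TCP connection attempts (SYN without ACK)
    arriving on the WAN interface for the firewall's own address. These are the
    packets that reach the closing LOG/DROP rules of rc.firewall, because no
    INPUT rule there accepts NEW TCP on eth0."""
    hits = set()
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("IN") != wan_if or rec.get("PROTO") != "TCP":
            continue
        if rec.get("DST") == host_ip and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            hits.add((rec["SRC"], int(rec["DPT"])))
    return sorted(hits)


if __name__ == "__main__":
    for key, n in count_drops(SAMPLE_LOG).most_common():
        print(n, key)
    print(new_connections_to_host(SAMPLE_LOG, "111.111.111.111"))
```

Run it over /var/log/messages (or wherever the kernel facility lands on the box) to see whether the "looping" lines are anything more than ordinary Internet background noise hitting the drop rule.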
 

Author Comment

by:fedoragirls
ID: 12081343
Here is my firewall script that I changed from the previous one...and the problem started from here...

#!/bin/sh


#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:  -j ACCEPT


#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT

iptables -A FORWARD -s 0.0.0.0/0 -d  111.111.111.111/32  -p tcp --destination-port 3000 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d  111.111.111.111/32 -p tcp --destination-port 21 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 111.111.111.111
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 111.111.111.111

iptables -t nat -A POSTROUTING -o eth0 -s 111.111.111.111 -j SNAT --to-source 111.111.111.111
iptables -t nat -A POSTROUTING -o eth0 -s 111.111.111.111 -j SNAT --to-source 111.111.111.111


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
0
 

Author Comment

by:fedoragirls
ID: 12098810
help
0
 

Author Comment

by:fedoragirls
ID: 12109819
ahoffmann...I need help
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12110303
I'm a bit busy, and first need to verify your postings ... but I'm still there
0
 

Author Comment

by:fedoragirls
ID: 12119664
I hope when you're free you can help me...my network is still down and I'm still waiting for your suggestion to fix it
0
 

Author Comment

by:fedoragirls
ID: 12120693
Anyone?
0
 

Author Comment

by:fedoragirls
ID: 12153888
ahoffmann, I'm begging for help...my current status is:

                                                _ a ftp server ( 21 )
                                                |(eth1  192.168.1.1,255.255.255.0)
internet---> linux router --->(eth0 111.111.111.111, 255.255.255.252, 111.111.111.109 )
                                                |(eth2  192.168.2.1, 255.255.255.0)
                                                 _ wireless router
My problem is...
1) Yes, I can share the internet among eth1 and eth2...but from eth2 to the wireless router, I face a problem.
As you know my eth2 is 192.168.2.1, 255.255.255.0, gateway is blank... so I set the static IP in the wireless router web configuration like this: 192.168.2.2, 255.255.255.0, 192.168.2.1. I connect eth2 and the wireless router WAN port using a cross cable. My wireless clients seem to get a slower internet connection than direct cable. Normally on cable the network packets sent are fewer than packets received, but for the wireless clients, their packets sent are more than packets received. Something is wrong here...it seems like my Linux router doesn't give much speed to the wireless clients. Help me fix
this. I'm begging..I've been suffering, surfing a lot of documents, but failed.

This is my rc.ipmasq
#!/bin/sh

IPTABLES=/sbin/iptables

#All The lines below are NAT routing

# flush any old rules
$IPTABLES -F -t nat

# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward


And this is my rc.firewall
#!/bin/sh

#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:  -j ACCEPT

#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT


iptables -A FORWARD -s 0.0.0.0/0 -d  111.111.111.111/32 -p tcp --destination-port 21 -j ACCEPT


iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j   DNAT --to-destination 192.168.1.1

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.1 -j SNAT --to-source 111.111.111.111


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog


0
 

Author Comment

by:fedoragirls
ID: 12153893
Please, anyone, help...my network has been down for about a week!!!!!!!!! Please
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12153926
> Yes I can share the internet among eth1 and eth2 ..
does this mean that all computers on the eth1 and eth2 networks have access to the Internet (over eth0)?

> ...but from eth2 to the wireless router, I face a problem.
can we please leave out the wireless thing for now, until everything else is fixed.

>  gateway is blank...
what do you mean by that?
do you mean the setting for "default router"? if so, on which computer?

Meanwhile I'll examine your iptables rules ...
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12153959
Your script rc.firewall posted in http:#12153888 does not match the current iptables rules posted in http:#12072910
please post result of:
  iptables -L -n -v

I assume that there is another rc.whatever script setting iptables rules ...
0
 

Author Comment

by:fedoragirls
ID: 12158074
does this mean that all computers on the eth1 and eth2 networks have access to the Internet (over eth0)?
> yes

 gateway is blank...
> in my Linux router I simply didn't set it, I just left it empty in the network configuration...but it seems direct cable clients get the internet; only when I connect eth2 to the WAN port on the wireless router, it seems my wireless clients get the internet up and down...and sometimes don't receive the internet at all. I didn't set up anything at the router. I just set the static IP for the wireless router connection:
my eth2 is ip=192.168.2.1, netmask=255.255.255.0, gateway: blank...so in the router WAN configuration I set ip: 192.168.2.2, netmask: 255.255.255.0 and gateway: 192.168.2.1. From the wireless clients I see in their network status that packets sent is a bigger number than packets received...does this have any connection with my firewall? It seems like my firewall gives too low a connection to the router and that's why the wireless clients only receive a slow connection?

Result of iptables -L -n -v (this is the status when the server monitoring is down, I mean it isn't connected to anything)

[root@lynx root]# iptables -L -n -v
Chain INPUT (policy ACCEPT 26 packets, 1352 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpts:1024:65535 state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          udp dpts:1024:65535
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  !lo    *       0.0.0.0/0            0.0.0.0/0          limit: avg 3/sec burst 5 LOG flags 0 level 4
    0     0 DROP       all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13   544 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21

Chain OUTPUT (policy ACCEPT 39003 packets, 2248K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   774 ACCEPT     udp  --  *      *       202.188.1.5          0.0.0.0/0          udp spt:53 dpts:1025:65535
   55  7348 ACCEPT     udp  --  *      *       202.188.0.133        0.0.0.0/0          udp spt:53 dpts:1025:65535
35021 1938K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 7785 1816K ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:0:1023 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:2049 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable
[root@lynx root]#


And here is my current firewall...I removed port 3000, which was for ntop network monitoring, which is already installed on my server...but I stopped it temporarily.

#!/bin/sh

#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:  -j ACCEPT

#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT

iptables -A FORWARD -s 0.0.0.0/0 -d  111.111.111.111/32 -p tcp --destination-port 21 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j   DNAT --to-destination 192.168.1.3

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.3 -j SNAT --to-source 111.111.111.111


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog



I assume that there is another rc.whatever script setting iptables rules ...
> yeah, no other script...what I know is I've got two files...rc.ipmasq and rc.firewall
This is what I do to make it up and running:
chmod 755 /etc/rc.d/rc.ipmasq
/etc/rc.d/rc.ipmasq
chmod 755 /etc/rc.d/rc.firewall
/etc/rc.d/rc.firewall

Below is my ipmasq

#!/bin/sh

IPTABLES=/sbin/iptables

#All The lines below are NAT routing

# flush any old rules
$IPTABLES -F -t nat

# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward


Thank you...
0
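An added Python example, not from the thread, that reads `iptables -L -n -v` output like the listing above and shows the two things ahoffmann's remark about the mismatch rests on: the RH-Lokkit-0-50-INPUT chain is created by Red Hat's lokkit firewall tool, not by rc.firewall or rc.ipmasq, and the three identical dpt:21 FORWARD rules are what repeated runs of a script produce when it flushes only INPUT (`$IPTABLES -F INPUT`) but appends to FORWARD with -A. The sample listing is constructed to mirror the posted one.

```python
"""Audit `iptables -L -n -v` output against what rc.firewall should have created.

Added example, not from the thread. The listing is constructed to mirror the
posted one: a lokkit-owned chain the scripts never define, and a FORWARD
rule appended three times because the script never flushes FORWARD.
"""
import re
from collections import Counter

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 26 packets, 1352 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpts:1024:65535 state RELATED,ESTABLISHED
    0     0 LOG        all  --  !lo    *       0.0.0.0/0            0.0.0.0/0          limit: avg 3/sec burst 5 LOG flags 0 level 4
    0     0 DROP       all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13   544 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21

Chain OUTPUT (policy ACCEPT 39003 packets, 2248K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
35021 1938K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((.*)\)$")
BUILTIN_FILTER_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}


def parse_listing(text):
    """Map chain name -> list of rule strings, with the pkts/bytes counters stripped."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes target"):
            continue
        m = CHAIN_HEADER.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None:
            continue
        chains[current].append(" ".join(line.split()[2:]))  # drop pkts and bytes
    return chains


def duplicate_rules(chains):
    """Rules occurring more than once in one chain: the signature of appending
    with -A on every run without flushing that chain first."""
    dups = {}
    for name, rules in chains.items():
        repeated = sorted((rule, n) for rule, n in Counter(rules).items() if n > 1)
        if repeated:
            dups[name] = repeated
    return dups


def unexpected_chains(chains, expected=BUILTIN_FILTER_CHAINS):
    """User-defined chains the audited script never creates; something else owns them."""
    return sorted(set(chains) - set(expected))


def unflushed_chains(chains, flushed):
    """Chains that hold rules but are never flushed by the script, so every run adds more."""
    return sorted(name for name, rules in chains.items() if rules and name not in flushed)


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    print("duplicate rules:", duplicate_rules(chains))
    print("chains not created by rc.firewall:", unexpected_chains(chains))
    print("chains rc.firewall never flushes:", unflushed_chains(chains, {"INPUT"}))
```

Feed it the real `iptables -L -n -v` output; any chain it reports as unexpected points at the other script (here lokkit's) that ahoffmann suspected.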
 

Author Comment

by:fedoragirls
ID: 12158462
And after booting I see this in the status:

Sep 27 16:12:13 lynx kernel: eth1: Promiscuous mode enabled.
Sep 27 16:12:13 lynx kernel: eth1: Promiscuous mode enabled.
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 12158477
pfff this is not a correct approach fedoragirls
your question is extended to a guide on how to use Linux iptables instead of the few questions solved in the beginning by me.
This forum gets abused instead of being used
0
 

Author Comment

by:fedoragirls
ID: 12158711
Abuse?...I never thought about that...I think this place is for asking questions, isn't it?..Am I doing something wrong here?
0
 

Author Comment

by:fedoragirls
ID: 12165956
Please help, because my boss already scolded me because the server isn't up and running yet...if you want the points I can give them to you...or else I have to open a new question
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12168118
Leaving the wireless thing aside, can you please give an example with an IP of what is not working?
0
 

Author Comment

by:fedoragirls
ID: 12176808
The IP which is not working is eth2 = 192.168.2.1...OK, forget about the router....I connect to the hub and from the hub to the clients...my problem is that the clients seem to receive the internet a bit slowly and sometimes it is down. It seems like the firewall script splits the network packets into small pieces for each client...I want the clients to receive the internet as usual. Is my firewall script good, or am I missing something in the firewall script lines?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12177231
> .. seems like the firewall script splits the network packets into small pieces for each client.
don't think so.
This is more likely a configuration problem of the NIC and/or its driver. Check the MTU on both ends.

>  is my firewall script good or am I missing something in the firewall script lines?
please reread the complete thread, starting at the initial question, then all comments; this answer has already been given ;-)
0
 

Author Comment

by:fedoragirls
ID: 12177579
OK, thanks for the fast reply....is that what you think the cause of the problem is?...I will try to check it out...do I need to set the gateway for eth1 and eth2? Previously I left it blank..I mean I insert the IP 192.168.2.1 and gateway 192.168.2.1
0
 

Author Comment

by:fedoragirls
ID: 12178465
And how about my

#flush existing rules
$IPTABLES -F INPUT

I see only one line...elsewhere I saw even more than one line...such as $IPTABLES -F FORWARD, DROP....do I need to add these? And what are their purposes?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12178474
gateway==default route ??
A computer can only have *one* default route, so you never assign it to a NIC.
If your setup files/scripts do this, I'd check them twice for what they really do.
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 12178482
try iptables -F cuz this 10 million dollar question has no end :P
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12178532
> ..  $IPTABLES -F FORWARD, DROP....do I need to add these?
hmm, how about simply trying it yourself?
takes 2 seconds, or so ... much faster than writing down the problem ;-)
0
 

Author Comment

by:fedoragirls
ID: 12178600
OK, I will try...it...
0
 

Author Comment

by:fedoragirls
ID: 12178955
Still the same...the client network status is still the same...the network packets sent are more than received....my hub/router configuration is normal....I connect eth2 to the router using a cross cable at the WAN port...the WAN port is set with the IP 192.168.2.2, netmask 255.255.255.0, gateway 192.168.2.1. What is MTU...my default MTU is 1500...
0
 

Author Comment

by:fedoragirls
ID: 12179018
Packets Sent: 1820
Packets Received: 1446
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12179839
.. and what's the problem with that?
0
 

Author Comment

by:fedoragirls
ID: 12186816
the connection is too slow...
0
 

Author Comment

by:fedoragirls
ID: 12186825
If the firewall is not the cause...I will give the points...unless you see something wrong with what I am doing
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 125 total points
ID: 12187624
>  the connection is too slow...
that's not a firewall/iptables problem, usually (unless you have strange configurations)
Check your hardware, then the driver settings
0
 

Author Comment

by:fedoragirls
ID: 12187776
If you say my firewall is normal...then I will try to look for another solution or open a new question...thanks for the help
0
 

Author Comment

by:fedoragirls
ID: 12187796
Thank you so much for helping me...and for the guidance
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12188258
long thread, hopefully got a solution, somehow ...
0
 

Author Comment

by:fedoragirls
ID: 12197766
Still the same...but never mind...I give up already
0
 

Author Comment

by:fedoragirls
ID: 12198298
When I connect the modem to the wireless router...everything works normally, but when I connect the modem to my server at eth0 and from eth1 I use a cross cable to the wireless router WAN port, from then on my wireless clients get a slow connection. The clients are using XP...so from the network status I see the packets sent is a bigger number than received....so the connection is slow
0
 

Author Comment

by:fedoragirls
ID: 12198328
here my iptables status:

Table: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     udp  --  cns2.tm.net.my       anywhere           udp spt:domain dpts:1025:65535
ACCEPT     udp  --  cns3.tm.net.my       anywhere           udp spt:domain dpts:1025:65535
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable

....

I'm blank already...all network cards in my Linux are autodetected...and work correctly
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12213095
> .. XP .. so the connection is slow
XP or hardware problem. Never an iptables problem.
0
