fedoragirls asked:

Linux ipmasq and firewall

Here is my sample of rc.ipmasq

#!/bin/sh

IPTABLES=/sbin/iptables

#All The lines below are NAT routing

# flush any old rules
$IPTABLES -F -t nat

# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward

And here is my sample of rc.firewall

#!/bin/sh


#Change the part after the = to where your iptables is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp


#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT


#Allow incoming FTP requests
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

#Allow incoming SSH requests
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#Allow incoming HTTP requests (to Web server)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog

I have 3 NICs. eth0 is connected to my modem using a static IP.

eth0
ip: 212.111.120.210
netmask:255.255.255.252
gateway:212.111.120.209

eth1
ip:192.168.1.1
netmask:255.255.255.0

eth2
ip:192.168.2.1
netmask:255.255.255.0

I'm getting confused...

1) rc.ipmasq is to share the internet from eth0 to eth1 and eth2... [is this correct?]

2) Is my rc.firewall secure? Am I doing the correct thing? Is the port forwarding good?....

I have an FTP server which is running on my Linux router itself for now. What if I want to make another PC act as the FTP server, connected to eth1? Is my rc.firewall script correct then?... Every FTP connection request from outside has to be directed to my eth1 and on to the FTP server PC.

external request ftp -> [eth0]linux router -> [eth1]direct to pc which only link to eth1 or pc ip

external request www ->[eth0]linux router -> [eth2] direct to pc which only link to eth2 or pc ip

Please I need help.

bloemkool1980

Your rc.ipmasq does not share it, but it does IP masquerading or NAT (network address translation). Sharing means that you can control the connection, which is not the case. You only translate traffic with private IPs to public ones.
Your setup is correct so do not worry about that part.

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
This is not good. First of all I would not allow ping to my firewall from outside.

I would have something like this:
iptables -A INPUT -i ppp0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 1024:  -j ACCEPT
UDP is stateless, so allowing it like the rule above is good enough. For TCP it will allow back connections for all non-privileged ports.


The rules below make it obsolete to specify inbound rules for ssh and ftp unless you want to have those from the outside.

$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT


Now for your FTP and WWW forwarding you need this

iptables -A FORWARD -s 0.0.0.0/0 -d  212.111.120.210/32  -p tcp --destination-port 80 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d  212.111.120.210/32 -p tcp --destination-port 21 -j ACCEPT

iptables -t nat -A PREROUTING --dport 80-j DNAT --to-destination <local-ip-address for webserver>
iptables -t nat -A PREROUTING --dport 21-j DNAT --to-destination <local-ip-address for ftpserver>

iptables -t nat -A POSTROUTING -o eth0 -s <local-ip-address webserver> -j SNAT --to-source 212.111.120.210
iptables -t nat -A POSTROUTING -o eth0 -s <local-ip-address ftpserver> -j SNAT --to-source 212.111.120.210

this should help you



Your rc.firewall probably allows any routed traffic; that's bad in most cases ...
You should also add:

$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# then decide what is to be forwarded or redirected (see bloemkool1980's suggestion for example)
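The two suggestions above (bloemkool1980's DNAT/FORWARD pairs for the published services, and the default-DROP policies in this comment) fit together as one script. The following is an added example, not a script from either poster: the interface names, the internal server addresses 192.168.1.10 and 192.168.2.10, and the function names are assumptions for the three-NIC layout described in the question. Two details it shows in full: `--dport` is an option of the tcp (or udp) match, so `-p tcp` has to be on the rule before it; and DNAT in PREROUTING runs before the routing decision, so the FORWARD rule that admits a forwarded connection has to match the internal destination address, not the public one. By default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny three-NIC NAT router
# with two published services. Interface names, internal host addresses
# and function names are assumptions; adjust them to your own network.
WAN_IF="${WAN_IF:-eth0}"
LAN_IFS="${LAN_IFS:-eth1 eth2}"
FTP_HOST="${FTP_HOST:-192.168.1.10}"   # assumed FTP server behind eth1
WEB_HOST="${WEB_HOST:-192.168.2.10}"   # assumed web server behind eth2

# Dry run by default: each command is printed instead of executed.
# Run as root with DRY_RUN=0 to load the rules for real.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run /sbin/iptables "$@"; }

# 1. Flush filter and nat, delete user chains (such as a distribution's
#    RH-Firewall-1-INPUT) and make the filter chains default-deny.
#    Only the filter table gets DROP policies; nat stays at ACCEPT.
reset_to_default_drop() {
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

# 2. What the router itself may do: loopback, replies to its own
#    connections, new outbound connections (without an OUTPUT rule a
#    DROP policy stops the router from browsing) and the trusted LANs.
allow_router_traffic() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    for lan in $LAN_IFS; do
        ipt -A INPUT -i "$lan" -j ACCEPT
    done
}

# 3. Share the WAN link: masquerade LAN sources, forward LAN -> WAN, and
#    let the replies back through FORWARD.
share_internet() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    for lan in $LAN_IFS; do
        ipt -A FORWARD -i "$lan" -o "$WAN_IF" -j ACCEPT
    done
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# 4. Publish one TCP port of the WAN address to an internal host.
#    --dport belongs to the tcp match, so -p tcp precedes it. DNAT runs
#    before routing, so FORWARD sees the internal host as destination.
forward_port() {
    port="$1"; host="$2"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$host"
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$host" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# 5. FTP data connections are classified RELATED only with the ftp helper
#    modules loaded (2.4/2.6-era names; nf_conntrack_ftp / nf_nat_ftp on
#    current kernels).
load_ftp_helpers() {
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
}

enable_routing() { run sysctl -w net.ipv4.ip_forward=1; }

build_ruleset() {
    reset_to_default_drop
    allow_router_traffic
    share_internet
    load_ftp_helpers
    forward_port 21 "$FTP_HOST"
    forward_port 80 "$WEB_HOST"
    enable_routing
}

build_ruleset
```

Running it as `DRY_RUN=1 sh rc.firewall` prints the rule list for review; `DRY_RUN=0` as root applies it. The policies are set first and the ACCEPT rules added afterwards, so a typo that stops the script half-way leaves the box closed rather than open.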
fedoragirls (ASKER)

About the rc.ipmasq: I followed the instructions from a web site on how to share my internet connection from eth0 to the other NICs such as eth1 and eth2.... Correct me if I'm wrong... to my thinking, the rc.ipmasq is for sharing my internet connection with the other NICs, including eth0.
iptables -A INPUT -i ppp0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 1024:  -j ACCEPT

~~~~~~~~~~~~~~~~

Do I have to use eth0 or ppp0?
bloemkool1980,

After I changed my firewall to your modification, I tried to run the script. After I typed chmod 755 /etc/rc.d/rc.firewall and then ran /etc/rc.d/rc.firewall, I got this error:

iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
You have to use the interface on which you would like to accept the traffic.
I took it from my firewall script and I have outside traffic coming in on ppp0. If you would like to have the traffic accepted on eth0, replace ppp0 with it.
I forgot to remove the --dport command; it should work though, as I have run it for years.
my fw script is here http://users.skynet.be/bk392628/S93iptables

How do I fix the --dport?
Fix? It should work if you change the interface name.
Here is my rc.firewall after modification:

#!/bin/sh


#Change the part after the = to where your iptables is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:  -j ACCEPT


#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT

iptables -A FORWARD -s 0.0.0.0/0 -d  212.111.120.210/32  -p tcp --destination-port 3000 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d  212.111.120.210/32 -p tcp --destination-port 21 -j ACCEPT

iptables -t nat -A PREROUTING --dport 3000-j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21-j DNAT --to-destination 192.168.0.101

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 212.111.120.210
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 212.111.120.210


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog


The output after running it is still:

iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
After I typed iptables --help... I cannot see any dport command.

I see this:

[root@domain root]# iptables --help
iptables v1.2.8

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
  --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
  --source      -s [!] address[/mask]
                                source specification
  --destination -d [!] address[/mask]
                                destination specification
  --in-interface -i [!] input name[+]
                                network interface name ([+] for wildcard)
  --jump        -j target
                                target for rule (may load target extension)
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.
[root@domain root]#
OK, thanks for showing your rules, because it's a typo issue, nothing bad so far.
change these rules
iptables -t nat -A PREROUTING --dport 3000-j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21-j DNAT --to-destination 192.168.0.101

to

iptables -t nat -A PREROUTING --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21 -j DNAT --to-destination 192.168.0.101
I am sorry because you are helping me so hard....

After changing it, it is still the same... but I tried to do one thing and run it...

I removed:
iptables -t nat -A PREROUTING --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21 -j DNAT --to-destination 192.168.0.101

then I ran /etc/rc.firewall

Then it ran successfully... what actually happened?
Now my server has 3 NICs.

How about if I temporarily connect my eth2 directly to the hardware router, and the router forwards port 80 to my server? Will the firewall run? (just asking)
That would not change anything
if you connect it differently, but I would specify an interface:
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101

assuming that eth0 is connected to the outside
Typo, do this:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
fedoragirls == lynxkid2004 ??

For sharing your internet connection with other interfaces you simply need:
iptables -A POSTROUTING -t nat -o ippp0 -j MASQUERADE
# adapt interface as needed

and make sure that your kernel has routing enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward


And note that your firewall rules are useless somehow, if the default policy is not DROP (see my first comment)
Which one is correct? You gave me 2 options. Anyway, I successfully ran the script after I replaced it with your suggestion... both of them work... but what is the difference between them? Which one is better to use?

iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101

or

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101

P/S: fedoragirls == lynxkid2004 ?? > kid is my little bro... he is doing programming... a beginner.
Need more help? Register yourself at

www.linuxjalali.com/forum; it is good for ipmasq.
Which one, ahoffman?
"which" what?
Oops.. sorry... not you... bloemkool1980... he gave me two options in his last message... what is the difference between those?

***********************
Comment from bloemkool1980
Date: 09/09/2004 12:37AM PDT

that would not change anything
if you connect it differently but I would specify an interface

iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101

assuming that eth0 is connected to the outside

Comment from bloemkool1980
Date: 09/09/2004 12:40AM PDT

Typo, do this:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
***************************************************
The first pair is wrong 'cause it uses "-t nat" twice.
I see... thanks....

1- After I run /etc/rc.d/rc.firewall to make it run on my FC system, will I have to type it again after a restart?

2- At the first installation of my FC, I chose the medium firewall... so after I run this script, will it affect anything?..
OK thanks....

OK, now I tested the Linux box from outside and did a full port scan,

but I get this:

port 53       UDP       Domain Name Server
port 1080    UDP      Socks                               Posible Trojan: WinHole

So how can I fix this?
Is this firewall script enough for security?

Is the firewall script the first layer or the second layer?

Do I need to add an additional firewall?
53 is OK if your firewall runs a DNS server.
1080 is unusual, check with
   netstat -pan
what it is (probably an http proxy)

> does it start at reboot?
/etc/rc.d/rc.firewall sounds like an rc-script which is started at boot automatically. You need to check with your distribution how to get this info, e.g. there should be a link in one of /etc/rc[2345].d to /etc/rc.d/rc.firewall

Did you verify that the default policy for all chains is DROP?
Did you verify that the default policy for all chains is DROP? <- I'm not sure.... is it important?

P/S: damn... my bro changed his nick again... he always saves the username and password as cookies... so I accidentally used his nick... sorry.
Did you verify that the default policy for all chains is DROP? <- I'm not sure.... is it important?

Last night I did more port scanning on all ports and I saw a list of reports which contains all ports from 1 until * and also shows possible trojans that could break my system.

So does that mean the rc.firewall is not good enough?

> .. <- i not sure....is it important?
yes, otherwise your firewall might accept something you don't want 'cause the default policy is ACCEPT

> .. i see list of reports which contains all ports from 1 until * ..
ok, it's time to inspect your rules now.
  1. please set your default policies to DROP first (in your script)
      iptables -F INPUT
      iptables -F OUTPUT
      iptables -F FORWARD
      iptables -P INPUT DROP
      iptables -P OUTPUT DROP
      iptables -P FORWARD DROP
      # all your other rules follow here ...

   2. stop and start the iptables rules:
 
   3. start your scan again

   4. if you still feel unsafe, post the result of:
       iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n
Where should I put this? In rc.masq or rc.firewall? If rc.firewall, which part should I paste or replace?
write it in that script which will be called first at boot, probably rc.firewall
I already have IPTABLES -F INPUT in rc.firewall... paste it here?.... but my current one is $IPTABLES -F INPUT. Do I need to add a $ sign at the beginning like this?

$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP
if your script uses
   iptables=/usr/sbin/iptables
then use $iptables

if your script uses
   IPTABLES=/usr/sbin/iptables
then use $IPTABLES

if there is none of the above, then use iptables as in the other examples of this script (without $ probably)
Now it is my time to implement the firewall on my Linux box. I connected the modem to eth0, and for testing the other NIC, I connected a single PC to eth1 using a crossover cable. Then I ran this firewall script... there is a problem where my Linux router itself cannot surf the net, and neither can the client... this happened after I changed the firewall as below. If I use the previous script, as you can see in the first post, my Linux box and the client can use the internet normally. Can you check what the problem is? I use these commands to run it:

1) chmod 755 /etc/rc.d/rc.firewall
2) /etc/rc.d/rc.firewall

Here is my network configuration:
eth0
ip: 212.111.120.210
netmask:255.255.255.252
gateway:212.111.120.209

eth1
ip:192.168.1.1
netmask:255.255.255.0

eth2
ip:192.168.2.1
netmask:255.255.255.0
_______________________________________________________________________

#!/bin/sh


#Change the part after the = to where your iptables is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:  -j ACCEPT


#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT

iptables -A FORWARD -s 0.0.0.0/0 -d  218.111.120.210/32  -p tcp --destination-port 3000 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d  218.111.120.210/32 -p tcp --destination-port 21 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 218.111.120.210
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 218.111.120.210


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
> .. .there is a problem where my linux router itself cannot surf the net.
for sure, 'cause
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP
after that you need proper rules to allow your system to "browse", obviously

> ..  and the client...
the client should, if there is a MASQUERADING rule and proper FORWARD rules (like for the linux router itself, see above comment :)

Again, again, again, again: why do you not follow what has been suggested? For example:


   4. if you still feel unsave post result of:
       iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n


firewalls are no click&go programs, you need to know what you do.
Either make yourself used to the concepts (packetfilters here), or do what experts suggest please.
Playing around with this and that just wastes time, at least for me :-(
Sorry... I'm a bit slow... but what I know is learning.
learning, that's why we are here :-)
but if you don't know better (that's why you're asking, probably), then please do what has been suggested and do not try something else ...
no offense, just clarifying.
This is the output of the command   iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n

-----------------------------------------
[root@domain root]#  iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:3000 to:192.168.0.101
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 to:192.168.0.101

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
SNAT       all  --  192.168.0.101        0.0.0.0/0          to:111.111.111.111
SNAT       all  --  192.168.0.101        0.0.0.0/0          to:111.111.111.111

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:1024:65535
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 3/sec burst 5 LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            111.111.111.111    tcp dpt:3000
ACCEPT     tcp  --  0.0.0.0/0            111.111.111.111    tcp dpt:21

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
[root@domain root]#

-----------------------------------------


Temporarily I use this firewall script:
--------------------------------------
#!/bin/sh


#Change the part after the = to where your iptables is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp


#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT


#Allow incoming FTP requests
#$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

#Allow incoming SSH requests
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

#Allow incoming HTTP requests (to Web server)
#$IPTABLES -A INPUT -p tcp --dport 3000 -j ACCEPT


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
----------------------------------
I will post the latest iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n output after 6pm because my office depends on it... I will post the output about an hour and a half from now... thanks
ok (your current posted output should allow all incoming and forwarded traffic)
BTW, 192.168.0.101 is not the "cross-over" connected pc, right?
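The listing posted above shows every built-in chain with `(policy ACCEPT)`, which is what ahoffman's "did you verify the default policy" question is about. As an added example, not something from the thread, here is a small check that reads an `iptables -L -n` listing and names the chains whose policy is still ACCEPT. The sample listing is constructed in the same layout as the posted output, with INPUT already switched to DROP and FORWARD and OUTPUT left at ACCEPT. Only the filter table is meant to be checked this way; the nat and mangle chains are normally left at ACCEPT.

```shell
#!/bin/sh
# Added example (not from the thread): report built-in chains of the filter
# table whose default policy is still ACCEPT. Reads `iptables -L -n` text
# on stdin, prints one chain name per line, exits 1 if any were found.
find_accept_policies() {
    awk '/^Chain .* \(policy ACCEPT\)/ { print $2; found = 1 }
         END { if (found) exit 1; exit 0 }'
}

# Constructed sample in the layout of the listing posted in this thread:
# INPUT already set to DROP, FORWARD and OUTPUT still ACCEPT, and a
# user-defined chain, which carries a reference count instead of a policy.
SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited'

# Run the check over the embedded sample (no root or live kernel needed).
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | find_accept_policies
}

# On the router itself, as root, the equivalent is:
#   iptables -L -n | find_accept_policies
# Only the filter table is checked; nat and mangle chains stay ACCEPT.
check_sample || echo "chains above still default to ACCEPT"
```

The exit status makes the check usable from a script that loads the rules: run it after the policies have been set and refuse to continue if it fails, so a ruleset that accidentally skipped the `-P ... DROP` lines is caught before anything else is added.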
Yeah... temporarily I connect the Linux router to the D-Link router, because I haven't felt secure yet, so I put the D-Link ahead first... but after office hours I will change the router to the Linux router... before this I successfully created a Linux router; the other NICs like eth1 and eth2 I connected to Windows XP PCs for testing the internet connection... yeah, I got the connection on the XP PC, but had to do it manually because I didn't set up DHCP yet. For the time being I set it static.

So I tried to connect eth1 to an XP PC. eth1 (ip: 192.168.1.1, netmask: 255.255.255.0, gateway: I leave it blank [not sure about this]) and XP (ip: 192.168.1.2, netmask: 255.255.255.0, gateway: 192.168.1.1).... The XP PC gets the internet successfully.
I plan to connect eth1 to the router [maybe to the WAN port, but I don't know how to set it up]. The router is a wireless router, so my clients will receive the internet... but this comes later, because the firewall comes first.
How about my current firewall... is it OK?
I scanned again and found that port 25 is open, but I don't run any mail server... even my sendmail is stopped.
And port 110.
Sorry, I modified something... help me.... I'm getting into trouble... I brought up eth0, eth1 and eth2.... and I ran the firewall... let's focus on eth1... I use a crossover cable to connect to the WAN port of the wireless router. All the wireless clients can receive the internet but very slowly... is that a problem from the firewall script? I checked the system log and I found this keeps on looping:

Sep 16 23:32:23 domain kernel: IN=eth0 OUT= MAC=00:11:09:14:68:93:00:d0:d0:44:e0:00:08:00 SRC=218.191.24.250 DST=111.111.111.111 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=14982 DF PROTO=TCP SPT=4182 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 16 23:32:23 scvfc kernel: IN=eth0 OUT= MAC=00:11:09:14:68:93:00:d0:d0:44:e0:00:08:00 SRC=218.191.24.250 DST=111.111.111.111 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=14985 DF PROTO=TCP SPT=4187 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
and so on...

Here is the firewall script... I changed the previous setting IP 192.168.0.101 to the eth0 IP... 111.111.111.111
(Before this the first layer was the router... the modem connects to the router at the WAN port... and the router forwards any web surfing or FTP to my PC (Fedora Core, which is supposed to be the first layer... a Linux router). And now I am making the Linux router the main router... eth0 is connected to the modem.... eth1 connected to the wireless router at the WAN port... the settings are fine... all clients get the internet but slowly... and sometimes time out...)


My IP settings:
eth0
ip: 111.111.111.111
netmask:255.255.255.252
gateway:111.111.111.110

eth1
ip:192.168.1.1
netmask:255.255.255.0
gateway:192.168.1.1

eth2
ip:192.168.2.1
netmask:255.255.255.0
gateway:192.168.2.1

... thanks for the help
Here is my firewall script that I changed from the previous one... and the problem started from here...

#!/bin/sh


#Change the part after the = to where your iptables is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:  -j ACCEPT


#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT

iptables -A FORWARD -s 0.0.0.0/0 -d  111.111.111.111/32  -p tcp --destination-port 3000 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d  111.111.111.111/32 -p tcp --destination-port 21 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 111.111.111.111
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 111.111.111.111

iptables -t nat -A POSTROUTING -o eth0 -s 111.111.111.111 -j SNAT --to-source 111.111.111.111
iptables -t nat -A POSTROUTING -o eth0 -s 111.111.111.111 -j SNAT --to-source 111.111.111.111


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
help
ahoffmann... I need help
I'm a bit busy, and first need to verify your postings ... but I'm still there
I hope when you are free you can help me... my network is still down and I am still waiting for your suggestion to fix it
anyone?
ahoffmann, I'm begging for help... my current status is:

                                                _ a ftp server ( 21 )
                                                |(eth1  192.168.1.1,255.255.255.0)
internet---> linux router --->(eth0 111.111.111.111, 255.255.255.252, 111.111.111.109 )
                                                |(eth2  192.168.2.1, 255.255.255.0)
                                                 _ wireless router
My problem is...
1) Yes, I can share the internet among eth1 and eth2... but from eth2 to the wireless router I face a problem.
As you know my eth2 is 192.168.2.1, 255.255.255.0; the gateway is blank... so I set the static IP in the wireless router web configuration like this: 192.168.2.2, 255.255.255.0, 192.168.2.1. I connect eth2 and the wireless router WAN port using a crossover cable. My wireless clients seem to get a slower internet connection than direct cable. Normally on cable the network packets sent are fewer than the packets received, but for wireless clients the packets sent are more than the packets received. Something is wrong here... it seems my Linux router doesn't give much speed to the wireless clients. Help me fix
this. I'm begging... I have suffered through a lot of documents but failed.

This is my rc.ipmasq
#!/bin/sh

IPTABLES=/sbin/iptables

#All The lines below are NAT routing

# flush any old rules
$IPTABLES -F -t nat

# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward


And this is my rc.firewall
#!/bin/sh

#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:  -j ACCEPT

#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT


iptables -A FORWARD -s 0.0.0.0/0 -d  111.111.111.111/32 -p tcp --destination-port 21 -j ACCEPT


iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j   DNAT --to-destination 192.168.1.1

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.1 -j SNAT --to-source 111.111.111.111


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog


Please, anyone help... my network has been down for about a week! Please.
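As an added example (not a script from the thread or from either poster), below is a cleaned-up rc.firewall for the three-NIC layout described above. It assumes the addressing given in the posts: eth0 on 111.111.111.111/30 facing the modem, eth1 on 192.168.1.0/24 with the FTP server at 192.168.1.3, and eth2 on 192.168.2.0/24. It differs from the posted scripts in four defender-relevant ways: it flushes every chain in both tables rather than only INPUT (so re-running it does not append duplicate FORWARD and nat rules); it matches the port-forwarded FTP traffic in FORWARD against the private address, since DNAT in PREROUTING rewrites the destination before FORWARD sees the packet, so a rule written against the public address never matches; it relies on one MASQUERADE rule instead of separate SNAT lines; and it only accepts UDP from the Internet when connection tracking says it is a reply, rather than every UDP packet to ports above 1023. Setting IPTABLES=echo prints the rules instead of applying them, which is how the dry_run helper works.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed layout (from the thread):
#   eth0 = Internet side (111.111.111.111/30)
#   eth1 = 192.168.1.0/24, FTP server at 192.168.1.3 (port 21 forwarded to it)
#   eth2 = 192.168.2.0/24
# Set IPTABLES=echo to print the rules instead of applying them.
IPTABLES=${IPTABLES:-/sbin/iptables}
WAN=eth0
LAN1=eth1; LAN1_NET=192.168.1.0/24
LAN2=eth2; LAN2_NET=192.168.2.0/24
FTP_SERVER=192.168.1.3   # assumed: the internal host port 21 is forwarded to

apply_rules() {
    # Flush every chain in both tables, not only INPUT: a script that only
    # runs "-F INPUT" appends another copy of its FORWARD/nat rules each run.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X 2>/dev/null   # remove leftover user chains (e.g. from lokkit)

    # Default deny for traffic to and through the router; the router's own
    # outbound traffic is allowed.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback, then replies to connections the router itself opened (TCP,
    # UDP and ICMP alike; no blanket "any UDP above 1023" rule).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hosts on the two LAN interfaces may talk to the router (as in the thread).
    $IPTABLES -A INPUT -i $LAN1 -j ACCEPT
    $IPTABLES -A INPUT -i $LAN2 -j ACCEPT

    # Routed traffic: LAN -> Internet, plus the replies coming back.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $LAN1 -s $LAN1_NET -o $WAN -j ACCEPT
    $IPTABLES -A FORWARD -i $LAN2 -s $LAN2_NET -o $WAN -j ACCEPT

    # Port forward for FTP control: rewrite in PREROUTING, then accept in
    # FORWARD using the *rewritten* (private) destination.
    $IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 21 -j DNAT --to-destination $FTP_SERVER
    $IPTABLES -A FORWARD -i $WAN -o $LAN1 -p tcp -d $FTP_SERVER --dport 21 -m state --state NEW -j ACCEPT

    # Masquerade everything leaving eth0; this also rewrites the FTP server's
    # replies, so no separate SNAT rule is needed.
    $IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    # Rate-limited log, then drop whatever else is addressed to the router.
    $IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -j LOG --log-prefix "FW-DROP: "
    $IPTABLES -A INPUT -j DROP
}

# Print the rule set instead of applying it (subshell keeps $IPTABLES intact).
dry_run() {
    ( IPTABLES=echo; apply_rules )
}

# Number of iptables invocations a run performs.
count_rules() {
    dry_run | wc -l | tr -d ' '
}

# Apply for real only when invoked as rc.firewall (e.g. /etc/rc.d/rc.firewall).
if [ "${0##*/}" = "rc.firewall" ]; then
    apply_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run it as `IPTABLES=echo sh rc.firewall` first to review the rules it would apply, then `iptables -L -n -v` after a real run to confirm the counters on the FORWARD rule for 192.168.1.3 increase when an outside client connects to port 21.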
> Yes I can share the internet among eth1 and eth2 ..
does this mean that all computers on eth1 and eth2 networks have access to Internet (over eth0)?

> ...but from eth2 to wireless router, i face a problem.
can we please leave out the wireless thing for now, until anything else is fixed.

>  gateway is blank...
what do you mean by that?
do you mean the setting for "default router"? if so, on which computer?

Meanwhile I'll examine your iptables rules ...
your script rc.firewall posted in http:#12153888  does not match the current iptables rules posted in http:#12072910
please post result of:
  iptables -L -n -v

I assume that there is another rc.whatever script setting iptables rules ...
does this mean that all computers on eth1 and eth2 networks have access to Internet (over eth0)?
>yes

 gateway is blank...
> In my Linux router I simply didn't set it; I just left it empty in the network configuration... but it seems the direct-cable clients get the internet, and only when I connect eth2 to the WAN port of the wireless router does my wireless client get the internet up and down... and sometimes it doesn't receive the internet at all. I didn't set up anything at the router. I just set the static IP for the wireless router connection:
my eth2 is ip=192.168.2.1, netmask=255.255.255.0, gateway: blank... so in the router WAN configuration I set ip:192.168.2.2, netmask:255.255.255.0 and gateway:192.168.2.1.  From the wireless client I see in their network status that the packets sent are bigger than the packets received... does this have any connection with my firewall? It seems like my firewall gives too low a connection to the router and that's why the wireless clients only receive a slow connection?

result of iptables -L -n -v ( this is the status when the server monitoring is down, I mean it isn't connected to anything )

[root@lynx root]# iptables -L -n -v
Chain INPUT (policy ACCEPT 26 packets, 1352 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpts:1024:65535 state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          udp dpts:1024:65535
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  !lo    *       0.0.0.0/0            0.0.0.0/0          limit: avg 3/sec burst 5 LOG flags 0 level 4
    0     0 DROP       all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13   544 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21

Chain OUTPUT (policy ACCEPT 39003 packets, 2248K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   774 ACCEPT     udp  --  *      *       202.188.1.5          0.0.0.0/0          udp spt:53 dpts:1025:65535
   55  7348 ACCEPT     udp  --  *      *       202.188.0.133        0.0.0.0/0          udp spt:53 dpts:1025:65535
35021 1938K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 7785 1816K ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:0:1023 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:2049 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable
[root@lynx root]#


And here is my current firewall... I removed port 3000, which was for ntop network monitoring that is already installed on my server, but I stopped it temporarily.

#!/bin/sh

#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables

#flush existing rules
$IPTABLES -F INPUT

#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024:  -j ACCEPT

#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT

iptables -A FORWARD -s 0.0.0.0/0 -d  111.111.111.111/32 -p tcp --destination-port 21 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j   DNAT --to-destination 192.168.1.3

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.3 -j SNAT --to-source 111.111.111.111


#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT


#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP

#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog



I assume that there is another rc.whatever script setting iptables rules ...
> Yeah, no other script... what I know is I have two files... rc.ipmasq and rc.firewall
This is what I do to make it up and running:
chmod 755 /etc/rc.d/rc.ipmasq
/etc/rc.d/rc.ipmasq
chmod 755 /etc/rc.d/rc.firewall
/etc/rc.d/rc.firewall

Below is my ipmasq

#!/bin/sh

IPTABLES=/sbin/iptables

#All The lines below are NAT routing

# flush any old rules
$IPTABLES -F -t nat

# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward


Thank you...
And after booting I see this in the status:

Sep 27 16:12:13 lynx kernel: eth1: Promiscuous mode enabled.
Sep 27 16:12:13 lynx kernel: eth1: Promiscuous mode enabled.
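The `iptables -L -n -v` listing posted above shows three identical ACCEPT rules in FORWARD for 111.111.111.111 port 21, all with zero packet counters, plus a jump into the lokkit-generated RH-Lokkit-0-50-INPUT chain that the scripts never create. Two things are worth checking in such a listing: rules that appear more than once (the posted rc.firewall flushes only INPUT, so each run appends another copy of its FORWARD and nat rules), and rules whose counters stay at zero while traffic flows (a FORWARD rule written against the public address cannot match connections that DNAT has already rewritten to a private address). The following is an added example, not code from the thread: two small awk-based checks that read `iptables -L -n -v` output, run here over a constructed sample abridged from the listing above.

```shell
#!/bin/sh
# Added example: audit helpers for "iptables -L -n -v" output.
# Usage: iptables -L -n -v | sh audit.sh --stdin   (real listing)
#        sh audit.sh --demo                         (constructed sample below)

# Constructed sample, abridged from the listing in the thread.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 26 packets, 1352 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpts:1024:65535 state RELATED,ESTABLISHED
    0     0 DROP       all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13   544 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111    tcp dpt:21
EOF
}

# Print every rule that occurs more than once within the same chain, as
# "<count>x <chain> <rule>". The packet/byte counters are dropped before
# comparing so that rules differ only by their match text.
find_duplicate_rules() {
    awk '
        /^Chain /            { chain = $2; next }   # remember current chain
        /^ *pkts/ || NF == 0 { next }               # skip headers and blanks
        {
            $1 = ""; $2 = ""                        # drop pkts and bytes
            rule = $0
            gsub(/^ +| +$/, "", rule); gsub(/ +/, " ", rule)
            count[chain " " rule]++
        }
        END { for (k in count) if (count[k] > 1) print count[k] "x " k }
    '
}

# Print every rule whose packet counter is zero, as "<chain>: <rule>".
# Persistent zeros while traffic flows mean the rule never matches.
unhit_rules() {
    awk '
        /^Chain /            { chain = $2; next }
        /^ *pkts/ || NF == 0 { next }
        $1 == 0 {
            $1 = ""; $2 = ""
            rule = $0
            gsub(/^ +| +$/, "", rule); gsub(/ +/, " ", rule)
            print chain ": " rule
        }
    '
}

audit() {
    echo "== duplicate rules =="
    find_duplicate_rules
}

case "${1:-}" in
    --demo)  sample_listing | find_duplicate_rules; sample_listing | unhit_rules ;;
    --stdin) tee /tmp/iptables-listing.$$ | find_duplicate_rules
             unhit_rules < /tmp/iptables-listing.$$
             rm -f /tmp/iptables-listing.$$ ;;
esac
```

On the sample, the duplicate check reports the FORWARD rule three times and the zero-hit check lists it along with the INPUT rules; on a live router, compare the same output before and after a client connects to the forwarded port to see which rule actually carries the traffic.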
pfff this is not a correct approach fedoragirls
your question has been extended into a guide on how to use Linux iptables instead of the few questions solved at the beginning by me.
This forum gets abused instead of being used
abuse?... I never thought about that... I think this place is for asking questions, isn't it?... Am I doing something wrong here?
Please help, because my boss has already scolded me because the server hasn't been up and running yet... if you want the points I can give them to you... or else I have to open a new question
leaving the wireless thing aside, can you please give an example with IP of what is not working?
The IP which is not working is eth2 = 192.168.2.1... OK, forget about the router... I connect to the hub and from the hub to the client... my problem is it seems the client receives the internet a bit slowly and sometimes it is down. It seems like the firewall script splits the network packets into small pieces for each client... I want the clients to receive the internet as usual. Is my firewall script good, or am I missing something in the firewall script lines?
> .. seems like the firewall script splits the network packets into small pieces for each client.
don't think so.
This is more likely a configuration problem of the NIC and/or its driver. Check the MTU on both ends.

>  is my firewall script good, or am I missing something in the firewall script lines?
please reread the complete thread, starting at the initial question, then all comments, this answer has already been given ;-)
OK, thanks for the fast reply.... is that what you think is the cause of the problem?... I will try to check it out... do I need to set the gateway for eth1 and eth2, because previously I left it blank.. I mean insert the IP 192.168.2.1 and gateway 192.168.2.1
and how about my

#flush existing rules
$IPTABLES -F INPUT

I see only one line... others I saw even have more than one line... such as $IPTABLES -F FORWARD, DROP.... do I need to add this? And what are the purposes?
gateway==default route ??
A computer can only have *one* default route, so you never assign it to a NIC.
If your setup files/scripts do this, I'd check them twice what they really do.
try iptables -F cuz this 10 million dollar question has no end :P
> ..  $IPTABLES -F FORWARD, DROP.... do I need to add this?
hmm, how about simply trying it yourself?
takes 2 seconds, or so ... much faster than writing down the problem ;-)
OK, I will try it...
Still the same... the client network status is still the same... the network packets sent are more than received.... my hub/router configuration is normal.... I connect eth2 to the router using a crossover cable at the WAN port... the WAN port is set with IP 192.168.2.2, netmask 255.255.255.0, gateway 192.168.2.1. What is MTU... my default MTU is 1500...
Packet Send: 1820
Packet Receive : 1446
.. and what's the problem with that?
the connection is too slow...
if the firewall is not the cause... I will give the points... unless you see something wrong with what I am doing
ASKER CERTIFIED SOLUTION
ahoffmann
If you say my firewall is normal... then I will try to look for another solution or open a new question... thanks for the help
Thank you so much for helping me... and for the guidance
long thread, hopefully got a solution, somehow ...
Still the same... but never mind... I give up already
When I connect the modem to the wireless router... everything works normally, but when I connect the modem to my server at eth0 and from eth1 I use a crossover cable to the wireless router WAN port, from then on my wireless clients get a slow connection. The clients are using XP... so from the network status I see the network packets sent are bigger than received.... so the connection is slow
Here is my iptables status:

Table: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere          

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere          

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     udp  --  cns2.tm.net.my       anywhere           udp spt:domain dpts:1025:65535
ACCEPT     udp  --  cns3.tm.net.my       anywhere           udp spt:domain dpts:1025:65535
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable

....

I'm blank already... all network cards in my Linux box are autodetected... and work correctly
> .. XP .. so the connection is slow
XP or hardware problem. Never an iptables problem.