fedoragirls
asked on
Linux ipmasq and firewall
Here is my sample of rc.ipmasq
#!/bin/sh
IPTABLES=/sbin/iptables
#All The lines below are NAT routing
# flush any old rules
$IPTABLES -F -t nat
# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward
And here is my sample of rc.firewall
#!/bin/sh
#Change the part after the = to wherever the iptables binary is on your system
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT
#Allow incoming FTP requests
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
#Allow incoming SSH requests
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#Allow incoming HTTP requests (to Web server)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT
#Drop and log all other data
#The logging is rate-limited: at most 3 log entries per second (burst of 5);
#packets beyond that are still dropped, just not logged. This helps to prevent a DOS attack
#crashing the computer the firewall is running on by flooding its log
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP
#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
I have 3 NIC. eth0 is connected to my modem using static ip.
eth0
ip: 212.111.120.210
netmask:255.255.255.252
gateway:212.111.120.209
eth1
ip:192.168.1.1
netmask:255.255.255.0
eth2
ip:192.168.2.1
netmask:255.255.255.0
I'm getting confused...
1) rc.ipmasq is to share the internet from eth0 to eth1 and eth2... [is this correct?]
2) Is my rc.firewall secure? Am I doing the correct thing? Is the port forwarding good?....
I have an FTP server which is running on my Linux router itself for now. How about if I want to make another PC act as the FTP server, connected to eth1? Is my rc.firewall script correct?... Every FTP connection request from external has to be directed to my eth1 and connected to the FTP server PC.
external request ftp -> [eth0]linux router -> [eth1]direct to pc which only link to eth1 or pc ip
external request www ->[eth0]linux router -> [eth2] direct to pc which only link to eth2 or pc ip
Please I need help.
your rc.firewall probably allows any routed traffic; that's bad in most cases ...
you should also add:
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# then decide what is to be forwarded or redirected (see bloemkool1980's suggestion for example)
ASKER
About rc.ipmasq: I followed the instructions from a web site on how to share my internet connection from eth0 to other NICs such as eth1 and eth2.... Correct me if I'm wrong... My thinking is that rc.ipmasq is for sharing my internet connection with the other NICs, including eth0.
ASKER
iptables -A INPUT -i ppp0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 1024: -j ACCEPT
~~~~~~~~~~~~~~~~
Do I have to use eth0 or ppp0?
ASKER
bloemkool1980,
After I tried changing my firewall to your modification... I tried to run the script... after I typed chmod 755 /etc/rc.d/rc.firewall and then ran it with /etc/rc.d/rc.firewall, I get this error:
iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
you have to use the interface on which you would like to accept the traffic
I took it from my firewall script, and I have outside traffic coming in on ppp0. If you would like to have the traffic accepted on eth0, replace ppp0 with it.
I forgot to remove the --dport command; it should work though, as I have run it for years.
my fw script is here http://users.skynet.be/bk392628/S93iptables
How do I fix the --dport?
Fix? It should work if you change the interface name.
Here is my rc.firewall after modification:
#!/bin/sh
#Change the part after the = to wherever the iptables binary is on your system
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024: -j ACCEPT
#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d 212.111.120.210/32 -p tcp --destination-port 3000 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d 212.111.120.210/32 -p tcp --destination-port 21 -j ACCEPT
iptables -t nat -A PREROUTING --dport 3000-j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21-j DNAT --to-destination 192.168.0.101
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 212.111.120.210
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 212.111.120.210
#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT
#Drop and log all other data
#The logging is rate-limited: at most 3 log entries per second (burst of 5);
#packets beyond that are still dropped, just not logged. This helps to prevent a DOS attack
#crashing the computer the firewall is running on by flooding its log
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP
#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
The output after running it is still:
iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
After I typed iptables --help... I cannot see any dport command.
I see this:
[root@domain root]# iptables --help
iptables v1.2.8
Usage: iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain] List the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain] Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--proto -p [!] proto protocol: by number or name, eg. `tcp'
--source -s [!] address[/mask]
source specification
--destination -d [!] address[/mask]
destination specification
--in-interface -i [!] input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
--out-interface -o [!] output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
[root@domain root]#
OK, thanks for showing your rules, because it's a typo issue; nothing bad so far.
Change these rules:
iptables -t nat -A PREROUTING --dport 3000-j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21-j DNAT --to-destination 192.168.0.101
to
iptables -t nat -A PREROUTING --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21 -j DNAT --to-destination 192.168.0.101
I am sorry, because you are helping me so hard....
After changing it is still the same... but I tried one thing and ran it...
I removed:
iptables -t nat -A PREROUTING --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING --dport 21 -j DNAT --to-destination 192.168.0.101
then I ran /etc/rc.firewall
and then it ran successfully... what actually happened?
Now my server has 3 NICs.
How about if I temporarily connect my eth2 directly to the hardware router, and the router forwards any port 80 to my server? Will the firewall run? (just asking)
that would not change anything
if you connect it differently, but I would specify an interface
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
assuming that eth0 is connected to the outside
Typo, do this:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
fedoragirls == lynxkid2004 ??
for sharing your internet connection with other interfaces you simply need:
iptables -A POSTROUTING -t nat -o ippp0 -j MASQUERADE
# adapt interface as needed
and make sure that your kernel has routing enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
And note that your firewall rules are somewhat useless if the default policy is not DROP (see my first comment)
ASKER
Which one is correct? You gave me 2 options. Anyway, I successfully ran the script after I replaced it with your suggestion... both of them work... but what is the difference between them? Which one is better to use?
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
or
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
p/s: fedoragirls == lynxkid2004 ?? > kid is my little bro... he does programming... a beginner
ASKER
Which one, ahoffman?
"which" what?
ASKER
Oops... sorry... not you... bloemkool1980... he gave me two options in his last message... what is the difference between those?
***********************
Comment from bloemkool1980 feedback
Date: 09/09/2004 12:37AM PDT
Comment
that would not change anything
if you connect it differently but I would specify a interface
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
assuming that eth0 is connected to the outside
Comment from bloemkool1980 feedback
Date: 09/09/2004 12:40AM PDT
Comment
typo do this
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
**************************
the first pair is wrong 'cause it uses "-t nat" twice
ASKER
I see... thanks....
1- After I run /etc/rc.d/rc.firewall to make it run on my FC system, will I have to type it again after a restart?
2- At the first installation of my FC, I chose the medium firewall... so after I run this script, will it affect anything?..
ASKER
OK, thanks....
OK, now I tested the Linux box from external and did a full port scan
but I get this:
port 53 UDP Domain Name Server
port 1080 UDP Socks Possible Trojan: WinHole
So how can I fix this?
ASKER
Is this firewall script enough for security?
Is the firewall script the first layer or the second layer?
Do I need to add an additional firewall?
53 is OK if your firewall runs a DNS server
1080 is unusual; check with
netstat -pan
what it is (probably an HTTP proxy)
> does it start at reboot?
/etc/rc.d/rc.firewall sounds like an rc script which is started at boot automatically. You need to check your distribution for how to get this info, e.g. there should be a link in one of /etc/rc[2345].d to /etc/rc.d/rc.firewall
Did you verify that the default policy for all chains is DROP?
ASKER
p/s: damn... my bro changed his nick again... he always saves the username and password as cookies... so I accidentally used his nick... sorry.
ASKER
Did you verify that the default policy for all chains is DROP? <- I'm not sure.... is it important?
Last night I did more port scanning on all ports and I see a list of reports which contains all ports from 1 until * and also shows possible trojans that could break my system.
So does that mean the rc.firewall is not good enough?
> .. <- I'm not sure.... is it important?
yes, otherwise your firewall might accept something you don't want, 'cause the default policy is ACCEPT
> .. I see a list of reports which contains all ports from 1 until * ..
ok, it's time to inspect your rules now.
1. please set your default policies to DROP first (in your script)
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# all your other rules follow here ...
2. stop and start the iptables rules
3. start your scan again
4. if you still feel unsafe, post the result of:
iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n
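Two checks that follow from the advice above (run `netstat -pan` to identify the UDP 1080 listener, then verify that every chain's default policy is DROP), written here as an added example; this is not code from the thread. Each function reads one command's output on stdin, so the constructed samples embedded below stand in for the live commands during a dry run. The sample is shaped like the asker's situation (no `-P` line was ever run, so all chains still default to ACCEPT); the program names and the `212.111.120.210`/`198.51.100.7` addresses in it are assumptions.

```shell
#!/bin/sh
# Post-scan triage helpers for an iptables router. Live use:
#   iptables -L -n | check_policies
#   netstat -pan   | exposed_listeners

# Print every built-in filter chain whose default policy is not DROP.
# Returns 0 only when INPUT, OUTPUT and FORWARD all default to DROP.
# Listing lines look like "Chain INPUT (policy ACCEPT)"; user-defined
# chains show "(N references)" instead and are skipped.
check_policies() {
    awk '
        $1 == "Chain" && $3 == "(policy" {
            policy = $4; sub(/\)$/, "", policy)
            if (policy != "DROP") { print $2 " policy is " policy; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# From netstat -pan output, list the sockets a remote host could reach:
# every UDP socket and every LISTENing TCP socket that is not bound to
# 127.0.0.1 (IPv4 only), with the owning PID/program so an unexplained
# port can be tied to a process. UDP lines have no State column, so the
# program name is field 6 there and field 7 on TCP lines.
exposed_listeners() {
    awk '
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            n = split($4, a, ":"); addr = a[1]; port = a[n]
            if (addr == "127.0.0.1") next
            prog = ($1 == "tcp") ? $7 : $6
            print $1, port, prog
        }'
}

# Constructed sample of "iptables -L -n" on a box where no -P line was run.
SAMPLE_POLICY_ACCEPT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample after "iptables -P <chain> DROP" for all three chains.
SAMPLE_POLICY_DROP='Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination'

# Constructed "netstat -pan" excerpt: an FTP daemon and a resolver that are
# expected, a mail daemon bound to loopback only, one established FTP
# session, and the unexplained UDP 1080. Program names are placeholders.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      812/vsftpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      900/sendmail
tcp        0      0 212.111.120.210:21      198.51.100.7:40211      ESTABLISHED 812/vsftpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           650/named
udp        0      0 0.0.0.0:1080            0.0.0.0:*                           1301/unknown-proxy'

# Demonstration on the constructed samples when the file is run directly.
printf '%s\n' "$SAMPLE_POLICY_ACCEPT" | check_policies || echo "-> set -P ... DROP for the chains above"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

On the sample input `check_policies` reports all three chains and exits 1, and `exposed_listeners` prints `tcp 21`, `udp 53` and `udp 1080` with their owning PIDs while skipping the loopback-only mail daemon; the PID in the last line is the process to inspect (or stop) for the scanner's 1080 finding.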
ASKER
Where should I put this? In rc.masq or rc.firewall? If rc.firewall, which part should I paste or replace?
write it in the script which will be called first at boot, probably rc.firewall
ASKER
I already have IPTABLES -F INPUT in rc.firewall... paste it here?.... but my current line is $IPTABLES -F INPUT. Do I need to add a $ sign at the beginning like this?
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -F FORWARD
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP
$iptables -P FORWARD DROP
if your script uses
iptables=/usr/sbin/iptables
then use $iptables
if your script uses
IPTABLES=/usr/sbin/iptables
then use $IPTABLES
if there is none of the above, then use iptables as in the other examples of this script (without $ probably)
ASKER
Now it is my time to implement the firewall on my Linux box. I connect the modem to eth0, and to test the other NIC, I connect a single PC to eth1 using a crossover cable. Then I run this firewall script... there is a problem where my Linux router itself cannot surf the net, and neither can the client... this happens after I changed the firewall as below. If I use the previous script, which you can see in the first post, my Linux box and the client can use the internet normally. Can you check what the problem is? I use these commands to run it....
1) chmod 755 /etc/rc.d/rc.firewall
2) /etc/rc.d/rc.firewall
here is my network configuration..
eth0
ip: 212.111.120.210
netmask:255.255.255.252
gateway:212.111.120.209
eth1
ip:192.168.1.1
netmask:255.255.255.0
eth2
ip:192.168.2.1
netmask:255.255.255.0
__________________________
#!/bin/sh
#Change the part after the = to wherever the iptables binary is on your system
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024: -j ACCEPT
#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d 218.111.120.210/32 -p tcp --destination-port 3000 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d 218.111.120.210/32 -p tcp --destination-port 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.101
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 218.111.120.210
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.101 -j SNAT --to-source 218.111.120.210
#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT
#Drop and log all other data
#The logging is rate-limited: at most 3 log entries per second (burst of 5);
#packets beyond that are still dropped, just not logged. This helps to prevent a DOS attack
#crashing the computer the firewall is running on by flooding its log
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP
#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
1) chmod 755 /etc/rc.d/rc.firewall
2) /etc/rc.d/rc.firewall
here is my network configuration..
eth0
ip: 212.111.120.210
netmask:255.255.255.252
gateway:212.111.120.209
eth1
ip:192.168.1.1
netmask:255.255.255.0
eth2
ip:192.168.2.1
netmask:255.255.255.0
__________________________
> ...there is a problem where my linux router itself cannot surf the net.
for sure, 'cause
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
after that you need proper rules to allow your system to "browse", obviously
> .. and the client...
the client should if there is a MASQUERADING rule and proper FORWARD rules (like for linux router itself, see above comment:)
Again, again, again, again: why do you not follow what has been suggested? for example:
4. if you still feel unsafe post result of:
iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n
firewalls are no click&go programs, you need to know what you do.
Either make yourself used to the concepts (packetfilters here), or do what experts suggest please.
Playing around with this and that just wastes time, at least for me :-(
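As an added example (this is not the asker's rc.firewall nor anything ahoffman posted), here is what "proper rules after the DROP policies" look like for the three-interface router in this thread: OUTPUT DROP paired with an explicit rule for the router's own traffic, connection tracking instead of opening every port above 1023, MASQUERADE for the LANs, and a port-21 DNAT whose FORWARD rule matches the destination after DNAT. It goes beyond the thread in one respect: only ssh and ping reach the router itself from eth1/eth2, where the asker's script accepted everything. eth0/eth1/eth2 and the 192.168.1.0/24 and 192.168.2.0/24 networks are the thread's; 192.168.1.3 as the FTP host is the address from the asker's later DNAT rule; the iptables path, the rule() helper and the log prefixes are my assumptions. The rules are generated as text first so they can be read before anything touches the kernel.

```shell
#!/bin/sh
# Added example (not the asker's or ahoffman's script): a default-deny ruleset
# for the three-interface router in this thread. eth0 = WAN, eth1/eth2 = LANs,
# 192.168.1.3 = the FTP server the asker publishes on port 21. The iptables
# path and the rule() helper are my own assumptions.
IPT=${IPT:-/sbin/iptables}
WAN=eth0
FTP_HOST=192.168.1.3
FTP_IF=eth1
LOG_LIMIT="-m limit --limit 3/second --limit-burst 5"

# LAN interface / network pairs, one per line.
lan_nets() {
    printf '%s\n' "eth1 192.168.1.0/24" "eth2 192.168.2.0/24"
}

# Print one rule (iptables arguments only) per line.
rule() { printf '%s\n' "$*"; }

# Emit the whole ruleset as text, so it can be read and checked before it is
# loaded into the kernel.
fw_rules() {
    # Start from nothing in both tables. The thread's rc.firewall only flushed
    # INPUT, which is why the distribution's RH-Lokkit chain survived in FORWARD.
    rule -F
    rule -X
    rule -t nat -F
    # Default deny on every chain, OUTPUT included ...
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP
    # ... so the router's own traffic must be allowed explicitly; this is the
    # rule whose absence left the router unable to browse.
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A OUTPUT -o $WAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Replies come back through connection tracking; there is no need to open
    # every port above 1023 the way the thread's INPUT rules did.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m state --state INVALID -j DROP
    rule -A FORWARD -m state --state INVALID -j DROP
    lan_nets | while read -r ifc net; do
        # Only ssh and ping reach the router itself from each LAN (the thread's
        # script accepted everything arriving on eth1/eth2).
        rule -A INPUT -i $ifc -s $net -p tcp --dport 22 -m state --state NEW -j ACCEPT
        rule -A INPUT -i $ifc -s $net -p icmp --icmp-type echo-request -j ACCEPT
        rule -A OUTPUT -o $ifc -d $net -j ACCEPT
        # LAN clients may open connections to the Internet; matching -s on the
        # inside interface keeps spoofed sources from being forwarded.
        rule -A FORWARD -i $ifc -o $WAN -s $net -m state --state NEW -j ACCEPT
    done
    # Hide both LANs behind the WAN address (replaces the per-host SNAT lines).
    rule -t nat -A POSTROUTING -o $WAN -j MASQUERADE
    # Published FTP server: DNAT on the way in, and a FORWARD rule that matches
    # the destination AFTER DNAT. The thread's FORWARD rule matched the public
    # address, which the packet no longer carries by the time FORWARD sees it.
    rule -t nat -A PREROUTING -i $WAN -p tcp --dport 21 -j DNAT --to-destination $FTP_HOST
    rule -A FORWARD -i $WAN -o $FTP_IF -p tcp -d $FTP_HOST --dport 21 -m state --state NEW -j ACCEPT
    # Log what is about to hit the DROP policy, rate limited so a flood cannot
    # fill the disk.
    rule -A INPUT ! -i lo $LOG_LIMIT -j LOG --log-prefix FW-INPUT-DROP:
    rule -A FORWARD $LOG_LIMIT -j LOG --log-prefix FW-FORWARD-DROP:
}

# Number of generated rules matching a grep pattern (handy for sanity checks).
fw_count() { fw_rules | grep -c -e "$1"; }

# Load the generated rules and the FTP conntrack helper, then enable forwarding.
apply_rules() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null || true
    fw_rules | while read -r line; do
        $IPT $line || echo "rule failed: $line" >&2
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-show}" in
    apply) apply_rules ;;   # run as root: ./rc.firewall apply
    show)  fw_rules ;;      # default: print the rules, touch nothing
esac
```

Run it without arguments to read the generated rules, and with `apply` as root to load them. Because the FORWARD and nat tables are flushed here, rc.ipmasq is no longer needed as a separate script; its MASQUERADE line and the ip_forward setting are both included above.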
ASKER
sorry... I'm a bit slow... but what I know is learning
learning, that's why we are here :-)
but if you don't know better (that's why you're asking, probably), then please do what has been suggested and not try something ...
no offense, just clarifying.
ASKER
this is the output of the command iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n
-------------------------- ---------- -----
[root@domain root]# iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3000 to:192.168.0.101
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:192.168.0.101
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
SNAT all -- 192.168.0.101 0.0.0.0/0 to:111.111.111.111
SNAT all -- 192.168.0.101 0.0.0.0/0 to:111.111.111.111
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 LOG flags 0 level 4
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 111.111.111.111 tcp dpt:3000
ACCEPT tcp -- 0.0.0.0/0 111.111.111.111 tcp dpt:21
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@domain root]#
-------------------------- ---------- -----
temporarily I used this firewall script
-------------------------- ---------- --
#!/bin/sh
#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT
#Allow incoming FTP requests
#$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
#Allow incoming SSH requests
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#Allow incoming HTTP requests (to Web server)
#$IPTABLES -A INPUT -p tcp --dport 3000 -j ACCEPT
#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT
#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP
#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
-------------------------- --------
ASKER
I will post the latest iptables -L -n -t nat && iptables -L -n -t mangle && iptables -L -n output after 6pm because my office depends on it... I will post the output about an hour and a half from now... thanks
ok (your current posted output should allow all incoming and forwarded traffic)
BTW, 192.168.0.101 is not the "cross-over" connected pc, right?
ASKER
yeah... temporarily I connect the linux router to the d-link router, because I haven't felt secure yet, so I make the d-link be ahead first... but after office hours, I will change the router to the linux router... before this I successfully created a linux router; the other NICs like eth1, eth2, I connected them to a Windows XP PC for testing the internet connection... yeah I got the connection on the XP pc, but I have to do it manually 'cause I didn't set the dhcp yet. but for the time being I set it static.
so I try to connect eth1 to an xp pc. eth1 (ip:192.168.1.1, netmask: 255.255.255.0, gateway: I leave it blank [not sure about this]) and xp (ip:192.168.1.2, netmask: 255.255.255.0, gateway: 192.168.1.1).... the xp gets the internet successfully.
ASKER
I plan to connect eth1 to the router [maybe to the WAN port, but I don't know how to set it up]. the router is a wireless router. so my clients will receive the internet... but this comes later because the firewall comes first
ASKER
how about my current firewall..is it ok?
ASKER
I scanned again and found that port 25 is open but I didn't run any mail server.... even my sendmail is stopped.
ASKER
and port 110
ASKER
sorry, I modified something... help me.... I'm getting trouble... I up the eth0, eth1 and eth2.... and I run the firewall... let us focus on eth1... I use a cross cable to connect to the WAN port at the wireless router. all the wireless clients can receive the internet but very slow... is that the problem from the firewall script? I check the system log and I found this keeps on looping
Sep 16 23:32:23 domain kernel: IN=eth0 OUT= MAC=00:11:09:14:68:93:00:d0:d0:44:e0:00:08:00 SRC=218.191.24.250 DST=111.111.111.111 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=14982 DF PROTO=TCP SPT=4182 DPT=1025 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 16 23:32:23 scvfc kernel: IN=eth0 OUT= MAC=00:11:09:14:68:93:00:d0:d0:44:e0:00:08:00 SRC=218.191.24.250 DST=111.111.111.111 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=14985 DF PROTO=TCP SPT=4187 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
and so on...
here is the firewall script... I changed the previous setting ip 192.168.0.101 to the eth0 ip... 111.111.111.111
(before this the 1st layer is the router... the modem connects to the router at the WAN port... and the router forwards any web surfing or ftp to my pc (fedora core, which is supposed to be the 1st layer... a linux router.) (and now I'm making the linux router the main router... eth0 is connected to the modem.... eth1 connects to the wireless router at the WAN port... the setting is fine... all clients get the internet but slow.. and sometimes time out...)
My ip setting
eth0
ip: 111.111.111.111
netmask:255.255.255.252
gateway:111.111.111.110
eth1
ip:192.168.1.1
netmask:255.255.255.0
gateway:192.168.1.1
eth2
ip:192.168.2.1
netmask:255.255.255.0
gateway:192.168.2.1
... thanks for the help
ASKER
here is my firewall script that I changed from the previous one... and the problem started from here...
#!/bin/sh
#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp --dport 1024: -j ACCEPT
#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT
#Forward ports 3000 and 21 arriving on eth0 (DNAT to the router's own eth0 address, 111.111.111.111)
$IPTABLES -A FORWARD -s 0.0.0.0/0 -d 111.111.111.111/32 -p tcp --destination-port 3000 -j ACCEPT
$IPTABLES -A FORWARD -s 0.0.0.0/0 -d 111.111.111.111/32 -p tcp --destination-port 21 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 3000 -j DNAT --to-destination 111.111.111.111
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 111.111.111.111
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 111.111.111.111 -j SNAT --to-source 111.111.111.111
#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT
#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP
#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
ASKER
help
ASKER
ahoffman... I need help
I'm a bit busy, and first need to verify your postings ... but I'm still there
ASKER
I hope when you're free you can help me... my network is still down and I'm still waiting for your suggestion to fix it
ASKER
any one?
ASKER
ahoffman, I am begging for help... my current status is:
                                 _ an ftp server (21)
                                |  (eth1 192.168.1.1, 255.255.255.0)
internet ---> linux router ---> (eth0 111.111.111.111, 255.255.255.252, 111.111.111.109)
                                |  (eth2 192.168.2.1, 255.255.255.0)
                                 _ wireless router
My problem is...
1) Yes I can share the internet among eth1 and eth2... but from eth2 to the wireless router, I face a problem.
as you know my eth2 is 192.168.2.1, 255.255.255.0. gateway is blank... so I set the static ip in the wireless router web configuration like this: 192.168.2.2, 255.255.255.0, 192.168.2.1. I connect eth2 and the wireless router WAN port by using a cross cable. My wireless clients seem to be getting an internet connection slower than direct cable. even normally on cable the network packets sent are less than packets received, but for wireless clients, their network packets for sending are bigger than receiving. something is a problem here... it seems like my linux router didn't give much speed to the wireless client. Help me fix
this. I'm begging.. I'm suffering; I surfed a lot of documents but failed.
This is my rc.ipmasq
#!/bin/sh
IPTABLES=/sbin/iptables
#All The lines below are NAT routing
# flush any old rules
$IPTABLES -F -t nat
# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward
And this is my rc.firewall
#!/bin/sh
#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp --dport 1024: -j ACCEPT
#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT
$IPTABLES -A FORWARD -s 0.0.0.0/0 -d 111.111.111.111/32 -p tcp --destination-port 21 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.1.1
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.1 -j SNAT --to-source 111.111.111.111
#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT
#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP
#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
ASKER
please anyone help... my network has been down for about a week!!!!!!!!! please
> Yes I can share the internet among eth1 and eth2 ..
does this mean that all computers on eth1 and eth2 networks have access to Internet (over eth0)?
> ...but from eth2 to wireless router, i face a problem.
can we please leave out the wireless thing for now, until anything else is fixed.
> gateway is blank...
what do you mean by that?
do you mean the setting for "default router"? if so, on which computer?
Meanwhile I'll examine your iptables rules ...
your script rc.firewall posted in http:#12153888 does not match the current iptables rules posted in http:#12072910
please post result of:
iptables -L -n -v
I assume that there is another rc.whatever script setting iptables rules ...
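The mismatch ahoffman points at can be found mechanically. As an added example (not written by either participant), the script below audits the text of iptables -L -n -v: it reports the default policy of every built-in chain, every user-defined chain that your own scripts did not create, and every rule that jumps into such a chain. The sample listing is constructed from an abbreviated copy of the output the asker posts later in this thread (the RH-Lokkit-0-50-INPUT chain and the FORWARD jump into it are from that listing); the KNOWN_CHAINS variable, the function names and the output format are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread's participants): audit the output of
# 'iptables -L -n -v' for default policies, chains that rc.firewall/rc.ipmasq
# never created, and jumps into them from the built-in chains. The sample
# listing is constructed from an abbreviated copy of the one the asker posts
# later in this thread.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 26 packets, 1352 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535 state RELATED,ESTABLISHED
    0     0 DROP       all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   13   544 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            111.111.111.111      tcp dpt:21

Chain OUTPUT (policy ACCEPT 39003 packets, 2248K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 7785 1816K ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
EOF
}

# Reads a listing on stdin. KNOWN_CHAINS lists the user chains your own scripts
# create (space separated); anything else is reported. Output lines:
#   POLICY <chain> <policy>           default of a built-in chain
#   FOREIGN-CHAIN <chain>             user chain not in KNOWN_CHAINS
#   JUMP <chain> -> <target> <pkts>   rule handing packets to a foreign chain
# Assumes every rule has a target (rules without -j leave that column empty).
audit_iptables() {
    awk -v known="${KNOWN_CHAINS:-}" '
        BEGIN {
            n = split(known, k, " "); for (i = 1; i <= n; i++) own[k[i]] = 1
            m = split("ACCEPT DROP REJECT LOG RETURN DNAT SNAT MASQUERADE REDIRECT", t, " ")
            for (i = 1; i <= m; i++) terminal[t[i]] = 1
        }
        /^Chain / {
            chain = $2
            if ($3 == "(policy") print "POLICY", chain, $4
            else if (!(chain in own)) print "FOREIGN-CHAIN", chain
            next
        }
        NF == 0 || $1 == "pkts" { next }
        {
            target = $3
            if (!(target in terminal) && !(target in own))
                print "JUMP", chain, "->", target, $1
        }
    '
}

case "${1:-sample}" in
    live)   iptables -L -n -v | audit_iptables ;;   # on the router, as root
    sample) sample_listing | audit_iptables ;;       # default: the constructed listing
esac
```

On the sample this prints POLICY lines for INPUT, FORWARD and OUTPUT (all ACCEPT), a FOREIGN-CHAIN line for RH-Lokkit-0-50-INPUT and a JUMP line showing that FORWARD hands its packets to that chain, with the packet counter from the listing. A chain named RH-Lokkit or RH-Firewall is installed by the distribution's lokkit tool, and an rc.firewall that only flushes INPUT leaves it untouched, which is one way a script and the live rules can disagree.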
ASKER
does this mean that all computers on eth1 and eth2 networks have access to Internet (over eth0)?
> yes
gateway is blank...
> in my linux router I simply set it; I just left it empty in the network configuration... but it seems the direct cable client gets the internet; only when I connect eth2 to the WAN port at the wireless router, it seems my wireless clients get the internet up and down... and sometimes don't receive the internet. I didn't set up anything at the router. I just set the static ip at the wireless router connection,
my eth2 is ip=192.168.2.1, netmask=255.255.255.0, gateway: blank... so at the router WAN configuration I set it ip:192.168.2.2, netmask:255.255.255.0 and gateway:192.168.2.1. From the wireless client I see their network status for packet sending is a bigger size than packet receiving... is this any connection with my firewall? it seems like my firewall gives too low a connection to the router and that's why the wireless client only receives a slow connection?
result of iptables -L -n -v (this is the status when the server monitoring is down, I mean it isn't connected to anything)
[root@lynx root]# iptables -L -n -v
Chain INPUT (policy ACCEPT 26 packets, 1352 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- !lo * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 LOG flags 0 level 4
0 0 DROP all -- !lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13 544 RH-Lokkit-0-50-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.111.111.111 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.111.111.111 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.111.111.111 tcp dpt:21
Chain OUTPUT (policy ACCEPT 39003 packets, 2248K bytes)
pkts bytes target prot opt in out source destination
Chain RH-Lokkit-0-50-INPUT (1 references)
pkts bytes target prot opt in out source destination
6 774 ACCEPT udp -- * * 202.188.1.5 0.0.0.0/0 udp spt:53 dpts:1025:65535
55 7348 ACCEPT udp -- * * 202.188.0.133 0.0.0.0/0 udp spt:53 dpts:1025:65535
35021 1938K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
7785 1816K ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable
[root@lynx root]#
And here is my current firewall... I removed port 3000, which was for ntop monitoring the network, which is already installed on my server... but I stopped it temporarily.
#!/bin/sh
#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp --dport 1024: -j ACCEPT
#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT
$IPTABLES -A FORWARD -s 0.0.0.0/0 -d 111.111.111.111/32 -p tcp --destination-port 21 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.1.3
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.3 -j SNAT --to-source 111.111.111.111
#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT
#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP
#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
I assume that there is another rc.whetever script setting iptables rules ...
> yeah no other script...what i know is i got two file...rc.ipmasq and rc.firewall
this what i do to make it up and running
chmod 755 /etc/rc.d/rc.ipmasq
/etc/rc.d/rc.ipmasq
chmod 755 /etc/rc.d/rc.firewall
/etc/rc.d/rc.firewall
Below is my ipmasq
#!/bin/sh
IPTABLES=/sbin/iptables
#All The lines below are NAT routing
# flush any old rules
$IPTABLES -F -t nat
# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forw ard
Thank you...
>yes
gateway is blank...
>in my linux router i simply set it, i just left it empty in the network configuration...but it seems direct cable clients get the internet but only when i connect eth2 to the WAN port at the wireless router, it seems my wireless clients get the internet up and down...and sometimes didn't receive the internet. i didn't set up anything at the router. i just set the static ip at the wireless router connection,
my eth2 is ip=192.168.2.1, netmask=255.255.255.0, gateway: blank...so at the router WAN configuration i set ip:192.168.2.2, netmask:255.255.255.0 and gateway:192.168.2.1. From the wireless clients i see in their network status that the packets sent are bigger than the packets received...is this any connection with my firewall? it seems like my firewall gives too low a connection to the router and that's why the wireless clients only receive a slow connection?
result of iptables -L -n -v ( this is the status when the server monitoring is down, i mean it didn't connect to anything )
[root@lynx root]# iptables -L -n -v
Chain INPUT (policy ACCEPT 26 packets, 1352 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- !lo * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 LOG flags 0 level 4
0 0 DROP all -- !lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
13 544 RH-Lokkit-0-50-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.111.111.111 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.111.111.111 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.111.111.111 tcp dpt:21
Chain OUTPUT (policy ACCEPT 39003 packets, 2248K bytes)
pkts bytes target prot opt in out source destination
Chain RH-Lokkit-0-50-INPUT (1 references)
pkts bytes target prot opt in out source destination
6 774 ACCEPT udp -- * * 202.188.1.5 0.0.0.0/0 udp spt:53 dpts:1025:65535
55 7348 ACCEPT udp -- * * 202.188.0.133 0.0.0.0/0 udp spt:53 dpts:1025:65535
35021 1938K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
7785 1816K ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable
[root@lynx root]#
And here is my current firewall...i removed port 3000, which is for the ntop network monitoring already installed on my server...but i stopped it temporarily.
#!/bin/sh
#Change the part after the = to the where you IPTABLES is on your system
IPTABLES=/sbin/iptables
#flush existing rules
$IPTABLES -F INPUT
#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -i eth0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 1024: -j ACCEPT
#Allow traffic from ethernet adapter eth1 to pass through if
#you have a network, or
#as using linux as a router for internet etc.
#Your first ethernet card is eth0 and the second would be eth1 etc.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d 111.111.111.111/32 -p tcp --destination-port 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.1.3
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.3 -j SNAT --to-source 111.111.111.111
#Allow Ping echo
#I have commented this line, so ping from an outside machine will not work.
#Uncomment the next line to make ping from outside work.
#$IPTABLES -A INPUT -p icmp -j ACCEPT
#Drop and log all other data
#The logging is set so if more than 5 packets are dropped in
#three seconds they will be ignored. This helps to prevent a DOS attack
#Crashing the computer the firewall is running on
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
$IPTABLES -A INPUT -i ! lo -j DROP
#The logs from the firewall are put into your system log file, which can be found at #/var/log/syslog
I assume that there is another rc.whatever script setting iptables rules ...
> yeah no other script...what i know is i got two files...rc.ipmasq and rc.firewall
this is what i do to make it up and running
chmod 755 /etc/rc.d/rc.ipmasq
/etc/rc.d/rc.ipmasq
chmod 755 /etc/rc.d/rc.firewall
/etc/rc.d/rc.firewall
Below is my ipmasq
#!/bin/sh
IPTABLES=/sbin/iptables
#All The lines below are NAT routing
# flush any old rules
$IPTABLES -F -t nat
# turn on NAT (IP masquerading for outgoing packets)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
# enable IP forwarding (of incoming packets)
echo 1 > /proc/sys/net/ipv4/ip_forward
Thank you...
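A way to check a listing like the one above for the two things worth noticing in it, as an added example that is not part of the thread: a small POSIX shell/awk audit that reads `iptables -L -n -v` output and reports rules that appear more than once in the same chain (the three identical ACCEPT rules in FORWARD above are what a script that flushes only INPUT leaves behind when it is run three times) and rules whose packet counter is still zero. The embedded listing is a constructed sample trimmed from the one posted above; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an `iptables -L -n -v` listing.
# Usage:  iptables -L -n -v | sh audit_rules.sh -      (real listing on stdin)
#         sh audit_rules.sh                            (constructed sample below)

# Constructed sample, trimmed from the kind of listing posted in the thread.
SAMPLE='Chain INPUT (policy ACCEPT 26 packets, 1352 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED
 0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 13 544 RH-Lokkit-0-50-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.111.111.111 tcp dpt:21
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.111.111.111 tcp dpt:21
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 111.111.111.111 tcp dpt:21'

# Read a listing on stdin; print "CHAIN<TAB>COUNT<TAB>RULE" for every rule text
# that occurs more than once within the same chain. A script that flushes only
# INPUT and is run three times leaves exactly this kind of triplicate in FORWARD.
find_duplicate_rules() {
  awk '
    /^Chain /         { chain = $2; next }      # "Chain FORWARD (policy ...)"
    /^ *pkts +bytes/  { next }                  # column header
    NF == 0           { next }                  # blank line between chains
    {
      rule = $0
      sub(/^ *[0-9]+[KMG]? +[0-9]+[KMG]? +/, "", rule)   # strip pkts/bytes counters
      key = chain "\t" rule
      if (++seen[key] == 2) order[++n] = key    # report each duplicate once
    }
    END {
      for (i = 1; i <= n; i++) {
        split(order[i], part, "\t")
        printf "%s\t%d\t%s\n", part[1], seen[order[i]], part[2]
      }
    }'
}

# Read a listing on stdin; print "CHAIN<TAB>RULE" for rules whose packet counter
# is still zero, i.e. rules no traffic has matched since the counters were reset.
find_unused_rules() {
  awk '
    /^Chain /         { chain = $2; next }
    /^ *pkts +bytes/  { next }
    NF == 0           { next }
    $1 == "0"         { print chain "\t" $0 }'
}

case "${1:-}" in
  -) input=$(cat) ;;        # real listing piped in
  *) input=$SAMPLE ;;       # demo on the constructed sample
esac
echo "== rules duplicated within a chain (chain, count, rule) =="
printf '%s\n' "$input" | find_duplicate_rules
echo "== rules that have never matched a packet =="
printf '%s\n' "$input" | find_unused_rules
```

Zero-hit rules are not wrong by themselves, but in a listing taken while the box is supposed to be routing traffic they tell you which rules are not doing what their author expected; duplicated rules are the sign to look for a missing flush.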
ASKER
And after booting i see this in the status:
Sep 27 16:12:13 lynx kernel: eth1: Promiscuous mode enabled.
Sep 27 16:12:13 lynx kernel: eth1: Promiscuous mode enabled.
pfff this is not a correct approach fedoragirls
your question is extended to a guide on how to use linux iptables instead of the few questions solved in the beginning by me.
This forum gets abused instead of being used
ASKER
abuse?...i never thought about that...i think this place is for asking questions, isn't it?..am i doing something wrong here?
ASKER
please help because my boss already scolded me because the server isn't up and running yet...if you want the points i can give them to you...or else i have to open a new question
leaving the wireless thing beside, can you please give an example with IP what is not working?
ASKER
the ip which is not working is eth2 = 192.168.2.1...ok forget about the router....i connect to the hub and from the hub to the clients...my problem is it seems the clients receive the internet a bit slow and sometimes it is down. it seems like the firewall script splits the network packets into small pieces for each client...i want the clients to receive internet as usual. is my firewall script good or am i missing something in the firewall scripting lines?
> .. seems like the firewall script splits the network packets into small pieces for each client.
don't think so.
This is more likely a configuration problem of the NIC and/or its driver. Check the MTU on both ends.
> is my firewall script is good or do i missing something in the firewall scripting line?
please reread the complete thread, starting at the initial question, then all comments; this answer has already been given ;-)
ASKER
ok thanks for the fast reply....is that what you think is the cause of the problem?...i will try to check it out...do i need to set the gateway for eth1 and eth2, because previously i left it blank..i mean i inserted the ip 192.168.2.1 and gateway 192.168.2.1
ASKER
and how about my
#flush existing rules
$IPTABLES -F INPUT
i see only one line...some others i saw even have more than 1 line...such as $IPTABLES -F FORWARD, DROP....do i need to add this? and what are the purposes?
gateway==default route ??
A computer can only have *one* default route, so you never assign it to a NIC.
If your setup files/scripts do this, I'd check twice what they really do.
try iptables -F cuz this 10 million dollar question has no end :P
> .. $IPTABLES -F FORWARD, DROP....do i need to add this?
hmm, how about simply trying it yourself?
takes 2 seconds, or so ... much faster than writing down the problem ;-)
ASKER
ok i will try...it...
ASKER
still the same...the client network status is still the same...the network packets sent are more than received....my hub/router configuration is normal....i connect eth2 to the router by using a cross cable at the WAN port...the WAN port is set to ip 192.168.2.2 netmask 255.255.255.0 gateway 192.168.2.1. what is mtu...my default mtu is 1500...
ASKER
Packet Send: 1820
Packet Receive : 1446
.. and what's the problem with that?
ASKER
the connection is too slow...
ASKER
if the firewall is not the cause...i will give the points...unless you see something wrong with what i am doing
ASKER CERTIFIED SOLUTION
ASKER
if you say my firewall is normal...then i will try to look for another solution or open a new question...thanks for the help
ASKER
thank you so much for helping me...and for the guidance
long thread, hopefully got a solution, somehow ...
ASKER
still the same...but never mind...i give up already
ASKER
when i connect the modem to the wireless router...everything works normal, but when i connect the modem to my server at eth0 and from eth1 i use a cross cable to the wireless router WAN port, starting from that my wireless clients get a slow connection. Their clients are using XP...so from the network status i see the network send packets are bigger than receive....so the connection is slow
ASKER
here my iptables status:
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Lokkit-0-50-INPUT (2 references)
target prot opt source destination
ACCEPT udp -- cns2.tm.net.my anywhere udp spt:domain dpts:1025:65535
ACCEPT udp -- cns3.tm.net.my anywhere udp spt:domain dpts:1025:65535
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
....
I'm blank already...all network cards in my linux are autodetected...and work correctly
> .. XP .. so the connection is slow
XP or hardware problem. Never an iptables problem.
Your setup is correct so do not worry about that part.
#This allows all data that has been sent out for the computer running the firewall
# to come back
#(for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
This is not good. First of all I would not allow ping to my firewall from outside.
I would have something like this
iptables -A INPUT -i ppp0 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 1024: -j ACCEPT
UDP is stateless so allowing it like the rule above is good enough. For tcp it will allow back connections for all non-privileged ports.
The rules below make it obsolete to specify inbound rules for ssh and ftp unless you want to have those from the outside.
$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A INPUT -i eth2 -j ACCEPT
Now for your FTP and WWW forwarding you need this
iptables -A FORWARD -s 0.0.0.0/0 -d 212.111.120.210/32 -p tcp --destination-port 80 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d 212.111.120.210/32 -p tcp --destination-port 21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <local-ip-address for webserver>
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination <local-ip-address for ftpserver>
iptables -t nat -A POSTROUTING -o eth0 -s <local-ip-address webserver> -j SNAT --to-source 212.111.120.210
iptables -t nat -A POSTROUTING -o eth0 -s <local-ip-address ftpserver> -j SNAT --to-source 212.111.120.210
this should help you
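Putting the pieces of this thread together, as an added example rather than anything posted above: one script that replaces the asker's rc.ipmasq and rc.firewall pair and also answers the earlier question about `$IPTABLES -F FORWARD` and DROP. `-F` only empties a chain's rule list (flushing every chain the script appends to is what prevents the duplicated FORWARD rules seen in the asker's listing), while `-P ... DROP` sets the policy, that is, what happens to a packet no rule matched; with a DROP policy the ESTABLISHED,RELATED rules do the work of the expert's ppp0 rules, for INPUT and FORWARD alike. The interface names, 111.111.111.111 and 192.168.1.3 are taken from the thread's setup as assumptions; the APPLY variable and the function names are mine. Without APPLY=1 it only prints the rules it would load.

```shell
#!/bin/sh
# Added example, not the thread's rc.firewall: one script replacing rc.ipmasq and
# rc.firewall, with default-deny policies. Interfaces and addresses are assumptions
# taken from the thread's layout: eth0 = Internet, eth1/eth2 = LANs,
# 111.111.111.111 = public address, 192.168.1.3 = internal FTP server.
# Dry run by default: without APPLY=1 the commands are printed, not executed.

WAN=eth0
LANS="eth1 eth2"
FTP_SERVER=192.168.1.3

if [ "${APPLY:-0}" = "1" ]; then
  IPTABLES=/sbin/iptables
else
  IPTABLES="echo /sbin/iptables"   # dry run: show the rules instead of loading them
fi

build_rules() {
  # Flush every chain we append to, in both tables, so re-running the script does
  # not add a second copy of each rule (the thread's script flushed only INPUT).
  $IPTABLES -F INPUT
  $IPTABLES -F FORWARD
  $IPTABLES -F OUTPUT
  $IPTABLES -t nat -F PREROUTING
  $IPTABLES -t nat -F POSTROUTING

  # Policies: -P decides the fate of packets no rule matched. -F never touches it.
  $IPTABLES -P INPUT DROP
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P OUTPUT ACCEPT

  # Loopback, plus replies to connections the firewall or the LAN started.
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  for lan in $LANS; do
    $IPTABLES -A INPUT -i "$lan" -j ACCEPT               # LAN hosts may talk to the router
    $IPTABLES -A FORWARD -i "$lan" -o "$WAN" -j ACCEPT   # LAN -> Internet, new connections
  done
  $IPTABLES -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE   # hide the LANs behind eth0

  # Published FTP server: rewrite the destination before routing, then accept the
  # forwarded packet. FORWARD sees the post-DNAT address, so it matches the server.
  $IPTABLES -t nat -A PREROUTING -i "$WAN" -p tcp --dport 21 -j DNAT --to-destination "$FTP_SERVER"
  $IPTABLES -A FORWARD -i "$WAN" -p tcp -d "$FTP_SERVER" --dport 21 -m state --state NEW -j ACCEPT

  # Rate-limited log of what the INPUT policy is about to drop, for /var/log/messages.
  $IPTABLES -A INPUT ! -i lo -m limit --limit 3/second --limit-burst 5 -j LOG --log-prefix "fw-drop: "
}

enable_forwarding() {
  if [ "${APPLY:-0}" = "1" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
  else
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  fi
}

build_rules
enable_forwarding
```

Run `sh rc.firewall.sh` to review the generated rules and `APPLY=1 sh rc.firewall.sh` as root to load them. Active-mode FTP data connections opened by the server are only classified as RELATED when the kernel's FTP connection-tracking helper is loaded (ip_conntrack_ftp on kernels of that era, nf_conntrack_ftp today); without it, passive mode needs its own port range forwarded.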