Solved

Linux Router Not Working - Not sure why...

Posted on 2004-11-11
288 Views
Last Modified: 2010-03-18
I have recently installed SuSE 9.1 onto an old PMMX laptop that has two PCMCIA cards installed. One is assigned DHCP through my cable modem (eth1) and the other is configured as 192.168.111.254 (eth0). I turned on IP forwarding in the NIC management portion of YAST.

I have internet connectivity and LAN connectivity from the laptop. The machines on the LAN can ping 192.168.111.254 but will not route through the interface to the internet. I have used several different iptables configs to no avail. Are the only commands/iptables entries I absolutely need to get the laptop to forward:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


When I try this I get "destination unreachable" from the LAN machines when they ping an internet IP.

I have disabled the SuSEfirewall2 service and used: iptables -F; iptables -t nat -F; iptables -t mangle -F
to clean the iptables before trying the above-mentioned commands.

What have I missed or done wrong? I know this should work; I had this same config running on this laptop until I tried recompiling the kernel to 2.6.9 and jacked it all up and had to reload. When I reloaded I upgraded to 9.1 (which installs a 2.6 kernel, which I then upgraded to 2.6.9).




Question by:intreeg
9 Comments
 
LVL 14

Accepted Solution

by:
pablouruguay earned 2000 total points
ID: 12557866
OK, try this script. I have the same setup as you and it works great; only change the eth in MASQUERADE if you need to.


iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -P POSTROUTING ACCEPT -t nat
iptables -P PREROUTING ACCEPT -t nat
iptables -P OUTPUT ACCEPT -t nat


modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -j ACCEPT -i eth0 -o eth0 -d 0/0
iptables -A FORWARD -j ACCEPT -i ppp0 -o eth0 -d 0/0
iptables -A FORWARD -j ACCEPT -i eth0 -o ppp0 -d 0/0
iptables -A OUTPUT -j ACCEPT -s 200.0.0.0/255.0.0.0  -d 0/0
iptables -A OUTPUT -j ACCEPT -s 192.168.111.0/255.255.255.0 -d 0/0
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i ppp0 -j ACCEPT
iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21  --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 8080  -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 995 -j ACCEPT
iptables -A INPUT -p icmp -m icmp -j DROP
iptables -A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4672 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 953 -j ACCEPT
iptables -A INPUT  -p tcp --dport 53 -j ACCEPT
iptables -A INPUT  -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -N dropwall
iptables -A dropwall -j DROP
iptables -A INPUT -j dropwall

0
 
LVL 5

Author Comment

by:intreeg
ID: 12557930
iptables -A OUTPUT -j ACCEPT -s 200.0.0.0/255.0.0.0  -d 0/0

This line defines the network that your ppp0 address is going to reside in? If so, I am not sure what I should change this to; I have no idea what range my IP will be in for sure. I think it will start with 24.x.x.x but I couldn't say that it would stay that way.

Other than that, I should be able to change ppp0 to eth1 and be set?
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 12557994
Yep, I was wrong in this line. 0/0

If your eth0 is your external NIC, you need to replace ppp0 with eth0.
0
 
LVL 5

Author Comment

by:intreeg
ID: 12558074
So just to make sure, this is what my script should look like?
eth0 - 192.168.111.254
eth1 - DHCP from cable modem


-------------------------------------------
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -P POSTROUTING ACCEPT -t nat
iptables -P PREROUTING ACCEPT -t nat
iptables -P OUTPUT ACCEPT -t nat


modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -j ACCEPT -i eth0 -o eth0 -d 0/0
iptables -A FORWARD -j ACCEPT -i eth1 -o eth0 -d 0/0
iptables -A FORWARD -j ACCEPT -i eth0 -o eth1 -d 0/0
iptables -A OUTPUT -j ACCEPT -s 0/0  -d 0/0
iptables -A OUTPUT -j ACCEPT -s 192.168.111.0/255.255.255.0 -d 0/0
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21  --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 8080  -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 995 -j ACCEPT
iptables -A INPUT -p icmp -m icmp -j DROP
iptables -A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4672 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 953 -j ACCEPT
iptables -A INPUT  -p tcp --dport 53 -j ACCEPT
iptables -A INPUT  -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp  --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -N dropwall
iptables -A dropwall -j DROP
iptables -A INPUT -j dropwall
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 12558123
Yep... it's OK.
0
 
LVL 5

Author Comment

by:intreeg
ID: 12558404
Also, is this the bare minimum to get this config to work?

$> modprobe ipt_MASQUERADE # If this fails, try continuing anyway
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
$> echo 1 > /proc/sys/net/ipv4/ip_forward
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 12561331
$> iptables -F; iptables -t nat -F; iptables -t mangle -F
$> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
$> echo 1 > /proc/sys/net/ipv4/ip_forward

Yes, this is the minimum to work, but the modprobe is only needed if you compiled your kernel with iptables masquerading in module format. I don't think this happened; the best way to do this is to compile the kernel with iptables included, not as a module.
Besides, you need to accept forwarded traffic from the eths, outside and inside.

0
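Pulling together the accepted script above and pablouruguay's note that forwarded traffic has to be accepted in both directions, here is an added example (not code from the thread) of a minimal stateful NAT ruleset for the setup under discussion (eth0 = LAN 192.168.111.0/24, eth1 = WAN). Unlike the posted script it keeps FORWARD at DROP, only lets LAN-originated connections and their replies through, and masquerades on the WAN side only; the DRY_RUN switch, IPT variable and function names are this example's own conventions.

```shell
#!/bin/sh
# Added example: minimal stateful NAT router ruleset (not from the thread).
# With DRY_RUN=1 (the default) the iptables commands are printed instead of
# executed, so the ruleset can be reviewed without root; DRY_RUN=0 applies it.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$IPT $*"; else "$IPT" "$@"; fi
}

# nat_router_rules LAN_IF WAN_IF LAN_SUBNET
nat_router_rules() {
    lan="$1"; wan="$2"; lan_net="$3"
    # Flush everything first, including anything SuSEfirewall2 left behind
    run -F; run -t nat -F; run -t mangle -F
    # Default deny for traffic to and through the router; outbound from it is fine
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    # The router itself: loopback, replies to its own connections, ssh from LAN only
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$lan" -s "$lan_net" -p tcp --dport 22 -j ACCEPT
    # LAN -> WAN: only packets whose source really is the LAN subnet (anti-spoofing)
    run -A FORWARD -i "$lan" -o "$wan" -s "$lan_net" -j ACCEPT
    # WAN -> LAN: replies only, never new connections from the internet
    run -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade on the WAN side only (the posted script also masqueraded on eth0)
    run -t nat -A POSTROUTING -o "$wan" -s "$lan_net" -j MASQUERADE
}

# Enable kernel forwarding (the echo from the thread), honouring DRY_RUN
enable_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

nat_router_rules eth0 eth1 192.168.111.0/24
enable_forwarding
```

Review the printed commands, then rerun as root with DRY_RUN=0 to apply them; if SuSEfirewall2 is still enabled it will reload its own rules over these at boot, which is exactly the symptom the thread ends on.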
 
LVL 5

Author Comment

by:intreeg
ID: 12567406
As it turns out, SuSEfirewall was not totally disabled; after double checking my service settings and disabling all 3(!) entries for SuSEfirewall and rebooting, my firewall is now working with the minimum command set I posted.

 modprobe ipt_MASQUERADE # If this fails, try continuing anyway
 iptables -F; iptables -t nat -F; iptables -t mangle -F
 iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
 echo 1 > /proc/sys/net/ipv4/ip_forward

Looks like I should recompile my kernel too, so I can remove the modprobe issue. I will be using the script you originally posted as my template when I work out my ruleset today. I really appreciate all of your help!

Thanks
Intreeg
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 12567661
You're welcome!
0
