Gentoo Forums
Newbie Question about Internet Sharing
Gentoo Forums Forum Index :: Networking & Security
Syntech (n00b; joined 07 Jan 2003; 30 posts)
Posted: Tue Apr 22, 2003 12:04 am    Post subject: Newbie Question about Internet Sharing

Hi!

I'm done with my Gentoo 1.4 rc4 install, but I can't get my box to share the internet connection.

I have 2 network adapters in the gentoo box (eth0 = dhcp -> Internet & eth1 at IP:192.168.0.1)

My Windows box has IP: 192.168.0.10 and default gateway 192.168.0.1 connected to eth1 on the gentoo box.

Can someone please just post a simple iptables explanation of how to do it, since I found the iptables howtos to be a bit confusing to me...

It would be nice to have the firewall stop all incoming traffic (deny all), and a short explanation of how to open just certain ports (my girlfriend is playing EverQuest on the Windows box).

Anders Kallander
Zombie[BRAAAINS] (n00b; joined 19 Mar 2003; 62 posts)
Posted: Tue Apr 22, 2003 2:54 am

OK, here's what I understand of your setup:

Internal interface: eth1
External interface: eth0
Internal IP/SN: 192.168.0.1/24 (or 192.168.0.1/255.255.255.0)
External IP/SN: I don't know, so just enter it where you see ${XIP}

Code:
# Clear the tables
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F

# Set the default policies (blocks everything)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Set up SNAT (this is the main thing you were asking about)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source ${XIP}

# Open up your loopback wide
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# Open your internal interface wide
# EDIT: Correcting a typo. Original (incorrect) line commented.
#iptables -t filter -A INPUT -i eth1 -j ACCEPT
# EDIT: AARGH! Double-tard. Original (incorrect) lines commented.
#iptables -t filter -A INPUT -i eth0 -j ACCEPT
#iptables -t filter -A OUTPUT -o eth0 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -j ACCEPT

# Allow all packets to leave (target names are case-sensitive: ACCEPT, not accept)
iptables -t filter -A OUTPUT -s ${XIP}/32 -o eth0 -j ACCEPT

# Allow forwarding from the inside
iptables -t filter -A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -j ACCEPT

# Allow packets back in that are a part of a connection
# that originated from inside the network, or any that we have explicitly
# allowed elsewhere.
iptables -t filter -A INPUT -d ${XIP}/32 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -o eth1 -j ACCEPT

# Turn on ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward


That should get your basic firewall/router set up. As for allowing connections to your services, here's how:

Code:
# Here's one if you're running a DNS server on the firewall. DNS
# is supposed to listen on both the TCP and UDP protocols, that's why the
# two lines below.
iptables -t filter -A INPUT -d ${XIP}/32 -p tcp -m state --state NEW -i eth0 --syn --destination-port 53 -j ACCEPT
iptables -t filter -A INPUT -d ${XIP}/32 -p udp -m state --state NEW -i eth0 --destination-port 53 -j ACCEPT
# You may notice that only one particular packet is allowed here.
# That's because ESTABLISHED,RELATED section above will recognize
# that a new connection has been established. Also, the UDP does not
# check for a SYN packet. This is because there are no SYN packets in the
# UDP protocol.

# Setting up a connection to another computer inside the firewall is a little
# trickier. You must allow that first packet through, and you must also tell
# the firewall where to send the information.
# First, tell it where to send the packet. This example is for a webserver.
iptables -t nat -A PREROUTING -i eth0 -d ${XIP}/32 -p tcp --dport 80 -j DNAT --to-destination ${YOUR_SERVER_INTERNAL_IP}
# Then allow that initial packet through. Since a web server operates with
# the TCP protocol, we'll check for a SYN packet.
iptables -t filter -A FORWARD -d ${YOUR_SERVER_INTERNAL_IP} -p tcp -m state --state NEW -i eth0 -o eth1 --syn --destination-port 80 -j ACCEPT


That should about do it. 'man iptables' gives some fairly decent documentation. I don't know if EverQuest requires the ability to accept incoming connections. Their website should have more info. What I would suggest is just getting the NAT set up first, make sure browsing works, and then try out EverQuest. If it fails for you but browsing works, then look into setting up incoming NAT.

Oh, one more thing. You'll probably have to force the DNS to whatever you find in /etc/resolv.conf on the Windows machine. Good luck!
_________________
RAWR! Brains, BRAINS! BRAAAINS! MUST EAT BRAINS!


Last edited by Zombie[BRAAAINS] on Tue Apr 22, 2003 8:41 pm; edited 2 times in total
Syntech (n00b; joined 07 Jan 2003; 30 posts)
Posted: Tue Apr 22, 2003 10:51 am
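The rule set in the post above, rewritten as a parameterised script with a dry-run mode. This is an added example, not Zombie[BRAAAINS]'s script: the interface names, the 192.168.0.0/24 network and the rule order are taken from the post, while the variable names (EXT_IF, INT_IF, LAN, XIP, DRY_RUN), the function names and the dry-run behaviour are this example's own. With DRY_RUN=1 (the default here) it prints every iptables command instead of running it, so the rules can be read and compared with `iptables --list -v` before they are applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): the corrected router/firewall rule set
# from the post above, parameterised, with a dry-run mode. Variable and function
# names are this example's own; the interfaces and LAN are the thread's.

: "${EXT_IF:=eth0}"        # internet-facing interface
: "${INT_IF:=eth1}"        # LAN-facing interface
: "${LAN:=192.168.0.0/24}" # network behind the router
: "${DRY_RUN:=1}"          # 1 = print the commands, 0 = execute them (needs root)

# Run or print one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the full rule set. Fails early if XIP is unset, because SNAT and the
# address-specific INPUT/OUTPUT rules are meaningless without it.
build_rules() {
    [ -n "$XIP" ] || { echo "XIP (external address) is not set" >&2; return 1; }

    # Start from empty chains in all three tables
    for t in filter nat mangle; do ipt -t "$t" -F; done

    # Default deny: anything not matched by a rule below is dropped
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Rewrite the source of LAN traffic leaving EXT_IF to the external address
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IF" -j SNAT --to-source "$XIP"

    # Loopback and the LAN side are fully open; the external side is not
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -j ACCEPT
    ipt -A OUTPUT -o "$INT_IF" -j ACCEPT

    # The router itself may talk to the internet
    ipt -A OUTPUT -s "$XIP/32" -o "$EXT_IF" -j ACCEPT

    # LAN hosts may open connections to the internet ...
    ipt -A FORWARD -s "$LAN" -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    # ... and only replies to existing connections are let back in
    ipt -A INPUT -d "$XIP/32" -m state --state ESTABLISHED,RELATED -i "$EXT_IF" -j ACCEPT
    ipt -A FORWARD -d "$LAN" -m state --state ESTABLISHED,RELATED -o "$INT_IF" -j ACCEPT
}

# Expose TCP port $1 on the external address to LAN host $2: the DNAT + FORWARD
# pair from the post. PREROUTING rewrites the destination, FORWARD lets the
# first packet of the new connection through; replies are covered above.
forward_tcp_port() {
    port=$1; host=$2
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$XIP/32" -p tcp --dport "$port" -j DNAT --to-destination "$host"
    ipt -A FORWARD -d "$host" -p tcp -m state --state NEW -i "$EXT_IF" -o "$INT_IF" --syn --dport "$port" -j ACCEPT
}

# Routing between the interfaces must be switched on separately from the rules.
enable_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Number of rules build_rules emits (handy for checking a dry run).
rule_count() { build_rules | wc -l | tr -d ' '; }
```

Usage: `XIP=<your external address> DRY_RUN=1 sh thisscript.sh` and then call `build_rules`, `forward_tcp_port 80 192.168.0.10` and `enable_forwarding` from the shell, or source the file. Every filter rule that is not for `lo` or the LAN interface names the external interface explicitly, which is what the later posts in this thread end up debugging: with OUTPUT set to DROP, a rule on the wrong interface makes the router's own `ping` fail with `sendto: Operation not permitted`, so reading the dry-run output against `iptables --list -v` is the quickest check that the intended interface is in each rule.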

Hi!

Will try it now ...

eth0 is using DHCP and that's why I don't know the IP, since my ISP provides me with one. Usually it is in the range 213.65.51.x but I'm sure there is an iptables command for DHCP too ... I'll check it out and post a message if I can't get it to work ...

Thank you for the answer.

Anders Kallander
ruomad (Tux's lil' helper; joined 17 Apr 2003; 93 posts)
Posted: Tue Apr 22, 2003 2:21 pm

Hi,

I'm simply doing:

iptables -t nat -A POSTROUTING -j MASQUERADE

And it seems to work...

Is there anything wrong with that?

Also running iptables as a service (rc-update add iptables default)
and it will save this rule and apply it again when you reboot

Please comment on this if I'm wrong?

ruomad (Tux's lil' helper; joined 17 Apr 2003; 93 posts)
Posted: Tue Apr 22, 2003 2:26 pm

oops!

I mean:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Zombie[BRAAAINS] (n00b; joined 19 Mar 2003; 62 posts)
Posted: Tue Apr 22, 2003 6:50 pm

No, I can't say there's really anything wrong with that, but your computer is acting as simply a router instead of a firewall/router. Also, masquerading is a bit more limited in terms of what it can do and what kind of restrictions you can place on it, and if you want to do any firewall debugging while it's running you're going to take down everyone behind you instead of interrupting the connection for a second or two. None of this is probably a concern on a dialup connection. If you have a static / mostly static IP, you're probably better off with SNAT.
Syntech (n00b; joined 07 Jan 2003; 30 posts)
Posted: Tue Apr 22, 2003 7:39 pm

Hi again!

Hmmm ... seems to be a problem here.

I did put all commands in a script. And before I ran it I could ping 192.168.0.10 (from server -> my client), and 192.168.0.1 (from client -> my server). All seemed to work ok. But after I run the script I can't ping either way. I tried to lynx www.sunet.se and it seemed to work fine, so the connection from my server to the outside world works, but not my internal network.

The script seems to work ok (no errors displayed anyway) and I changed the ${XIP} to my external IP received from my ISP.

Actually I put the line MY_EXT_IP=213.65.51.204 on top in the script and replaced all ${XIP} with $MY_EXT_IP

Any suggestions?

Anders Kallander
Zombie[BRAAAINS] (n00b; joined 19 Mar 2003; 62 posts)
Posted: Tue Apr 22, 2003 7:45 pm

Oops... sorry. There's a typo here:

Code:
# Open your internal interface wide
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -j ACCEPT


eth1 on the first line should be eth0.
Syntech (n00b; joined 07 Jan 2003; 30 posts)
Posted: Tue Apr 22, 2003 7:49 pm

This maybe will be of interest:

On my client (windows box):

IP Address : 192.168.0.10
Subnet mask : 255.255.255.0
Default gateway : 192.168.0.1

On my Server (linux box):

IP Address (eth0) : 213.65.51.204
Subnet mask : 255.255.255.0

IP Address (eth1) : 192.168.0.1
Subnet mask : 255.255.255.0

Cheers
Syntech (n00b; joined 07 Jan 2003; 30 posts)
Posted: Tue Apr 22, 2003 7:49 pm

hehe will try it right on ...
Syntech (n00b; joined 07 Jan 2003; 30 posts)
Posted: Tue Apr 22, 2003 8:08 pm

Still no success ....

I'm probably missing something here...

No www connection on the windows box. And when I try to ping my client from the server I got:

ping 192.168.0.10

ping: sent 64 octets to 192.168.0.10, ret=-1
sendto: Operation not permitted
...
...
Zombie[BRAAAINS] (n00b; joined 19 Mar 2003; 62 posts)
Posted: Tue Apr 22, 2003 8:34 pm

Hmm... sounds like there probably is a typo. Could you post the results of these two commands?

Code:
iptables --list -v
iptables --list -t nat -v

Zombie[BRAAAINS] (n00b; joined 19 Mar 2003; 62 posts)
Posted: Tue Apr 22, 2003 8:43 pm

Bleh... I gotta stop posting from work. That typo I told you to fix... I told you to fix it wrong. Here's the right lines:

Code:
# Open your internal interface wide
# EDIT: Correcting a typo. Original (incorrect) line commented.
#iptables -t filter -A INPUT -i eth1 -j ACCEPT
# EDIT: AARGH! Double-tard. Original (incorrect) lines commented.
#iptables -t filter -A INPUT -i eth0 -j ACCEPT
#iptables -t filter -A OUTPUT -o eth0 -j ACCEPT
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A OUTPUT -o eth1 -j ACCEPT


That SHOULD do it :)
Syntech (n00b; joined 07 Jan 2003; 30 posts)
Posted: Tue Apr 22, 2003 9:06 pm

I'll try it immediately!

anyway ... here are the dumps: (maybe not needed now)

iptables --list -v

    Chain INPUT (policy DROP 1 packets, 60 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    10 1512 ACCEPT all -- eth0 any anywhere anywhere
    0 0 ACCEPT all -- eth0 any anywhere h204n2fls34o282.telia.com state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- eth1 eth0 192.168.0.0/24 anywhere
    0 0 ACCEPT all -- any eth1 anywhere 192.168.0.0/24 state RELATED,ESTABLISHED

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- any lo anywhere anywhere
    10 734 ACCEPT all -- any eth0 anywhere anywhere
    0 0 ACCEPT all -- any eth0 h204n2fls34o282.telia.com anywhere


iptables --list -t nat -v

    Chain PREROUTING (policy ACCEPT 5 packets, 993 bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 6 packets, 478 bytes)
    pkts bytes target prot opt in out source destination
    0 0 SNAT all -- any eth0 192.168.0.0/24 anywhere to:213.65.51.204

    Chain OUTPUT (policy ACCEPT 6 packets, 478 bytes)
    pkts bytes target prot opt in out source destination
Syntech (n00b; joined 07 Jan 2003; 30 posts)
Posted: Tue Apr 22, 2003 9:20 pm

Now the pinging works in all directions! whoa!

Now all I have to do to get www to work is like this I guess then:

iptables -t nat -A PREROUTING -i eth0 -d ${XIP}/32 -p tcp --dport 80 -j DNAT --to-destination ${YOUR_SERVER_INTERNAL_IP}
iptables -t filter -A FORWARD -d ${YOUR_SERVER_INTERNAL_IP} -p tcp -m state --state NEW -i eth0 -o eth1 --syn --destination-port 80 -j ACCEPT

Thanx for your help, appreciated it a lot .... now I'm introduced to the wonderful world of iptables and I will study examples a lot, kinda fun :)

I will also check out the documents on iptables to fully understand what the commands you gave me do.

Thank you
Zombie[BRAAAINS] (n00b; joined 19 Mar 2003; 62 posts)
Posted: Tue Apr 22, 2003 9:45 pm

Glad I could help. I've certainly gotten enough help on these forums :)

Yep, those are the relevant lines, should work fine.
djco (Retired Dev; joined 29 Mar 2003; 67 posts; location: 52.36, 4.89)
Posted: Wed Apr 23, 2003 11:34 am

This is gonna be a great help, but I have two more questions:

- Is it possible to use iptables directly from the LiveCD, without following through with much of the Gentoo installation?
- Is there a way to handle an IP that changes for this? My ISP sometimes changes my IP (which is assigned by DHCP), and it would be annoying to have to go in and change the code every time they do this.
Genone (Retired Dev; joined 14 Mar 2003; 9533 posts; location: beyond the rim)
Posted: Wed Apr 23, 2003 2:14 pm

The LiveCD contains iptables, I've used this several times for my router (at least it was on the 1.4-rc1 LiveCD). For a dynamic IP you should use the MASQUERADE target of iptables instead of SNAT. Just change the SNAT line in the script to
Code:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

You can also completely automate the iptables stuff if you edit /etc/conf.d/iptables and run the following:
Code:
/etc/init.d/iptables save
rc-update add iptables default
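How the rule set changes for a DHCP-assigned external address, as asked by djco and answered above with MASQUERADE. This is an added example, not Genone's or Zombie[BRAAAINS]'s code: it keeps the thread's interface names and LAN, replaces the SNAT rule with MASQUERADE, and rewrites the few rules that named the external address (`-d ${XIP}/32`, `-s ${XIP}/32`) to match on the external interface instead, so nothing in the script has to be edited when the ISP hands out a new address. The variable and function names (EXT_IF, INT_IF, LAN, DRY_RUN, addr_from_ip_output and so on) are this example's own, and the `ip -4 -o addr` sample line is constructed for the test; the address shown is only reported, the rules never depend on it.

```shell
#!/bin/sh
# Added example (not from the thread): NAT for a dynamic external address.
# MASQUERADE uses whatever address EXT_IF has at the moment a packet leaves,
# and the filter rules match on the interface, so the script is address-free.
# DRY_RUN=1 prints the commands instead of running them.

: "${EXT_IF:=eth0}"
: "${INT_IF:=eth1}"
: "${LAN:=192.168.0.0/24}"
: "${DRY_RUN:=1}"

ipt() { if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# Pull the IPv4 address out of one line of `ip -4 -o addr show dev $EXT_IF`
# output, e.g. "2: eth0    inet 213.65.51.204/24 brd ... scope global dynamic eth0".
# Prints nothing if the line carries no address (interface down, lease not yet
# obtained). Used for reporting only.
addr_from_ip_output() {
    printf '%s\n' "$1" | sed -n 's/.*inet \([0-9.]*\)\/.*/\1/p'
}

# Current address of the external interface, or empty if it has none yet.
current_ext_addr() {
    addr_from_ip_output "$(ip -4 -o addr show dev "$EXT_IF" 2>/dev/null | head -n 1)"
}

# NAT rule for a dynamic address: MASQUERADE instead of SNAT --to-source.
nat_rules() {
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IF" -j MASQUERADE
}

# External-side filter rules from the earlier script, matching the interface
# rather than the address. Default policies, loopback and LAN rules are
# unchanged from the static version and are not repeated here.
external_filter_rules() {
    ipt -A OUTPUT -o "$EXT_IF" -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -d "$LAN" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Persist the loaded rules the Gentoo way (the two commands from the post above).
persist_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "/etc/init.d/iptables save"
        echo "rc-update add iptables default"
    else
        /etc/init.d/iptables save && rc-update add iptables default
    fi
}

# Report the address MASQUERADE will currently be using, without needing it.
report() {
    a=$(current_ext_addr)
    if [ -n "$a" ]; then echo "$EXT_IF currently has $a; MASQUERADE will use it"
    else echo "$EXT_IF has no IPv4 address yet; rules are still valid"; fi
}
```

The DNAT port-forwarding pair from the earlier post works the same way once its `-d ${XIP}/32` match is dropped, because `-i eth0` already restricts it to packets arriving on the external side. MASQUERADE also drops its connection-tracking entries when the interface goes down, which is the right behaviour for a lease change but is the reason Zombie[BRAAAINS] preferred SNAT for a static address.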