Hose n00b
Joined: 30 Dec 2004 Posts: 35
Posted: Wed Mar 04, 2009 12:49 am Post subject: Home Gateway Server - IPTABLES not working
I have a server that I'm trying to dedicate as a home NAS/router/gateway. After getting the NAS working, I'm trying to set up the router part of it, and after many Google searches I made several attempts, all of which failed. I suspect that it is my NIC setup, but then again IPTABLES is complex and new to me.
After running "firewall.sh" I point my browser (in the client) to the Google site http://74.125.19.99 and it fails to connect!!!
Any HELP will be very welcome!!!!
Server:
Qwest DSL modem (2-Wire 2700HG-D) -> IP: 192.168.0.1
/etc/conf.d/net
Code:
# External (WAN) Internet
config_eth0=( "192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255" )
routes_eth0=( "default via 192.168.0.1" )
# Internal (LAN) Home
config_eth1=( "192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255" )
/etc/hosts
Code:
127.0.0.1 me.mydomain.lan me localhost
Firewall script
Code:
#! /bin/sh
#---------------#
# Setup aliases #
#---------------#
export WAN=eth0
export WAN_IP=192.168.0.2
echo "Internet:" ${WAN} "/" ${WAN_IP}
export LAN=eth1
export LAN_IP=192.168.1.1
echo "Internal:" ${LAN} "/" ${LAN_IP}
export IPT=/sbin/iptables
#------------------------------------------------------------------#
# Initialize all the chains by removing all the rules tied to them #
#------------------------------------------------------------------#
${IPT} -F
${IPT} -t nat -F
${IPT} -t mangle -F
${IPT} -X
#-------------------------------------#
# Allow packets from loopback adapter #
#-------------------------------------#
${IPT} -A INPUT -i lo -j ACCEPT
${IPT} -A OUTPUT -o lo -j ACCEPT
#------------------------#
# Allow outgoing traffic #
#------------------------#
${IPT} -A OUTPUT -o ${WAN} -j ACCEPT
#----------------#
# Block spoofing #
#----------------#
# Drop loopback source addresses arriving on anything but lo, and packets
# that claim our own WAN address as their source
${IPT} -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
${IPT} -A INPUT -s ${WAN_IP} -j DROP
#------------------#
# Stop bad packets #
#------------------#
${IPT} -A INPUT -m state --state INVALID -j DROP
#-------------#
# TCP allowed #
#-------------#
# pop3 / smtp
${IPT} -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
${IPT} -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# http / https
${IPT} -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
${IPT} -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#---------------------------------#
# Enable kernel for IP forwarding #
#---------------------------------#
echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- loopback/8 anywhere
DROP all -- 192.168.0.2 anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Client:
/etc/conf.d/net
Code:
config_eth0=( "192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255" )
gateway=( "eth0/192.168.1.1" )
_________________
Regards,
Hose
Build: Stage1/AMD64/2008.0/no-multilib
Kernel: 2.6.28
Knute Guru
Joined: 28 Jun 2004 Posts: 362 Location: Fargo, ND
Posted: Wed Mar 04, 2009 12:59 am
Your gateway is 192.168.0.1, not 192.168.1.1.
With your current setup, you are telling your web traffic to use your internal network, rather than going through your modem.
_________________
Knute
----------
The human race has one really effective weapon, and that is laughter.
-- Mark Twain
If you want proof of that, take a look at windows sometime.
cyrillic Watchman
Joined: 19 Feb 2003 Posts: 7313 Location: Groton, Massachusetts USA
Hose n00b
Joined: 30 Dec 2004 Posts: 35
Knute Guru
Joined: 28 Jun 2004 Posts: 362 Location: Fargo, ND
Posted: Wed Mar 04, 2009 2:01 am
Ok, so what's the output of the route command?
_________________
Knute
Hu Administrator
Joined: 06 Mar 2007 Posts: 23689
Posted: Wed Mar 04, 2009 4:02 am
If you do not run the firewall script, can the client use the Internet normally?
You may need to add a masquerade rule to that script.
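Hu's suggestion worked through as an added example (this is not Hose's firewall.sh and not code from the thread): the FORWARD and masquerade rules the posted script lacks, using the thread's interface names (eth0 WAN, eth1 LAN) and the 192.168.1.0/24 LAN. It prints the commands by default (DRY_RUN=1) so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not the original poster's firewall.sh: the forwarding and
# masquerade rules that script lacks, with the same interface names and LAN
# as the thread. DRY_RUN=1 (the default here) only prints the commands;
# run as root with DRY_RUN=0 to apply them.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# nat_rules: emit (or apply) the NAT gateway rules
nat_rules() {
    # The kernel must be allowed to forward between eth0 and eth1
    run sysctl -w net.ipv4.ip_forward=1
    # Start from an empty NAT table and a deny-by-default FORWARD chain, so
    # only the rules below decide what crosses between LAN and WAN
    run "$IPT" -t nat -F
    run "$IPT" -F FORWARD
    run "$IPT" -P FORWARD DROP
    # Replies to connections the LAN opened may come back in
    run "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open new connections outward, but only from LAN addresses
    # (anything else arriving on eth1 is dropped by the policy above)
    run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # The masquerade rule Hu mentioned: rewrite the source of outgoing LAN
    # packets to the WAN address so the DSL modem can route the replies back
    run "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

nat_rules
```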
Hose n00b
Joined: 30 Dec 2004 Posts: 35
Posted: Wed Mar 04, 2009 4:16 am
Server "route"
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
loopback me.domain. 255.0.0.0 UG 0 0 0 lo
default 192.168.0.1 0.0.0.0 UG 3 0 0 eth0
Client "route"
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.160.0 * 255.255.255.0 U 0 0 0 vmnet8
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
172.16.180.0 * 255.255.255.0 U 0 0 0 vmnet1
loopback me.domain 255.0.0.0 UG 0 0 0 lo
_________________
Regards,
Hose
Hose n00b
Joined: 30 Dec 2004 Posts: 35
Posted: Wed Mar 04, 2009 4:18 am
Hu,
Same result in the client, script or not.
_________________
Regards,
Hose
Knute Guru
Joined: 28 Jun 2004 Posts: 362 Location: Fargo, ND
Posted: Wed Mar 04, 2009 5:26 am
Ok, if I get this right, you are trying to access the internet from one of your computers on the internal network, right??
What happens if you try to access the internet from your server?
Also, I think that you need to go back and check your IP addresses to make sure that they are consistent.
I see one place (/etc/conf.d/net and your firewall script) where eth0 is 192.168.0.2 and another place (your server route command) where eth0 is showing up as 192.168.0.0.
Now, unless you have eth0 set up for multiple IPs, and I don't think that's the case, this would need to be changed.
Also, your client machine is set up the same way, with different IPs for the same interface. /etc/conf.d/net says 192.168.1.10 and route says that it's 192.168.1.0.
And from my understanding the gateway line in /etc/conf.d/net needs to be something to the effect of
Code:
gateway_eth0="192.168.1.1"
Take a quick peek in your /etc/conf.d/net.example file and it will give you an example.
HTH
_________________
Knute
Hose n00b
Joined: 30 Dec 2004 Posts: 35
Posted: Wed Mar 04, 2009 4:03 pm
Quote:
Ok, if I get this right, you are trying to access the internet from one of your computers on the internal network, right??

Yes, you are correct!
Quote:
What happens if you try to access the internet from your server?

Works fine, including DNS resolution.
Quote:
Also, I think that you need to go back and check your IP addresses to make sure that they are consistent. I see one place (/etc/conf.d/net and your firewall script) where eth0 is 192.168.0.2 and another place (your server route command) where eth0 is showing up as 192.168.0.0. Now, unless you have eth0 setup for multi ip's, and I don't think that's the case, this would need to be changed.

I'm certainly not (consciously) setting up for multi-IP/NIC. I also noticed the "192.168.0.0" in the output of route, but I am being consistent where I assign "/etc/conf.d/net" and use "firewall.sh" static IP addresses in the server. Where's the "192.168.0.0" coming from????
Quote:
And from my understanding the gateway line in /etc/conf.d/net needs to be something to the effect of
Code:
gateway_eth0="192.168.1.1"

I corrected this (no diff), which I had picked up from https://forums.gentoo.org/viewtopic-t-159133-highlight-fwbuilder.html; however, I tried using the "iface" notation on my system and that did not work at all; it defaulted to DHCP for eth0.
_________________
Regards,
Hose
Hose n00b
Joined: 30 Dec 2004 Posts: 35
Posted: Wed Mar 04, 2009 4:53 pm
Is this just a problem with my routing? Using just my client configuration:
Given a "/etc/conf.d/net":
Code:
config_eth0=( "192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255" )
gateway_eth0=( "192.168.1.1" )
And looking at the output of route:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
loopback my.domain 255.0.0.0 UG 0 0 0 lo
Shouldn't the destination for eth0 be "192.168.1.1" from "/etc/conf.d/net"???
_________________
Regards,
Hose
Hose n00b
Joined: 30 Dec 2004 Posts: 35
Posted: Wed Mar 04, 2009 5:47 pm Post subject: Home Gateway Server - IPTABLES not working (SOLVED)
Well, after googling some more I decided to experiment with the "/etc/conf.d/net" file and I found a working solution:
Code:
config_eth0=( "192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255" )
routes_eth0=( "default gw 192.168.1.1" )
This time the "route" command took a few seconds and returned:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
loopback my.domain 255.0.0.0 UG 0 0 0 lo
default 192.168.1.1 0.0.0.0 UG 2 0 0 eth0
Having that "default" route made the difference. However, the "192.168.0.0" still shows up. Could this be a default for each NIC on the system???
Thanks for all the suggestions, they drove me to the solution!!!
_________________
Regards,
Hose
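The two route tables in this thread (the client's before and after the default route was added) can be checked mechanically. Added example, not from the thread: a small sh/awk check over "route" or "route -n" output that confirms a default route exists and that its gateway lies on a network the same interface is directly connected to (the "192.168.1.0" entry is that network route, not an interface address). The two sample tables are constructed from the values Hose posted.

```shell
#!/bin/sh
# Added example (not from the thread): checks a routing table for the fault
# the client had. Given "route" or "route -n" output on stdin it verifies
# that a default route exists and that its gateway is on a directly
# connected network. The two tables below are constructed from the thread.

CLIENT_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0'

CLIENT_AFTER="$CLIENT_BEFORE
default         192.168.1.1     0.0.0.0         UG    2      0        0 eth0"

# check_routes: reads a routing table on stdin, prints a verdict and returns
# 0 when a default route with an on-link gateway exists, 1 otherwise.
check_routes() {
    awk '
    function ip2int(a,  o) { split(a, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    # A network route such as 192.168.1.0/255.255.255.0 covers the gateway
    # when both fall into the same block of (2^32 - mask) addresses; this
    # uses integer division so it works in plain awk without and()
    function same_net(ip, net, mask,  size) {
        size = 4294967296 - ip2int(mask)
        return int(ip2int(ip) / size) == int(ip2int(net) / size)
    }
    /^Kernel|^Destination/ { next }                    # header lines
    $1 == "default" || $1 == "0.0.0.0" { gw = $2; gwif = $8; next }
    $2 == "*" || $2 == "0.0.0.0" {                     # directly connected
        n++; net[n] = $1; mask[n] = $3; dev[n] = $8
    }
    END {
        if (gw == "") { print "FAIL: no default route; only the connected networks are reachable"; exit 1 }
        for (i = 1; i <= n; i++)
            if (dev[i] == gwif && same_net(gw, net[i], mask[i])) {
                print "OK: default via " gw " on " gwif " (on-link in " net[i] "/" mask[i] ")"
                exit 0
            }
        print "FAIL: gateway " gw " is not on a network connected to " gwif
        exit 1
    }'
}

printf '%s\n' "$CLIENT_BEFORE" | check_routes
printf '%s\n' "$CLIENT_AFTER" | check_routes
```

Run it against a live machine with `route -n | sh -c '. ./check.sh; check_routes'` or simply paste the function into a shell and pipe `route -n` into it.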