Re: IP Forwarding to Windows machine
Nemeth Gyorgy wrote:

> Yes, it can work as a short go-nogo test. But the suggestion was not
> mentioned it, that it is only for that. And it is very likely that when
> the OP tries this and it 'works' (I mean the Windows machine behind the
> Linux works well), then the rules will remain.

I wrote in my previous message : "Then when everything works add the filtering."
                                  ^

> And - as the Linux server
> can have a lot of services - it will leave a lot of secholes to the world.

Then the security holes are the services, not the firewall.

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/53eb3f15.4040...@plouf.fr.eu.org
Re: IP Forwarding to Windows machine
I adopted Mr. Gyorgy's suggested iptables rules with only a couple of additions based on nmap's report that port 411 was open because it passed with flying colors nmap's TCP and UDP scan of the first 1056 ports, grc.com tests and pcflank.com tests.

For a single user system running no services to the web is there anything I ought to look at? I'm not asking for guarantees, just suggestions.

Thanks,
Mike
-- 
"Humor is an affirmation of dignity, a declaration of man's superiority to all that befalls him." - Romain Gary

Archive: https://lists.debian.org/20140813035216.GB3802@playground
Re: IP Forwarding to Windows machine
On 2014-08-10 22:30, Joe wrote:
> Why is it unresolvable? A DROP/REJECT policy is fail-safe, ACCEPT
> isn't. If the rest of the rules are correct, (and more importantly,
> guaranteed always to stay that way in the face of editing, sometimes
> rushed) an ACCEPT policy is redundant, and if they're not, it's
> dangerous. You will never *ever* want that ACCEPT policy rule to be
> traversed.
>
> But it greatly simplifies matters during a short go-nogo test, during
> which the probability of an attack is quite small. And here's another
> reason that the Internet connection should be farmed out to a dedicated
> device containing at least a simple stateful packet filter, so that
> experimentation with the main firewall carries little risk.
>

Yes, it can work as a short go-nogo test. But the suggestion did not
mention that it is only for that. And it is very likely that when
the OP tries this and it 'works' (I mean the Windows machine behind the
Linux works well), then the rules will remain. And - as the Linux server
can have a lot of services - it will leave a lot of secholes to the world.
So I wouldn't suggest such a situation; in my opinion the minimum policy
should still be safe (at least a bit). So the default policy for nat and
mangle can be ACCEPT without too much risk, but on the filter table set
ACCEPT on the OUTPUT chain, set DROP for INPUT and FORWARD, and explicitly
allow what you want. This should be the minimum security level for a home
firewall.

-- 
--- Friczy ---
'Death is not a bug, it's a feature'

Archive: https://lists.debian.org/53ea6edb.4070...@freemail.hu
Re: IP Forwarding to Windows machine
On Tue, Aug 12, 2014 at 5:19 AM, Joe wrote:
> On Tue, 12 Aug 2014 04:53:51 -0400
> Tom H wrote:
>>
>> And you've proven my point...
>
> Agreed, I just can't see why there is any controversy.

You misunderstand. The fact that you can't accept that there may be others who have good reason (whatever it may be; I don't care) to consider that having ACCEPT as a policy is the proof that this is as controversial and contentious as vi/emacs, postfix/sendmail/exim, etc.

Archive: https://lists.debian.org/CAOdo=SwYrGZA=jjptdkm_x-mrp5a38nznqoahcy8sr0huaa...@mail.gmail.com
Re: IP Forwarding to Windows machine
On Tue, 12 Aug 2014 04:53:51 -0400
Tom H wrote:

>
> And you've proven my point...
>

Agreed, I just can't see why there is any controversy.

-- 
Joe

Archive: https://lists.debian.org/20140812101956.764ec...@jresid.jretrading.com
Re: IP Forwarding to Windows machine
On Sun, Aug 10, 2014 at 4:30 PM, Joe wrote:
> On Sun, 10 Aug 2014 16:07:01 -0400
> Tom H wrote:
>> On Sun, Aug 10, 2014 at 2:24 PM, Nemeth Gyorgy
>> wrote:
>>> On 2014-08-10 11:33, Pascal Hambourg wrote:
>>>> sysctl -w net.ipv4.ip_forward=1
>>>> iptables -t nat -P ACCEPT
>>>> iptables -t filter -P ACCEPT
>>>
>>> This is really a big sechole.
>>
>> This is one of these hopelessly unresolvable issues where some people
>> believe that the correct config is to have policy DROP/REJECT and
>> others believe that the correct config is to have a policy of ACCEPT
>> and to have the final rule in the respective chains be DROP/REJECT..
>
> Why is it unresolvable? A DROP/REJECT policy is fail-safe, ACCEPT
> isn't. If the rest of the rules are correct, (and more importantly,
> guaranteed always to stay that way in the face of editing, sometimes
> rushed) an ACCEPT policy is redundant, and if they're not, it's
> dangerous. You will never *ever* want that ACCEPT policy rule to be
> traversed.

And you've proven my point...

Archive: https://lists.debian.org/CAOdo=swtrbbs2otn-70xukucaozz8umhlk5o592qpkhsuc2...@mail.gmail.com
Re: IP Forwarding to Windows machine [SOLVED]
On Mon, Aug 11, 2014 at 02:06:28PM +0200, Pascal Hambourg wrote:
> Mike McClain wrote:
>>
>> Clearly DNS lookup is working and I have a problem with the
>> configuration of IE.
>
> Check in its network settings whether a proxy is defined, and remove it.

Hi Pascal,
Nope, no proxy. Though I had told Windows via the 'Local Area Connection' properties that the Linux box (192.168.1.2) was the gateway for the Win2K box, I had failed to tell Internet Explorer that the Linux box was on the LAN. Silly me.
After fixing that IE could find Google, GRC.com and many other sites on the web but curiously failed to find Mozilla, hence wouldn't DL Firefox. After I put the router back between the two boxes IE couldn't even find Google but tracert assured me DNS lookup was still there.
I DL'd the last version of Firefox that would work with Win2K from the Debian box and used smbclient to move it to the Win2K box. After install I have no trouble accessing the web from the Win2K box with FF.
I want to say thank you to all that helped. I learned quite a bit from you guys.
Sincerely,
Mike McClain
-- 
"Your assumptions are your windows on the world. Scrub them off every once in a while or the light won't come in." - Alan Alda, Connecticut College 62nd Commencement Speech, 1980

Archive: https://lists.debian.org/20140812053823.GA20606@playground
Re: IP Forwarding to Windows machine
Mike McClain wrote:
>
> Clearly DNS lookup is working and I have a problem with the
> configuration of IE.

Check in its network settings whether a proxy is defined, and remove it.

Archive: https://lists.debian.org/53e8b1c4.8050...@plouf.fr.eu.org
Re: IP Forwarding to Windows machine
On Mon, 11 Aug 2014 17:44:52 +1000
Andrew McGlashan wrote:

>
> I give another vote for IPCop btw that or pfsense, but IPCop is
> simpler.
>

Yes, but it's a distribution in itself, which means you need to dedicate an entire computer to it. (No, I don't think there is any point in running a network firewall within a virtual machine).

-- 
Joe

Archive: https://lists.debian.org/20140811090546.3cec3...@jresid.jretrading.com
Re: IP Forwarding to Windows machine
On 10/08/2014 10:06 AM, Mike McClain wrote:
>> Please describe your network topology. Where's the Win2k box ?
>
>          _____________            ______________
>         |   Debian    |   LAN    | Windows 2000 |
> Inet----|   Linux     |----------|     S40      |
> (ppp)   | 192.168.1.2 |cross-over| 192.168.1.3  |
>         |_____________|          |______________|
>
>> What's S40 ?
> S40 short for south40 the name of the Win2K box.

You do know that Windows 2000 is very old and hasn't been supported for an eternity in /IT/ years? I wouldn't trust the box these days, it's like running an unregistered and roadworthy motor car...

I give another vote for IPCop btw that or pfsense, but IPCop is simpler.

Cheers
A.
Re: IP Forwarding to Windows machine
On Sun, 10 Aug 2014 16:07:01 -0400
Tom H wrote:

> On Sun, Aug 10, 2014 at 2:24 PM, Nemeth Gyorgy
> wrote:
> > On 2014-08-10 11:33, Pascal Hambourg wrote:
> >>
> >> Nemeth Gyorgy's ruleset is too complicated. Use the bare minimum :
> >>
> >> sysctl -w net.ipv4.ip_forward=1
> >> iptables -t nat -P ACCEPT
> >> iptables -t filter -P ACCEPT
> >
> > This is really a big sechole.
>
> This is one of these hopelessly unresolvable issues where some people
> believe that the correct config is to have policy DROP/REJECT and
> others believe that the correct config is to have a policy of ACCEPT
> and to have the final rule in the respective chains be DROP/REJECT..
>

Why is it unresolvable? A DROP/REJECT policy is fail-safe, ACCEPT isn't. If the rest of the rules are correct, (and more importantly, guaranteed always to stay that way in the face of editing, sometimes rushed) an ACCEPT policy is redundant, and if they're not, it's dangerous. You will never *ever* want that ACCEPT policy rule to be traversed.

But it greatly simplifies matters during a short go-nogo test, during which the probability of an attack is quite small. And here's another reason that the Internet connection should be farmed out to a dedicated device containing at least a simple stateful packet filter, so that experimentation with the main firewall carries little risk.

-- 
Joe

Archive: https://lists.debian.org/20140810213030.1e3a3...@jretrading.com
Re: IP Forwarding to Windows machine
On Sun, Aug 10, 2014 at 2:24 PM, Nemeth Gyorgy wrote:
> On 2014-08-10 11:33, Pascal Hambourg wrote:
>>
>> Nemeth Gyorgy's ruleset is too complicated. Use the bare minimum :
>>
>> sysctl -w net.ipv4.ip_forward=1
>> iptables -t nat -P ACCEPT
>> iptables -t filter -P ACCEPT
>
> This is really a big sechole.

This is one of these hopelessly unresolvable issues where some people believe that the correct config is to have policy DROP/REJECT and others believe that the correct config is to have a policy of ACCEPT and to have the final rule in the respective chains be DROP/REJECT..

Archive: https://lists.debian.org/CAOdo=sxfu3syvakxq5vjwpst0gbmcmf7ko0ood-0j-tfdzr...@mail.gmail.com
Re: IP Forwarding to Windows machine
On 2014-08-10 11:33, Pascal Hambourg wrote:
> Nemeth Gyorgy's ruleset is too complicated. Use the bare minimum :
>
> sysctl -w net.ipv4.ip_forward=1
> iptables -t nat -P ACCEPT
> iptables -t filter -P ACCEPT

This is really a big sechole.

> iptables -t mangle -P ACCEPT
> iptables -t nat -F
> iptables -t filter -F
> iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> Then test the following commands from Windows in order :
> tracert -d 130.89.148.12
> tracert ftp.debian.org
> telnet ftp.debian.org 21
> (if you get the server banner then type "quit" to exit)
>

-- 
--- Friczy ---
'Death is not a bug, it's a feature'

Archive: https://lists.debian.org/53e7b8f1.5080...@freemail.hu
Re: IP Forwarding to Windows machine
On 2014-08-10 01:49, Mike McClain wrote:
>> It's a rather complicated, sometimes overcomplicated script. But some
>> rules are missing and/or not in the correct order.
>
> I've little doubt you are correct, admittedly I'm flailing a bit.
> Trying this and that with little luck.
> I'd appreciate it if you'd be a little more explicit as to what's
> missing and out of order. I'm running no external services.

Sorry, there were too many mistakes in the script; it would take too many mails to clean up the errors in it.

> I did exactly as you suggested, implementing a minimalist set of rules,
> only the 5 you mentioned and saw improvement. Now the Win2K box can
> ping google.com and get a reply but IE still can't connect to
> Google.com nor several other sites I tried, still reporting,
> "Cannot find server or DNS error."
>
> Thanks for your help.
> Any further suggestions?

If the DNS seems to be the problem (according to the message) then the first thing to do is to debug the DNS settings. On Windows you can check the DNS with the

ipconfig /all

command and check whether DNS is properly set or not.

Another debug solution can be to insert LOG rules at the end of the script:

iptables -A FORWARD -j LOG --log-prefix iptables-forward
iptables -A INPUT -j LOG --log-prefix iptables-input

then by checking the log you can see what is dropped. But be careful: there can be a lot of log lines. But for debugging it can be a good solution. Usually it is worth creating a junk chain and dropping a lot of known packets without logging (of course only if you know they are really junk).

-- 
--- Friczy ---
'Death is not a bug, it's a feature'

Archive: https://lists.debian.org/53e7b86b.9030...@freemail.hu
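As an added example (not code from the thread or from any of its participants), here is Friczy's "minimum security level for a home firewall" from the earlier message (nat/mangle ACCEPT, filter INPUT and FORWARD DROP, OUTPUT ACCEPT, explicit allows) combined with the LOG-at-the-end debugging rules and the junk chain from this one, rendered as an iptables-restore ruleset. The interface names ppp0/eth1 and the 192.168.1.0/24 LAN are assumptions taken from the OP's topology; the ports dropped in the junk chain are an assumed example of known noise.

```shell
#!/bin/sh
# Added example, not the thread's own script. Generates Friczy's minimum
# home-firewall policy plus his LOG/junk-chain debugging aid in
# iptables-restore format. Interface names and LAN prefix are assumptions.

INET="${INET:-ppp0}"                 # dial-up link to the ISP (assumed)
LAN="${LAN:-eth1}"                   # cross-over cable to the Win2K box (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}" # LAN prefix (assumed from the topology)

# Print the ruleset on stdout. Pipe into `iptables-restore` to load it, or
# into `iptables-restore --test` to parse it without touching the kernel.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only LAN-sourced traffic leaving on the dial-up interface
-A POSTROUTING -s $LAN_NET -o $INET -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
# Fail-safe policies: anything not explicitly allowed below is dropped,
# and still dropped if a later edit removes one of the rules
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:junk - [0:0]
# junk chain: known noise dropped silently so it does not flood the log
# (assumed example: NetBIOS/SMB probes and connection-tracking INVALID)
-A junk -p udp -m multiport --dports 137,138 -j DROP
-A junk -p tcp -m multiport --dports 139,445 -j DROP
-A junk -m conntrack --ctstate INVALID -j DROP
# INPUT: loopback, replies to our own traffic, and the LAN side only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
-A INPUT -i $INET -j junk
# Everything still here is about to hit the DROP policy: log it first
-A INPUT -j LOG --log-prefix "iptables-input " --log-level info
# FORWARD: LAN -> Internet and the replies back; nothing new from outside
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $INET -s $LAN_NET -j ACCEPT
-A FORWARD -j junk
-A FORWARD -j LOG --log-prefix "iptables-forward " --log-level info
COMMIT
EOF
}

# Report the policy a chain gets in a table by parsing our own output,
# e.g. `policy_of filter FORWARD` prints DROP. A quick pre-flight check
# that the fail-safe defaults are really in the ruleset about to be loaded.
policy_of() {
    gen_rules | awk -v t="*$1" -v c=":$2" '
        $0 == t { in_t = 1; next }
        /^\*/   { in_t = 0 }
        in_t && $1 == c { print $2; exit }'
}

# Load the ruleset; pass --test to parse only (needs root to actually load).
load_rules() {
    gen_rules | iptables-restore "$@"
}
```

Run `gen_rules | iptables-restore --test` first; the LOG lines show up in the kernel log (e.g. `dmesg`) prefixed with iptables-input / iptables-forward, exactly the debugging aid described above.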
Re: IP Forwarding to Windows machine
On Sun, Aug 10, 2014 at 11:33:27AM +0200, Pascal Hambourg wrote:
>
> Nemeth Gyorgy's ruleset is too complicated. Use the bare minimum :
>
> sysctl -w net.ipv4.ip_forward=1
> iptables -t nat -P ACCEPT
> iptables -t filter -P ACCEPT
> iptables -t mangle -P ACCEPT
> iptables -t nat -F
> iptables -t filter -F
> iptables -t mangle -F
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> Then test the following commands from Windows in order :
> tracert -d 130.89.148.12
> tracert ftp.debian.org
> telnet ftp.debian.org 21
> (if you get the server banner then type "quit" to exit)

Hi Pascal,
Thank you very much. I didn't know about 'tracert' and running it as you suggested shows that I've been barking up the wrong tree.
Here's the results of running tracert from Windows:

Mike@Win2K:~> tracert -d 130.89.142.12

Tracing route to 130.89.142.12 over a maximum of 30 hops

  1   <10 ms   <10 ms   <10 ms  192.168.1.2
  2   110 ms   110 ms   120 ms  69.19.219.6
  3   110 ms   111 ms   120 ms  69.19.219.19
  4   100 ms   110 ms   101 ms  69.19.223.17
  5   100 ms   110 ms   110 ms  66.220.13.33
  6   110 ms   100 ms   110 ms  72.52.92.121
  7   161 ms   180 ms   170 ms  72.52.92.225
  8   241 ms   240 ms   240 ms  72.52.92.165
  9   231 ms   240 ms   270 ms  195.66.225.122
 10   241 ms   240 ms   251 ms  145.145.4.46
 11     *        *        *     Request timed out.
  .
  .  snipped
  .
 30     *        *        *     Request timed out.

Trace complete.

Mike@Win2K:~> tracert ftp.debian.org

Tracing route to ftp.debian.org [130.89.148.12]
over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  192.168.1.2
  2   100 ms   120 ms   110 ms  laxapx05.o1.com [69.19.219.6]
  3   101 ms   100 ms   110 ms  o1-69-19-219-19.static.o1.com [69.19.219.19]
  4   100 ms    90 ms   111 ms  o1-69-19-223-17.static.o1.com [69.19.223.17]
  5   100 ms   100 ms   100 ms  ge2-4.core1.lax2.he.net [64.62.142.157]
  6   110 ms   110 ms   120 ms  10ge10-2.core1.lax1.he.net [72.52.92.121]
  7   171 ms   160 ms   180 ms  10ge10-8.core1.nyc4.he.net [72.52.92.225]
  8   231 ms   240 ms   240 ms  100ge7-2.core1.lon2.he.net [72.52.92.165]
  9   231 ms   240 ms   240 ms  jnr01.asd002a.surf.net [195.66.225.122]
 10   240 ms   240 ms   251 ms  UTwente-router.Customer.surf.net [145.145.4.46]
 11   240 ms   240 ms   251 ms  klecker2.snt.utwente.nl [130.89.148.12]

Trace complete.

Clearly DNS lookup is working and I have a problem with the configuration of IE.
Again thanks,
Mike
-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?

Archive: https://lists.debian.org/20140810181558.GB32267@playground
Re: IP Forwarding to Windows machine
On Sat, Aug 09, 2014 at 10:30:53PM -0600, Bob Proulx wrote:
> Mike McClain wrote:
> > Pascal Hambourg wrote:
> > > Please describe your network topology. Where's the Win2k box ?
> >
> >          _____________            ______________
> >         |   Debian    |   LAN    | Windows 2000 |
> > Inet----|   Linux     |----------|     S40      |
> > (ppp)   | 192.168.1.2 |cross-over| 192.168.1.3  |
> >         |_____________|          |______________|
>
> It isn't 100% clear so I will ask. What IP address is the Debian box
> getting on the ppp connection? You only list one IP address for it
> but of course it must have another one for the upstream connection.
> And you left that one out leaving us guessing about it.
>

Hi Bob,
Sorry I left that out, I should have shown ISP between Inet and the Debian box. My external IP address I get via dhcp from the ISP and it varies but is in the 69.19.x.x range.
Mike
-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?

Archive: https://lists.debian.org/20140810162441.GA32267@playground
Re: IP Forwarding to Windows machine
Mike McClain wrote:
>
> from a zsh prompt:
> Mike zsh:~> nslookup
> Default Server:  resolver1.opendns.com
> Address:  208.67.222.222
>
> >
> Didn't return.

Of course not. If you don't provide a domain name to query in the command line, nslookup just sits there and waits for a command or a name to query.

Archive: https://lists.debian.org/53e73d91.3090...@plouf.fr.eu.org
Re: IP Forwarding to Windows machine
Mike McClain wrote:
> On Fri, Aug 08, 2014 at 09:13:23PM +0200, Pascal Hambourg wrote:
>>
>> Same as Nemeth Gyorgy : restart without any filtering, just the IP
>> forwarding and masquerading. If it does not work, it's not due to
>> filtering. Then when everything works add the filtering.
>
> All suggestions appreciated.

Nemeth Gyorgy's ruleset is too complicated. Use the bare minimum :

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -P ACCEPT
iptables -t filter -P ACCEPT
iptables -t mangle -P ACCEPT
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Then test the following commands from Windows in order :
tracert -d 130.89.148.12
tracert ftp.debian.org
telnet ftp.debian.org 21
(if you get the server banner then type "quit" to exit)

Archive: https://lists.debian.org/53e73c67.3090...@plouf.fr.eu.org
Re: IP Forwarding to Windows machine
Bob Proulx wrote:
> Mike McClain wrote:
>>          _____________            ______________
>>         |   Debian    |   LAN    | Windows 2000 |
>> Inet----|   Linux     |----------|     S40      |
>> (ppp)   | 192.168.1.2 |cross-over| 192.168.1.3  |
>>         |_____________|          |______________|
>
> It isn't 100% clear so I will ask. What IP address is the Debian box
> getting on the ppp connection? You only list one IP address for it
> but of course it must have another one for the upstream connection.

Not necessarily. The PPP interface may have the same address as the Ethernet interface, or even be left unnumbered (without an address) and use the address of the other interface.

Example here of same address on eth0 (to LAN) and ppp0 (to ISP) :

2: eth0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    inet6 2001:7a8:6d23:1::1/64 scope global
       valid_lft forever preferred_lft forever
15: ppp0: mtu 1460 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet6 2001:7a8:6d23:1::1/128 scope global

I used to leave ppp0 unnumbered and it happily used the address of eth0, until I added a 6to4 tunnel interface and ppp0 started to use the local tunnel address instead, which I didn't want.

> And you left that one out leaving us guessing about it.

Anyway, it does not matter so much. If ping to the outside works, then IP connectivity, addressing and routing are correct.

> Hopefully it isn't getting another 192.168.1.x IP address there from
> its upstream. If so then that would create routing problems for it.
> It would have the 192.168.1 subnet on both ports and that would cause
> it problems.

Not necessarily.

> For simple operation a router needs different IP subnets
> on the different ethernet ports.

A PPP link is not an Ethernet link. It does not have a subnet. At most just a pair of arbitrary addresses at each end.

Archive: https://lists.debian.org/53e739de.6060...@plouf.fr.eu.org
Re: IP Forwarding to Windows machine
Mike McClain wrote:
> Pascal Hambourg wrote:
> > Please describe your network topology. Where's the Win2k box ?
>
>          _____________            ______________
>         |   Debian    |   LAN    | Windows 2000 |
> Inet----|   Linux     |----------|     S40      |
> (ppp)   | 192.168.1.2 |cross-over| 192.168.1.3  |
>         |_____________|          |______________|

It isn't 100% clear so I will ask. What IP address is the Debian box getting on the ppp connection? You only list one IP address for it but of course it must have another one for the upstream connection. And you left that one out leaving us guessing about it.

Hopefully it isn't getting another 192.168.1.x IP address there from its upstream. If so then that would create routing problems for it. It would have the 192.168.1 subnet on both ports and that would cause it problems. For simple operation a router needs different IP subnets on the different ethernet ports. If the Debian box is getting a 192.168.1.x address from ppp then that would be a problem. In which case the downstream connection would need to change to a different subnet than the upstream subnet.

Bob
Re: IP Forwarding to Windows machine
On Fri, Aug 08, 2014 at 09:13:23PM +0200, Pascal Hambourg wrote:
> Hello,
>
> Mike McClain wrote:
> > I've been trying to get my hand rolled iptables firewall to
> > masquerade traffic on the LAN to/from a Win2K box.
>
> Please describe your network topology. Where's the Win2k box ?

         _____________            ______________
        |   Debian    |   LAN    | Windows 2000 |
Inet----|   Linux     |----------|     S40      |
(ppp)   | 192.168.1.2 |cross-over| 192.168.1.3  |
        |_____________|          |______________|

> What's S40 ?

S40 short for south40 the name of the Win2K box.

> > I've gotten it to
> > the point that I can ping from the boxes both ways,
>
> Which boxes ?
>
> > smbclient can move files both ways
>
> Smbclient run on which box ?

Smbclient run on the Linux box.

> > and the Win2K box can ping Google's IP address but DNS
> > lookup fails even though I've used the same DNS server in the Win2K
> > box as on my Debian box which access the Inet via dialup. IE says
> > "Cannot find server or DNS error."
> > I've read every HOWTO and the iptables man pages several times but
> > am at a loss.
> > Suggestions?
>
> Same as Nemeth Gyorgy : restart without any filtering, just the IP
> forwarding and masquerading. If it does not work, it's not due to
> filtering. Then when everything works add the filtering.

All suggestions appreciated.
Thanks,
Mike
-- 
"Imagination is looking at a dot in the sky and seeing it as another world is looking at the world and seeing it as just a dot in the sky. is seeing a garden in the galaxy Is seeing a galaxy in the garden." - Jon Lomberg, space artist and journalist..

Archive: https://lists.debian.org/2014081633.GE11824@playground
Re: IP Forwarding to Windows machine
On Fri, Aug 08, 2014 at 08:24:11PM +0200, Nemeth Gyorgy wrote:
> On 2014-08-08 09:04, Mike McClain wrote:
> > I've been trying to get my hand rolled iptables firewall to
> > masquerade traffic on the LAN to/from a Win2K box. I've gotten it to
> > the point that I can ping from the boxes both ways, smbclient can move
> > files both ways and the Win2K box can ping Google's IP address but DNS
> > lookup fails even though I've used the same DNS server in the Win2K
> > box as on my Debian box which access the Inet via dialup. IE says
> > "Cannot find server or DNS error."
>
> It's a rather complicated, sometimes overcomplicated script. But some
> rules are missing and/or not in the correct order.

I've little doubt you are correct, admittedly I'm flailing a bit.
Trying this and that with little luck.
I'd appreciate it if you'd be a little more explicit as to what's
missing and out of order. I'm running no external services.

> To keep things more simple I suggest to do a minimal script and you can
> make it more complicated later.

I did exactly as you suggested, implementing a minimalist set of rules,
only the 5 you mentioned and saw improvement. Now the Win2K box can
ping google.com and get a reply but IE still can't connect to
Google.com nor several other sites I tried, still reporting,
"Cannot find server or DNS error."

Thanks for your help.
Any further suggestions?
Mike
-- 
"Imagination is looking at a dot in the sky and seeing it as another world is looking at the world and seeing it as just a dot in the sky. is seeing a garden in the galaxy Is seeing a galaxy in the garden." - Jon Lomberg, space artist and journalist..

Archive: https://lists.debian.org/20140809234918.GD11824@playground
Re: IP Forwarding to Windows machine
On Fri, Aug 08, 2014 at 09:16:05PM -0700, Matt Ventura wrote:
> On 8/8/2014 12:04 AM, Mike McClain wrote:
> > I've been trying to get my hand rolled iptables firewall to
> > masquerade traffic on the LAN to/from a Win2K box. I've gotten it to
> > the point that I can ping from the boxes both ways, smbclient can move
> > files both ways and the Win2K box can ping Google's IP address but DNS
> > lookup fails even though I've used the same DNS server in the Win2K
> > box as on my Debian box which access the Inet via dialup. IE says
> > "Cannot find server or DNS error."
> > I've read every HOWTO and the iptables man pages several times but
> > am at a loss.
> > Suggestions?
> > Thanks,
> > Mike
>
> Can you post the exact output of the nslookup attempt from the win2k box?
>
> Thanks,
> Matt Ventura

from a zsh prompt:

Mike zsh:~> nslookup
Default Server:  resolver1.opendns.com
Address:  208.67.222.222

>
Didn't return.

from a cmd.exe prompt:

C:\WINNT\system32>nslookup
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 208.67.222.222: Timed out
Default Server:  resolver2.opendns.com
Address:  208.67.220.220

>
Didn't return.

from a bash prompt:

Mike@Win2k:~> nslookup
Default Server:  resolver1.opendns.com
Address:  208.67.222.222

>
Didn't return.

I'm quite sure I didn't enter 'resolver1' or 'resolver2' in anything in Windows so the DNS lookup must have worked to some degree.
Mike
-- 
"Imagination is looking at a dot in the sky and seeing it as another world is looking at the world and seeing it as just a dot in the sky. is seeing a garden in the galaxy Is seeing a galaxy in the garden." - Jon Lomberg, space artist and journalist..

Archive: https://lists.debian.org/20140809230007.GB11824@playground
Re: IP Forwarding to Windows machine
On Fri, Aug 08, 2014 at 07:05:28PM -0700, David Christensen wrote:
> On 08/08/2014 12:04 AM, Mike McClain wrote:
> > I've been trying to get my hand rolled iptables firewall to
> > masquerade traffic on the LAN to/from a Win2K box.
>
> I used to write my own firewall/ router rules, but then discovered
> purpose-built firewall/ router FOSS distributions. I used IPCop for
> many years, and was very pleased:
>
> http://www.ipcop.org/
>

Hi David,
I learn best by studying and doing. Maybe what I'll learn is that it's beyond me and give ipcop a try but not yet.
Thanks for the idea,
Mike
-- 
"Imagination is looking at a dot in the sky and seeing it as another world is looking at the world and seeing it as just a dot in the sky. is seeing a garden in the galaxy Is seeing a galaxy in the garden." - Jon Lomberg, space artist and journalist..

Archive: https://lists.debian.org/20140809225547.GA11824@playground
Re: IP Forwarding to Windows machine
On 8/8/2014 12:04 AM, Mike McClain wrote:
> I've been trying to get my hand rolled iptables firewall to
> masquerade traffic on the LAN to/from a Win2K box. I've gotten it to
> the point that I can ping from the boxes both ways, smbclient can move
> files both ways and the Win2K box can ping Google's IP address but DNS
> lookup fails even though I've used the same DNS server in the Win2K
> box as on my Debian box which access the Inet via dialup. IE says
> "Cannot find server or DNS error."
> I've read every HOWTO and the iptables man pages several times but
> am at a loss.
> Suggestions?
> Thanks,
> Mike

Can you post the exact output of the nslookup attempt from the win2k box?

Thanks,
Matt Ventura

Archive: https://lists.debian.org/53e5a085.6010...@mattventura.net
Re: IP Forwarding to Windows machine
On 08/08/2014 12:04 AM, Mike McClain wrote:
> I've been trying to get my hand rolled iptables firewall to
> masquerade traffic on the LAN to/from a Win2K box.

I used to write my own firewall/ router rules, but then discovered purpose-built firewall/ router FOSS distributions. I used IPCop for many years, and was very pleased:

http://www.ipcop.org/

HTH,

David

Archive: https://lists.debian.org/53e581e8.6070...@holgerdanske.com
Re: IP Forwarding to Windows machine
Hello,

Mike McClain wrote:
> I've been trying to get my hand rolled iptables firewall to
> masquerade traffic on the LAN to/from a Win2K box.

Please describe your network topology. Where's the Win2k box ? What's S40 ?

> I've gotten it to
> the point that I can ping from the boxes both ways,

Which boxes ?

> smbclient can move files both ways

Smbclient run on which box ?

> and the Win2K box can ping Google's IP address but DNS
> lookup fails even though I've used the same DNS server in the Win2K
> box as on my Debian box which access the Inet via dialup. IE says
> "Cannot find server or DNS error."
> I've read every HOWTO and the iptables man pages several times but
> am at a loss.
> Suggestions?

Same as Nemeth Gyorgy : restart without any filtering, just the IP forwarding and masquerading. If it does not work, it's not due to filtering. Then when everything works add the filtering.

Archive: https://lists.debian.org/53e52153.2070...@plouf.fr.eu.org
Re: IP Forwarding to Windows machine
On 2014-08-08 09:04, Mike McClain wrote:
> I've been trying to get my hand-rolled iptables firewall to
> masquerade traffic on the LAN to/from a Win2K box. I've gotten it to
> the point that I can ping from the boxes both ways, smbclient can move
> files both ways and the Win2K box can ping Google's IP address but DNS
> lookup fails even though I've used the same DNS server in the Win2K
> box as on my Debian box which accesses the Inet via dialup. IE says
> "Cannot find server or DNS error."
> I've read every HOWTO and the iptables man pages several times but
> am at a loss.
> Suggestions?
> Thanks,
> Mike
>
> Here's the firewall code:
> #!/bin/sh
> # /mc/bin/my_iptables_fw_lan.sh July 29, 2014 Mc
> # install forwarding to south40
> # from /mc/bin/my_iptables_fw.sh July 25, 2014 Mc
> # from ~/nixSecurity/LFS_firewall.txt
> # which copied from packet-filtering-HOWTO.html
> # and attributed to Rusty Russell
> # resources: docs/nixSecurity/IPtables_Basics.html
>
> # You can send test packets using
> # Code: telnet ip 445
> # and listen incoming packets on 445 port this way
> # Code: tcpdump -i eth0 dst port 445
> # scan from this side
> # Code: nmap -vv --reason -p 1-1056 192.168.1.2
>
> INET=ppp0
> LAN=eth1
> router='192.168.1.1'
> S40='192.168.1.3'
>
> # Insert connection-tracking modules
> # (not needed if built into the kernel)
> modprobe ip_tables
> modprobe iptable_filter
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ipt_state
> modprobe ipt_LOG
> # for masq
> modprobe ipt_MASQUERADE
>
> # for masq: allow forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/lo/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
> echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding
>
> # Set a known state -
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> # remove all rules and pre-existing user defined chains before we implement new rules.
> iptables -F            # delete all rules in all chains
> iptables -t nat -F
> iptables -t filter -F
> iptables -t mangle -F
> iptables -X            # all chains but the built-in ones (INPUT,OUTPUT,FORWARD) will be deleted.
> iptables -Z            # zero all counters in all chains.
>
> # -
> # iptables [-t table(nat,mangle,filter,raw)] command(-AIRD [INPUT,OUTPUT,FORWARD]) [match] [target/jump]
>
> # INPUT --
> # accept GRC.com for testing
> # iptables -A INPUT -s 4.79.142.206 -j ACCEPT
> # GRC scan: 411 open,
> # most blocked,
> # 88:93,113:114,138:138,210,211,213,215:220,267:271,273,275:280,398 stealth
> # second run different stealth
> iptables -A INPUT -p tcp --dport 411 -j DROP
> iptables -A INPUT -p udp --dport 411 -j DROP
>
> # without SYN packets other computers cannot open communications
> iptables -A INPUT -i $INET -p tcp --syn -j DROP
>
> # ICMP echo from south40 conflicts with sysctl
> # echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all prevents ping router
> # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all prevents s40:ping play
>
> # Disallow NEW and INVALID incoming or forwarded packets from ppp0.
> iptables -A INPUT -i $INET -m state --state NEW,INVALID -j DROP
> iptables -A FORWARD -i $INET -m state --state NEW,INVALID -j DROP
>
> # deny ping from Inet
> iptables -A INPUT -i $INET -p icmp --icmp-type echo-request -j DROP
>
> # Allow local-only connections
> iptables -A INPUT -i $LAN -j ACCEPT
>
> # allow mail to get through 127.0.0.1:25 (exim4 loopback)
> iptables -A INPUT -i lo -j ACCEPT
>
> # for masq
> # iptables -A INPUT -m state --state NEW -i $LAN -j ACCEPT
> iptables -A INPUT -m state --state NEW ! -i $INET -j ACCEPT
>
> # Permit answers on already established connections
> # and permit new connections related to established ones
> # (e.g. port mode ftp)
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Log everything else. What's Windows' latest exploitable vulnerability?
> iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " --log-level 4
>
> # OUTPUT -- ACCEPT
> # drop fragments to south40
> iptables -A OUTPUT -f -d $S40 -j DROP
>
> # port 411 showing as open even though DROPed on INPUT
> iptables -A OUTPUT -p tcp --dport 411 -j DROP
> iptables -A OUTPUT -p udp --dport 411 -j DROP
>
> # MASQ-
> # from Masquerading-Simple-HOWTO
> # Masquerade out ppp0
> iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
> iptables -A FORWARD -i $INET -p tcp --syn -j DROP
> # not sure why but this keeps south40 from pinging Inet
> # iptables -A FORWARD -i $INET -o $INET -j DROP
>
>
IP Forwarding to Windows machine
I've been trying to get my hand-rolled iptables firewall to masquerade
traffic on the LAN to/from a Win2K box. I've gotten it to the point that
I can ping from the boxes both ways, smbclient can move files both ways
and the Win2K box can ping Google's IP address but DNS lookup fails even
though I've used the same DNS server in the Win2K box as on my Debian box
which accesses the Inet via dialup. IE says "Cannot find server or DNS
error."
I've read every HOWTO and the iptables man pages several times but am at
a loss.
Suggestions?
Thanks,
Mike

Here's the firewall code:

#!/bin/sh
# /mc/bin/my_iptables_fw_lan.sh July 29, 2014 Mc
# install forwarding to south40
# from /mc/bin/my_iptables_fw.sh July 25, 2014 Mc
# from ~/nixSecurity/LFS_firewall.txt
# which copied from packet-filtering-HOWTO.html
# and attributed to Rusty Russell
# resources: docs/nixSecurity/IPtables_Basics.html

# You can send test packets using
# Code: telnet ip 445
# and listen incoming packets on 445 port this way
# Code: tcpdump -i eth0 dst port 445
# scan from this side
# Code: nmap -vv --reason -p 1-1056 192.168.1.2

INET=ppp0
LAN=eth1
router='192.168.1.1'
S40='192.168.1.3'

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
# for masq
modprobe ipt_MASQUERADE

# for masq: allow forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/default/forwarding
echo 1 > /proc/sys/net/ipv4/conf/lo/forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
echo 1 > /proc/sys/net/ipv4/conf/eth1/forwarding

# Set a known state -
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# remove all rules and pre-existing user defined chains before we implement new rules.
iptables -F            # delete all rules in all chains
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F
iptables -X            # all chains but the built-in ones (INPUT,OUTPUT,FORWARD) will be deleted.
iptables -Z            # zero all counters in all chains.

# -
# iptables [-t table(nat,mangle,filter,raw)] command(-AIRD [INPUT,OUTPUT,FORWARD]) [match] [target/jump]

# INPUT --
# accept GRC.com for testing
# iptables -A INPUT -s 4.79.142.206 -j ACCEPT
# GRC scan: 411 open,
# most blocked,
# 88:93,113:114,138:138,210,211,213,215:220,267:271,273,275:280,398 stealth
# second run different stealth
iptables -A INPUT -p tcp --dport 411 -j DROP
iptables -A INPUT -p udp --dport 411 -j DROP

# without SYN packets other computers cannot open communications
iptables -A INPUT -i $INET -p tcp --syn -j DROP

# ICMP echo from south40 conflicts with sysctl
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all prevents ping router
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all prevents s40:ping play

# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i $INET -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i $INET -m state --state NEW,INVALID -j DROP

# deny ping from Inet
iptables -A INPUT -i $INET -p icmp --icmp-type echo-request -j DROP

# Allow local-only connections
iptables -A INPUT -i $LAN -j ACCEPT

# allow mail to get through 127.0.0.1:25 (exim4 loopback)
iptables -A INPUT -i lo -j ACCEPT

# for masq
# iptables -A INPUT -m state --state NEW -i $LAN -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $INET -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " --log-level 4

# OUTPUT -- ACCEPT
# drop fragments to south40
iptables -A OUTPUT -f -d $S40 -j DROP

# port 411 showing as open even though DROPed on INPUT
iptables -A OUTPUT -p tcp --dport 411 -j DROP
iptables -A OUTPUT -p udp --dport 411 -j DROP

# MASQ-
# from Masquerading-Simple-HOWTO
# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o $INET -j MASQUERADE
iptables -A FORWARD -i $INET -p tcp --syn -j DROP
# not sure why but this keeps south40 from pinging Inet
# iptables -A FORWARD -i $INET -o $INET -j DROP

--
"You may not control all the events that happen to you, but you can
decide not to be reduced by them." - Maya Angelou

Archive: https://lists.debian.org/201408