Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sun, Sep 28, 2003 at 10:48:37AM +0200, Paidhi wrote:
> I'm doing this using Shorewall, DHCP and dnsmasq. One PC with one interface to the internet and the second one on a little switch. A notebook and another PC connected to the switch. All of them use the internet. My internet connection has a fixed IP.

Thanks very much, I've got it working now!

Cheers

Adam
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sun, Sep 28, 2003 at 04:57:28AM +0300, Sami N??t?nen wrote:
> Do you have DNS in the nat firewall? If you do, you don't allow these queries to come in to it. But you should see these in your log.

That's one thing that someone on the netfilter list has suggested, that my firewall isn't letting DNS queries through. Flushing all rules and just having the rule from the NAT howto

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

doesn't work, where eth0 is the connection to the outside world. Using ethereal it appears that packets are being received at eth1, the local network, but eth1 is not transmitting these packets. I know that the card that supplies eth1 works as it used to supply eth0 in my old machine.

> Could you possibly post what the status thing in your script outputs?

skymoo root # /etc/init.d/firewall showstatus
 * Status...
Chain INPUT (policy DROP 10 packets, 1392 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       15  1136 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  *      *       10.0.0.0/24          0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       13   749 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 * NAT status
Chain PREROUTING (policy ACCEPT 10 packets, 1392 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1    60 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[ ok ]
skymoo root #

Cheers

Adam
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
Hi,

I'm doing this using Shorewall, DHCP and dnsmasq. One PC with one interface to the internet and the second one on a little switch. A notebook and another PC connected to the switch. All of them use the internet. My internet connection has a fixed IP.

Just install Shorewall and follow the Two-Interfaces guide in the QuickStart guides section on the Shorewall website.

http://www.shorewall.net/
http://www.shorewall.net/two-interface.htm

Below are entries from my configuration files (eth0=local net, eth1=internet). I hope this helps. For me this works great and I don't have to know anything about iptables stuff because Shorewall is doing this for me.

Don't forget to do a rc-update add shorewall default.

Rgds,
-Markus-

/etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth1        detect          routefilter,norfc1918
loc     eth0        192.168.0.255

/etc/shorewall/masq:
#ZONE   INTERFACE   BROADCAST       OPTIONS
net     eth1        detect          routefilter,norfc1918
loc     eth0        192.168.0.255

/etc/shorewall/policy:
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
loc     net     ACCEPT
fw      net     ACCEPT
net     all     DROP    warning
all     all     DROP    warning

/etc/shorewall/routestopped:
#INTERFACE  HOST(S)
eth0        192.168.0.0/24

/etc/shorewall/rules:
#ACTION SOURCE  DEST    PROTO   DEST        SOURCE      ORIGINAL
#                               PORT        PORT(S)     DEST
#
# Accept SSH connections from the local network for administration
#
ACCEPT  loc     fw      tcp     22
#
# Accept SSH connections from the firewall to local network
#
ACCEPT  fw      loc     tcp     22
#
# Allow Ping To And From Firewall
#
ACCEPT  loc     fw      icmp    8
ACCEPT  net     fw      icmp    8
ACCEPT  fw      loc     icmp    8
ACCEPT  fw      net     icmp    8
#
# Accept DNS connections to the internal caching nameserver
#
ACCEPT  loc     fw      tcp     53
ACCEPT  loc     fw      udp     53
#
# Accept ftp sessions to local network
#
ACCEPT  fw      loc     tcp     20,21
#
# Allow DHCP communication
#
ACCEPT  fw      loc     tcp     67,68
ACCEPT  fw      loc     udp     67,68
ACCEPT  loc     fw      tcp     67,68
ACCEPT  loc     fw      udp     67,68
#
# Accept Samba sessions from local network
# See http://www.shorewall.net/samba.htm
# Note: In W2K MS has created new transport over TCP 445!
# See http://www.iss.net/security_center/advice/Exploits/Ports/445/default.htm
#
ACCEPT  fw      loc     udp     137:139
ACCEPT  fw      loc     tcp     137,139
ACCEPT  fw      loc     udp     1024:       137
ACCEPT  loc     fw      udp     137:139
ACCEPT  loc     fw      tcp     137,139
ACCEPT  loc     fw      udp     1024:       137
#
# Accept NFS sessions from local network to firewall
# Port  Usage
# 111   portmapper
# 2049  nfsd or rpc.nfsd (nfs in rpcinfo)
# 4000  rpc.statd (status in rpcinfo)            (see /etc/conf.d/nfs)
# 4001  lockd or rpc.lockd (nlockmgr in rpcinfo) (see /etc/modules.d/nfs)
# 4002  rpc.mountd (mountd in rpcinfo)           (see /etc/conf.d/nfs)
# 4003  rpc.quotad (rquotad in rpcinfo)          (see /etc/conf.d/nfs)
#
ACCEPT  loc     fw      tcp     111
ACCEPT  loc     fw      udp     111
ACCEPT  loc     fw      tcp     2049
ACCEPT  loc     fw      udp     2049
ACCEPT  loc     fw      tcp     4000
ACCEPT  loc     fw      udp     4000
ACCEPT  loc     fw      tcp     4001
ACCEPT  loc     fw      udp     4001
ACCEPT  loc     fw      tcp     4002
ACCEPT  loc     fw      udp     4002
ACCEPT  loc     fw      tcp     4003
ACCEPT  loc     fw      udp     4003
#
# Accept BitTorrent sessions from the internet to firewall
# See http://bitconjurer.org/BitTorrent/index.html
#
ACCEPT  net     fw      tcp     6881:6889
#
# Accept SMTP from local network to firewall
#
ACCEPT  loc     fw
Re: [gentoo-user] Idiots guide to NAT and DHCP
[EMAIL PROTECTED] said:
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> doesn't work, where eth0 is the connection to the outside world. Using ethereal it appears that packets are being received at eth1, the local network, but eth1 is not transmitting these packets. I know that the card that supplies eth1 works as it used to supply eth0 in my old machine.

Is /proc/sys/net/ipv4/ip_forward set to 1? It seems it's not

/A
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sun, Sep 28, 2003 at 11:32:31AM +0200, [EMAIL PROTECTED] wrote:
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > doesn't work, where eth0 is the connection to the outside world. Using ethereal it appears that packets are being received at eth1, the local network, but eth1 is not transmitting these packets. I know that the card that supplies eth1 works as it used to supply eth0 in my old machine.
>
> Is /proc/sys/net/ipv4/ip_forward set to 1? It seems it's not

It is, I have

    echo 1 > /proc/sys/net/ipv4/ip_forward

in my script

Cheers

Adam
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sun, Sep 28, 2003 at 10:48:37AM +0200, Paidhi wrote:
> I'm doing this using Shorewall, DHCP and dnsmasq. One PC with one interface to the internet and the second one on a little switch. A notebook and another PC connected to the switch. All of them use the internet. My internet connection has a fixed IP.
>
> Just install Shorewall and follow the Two-Interfaces guide in the QuickStart guides section on the Shorewall website.
>
> http://www.shorewall.net/
> http://www.shorewall.net/two-interface.htm
>
> Below are entries from my configuration files (eth0=local net, eth1=internet). I hope this helps. For me this works great and I don't have to know anything about iptables stuff because Shorewall is doing this for me.
>
> Don't forget to do a rc-update add shorewall default.

Thanks, I'll give this a try

Cheers

Adam
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sunday 28 September 2003 18:32, [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] said:
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > doesn't work, where eth0 is the connection to the outside world. Using ethereal it appears that packets are being received at eth1, the local network, but eth1 is not transmitting these packets. I know that the card that supplies eth1 works as it used to supply eth0 in my old machine.
>
> Is /proc/sys/net/ipv4/ip_forward set to 1? It seems it's not

You've just reminded me that I'm having the same problem. I very rarely need to nat on my box so I just forgot... What kernel are you running? I'm running 2.6.0-test5 and am unable to nat at all. My rules worked when I was using 2.4 and the earlier 2.6 but at some stage it stopped. I haven't bothered to figure out when or why yet. So, perhaps try a different kernel?

Jason
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sun, Sep 28, 2003 at 07:13:15PM +0900, Jason Stubbs wrote:
> You've just reminded me that I'm having the same problem. I very rarely need to nat on my box so I just forgot... What kernel are you running?

vanilla 2.4.22

> I'm running 2.6.0-test5 and am unable to nat at all. My rules worked when I was using 2.4 and the earlier 2.6 but at some stage it stopped. I haven't bothered to figure out when or why yet. So, perhaps try a different kernel?

That's what I'm in the middle of trying now, my friend has a similar set up and his rules don't work on my box. He runs Red Hat 9, so I'm trying the Red Hat 2.4.20-20.9 kernel, it's compiling now.

Cheers

Adam
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Mon, Sep 22, 2003 at 09:43:37AM +0900, Jason Stubbs wrote:
> > I want to setup a DHCP server on my desktop machine so that I can plug my laptop into my second network port and then access the internet through my desktop using NAT. However I can't get it to work. I've followed as much of the NAT and DHCP howtos that I can but can't get it to work. Does anyone know of an idiots guide to setting this up?
>
> The only guide I know of is http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
> It should be fairly straight forward to set up though. Try the following:
>
> If you are using dhcp to get your ip address for your internet connection on eth0 and eth1 is your local network connection, you can set up dhcpd to give out ip addresses in the 192.168.1.0/24 range and use the following to enable natting:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> If you have a static ip address for the internet that is 1.2.3.4 for example, the following should work:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.4
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> If the above doesn't work, indicate how you have it set up so far and we can go from there.

Well I've followed the NAT HOWTO and I still can't get it working. I have managed to get a DHCP server running, it gives an IP address out in the range 10.0.0.0 to 10.0.0.100 - this works.

I've attached my firewall script. One thing I've noticed is that firewall status doesn't say anything regarding NAT, which, looking at the script, it should?

skymoo root # /etc/init.d/firewall status
 * status: started
skymoo root #

Also iptables -L shows nothing regarding NAT

skymoo root # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
LOG        all  --  anywhere             anywhere            LOG level warning prefix `FIREWALL:INPUT '

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
skymoo root #

Any pointers would be appreciated.

Cheers

Adam
--
[EMAIL PROTECTED] mailing list
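As an added example (not from Adam's post or from anyone else in the thread), the following shell function audits an iptables status dump for the two conditions this thread keeps circling: a FORWARD chain whose policy is DROP with no ACCEPT rule in it, and no MASQUERADE/SNAT rule in the nat POSTROUTING chain. It reads the output of either a plain `iptables -L` or the `-L -n -v --line-numbers` form that `/etc/init.d/firewall showstatus` prints, locating the target column from each chain's header line. The two sample dumps embedded in it are constructed to mirror the shapes of output quoted in this thread; they are not real captures.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an iptables dump for the
# states that leave a NAT gateway silently dropping LAN traffic. Run as:
#   /etc/init.d/firewall showstatus | sh audit.sh
# or feed it "iptables -L -n -v; iptables -t nat -L -n -v" on stdin.

# audit_dump: reads an "iptables -L" style dump on stdin, prints one finding
# per line, and exits 1 when anything was found (0 when clean). It handles
# both the plain -L layout and the -v --line-numbers layout by locating the
# "target" column from each chain's header line.
audit_dump() {
    awk '
    /^Chain / {
        chain = $2; policy = $4; sub(/\)$/, "", policy)
        if (chain == "FORWARD") fwd_policy = policy
        next
    }
    $1 == "num" || $1 == "pkts" || $1 == "target" {
        for (i = 1; i <= NF; i++) if ($i == "target") tcol = i
        next
    }
    NF > 0 && tcol > 0 {
        t = $tcol
        if (chain == "FORWARD" && t == "ACCEPT") fwd_accept++
        if (chain == "POSTROUTING" && (t == "MASQUERADE" || t == "SNAT")) nat++
    }
    END {
        bad = 0
        if (fwd_policy == "DROP" && fwd_accept == 0) {
            print "FORWARD: policy DROP and no ACCEPT rule, nothing is routed between interfaces"
            bad = 1
        }
        if (nat == 0) {
            print "POSTROUTING: no MASQUERADE/SNAT rule seen (was the nat table included with -t nat?)"
            bad = 1
        }
        exit bad
    }'
}

# Constructed sample: the shape of a plain "iptables -L" listing where the
# FORWARD chain is empty and the nat table was never listed.
BROKEN_DUMP='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere'

# Constructed sample of a working gateway in the -v --line-numbers layout.
GOOD_DUMP='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  *      *       10.0.0.0/24          0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# audit_sample NAME: run the audit over one of the embedded samples and
# return its exit status (broken -> 1 with two findings, good -> 0).
audit_sample() {
    case "$1" in
        broken) printf '%s\n' "$BROKEN_DUMP" | audit_dump ;;
        good)   printf '%s\n' "$GOOD_DUMP"   | audit_dump ;;
        *)      echo "unknown sample: $1" >&2; return 2 ;;
    esac
}
```

On a live box, `/etc/init.d/firewall showstatus | sh audit.sh` reports both chains at once; a plain `iptables -L` only lists the filter table, which is why the second finding reminds you to add `-t nat`.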
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sat, Sep 27, 2003 at 07:39:20AM +0100, Adam Mercer wrote:
> I've attached my firewall script...

This time really attached

Cheers

Adam

#!/sbin/runscript

IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules

opts="${opts} showstatus panic save restore showoptions"

depend() {
    need net
}

rules() {
    stop

    # insert connection tracking modules
    modprobe ip_tables
    modprobe iptable_filter
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ipt_state
    modprobe ipt_LOG
    modprobe iptable_nat

    # allow local-only connections
    ${IPTABLES} -A INPUT -i lo -j ACCEPT

    # free output on any interface to any ip for any service
    ${IPTABLES} -A OUTPUT -j ACCEPT

    # permit answers on already established connections
    # and permit new connections related to established ones
    ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow incoming ssh connections
    ${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT

    # NAT
    ${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # log everything else
    ${IPTABLES} -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

    # everything not accepted > /dev/null
    ${IPTABLES} -P INPUT DROP
    ${IPTABLES} -P FORWARD DROP
    ${IPTABLES} -P OUTPUT DROP

    # be verbose on dynamic ip-addresses
    echo 2 > /proc/sys/net/ipv4/ip_dynaddr

    # disable ExplicitCongestionNotification
    echo 0 > /proc/sys/net/ipv4/tcp_ecn

    # turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    eend $?
}

start() {
    ebegin "Starting firewall"
    if [ -e "${FIREWALL}" ]; then
        restore
    else
        einfo "${FIREWALL} does not exist. Using default rules."
        rules
    fi
    eend $?
}

stop() {
    ebegin "Stopping firewall"
    ${IPTABLES} -F
    ${IPTABLES} -t nat -F
    ${IPTABLES} -X
    ${IPTABLES} -P FORWARD ACCEPT
    ${IPTABLES} -P INPUT ACCEPT
    ${IPTABLES} -P OUTPUT ACCEPT
    eend $?
}

showstatus() {
    ebegin "Status"
    ${IPTABLES} -L -n -v --line-numbers
    einfo "NAT status"
    ${IPTABLES} -L -n -v --line-numbers -t nat
    eend $?
}

panic() {
    ebegin "Setting panic rules"
    ${IPTABLES} -F
    ${IPTABLES} -X
    ${IPTABLES} -t nat -F
    ${IPTABLES} -P FORWARD DROP
    ${IPTABLES} -P INPUT DROP
    ${IPTABLES} -P OUTPUT DROP
    ${IPTABLES} -A INPUT -i lo -j ACCEPT
    ${IPTABLES} -A OUTPUT -o lo -j ACCEPT
    eend $?
}

save() {
    ebegin "Saving Firewall rules"
    ${IPTABLESSAVE} > ${FIREWALL}
    eend $?
}

restore() {
    ebegin "Restoring Firewall rules"
    ${IPTABLESRESTORE} < ${FIREWALL}
    eend $?
}

restart() {
    svc_stop; svc_start
}

showoptions() {
    echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus}"
    echo "start)      will restore setting if exists else force rule settings"
    echo "stop)       delete all rules and set all to accept"
    echo "rules)      force settings of new rules"
    echo "save)       will store settings in ${FIREWALL}"
    echo "restore)    will restore settings from ${FIREWALL}"
    echo "showstatus) Shows the status"
}
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
"Adam" == Adam Mercer [EMAIL PROTECTED] writes:
> On Mon, Sep 22, 2003 at 09:43:37AM +0900, Jason Stubbs wrote:
>
> Well I've followed the NAT HOWTO and I still can't get it working. I have managed to get a DHCP server running, it gives an IP address out in the range 10.0.0.0 to 10.0.0.100 - this works.
>
> I've attached my firewall script, one thing I've noticed is that firewall status doesn't say anything regarding NAT when looking at the script it should?
>
> skymoo root # /etc/init.d/firewall status
>  * status: started
> skymoo root #
>
> Also iptables -L shows nothing regarding NAT

iptables -L -t nat

but you probably know that by now.

> skymoo root # iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
> LOG        all  --  anywhere             anywhere            LOG level warning prefix `FIREWALL:INPUT '
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> skymoo root #
>
> Any pointers would be appreciated.

I'm not sure I know what your problem is, but this may help.

# basic nat on external device.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This should get your nating working. I highly recommend using LOG to determine and trouble shoot what is going on in your firewall. If you have a rule that you don't know what it is doing copy the rule and replace the -j ACCEPT (whatever) with -j LOG --prefix "TESTING RULE 3" in the first copy of the rule, or even comment out the old one until LOG is LOGING the rule you want.

happy natting,
Mojo
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sat, Sep 27, 2003 at 07:28:23AM -0500, Mojo B. Nichols wrote:
> I'm not sure I know what your problem is, but this may help.
>
> # basic nat on external device.
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I've already got this rule in my firewall

> This should get your nating working. I highly recommend using LOG to determine and trouble shoot what is going on in your firewall. If you have a rule that you don't know what it is doing copy the rule and replace the -j ACCEPT (whatever) with -j LOG --prefix "TESTING RULE 3" in the first copy of the rule, or even comment out the old one until LOG is LOGING the rule you want.

Logging info regarding the NAT line doesn't show anything in the system logs?

Cheers

Adam

#!/sbin/runscript

IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules

opts="${opts} showstatus panic save restore showoptions"

depend() {
    need net
}

rules() {
    stop

    # insert connection tracking modules
    modprobe ip_tables
    modprobe iptable_filter
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ipt_state
    modprobe ipt_LOG
    modprobe iptable_nat

    # allow local-only connections
    ${IPTABLES} -A INPUT -i lo -j ACCEPT

    # free output on any interface to any ip for any service
    ${IPTABLES} -A OUTPUT -j ACCEPT

    # permit answers on already established connections
    # and permit new connections related to established ones
    ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow incoming ssh connections
    ${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT

    # NAT
    ${IPTABLES} -t nat -A POSTROUTING -o eth0 -j LOG --log-prefix "Nat rule "

    # log everything else
    #${IPTABLES} -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

    # everything not accepted > /dev/null
    ${IPTABLES} -P INPUT DROP
    ${IPTABLES} -P FORWARD DROP
    ${IPTABLES} -P OUTPUT DROP

    # be verbose on dynamic ip-addresses
    echo 2 > /proc/sys/net/ipv4/ip_dynaddr

    # disable ExplicitCongestionNotification
    echo 0 > /proc/sys/net/ipv4/tcp_ecn

    # turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    eend $?
}

start() {
    ebegin "Starting firewall"
    if [ -e "${FIREWALL}" ]; then
        restore
    else
        einfo "${FIREWALL} does not exist. Using default rules."
        rules
    fi
    eend $?
}

stop() {
    ebegin "Stopping firewall"
    ${IPTABLES} -F
    ${IPTABLES} -t nat -F
    ${IPTABLES} -X
    ${IPTABLES} -P FORWARD ACCEPT
    ${IPTABLES} -P INPUT ACCEPT
    ${IPTABLES} -P OUTPUT ACCEPT
    eend $?
}

showstatus() {
    ebegin "Status"
    ${IPTABLES} -L -n -v --line-numbers
    einfo "NAT status"
    ${IPTABLES} -L -n -v --line-numbers -t nat
    eend $?
}

panic() {
    ebegin "Setting panic rules"
    ${IPTABLES} -F
    ${IPTABLES} -X
    ${IPTABLES} -t nat -F
    ${IPTABLES} -P FORWARD DROP
    ${IPTABLES} -P INPUT DROP
    ${IPTABLES} -P OUTPUT DROP
    ${IPTABLES} -A INPUT -i lo -j ACCEPT
    ${IPTABLES} -A OUTPUT -o lo -j ACCEPT
    eend $?
}

save() {
    ebegin "Saving Firewall rules"
    ${IPTABLESSAVE} > ${FIREWALL}
    eend $?
}

restore() {
    ebegin "Restoring Firewall rules"
    ${IPTABLESRESTORE} < ${FIREWALL}
    eend $?
}

restart() {
    svc_stop; svc_start
}

showoptions() {
    echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus}"
    echo "start)      will restore setting if exists else force rule settings"
    echo "stop)       delete all rules and set all to accept"
    echo "rules)      force settings of new rules"
    echo "save)       will store settings in ${FIREWALL}"
    echo "restore)    will restore settings from ${FIREWALL}"
    echo "showstatus) Shows the status"
}
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Saturday 27 September 2003 21:58, Adam Mercer wrote:
> On Sat, Sep 27, 2003 at 07:28:23AM -0500, Mojo B. Nichols wrote:
> > I'm not sure I know what your problem is, but this may help.
> >
> > # basic nat on external device.
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> I've already got this rule in my firewall
>
> > This should get your nating working. I highly recommend using LOG to determine and trouble shoot what is going on in your firewall. If you have a rule that you don't know what it is doing copy the rule and replace the -j ACCEPT (whatever) with -j LOG --prefix "TESTING RULE 3" in the first copy of the rule, or even comment out the old one until LOG is LOGING the rule you want.
>
> Logging info regarding the NAT line doesn't show anything in the system logs?

Excerpt from your script:

start() {
    ebegin "Starting firewall"
    if [ -e "${FIREWALL}" ]; then
        restore
    else
        einfo "${FIREWALL} does not exists. Using default rules."
        rules
    fi
    eend $?
}

Does ${FIREWALL} (/etc/firewall.rules) exist? If so then any changes you make to rules() won't be used.

Jason
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sat, Sep 27, 2003 at 10:28:49PM +0900, Jason Stubbs wrote:
> Excerpt from your script:
>
> start() {
>     ebegin "Starting firewall"
>     if [ -e "${FIREWALL}" ]; then
>         restore
>     else
>         einfo "${FIREWALL} does not exists. Using default rules."
>         rules
>     fi
>     eend $?
> }
>
> Does ${FIREWALL} (/etc/firewall.rules) exist? If so then any changes you make to rules() won't be used.

Every time I make changes to the rules I delete /etc/firewall.rules

Cheers

Adam
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
Adam Mercer wrote:
> rules() {
>     stop
>
>     # insert connection tracking modules
>     modprobe ip_tables
>     modprobe iptable_filter
>     modprobe ip_conntrack
>     modprobe ip_conntrack_ftp
>     modprobe ipt_state
>     modprobe ipt_LOG
>     modprobe iptable_nat
>
>     # allow local-only connections
>     ${IPTABLES} -A INPUT -i lo -j ACCEPT
>
>     # free output on any interface to any ip for any service
>     ${IPTABLES} -A OUTPUT -j ACCEPT
>
>     # permit answers on already established connections
>     # and permit new connections related to established ones
>     ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>     # allow incoming ssh connections
>     ${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT
>
>     # NAT
>     ${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
>     # log everything else
>     ${IPTABLES} -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
>
>     # everything not accepted > /dev/null
>     ${IPTABLES} -P INPUT DROP
>     ${IPTABLES} -P FORWARD DROP

This line here is your problem. You need to either change it to:

${IPTABLES} -P FORWARD ACCEPT

-or-

${IPTABLES} -A FORWARD -s 10.0.0.0/24 -j ACCEPT

--
Andrew Gaffney
--
[EMAIL PROTECTED] mailing list
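To put Jason's MASQUERADE and ip_forward advice and Andrew's FORWARD-chain fix together in one place, here is a complete two-interface ruleset as an added example; it is not Adam's script and was not posted by anyone in the thread. It assumes eth0 is the internet side, eth1 the LAN side and 10.0.0.0/24 the range dhcpd hands out, and it goes a step beyond the thread's minimal fix by restricting both the FORWARD rule and the MASQUERADE rule to that source range and interface pair, so a LAN host cannot get arbitrary source addresses forwarded or NATed. Setting IPTABLES=echo prints the rules instead of loading them, which is how the dry-run mode and the check function below work.

```shell
#!/bin/sh
# Added example, not the thread's script: a two-interface NAT gateway ruleset
# with an explicit FORWARD policy. Assumptions: eth0 = internet, eth1 = LAN,
# 10.0.0.0/24 = the DHCP pool. IPTABLES=echo prints instead of loading.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# flush_all: start from empty tables so re-running does not duplicate rules.
flush_all() {
    "$IPTABLES" -F
    "$IPTABLES" -t nat -F
    "$IPTABLES" -X
}

# nat_rules WAN_IF LAN_IF LAN_NET: load the gateway ruleset. Policies are set
# to DROP before any ACCEPT is added, so a partially loaded ruleset fails
# closed rather than open.
nat_rules() {
    wan="$1"; lan="$2"; net="$3"

    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT

    # Traffic to the gateway itself: loopback, replies, and the LAN-side
    # services (ssh, DHCP, a local DNS cache). Nothing new from the WAN.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT -i "$lan" -p tcp --dport 22 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$lan" -p udp --dport 67 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$lan" -p udp --dport 53 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$lan" -p tcp --dport 53 -j ACCEPT
    "$IPTABLES" -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

    # Routed traffic: this is the chain the thread's script left at DROP with
    # no rules. Only LAN -> WAN flows from the DHCP range may start new
    # connections; replies ride back on conntrack state. The rest is logged.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$lan" -o "$wan" -s "$net" -j ACCEPT
    "$IPTABLES" -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "

    # Masquerade only that range and only out of the WAN interface.
    "$IPTABLES" -t nat -A POSTROUTING -o "$wan" -s "$net" -j MASQUERADE
}

# enable_forwarding: the kernel consults FORWARD only when this is 1; at 0
# the packets arrive on the LAN interface and go nowhere, which is the
# symptom described in the thread.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# forward_accept_count DUMP: count ACCEPT rules in the FORWARD chain of a
# dry-run dump, a quick check that the chain is not empty before loading.
forward_accept_count() {
    printf '%s\n' "$1" | grep -c -- '-A FORWARD .*-j ACCEPT'
}

# With --dry-run, print the rules for review instead of loading them.
if [ "${1:-}" = "--dry-run" ]; then
    ( IPTABLES=echo; nat_rules eth0 eth1 10.0.0.0/24 )
fi
```

To load it for real, run `flush_all; nat_rules eth0 eth1 10.0.0.0/24; enable_forwarding` as root; the LOG rules at the end of INPUT and FORWARD are what make Mojo's advice above practical, because a dropped packet then leaves a line in the system log naming the chain it died in.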
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sat, Sep 27, 2003 at 11:17:52AM -0500, Andrew Gaffney wrote:
> This line here is your problem. You need to either change it to:
>
> ${IPTABLES} -P FORWARD ACCEPT
>
> -or-
>
> ${IPTABLES} -A FORWARD -s 10.0.0.0/24 -j ACCEPT

rules are now

    # allow local-only connections
    ${IPTABLES} -A INPUT -i lo -j ACCEPT

    # free output on any interface to any ip for any service
    ${IPTABLES} -A OUTPUT -j ACCEPT

    # permit answers on already established connections
    # and permit new connections related to established ones
    ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow incoming ssh connections
    ${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT

    # NAT
    ${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    ${IPTABLES} -A FORWARD -s 10.0.0.0/24 -j ACCEPT

    # log everything else
    ${IPTABLES} -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

    # everything not accepted > /dev/null
    ${IPTABLES} -P INPUT DROP
    ${IPTABLES} -P FORWARD DROP
    ${IPTABLES} -P OUTPUT DROP

still nothing

Cheers

Adam
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
Adam Mercer wrote:
> On Sat, Sep 27, 2003 at 11:17:52AM -0500, Andrew Gaffney wrote:
> > This line here is your problem. You need to either change it to:
> >
> > ${IPTABLES} -P FORWARD ACCEPT
> >
> > -or-
> >
> > ${IPTABLES} -A FORWARD -s 10.0.0.0/24 -j ACCEPT
>
> rules are now
>
>     # allow local-only connections
>     ${IPTABLES} -A INPUT -i lo -j ACCEPT
>
>     # free output on any interface to any ip for any service
>     ${IPTABLES} -A OUTPUT -j ACCEPT
>
>     # permit answers on already established connections
>     # and permit new connections related to established ones
>     ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>     ${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>     # allow incoming ssh connections
>     ${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT
>
>     # NAT
>     ${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>     ${IPTABLES} -A FORWARD -s 10.0.0.0/24 -j ACCEPT
>
>     # log everything else
>     ${IPTABLES} -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
>
>     # everything not accepted > /dev/null
>     ${IPTABLES} -P INPUT DROP
>     ${IPTABLES} -P FORWARD DROP
>     ${IPTABLES} -P OUTPUT DROP
>
> still nothing

How are you testing that it is working? Try 'ping 195.66.242.4' to test it out. If this works, then you either need to setup a DNS server on the NAT box, or have DHCP give the inside box the IP to a real DNS server.

--
Andrew Gaffney
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sat, Sep 27, 2003 at 01:24:18PM -0500, Andrew Gaffney wrote:
> How are you testing that it is working? Try 'ping 195.66.242.4' to test it out. If this works, then you either need to setup a DNS server on the NAT box, or have DHCP give the inside box the IP to a real DNS server.

I've been on irc all afternoon with a friend trying to sort it out, using packet sniffers etc... It appears that NAT isn't passing on requests to the outside world, we tried a test like you mention and the request wasn't making it to eth0.

Cheers

Adam
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Saturday 27 September 2003 21:42, Adam Mercer wrote:
> On Sat, Sep 27, 2003 at 01:24:18PM -0500, Andrew Gaffney wrote:
> > How are you testing that it is working? Try 'ping 195.66.242.4' to test it out. If this works, then you either need to setup a DNS server on the NAT box, or have DHCP give the inside box the IP to a real DNS server.
>
> I've been on irc all afternoon with a friend trying to sort it out, using packet sniffers etc... It appears that NAT isn't passing on requests to the outside world, we tried a test like you mention and the request wasn't making it to eth0.

Do you have DNS in the nat firewall? If you do, you don't allow these queries to come in to it. But you should see these in your log.

Could you possibly post what the status thing in your script outputs?

--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
Adam Mercer wrote:
> Hi
>
> I want to setup a DHCP server on my desktop machine so that I can plug my laptop into my second network port and then access the internet through my desktop using NAT. However I can't get it to work. I've followed as much of the NAT and DHCP howtos that I can but can't get it to work. Does anyone know of an idiots guide to setting this up?

First of all, you must have iptables support with Full NAT enabled in your kernel or built as modules. That is the most important thing. Do you have 2 NICs in your desktop machine or a hub?

--
Andrew Gaffney
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
> I want to setup a DHCP server on my desktop machine so that I can plug my laptop into my second network port and then access the internet through my desktop using NAT. However I can't get it to work. I've followed as much of the NAT and DHCP howtos that I can but can't get it to work. Does anyone know of an idiots guide to setting this up?

The only guide I know of is http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
It should be fairly straight forward to set up though. Try the following:

If you are using dhcp to get your ip address for your internet connection on eth0 and eth1 is your local network connection, you can set up dhcpd to give out ip addresses in the 192.168.1.0/24 range and use the following to enable natting:

    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward

If you have a static ip address for the internet that is 1.2.3.4 for example, the following should work:

    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.4
    echo 1 > /proc/sys/net/ipv4/ip_forward

If the above doesn't work, indicate how you have it set up so far and we can go from there.

Jason
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
Whose theory was it? The simplest answer is usually the correct one.

On Monday 22 September 2003 09:44, bob bob wrote:
> It appears that he's running two NICs, in which case he'll need a cross over cable or to go and buy a hub/switch..
>
> Imagine a school with children that can read and write, but with teachers who cannot, and you have a metaphor of the Information Age in which we live. - Peter Cochrane
>
> > From: Andrew Gaffney [EMAIL PROTECTED]
> > Subject: Re: [gentoo-user] Idiots guide to NAT and DHCP
> > Date: Sun, 21 Sep 2003 19:40:25 -0500
> >
> > Adam Mercer wrote:
> > > Hi
> > >
> > > I want to setup a DHCP server on my desktop machine so that I can plug my laptop into my second network port and then access the internet through my desktop using NAT. However I can't get it to work. I've followed as much of the NAT and DHCP howtos that I can but can't get it to work. Does anyone know of an idiots guide to setting this up?
> >
> > First of all, you must have iptables support with Full NAT enabled in your kernel or built as modules. That is the most important thing. Do you have 2 NICs in your desktop machine or a hub?
> >
> > --
> > Andrew Gaffney
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
Occam's Razor?

Imagine a school with children that can read and write, but with teachers who cannot, and you have a metaphor of the Information Age in which we live. - Peter Cochrane
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Sunday 21 September 2003 07:43 pm, Jason Stubbs wrote:
> > I want to setup a DHCP server on my desktop machine so that I can plug my laptop into my second network port and then access the internet through my desktop using NAT. However I can't get it to work. I've followed as much of the NAT and DHCP howtos that I can but can't get it to work.

Remember to set dhcpd to serve up IPs only on your private interface - i.e. set IFACE=eth1 in /etc/conf.d/dhcp.

Dave
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Mon, Sep 22, 2003 at 10:34:43AM +0900, Jason Stubbs wrote:
> On Monday 22 September 2003 09:44, bob bob wrote:
> > It appears that he's running two NICs, in which case he'll need a cross over cable or to go and buy a hub/switch..

that's the case

Cheers

Adam
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Mon, Sep 22, 2003 at 09:43:37AM +0900, Jason Stubbs wrote:
> > I want to set up a DHCP server on my desktop machine so that I can plug my laptop into my second network port and then access the internet through my desktop using NAT. However I can't get it to work. I've followed as much of the NAT and DHCP howtos that I can but can't get it to work.
> >
> > Does anyone know of an idiot's guide to setting this up?
>
> The only guide I know of is http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
>
> It should be fairly straightforward to set up though. Try the following:
>
> If you are using dhcp to get your ip address for your internet connection on eth0 and eth1 is your local network connection, you can set up dhcpd to give out ip addresses in the 192.168.1.0/24 range and use the following to enable natting:
>
>     iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>
> If you have a static ip address for the internet that is 1.2.3.4 for example, the following should work:
>
>     iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.4
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>
> If the above doesn't work, indicate how you have it set up so far and we can go from there.

I'm away at a meeting until Thursday, I'll give it a go when I get back.

Cheers
Adam
Re: [gentoo-user] Idiots guide to NAT and DHCP
Weee.. I like being right ;-D

So, on the hardware side.. do you have a crossover cable? If not, can you buy a switch/hub? Then you can try the software side of it.. :-P

Imagine a school with children that can read and write, but with teachers who cannot, and you have a metaphor of the Information Age in which we live. - Peter Cochrane

From: Adam Mercer [EMAIL PROTECTED]
Subject: Re: [gentoo-user] Idiots guide to NAT and DHCP
Date: Mon, 22 Sep 2003 05:24:21 +0100

On Mon, Sep 22, 2003 at 10:34:43AM +0900, Jason Stubbs wrote:
> On Monday 22 September 2003 09:44, bob bob wrote:
> > It appears that he's running two NICs, in which case he'll need a crossover cable or to go and buy a hub/switch.

That's the case.

Cheers
Adam
Re: [gentoo-user] Idiots guide to NAT and DHCP
On Monday 22 September 2003 13:25, Adam Mercer wrote:
> On Mon, Sep 22, 2003 at 09:43:37AM +0900, Jason Stubbs wrote:
> > > I want to set up a DHCP server on my desktop machine so that I can plug my laptop into my second network port and then access the internet through my desktop using NAT. However I can't get it to work. I've followed as much of the NAT and DHCP howtos that I can but can't get it to work.
> > >
> > > Does anyone know of an idiot's guide to setting this up?
> >
> > The only guide I know of is http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
> >
> > It should be fairly straightforward to set up though. Try the following:
> >
> > If you are using dhcp to get your ip address for your internet connection on eth0 and eth1 is your local network connection, you can set up dhcpd to give out ip addresses in the 192.168.1.0/24 range and use the following to enable natting:
> >
> >     iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
> >     echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > If you have a static ip address for the internet that is 1.2.3.4 for example, the following should work:
> >
> >     iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.4
> >     echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > If the above doesn't work, indicate how you have it set up so far and we can go from there.
>
> I'm away at a meeting until Thursday, I'll give it a go when I get back.

bobbob (?) is right, though. Make sure you've got a crossover cable!

Jason
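The two-NIC gateway that Jason's instructions and Dave's IFACE=eth1 note describe, as an added example that is not code from this thread, from any of its posters, or from the netfilter or dhcpd projects. It is a POSIX shell script that prints a complete ruleset in iptables-restore format (nat table plus a default-DROP filter table), writes the ip_forward sysctl, and emits a dhcpd.conf fragment for the private interface. The interface names eth0/eth1, the 192.168.1.0/24 subnet and the example static address 1.2.3.4 are the thread's; the gateway address 192.168.1.1, the lease range 192.168.1.100-200, the decision to hand out the gateway as the LAN's resolver, and every function name are assumptions of this example.

```shell
#!/bin/sh
# Added example for the two-NIC NAT gateway discussed in this thread; not code
# from the thread or from the netfilter/dhcpd projects. eth0/eth1, the
# 192.168.1.0/24 subnet and the static address 1.2.3.4 follow the thread; the
# gateway address, lease range and function names are this example's own.
set -e

# gen_nat_rules WAN LAN SUBNET [STATIC_IP]
# Prints a ruleset for iptables-restore. With a static public address SNAT is
# used (as suggested in the thread); otherwise MASQUERADE, which re-reads the
# interface address on every packet and so copes with a DHCP-assigned WAN IP.
gen_nat_rules() {
    wan=$1; lan=$2; subnet=$3; static=${4:-}
    if [ -n "$static" ]; then
        nat_target="-j SNAT --to-source $static"
    else
        nat_target="-j MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# only packets from the private subnet leaving via the internet interface are translated
-A POSTROUTING -o $wan -s $subnet $nat_target
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# DHCP (and DNS, if the gateway resolves for the LAN) are accepted on the private side only
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
# FORWARD is default-DROP, so the POSTROUTING rule alone forwards nothing:
# allow LAN -> WAN from the private subnet, and only replies in the other direction
-A FORWARD -i $lan -o $wan -s $subnet -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# enable_forwarding [PATH]
# Writes 1 to the ip_forward sysctl. The '>' redirect is what writes the file;
# without it echo merely prints. PATH is overridable so the function can be
# exercised on a scratch file.
enable_forwarding() {
    echo 1 > "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# gen_dhcpd_conf LAN NETWORK NETMASK GATEWAY RANGE_START RANGE_END
# dhcpd.conf fragment for the private side. Pair it with IFACE=<LAN> in
# /etc/conf.d/dhcp on Gentoo so dhcpd never answers on the internet interface.
# Assumes the gateway also runs a resolver for the LAN; otherwise replace the
# domain-name-servers option with your ISP's resolvers.
gen_dhcpd_conf() {
    cat <<EOF
# dhcpd listens on $1 only (IFACE=$1 in /etc/conf.d/dhcp)
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet $2 netmask $3 {
    range $5 $6;
    option routers $4;
    option domain-name-servers $4;
}
EOF
}

# Usage on the gateway (as root):
#   gen_nat_rules eth0 eth1 192.168.1.0/24 | iptables-restore           # dynamic WAN address
#   gen_nat_rules eth0 eth1 192.168.1.0/24 1.2.3.4 | iptables-restore   # static WAN address
#   enable_forwarding
#   gen_dhcpd_conf eth1 192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.100 192.168.1.200 > /etc/dhcp/dhcpd.conf
# Run as "sh thisfile.sh print [STATIC_IP]" to just display what would be loaded.
if [ "${1:-}" = "print" ]; then
    gen_nat_rules eth0 eth1 192.168.1.0/24 "${2:-}"
    gen_dhcpd_conf eth1 192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.100 192.168.1.200
fi
```

The filter table is the part the one-line MASQUERADE recipe leaves out: with the kernel's FORWARD policy set to DROP, the POSTROUTING rule by itself translates nothing because no packet ever reaches it, so the script explicitly permits LAN-to-WAN traffic from the private subnet and only RELATED,ESTABLISHED replies coming back in. Restricting both the nat rule and the FORWARD rule with -s 192.168.1.0/24 and the interface pair means a packet arriving on eth0 with a spoofed private source is neither translated nor relayed, and binding dhcpd to eth1 keeps the gateway from handing out leases on the internet side.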