Re: [newbie] ip tables and ip masq
On Wednesday 23 Jul 2003 4:24 am, Sharrea wrote:
> Disclaimer: I'm NO expert on iptables but I've been playing around with these scripts lately too. If my advice here is incorrect, someone please correct me.
>
> On Wed, 23 Jul 2003 02:29, L.V.Gandhi wrote:
> > Slightly I want to modify my yesterday's mail. In a PC with modem, which is to act as masq server, I have already installed iptables. However, starting its daemon during startup was disabled by me. Now I have followed the IP-masquerade HOWTO. I made rc.firewall-2.4, put it in /etc/rc.d and firewall-2.4 in /etc/rc.d/init.d/. Now when I ran rc.firewall-2.4 on the command line, I get errors that many modules are already running.
>
> Before running your firewall script you should flush the current tables. Either use the rc.flush-iptables script to flush the tables with a default policy of ACCEPT, or you can use the command:
>
>     # iptables --flush
>
> to flush the tables with a default policy of DROP.
>
> > Further, the gateway IP address of eth0 I can ping. When the masq server is connected to the internet, I can ping its dynamically allocated IP address. But I can't ping its DNS server by its number either. The rules were initially as proposed by the ip-masq HOWTO
> > snip
> > In this condition masq is working. Only I want some clarification. Why is it now working but not with the previous rules? In both, the general condition ACCEPT all -- anywhere anywhere exists.
>
> This may be because the tables were not flushed before running your script. Also, I note that you have a default policy of ACCEPT rather than DROP on some of your chains. From what I understand that is not very secure (I could be wrong, often am). I think the idea is to block ALL ports and then only open the ones you want from/to wherever.
>
> I'm not sure which tutorial/script you're using L.V., but I recommend Oskar Andreasson's one at http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html and try the rc.firewall script in there.

I was using the IP-masquerading HOWTO scripts. I have installed iptables in the gateway, but disabled its daemon service. Then I installed the scripts given in the above HOWTO. It had a default policy of DROP for FORWARD, but below it had

    ACCEPT all -- anywhere anywhere

Still when I did ping the ISP DNS, I was not successful. But making the default policy ACCEPT for FORWARD, then I could get connected and browse. Here only I needed clarification why the above line, almost equal to a default policy of ACCEPT, didn't allow me to ping the ISP DNS.
-- 
L.V.Gandhi
203, Soundaryalahari Apartments, Lawsons Bay colony, Visakhapatnam, 530017
MECON, 5th Floor, RTC Complex, Visakhapatnam AP 530020 INDIA

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] ip tables and ip masq
On Wed, 23 Jul 2003 13:31, L.V.Gandhi wrote:
> On Wednesday 23 Jul 2003 4:24 am, Sharrea wrote:
> > Disclaimer: I'm NO expert on iptables but I've been playing around with these scripts lately too. If my advice here is incorrect, someone please correct me.
>
> I was using the IP-masquerading HOWTO scripts. I have installed iptables in the gateway, but disabled its daemon service. Then I installed the scripts given in the above HOWTO. It had a default policy of DROP for FORWARD, but below it had
>
>     ACCEPT all -- anywhere anywhere
>
> Still when I did ping the ISP DNS, I was not successful. But making the default policy ACCEPT for FORWARD, then I could get connected and browse. Here only I needed clarification why the above line, almost equal to a default policy of ACCEPT, didn't allow me to ping the ISP DNS.

I think it depends on what rules follow after that one. If the packet is accepted with the first rule, it is then checked with the next rule, then the next, etc. until all rules have been traversed - unless one of the rules applies that tells iptables to drop/reject the packet or jump to another rule/chain. Lastly (I think) it is checked against the default policy. I'm not very good at explaining this, I know.

If you have a default policy of DROP on your INPUT chain, then you need to specifically allow packets from wherever to whatever ip/port. There are *many* ways of doing this. Examples:

--
IPTABLES=/sbin/iptables
INET_IFACE=ppp0
LAN_IFACE=eth0

FOR DNS:

    $IPTABLES -A INPUT -p UDP -s 0/0 --sport 53 -j ACCEPT

will accept all UDP packets from anywhere with a source port of 53.

    $IPTABLES -A INPUT -p UDP -i $INET_IFACE --dport 53 -j ACCEPT

will accept all UDP packets that are input via your internet interface (eg. ppp0) and are destined for port 53.

    $IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 53 -j ACCEPT

will accept all UDP packets that are input via your LAN interface (eg. eth0) and are destined for port 53.

FOR PING:

    $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

will accept all ICMP packets of type 8 from anywhere.

    $IPTABLES -A INPUT -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

will accept all ICMP packets of type 11 from anywhere.
---

***NOTE*** As I don't know how your script is written, the above rules may not work for you with reference to the variables as shown.

Sharrea
-- 
Help Microsoft stamp out piracy - give Linux to a friend today
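The following is an added illustration, not code from this thread, from the IP Masquerade HOWTO or from Oskar Andreasson's tutorial, of how a filter-table chain is actually walked: rules are tried in order, a matching ACCEPT/DROP/REJECT ends the walk, LOG does not, and the chain policy applies only when no terminating rule matched. It models the FORWARD chain (one ACCEPT, one LOG, policy DROP) that L.V.Gandhi lists further down, with one assumption of mine: that the HOWTO's ACCEPT rule carries an `-i eth0` interface match, which `iptables -L` hides unless `-v` is given. The `Chain`/`Rule`/`Packet` classes, the interface names and the two sample packets are all constructed for the example.

```python
"""Toy model of netfilter filter-chain traversal (added example).

Not iptables code and not anything the posters ran. Rules and packets are
constructed to resemble the thread's gateway: LAN on eth0, dial-up on ppp0.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Targets that end the walk through a chain. LOG is deliberately absent:
# it records the packet and lets traversal continue to the next rule.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    proto: str = "all"


@dataclass(frozen=True)
class Rule:
    target: str
    in_iface: Optional[str] = None   # -i  (None = wildcard, like an omitted option)
    out_iface: Optional[str] = None  # -o
    proto: Optional[str] = None      # -p

    def matches(self, pkt: Packet) -> bool:
        return ((self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.out_iface is None or self.out_iface == pkt.out_iface)
                and (self.proto is None or self.proto == pkt.proto))

    def listing(self, verbose: bool) -> str:
        # Plain `iptables -L` prints target/prot/opt/source/destination only;
        # the interface restriction appears only in the -v columns.
        line = f"{self.target:<10} {self.proto or 'all':<5} -- anywhere anywhere"
        if verbose:
            line += f"  in {self.in_iface or '*'} out {self.out_iface or '*'}"
        return line


class Chain:
    def __init__(self, name: str, policy: str) -> None:
        self.name = name
        self.policy = policy          # what `iptables -P` sets
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> "Chain":   # `iptables -A`
        self.rules.append(rule)
        return self

    def verdict(self, pkt: Packet) -> Tuple[str, List[str]]:
        """Walk rules in order; return (final verdict, trace of what fired)."""
        trace: List[str] = []
        for idx, rule in enumerate(self.rules, 1):
            if not rule.matches(pkt):
                continue
            trace.append(f"rule {idx} {rule.target}")
            if rule.target in TERMINATING:
                return rule.target, trace     # traversal stops here
            # non-terminating target (LOG): fall through to the next rule
        trace.append(f"policy {self.policy}")
        return self.policy, trace

    def listing(self, verbose: bool = False) -> str:
        head = f"Chain {self.name} (policy {self.policy})"
        return "\n".join([head] + [r.listing(verbose) for r in self.rules])


def howto_forward_chain(policy: str) -> Chain:
    """FORWARD chain shaped like the thread's listing: one ACCEPT, one LOG.

    ASSUMPTION (mine, not from the thread): the ACCEPT carries `-i eth0`.
    Without -v the listing shows it as 'ACCEPT all -- anywhere anywhere',
    which looks like, but is narrower than, a policy of ACCEPT.
    """
    return (Chain("FORWARD", policy)
            .append(Rule("ACCEPT", in_iface="eth0"))
            .append(Rule("LOG")))


# Constructed sample traffic: a LAN host's request and the reply coming back.
LAN_TO_INET = Packet(in_iface="eth0", out_iface="ppp0")
INET_TO_LAN = Packet(in_iface="ppp0", out_iface="eth0")


def forward_verdict(policy: str, pkt: Packet) -> str:
    return howto_forward_chain(policy).verdict(pkt)[0]


if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        chain = howto_forward_chain(policy)
        print(chain.listing(verbose=True))
        for pkt in (LAN_TO_INET, INET_TO_LAN):
            v, trace = chain.verdict(pkt)
            print(f"  {pkt.in_iface}->{pkt.out_iface}: {v}  ({' -> '.join(trace)})")
        print()
```

With policy DROP the outbound packet is accepted by rule 1, but the reply arriving on ppp0 only matches the LOG rule and then falls to the policy, so it is dropped; flipping the policy to ACCEPT makes that same reply pass, which is the behaviour the thread describes. The check to run on the real gateway before treating a rule as equivalent to a policy is `iptables -L -v -n`, since the non-verbose listing hides interface matches exactly as `listing()` does here.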
[newbie] ip tables and ip masq
Slightly I want to modify my yesterday's mail. In a PC with modem, which is to act as masq server, I have already installed iptables. However, starting its daemon during startup was disabled by me. Now I have followed the IP-masquerade HOWTO. I made rc.firewall-2.4, put it in /etc/rc.d and firewall-2.4 in /etc/rc.d/init.d/. Now when I ran rc.firewall-2.4 on the command line, I get errors that many modules are already running. Further, the gateway IP address of eth0 I can ping. When the masq server is connected to the internet, I can ping its dynamically allocated IP address. But I can't ping its DNS server by its number either. The rules were initially as proposed by the ip-masq HOWTO:

    [EMAIL PROTECTED] root]# netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags MSS Window irtt Iface
    61.1.161.42     0.0.0.0         255.255.255.255 UH      0 0        0 ppp0
    192.168.16.0    0.0.0.0         255.255.255.0   U       0 0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U       0 0        0 lo
    0.0.0.0         61.1.161.42     0.0.0.0         UG      0 0        0 ppp0

    [EMAIL PROTECTED] root]# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    [EMAIL PROTECTED] root]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere            LOG level warning

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

but after doing

    [EMAIL PROTECTED] root]# iptables -P FORWARD ACCEPT
    [EMAIL PROTECTED] root]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere            LOG level warning

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

In this condition masq is working. Only I want some clarification. Why is it now working but not with the previous rules? In both, the general condition ACCEPT all -- anywhere anywhere exists.
-- 
L.V.Gandhi
[newbie] ip tables and ip masq
In a PC with modem, which is to act as masq server, I have already installed iptables. However, starting its daemon during startup was disabled by me. Now I have followed the IP-masquerade HOWTO. I made rc.firewall-2.4, put it in /etc/rc.d and firewall-2.4 in /etc/rc.d/init.d/. Now when I ran rc.firewall-2.4 on the command line, I get errors that many modules are already running. Further, the gateway IP address of eth0 I can ping. When the masq server is connected to the internet, I can ping its dynamically allocated IP address. But I can't ping its DNS server by its number either. Why? How to make masq work?
-- 
L.V.Gandhi