Gentoo Forums
HOWTO: Iptables for newbies. PART I: Getting Started
krunk (Guru)
Joined: 27 Jul 2003
Posts: 316
Posted: Mon Apr 26, 2004 5:31 am

weyhan wrote:
Quote:
Interface configuration:

In my set up, I have three NICs: one is connected to the WAN through pppoe, the other two to my internal network. In order for them all to play nicely with iptables and masquerading (NAT'ing), they must be set to different subnets. For example, the two NICs connected to my internal computers, i.e., the “internal NICs”, are assigned 192.168.1.78 and 192.168.2.78 respectively. It should be noted here that it is perfectly acceptable to connect these internal NICs to any network-capable device, such as a switch or hub. For pppoe connections we make sure the NIC connected to the outside world, i.e. the external NIC, is not assigned any IP; its entries in /etc/conf.d/net should be left blank. We must also assign proper netmasks and broadcast values to these interfaces. Your conf.d should look like this for the server:

Server
Code:


# For pppoe connections you do not want to set values for eth0, simply add \
# net.ppp0 to your default runlevel
#iface_eth0="192.168.0.78 broadcast 192.168.0.255 netmask 255.255.0.0"
iface_eth1="192.168.1.78 broadcast 192.168.1.255 netmask 255.255.255.0"
iface_eth2="192.168.2.78 broadcast 192.168.2.255 netmask 255.255.255.0"


Just to point out that leaving the external NIC setting blank will cause "/etc/init.d/net.eth0 start" to fail when you do:
Quote:

Now add all the interfaces to the default run level and restart connections:

Server
Code:

rc-update add net.eth0 default; rc-update add net.eth1 default; rc-update add net.eth2 default; rc-update add net.ppp0 default; \
/etc/init.d/net.eth0 start; /etc/init.d/net.eth1 start; /etc/init.d/net.eth2 start; /etc/init.d/net.ppp0 start;


Instead your example net file should be:
Code:
# For pppoe connections you do not want to set values for eth0, simply add \
# net.ppp0 to your default runlevel
iface_eth0="up"
iface_eth1="192.168.1.78 broadcast 192.168.1.255 netmask 255.255.255.0"
iface_eth2="192.168.2.78 broadcast 192.168.2.255 netmask 255.255.255.0"


Not sure why it worked for you in the first place.


Actually, I missed editing out net.eth0 when starting the interfaces. Thanks for pointing it out. It works anyway because the rp-pppoe init script brings eth0 up properly. Thanks.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone :)]

Dual G5
iPod 3rd generation
weyhan (Apprentice)
Joined: 27 May 2003
Posts: 245
Posted: Mon Apr 26, 2004 6:00 am

Quote:
Actually, I missed editing out net.eth0 when starting the interfaces. Thanks for pointing it out. It works anyway because the rp-pppoe init script brings eth0 up properly. Thanks.


You are using rp-pppoe to dial out? I thought you needed to use the rp-pppoe init.d script instead of net.ppp0? AFAICT, net.ppp0 has nothing to do with rp-pppoe. No? Mind sharing how you got net.ppp0 up?

When I use net.ppp0 to bring up pppoe, it complains that the interface is not up. :( So I do need to have:
Code:

# my external interface is eth1
iface_eth1="up"

in my net file, and do a:
Code:

/etc/init.d/net.eth1 start


I'm actually trying to get pppoe up without using the rp-pppoe package, without much success so far but making good progress.
_________________
Han.
weyhan (Apprentice)
Joined: 27 May 2003
Posts: 245
Posted: Tue Apr 27, 2004 4:00 pm

Edit: Never mind. I have found a typo in my dhcp server's gateway entry... :oops:
Anyway, great tips. Maybe it's time for me to move to part II.


Okay, I am going with rp-pppoe for now and have tried out your iptables script. I did have a little problem with the setting as it is.

I have a very similar setup to the one you have described, except I have only 2 NICs on the server and only 2 subnets (192.168.0.x and 192.168.1.x). If I use the exact setup you have, I can't access the Internet from my clients. Not sure why the server is not routing the packets to my ADSL modem. However, if I change the gateway to the dynamic IP my ISP has supplied (the IP of the ppp0 interface), it works. As in your example, the gateway is the NIC's IP on the server.

Any ideas?
soulfire (n00b)
Joined: 09 Apr 2004
Posts: 70
Location: Italy
Posted: Sun May 16, 2004 9:29 am

great HOWTO, thank u !!!!
_________________
I can divide by zero
gwion (Apprentice)
Joined: 15 May 2003
Posts: 212
Location: Helsinki
Posted: Sun May 16, 2004 5:21 pm

dear krunk,

thank you very much. this howto is exactly what i needed to get my router and my home network going :D

cheers,

gwion
_________________
But the best thing about being an older goth? The fact that no one tries to tell you "It's a phase!" anymore.
--
gwion@jabber.org
BlinkEye (Veteran)
Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums
Posted: Fri May 21, 2004 4:31 pm

thanks a lot. this helped me to solve a problem. within time i'm trying out your PART II
_________________
Easily back up your system? klick
Get rid of SSH Brute Force Attempts / Script Kiddies klick
siroxo (n00b)
Joined: 10 Feb 2004
Posts: 62
Posted: Sat May 22, 2004 10:24 am

Awesome tutorial.

One question: Is it considered bad form to use iptables firewalls on your main box? (I'm living on a budget here hehe)
Lepaca Kliffoth (l33t)
Joined: 28 Apr 2004
Posts: 737
Location: Florence, Italy
Posted: Sat Jun 12, 2004 12:34 pm
Subject: No resolving addresses

I'm tired... I just can't understand what is wrong. I used the script you posted. My setup: desktop with internet connection on IP 192.168.0.1. Net access is through ppp0. Desktop's connected to a laptop with a cross-over cable. Laptop's IP is 192.168.0.2, gateway 192.168.0.1 and nameserver 192.168.0.1. Here is the script. As you can see intif is eth0. There's no intif2, it's got just ONE ethernet card.

Code:

#!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='ppp0'
INTIF1='eth0'
#INTIF2='eth2'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

# forward LAN traffic from $INTIF2 to Internet interface $EXTIF
#$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT


I didn't bother with the last two lines since all that talk about security's good as crap until you put up a proper firewall (right?). However, things don't work anyway, even if I put those two lines back. lsmod output:

Code:

bash-2.05b# lsmod
Module                  Size  Used by    Tainted: P
n_hdlc                  6496   1  (autoclean)
ppp_synctty             6560   1  (autoclean)
ppp_generic            20836   3  (autoclean) [ppp_synctty]
slhc                    5152   0  (autoclean) [ppp_generic]
agpgart                14248   3  (autoclean)
ipt_state                536   3  (autoclean)
ipt_MASQUERADE          1496   5  (autoclean)
iptable_nat            18094   1  (autoclean) [ipt_MASQUERADE]
ip_conntrack           22500   0  (autoclean) [ipt_state ipt_MASQUERADE iptable_nat]
iptable_filter          1740   1  (autoclean)
ip_tables              13056   6  [ipt_state ipt_MASQUERADE iptable_nat iptable_filter]
i810_audio             25308   0
ac97_codec             13396   0  [i810_audio]
sis900                 13292   1
crc32                   2912   0  [sis900]
supermount             77888   1  (autoclean)
nvidia               1965984   6
usb-ohci               19464   0  (unused)
ehci-hcd               19052   0  (unused)
usbcore                63628   2  [usb-ohci ehci-hcd]


After executing the script, setting IPs, gateways and everything like I said before, the laptop still can't resolve the address www.google.it (or anything else). If I ping an external IP it's all nice and working, it's just that DNS requests aren't being forwarded (or whatever). So please, someone help me :((( Oh, I'm on the experimental gentoo-sources 2.4.26.
_________________
It isn't enough to win - everyone else must lose, and you also have to rub it in their face (maybe chop off an arm too for good measure).
Animebox!
Lepaca Kliffoth (l33t)
Joined: 28 Apr 2004
Posts: 737
Location: Florence, Italy
Posted: Sat Jun 12, 2004 12:58 pm

Sorry I'm the dumbest creature on earth. I just had to put my isp's dns in the client's /etc/resolv.conf. Sorry for that.
CompiledMonkey (n00b)
Joined: 05 Dec 2002
Posts: 68
Location: Richmond, VA
Posted: Fri Jun 18, 2004 3:21 am

Get ready for a stupid question...

Where exactly do I save this iptables config file?
krunk (Guru)
Joined: 27 Jul 2003
Posts: 316
Posted: Fri Jun 18, 2004 4:16 am

CompiledMonkey wrote:
Get ready for a stupid question...

Where exactly do I save this iptables config file?


Anywhere you want. :D

I personally put it in /root/scripts.

All you do is make it executable and then ./firewall_script. :)
BlinkEye (Veteran)
Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums
Posted: Fri Jun 18, 2004 6:51 am

i prefer to put any script into either /usr/bin or /usr/sbin (for superuser scripts) so your script gets recognized with tab completion. of course you may export another path to PATH (within your .bashrc) but i don't like that alternative. to see which paths are exported execute
Code:
echo $PATH

you may save your file in any of these paths and it will be recognized simply by typing *myscript_name*
krunk (Guru)
Joined: 27 Jul 2003
Posts: 316
Posted: Fri Jun 18, 2004 3:07 pm

BlinkEye wrote:
i prefer to put any script into either /usr/bin or /usr/sbin (for superuser scripts) so your script gets recognized with tab completion. of course you may export another path to PATH (within your .bashrc) but i don't like that alternative. to see which paths are exported execute
Code:
echo $PATH

you may save your file in any of these paths and it will be recognized simply by typing *myscript_name*


Yes, I add a path to the root/scripts directory. My reasoning for throwing it there is I have all too often written a script, then forgot what I named it......silly, I know, but it keeps me from "losing" scripts amongst the /sbin/
CompiledMonkey (n00b)
Joined: 05 Dec 2002
Posts: 68
Location: Richmond, VA
Posted: Fri Jun 18, 2004 3:30 pm

krunk wrote:

Anywhere you want. :D

I personally put it in /root/scripts.

All you do is make it executeable and than ./firewall_script. :)


Awesome, thanks for the help! I'm only trying to harden a firewall on my gentoo system, so I edited the config file you provided. Can you tell me if this is correct? All I want to allow is ssh to the machine, and reject everything else.

Code:

#!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
INTIF='eth0'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

# block out all other Internet access on $INTIF
$IPTABLES -A INPUT -i $INTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW,INVALID -j DROP
CompiledMonkey (n00b)
Joined: 05 Dec 2002
Posts: 68
Location: Richmond, VA
Posted: Fri Jun 18, 2004 6:54 pm

I've noticed I cannot get out on port 80 anymore. Could anybody help me out in understanding these rules? I assume I just need a rule to let outgoing traffic through on port 80. Only I don't know the syntax for the rule.
BlinkEye (Veteran)
Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums
Posted: Fri Jun 18, 2004 7:04 pm

add these lines after you flush the chains and rules
Code:
###  set default rules (DENY, ACCEPT)  ###
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -P OUTPUT ACCEPT

and everything else afterwards
CompiledMonkey (n00b)
Joined: 05 Dec 2002
Posts: 68
Location: Richmond, VA
Posted: Fri Jun 18, 2004 7:25 pm

I'm still not able to get out with wget or ping. I've tried just running the "iptables save" command and running the script myself. Neither seems to yield any different results.

Code:

#!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
INTIF='eth0'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# set default rules (DENY, ACCEPT)
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#echo -e "      - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

# block out all other Internet access on $INTIF
$IPTABLES -A INPUT -i $INTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW,INVALID -j DROP


Here is the output when I run "iptables --list":

Code:

zion bin # iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
BlinkEye (Veteran)
Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums
Posted: Fri Jun 18, 2004 7:37 pm

i do have the same output of
Code:
iptables --list

for the output chain. i don't know yet what's wrong but have a look at this thread, as my current iptables script is the last-but-two post.
CompiledMonkey (n00b)
Joined: 05 Dec 2002
Posts: 68
Location: Richmond, VA
Posted: Fri Jun 18, 2004 10:19 pm

Can I get some more replies... :D
BlinkEye (Veteran)
Joined: 21 Oct 2003
Posts: 1046
Location: Gentoo Forums
Posted: Fri Jun 18, 2004 10:48 pm

stupid me, i forgot to post the link! i think with this information and my script (posted there) you should get it going: https://forums.gentoo.org/viewtopic.php?t=175914&highlight=
CompiledMonkey (n00b)
Joined: 05 Dec 2002
Posts: 68
Location: Richmond, VA
Posted: Sun Jun 20, 2004 4:58 am

I trimmed that script down some, but it got me working. Thanks a lot! I think what I was missing was this part:

Code:

echo "* enabling masquerading of internal hosts"
# enable masquerading to allow LAN internet access
${IPTABLES} -t nat -A POSTROUTING -o ${EXT_NIC} -j MASQUERADE

${IPTABLES} -t nat -P PREROUTING ACCEPT
${IPTABLES} -t nat -P POSTROUTING ACCEPT
${IPTABLES} -t nat -P OUTPUT ACCEPT
Joe Kinley (n00b)
Joined: 31 May 2003
Posts: 74
Location: Germany
Posted: Wed Aug 04, 2004 9:38 pm

Well, my script routes, but if i restart, i have to rerun the script for routing again.
It does not save the ruleset..... in this thread it said i have to check the ENABLE_FORWARDING_IPv4="yes" in /etc/conf.d/iptables.
But for me this file looked like:
Code:

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"

#Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"

now i just typed this variable in, but it does not route either.

Is my file corrupted ??
_________________
No matter what, always follow your heart
mudrii (l33t)
Joined: 26 Jun 2003
Posts: 789
Location: Singapore
Posted: Mon Aug 23, 2004 5:25 am

Very good HOWTO, BIG THX
_________________
www.gentoo.ro
hjnenc (Veteran)
Joined: 15 Aug 2004
Posts: 1599
Location: Vienna, Austria
Posted: Thu Aug 26, 2004 3:30 pm

@Joe Kinley

Your file is OK, this was taken out in iptables-1.2.9-r1 (not exactly sure about the version). The ebuild prints these warnings:
Code:
!!! ipforwarding is now not a part of the iptables initscripts.
Until a more permanent solution is implemented adding the following
to /etc/conf.d/local.start will enable ipforwarding at bootup:
  echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
BlackCat73 (n00b)
Joined: 11 Sep 2004
Posts: 15
Location: VIC, Australia
Posted: Thu Sep 16, 2004 11:22 am

Hi,
This is a newbie question so please bear with me. I'm trying to install iptables in my newly compiled gentoo; here's what I've done:
- I set the necessary option in the kernel and recompiled.
- I emerged iptables
- After reading this thread, I didn't know where to write my script so I typed
Code:
/etc/init.d/iptables save

- This resulted in a file called /var/lib/iptables/rules-save
- I opened it using nano and wrote the script
- Here's what I wrote inside (this box will be an e-mail server behind a router):
Code:

#!/bin/bash
IPTABLES='/sbin/iptables'

# Define shortcut values
NIC='eth0'

# Enable IP forwarding in the kernel
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# Enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $NIC -j MASQUERADE

# Block out ALL incoming traffic by default
$IPTABLES -A INPUT -i $NIC -m state --state NEW,INVALID -j DROP
# Block out ALL forwarding traffic by default
$IPTABLES -A FORWARD -i $NIC -m state --state NEW,INVALID -j DROP

# Allow ALL outgoing traffic
$IPTABLES -P OUTPUT ACCEPT

#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

- Once saved I typed
Code:
/etc/init.d/iptables start

- then I get this error
Code:

root@usagi / # /etc/init.d/iptables start
 * Loading iptables state and starting firewall...
 * Restoring iptables ruleset
iptables-restore: line 2 failed


What have I done wrong? Is this what I'm supposed to do, or am I supposed to compile/run this script and then do
Code:
/etc/init.d/iptables save


Help is much appreciated. Thanks
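An added example, written for this page and not taken from the thread or any poster: a single-host ruleset for CompiledMonkey's goal (only inbound SSH, everything out) that includes the ESTABLISHED,RELATED rule his INPUT-DROP script lacks, which is why his wget and ping replies were dropped. Run without arguments it prints the same policy in iptables-save format, which is what /var/lib/iptables/rules-save holds and what BlackCat73's bash script there was not (iptables-restore skips the "#!" line as a comment and then fails on line 2). The interface name and SSH port are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread. A single-host policy in the spirit of
# CompiledMonkey's script (only SSH in, everything out), with the rule his
# version lacks, plus a dry-run mode that prints the same ruleset in the
# iptables-save format that /var/lib/iptables/rules-save actually holds.
IPTABLES='/sbin/iptables'
INTIF='eth0'     # assumption: the host's only network interface
SSH_PORT=22

# Rules in the order they are appended, one per line: "<chain> <match/target>".
rules() {
    # Loopback must stay open or local services (and a local resolver) break.
    printf '%s\n' "INPUT -i lo -j ACCEPT"
    # The missing piece: with policy DROP, replies to connections this host
    # opened (wget, ping, DNS) are dropped unless ESTABLISHED,RELATED is accepted.
    printf '%s\n' "INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The only new inbound connections allowed: SSH on the external interface.
    printf '%s\n' "INPUT -i $INTIF -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    # Malformed packets are dropped explicitly; anything else falls to the policy.
    printf '%s\n' "INPUT -m state --state INVALID -j DROP"
}

# Apply the policy with the iptables binary (run as root: ./firewall.sh apply).
apply_rules() {
    echo 0 > /proc/sys/net/ipv4/ip_forward    # a single host does not route
    "$IPTABLES" -F
    "$IPTABLES" -X
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT
    rules | while read -r chain rest; do
        # $rest is deliberately unquoted so it is split into separate arguments
        "$IPTABLES" -A "$chain" $rest
    done
}

# Print the same policy as an iptables-save dump. This, not a shell script, is
# what /etc/init.d/iptables restores from rules-save; a bash script stored
# there fails at line 2 because only '#' lines and blank lines are skipped.
save_format() {
    printf '%s\n' "*filter" ":INPUT DROP [0:0]" ":FORWARD DROP [0:0]" ":OUTPUT ACCEPT [0:0]"
    rules | while read -r chain rest; do
        printf '%s\n' "-A $chain $rest"
    done
    printf '%s\n' "COMMIT"
}

# Number of lines in the generated dump matching a pattern (for sanity checks).
count_lines() {
    save_format | grep -c -- "$1" || true
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     save_format ;;   # default is the dry run: print rules-save content
esac
```

Redirect the dry-run output into /var/lib/iptables/rules-save (or run the script with `apply` and then `/etc/init.d/iptables save`) and `/etc/init.d/iptables start` restores it cleanly.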
Page 2 of 3

 