  1. #1 Just Joined! (Join Date: Sep 2008, Posts: 2)

    Computers inside firewall sometimes having problems downloading


    I've got a Linux firewall connected to my cable modem with several computers inside the firewall. Most of the time, downloading files works just fine. However, there are some files that just will not finish downloading. There's no problem with my connection, because if I take one of those boxes, connect it directly to the cable modem pulling the firewall completely out of the picture, the file downloads perfectly fine.

    My network is NATed within 172.31.69.*... firewall on .1, my main Windows box is .2 and my wife's is .3 ... other machines in the network but none directly mentioned in the script.

    So...I guess I'm hoping someone here will be able to tell me what is wrong with my firewall rules.

    Thanks in advance for any help!!!!

    -----------

    #!/bin/sh

    # This came from Multi-homed iptables firewall

    # Enable broadcast echo protection
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Disable source routed packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
    done

    # Enable TCP SYN cookie protection
    # (Commented out because the kernel currently in use does not provide it)
    #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Disable ICMP Redirect acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
    done

    # Don't send Redirect messages
    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
    done

    # Drop spoofed packets coming in on an interface, which if replied to,
    # would result in the reply going out a different interface.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
    done

    # Log packets with impossible addresses
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
    done

    # Flush existing rules on INPUT, OUTPUT, FORWARD chains and nat table
    /usr/sbin/iptables --flush
    /usr/sbin/iptables -t nat --flush

    # Unlimited traffic on the loopback interface
    /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
    /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT

    # Set the default policy to drop
    /usr/sbin/iptables --policy INPUT DROP
    /usr/sbin/iptables --policy OUTPUT DROP
    /usr/sbin/iptables --policy FORWARD DROP
    /usr/sbin/iptables -t nat --policy PREROUTING ACCEPT
    /usr/sbin/iptables -t nat --policy OUTPUT ACCEPT
    /usr/sbin/iptables -t nat --policy POSTROUTING ACCEPT

    # Drop all invalid TCP flag combinations (malformed segments and scan probes)
    # First list of TCP flags is the mask of bits to be tested
    # Second list of TCP flags is the bits that must be set to match the test
    # NOTE: these rules sit on INPUT only, so they inspect traffic addressed to the
    # firewall itself; traffic forwarded for the LAN passes through FORWARD and is
    # not checked here.

    # All of the bits are cleared
    /usr/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    # SYN and FIN are both set
    /usr/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # SYN and RST are both set
    /usr/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    # FIN and RST are both set
    /usr/sbin/iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

    # FIN is set without the expected accompanying ACK
    /usr/sbin/iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

    # PSH is set without the expected accompanying ACK
    /usr/sbin/iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

    # URG is set without the expected accompanying ACK
    /usr/sbin/iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

    # Masquerade everything out eth0; used for dynamic IPs
    /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # Allow all outbound connections from LAN (eth1) to Internet (eth0)
    # Allow only return traffic from those connections
    /usr/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    /usr/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow unlimited outbound and return traffic from firewall
    /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /usr/sbin/iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    /usr/sbin/iptables -A OUTPUT -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # ADDED IMPORTANT RULE!! Allow inbound traffic from internal network
    /usr/sbin/iptables -A INPUT -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Allow incoming FTP. Port 21 is the control channel; data connections (port 20
    # in active mode, a high port in passive mode) are picked up as RELATED by the
    # ESTABLISHED,RELATED rule above once the FTP conntrack helper is loaded
    # (modprobe ip_conntrack_ftp on kernels of this era, nf_conntrack_ftp later).
    # FTP is TCP-only, so the two UDP rules below match no real traffic.
    /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20 -m state --state NEW -j ACCEPT
    /usr/sbin/iptables -A INPUT -i eth0 -p udp --dport 20 -m state --state NEW -j ACCEPT
    /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT
    /usr/sbin/iptables -A INPUT -i eth0 -p udp --dport 21 -m state --state NEW -j ACCEPT

    # Allow incoming SSH
    /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Allow incoming WEB
    /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Allow incoming rsync (rsyncd listens on 873/tcp only; the UDP rule below is unnecessary)
    /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 873 -m state --state NEW -j ACCEPT
    /usr/sbin/iptables -A INPUT -i eth0 -p udp --dport 873 -m state --state NEW -j ACCEPT

    # Allow incoming Bittorrent to MAIN
    /usr/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6881:6930 -j DNAT --to-destination 172.31.69.2
    /usr/sbin/iptables -A PREROUTING -t nat -p udp -i eth0 --dport 6881:6930 -j DNAT --to-destination 172.31.69.2
    /usr/sbin/iptables -A FORWARD -p tcp -d 172.31.69.2 --dport 6881:6930 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p udp -d 172.31.69.2 --dport 6881:6930 -j ACCEPT

    # Allow incoming Bittorrent to SANDYSCOMPUTER
    /usr/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6931:6999 -j DNAT --to-destination 172.31.69.3
    /usr/sbin/iptables -A PREROUTING -t nat -p udp -i eth0 --dport 6931:6999 -j DNAT --to-destination 172.31.69.3
    /usr/sbin/iptables -A FORWARD -p tcp -d 172.31.69.3 --dport 6931:6999 -j ACCEPT
    /usr/sbin/iptables -A FORWARD -p udp -d 172.31.69.3 --dport 6931:6999 -j ACCEPT

    # Allow incoming eDonkey to MAIN --- not sure why I have this in here any more...but doubt it's causing the problem
    # NOTE: unlike the BitTorrent forwards above, there is no matching FORWARD ACCEPT
    # for 172.31.69.2 ports 4662/tcp and 8719/udp. With the FORWARD DROP policy these
    # DNATed packets are dropped after translation, so the two rules are dead as
    # written: either add the FORWARD rules or delete the DNAT lines.
    /usr/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 4662 -j DNAT --to-destination 172.31.69.2:4662
    /usr/sbin/iptables -A PREROUTING -t nat -p udp -i eth0 --dport 8719 -j DNAT --to-destination 172.31.69.2:8719

    # Activate IP forwarding
    /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
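The eDonkey lines in the script above are DNATed in PREROUTING but never accepted in FORWARD, a mismatch that is easy to miss when reading a long ruleset by eye. The following is an added example for this thread, not code from the original post: a small Python audit that parses an iptables-save dump, finds every DNAT rule in nat/PREROUTING, and checks that some filter/FORWARD ACCEPT rule admits the first packet to the post-DNAT destination (matching the inbound interface, protocol, target address and port range). It also flags a FORWARD chain with no ESTABLISHED,RELATED rule, since without one the LAN's return traffic is dropped. The dump embedded below is constructed from the posted script (it is not iptables-save output captured from the poster's firewall); on a live box feed it the output of `iptables-save` instead.

```python
"""Audit an iptables-save dump for DNAT port-forwards that FORWARD never accepts."""
import shlex
from collections import defaultdict

# Constructed from the script in post #1; not captured from a real firewall.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 6881:6930 -j DNAT --to-destination 172.31.69.2
-A PREROUTING -i eth0 -p udp -m udp --dport 6881:6930 -j DNAT --to-destination 172.31.69.2
-A PREROUTING -i eth0 -p tcp -m tcp --dport 6931:6999 -j DNAT --to-destination 172.31.69.3
-A PREROUTING -i eth0 -p udp -m udp --dport 6931:6999 -j DNAT --to-destination 172.31.69.3
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 172.31.69.2:4662
-A PREROUTING -i eth0 -p udp -m udp --dport 8719 -j DNAT --to-destination 172.31.69.2:8719
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 172.31.69.2/32 -p tcp -m tcp --dport 6881:6930 -j ACCEPT
-A FORWARD -d 172.31.69.2/32 -p udp -m udp --dport 6881:6930 -j ACCEPT
-A FORWARD -d 172.31.69.3/32 -p tcp -m tcp --dport 6931:6999 -j ACCEPT
-A FORWARD -d 172.31.69.3/32 -p udp -m udp --dport 6931:6999 -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Return {(table, chain): [rule, ...]} where each rule maps option name -> value.

    Only `-A` lines matter here. Negated matches (`!`) and argument-less options are
    ignored, which is sufficient for the kind of rules in this thread.
    """
    tables = defaultdict(list)
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = {"chain": toks[1], "raw": line}
            i = 2
            while i < len(toks):
                if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    rule[toks[i].lstrip("-")] = toks[i + 1]
                    i += 2
                else:
                    i += 1
            tables[(table, rule["chain"])].append(rule)
    return tables


def port_range(spec):
    """'6881:6930' -> (6881, 6930); '4662' -> (4662, 4662)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def covers(fwd, dnat, proto, ip, ports):
    """True if FORWARD rule `fwd` accepts the first packet of a flow DNATed to ip:ports."""
    if fwd.get("j") != "ACCEPT":
        return False
    state = fwd.get("state")
    if state is not None and "NEW" not in state.split(","):
        return False  # pure return-traffic rule; never admits the first inbound packet
    if "i" in fwd and fwd["i"] != dnat.get("i"):
        return False
    if "p" in fwd and fwd["p"] != proto:
        return False
    if "d" in fwd and fwd["d"].split("/")[0] != ip:
        return False
    if "dport" in fwd:
        lo, hi = port_range(fwd["dport"])
        if not (lo <= ports[0] and ports[1] <= hi):
            return False
    return True


def audit(dump):
    """Return a list of findings (empty list means every DNAT has a FORWARD path)."""
    tables = parse_rules(dump)
    forwards = tables.get(("filter", "FORWARD"), [])
    findings = []
    for r in tables.get(("nat", "PREROUTING"), []):
        if r.get("j") != "DNAT":
            continue
        ip, _, port = r["to-destination"].partition(":")
        proto = r.get("p")
        # FORWARD sees the packet after translation, so match on the rewritten port if any.
        ports = port_range(port or r.get("dport", "0:65535"))
        if not any(covers(f, r, proto, ip, ports) for f in forwards):
            findings.append(f"{proto}/{r.get('dport', 'any')} -> {ip}:{port or r.get('dport', 'any')} "
                            "DNATed but no FORWARD ACCEPT")
    if not any(f.get("j") == "ACCEPT" and "ESTABLISHED" in f.get("state", "") for f in forwards):
        findings.append("FORWARD has no ESTABLISHED,RELATED rule: return traffic for LAN flows is dropped")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP) or ["no findings"]:
        print(finding)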

  2. #2 Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    Couple of quick questions on your setup.

    1. What is the bit mask for the ip range you are using?
    2. What interface is connected to what network?
    3. Are you hosting anything and if so where?

    Regards
    Robert

    Linux: The adventure of a lifetime.
    Linux User #296285

  3. #3 Just Joined! (Join Date: Sep 2008, Posts: 2)
    Quote Originally Posted by Lazydog:
    Couple of quick questions on your setup.

    1. What is the bit mask for the ip range you are using?
    2. What interface is connected to what network?
    3. Are you hosting anything and if so where?
    1. I'm using 255.255.255.0, as I'm using IPs throughout the range.
    2. eth0 is connected to the outside world, eth1 the NATed internal network.
    3. The only thing I'm hosting is a web server on the firewall machine itself, although SSH and rsync access to that box (from the internet) is also required.

    Thanks for any assistance you can give me.

  4. #4 Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    I don't really see a reason why the downloads would stop.
    Have you tried to capture the packets and see what is going on?
    I would think something is timing out.
    Is it the MAIN or SANDY's computer that is stopping?

    Also, for the following you can remove the UDP rules in your firewall. They do not use UDP:

    Rsync
    Bittorrent
    eDonkey

    Here is an iptables tutorial that can give you some insight on how the rules can be set up.

    Regards
    Robert

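The advice above is to capture the stalled download and see what is timing out. As an added example (mine, not from the thread), the Python below reads `tcpdump -n -tt` style text lines and reports any sender that is stuck retransmitting the same segment, along with the largest segment that was demonstrably acknowledged (a TCP sender retransmits from its oldest unacknowledged byte, so everything below the stuck sequence number got through). The lines embedded in it are constructed to show one common stall shape: a 576-byte segment is delivered, then a full 1460-byte segment is retransmitted with exponential backoff and the download freezes. That shape is the classic signature of a path-MTU blackhole, but the script only surfaces the pattern; confirming the cause still needs the capture. Real input would come from something like `tcpdump -n -tt -i eth1 host <peer>` on the firewall (`-tt` gives the epoch timestamps the parser expects); lines that carry no data, such as SYNs with TCP options, are skipped.

```python
"""Find TCP senders stuck retransmitting one segment in tcpdump text output."""
import re
from collections import defaultdict

# Constructed `tcpdump -n -tt` style lines, not a capture from the poster's network:
# an HTTP download from 203.0.113.10 to 172.31.69.2 behind the NAT box.
SAMPLE_CAPTURE = """\
1222345600.000 IP 172.31.69.2.51234 > 203.0.113.10.80: Flags [S], seq 0, win 65535, length 0
1222345600.050 IP 203.0.113.10.80 > 172.31.69.2.51234: Flags [S.], seq 0, ack 1, win 5840, length 0
1222345600.050 IP 172.31.69.2.51234 > 203.0.113.10.80: Flags [.], ack 1, win 65535, length 0
1222345600.051 IP 172.31.69.2.51234 > 203.0.113.10.80: Flags [P.], seq 1:120, ack 1, win 65535, length 119
1222345600.110 IP 203.0.113.10.80 > 172.31.69.2.51234: Flags [P.], seq 1:577, ack 120, win 5840, length 576
1222345600.111 IP 172.31.69.2.51234 > 203.0.113.10.80: Flags [.], ack 577, win 65535, length 0
1222345600.170 IP 203.0.113.10.80 > 172.31.69.2.51234: Flags [.], seq 577:2037, ack 120, win 5840, length 1460
1222345600.380 IP 203.0.113.10.80 > 172.31.69.2.51234: Flags [.], seq 577:2037, ack 120, win 5840, length 1460
1222345600.800 IP 203.0.113.10.80 > 172.31.69.2.51234: Flags [.], seq 577:2037, ack 120, win 5840, length 1460
1222345601.640 IP 203.0.113.10.80 > 172.31.69.2.51234: Flags [.], seq 577:2037, ack 120, win 5840, length 1460
1222345603.320 IP 203.0.113.10.80 > 172.31.69.2.51234: Flags [.], seq 577:2037, ack 120, win 5840, length 1460
"""

# Matches the relative-sequence-number form tcpdump prints by default. Lines with
# extra fields between `win` and `length` (e.g. SYN options) do not match and are
# skipped; they carry no payload, so nothing is lost for this analysis.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\],"
    r"(?: seq (?P<seq>\d+)(?::\d+)?,)?(?: ack \d+,)? win \d+, length (?P<len>\d+)$"
)


def parse_capture(text):
    """Yield (ts, src, dst, seq, length) for data-carrying segments only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["seq"] is None or int(m["len"]) == 0:
            continue
        yield float(m["ts"]), m["src"], m["dst"], int(m["seq"]), int(m["len"])


def find_stalls(text, min_repeats=3):
    """Return {(src, dst): info} for senders whose last segment appears min_repeats+ times."""
    flows = defaultdict(list)
    for ts, src, dst, seq, length in parse_capture(text):
        flows[(src, dst)].append((ts, seq, length))
    stalls = {}
    for key, segs in flows.items():
        last_seq = segs[-1][1]
        repeats = [s for s in segs if s[1] == last_seq]
        if len(repeats) < min_repeats:
            continue
        # The sender retransmits from its oldest unacked byte, so every segment below
        # the stuck sequence number was acknowledged by the peer.
        delivered = [length for _, seq, length in segs if seq < last_seq]
        stalls[key] = {
            "stuck_seq": last_seq,
            "stuck_len": repeats[0][2],
            "retransmits": len(repeats) - 1,
            "stall_seconds": round(repeats[-1][0] - repeats[0][0], 3),
            "max_delivered_len": max(delivered, default=0),
        }
    return stalls


def describe(stalls):
    """One human-readable line per stalled sender."""
    return [
        f"{src} -> {dst}: seq {i['stuck_seq']} ({i['stuck_len']} bytes) resent "
        f"{i['retransmits']}x over {i['stall_seconds']}s; largest acked segment {i['max_delivered_len']} bytes"
        for (src, dst), i in stalls.items()
    ]


if __name__ == "__main__":
    for line in describe(find_stalls(SAMPLE_CAPTURE)) or ["no stalled senders"]:
        print(line)
```

Run it against two captures taken at the same time, one on eth0 and one on eth1. If the retransmitted segment shows up on eth0 but never leaves on eth1, the firewall is dropping it and the next places to look are the conntrack entry for that flow and the kernel log (the script sets log_martians, so rp_filter drops are logged); if it never arrives on eth0 at all, the loss is upstream of the firewall.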
