  1. #1
    Just Joined! | Join Date: Apr 2009 | Posts: 4

    [Debian] iptables and forwarding problem

    Hey there,

    I'm pretty new to the whole linux world. Most of it was rather easy, but now I've gotten to a point where I'm gonna need some help. I have the following setup:

    Internet ---> DSL Modem ---> Linux Box ---> Wireless Router

    The Debian Box establishes a PPPoE connection to the Internet on the first NIC. The second NIC is connected to the WAN Port of the Linksys WRT54GL. Now the router is running several services: squid, havp, dansguardian, bind9, etc. When connecting directly to the machine by entering the proxy information in the browser, everything works just fine. But when attaching the router back to the WAN port, websites are not reachable. I can successfully ping the website's IP from the router (name resolution does not work), but that's pretty much it. I have found a kinda iptables script on the internet, but it seems to not be forwarding all necessary parts:

    Code:
    #! /bin/bash
    
    # Interface that reaches the Internet and the LAN-side NIC.
    # NOTE: with a PPPoE uplink the IP-bearing interface is the ppp link
    # (usually ppp0), not the Ethernet NIC that carries the PPPoE frames;
    # "-o eth1"/"-i eth1" then never match routed IP packets, and ifconfig
    # shows no "inet addr" on eth1 either. Check with: ip addr ; ip route
    IF_INET="eth1"
    IF_LAN="eth0"
    IF_LAN_NET="192.168.1.120/24"    # defined but not used below
    
    #         (SMB)    (NFS)     (X11)
    BAD_TCP="135:139 1433 2049 5999:6063"
    BAD_UDP="135:139 1433 2049 5999:6063"
    
    
    case "$1" in
      start)
            echo "Cleaning up..."
            # disable forwarding while the rule set is rebuilt
            echo 0 > /proc/sys/net/ipv4/ip_forward
            iptables -F
            iptables -t nat -F
            iptables -t mangle -F
    
            echo -n "Determining IP address of Internet interface... "
            IF_INET_IP="`ifconfig $IF_INET | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
            echo "$IF_INET_IP"
    
            echo "Creating IPTABLES rules:"
            echo "  Masquerading..."
            # NAT for everything that leaves through the Internet interface
            iptables -t nat -A POSTROUTING -o $IF_INET -j MASQUERADE
    
            echo "  Protecting well-known ports..."
            # drop SMB/NFS/X11 traffic in both directions on every chain
            for i in $BAD_TCP; do
              iptables -A INPUT -p tcp --dport $i -j DROP
              iptables -A INPUT -p tcp --sport $i -j DROP
              iptables -A OUTPUT -p tcp --dport $i -j DROP
              iptables -A OUTPUT -p tcp --sport $i -j DROP
              iptables -A FORWARD -p tcp --dport $i -j DROP
              iptables -A FORWARD -p tcp --sport $i -j DROP
            done
            for i in $BAD_UDP; do
              iptables -A INPUT -p udp --dport $i -j DROP
              iptables -A INPUT -p udp --sport $i -j DROP
              iptables -A OUTPUT -p udp --dport $i -j DROP
              iptables -A OUTPUT -p udp --sport $i -j DROP
              iptables -A FORWARD -p udp --dport $i -j DROP
              iptables -A FORWARD -p udp --sport $i -j DROP
            done
    
            echo "  Rules for ICMP..."
            #   0: echo reply
            #   3: destination unreachable
            #   4: source quench
            #   5: redirect
            #   8: echo request
            #   9: router advertisement
            #  10: router solicitation
            #  11: time exceeded
            #  12: parameter-problem
            #  13: timestamp request
            #  14: timestamp reply
            #  15: information request
            #  16: information reply
            #  17: address mask request
            #  18: address mask reply
    
            # inbound ICMP: only the listed types are accepted, the rest is
            # logged (rate limited) and dropped
            iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
            iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
            iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
            iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
            iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
            iptables -A INPUT -p icmp --icmp-type 14 -j ACCEPT
            iptables -A INPUT -p icmp --icmp-type 16 -j ACCEPT
            iptables -A INPUT -p icmp --icmp-type 18 -j ACCEPT
            iptables -A INPUT -p icmp -j LOG -m limit --log-prefix "FILTER ICMP-BAD-TYPE-IN:"
            iptables -A INPUT -p icmp -j DROP
    
            # outbound ICMP: same scheme. Type 3 (destination unreachable) is
            # not in this list, so unreachables generated by the box itself
            # (the TYPE=3 CODE=1 messages on OUT=lo in the syslog entries
            # below) are logged and dropped by the last two rules
            iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
            iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
            iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
            iptables -A OUTPUT -p icmp --icmp-type 13 -j ACCEPT
            iptables -A OUTPUT -p icmp --icmp-type 15 -j ACCEPT
            iptables -A OUTPUT -p icmp --icmp-type 17 -j ACCEPT
            iptables -A OUTPUT -p icmp -j LOG -m limit --log-prefix "FILTER ICMP-BAD-TYPE-OUT:"
            iptables -A OUTPUT -p icmp -j DROP
    
            # all ICMP is forwarded, regardless of interface or state
            iptables -A FORWARD -p icmp -j ACCEPT
    
            echo "  Stateful inspection..."
            # replies are accepted only when they arrive on $IF_INET; if the
            # real uplink has another name (e.g. ppp0) return traffic for
            # forwarded TCP/UDP falls through to the FORWARD DROP policy
            iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $IF_INET -j ACCEPT
            iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $IF_INET -j ACCEPT
    
            echo "  Rules for Loopback Interface..."
            iptables -A INPUT -i lo -j ACCEPT
            iptables -A OUTPUT -o lo -j ACCEPT
    
            echo "  Rules for local LAN..."
            # anything entering on the LAN NIC may reach the box or be forwarded
            iptables -A INPUT -i $IF_LAN -j ACCEPT
            iptables -A FORWARD -i $IF_LAN -j ACCEPT
    
            echo "  Local public services (all interfaces):"
            echo "    SSH..."
            iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    
            #echo "  Forwarding:"
            #echo "    SSH..."
            #iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 22 -j ACCEPT
            #iptables -t nat -A PREROUTING -i $IF_INET -p tcp -d $IF_INET_IP --dport 2222 -j DNAT --to 192.168.0.100:22
    
            echo "  Logging & Dropping..."
            #iptables -A INPUT -p tcp -j LOG -m limit --log-prefix "FILTER TCP-BAD-IN:"
            #iptables -A INPUT -p tcp -j DROP
            #iptables -A INPUT -p udp -j LOG -m limit --log-prefix "FILTER UDP-BAD-IN:"
            #iptables -A INPUT -p udp -j DROP
            #iptables -A INPUT -j LOG -m limit --log-prefix "FILTER UNKNOWN-BAD-IN:"
            #iptables -A INPUT -j DROP
            #iptables -A FORWARD -p tcp -j LOG -m limit --log-prefix "FILTER TCP-BAD-FWD:"
            #iptables -A FORWARD -p tcp -j DROP
            #iptables -A FORWARD -p udp -j LOG -m limit --log-prefix "FILTER UDP-BAD-FWD:"
            #iptables -A FORWARD -p udp -j DROP
            #iptables -A FORWARD -j LOG -m limit --log-prefix "FILTER UNKNOWN-BAD-FWD:"
            #iptables -A FORWARD -j DROP
    
            echo "Setting up spoofing protection..."
            # reverse path filtering on every interface
            for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
              echo 1 > "$i"
            done
            
            # disable source routed packets
            echo "Disabling source routed packets..."
            for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
              echo 0 > "$i"
            done
    
            echo "Setting default policy..."
            # anything not accepted above is dropped; OUTPUT stays open
            iptables -P INPUT DROP
            iptables -P OUTPUT ACCEPT
            iptables -P FORWARD DROP
    
            echo "Starting up routing..."
            echo 1 > /proc/sys/net/ipv4/ip_forward
            ;;
      stop)
            echo "Shutting down routing..."
            echo 0 > /proc/sys/net/ipv4/ip_forward
            # reset all three default policies before flushing; otherwise
            # FORWARD stays at DROP after "stop"
            iptables -P INPUT ACCEPT
            iptables -P OUTPUT ACCEPT
            iptables -P FORWARD ACCEPT
            iptables -F
            iptables -t nat -F
            iptables -t mangle -F
            ;;
      *)
            echo "Usage: ./filter {start|stop}"
            exit 1
            ;;
    esac
    
    exit 0
    I deactivated the logging and dropping part, because I found these entries in my syslog:

    Code:
    Apr 10 21:55:23 avalon kernel: [ 8702.196179] FILTER ICMP-BAD-TYPE-OUT:IN= OUT=lo SRC=192.168.1.120 DST=192.168.1.120 LEN=68 TOS=0x10 PREC=0xC0 TTL=64 ID=18591 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.120 DST=192.168.1.133 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=26022 DF PROTO=TCP SPT=22 DPT=49965 WINDOW=15048 RES=0x00 ACK URGP=0 ] 
    Apr 10 21:56:38 avalon kernel: [ 8777.196112] FILTER ICMP-BAD-TYPE-OUT:IN= OUT=lo SRC=192.168.1.120 DST=192.168.1.120 LEN=68 TOS=0x10 PREC=0xC0 TTL=64 ID=18592 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.120 DST=192.168.1.133 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=26023 DF PROTO=TCP SPT=22 DPT=49965 WINDOW=15048 RES=0x00 ACK URGP=0 ] 
    Apr 10 21:57:53 avalon kernel: [ 8852.196128] FILTER ICMP-BAD-TYPE-OUT:IN= OUT=lo SRC=192.168.1.120 DST=192.168.1.120 LEN=68 TOS=0x10 PREC=0xC0 TTL=64 ID=18593 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.120 DST=192.168.1.133 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=26024 DF PROTO=TCP SPT=22 DPT=49965 WINDOW=15048 RES=0x00 ACK URGP=0 ] 
    Apr 10 21:59:08 avalon kernel: [ 8927.196105] FILTER ICMP-BAD-TYPE-OUT:IN= OUT=lo SRC=192.168.1.120 DST=192.168.1.120 LEN=68 TOS=0x10 PREC=0xC0 TTL=64 ID=18594 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.120 DST=192.168.1.133 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=26025 DF PROTO=TCP SPT=22 DPT=49965 WINDOW=15048 RES=0x00 ACK URGP=0 ] 
    Apr 10 22:00:23 avalon kernel: [ 9002.196116] FILTER ICMP-BAD-TYPE-OUT:IN= OUT=lo SRC=192.168.1.120 DST=192.168.1.120 LEN=68 TOS=0x10 PREC=0xC0 TTL=64 ID=18595 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.120 DST=192.168.1.133 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=26026 DF PROTO=TCP SPT=22 DPT=49965 WINDOW=15048 RES=0x00 ACK URGP=0 ]
    Any clues, ideas or hints?


    Ben
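As an added illustration (not part of the thread or of the posted script), the following Python model walks the FORWARD chain in the order the script above appends its rules and evaluates a few constructed packets. The uplink name is a parameter: the script configures eth1, whereas a PPPoE connection normally carries IP on ppp0, so the same return traffic is checked under both names.

```python
from dataclasses import dataclass

# Interface names as configured in the posted script.
IF_INET = "eth1"
IF_LAN = "eth0"
# BAD_TCP/BAD_UDP from the script: "135:139 1433 2049 5999:6063"
BAD_PORTS = [(135, 139), (1433, 1433), (2049, 2049), (5999, 6063)]


@dataclass
class Packet:
    """Constructed view of one forwarded packet (port 0 = not applicable)."""
    in_if: str      # ingress interface
    proto: str      # "tcp", "udp" or "icmp"
    state: str      # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    sport: int = 0
    dport: int = 0


def port_is_bad(port):
    return any(lo <= port <= hi for lo, hi in BAD_PORTS)


def forward_verdict(pkt, inet_if=IF_INET, lan_if=IF_LAN):
    """Walk the FORWARD chain in the order the script appends its rules."""
    # "Protecting well-known ports": tcp/udp with a bad sport or dport is dropped
    if pkt.proto in ("tcp", "udp") and (port_is_bad(pkt.sport) or port_is_bad(pkt.dport)):
        return "DROP (bad port)"
    # "Rules for ICMP": -A FORWARD -p icmp -j ACCEPT, any interface, any state
    if pkt.proto == "icmp":
        return "ACCEPT (icmp)"
    # "Stateful inspection": replies count only if they enter on inet_if
    if pkt.state in ("ESTABLISHED", "RELATED") and pkt.in_if == inet_if:
        return "ACCEPT (established)"
    # "Rules for local LAN": -A FORWARD -i $IF_LAN -j ACCEPT
    if pkt.in_if == lan_if:
        return "ACCEPT (lan)"
    # "Setting default policy": -P FORWARD DROP
    return "DROP (policy)"


def replies_through(uplink, inet_if=IF_INET):
    """Verdicts for constructed return traffic arriving on `uplink`."""
    samples = {
        "icmp echo reply": Packet(uplink, "icmp", "ESTABLISHED"),
        "dns reply": Packet(uplink, "udp", "ESTABLISHED", sport=53, dport=40000),
        "http reply": Packet(uplink, "tcp", "ESTABLISHED", sport=80, dport=40001),
    }
    return {name: forward_verdict(p, inet_if) for name, p in samples.items()}
```

ICMP is forwarded by an interface-independent rule, while TCP/UDP replies depend on the `-i $IF_INET` state rule, so the two behave differently as soon as the configured uplink name does not match the interface the replies actually arrive on.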

  2. #2
    Just Joined! | Join Date: Apr 2009 | Posts: 4
    Any ideas? Or would it be better to move it to the Debian Forum?

  3. #3
    Just Joined! | Join Date: Apr 2009 | Location: Houston, TX | Posts: 1
    That happened once to me...
    I was not using iptables at that time, but it was a similar problem. I could ping the IP of the websites but couldn't ping the URL itself. To solve the problem I had to change the nameserver in the /etc/resolv.conf file.
