problematic in iptables

**high_density** · 02-08-2011

Hello,

I have finished reconfiguring my 1st PC Centos 5.5 with Squid and Dansguarian. Works fine the configuration is basic.

lets name it to 1st PC
eth0 - modem ip (public)
eth1 - 172.16.1.1 (LAN)

Then I've decided to change and add another Centos 5.5 for Firewall Service that is directly connected to the modem and then
shares internet connection and some ports to 1st PC.

lets name it to 2nd PC, it also has two NICS
eth0 - modem ip (public)
eth1 - 10.0.0.1 (ip to connect to the 1st pc with squid services)

so I changed the ip of the 1st PC with these
eth0 - 10.0.0.2
eth1 - 172.16.1.1 (LAN)

and connects the eth0 (10.0.0.2) of the 1st PC to the eth2 (10.0.0.1) of the 2nd PC

then I've tried browsing on the network but it does not work...

is there a simple iptables command for the 1st PC and 2nd PC?

please help...

here are the iptables script and lists of my 1st and 2nd PC

2nd PC (firewall to be)

#vi /home/user1/fw.sh

#!/bin/sh

123=/sbin/iptables
pc1=00-11-22-33-44-55
$123 -F

$123 -P INPUT DROP
$123 -P OUTPUT DROP
$123 -P FORWARD DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe iptable_nat

$123 -t nat -A POSTROUTING -o eth0 -j MASQUERADE

$123 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$123 -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$123 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#loopback
$123 -A INPUT -i lo -m comment --comment "LOOPBACK" -j ACCEPT

#ETH0 (Public IP)
$123 -A INPUT -i eth0 -s 10.0.0.2 -p icmp --icmp-type echo-request -m comment --comment "ping from squid" -j ACCEPT
$123 -A INPUT -i eth0 -p icmp --icmp-type echo-request -m mac --mac-source $pc1 -m comment --comment "pc1" -j ACCEPT
$123 -A INPUT -i eth0 -p tcp --dport 22 -m mac --mac-source $pc1 -m comment --comment "pc1" -j ACCEPT

#ETH1 (10.0.0.1)
$123 -A INPUT -i eth1 -p icmp --icmp-type echo-request -m mac --mac-source $pc1 -j ACCEPT
$123 -A INPUT -i eth1 -p tcp --dport 22 -m mac --mac-source $pc1 -j ACCEPT
$123 -A INPUT -i eth1 -s 10.0.0.2 -p icmp --icmp-type echo-request -j ACCEPT
$123 -A INPUT -i eth1 -s 10.0.0.2 -p tcp --dport 22 -j ACCEPT
$123 -A INPUT -i eth1 -s 10.0.0.2 -p tcp --dport 80 -j ACCEPT
$123 -A INPUT -i eth1 -s 10.0.0.2 -p tcp --dport 443 -j ACCEPT
$123 -A INPUT -i eth1 -s 10.0.0.2 -p tcp --dport 21 -j ACCEPT
$123 -A INPUT -i eth1 -s 10.0.0.2 -p tcp --dport 25 -j ACCEPT
$123 -A INPUT -i eth1 -s 10.0.0.2 -p tcp --dport 5901 -j ACCEPT

$123 -A OUTPUT -d 10.0.0.2 -p icmp --icmp-type echo-request -j ACCEPT
$123 -A OUTPUT -d 10.0.0.2 -p tcp --dport 5901 -j ACCEPT
$123 -A OUTPUT -d 10.0.0.2 -p tcp --dport 22 -j ACCEPT

$123 -A FORWARD -i eth0 -o eth1 -m comment --comment "FORWARD eth0 ---> eth1 ---> eth0" -j ACCEPT

$123 -A INPUT -j DROP
$123 -A OUTPUT -j DROP
$123 -A FORWARD -j DROP

#/sbin/iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere /* LOOPBACK */
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- 10.0.0.2 anywhere icmp echo-request /* ping from squid */
ACCEPT icmp -- anywhere anywhere icmp echo-request MAC 00:13:8F:20:1F:CD /* pc1 */
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh MAC 00:11:22:33:44:55 /* pc1 */
ACCEPT all -- 10.0.0.2 anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request MAC 00:11:22:33:44:55
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh MAC 00:11:22:33:44:55
ACCEPT icmp -- 10.0.0.2 anywhere icmp echo-request
ACCEPT tcp -- 10.0.0.2 anywhere tcp dpt:ssh
ACCEPT tcp -- 10.0.0.2 anywhere tcp dpt:http
ACCEPT tcp -- 10.0.0.2 anywhere tcp dpt:https
ACCEPT tcp -- 10.0.0.2 anywhere tcp dpt:ftp
ACCEPT tcp -- 10.0.0.2 anywhere tcp dpt:smtp
ACCEPT tcp -- 10.0.0.2 anywhere tcp dpt:5901
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere /* FORWARD eth0 ---> eth1 ---> eth0 */
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

#netstat -ant

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:604 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN

1st PC (Squid and Dansguardian)

#vi /home/user1/squid.sh

#IPTABLES script generated by lomeng for squid proxy

#!/bin/sh

123=/sbin/iptables
pc1=00-11-22-33-44-55
all_dept=172.16.1.50-172.16.1.100
comp_dept=172.16.1.90-172.16.1.100
eth0=10.0.0.2
fwall=10.0.0.1

#FLUSH

$123 -F

#POLICY

$123 -P INPUT DROP
$123 -P OUTPUT DROP
$123 -P FORWARD DROP

$123 -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
$123 -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# RESPOSNSES

$123 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$123 -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$123 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ETH0 Connected to Firewall (10.0.0.1)

# INPUT

$123 -A INPUT -i lo -m comment --comment "INCOMING LOOPBACK INTERFACE" -j ACCEPT

$123 -A INPUT -i eth0 -p icmp --icmp-type echo-request -s $fwall -m comment --comment "ping from firewall" -j ACCEPT

$123 -A INPUT -i eth0 -p tcp --dport 22 -s $fwall -m comment --comment "ssh from firewall" -j ACCEPT

$123-A INPUT -i eth0 -p tcp --dport 5901 -s $fwall -m comment --comment "vnc from firewall" -j ACCEPT

#OUTPUT

$123 -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -d $fwall -j ACCEPT

$123 -A OUTPUT -o eth0 -p icmp --icmp-type echo-request -d $fwall -j ACCEPT

$123 -A OUTPUT -o eth0 -p tcp --dport 80 -d $fwall -j ACCEPT

$123 -A OUTPUT -o eth0 -p tcp --dport 443 -d $fwall -j ACCEPT

$123 -A OUTPUT -o eth0 -p tcp --dport 21 -d $fwall -j ACCEPT

$123 -A OUTPUT -o eth0 -p tcp --dport 3128 -d $fwall -j ACCEPT

$123 -A OUTPUT -o eth0 -p tcp --dport 22 -d $fwall -j ACCEPT

$123 -A OUTPUT -o eth0 -p tcp --dport 5901 -d $fwall -j ACCEPT

# ETH1 Connected to LAN IP 172.16.1.50 - 172.16.1.100

# INPUT

$123 -A INPUT -i lo -m comment --comment "INCOMING LOOPBACK INTERFACE" -j ACCEPT

$123 -A INPUT -i eth1 -p tcp --dport 22 -m mac --mac-source $pc1 -j ACCEPT

$123 -A INPUT -i eth1 -p icmp --icmp-type echo-request -m iprange --src-range $comp_dept -j ACCEPT

$123 -A INPUT -i eth1 -p tcp --dport 8080 -m iprange --src-range $all_dept -j ACCEPT

$123 -A INPUT -i eth1 -p tcp --dport 5901 -m mac --mac-source $pc1 -j ACCEPT

# OUTPUT

$123 -A OUTPUT -o lo -m comment --comment "OUTGOING LOOPBACK INTERFACE" -j ACCEPT

$123 -A OUTPUT -o eth1 -p icmp --icmp-type echo-request -m iprange --dst-range $comp_dept -j ACCEPT

$123-A OUTPUT -o eth1 -p tcp --dport 8080 -m iprange --dst-range $all_dept -j ACCEPT

$123 -A OUTPUT -o eth1 -p tcp --dport 25 -m iprange --dst-range $all_dept -j ACCEPT

$123 -A OUTPUT -o eth1 -p tcp --dport 5901 -m iprange --dst-range $comp_dept -j ACCEPT

$123 -A OUTPUT -o eth1 -p tcp --dport 80 -m iprange --dst-range $comp_dept -j ACCEPT

$123 -A OUTPUT -o eth1 -p tcp --dport 443 -m iprange --dst-range $comp_dept -j ACCEPT

$123 -A OUTPUT -o eth1 -p tcp --dport 21 -m iprange --dst-range $comp_dept -j ACCEPT

# FORWARDING

$123 -A FORWARD -i eth0 -o eth1 -m comment --comment "FORWARD eth0 ---> eth1 ---> eth0" -j ACCEPT

$123 -A FORWARD -i eth1 -o eth0 -m comment --comment "FORWARD eth1---> eth0 ---> eth1" -j ACCEPT

$123 -A INPUT -j DROP
$123 -A OUTPUT -j DROP
$123 -A FORWARD -j DROP

#/sbin/iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere /* INCOMING LOOPBACK INTERFACE */
ACCEPT icmp -- 10.0.0.1 anywhere icmp echo-request /* ping from firewall */
ACCEPT tcp -- 10.0.0.1 anywhere tcp dpt:ssh /* ssh from firewall */
ACCEPT tcp -- 10.0.0.1 anywhere tcp dpt:5901 /* vnc from firewall */
ACCEPT all -- anywhere anywhere /* INCOMING LOOPBACK INTERFACE */
ACCEPT icmp -- anywhere anywhere icmp echo-request source IP range 172.16.1.90-172.16.1.100
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache source IP range 172.16.1.50-172.16.1.100
ACCEPT tcp -- anywhere anywhere tcp dpt:5901 MAC 00:11:22:33:44:55
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere /* FORWARD eth0 ---> eth1 ---> eth0 */
ACCEPT all -- anywhere anywhere /* FORWARD eth1---> eth0 ---> eth1 */
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere 10.0.0.1 icmp echo-request
ACCEPT icmp -- anywhere 254.232.99.100 icmp echo-request
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:http
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:https
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:ftp
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:squid
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:ssh
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:5901
ACCEPT all -- anywhere anywhere /* OUTGOING LOOPBACK INTERFACE */
ACCEPT icmp -- anywhere anywhere icmp echo-request destination IP range 172.16.1.90-172.16.1.100
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache destination IP range 172.16.1.50-172.16.1.100
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp destination IP range 172.16.1.50-172.16.1.100
ACCEPT tcp -- anywhere anywhere tcp dpt:5901 destination IP range 172.16.1.90-172.16.1.100
ACCEPT tcp -- anywhere anywhere tcp dpt:http destination IP range 172.16.1.90-172.16.1.100
ACCEPT tcp -- anywhere anywhere tcp dpt:https destination IP range 172.16.1.90-172.16.1.100
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp destination IP range 172.16.1.90-172.16.1.100
DROP all -- anywhere anywhere

#netstat -ant

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:869 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3128 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN

if there would be any basic solution please help me

**rafatmb** · 02-08-2011

Hi.

First, what you want to do that's not working?

**Lazydog** · 02-08-2011

Originally Posted by high_density

Hello,

I have finished reconfiguring my 1st PC Centos 5.5 with Squid and Dansguarian. Works fine the configuration is basic.

lets name it to 1st PC
eth0 - modem ip (public)
eth1 - 172.16.1.1 (LAN)

Then I've decided to change and add another Centos 5.5 for Firewall Service that is directly connected to the modem and then
shares internet connection and some ports to 1st PC.

lets name it to 2nd PC, it also has two NICS
eth0 - modem ip (public)
eth1 - 10.0.0.1 (ip to connect to the 1st pc with squid services)

so I changed the ip of the 1st PC with these
eth0 - 10.0.0.2
eth1 - 172.16.1.1 (LAN)

and connects the eth0 (10.0.0.2) of the 1st PC to the eth2 (10.0.0.1) of the 2nd PC

then I've tried browsing on the network but it does not work...

is there a simple iptables command for the 1st PC and 2nd PC?

please help...

Can PC1 ping PC2 ip address of 10.0.0.1?

When connecting 2 PC's together you need a crossover cable to connect them. It has been said that modern hardware is aware of this and will make the corrections on the fly. I don't trust any software to do this for me and only use crossover cables when connecting PC's together.

Is FORWARDing turned on in PC2? You can check this by looking at /etc/sysctl.conf for the line;

Code:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

If yours does not have a '1' at the end like above then change it to a '1' and run the following command after you save it:

Code:

sysctl -p

to re-read the config file and apply the new settings.

I haven't read all of your firewall rules but this is normally what the holdup is when connecting 2 PC's together.

If you are still having issues after the above have been checked and are working run the following command;

Code:

service iptables save

on both machines and then post the contents of the file /etc/sysconfig/iptbales in between CODE tags. CODE tags make reading a lot easier and it keeps the format. The easiest way to get the CODE tags is to click on the '#' in the posting window.

**high_density** · 02-08-2011

sir Lazydog

yes, I used crossover cable that connects 10.0.0.1 and 10.0.0.2 and both pc can reply icmp 10.0.0.1 - 10.0.0.2 I also changed the values from 0 to 1 in /etc/sysctl.conf on both pc's

**high_density** · 02-08-2011

Sir rafatmb

yes it doesent work, I just want to try that iptables (PC2) would be the main gateway that shares internet connection directly to squid server (PC1) that also shares internet connection to the LAN

**high_density** · 02-09-2011

Sir's

I'll lets make the question simple,

How will I share internet connection using iptables from a linux box to another linux box

sorry but really this is bugging me.

**rafatmb** · 02-09-2011

Well, there are a lot of possibilities to make that. Using very efficient scripts, or even a specific linux distro, like smothwall or ipcop.

I'm sending to you a very simple script, that will do what you need, without advanced features:

PC2 (the firewall that is directly connected to the internet):

# enable forwarding packets
echo 1 > /proc/sys/net/ipv4/ip_forward
# cleaning tables
iptables -F
iptables -t nat -F
iptables -t mangle -F
# setting default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

##
# INPUT
##
# Accept ESTABLISHED and RELATED
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept packets from inside (from PC1)
iptables -A INPUT -s 10.0.0.0/24 -i eth1 -m state --state NEW,ESTABLISHED -j ACCEPT

# Accept from loopback
iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW,ESTABLISHED -j ACCEPT

##
#FORWARD
##
# Accept ESTABLISHED and RELATED
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept packets from inside to internet (from PC1)
iptables -A FORWARD -s 10.0.0.0/24 -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

# Finally, NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

PC1 - Proxy (connected on PC1 and LAN)

# enable forwarding packets
echo 1 > /proc/sys/net/ipv4/ip_forward
# cleaning tables
iptables -F
iptables -t nat -F
iptables -t mangle -F
# setting default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

##
# INPUT
##
# Accept ESTABLISHED and RELATED
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept packets from inside (LAN)
iptables -A INPUT -s 172.16.1.0/24 -i eth1 -m state --state NEW,ESTABLISHED -j ACCEPT

# Accept from loopback
iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW,ESTABLISHED -j ACCEPT

##
#FORWARD
##
# Accept ESTABLISHED and RELATED
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept packets from inside to internet (LAN)
iptables -A FORWARD -s 172.16.1.0/24 -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT

# Finally, NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Try this, probably will work.

**high_density** · 02-09-2011

Sir rafatmb

I'll make try of this sir,

thanks for the help

Thread Tools

Display

problematic in iptables

Posting Permissions