On Sunday 05 January 2003 10:19 am, Subba Rao wrote:
> Hi
>
> My system is running kernel 2.4.20 with iptables compiled into the
> kernel. The system has 2 interfaces. ETH0 is connected to the Internet
> (via cablemodem) and ETH1 is connected to my home LAN which has only
> one W2K laptop.
>
> My W2K is configured with the Linux system as the gateway. Both
> systems can ping each other.
> However my laptop is not able to go out to the Internet.
>
> I am desperately trying to make my W2K laptop connect to the Internet.
>
> Please let me know how to make this work.
>
> Thank you in advance.
>
> Subba Rao
> subba3@cablespeed.com
>
> #!/bin/sh
>
> echo "Starting Firewall....."
>
> INTERNAL_NET="10.0.0.0/24"
>
> INTERNET=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d \ -f 1`

This is extracting the IP address of your external connection from the output of 'ifconfig eth0'. Are you on a dynamic IP with a long lease-time? If so you may get away with using this with SNAT. If you're on a static IP this is unnecessary, just use the actual IP in the script. If your IP changes fairly frequently, don't bother with this and just use the MASQUERADE target.

> # Flush the tables
> /usr/sbin/iptables -F INPUT
> /usr/sbin/iptables -F OUTPUT
> /usr/sbin/iptables -F FORWARD
> /usr/sbin/iptables -t nat -F
>
> # Set default policies for packet entering this box
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT

Set FORWARD policy to DROP as well. The only things you want this box to forward are those you explicitly allow. Try using these rules for a start:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT

These should allow the laptop to browse the web. For other services, like email, add appropriate rules for the needed ports.
The first rule here accepts any packet that is part of an ESTABLISHED connection, or RELATED to one, regardless of its source. The remainder allow explicitly defined connections from the LAN to be forwarded to the internet. With these three rules the laptop can connect out, but the internet cannot connect in, only respond to a connection initiated by the laptop.

> # Allow some packets in but accept all those on the internal interface
> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
> /usr/sbin/iptables -A INPUT -i eth1 -j ACCEPT

The second one means anyone on the internet can connect to your firewall box on any port, bypassing the DROP policy you set. Bad idea. The third means any connection from the local network to the firewall machine directly is accepted, which is OK since only your laptop is on the local network, but is a bad idea for a large network.

> # Masquerade internal system with the public IP address
>
> iptables -t nat -A POSTROUTING -d $INTERNAL_NET -o $INTERNET -j ACCEPT
> iptables -t nat -A POSTROUTING -o $INTERNET -s $INTERNAL_NET -j
> MASQUERADE

First rule here is bad.

A - Destination IP of local network should never be going out the internet connection, so it should never match anything.
B - If your intention is to ACCEPT anything from the internet going TO the local network, you shouldn't, because:
C - PREROUTING and POSTROUTING chains of the NAT table are for NAT only, not filtering, so you should just rely on the accept policy. The only time you should ACCEPT in a NAT chain rule is if you want to bypass a later rule, i.e. you can ACCEPT specific traffic, then NAT whatever remains.
D - INTERNET is set to be the IP address of eth1, your external connection. "-o" and "-i" matches are for interfaces, not IPs, so you should use something like "-o eth1" or "-i eth0" here.

Second rule here is bad as well, for reason D above.
Also, you are using the MASQUERADE target, which is fine if you have a dynamic IP, but you are going to the trouble of determining your public IP at the start, which leads me to think you intend to use it directly in a SNAT. If you are on a dynamic IP stick with MASQUERADE; if static IP use "-j SNAT --to $INTERNET", based on your assignment above, or better yet just assign the IP in the script instead of extracting it from the output of 'ifconfig eth1' at the top.

> # Block inbound connections
>
> /usr/sbin/iptables -A INPUT -i eth0 -p tcp --syn -j DROP
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies

The first one here turns on forwarding, but if you're using the MASQUERADE target you need to enable dynamic IP tracking as well, with:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr
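Below is a complete gateway script assembled from the advice in this reply. It is an added example, not part of the original thread and not the poster's script. It assumes eth0 is the internet side and eth1 the LAN (as in the posted script), keeps the 10.0.0.0/24 LAN prefix, and guesses a port list (TCP 80 and 443, UDP 53) for what the laptop needs; the 203.0.113.5 address used in the notes is a constructed placeholder. The rules are printed as commands rather than executed directly, so the set can be reviewed (or tested) without root and applied with `./fw.sh apply`.

```shell
#!/bin/sh
# Added example, not from the original thread. Two-interface home gateway
# built from the reply's advice: deny-by-default INPUT and FORWARD, stateful
# forwarding for LAN-initiated connections only, NAT keyed on the interface
# name (not an address), MASQUERADE for a dynamic IP or SNAT for a static one.
# Interface names, LAN prefix and port list are assumptions; adjust to the box.
EXT_IF="${EXT_IF:-eth0}"           # internet side (cablemodem)
INT_IF="${INT_IF:-eth1}"           # home LAN side
INT_NET="${INT_NET:-10.0.0.0/24}"  # LAN prefix from the posted script
EXT_IP="${EXT_IP:-}"               # set only if the public IP is static -> SNAT
TCP_PORTS="${TCP_PORTS:-80 443}"   # outbound TCP services the LAN may open
UDP_PORTS="${UDP_PORTS:-53}"       # outbound UDP services (DNS)
IPT="${IPTABLES:-iptables}"

# Emit the rule set as shell commands, one per line.
build_rules() {
    # flush, then set the policies: only OUTPUT from the box itself is open
    echo "$IPT -F INPUT"
    echo "$IPT -F OUTPUT"
    echo "$IPT -F FORWARD"
    echo "$IPT -t nat -F"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"

    # traffic addressed to the firewall: loopback, replies, and the LAN side.
    # No blanket ACCEPT on $EXT_IF; the INPUT DROP policy covers the internet.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # acceptable for a one-laptop LAN; restrict to needed ports on a larger one
    echo "$IPT -A INPUT -i $INT_IF -s $INT_NET -j ACCEPT"

    # forwarding: replies to LAN-initiated connections, plus explicit new ones
    # from the LAN out to the internet. Nothing from the internet side is NEW.
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $TCP_PORTS; do
        echo "$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "$IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -p udp --dport $p -j ACCEPT"
    done

    # NAT only in the nat table, no ACCEPT rules there; -o takes an interface
    if [ -n "$EXT_IP" ]; then
        echo "$IPT -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j SNAT --to-source $EXT_IP"
    else
        echo "$IPT -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE"
        # dynamic address: let conntrack follow the changing public IP
        echo "echo 1 > /proc/sys/net/ipv4/ip_dynaddr"
    fi
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies"
}

# Feed the generated commands to a shell (needs root).
apply_rules() {
    build_rules | sh
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;   # default: print for review
esac
```

Run it with no arguments to see the rule set, and compare the output against the posted script: the nat table carries only the MASQUERADE (or SNAT) rule, every `-i`/`-o` names an interface, and there is no `-A INPUT -i eth0 -j ACCEPT`. For a static address run `EXT_IP=203.0.113.5 ./fw.sh` and the MASQUERADE line is replaced by `SNAT --to-source 203.0.113.5` with no ip_dynaddr write.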