l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
August 5: Social gathering
Next Installfest:
TBD
Latest News:
Jul. 4: July, August and September: Security, Photography and Programming for Kids
Page last updated:
2002 Mar 15 20:24

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Re: Masquerading
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Re: Masquerading



Hmmm... Looks right (not very robust, but right). Can 
you get to the inet from that box without messing with 
the iptables? If you don't know, then issue the 
following: (Caution this is opening up your box 
completly)
#
# Fulsh all entries and set all policies to ACCEPT
iptables -F 
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#
# Check to make sure everything took
iptables -L
iptables -t nat -L

The output from the last 2 should show:
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

then (from the second one):
Chain PREROUTING (policy ACCEPT)
Chain POSTROUTING (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

Then try to ping/ftp/browswe to something on the inet 
(that you can get to from a working machine). There's no 
use in trying to service clients if you can't service 
yourself. If this doesn't work, stop. There is a problem 
with your network setup and we should be looking 
elseware.

If it does work, then try issuing the following:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Double check that eth0 is indeed your interface to the 
outside world (don't be embarrassed if it isn't, happens 
to all of us).

Then list them again just to make sure
iptables -L
iptables -t nat -L

you should get output like:
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

then (from the second one):
Chain PREROUTING (policy ACCEPT)
Chain POSTROUTING (policy ACCEPT)
target     prot opt source destination         
MASQUERADE  all  --  anywhere anywhere           
Chain OUTPUT (policy ACCEPT)

you may see the colum headers (target, prot, opt, etc) 
in between each chain listing, as long as it's empty 
(except the MASQURADE entry) your ok.

If your still hosed, send the output from the iptables -
L commands and lsmod

-doug

> Thanks.
> 
> Yes, you are right, I'm using iptables - and it seems 
to be working - but
> not sharing the internet with my clients.  I tried a 
real simple script to
> start with:
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
>    iptables --flush
>    iptables --table nat --flush
>    iptables --delete-chain
>    iptables --table nat --delete-chain
> 
>    iptables --table nat --append POSTROUTING --out-
interface eth0 -j
> MASQUERADE
>    iptables --append FORWARD --in-interface eth1 -j 
ACCEPT
> 
> Which didn't seem to help.  I then downloaded a far 
more complex one from
> the Internet from someone with almost the same config 
as me - still no luck.
> 
> My cards seem to be okay - all I can think is that my 
routing is wrong - or
> there is soe other conf files tucked away that I need 
to set.
> 
> Thanks for your feedback.
> 
> Regards
> 
> Martyn R. Whittaker
> 317 Encina Ave., Davis, CA 95616 USA
> p. +1 530 756 2867  f. +1 253 498 9591  m. +1 916 813 
7061
> ----- Original Message -----
> From: <mrdoug@attbi.com>
> To: <vox-tech@lists.lugod.org>
> Cc: "Martyn R Whittaker" <martyn.whittaker@virgin.net>
> Sent: Friday, March 15, 2002 5:44 AM
> Subject: Re: [vox-tech] Re: Masquerading
> 
> 
> > whoa, whoa, whoa....
> >
> > If he's using RedHat 7.2, then he's using the 2.4 
kernel
> > so the firewall solutions listed below may not work.
> > With the 2.4 kernel there is an option to quit using 
the
> > ipchains and move on to the new and improved 
iptables.
> >
> > First step, type "iptables -L" then "ipchains -L" 
one of
> > these will work and one will return an error. This 
will
> > determine how to setup the firewall. Iptables has a
> > completly differant flow than ipchains. You set up
> > Nat/masq in a differant place.
> >
> > Also with newer distro's it is not necessary to use
> > ifconfig commands in the scripts. Simply set up the
> > network to point to the appropriate places. This will
> > eliminate future confussion when dealing with network
> > settings (hmm... the /etc/sysconfig/networking/ifup-
eth0
> > file has the correct config but nothing's working... 
I
> > wonder where else I might have messed with the 
settings.
> > Let's start grepping through all my scripts to figure
> > out what's up).
> >
> > Martyn, If you can tell me which of the above 
commands
> > work, I'll show you a script.
> >
> > BTW I agree with all other points below. You should 
set
> > up the firewall that blocks all traffic then start
> > allowing specific traffic. Being on DSL and/or Cable
> > broadband with no firewall is asking for trouble.
> > > On Thu, 14 Mar 2002, Peter Jay Salzman wrote:
> > >
> > > > martyn,
> > > >
> > > > it's been a long while since i've done 
masquerading by hand (how
> > > > embarrasing!) but off the top of my head, do 
this:
> > >
> > > Been awhile for me too... :)  scripts spoil me.... 
even ones I have
> > > written.
> > >
> > > > on linux:
> > > >
> > > > point your DNS to your ISP's DNS servers 
(/etc/resolv.conf)
> > > >
> > > > # bring up the interfaces
> > > > ifconfig eth0 external-ip up
> > > > ifconfig eth1 192.168.0.1 up
> > > > # set up routing
> > > > route add default gateway your-ISP-gateway
> > > > # set a default policy for the forwarding chain
> > > > /sbin/ipchains -P forward DENY
> > > > # enable the masquerading
> > > > echo "1" > /proc/sys/net/ipv4/ip_forward
> > >
> > > > # do the masquerading
> > > > /sbin/ipchains -A forward -s 192.168.0.2 -j 
MASQ -i eth0
> > > > /sbin/ipchains -A forward -s 192.168.0.3 -j 
MASQ -i eth0
> > >
> > > This looks like it will work, but I'll throw in 
some comments
> > > anyway:
> > >
> > > a) this masquerades exactly two internal machines 
out the door. To masq
> > >    all computers on your internal network, use
> > >      /sbin/ipchains -A forward -s 192.168.0.0/24 -
j MASQ -i eth0
> > >    which says any ip beginning with 192.168.0 can 
get out.
> > >
> > > b) note that each ipchains command is 
incremental... if you don't
> > >    get it right the first time, you will need to 
remove your
> > >    mistake from the ruleset.  I find the easiest 
way is to edit
> > >    a script that clears the whole thing and builds 
the whole
> > >    ruleset from scratch, so you know every rule is 
in the right
> > >    place.
> > >
> > > In a more general vein...
> > >
> > > c) I highly recommend the use of a firewall 
script.  ADSL means
> > >    you are subject to continuous bombardment.  I 
don't know
> > >    anything about "Firestarter", but you need 
something.
> > >    Seawall (kernel 2.2), Shorewall (kernel 2.3), 
and rcf (I think
> > >    2.2) seem to be well regarded.  I use a custom 
one I modified off the
> > >    net.
> > >
> > > d) Don't ever let anyone telnet into your 
machine... disable
> > >    all external access via telnet, because it can 
be
> > >    sniffed.  Use ssh instead... preferably 
protocol version
> > >    2 or better (OpenSSH 3.1p1 or better).  I 
actually think
> > >    the telnet daemon should be turned off... ssh 
is more convenient
> > >    even within your LAN.
> > >
> > > e) Be sure to understand every service you allow 
the outside
> > >    world to use.  In particular, be careful of any 
CGIs you
> > >    allow to be enabled in a web server.
> > >
> > > >
> > > > on windows:
> > > > point your DNS at your ISP's DNS servers
> > > > use 192.168.0.1 as your gateway.
> > > > (i don't use windows, so i don't know how you do 
this)
> > > >
> > > > i've cc'd vox-tech just in case i screwed up.  
i'm sure someone will
> > > > correct me in minutes.   :-)
> > > >
> > > > btw, vox-techers, please cc this guy since he's 
not on the mailing
> list.
> > > >
> > > > if you use linux, please consider coming to our 
meetings.
> > > > www.lugod.org.  we gladly accept donations to 
help fund demos,
> > > > installfests and our lending library.
> > > >
> > > > pete
> > > >
> > > > begin Martyn R Whittaker 
<martyn.whittaker@virgin.net>
> > > > > Dear Root,
> > > > >
> > > > > I wonder if any of your members would like to 
do a one or two hours
> > > > > of consulting for me?
> > > > >
> > > > > I have set up RedHat Linux 7.2 on my qateway 
machine at home which
> > > > > contains 2 ethernet cards that seem to be 
loading up and working
> fine.
> > > > > Eth0 is connected to static IP address (ADSL) 
and Eth1(192.168.0.1)
> is
> > > > > connected to my home network of 2 Windows PCS 
(192.168.0.2 and
> > > > > 192.168.0.3)
> > > > >
> > > > > I have tried using the Firestarter firewall 
and also setting up a
> > > > > simple forwarding and masquerading firewall so 
that I can access the
> > > > > Internet, email etc from my client PCs but 
without success.  Pinging
> > > > > works fine.
> > > > >
> > > > > I suspect someone who knows what they are 
doing could telnet on to
> > > > > my machine or come round and sort this really 
quickly.
> > > > >
> > > > > I wonder if you could ask your members if 
anyone would be
> interested?
> > > > >
> > > > > Regards
> > > > >
> > > > > Martyn R. Whittaker
> > > > > 317 Encina Ave., Davis, CA 95616 USA
> > > > > p. +1 530 756 2867  f. +1 253 498 9591  m. +1 
916 813 7061
> > >
> >
> > -----------------------------------------------------
---------------------
> -
> > > Jeff Newmiller                        
The     .....       .....  Go
> Live...
> > > DCN:<jdnewmil@dcn.davis.ca.us>        Basics: 
##.#.       ##.#.  Live
> Go...
> > >                                       Live:   
OO#.. Dead: OO#..  Playing
> > > Research Engineer (Solar/Batteries            
O.O#.       #.O#.  with
> > > /Software/Embedded 
Controllers)               .OO#.       .OO#.
> rocks...2k
> >
> > -----------------------------------------------------
---------------------
> -
> > >
> > >
> > >
> > > _______________________________________________
> > > vox-tech mailing list
> > > vox-tech@lists.lugod.org
> > > http://lists.lugod.org/mailman/listinfo/vox-tech
> 
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.