LinuxQuestions.org
Old 06-05-2001, 09:51 AM   #1
TWOFOURALPHA
LQ Newbie
 
Registered: Jun 2001
Posts: 9

Rep: Reputation: 0
Question


OK, I have been trying for ages to get this to work and try as I might, I just can't get it.

I want to use my linux box as a gateway, initially just as a portal, eventually as a full NAT Firewall, but I'm still learning.

I have a Redhat 7.0 box, Kernel 2.4.5

eth0 is connected to the internet with a fixed IP, and a gateway of the router. (I'm at work and have a leased line and a couple of free IP addresses to play with.)

eth1 is connected to the LAN, fixed IP

My client machine is an NT4.0, sp6 box, which can ping both eth1 and eth0, and whose gateway address is set to that of eth1.

I have been playing with iptables, but I just can't get the client to see the internet at all, not even ping to my DNS servers.

The redhat box can access the internet OK, and I can see it from outside OK. I have been happily turning bits of eth0 on and off with iptables (i.e. ICMP or TCP).

I've set routed to export my default route, is this right?

I'm sorry if this is a stupid fault, but I'm going mad with this, hope you can help with a list of simple things I should already have done. I'm probably missing something really basic.

Cheers,
Mike
 
Old 06-05-2001, 05:33 PM   #2
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Have you enabled IP forwarding? Do your machines on the LAN side of the gateway all have valid external/internet IP addresses?

Just some thoughts.

Jamie...
 
Old 06-06-2001, 04:06 AM   #3
TWOFOURALPHA
LQ Newbie
 
Registered: Jun 2001
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks for getting back to me,

IP forwarding would be
echo 1 > /proc/sys/net/ipv4/ip_forward
?
If so then yes.

Why would the client need external IP addresses? I thought that was the point of the gateway. The client can ping the internal card, but today, can't ping the external, although yesterday it could. I think that's something to do with all the messing I did yesterday.
 
Old 06-06-2001, 05:23 AM   #4
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Quote:
Originally posted by TWOFOURALPHA
IP forwarding would be
echo 1 > /proc/sys/net/ipv4/ip_forward
?
If so then yes.

Why would the client need external IP addresses? I thought that was the point of the gateway. The client can ping the internal card, but today, can't ping the external, although yesterday it could. I think that's something to do with all the messing I did yesterday.
That's right on the IP forwarding. As for the external IP address being valid - think about it - your client will send a packet to your gateway, then your gateway will throw the packet out onto the internet. If the address isn't valid (say 192.168.1.1) how will it ever get back??? It sounds like you might be sending your packets out fine, but they never get back to you, as they don't have a valid IP so it looks like nothing is working. I think you need to get your NAT/IP Masquerading set up sooner than you had planned.

HTH

Jamie...
 
Old 06-06-2001, 07:13 AM   #5
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
Quote:
Originally posted by jharris
Quote:
Originally posted by TWOFOURALPHA
IP forwarding would be
echo 1 > /proc/sys/net/ipv4/ip_forward
?
If so then yes.

Why would the client need external IP addresses? I thought that was the point of the gateway. The client can ping the internal card, but today, can't ping the external, although yesterday it could. I think that's something to do with all the messing I did yesterday.
That's right on the IP forwarding. As for the external IP address being valid - think about it - your client will send a packet to your gateway, then your gateway will throw the packet out onto the internet. If the address isn't valid (say 192.168.1.1) how will it ever get back??? It sounds like you might be sending your packets out fine, but they never get back to you, as they don't have a valid IP so it looks like nothing is working. I think you need to get your NAT/IP Masquerading set up sooner than you had planned.

HTH

Jamie...
He's got "routed exporting the default route" - that don't sound right. Also I never use a default gateway on the internal (private) ip -- the masquerading / forwarding rules in the ipchains/iptables should do that for you. You still need to enable ip_forward, as I see you have already done.

Your default gw should just be the one used by your public/external ip. It could be me suffering from a cranial-rectal inversion, but it's what I use.
 
Old 06-06-2001, 07:15 AM   #6
TWOFOURALPHA
LQ Newbie
 
Registered: Jun 2001
Posts: 9

Original Poster
Rep: Reputation: 0
I see what you mean, I think I was trying to be too clever for my own good. I do need NAT/Masq right now.

I've reinstalled Redhat this morning, and recompiled the kernel (2.4.5) to make sure everything I need is in place, and everything is fresh with no legacy stuff hanging around.

The situation is this:
I have 'echo "1" > ...ip_forward'
From the client (10.10.10.5/16) I can ping eth1 (10.10.10.101/16) but not eth0 (213.130.129.xxx/16)

I can connect the client to a SAMBA share on the server.

The server can ping any machine on the LAN, and any machine on the Net.

A machine with net access can ping eth0, and access the Apache default web page on the server.


I have put this:

http://www.boingworld.com/workshops/...c.firewall.txt

suitably modified to agree with my settings in /etc/rc.d/init.d/

Still no joy,

sorry for being a pain.
 
Old 06-06-2001, 07:40 AM   #7
jharris
Senior Member
 
Registered: May 2001
Location: Bristol, UK
Distribution: Slackware, Fedora, RHES
Posts: 2,243

Rep: Reputation: 47
Do the machines on 213.130.129.0/16 have a route back to 10.10.10.0/16?? If not their reply isn't going to get back. If their default gateway is the linux box (your server) then it shouldn't be a problem, but if it's not then they may be sending their replies out the default route, and probably onto the Internet, which as we've shown won't end up in the right place.

As for the IPTables rules - I can't be much help there. I'm using 2.2.x with IPChains... I'd advise that for the time being you just enable the basic Masquerading, in IP chains you can do this in about 2 lines, then once that is working build more on.

As for 'sorry for being a pain' - you're not... you're just learning... everyone on this forum started somewhere!

HTH

Jamie...
 
Old 06-06-2001, 08:05 AM   #8
TWOFOURALPHA
LQ Newbie
 
Registered: Jun 2001
Posts: 9

Original Poster
Rep: Reputation: 0
213.130.129.xxx is the address of eth0, and all it can see is its gateway ( cisco router)

How do I enable masquerading? As I understand, IPtables pretty much understands IPchains commands.

I mean, I have this rc.firewall file, but what calls it? How do I make it apply its rules? How do I make it run at startup?
If I try to ./rc.firewall, it tells me 'access denied' ( I am root ) There is something I am not doing.

Cheers
 
Old 06-06-2001, 11:21 AM   #9
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Mike,

Sorry to sound stupid but I'm confused what's what on your server... ie who's trying to talk to who.

Supply us this info. "remove some sensitive bits, but leave me enough to work out where it's connecting to"

supply this info
# netstat -rn
# cat /proc/sys/net/ipv4/ip_forward
# ifconfig -a
also what's in your rc.firewall script.

+ supply this info
on client NT system, in DOS prompt
tracert 198.133.219.25

on client NT system, in DOS
ipconfig /all
route print


If you do this we can probably work out all the bits and help you more.

To make the rc.firewall script runnable, type this in the same directory as it is:
#chown root rc.firewall
#chmod 700 rc.firewall

also add this to a line at the end of the /etc/rc.d/rc.local file
/directory_of_file/rc.firewall

Then on boot up it will fire the firewall script.

/Raz

 
Old 06-07-2001, 05:01 AM   #10
TWOFOURALPHA
LQ Newbie
 
Registered: Jun 2001
Posts: 9

Original Poster
Rep: Reputation: 0
OK, sorry I've been so long, but thanks for getting back to me.

To clarify, I want to use my redhat box as a gateway for microsoft clients.

Redhat has two network cards, one with a fixed, valid internet IP address, and a gateway address of our cisco router, the other card has a fixed, internal IP.

NT Client ( actually I have had to start using a Win98 laptop, as I need the NT box to do real work ) has a fixed internal address, and a gateway address of the internal card of the redhat box.



#netstat -rn

Kernel IP routing table
Destination     Gateway                        Genmask         Flags MSS Window irtt Iface
10.10.0.0       0.0.0.0                        255.255.0.0     U     40  0      0    eth1
213.130.0.0     0.0.0.0                        255.255.0.0     U     40  0      0    eth0
127.0.0.0       0.0.0.0                        255.0.0.0       U     40  0      0    lo
0.0.0.0         213.130.129.<cisco router IP>  0.0.0.0         UG    40  0      0    eth00

--
#cat /proc/sys/net/ipv4/ip_forward

1

--

#ifconfig -a

eth0 Link encap:Ethernet HWaddr 00:00:21:F8:30:FF
inet addr:213.130.129.<linux box IP> Bcast:213.130.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6612 errors:0 dropped:0 overruns:0 frame:0
TX packets:143 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:11 Base address:0xf00

eth1 Link encap:Ethernet HWaddr 00:00:21:CC:FF:FF
inet addr:10.10.10.101 Bcast:10.10.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:141105 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:9 Base address:0x2e00

gre0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0




rc.firewall is copied straight from:
http://www.boingworld.com/workshops/...c.firewall.txt

with the following changes:

LAN_IP_RANGE="10.10.0.0/16"
LAN_IP="10.10.10.101/32"
LAN_BCAST_ADRESS="10.10.0.255/32"
LOCALHOST_IP="127.0.0.1/32"
STATIC_IP="213.130.129.<**redhat fixed IP**>/32"
INET_IFACE="eth0"
LAN_IFACE="eth1"
IPTABLES="/usr/local/sbin/iptables"

On Client, TRACERT gets to the first hop (10.10.10.101) and then times out after that.

If I move Client back into our 'proper' network, and do nothing other than give it a valid, fixed internal ip and 'proper' gateway address, ( our 'real' firewall address, ) it connects fine.

Client can ping both 10.10.10.101 and 213.130.129.xxx on Redhat.
 
Old 06-07-2001, 06:12 AM   #11
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
OK, it's definitely something to do with iptables.
All the other settings are correct for routing etc.

Now I don't use iptables, but I seem to remember that the POSTROUTING is checked by the input and output chain after it's accepted.

So as a test do this to see if it works.
If it does that's your problem, then go and set some rules so you have a Firewall up with your Natwall.

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPTABLES -A FORWARD -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

/Raz
 
Old 06-07-2001, 08:11 AM   #12
TWOFOURALPHA
LQ Newbie
 
Registered: Jun 2001
Posts: 9

Original Poster
Rep: Reputation: 0
OK, those IPtables rules work if I type them in to a console, all except the last one, which complains
'No chain/target/match by that name'

but if I put them into rc.firewall, they don't get run.

I have commented out all the bits that look as though they conflict, but still nothing. ( I have CHOWN, CHMOD, on it BTW)

How can I check whether rc.firewall has run?

Thanks very much for your help so far, I really appreciate it.
 
Old 06-08-2001, 09:26 AM   #13
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Ok as I said before I don't use iptables but try this..

Get rid of the line that fires up rc.firewall in your /etc/rc.d/rc.local file and add the lines to the end of the file. "for the test only"


/usr/local/sbin/iptables -P INPUT ACCEPT
/usr/local/sbin/iptables -P OUTPUT ACCEPT
/usr/local/sbin/iptables -P FORWARD DROP
/usr/local/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/usr/local/sbin/iptables -A FORWARD -i eth1 -j ACCEPT
/usr/local/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

If anyone uses iptables they might be able to give you better advice.

Also you can run your /etc/rc.d/rc.local file again.
ignore the error
SIOCADDRT: File exists

Once it's run your client should be talking to the internet now.

/Raz
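
An added example, not part of the original thread: a check of whether the gateway rules discussed above are actually loaded, which also flags the permissive INPUT policy left over from the test ruleset. It parses `iptables-save` output; the function names and the sample ruleset (constructed to mirror the rules posted above) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `iptables-save` output on stdin.
# $1 = contents of /proc/sys/net/ipv4/ip_forward, $2 = external interface.
audit_gateway() {
    awk -v fwd="$1" -v ext="${2:-eth0}" '
        /^\*/ { table = substr($0, 2); next }            # "*nat", "*filter"
        table == "filter" && /^:/ { policy[substr($1, 2)] = $2 }
        table == "nat" && $2 == "POSTROUTING" && /-j MASQUERADE/ &&
            index($0, "-o " ext " ") { masq = 1 }
        table == "filter" && $2 == "FORWARD" && /ESTABLISHED/ &&
            /-j ACCEPT/ { est = 1 }
        END {
            if (fwd != "1") print "FAIL ip_forward is off"
            if (!masq) print "FAIL no MASQUERADE rule on " ext
            if (!("FORWARD" in policy))
                print "FAIL no filter table in input (rules not loaded?)"
            else if (policy["FORWARD"] != "DROP")
                print "WARN FORWARD policy is " policy["FORWARD"]
            if (!est) print "FAIL no ESTABLISHED,RELATED accept in FORWARD"
            if (policy["INPUT"] == "ACCEPT")
                print "WARN INPUT policy is ACCEPT on an internet-facing host"
        }'
}

# Constructed sample: what iptables-save prints after the test rules are loaded.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# On a live box (as root):
#   iptables-save | audit_gateway "$(cat /proc/sys/net/ipv4/ip_forward)" eth0
sample_rules | audit_gateway 1 eth0
```

An empty result means forwarding, masquerading and the return-traffic rule are all in place; FAIL lines after a reboot mean the startup script did not run or did not finish.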
 
Old 06-08-2001, 09:58 AM   #14
ektoric
LQ Newbie
 
Registered: Jun 2001
Location: Austin, TX
Distribution: FC5/6
Posts: 23

Rep: Reputation: 15
Do you have IP masquerading enabled?

At the risk of sounding like I'm saying RTFM, have you tried
http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html

I found it of immense help when I was going through my setup.
 
Old 06-08-2001, 10:32 AM   #15
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Ektoric,

That's the line that says
/usr/local/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That url you gave is good if you're using a system that's pre 2.4 kernel, otherwise you would look at http://www.boingworld.com/workshops/...c.firewall.txt

I find RTMF is a better term these days

cheers,
Raz
 
  

