# NAT'ing issue [SOLVED]

## Roi

Hi,

I'm having NAT trouble with my new linux router.

This is my connection scheme:

 [ADSL modem] ------ {Wire LAN (eth0)}[Gentoo Box]{Wireless LAN {ath0}}   <-/\/\/\/\->    [Laptop WinXP]

I followed vapiers doc here: 

http://www.gentoo.org/doc/en/home-router-howto.xml

and also the AP configuration guide:

http://gentoo-wiki.com/HOWTO_Building_a_Wireless_Access_Point_With_Gentoo

I'm failing in the NATing phase with iptables definition.

I can ping from my laptop to the AP and vice versa, and I can also ping from the AP to the outside world, but I just cannot ping from my laptop to the internet.

There must be something I'm doing wrong.

Can you please help me? Here is something to start with:

```
roi@zakif ~ $ sudo iwconfig
eth0      no wireless extensions.
eth1      no wireless extensions.
lo        no wireless extensions.
wifi0     no wireless extensions.
ath0      IEEE 802.11g  ESSID:"HomePAN"
          Mode:Master  Frequency:2.412 GHz  Access Point: 00:0F:B5:84:DE:27
          Bit Rate:0 kb/s   Tx-Power:16 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=49/94  Signal level=-46 dBm  Noise level=-95 dBm
          Rx invalid nwid:84  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

roi@zakif ~ $ sudo ifconfig
ath0      Link encap:Ethernet  HWaddr 00:0F:B5:84:DE:27
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:475 errors:0 dropped:0 overruns:0 frame:0
          TX packets:163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24774 (24.1 Kb)  TX bytes:23610 (23.0 Kb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

wifi0     Link encap:UNSPEC  HWaddr 00-0F-B5-84-DE-27-4C-B2-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:699 errors:0 dropped:0 overruns:0 frame:23844
          TX packets:325 errors:12 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:199
          RX bytes:45061 (44.0 Kb)  TX bytes:45592 (44.5 Kb)
          Interrupt:20 Memory:ccaa0000-ccab0000
```

(When I'm connected to the web I also see ppp0.)

```
roi@zakif ~ $ sudo /usr/sbin/lspci
00:00.0 Host bridge: VIA Technologies, Inc. CN400/PM880 Host Bridge
00:00.1 Host bridge: VIA Technologies, Inc. CN400/PM880 Host Bridge
00:00.2 Host bridge: VIA Technologies, Inc. CN400/PM880 Host Bridge
00:00.3 Host bridge: VIA Technologies, Inc. CN400/PM880 Host Bridge
00:00.4 Host bridge: VIA Technologies, Inc. CN400/PM880 Host Bridge
00:00.7 Host bridge: VIA Technologies, Inc. CN400/PM880 Host Bridge
00:01.0 PCI bridge: VIA Technologies, Inc. VT8237 PCI Bridge
00:0d.0 Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II] (rev 8d)
00:0f.0 IDE interface: VIA Technologies, Inc. VT82C586A/B/VT82C686/A/B/VT823x/A/C PIPC Bus Master IDE (rev 06)
00:10.0 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.1 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.2 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.3 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
00:10.4 USB Controller: VIA Technologies, Inc. USB 2.0 (rev 86)
00:11.0 ISA bridge: VIA Technologies, Inc. VT8237 ISA bridge [KT600/K8T800/K8T890 South]
00:11.5 Multimedia audio controller: VIA Technologies, Inc. VT8233/A/8235/8237 AC97 Audio Controller (rev 60)
00:12.0 Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II] (rev 78)
00:14.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)
01:00.0 VGA compatible controller: VIA Technologies, Inc. S3 Unichrome Pro VGA Adapter (rev 02)
```

I'll be more than happy to share with you any info you need.

Thanks!

Last edited by Roi on Sat Jan 27, 2007 5:01 pm; edited 1 time in total

----------

## elgato319

My guess is that iptables on the Gentoo box is blocking the traffic or isn't allowed to route the traffic.

Did you do:

 *Quote:*   

> Tell the kernel that ip forwarding is OK
> 
> # echo 1 > /proc/sys/net/ipv4/ip_forward
> ...

 

Did you use the script shown under http://www.gentoo.org/doc/en/home-router-howto.xml#doc_chap5 - NAT (a.k.a. IP-masquerading)?

WAN should be your eth0

LAN your ath0

 *Quote:*   

> Copy and paste these examples ...
> 
> # export LAN=eth0
> ...

 

----------

## Roi

 *Quote:*   

> Did you use the script shown under http://www.gentoo.org/doc/en/home-router-howto.xml#doc_chap5 - NAT (a.k.a. IP-masquerading)?

Of course. I even tried a script with minimal firewall settings just to see that I can ping the web, but it didn't work: http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

 *Quote:*   

> Did you do:
> ...

 

Yes I did that. No joy.

 *Quote:*   

> WAN should be your eth0
> 
> LAN your ath0
> ...

 

I know, but I also tried:

```
(i)   # export LAN=ath0
      # export WAN=PPP0

(ii)  # export LAN=wifi0
      # export WAN=PPP0

(iii) # export LAN=wifi0
      # export WAN=eth0
```

I had no luck.

----------

## Rob1n

I think you'll need to give us some idea of your iptables setup - either the commands you've run, or the current iptables config output from:

```
iptables -t filter -L -v
iptables -t nat -L -v
iptables -t mangle -L -v
```

That should allow us to check where the connection is being blocked.

----------

## Roi

This is what I've got:

```
roi@zakif ~ $ iptables -t filter -L -v
Chain INPUT (policy ACCEPT 4329 packets, 1484K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   596 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 DROP       all  --  ppp0   any     anywhere             anywhere            state INVALID,NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ath0   ppp0    anywhere             anywhere            state NEW,ESTABLISHED
    0     0 DROP       all  --  ppp0   any     anywhere             anywhere            state INVALID,NEW

Chain OUTPUT (policy ACCEPT 4125 packets, 441K bytes)
 pkts bytes target     prot opt in     out     source               destination

roi@zakif ~ $ iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 272 packets, 44802 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 20 packets, 1644 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    ppp0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 29 packets, 2335 bytes)
 pkts bytes target     prot opt in     out     source               destination

roi@zakif ~ $ iptables -t mangle -L -v
iptables v1.3.5: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
```

This is the MINIMAL configuration (I know - not very safe) so I can check the IP masquerading.

----------

## Rob1n

Well, for a start you're not allowing the ping responses (or any other incoming responses) to be forwarded to your wireless network. From the look of your rules, try changing the FORWARD policy to ACCEPT. Alternatively, add a FORWARD rule to accept established/related traffic from ppp0 to ath0.

----------

## Roi

Could you please be more specific?

Here is the iptables script that I'm running - what should I change here?

```
roi@zakif ~ $ cat firewall.sh
#!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
EXTIF='ppp0'
INTIF1='ath0'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

#echo -e "       - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

#echo -e "       - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
```

----------

## Rob1n

I'd say the easiest option will be, after

```
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
```

to add

```
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state RELATED,ESTABLISHED -j ACCEPT
```
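The rule Rob1n asks for is the return path. The laptop's outgoing packets match the ath0-to-ppp0 rule as NEW, but the replies come back in on ppp0 bound for ath0; with a FORWARD policy of DROP and no rule for that direction they are discarded, so the echo request leaves and the echo reply never reaches the laptop. What follows is an added example, not code from the thread or from the Gentoo guide: the whole minimal stateful NAT ruleset in one script, with a dry-run mode and a small lint that checks every NEW-opening FORWARD rule has an ESTABLISHED rule in the opposite direction. ppp0, ath0 and 192.168.0.0/24 are taken from the thread; the DNS and DHCP INPUT rules assume the router also serves the LAN with dnsmasq, as it does later in the thread.

```shell
#!/bin/sh
# Added example: minimal stateful NAT ruleset for a two-interface router.
# Assumptions (from the thread): ppp0 is the ADSL link, ath0 the wireless LAN,
# 192.168.0.0/24 the LAN subnet. Without arguments the script prints the rules
# it would apply (dry run); "apply" executes them and must run as root.
EXTIF="${EXTIF:-ppp0}"
INTIF="${INTIF:-ath0}"
LANNET="${LANNET:-192.168.0.0/24}"

# nat_rules emits one command per line so the ruleset can be inspected or
# linted before it touches the kernel.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# the router itself: loopback, replies to its own connections, SSH from the LAN
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# LAN clients talk to the router for DHCP and (if dnsmasq runs here) DNS;
# with INPUT policy DROP these must be allowed explicitly or resolution fails
iptables -A INPUT -i $INTIF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $INTIF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp --dport 53 -j ACCEPT
# LAN -> Internet may open connections (only from our own subnet, so nothing
# spoofed gets NATed); Internet -> LAN gets replies and related traffic only
iptables -A FORWARD -i $INTIF -o $EXTIF -s $LANNET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# masquerade LAN sources leaving on the PPP link, whose address changes per session
iptables -t nat -A POSTROUTING -o $EXTIF -s $LANNET -j MASQUERADE
EOF
}

# check_return_paths reads a rule list on stdin. For every FORWARD rule that
# accepts NEW connections from interface A to B it requires a FORWARD rule from
# B to A that accepts ESTABLISHED traffic (the rule missing in the thread's
# first script). Prints each missing pair; exit status 1 if any is missing.
check_return_paths() {
    awk '
        /^iptables -A FORWARD / {
            in_if = ""; out_if = ""; states = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i")      in_if  = $(i + 1)
                if ($i == "-o")      out_if = $(i + 1)
                if ($i == "--state") states = $(i + 1)
            }
            if (in_if == "" || out_if == "") next
            if (states ~ /NEW/)         opens[in_if " " out_if] = 1
            if (states ~ /ESTABLISHED/) returns[in_if " " out_if] = 1
        }
        END {
            missing = 0
            for (p in opens) {
                split(p, io, " ")
                if (!((io[2] " " io[1]) in returns)) {
                    print "missing return path for FORWARD " p
                    missing++
                }
            }
            if (missing) exit 1
        }'
}

case "${1:-}" in
    apply)
        nat_rules | check_return_paths || exit 1   # refuse to load a one-way ruleset
        nat_rules | sh -e ;;
    *)
        nat_rules ;;
esac
```

Run it with no arguments to see the rules; `./nat.sh apply` loads them as root. The `-s` on the FORWARD and MASQUERADE rules limits NAT to the LAN's own subnet, which is worth having on this box in particular: the iwconfig output above shows the access point with `Encryption key:off`, so anything in radio range can join, and it should at least not be able to spoof other source addresses through the NAT. `-m state` is what iptables 1.3 offered; on current kernels it is an alias for `-m conntrack --ctstate`.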

----------

## Roi

Well Rob1n, I've got some live signs...

After adding this line and bringing up eth0 (ppp0), I was able to ping the web from my laptop, but only using an explicit IP address, and only after running the script each (!) and every time after I bring up eth0.

```
C:\Documents and Settings\Roi>ping 64.233.187.99

Pinging 64.233.187.99 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.233.187.99:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Roi>ping 64.233.187.99

Pinging 64.233.187.99 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.233.187.99:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
```

Then at the AP I did:

```
roi@zakif ~ $ sudo ./firewall.sh
roi@zakif ~ $ sudo /etc/init.d/net.eth0 restart
```

and like magic...

```
C:\Documents and Settings\Roi>ping 64.233.187.99

Pinging 64.233.187.99 with 32 bytes of data:

Reply from 64.233.187.99: bytes=32 time=298ms TTL=238
Reply from 64.233.187.99: bytes=32 time=306ms TTL=238
Reply from 64.233.187.99: bytes=32 time=303ms TTL=238
Reply from 64.233.187.99: bytes=32 time=320ms TTL=238

Ping statistics for 64.233.187.99:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 298ms, Maximum = 320ms, Average = 306ms
```

It seems I'm heading in the right direction - what is my next move?

----------

## Rob1n

 *Roi wrote:*   

> I was able to ping to the web from my laptop, but .... only after running the script each(!) and every time after I bring up eth0.

 

Not sure I follow this - are you dropping the eth0 connection while the system's running?  And then it's not keeping the iptables config?  Or do you mean across reboots?  Your subsequent example seems to show you restarting eth0 without it losing the settings anyway.  If you mean across reboots then yes, you'll need to reload the iptables config each time - the /etc/init.d/iptables script should take care of this I think.

As for needing to use IP addresses - how is your laptop configured for DNS resolution (ipconfig /all should show you this)?

----------

## Roi

 *Quote:*   

> Not sure I follow this - are you dropping the eth0 connection while the system's running? And then it's not keeping the iptables config? Or do you mean across reboots?

 

I'm dropping the eth0 connection while the system's running.

 *Quote:*   

> Your subsequent example seems to show you restarting eth0 without it losing the settings anyway.

 

This is why I find it strange.

 *Quote:*   

> As for needing to use IP addresses - how is your laptop configured for DNS resolution (ipconfig /all should show you this)?

 

```
C:\Documents and Settings\Roi>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : NOTEBOOK
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Marvell Yukon 88E8036 PCI-E Fast Ethernet Controller
        Physical Address. . . . . . . . . : 00-E0-91-05-24-EB
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.2
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . : 10.0.0.138
        DHCP Server . . . . . . . . . . . : 10.0.0.138
        DNS Servers . . . . . . . . . . . : 10.0.0.138
        Lease Obtained. . . . . . . . . . : Thursday, January 25, 2007 6:45:30 AM
        Lease Expires . . . . . . . . . . : Thursday, January 25, 2007 7:45:30 AM

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Network Connection
        Physical Address. . . . . . . . . : 00-0E-35-F4-E5-6B
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
```

----------

## Rob1n

Okay then - I'm not sure how iptables stores the rules or what it does when the interface is dropped.  Can you check the output of 'iptables -L -v' before dropping the connection, after dropping it, and after restarting it.  If there's a difference then that may give some pointers on where to go from there.  You could also try replacing ppp0 with ppp+, which may force iptables to handle the interfaces differently.

As for the DNS issue - your laptop is set up to use the gentoo box as a DNS server.  Are you running a DNS server on there?  If not then you'll need to change your DHCP server setup to hand out your ISP's DNS server instead.

----------

## Roi

 *Quote:*   

> Can you check the output of 'iptables -L -v' before dropping the connection, after dropping it, and after restarting it. If there's a difference then that may give some pointers on where to go from there

 

NOTE: the output below is for EXTIF='ppp+', but the results are the same for EXTIF='ppp0', namely I need to run

```
roi@zakif ~ $ sudo ./firewall.sh
```

AFTER I bring up eth0 in order to be able to ping the web. In the example below I couldn't ping the web, since I didn't do the above.

output:

```
roi@zakif ~ $ sudo ./firewall.sh
roi@zakif ~ $ iptables -L -v
Chain INPUT (policy ACCEPT 4 packets, 779 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   43  2968 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 DROP       all  --  ppp+   any     anywhere             anywhere            state INVALID,NEW

Chain FORWARD (policy DROP 6 packets, 360 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  ath0   ppp+    anywhere             anywhere            state NEW,ESTABLISHED
    0     0 ACCEPT     all  --  ppp+   ath0    anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       all  --  ppp+   any     anywhere             anywhere            state INVALID,NEW

Chain OUTPUT (policy ACCEPT 118 packets, 12844 bytes)
 pkts bytes target     prot opt in     out     source               destination 

roi@zakif ~ $ sudo /etc/init.d/net.eth0 start
 * Starting eth0
 *   Bringing up eth0
 *     adsl
 *       Starting ADSL for eth0                                           [ ok ]

roi@zakif ~ $ iptables -L -v
Chain INPUT (policy ACCEPT 7 packets, 436 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        udp  --  ppp+   any     anywhere             anywhere            udp dpts:0:1023 LOG level warning
    0     0 LOG        tcp  --  ppp+   any     anywhere             anywhere            tcp dpts:0:1023 LOG level warning
    0     0 DROP       udp  --  ppp+   any     anywhere             anywhere            udp dpts:0:1023
    0     0 DROP       tcp  --  ppp+   any     anywhere             anywhere            tcp dpts:0:1023
    0     0 LOG        tcp  --  ppp+   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
    0     0 DROP       tcp  --  ppp+   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 DROP       icmp --  ppp+   any     anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 6 packets, 712 bytes)
 pkts bytes target     prot opt in     out     source               destination 

roi@zakif ~ $ sudo /etc/init.d/net.eth0 restart
 * Stopping eth0
 *   Bringing down eth0
 *     Stopping ADSL for eth0                                             [ ok ]
 *     Shutting down eth0 ...                                             [ ok ]
 * Starting eth0
 *   Bringing up eth0
 *     adsl
 *       Starting ADSL for eth0                                           [ ok ]

roi@zakif ~ $ iptables -L -v
Chain INPUT (policy ACCEPT 7 packets, 436 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        udp  --  ppp+   any     anywhere             anywhere            udp dpts:0:1023 LOG level warning
    0     0 LOG        tcp  --  ppp+   any     anywhere             anywhere            tcp dpts:0:1023 LOG level warning
    0     0 DROP       udp  --  ppp+   any     anywhere             anywhere            udp dpts:0:1023
    0     0 DROP       tcp  --  ppp+   any     anywhere             anywhere            tcp dpts:0:1023
    0     0 LOG        tcp  --  ppp+   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
    0     0 DROP       tcp  --  ppp+   any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 DROP       icmp --  ppp+   any     anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 6 packets, 712 bytes)
 pkts bytes target     prot opt in     out     source               destination 
```

If I'm using EXTIF='ppp0', then only the first table, before bringing up eth0, contains ppp0, and the other two change to ppp+.

(I hope this was clear for you.)

(BTW I've installed dnsmasq, and I was able to ping google.com instead of the explicit IP address, so thank you Rob1n for your comment.)

----------

## Rob1n

Okay - the ADSL startup script is obviously wiping the iptables config and installing its own.  Check /etc/ppp/pppoe.conf and make sure the entry in there says FIREWALL=NONE.
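What Roi observed (the ppp0/ppp+ rules gone right after `net.eth0 start`, a LOG/DROP set on ppp+ in their place, FORWARD empty) is the classic symptom of two programs writing to the same tables. rp-pppoe's pppoe.conf carries a FIREWALL setting with the values NONE, STANDALONE and MASQUERADE; anything other than NONE makes adsl-start flush the filter table and install its own rules, which is exactly the listing above. The check below is an added example, not code from the thread: it takes two iptables-save dumps, strips the counters and timestamps that legitimately differ between two dumps of the same policy, and reports the rules that went missing or appeared. The two embedded dumps are constructed from the `iptables -L -v` listings in the thread; their counter values, dates and NAT contents are invented.

```shell
#!/bin/sh
# Added example: compare two iptables-save dumps and report rules that were
# removed or added, ignoring counters and timestamps. Use it around any event
# (ADSL up/down, a service restart) suspected of rewriting the firewall.
LC_ALL=C; export LC_ALL   # deterministic sort order for comm

# normalize_rules: drop "# Generated"/"# Completed" comments, per-rule counters
# "[pkts:bytes] -A ..." (iptables-save -c), chain counters ":INPUT ACCEPT [p:b]"
# and COMMIT markers; sort so comm can compare the remaining rule text.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' \
        -e '/^COMMIT$/d' | sort
}

# missing_rules EXPECTED LIVE: rules in EXPECTED that LIVE no longer has.
# foreign_rules EXPECTED LIVE: rules in LIVE that EXPECTED never had.
_compare() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$2" | normalize_rules > "$a"
    printf '%s\n' "$3" | normalize_rules > "$b"
    comm "$1" "$a" "$b"
    rm -f "$a" "$b"
}
missing_rules() { _compare -23 "$1" "$2"; }
foreign_rules() { _compare -13 "$1" "$2"; }

# ruleset_intact EXPECTED LIVE: true only if nothing was removed or added.
ruleset_intact() {
    [ -z "$(missing_rules "$1" "$2")" ] && [ -z "$(foreign_rules "$1" "$2")" ]
}

# Constructed dump of the ruleset firewall.sh installs (ppp+ variant, with the
# return-path FORWARD rule added). Counter values and dates are invented.
EXPECTED=$(cat <<'EOF'
# Generated by iptables-save v1.3.5 on Sat Jan 27 16:58:02 2007
*filter
:INPUT ACCEPT [4:779]
:FORWARD DROP [6:360]
:OUTPUT ACCEPT [118:12844]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ppp+ -m state --state INVALID,NEW -j DROP
-A FORWARD -i ath0 -o ppp+ -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o ath0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -m state --state INVALID,NEW -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
# Completed on Sat Jan 27 16:58:02 2007
EOF
)

# Same policy dumped later with -c: only counters and the timestamp differ.
LATER=$(printf '%s\n' "$EXPECTED" \
    | sed -e 's/^-A /[17:1450] -A /' -e 's/\[[0-9]*:[0-9]*\]$/[99:9999]/' -e 's/16:58:02/17:03:41/')

# Constructed dump of what was left after "net.eth0 start": the filter table
# flushed and replaced by a LOG/DROP set on ppp+ (NAT contents invented).
REPLACED=$(cat <<'EOF'
*filter
:INPUT ACCEPT [7:436]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6:712]
-A INPUT -i ppp+ -p udp -m udp --dport 0:1023 -j LOG --log-level 4
-A INPUT -i ppp+ -p tcp -m tcp --dport 0:1023 -j LOG --log-level 4
-A INPUT -i ppp+ -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -i ppp+ -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i ppp+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-level 4
-A INPUT -i ppp+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp+ -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
)

if [ $# -eq 2 ]; then   # real use: fwdiff.sh before.save after.save (from iptables-save)
    before=$(cat "$1"); after=$(cat "$2")
    ruleset_intact "$before" "$after" && exit 0
    echo "removed:"; missing_rules "$before" "$after"
    echo "added:";   foreign_rules "$before" "$after"
    exit 1
fi
echo "same policy, new counters -> intact: $(ruleset_intact "$EXPECTED" "$LATER" && echo yes || echo no)"
echo "after ADSL start -> removed:"; missing_rules "$EXPECTED" "$REPLACED"
echo "after ADSL start -> added:";   foreign_rules "$EXPECTED" "$REPLACED"
```

In practice: `iptables-save > before.save`, bring the link up or down, `iptables-save > after.save`, then `sh fwdiff.sh before.save after.save`. A non-empty "added" list whose rules you never wrote names the culprit far faster than eyeballing `iptables -L -v` twice.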

----------

## Roi

 *Quote:*   

> Okay - the ADSL startup script is obviously wiping the iptables config and installing its own. Check /etc/ppp/pppoe.conf and make sure the entry in there says FIREWALL=NONE

 

Thank you very much Rob1n!!!

That was the problem!

BTW - I don't want to bother you too much, but I wonder if you could please give me some comments about the init script I've prepared according to http://gentoo-wiki.com/HOWTO_Iptables_for_newbies? (Please see below, after the script, for my question.)

And again - thank you very much for your help!

```

#!/bin/sh

#

# ********** VARIABLE DEFINITIONS **********

#

# External interface

EXTIF="ppp0"

# Internal interface

INTIF1="ath0"

INTIF2="eth1"

# Loop device/localhost

LPDIF="lo"

LPDIP="127.0.0.1"

LPDMSK="255.0.0.0"

LPDNET="$LPDIP/$LPDMSK"

# Text tools variables

IPT="/sbin/iptables"

IFC="/sbin/ifconfig"

G="/bin/grep"

SED="/bin/sed"

AWK="/usr/bin/awk"

ECHO="/bin/echo"

# Deny than accept: this keeps holes from opening up

# while we close ports and such

$IPT        -P INPUT       ACCEPT             <----------------------(1)

$IPT        -P OUTPUT      DROP

$IPT        -P FORWARD     DROP

# Flush all existing chains and erase personal chains

  CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`

  for i in $CHAINS

  do

   $IPT -t $i -F

  done

  for i in $CHAINS

  do

   $IPT -t $i -X

  done

$IPT -A INPUT   -i $INTIF1 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification

for f in /proc/sys/net/ipv4/conf/*/rp_filter;

do

 echo 1 > $f

done

# Disable IP source routing and ICMP redirects

for f in /proc/sys/net/ipv4/conf/*/accept_source_route;

do

 echo 0 > $f

done

for f in /proc/sys/net/ipv4/conf/*/accept_redirects;

do

 echo 0 > $f

done

echo 1 > /proc/sys/net/ipv4/ip_forward

# Setting up external interface environment variables

# Set LC_ALL to "en" to avoid problems when awk-ing the IPs etc.

export LC_ALL="en"

EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

EXTBC="255.255.255.255"

EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"

EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"

EXTNET="$EXTIP/$EXTMSK"

$ECHO "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

# Due to absence of EXTBC I manually set it to 255.255.255.255

# this (hopefully) will serve the same purpose

# Setting up environment variables for internal interface one

INTIP1="`$IFC $INTIF1|$AWK /$INTIF1/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

INTBC1="`$IFC $INTIF1|$AWK /$INTIF1/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"

INTMSK1="`$IFC $INTIF1|$AWK /$INTIF1/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"

INTNET1="$INTIP1/$INTMSK1"

$ECHO "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"

# Setting up environment variables for internal interface two

INTIP2="`$IFC $INTIF2|$AWK /$INTIF2/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

INTBC2="`$IFC $INTIF2|$AWK /$INTIF2/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"

INTMSK2="`$IFC $INTIF2|$AWK /$INTIF2/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"

INTNET2="$INTIP2/$INTMSK2"

$ECHO "INTIP2=$INTIP2 INTBC2=$INTBC2 INTMSK2=$INTMSK2 INTNET2=$INTNET2"

# ********** LOGGING CHAINS **********

#

# We are now going to create a few custom chains that will result in

# logging of dropped packets. This will enable us to avoid having to

# enter a log command prior to every drop we wish to log. The

# first will be first log drops the other will log rejects.

# Do not complain if chain already exists (so restart is clean)

$IPT -N DROPl   2> /dev/null

$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'

$IPT -A DROPl   -j DROP

$IPT -N REJECTl 2> /dev/null

$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'

$IPT -A REJECTl -j REJECT

$IPT -N DROP2   2> /dev/null

$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:'

$IPT -A DROP2   -j DROP

$IPT -N REJECT2 2> /dev/null

$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:'

$IPT -A REJECT2 -j REJECT

# For testing, a logging ACCEPT chain

$IPT -N ACCEPTl   2> /dev/null

$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:'

$IPT -A ACCEPTl   -j ACCEPT

# Local Interfaces

$IPT -A INPUT   -i $LPDIF -s   $LPDIP   -j ACCEPT

$IPT -A INPUT   -i $LPDIF -s   $EXTIP   -j ACCEPT

$IPT -A INPUT   -i $LPDIF -s   $INTIP1  -j ACCEPT

$IPT -A INPUT   -i $LPDIF -s   $INTIP2  -j ACCEPT

# Blocking Broadcasts

$IPT -A INPUT   -i $EXTIF  -d  $EXTBC   -j DROPl

$IPT -A INPUT   -i $INTIF1 -d  $INTBC1  -j DROPl

$IPT -A INPUT   -i $INTIF2 -d  $INTBC2  -j DROPl

$IPT -A OUTPUT  -o $EXTIF  -d  $EXTBC   -j DROPl

$IPT -A OUTPUT  -o $INTIF1 -d  $INTBC1  -j DROPl

$IPT -A OUTPUT  -o $INTIF2 -d  $INTBC2  -j DROPl

$IPT -A FORWARD -o $EXTIF  -d  $EXTBC   -j DROPl

$IPT -A FORWARD -o $INTIF1 -d  $INTBC1  -j DROPl

$IPT -A FORWARD -o $INTIF2 -d  $INTBC2  -j DROPl

# Block WAN access to internal network

# This also stops nefarious crackers from using our network as a

# launching point to attack other people

# iptables translation:

# "if input going into our external interface isn't being sent to our isp assigned

# ip address, drop it like a hot potato"

 $IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl

# Now we will block internal addresses originating from anything but our

# two predefined interfaces.....just remember that if you jack your

# your laptop or another pc into one of these NIC's directly, you'll need

# to ensure that they either have the same ip or that you add a line explicitly

# that IP as well

# Interface one/internal net one

 $IPT -A INPUT   -i $INTIF1 -s ! $INTNET1 -j DROPl

 $IPT -A OUTPUT  -o $INTIF1 -d ! $INTNET1 -j DROPl

 $IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl

 $IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl

# Interface two/internal net two

 $IPT -A INPUT   -i $INTIF2 -s ! $INTNET2 -j DROPl

 $IPT -A OUTPUT  -o $INTIF2 -d ! $INTNET2 -j DROPl

 $IPT -A FORWARD -i $INTIF2 -s ! $INTNET2 -j DROPl

 $IPT -A FORWARD -o $INTIF2 -d ! $INTNET2 -j DROPl

# An additional Egress check

 $IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl

# Block outbound ICMP (except for PING)

 $IPT -A OUTPUT  -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl

 $IPT -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl

# COMmon ports:

# 0 is tcpmux; SGI had vulnerability, 1 is common attack

# 13 is daytime

# 98 is Linuxconf

# 111 is sunrpc (portmap)

# 137:139, 445 is Microsoft

# SNMP: 161,2

# Squid flotilla: 3128, 8000, 8008, 8080

# 1214 is Morpheus or KaZaA

# 2049 is NFS

# 3049 is very virulent Linux Trojan, mistakable for NFS

# Common attacks: 1999, 4329, 6346

# Common Trojans 12345 65535

 COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"

# TCP ports:

# 98 is Linuxconf

# 512-515 is rexec, rlogin, rsh, printer(lpd)

#   [very serious vulnerabilities; attacks continue daily]

# 1080 is Socks proxy server

# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)

# Block 6112 (Sun's/HP's CDE)

 TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"

# UDP ports:

# 161:162 is SNMP

# 520=RIP, 9000 is Sangoma

# 517:518 are talk and ntalk (more annoying than anything)

 UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000 9 6346 3128 8000 8008 8080 12345 65535"

echo -n "FW: Blocking attacks to TCP port"

for i in $TCPBLOCK;

do

 echo -n "$i "

  $IPT -A INPUT   -p tcp --dport $i  -j DROPl

  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl

  $IPT -A FORWARD -p tcp --dport $i  -j DROPl

done

echo ""

echo -n "FW: Blocking attacks to UDP port "

for i in $UDPBLOCK;

do

 echo -n "$i "

   $IPT -A INPUT   -p udp --dport $i  -j DROPl

   $IPT -A OUTPUT  -p udp --dport $i  -j DROPl

   $IPT -A FORWARD -p udp --dport $i  -j DROPl

done

echo ""

# Opening up ftp connection tracking

#MODULES="ip_nat_ftp ip_conntrack_ftp"

#for i in $MODULES;

#do

# echo "Inserting module $i"

# modprobe $i

#done

# Defining some common chat clients. Remove these from your accepted list for better security.

# ICQ and AOL are 5190

# MSN is 1863

# Y! is 5050

# Jabber is 5222

# Y! and Jabber ports not added by author and therefore left out of the script

IRC='ircd'

MSN=1863

ICQ=5190

NFS='sunrpc'

# We have to sync!!

PORTAGE='rsync'

OpenPGP_HTTP_Keyserver=11371

# All services ports are read from /etc/services

TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $OpenPGP_HTTP_Keyserver"

UDPSERV="domain time"

echo -n "FW: Allowing inside systems to use service:"

for i in $TCPSERV;

do

 echo -n "$i "

 $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT

 $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 --dport $i --syn -m state --state NEW -j ACCEPT

 # second internal interface: match its own subnet
 $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 --dport $i --syn -m state --state NEW -j ACCEPT

done

echo ""

# $IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET1 --dport $i --syn -m state --state NEW -m mac --mac-source 00:E0:91:05:24:EB -j ACCEPT

echo -n "FW: Allowing inside systems to use service:"

for i in $UDPSERV;

do

 echo -n "$i "

 $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT

 $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 --dport $i -m state --state NEW -j ACCEPT

 # second internal interface: match on its own interface and subnet
 $IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2 --dport $i -m state --state NEW -j ACCEPT

done

echo ""

# Allow to ping out

$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -i $INTIF2 -p icmp -s $INTNET2 --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow firewall to ping internal systems

$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A OUTPUT  -o $INTIF2 -p icmp -s $INTNET2 --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -t nat -A PREROUTING -j ACCEPT

### $IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j SNAT --to $EXTIP

### Comment out next line (that has "MASQUERADE") to not NAT internal network

$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE

$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE

$IPT -t nat -A POSTROUTING                       -j ACCEPT

$IPT -t nat -A OUTPUT                            -j ACCEPT

$IPT -A INPUT   -p tcp --dport auth --syn -m state --state NEW -j ACCEPT

$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -i $INTIF1 -o $EXTIF  -m state --state NEW,ESTABLISHED -j ACCEPT <-----------(2)

$IPT -A FORWARD -i $EXTIF  -o $INTIF1 -m state --state RELATED,ESTABLISHED -j ACCEPT<------(2)

# Log & block whatever is left

#$IPT -A INPUT             -j DROPl       <----------------------(1)

$IPT -A OUTPUT            -j REJECTl

$IPT -A FORWARD           -j DROPl

```

Look closely at comment (2): this is what I added according to your advice above.

Comment (1): when I uncomment

```
$IPT -A INPUT             -j DROPl 
```

and/or set the INPUT policy to DROP

```
$IPT        -P INPUT       DROP
```

the connection to the web is lost (after a delay of about 20 seconds).

----------

## Rob1n

I can't see any obvious problems.  You'll have to check the logs to see which packets that rule is causing to be dropped.
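Rob1n's advice is the right one, and the script above already makes it possible: every drop goes through the DROPl chain, which logs with the prefix 'FIREWALL DROP BLOCKED:' before dropping. What remains is to read those kernel log lines grouped by (in-interface, protocol, destination port) instead of one at a time. The summariser below is an added example, not code from the thread; the seven log lines it runs on are constructed in the format the iptables LOG target produces (six drops and one accept, to show the prefix filter), using the laptop (192.168.0.10) and router (192.168.0.1) addresses and MACs from the thread and RFC 5737 documentation addresses for the Internet side. Worth knowing when reading the result: in the script above the only NEW traffic INPUT accepts from ath0 is SSH (and ident on tcp/113), so once INPUT stops defaulting to ACCEPT, LAN clients that use the router for DNS (dnsmasq) or DHCP show up as drops on ath0 UDP 53 and 67.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines by (in-interface, protocol, dport)
# so a DROP chain's log answers "what exactly am I dropping?".
# Usage: summarize_drops [PREFIX] < /var/log/messages   (default prefix below)

# summarize_drops: select lines carrying the log prefix, pull IN=, PROTO= and
# DPT= out of the key=value fields that follow it, count each combination and
# print "count in_if proto dport", most frequent first.
summarize_drops() {
    awk -v pfx="${1:-FIREWALL DROP BLOCKED:}" '
        {
            at = index($0, pfx)
            if (at == 0) next
            rest = substr($0, at + length(pfx))   # iptables prints IN=... right after the prefix
            in_if = "-"; proto = "-"; dpt = "-"
            n = split(rest, f, " ")
            for (i = 1; i <= n; i++) {
                eq = index(f[i], "=")
                if (eq == 0) continue            # flags such as DF or SYN carry no value
                key = substr(f[i], 1, eq - 1); val = substr(f[i], eq + 1)
                if (key == "IN" && val != "") in_if = val
                if (key == "PROTO")           proto = val
                if (key == "DPT")             dpt   = val
            }
            count[in_if " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# drop_count IN PROTO DPT: number of logged drops for one combination (0 if none).
drop_count() {
    summarize_drops | awk -v want="$1 $2 $3" '
        ($2 " " $3 " " $4) == want { print $1; found = 1 }
        END { if (!found) print 0 }'
}

# Constructed sample in iptables LOG format (addresses: laptop 192.168.0.10,
# router 192.168.0.1 as in the thread; 198.51.100.7 / 203.0.113.5 are
# documentation addresses standing in for an Internet host and the ppp0 side).
LOG_SAMPLE='Jan 27 17:02:11 zakif kernel: FIREWALL DROP BLOCKED:IN=ath0 OUT= MAC=00:0f:b5:84:de:27:00:0e:35:f4:e5:6b:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3321 PROTO=UDP SPT=1027 DPT=53 LEN=40
Jan 27 17:02:11 zakif kernel: FIREWALL DROP BLOCKED:IN=ath0 OUT= MAC=00:0f:b5:84:de:27:00:0e:35:f4:e5:6b:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3322 PROTO=UDP SPT=1027 DPT=53 LEN=40
Jan 27 17:02:13 zakif kernel: FIREWALL DROP BLOCKED:IN=ath0 OUT= MAC=00:0f:b5:84:de:27:00:0e:35:f4:e5:6b:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3325 PROTO=UDP SPT=1028 DPT=53 LEN=40
Jan 27 17:02:30 zakif kernel: FIREWALL DROP BLOCKED:IN=ath0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:35:f4:e5:6b:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=3330 PROTO=UDP SPT=68 DPT=67 LEN=308
Jan 27 17:02:44 zakif kernel: FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9001 DF PROTO=TCP SPT=4312 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 27 17:02:45 zakif kernel: FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9002 DF PROTO=TCP SPT=4313 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 27 17:02:50 zakif kernel: FIREWALL ACCEPT:IN=ath0 OUT= MAC=00:0f:b5:84:de:27:00:0e:35:f4:e5:6b:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3340 PROTO=TCP SPT=1031 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0'

# With no file given, run on the sample; otherwise summarise the given log.
if [ $# -eq 0 ]; then printf '%s\n' "$LOG_SAMPLE" | summarize_drops
else summarize_drops < "$1"; fi
```

On the sample this prints `3 ath0 UDP 53`, `2 ppp0 TCP 445`, `1 ath0 UDP 67`: the first and last lines are the LAN's own DNS and DHCP traffic to the router and point at an INPUT rule to add, the middle one is the Internet side knocking on SMB and is exactly what a DROP is for. Passing the other prefixes used by the script (`'FIREWALL REJECT BLOCKED:'`, `'FIREWALL DROP UNKNOWN:'`) as the first argument summarises those chains the same way.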

----------

