# Share dsl with 3 NICs to 2 windows machines

## Boombox

Hi, 

I have a DSL connection on eth0. eth1 and eth2 are connected to windows machines. How can I share my dsl connection to those win machines? I compiled the kernel (2.6.7) with all needed modules, but I just cant find the proper config or anything. Please help.

Thanks.

----------

## pmjdebruijn

Well ...

http://www.shorewall.net/

Has some good tutorials...

I think it's in portage too, try 'emerge -vp shorewall'.

Good luck,

Pascal de Bruijn

----------

## Boombox

Which one should I use?

Two-interface Linux System acting as a firewall/router for a small local network

Three-interface Linux System acting as a firewall/router for a small local network and a DMZ..

DMZ?

Thanks.

----------

## pmjdebruijn

Well if you don't know what a DMZ is, you don't need it...

btw, DMZ = DeMilitarized Zone... 

Go with the two interface thing...

Regards,

Pascal de Bruijn

----------

## Boombox

Ok I will. Thanks.

----------

## Boombox

At first i just left eth0 and eth1 in to see if I can make it work just like that. But it wornt work. I have no idea what I have done wrong.

I have few questions. 

What should I put to /etc/conf.d/net for iface_eth1="" ?

And I know that for win box the gateway is my IP but what is the IP then?

Anything that I shoudl definetly check or anything that I must have that I dont. Help is welcome. Thanks!

BTW: Shorewall version is 1.4 - emerge shorewall

----------

## pmjdebruijn

For now I'll just assume some things...

WAN = eth0

LAN = eth1

So eth0 should be on ISP settings, generally this means dhcp...

now eth1 should be a RFC1918 address:

10.0.0.0 - 10.255.255.255  (10/8 prefix)

172.16.0.0 - 172.31.255.255  (172.16/12 prefix)

192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Generally router and the likes are put on the first address in any range...

So I would suggest you put eth1 on 192.168.0.1 or 172.16.0.1 or 10.0.0.1 depending on what range you use...

I use 10.0.0.1/255.255.255.0 at home, simply because it's easy to remember...

Regards,

Pascal de Bruijn

----------

## Boombox

Thanks. But any default gateway in /etc/conf.d/net for eth1?

----------

## pmjdebruijn

Uhm, I don't think so...

The default gateway should be set automatically by your DHCP client, to your ISPs router...

Regards,

Pascal de Bruijn

----------

## Boombox

Still dosent work.

 And I have to set up my own net setup with ip to eth0. Not DHCP. I have stable ip.

----------

## pmjdebruijn

Then point your gateway to your ISPs router...

the ISPs router IP should be in your ISPs documentation.

Regards,

Pascal de Bruijn

----------

## Boombox

Still dosent work. Anything I could check or test to see what could be wrong?

----------

## Boombox

My /etc/conf.d/net:

```

iface_eth0="194.204.12.21 broadcast 194.204.12.255 netmask 255.255.255.0"

gateway="eth0/194.204.12.254"

iface_eth1="10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0"

gateway="eth1/194.204.12.254"

```

Any other good ways to share connection? But I really want this to work. I feel bumed.

----------

## psylo

Can you do the following test:

1/ Testing the internet connectivity of your gateway:

try the following command:

```
ping 194.7.1.4
```

2/ Testing the name resolution of your gateway:

try the following command:

```
ping www.google.be
```

3/ Testing the network connection between your PC's and the gateway:

try the following command:

```
ping IP_OF_YOUR_GATEWAY
```

4/ Testing the internet connectivity of your PC's:

try the following command:

```
ping 194.7.1.4
```

5/ Testing thename resolution of your PC's:

try the following command:

```
ping www.google.be
```

Can you tell me which point are OK and which are not?

P.S.: Can you also post all the ifconfig command's results of your PC's and gateway.

----------

## pmjdebruijn

```
iface_eth0="194.204.12.21 broadcast 194.204.12.255 netmask 255.255.255.0"

gateway="eth0/194.204.12.254"

iface_eth1="10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0"

gateway="eth1/194.204.12.254" 
```

This is wrong!

You're setting a default gateway twice... there's no logic in that... You can have only one default gateway anyway...

And since you're assigning the variable 'gateway' twice it will maintain it's last assigned value:

eth1/194.204.12.254

You're telling it that it should send packets to 194.204.12.254 which should be available on eth1...

eth1 is your internal network!

So remove that line!

Regards,

Pascal de Bruijn

----------

## jspeybro

I used this howto to share my internet connection and it works perfectly. It even adds a firewall to the computer! here's the link:

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html#RC.FIREWALL-2.4.X-STRONGER

start from the beginning if you don't understand what you need to do.

Johan

----------

## Boombox

I was away for a while. Still in trouble. ifconfig:

```

eth0      Link encap:Ethernet  HWaddr 00:50:8B:4E:FF:80  

          inet addr:xxxx  Bcast:xxxx  Mask:255.255.255.0

          UP BROADCAST MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:12 errors:0 dropped:0 overruns:12 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:0 (0.0 b)  TX bytes:504 (504.0 b)

          Interrupt:11 Base address:0xf000 

eth1      Link encap:Ethernet  HWaddr 00:80:AD:50:3F:B0  

          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

          Interrupt:11 Base address:0x2060 

lo        Link encap:Local Loopback  

          inet addr:127.0.0.1  Mask:255.0.0.0

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:12 errors:0 dropped:0 overruns:0 frame:0

          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0 

          RX bytes:1008 (1008.0 b)  TX bytes:1008 (1008.0 b)

```

Last edited by Boombox on Sun Aug 15, 2004 12:46 pm; edited 1 time in total

----------

## jspeybro

You say that there is a windows-pc connected to eth2, but it doesn't show up in your ifconfig! so you'll need to install/configure that networkcard.

try this script (IPTABLES needed!)

it's based on my config that I got from the link that I posted above. save it as a file in /etc/init.d and make it executable.

```
#!/bin/sh

#

# rc.firewall-2.4-stronger

#

FWVER=0.79s

#          An example of a stronger IPTABLES firewall with IP Masquerade 

#          support for 2.4.x kernels.  

#

# Log:

#

#   0.79s - ruleset now uses modprobe instead of insmod

#   0.78s - REJECT is not a legal policy yet; back to DROP

#   0.77s - Changed the default block behavior to REJECT not DROP

#   0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment

#           where to put optional PORTFW commands

#   0.75s - Added clarification that PPPoE users need to use

#           "ppp0" instead of "eth0" for their external interface

#   0.74s - Changed the EXTIP command to work on NON-English distros

#   0.73s - Added comments in the output section that DHCPd is optional

#           and changed the default settings to disabled

#   0.72s - Changed the filter from the INTNET to the INTIP to be

#           stateful; moved the command VARs to the top and made the

#           rest of the script to use them

#   0.70s - Added a disabled examples for allowing internal DHCP  

#           and external WWW access to the server

#   0.63s - Added support for the IRC module

#   0.62s - Initial version based upon the basic 2.4.x rc.firewall

echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"

# The location of various iptables and other shell programs

#

#   If your Linux distribution came with a copy of iptables, most

#   likely it is located in /sbin.  If you manually compiled 

#   iptables, the default location is in /usr/local/sbin

#

# ** Please use the "whereis iptables" command to figure out 

# ** where your copy is and change the path below to reflect 

# ** your setup

#

#IPTABLES=/sbin/iptables

IPTABLES=/usr/sbin/iptables

#

LSMOD=/sbin/lsmod

DEPMOD=/sbin/depmod

MODPROBE=/sbin/modprobe

GREP=/bin/grep

AWK=/bin/awk

SED=/bin/sed

IFCONFIG=/sbin/ifconfig

#Setting the EXTERNAL and INTERNAL interfaces for the network

#

#  Each IP Masquerade network needs to have at least one

#  external and one internal network.  The external network

#  is where the natting will occur and the internal network

#  should preferably be addressed with a RFC1918 private address

#  scheme.

#

#  For this example, "eth0" is external and "eth1" is internal"

#

#  NOTE:  If this doesnt EXACTLY fit your configuration, you must 

#         change the EXTIF or INTIF variables above. For example: 

#

#            If you are a PPPoE or analog modem user:

#

#               EXTIF="ppp0" 

#

EXTIF="eth0"

INTIF="eth1"

echo "  External Interface:  $EXTIF"

echo "  Internal Interface:  $INTIF"

echo "  ---"

# Specify your Static IP address here or let the script take care of it 

# for you.

#

#   If you prefer to use STATIC addresses in your firewalls, un-# out the

#   static example below and # out the dynamic line.  If you don't care,

#   just leave this section alone.

#

#   If you have a DYNAMIC IP address, the ruleset already takes care of

#   this for you.  Please note that the different single and double quote 

#   characters and the script MATTER.

#

#

#   DHCP users:

#   -----------

#   If you get your TCP/IP address via DHCP, **you will need ** to enable the 

#   #ed out command below underneath the PPP section AND replace the word 

#   "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0, 

#   etc) on the lines for "ppp-ip" and "extip".  You should also note that the 

#   DHCP server can and will change IP addresses on you.  To deal with this, 

#   users should configure their DHCP client to re-run the rc.firewall ruleset 

#   everytime the DHCP lease is renewed.

#

#     NOTE #1:  Some DHCP clients like the original "pump" (the newer

#               versions have been fixed) did NOT have the ability to run 

#               scripts after a lease-renew.  Because of this, you need to 

#               replace it with something like "dhcpcd" or "dhclient".

#

#     NOTE #2:  The syntax for "dhcpcd" has changed in recent versions.

#

#               Older versions used syntax like:

#                         dhcpcd -c /etc/rc.d/rc.firewall eth0

#

#               Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe

#

#     NOTE #3:  For Pump users, put the following line in /etc/pump.conf:

#

#                   script /etc/rc.d/rc.firewall

#

#   PPP users:

#   ----------

#   If you aren't already aware, the /etc/ppp/ip-up script is always run when 

#   a PPP connection comes up.  Because of this, we can make the ruleset go and 

#   get the new PPP IP address and update the strong firewall ruleset.

#

#   If the /etc/ppp/ip-up file already exists, you should edit it and add a line

#   containing "/etc/rc.d/rc.firewall" near the end of the file.

#

#   If you don't already have a /etc/ppp/ip-up sccript, you need to create the 

#   following link to run the /etc/rc.d/rc.firewall script.

#

#       ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up

#

#   * You then want to enable the #ed out shell command below *

#

#

# Determine the external IP automatically:

# ----------------------------------------

#

#  The following line will determine your external IP address.  This

#  line is somewhat complex and confusing but it will also work for

#  all NON-English Linux distributions:

#

EXTIP="`$IFCONFIG $EXTIF | $AWK \

 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

# For users who wish to use STATIC IP addresses:

#

#  # out the EXTIP line above and un-# out the EXTIP line below

#

#EXTIP="your.static.PPP.address"

echo "  External IP: $EXTIP"

echo "  ---"

# Assign the internal TCP/IP network and IP address

INTNET="10.0.0.0/24"

INTIP="10.0.0.1/24"

echo "  Internal Network: $INTNET"

echo "  Internal IP:      $INTIP"

echo "  ---"

# Setting a few other local variables

#

UNIVERSE="0.0.0.0/0"

#======================================================================

#== No editing beyond this line is required for initial MASQ testing ==

# Need to verify that all modules have all required dependencies

#

echo "  - Verifying that all kernel modules are ok"

$DEPMOD -a

echo -en "    Loading kernel modules: "

# With the new IPTABLES code, the core MASQ functionality is now either

# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES

# options as MODULES.  If your kernel is compiled correctly, there is

# NO need to load the kernel modules manually.  

#

#  NOTE: The following items are listed ONLY for informational reasons.

#        There is no reason to manual load these modules unless your

#        kernel is either mis-configured or you intentionally disabled

#        the kernel module autoloader.

#

# Upon the commands of starting up IP Masq on the server, the

# following kernel modules will be automatically loaded:

#

# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ 

#        modules are shown below but are commented out from loading.

# ===============================================================

#Load the main body of the IPTABLES module - "ip_tables"

#  - Loaded automatically when the "iptables" command is invoked

#

#  - Loaded manually to clean up kernel auto-loading timing issues

#

echo -en "ip_tables, "

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then

   $MODPROBE ip_tables

fi

#Load the IPTABLES filtering module - "iptable_filter" 

#

#  - Loaded automatically when filter policies are activated

#Load the stateful connection tracking framework - "ip_conntrack"

#

# The conntrack  module in itself does nothing without other specific 

# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"

# module

#

#  - This module is loaded automatically when MASQ functionality is 

#    enabled 

#

#  - Loaded manually to clean up kernel auto-loading timing issues

#

echo -en "ip_conntrack, "

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then

   $MODPROBE ip_conntrack

fi

#Load the FTP tracking mechanism for full FTP tracking

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

echo -e "ip_conntrack_ftp, "

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then

   $MODPROBE ip_conntrack_ftp

fi

#Load the IRC tracking mechanism for full IRC tracking

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

echo -en "                             ip_conntrack_irc, "

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then

   $MODPROBE ip_conntrack_irc

fi

#Load the general IPTABLES NAT code - "iptable_nat"

#  - Loaded automatically when MASQ functionality is turned on

# 

#  - Loaded manually to clean up kernel auto-loading timing issues

#

echo -en "iptable_nat, "

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then

   $MODPROBE iptable_nat

fi

#Loads the FTP NAT functionality into the core IPTABLES code

# Required to support non-PASV FTP.

#

# Enabled by default -- insert a "#" on the next line to deactivate

#

echo -e "ip_nat_ftp"

#

#Verify the module isn't loaded.  If it is, skip it

#

if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then

   $MODPROBE ip_nat_ftp

fi

echo "  ---"

# Just to be complete, here is a list of the remaining kernel modules 

# and their function.  Please note that several modules should be only

# loaded by the correct master kernel module for proper operation.

# --------------------------------------------------------------------

#

#    ipt_mark       - this target marks a given packet for future action.

#                     This automatically loads the ipt_MARK module

#

#    ipt_tcpmss     - this target allows to manipulate the TCP MSS

#                     option for braindead remote firewalls.

#                     This automatically loads the ipt_TCPMSS module

#

#    ipt_limit      - this target allows for packets to be limited to

#                     to many hits per sec/min/hr

#

#    ipt_multiport  - this match allows for targets within a range

#                     of port numbers vs. listing each port individually

#

#    ipt_state      - this match allows to catch packets with various

#                     IP and TCP flags set/unset

#

#    ipt_unclean    - this match allows to catch packets that have invalid

#                     IP/TCP flags set

#

#    iptable_filter - this module allows for packets to be DROPped, 

#                     REJECTed, or LOGged.  This module automatically 

#                     loads the following modules:

#

#                     ipt_LOG - this target allows for packets to be 

#                               logged

#

#                     ipt_REJECT - this target DROPs the packet and returns 

#                                  a configurable ICMP packet back to the 

#                                  sender.

# 

#    iptable_mangle - this target allows for packets to be manipulated

#                     for things like the TCPMSS option, etc.

#CRITICAL:  Enable IP forwarding since it is disabled by default since

#

#           Redhat Users:  you may try changing the options in

#                          /etc/sysconfig/network from:

#

#                       FORWARD_IPV4=false

#                             to

#                       FORWARD_IPV4=true

#

echo "  Enabling forwarding.."

echo "1" > /proc/sys/net/ipv4/ip_forward

# Dynamic IP users:

#

#   If you get your IP address dynamically from SLIP, PPP, or DHCP, 

#   enable the following option.  This enables dynamic-address hacking

#   which makes the life with Diald and similar programs much easier.

#

#echo "  Enabling DynamicAddr.."

#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "  ---"

#############################################################################

#

# Enable Stronger IP forwarding and Masquerading

#

#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.

#

#  NOTE #2:  The following is an example for an internal LAN address in the

#            192.168.1.x network with a 255.255.255.0 or a "24" bit subnet 

#            mask connecting to the Internet on external interface "eth0".  

#            This example will MASQ internal traffic out to the Internet 

#            but not allow non-initiated traffic into your internal network.

#

#            

#         ** Please change the above network numbers, subnet mask, and your 

#         *** Internet connection interface name to match your setup

#         

#Clearing any previous configuration

#

#  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP

#

#    You CANNOT change this to REJECT as it isn't a vaild policy setting.

#    If you want REJECT, you must explictly REJECT at the end of a giving 

#    INPUT, OUTPUT, or FORWARD chain

#

echo "  Clearing any existing rules and setting default policy to DROP.."

$IPTABLES -P INPUT DROP

$IPTABLES -F INPUT 

$IPTABLES -P OUTPUT DROP

$IPTABLES -F OUTPUT 

$IPTABLES -P FORWARD DROP

$IPTABLES -F FORWARD 

$IPTABLES -F -t nat

#Not needed and it will only load the unneeded kernel module

#$IPTABLES -F -t mangle

#

# Flush the user chain.. if it exists

if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then

   $IPTABLES -F drop-and-log-it

fi

#

# Delete all User-specified chains

$IPTABLES -X

#

# Reset all IPTABLES counters

$IPTABLES -Z

#Configuring specific CHAINS for later use in the ruleset

#

#  NOTE:  Some users prefer to have their firewall silently

#         "DROP" packets while others prefer to use "REJECT"

#         to send ICMP error messages back to the remote 

#         machine.  The default is "REJECT" but feel free to

#         change this below.

#

# NOTE: Without the --log-level set to "info", every single

#       firewall hit will goto ALL vtys.  This is a very big

#       pain.

#

echo "  Creating a DROP chain.."

$IPTABLES -N drop-and-log-it

$IPTABLES -A drop-and-log-it -j LOG --log-level info 

$IPTABLES -A drop-and-log-it -j DROP

echo -e "\n   - Loading INPUT rulesets"

#######################################################################

# INPUT: Incoming traffic from various interfaces.  All rulesets are 

#        already flushed and set to a default policy of DROP. 

#

# loopback interfaces are valid.

#

$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid

#

$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost

#

$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# external interface, from any source, for ICMP traffic is valid

#

#  If you would like your machine to "ping" from the Internet, 

#  enable this next line

#

#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT

# remote interface, any source, going to permanent PPP address is valid

#

#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in

#

$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \

 ESTABLISHED,RELATED -j ACCEPT

# ----- Begin OPTIONAL INPUT Section -----

#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server

#

#$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT

#$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server

#

#    NOTE:  This is NOT needed for simply enabling PORTFW.  This is ONLY 

#           for users that plan on running Apache on the MASQ server itself

#

#echo -e "      - Allowing INTERNAL access to the WWW server"

#$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $INTIP --dport 80 -j ACCEPT

 

#echo -e "      - Allowing EXTERNAL access to the WWW server"

#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

#echo -e "      - Allowing INTERNAL access to the HTTPS port"

#$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $INTIP --dport 443 -j ACCEPT

 

#echo -e "      - Allowing EXTERNAL access to the HTTPS port"

#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $EXTIP --dport 443 -j ACCEPT

echo -e "      - Allowing EXTERNAL access to the SSH server"

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \

 -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT

echo -e "      - Allowing INTERNAL access to the SSH server"

$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED \

 -p tcp -s $UNIVERSE -d $INTIP --dport 22 -j ACCEPT

# echo -e "      - Allowing EXTERNAL access to the FTP server"

# $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \

#  -p tcp -s $UNIVERSE -d $EXTIP --dport 21 -j ACCEPT

#echo -e "      - Allowing INTERNAL access to the FTP server"

#$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $INTIP --dport 21 -j ACCEPT

#echo -e "      - Allowing EXTERNAL access to the SMTP server"

#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $EXTIP --dport 25 -j ACCEPT

#echo -e "      - Allowing INTERNAL access to the SMTP server"

#$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $INTIP --dport 25 -j ACCEPT

#echo -e "      - Allowing EXTERNAL access to the IMAP Mail server"

#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $EXTIP --dport 143 -j ACCEPT

#echo -e "      - Allowing INTERNAL access to the IMAP Mail server"

#$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $INTIP --dport 143 -j ACCEPT

#echo -e "      - Allowing EXTERNAL access to the Webmin server"

#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $EXTIP --dport 10000 -j ACCEPT

#echo -e "      - Allowing INTERNAL access to the Webmin server"

#$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $INTIP --dport 10000 -j ACCEPT

#echo -e "      - Allowing EXTERNAL access to the Usermin service"

#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $EXTIP --dport 20000 -j ACCEPT

#echo -e "      - Allowing INTERNAL access to the Usermin service"

#$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $INTIP --dport 20000 -j ACCEPT

#echo -e "      - Allowing EXTERNAL access to the MySQL server"

#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $EXTIP --dport 3306 -j ACCEPT

#echo -e "      - Allowing INTERNAL access to the MySQL server"

#$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $INTIP --dport 3306 -j ACCEPT

#echo -e "      - Allowing INTERNAL access to the Samba server"

#$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED \

# -p tcp -s $UNIVERSE -d $INTIP --dport 139  -j ACCEPT

#

# Log anything that looks strange

#

$IPTABLES -A INPUT -i $INTIF -m state --state INVALID -j LOG --log-prefix "INVALID Packet: "

$IPTABLES -A INPUT -i $INTIF -p tcp -j LOG --log-prefix "UNMATCHED TCP Packet: "

$IPTABLES -A INPUT -i $INTIF -p udp -j LOG --log-prefix "UNMATCHED udp Packet: "

#

# ----- End OPTIONAL INPUT Section -----

# Catch all rule, all other incoming is denied and logged. 

#

$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP

echo -e "   - Loading OUTPUT rulesets"

#######################################################################

# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 

#         already flushed and set to a default policy of DROP. 

#

# loopback interface is valid.

#

$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid

#

$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid

#

$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny

#

$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid

#

$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

# ----- Begin OPTIONAL OUTPUT Section -----

#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server

#         - Remove BOTH #s all the #s if you need this functionality.

#

#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \

# -d 255.255.255.255 --dport 68 -j ACCEPT

#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \

# -d 255.255.255.255 --dport 68 -j ACCEPT

#

# ----- End OPTIONAL OUTPUT Section -----

# Catch all rule, all other outgoing is denied and logged. 

#

$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "   - Loading FORWARD rulesets"

#######################################################################

# FORWARD: Enable Forwarding and thus IPMASQ

#

# ----- Begin OPTIONAL FORWARD Section -----

#

# ----- End OPTIONAL FORWARD Section -----

echo "     - FWD: Allow all connections OUT and only existing/related IN"

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \

 -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged. 

#

$IPTABLES -A FORWARD -j drop-and-log-it

echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"

#

#More liberal form

#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#

#Stricter form

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

#######################################################################

echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"

```

I think this should work for your existing situation.

If you configure your eth2, you'll need the change the FORWARD-rules and add a second $INTIP2.

----------

## Boombox

I disabled eth2. Just wanted to make it work with one nic first. That script dosent work. Maybe because I have 2.6 kernel. Or I'm totally dumb.

----------

## jspeybro

could be the kernel, I'm using it on a 2.4.?-kernel

did you try to load only the forward rules at the end?

you might try this: http://firewall-jay.sourceforge.net/

or the website from IPTables:

http://netfilter.org/documentation/index.html#documentation-howto

----------

## Boombox

 :Crying or Very sad:  Could anyone help me via ssh?   :Rolling Eyes: 

----------

## jspeybro

Try this, if this doesn't work, I can't help you because that's as far as I understand iptables.

type the following commands in a shell:

```

echo "1" > /proc/sys/net/ipv4/ip_forward 

```

if your external IP is dynamic, type this too:

```
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
```

This was to enable forwarding. Now the iptables-rules:

first, clear all existing rules and set default policy to DROP:

(each line is a command!)

```
IPTABLES -P INPUT DROP 

IPTABLES -F INPUT 

IPTABLES -P OUTPUT DROP 

IPTABLES -F OUTPUT 

IPTABLES -P FORWARD DROP 

IPTABLES -F FORWARD 

IPTABLES -F -t nat 
```

Now the forward-rules:

```
IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT 

IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT 

IPTABLES -A FORWARD -j drop-and-log-it 

IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 194.204.56.127
```

in the last rule, I wrote your external IP that showed up in the ifconfig that you posted. change this if needed.

If this works, you are forwarding things, but your linuxbox will not be protected by a firewall.

Hope this works, if it doesn't, post the errormessage please

once this is done, you need to configure your windows pc like this:

ip: 10.0.0.x where x is 1<x<255 (x=1 is used for the linux box, so use x=2 or something)

subnet: same as configured for eth1

gateway: 10.0.0.1 (internal ip of the linux box)

now try to connect to the internet.

Johan

----------

## jspeybro

this is something that I found and seems to be the easiest way:

```
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT

iptables -P INPUT DROP

service iptables save
```

The first four commands enter the masquerading firewall rules, while the last one saves those rules to the configuration file.

----------

## Boombox

Thanks everyone I finally got it to work! Man i feel so good and gald that there are people who are willing to help. Much thanks again.

----------

## jspeybro

Glad to help someone out.

and what was the final solution? it may help others to post it here!

Johan

----------

## Boombox

I got it working thanks to your last scripts and thanks to this

----------

## jspeybro

Now that you got the masquerading working, you'll need to add a firewall, if you haven't done that yet using the howto that you mentioned

Johan

----------

