LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 06-12-2001, 06:21 PM   #1
linux_newbie
LQ Newbie
Registered: Jun 2001
Location: Eastern Canada
Distribution: Red Hat
Posts: 5
Rep: Reputation: 0

I'm new in this game and have come to the point where I have pulled most of my hair out... I am trying to set up a Linux box on a small network to do several jobs. The first of these jobs is to act as a firewall for the network.

I am running RH 7.0
eth0 is the internal network device 192.168.1.1
eth1 is the external network device 10.166.102.250
Windows 98 machine 192.168.1.10

After running the following script I can ping successfully from my Windows machine both addresses of my Linux box, and external web addresses. I can also ping web addresses (www.yahoo.com) from my Windows machine, so I know DNS is working. The problem is I can't seem to get my web browser to work on my Windows machine. It seems to be able to get the IP number, but doesn't load the web page.

The web browser on my Linux box works fine.

Also, when I run "firewall status" I receive the following message: "firewall dead but subsys locked"

If anyone out there can help me that would be wonderful!



#!/bin/sh
# chkconfig: 2345 11 89
# description: ipchains packet filter and masquerading for the 192.168.1.0/24 LAN.
. /etc/rc.d/init.d/functions
. /etc/sysconfig/network
[ "${NETWORKING}" = "no" ] && exit 0

# External (Internet-facing) interface and its address.
EXTDEV=eth1
EXTERNALIP=`ifconfig $EXTDEV | grep "inet addr:" | \
    awk -F: '{print $2}' | cut -d' ' -f 1`
if [ -z "${EXTERNALIP}" ]; then
    echo "no address found on ${EXTDEV}"
    exit 1
fi

# Internal (LAN) interface and its address.
INTDEV=eth0
INTERNALIP=`ifconfig $INTDEV | grep "inet addr:" | \
    awk -F: '{print $2}' | cut -d' ' -f 1`
if [ -z "${INTERNALIP}" ]; then
    echo "no address found on ${INTDEV}"
    exit 1
fi

INTNET="192.168.1.0"

echo "EXTDEV: ${EXTDEV} on ${EXTERNALIP}"
echo "INTDEV: ${INTDEV} on ${INTERNALIP}"

case "$1" in
start)
    # Start firewall.
    echo -n "Starting firewall: "

    # Masquerading helpers for protocols that carry addresses in their payload.
    modprobe ip_masq_ftp
    modprobe ip_masq_irc
    modprobe ip_masq_raudio
    echo "Setting masq timeouts"
    # TCP 7200 s, TCP after FIN 10 s, UDP 60 s.
    ipchains -M -S 7200 10 60

    echo "Setting new forward rules"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ipchains -F forward
    ipchains -P forward DENY
    # Masquerade LAN traffic that leaves on the external interface; in the
    # forward chain -i names the outgoing interface. The original script also
    # had an unqualified "-s $INTNET/255.255.255.0 -j MASQ" rule in front of
    # this one, which masqueraded the same traffic regardless of interface and
    # has been dropped as redundant.
    ipchains -A forward -i $EXTDEV -s $INTNET/24 -d 0.0.0.0/0 -j MASQ
    # Log and drop anything else that would be forwarded.
    ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY

    echo "Setting new input rules"
    ipchains -F input
    ipchains -P input DENY

    # LAN hosts may send anything in through the internal interface.
    ipchains -A input -i $INTDEV -s $INTNET/24 -d 0.0.0.0/0 -j ACCEPT

    # Multicast from our own external address.
    ipchains -A input -i $EXTDEV -s $EXTERNALIP/32 -d 224.0.0.0/8 -j ACCEPT

    # Anti-spoofing: a LAN source address must never arrive on the outside.
    ipchains -A input -i $EXTDEV -s $INTNET/24 -d 0.0.0.0/0 -j DENY

    # Loopback is always fine.
    ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

    # A few explicitly blocked ports on the external address.
    ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 617 -j DENY
    ipchains -A input -p tcp -s 0.0.0.0/0 -d $EXTERNALIP 7777 -j DENY
    ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 7 -j DENY
    ipchains -A input -p udp -s 0.0.0.0/0 -d $EXTERNALIP 514 -j DENY

    # Everything else addressed to the firewall itself on the external
    # interface is accepted. This is what lets masqueraded replies back in
    # (the 2.2 kernel rewrites them to ports 61000-65095 on $EXTERNALIP),
    # but it also exposes every service listening on this host to the
    # Internet. A tighter rule would accept only that port range plus the
    # services you actually mean to offer.
    ipchains -A input -i $EXTDEV -s 0.0.0.0/0 -d $EXTERNALIP/32 -j ACCEPT

    # Log and drop the rest.
    ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY

    echo "Setting new output rules"

    # Outgoing, flush and set default policy of deny.
    ipchains -F output
    ipchains -P output DENY

    # local interface, any source going to local net is valid
    ipchains -A output -i $INTDEV -s 0.0.0.0/0 -d $INTNET/24 -j ACCEPT

    # loopback interface is valid.
    ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

    # outgoing to local net on remote interface: stuffed routing, deny
    ipchains -A output -i $EXTDEV -s 0.0.0.0/0 -d $INTNET/24 -j DENY

    # outgoing from local net on remote interface: stuffed masq, deny
    ipchains -A output -i $EXTDEV -s $INTNET/24 -d 0.0.0.0/0 -j DENY

    # anything else leaving the remote interface must carry our own address
    ipchains -A output -i $EXTDEV -s $EXTERNALIP/32 -d 0.0.0.0/0 -j ACCEPT

    ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j DENY

    echo "Done with the firewall rulesets"
    echo -n "acct..."

    # Accounting chains. They hold no rules, so a packet jumping into one
    # falls straight back out; the byte/packet counters on the jump rules
    # themselves are what we read later with "ipchains -L -v".
    ipchains -N acctin
    ipchains -N acctout
    ipchains -N acctio
    # Track traffic just to network, not individual hosts
    ipchains -I input -j acctio
    ipchains -I input -j acctin
    ipchains -I output -j acctio
    ipchains -I output -j acctout
    ipchains -I forward -j acctout

    echo "done"
    touch /var/lock/subsys/firewall
    ;;

stop)
    # Stop firewall: flush everything and fall back to accept-all.
    echo -n "Shutting down firewall: "
    ipchains -F input
    ipchains -A input -j ACCEPT
    ipchains -F output
    ipchains -A output -j ACCEPT
    ipchains -F forward
    ipchains -A forward -j ACCEPT
    # The accounting chains are empty and no longer referenced, so they
    # can be deleted.
    ipchains -X acctio
    ipchains -X acctin
    ipchains -X acctout

    rmmod ip_masq_raudio
    rmmod ip_masq_irc
    rmmod ip_masq_ftp

    echo "done"
    rm -f /var/lock/subsys/firewall
    ;;

restart)
    $0 stop
    $0 start
    ;;

status)
    # There is no "firewall" process for the status() function in
    # /etc/rc.d/init.d/functions to find, so it would always answer
    # "firewall dead but subsys locked" once the lock file exists.
    # Report on the lock file and the live rule set instead.
    if [ -f /var/lock/subsys/firewall ]; then
        echo "firewall rules loaded:"
        ipchains -L -n
    else
        echo "firewall is stopped"
        exit 3
    fi
    ;;

*)
    echo "Usage: firewall {start|stop|restart|status}"
    exit 1
esac

exit 0


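To see which of the posted input rules actually decides a packet's fate, here is an added example (not part of the original post or the poster's script) that replays the script's input chain with ipchains' first-match semantics in plain sh. The rule table is a hand-transcribed subset of the rules above in a one-line-per-rule format of my own; the packets, the 192.0.2.10 web-server address and the masquerade port 61001 are constructed. It shows that the reply to a masqueraded HTTP request and an unsolicited connection to the firewall's own port 22 are accepted by the same rule, the ninth, while a spoofed LAN source on eth1 is stopped by the anti-spoofing rule.

```shell
#!/bin/sh
# First-match evaluator over a simplified copy of the posted "input" chain.
# Added example; rule table, packets and addresses below are constructed.
EXTDEV=eth1
INTDEV=eth0
EXTERNALIP=10.166.102.250
INTNET=192.168.1.0/24

# Rule columns: iface proto src dst dport target ("any" is a wildcard).
RULES="
$INTDEV any $INTNET any any ACCEPT
$EXTDEV any $EXTERNALIP/32 224.0.0.0/8 any ACCEPT
$EXTDEV any $INTNET any any DENY
lo any any any any ACCEPT
any tcp any $EXTERNALIP/32 617 DENY
any tcp any $EXTERNALIP/32 7777 DENY
any udp any $EXTERNALIP/32 7 DENY
any udp any $EXTERNALIP/32 514 DENY
$EXTDEV any any $EXTERNALIP/32 any ACCEPT
any any any any any DENY
"

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_net IP CIDR -> exit 0 if IP lies inside CIDR ("any" and /0 match all)
in_net() {
    [ "$2" = any ] && return 0
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# evaluate IFACE PROTO SRC DST DPORT -> "N TARGET" of the first matching rule
evaluate() {
    p_if=$1; p_proto=$2; p_src=$3; p_dst=$4; p_port=$5
    n=0
    while read -r r_if r_proto r_src r_dst r_port r_target; do
        [ -z "$r_if" ] && continue
        n=$((n + 1))
        [ "$r_if" = any ]    || [ "$r_if" = "$p_if" ]       || continue
        [ "$r_proto" = any ] || [ "$r_proto" = "$p_proto" ] || continue
        in_net "$p_src" "$r_src" || continue
        in_net "$p_dst" "$r_dst" || continue
        [ "$r_port" = any ]  || [ "$r_port" = "$p_port" ]   || continue
        echo "$n $r_target"
        return 0
    done <<EOF
$RULES
EOF
    echo "policy DENY"
}

demo() {
    # reply to a masqueraded HTTP request lands on a masq port of the firewall
    echo "web reply:    $(evaluate eth1 tcp 192.0.2.10 $EXTERNALIP 61001)"
    # unsolicited SYN from the Internet to a service on the firewall itself
    echo "inbound ssh:  $(evaluate eth1 tcp 192.0.2.10 $EXTERNALIP 22)"
    # packet claiming a LAN source but arriving on the outside interface
    echo "spoofed src:  $(evaluate eth1 udp 192.168.1.5 $EXTERNALIP 53)"
    # one of the four explicitly blocked ports
    echo "syslog probe: $(evaluate eth1 udp 192.0.2.10 $EXTERNALIP 514)"
    # LAN host talking to the firewall's inside address
    echo "lan to fw:    $(evaluate eth0 tcp 192.168.1.10 192.168.1.1 80)"
    # outside packet for some other host: the catch-all log rule
    echo "transit:      $(evaluate eth1 tcp 192.0.2.10 192.0.2.99 80)"
}
demo
```

The evaluator only models what the posted rules test (interface, protocol, source and destination network, destination port); it does not model the demasquerading step, which in the 2.2 kernel hands a reply that matched the masq table straight to the output chain after the input chain accepts it.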
 
Old 06-12-2001, 09:14 PM   #2
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
Do you have any proxy settings on the Windows browser? (Hint - don't)

Don't know what 'firewall dead subsys locked' means. What's in the syslogs when you start the firewall?
 
Old 06-13-2001, 01:10 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
"firewall dead but subsys locked" means it's DOA, but the process can't remove the PID at /var/lock/subsys/firewall.
To see if ipchains is running, issue "pidof ipchains".
If it ain't, check the binary first, then the startup part of the script itself.
If this script is in /etc/rc.d/init.d, IMHO it's dead wrong; it should only point to stuff to start/stop, and the ipchains script itself should be detached from those routines; easier to maintain/test, harder to snafu the startup script :-]
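The verdict quoted above comes from the status() function in Red Hat's /etc/rc.d/init.d/functions, which looks for a live process first, then a stale pid file, then a stale lock under /var/lock/subsys. A script that only loads ipchains rules never has a process to find, so once it has touched its lock file that function can only ever answer "dead but subsys locked". Here is an added example, not from the thread, that reimplements that decision order in plain sh next to a status check that suits a rule-loading script: it reports on the lock file and on the policy of the input chain. LOCKDIR, RUNDIR and LIST_RULES are knobs I introduced so the functions can be exercised without root or a 2.2 kernel; the "Chain input (policy DENY):" header it parses is the first line ipchains -L prints for a chain.

```shell
#!/bin/sh
# Emulation of the initscripts status() decision order, beside a status
# check for a rule-loading script. Added example; LOCKDIR, RUNDIR and
# LIST_RULES are assumptions so the code runs without root.
LOCKDIR="${LOCKDIR:-/var/lock/subsys}"
RUNDIR="${RUNDIR:-/var/run}"
# Command whose first output line is "Chain input (policy X):".
LIST_RULES="${LIST_RULES:-ipchains -L input -n}"

# rh_status NAME: a live process wins, then a stale pid file, then a stale
# subsys lock, then "stopped". Return codes follow the same order (0..3).
rh_status() {
    name=$1
    if command -v pidof >/dev/null 2>&1 &&
       pidof -o $$ -o $PPID -o %PPID -x "$name" >/dev/null 2>&1; then
        echo "$name (pid $(pidof -o $$ -o $PPID -o %PPID -x "$name")) is running..."
        return 0
    fi
    if [ -f "$RUNDIR/$name.pid" ]; then
        echo "$name dead but pid file exists"
        return 1
    fi
    if [ -f "$LOCKDIR/$name" ]; then
        echo "$name dead but subsys locked"
        return 2
    fi
    echo "$name is stopped"
    return 3
}

# fw_status NAME: there is no daemon, so report on what "start" actually
# changed: the lock it touched and the input-chain policy it set to DENY.
fw_status() {
    name=$1
    policy=$($LIST_RULES 2>/dev/null | sed -n '1s/.*(policy \([A-Z]*\)).*/\1/p')
    if [ -f "$LOCKDIR/$name" ] && [ "$policy" = DENY ]; then
        echo "$name rules loaded (input policy $policy)"
        return 0
    fi
    if [ -f "$LOCKDIR/$name" ]; then
        echo "$name lock present but input policy is ${policy:-unknown}; rules not loaded"
        return 2
    fi
    echo "$name is stopped (input policy ${policy:-unknown})"
    return 3
}

# Stand-alone run: both verdicts for the service name the poster uses.
rh_status firewall || :
fw_status firewall || :
```

Run as root on the box in question, fw_status distinguishes the three states the poster's script can be in (rules loaded, lock left behind after a failed start, not started), which is exactly what rh_status cannot do for a script with no process.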