Linux - Networking: this forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
At the moment there is a script that runs when the computer starts up, which executes the iptables commands to set up the network etc. (they are the commands I posted). If I type the 'log_n_pass' line after this script has run, should it work? That is, if I type that line, will it replace the old 'log_n_drop' command?
What you really should do is configure the firewall script that came with your distro. e.g. shorewall? I think that's the one on Mandrake.
Or if you like the rule set and simply need to delete a rule, run `iptables -L --line-numbers`, then find the line you want to delete and do `iptables -D chain rulenum`, chain being the chain name and rulenum being the numbered line on that chain. I hope this is clear.
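As an added example, not code from this thread: a small POSIX shell helper that turns the "find the line number, then -D" step above into something scriptable, and also answers the original question of whether typing a new rule replaces the old one (it does not; `-A` appends, `-R` replaces at a given position). It reads `iptables -S CHAIN` output, whose n-th `-A` line is rule number n in `iptables -L CHAIN --line-numbers`, and prints the matching rule's number. The sample chain text is constructed; the log_n_drop/log_n_pass names simply mirror the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find a rule's number from "iptables -S"
# output so the rule can be deleted (-D) or replaced in place (-R).
# "iptables -S CHAIN" prints one "-A CHAIN ..." line per rule in chain order,
# so its n-th "-A" line is rule number n in "iptables -L CHAIN --line-numbers".

# rule_index CHAIN PATTERN: read "iptables -S" text on stdin and print the
# 1-based number of the first rule in CHAIN whose text contains PATTERN
# (a fixed string). Prints nothing and returns 1 when nothing matches.
rule_index() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain {
            n++
            if (index($0, pat) > 0) { print n; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# replace_cmd CHAIN PATTERN NEWSPEC: print the command that swaps the matching
# rule for NEWSPEC at the same position. "-R" keeps the rule's place in the
# chain; "-A" would only append a second rule after the old one.
replace_cmd() {
    n=$(rule_index "$1" "$2") || return 1
    printf 'iptables -R %s %s %s\n' "$1" "$n" "$3"
}

# delete_cmd CHAIN PATTERN: print the matching "iptables -D CHAIN rulenum".
delete_cmd() {
    n=$(rule_index "$1" "$2") || return 1
    printf 'iptables -D %s %s\n' "$1" "$n"
}

# Constructed sample of "iptables -S INPUT" on a gateway like the one in the
# thread: DROP policy and a catch-all log_n_drop rule the poster wants replaced.
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j log_n_drop'

# Stand-alone run: show what would be executed against the sample chain.
# On the real gateway, feed live output instead, e.g.
#   iptables -S INPUT | replace_cmd INPUT log_n_drop "-i ppp0 -m state --state NEW -j log_n_pass"
printf '%s\n' "$SAMPLE_INPUT" | delete_cmd INPUT log_n_drop
printf '%s\n' "$SAMPLE_INPUT" | replace_cmd INPUT log_n_drop "-i ppp0 -m state --state NEW -j log_n_pass"
```

Matching on a fixed string rather than re-typing the whole rule avoids the usual trap with `-D` by number: after one deletion the later rules renumber, so compute the number immediately before each change.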
It took me some time to read all your posts, but I think I found something you all haven't looked at: -P DROP.
This means each packet will be dropped if there isn't a rule which stops that.
My suggestion:
iptables -I INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
Try this line instead of your 5th command ("iptables -A INPUT -i ppp0 -m state --state NEW -j log_n_pass"). Explanation:
With --state NEW you mean all packets opening a new connection (see also: 3-way handshake). After a client has opened a new connection, it sends packets without the NEW flag. Now there is no rule matching, so the policy says DROP and the packet is lost.
If it's working please show us the output of 'iptables -L -n' again. thx
Thanks, I will try that. Just one thing though - as I have already entered the 5th command, will I have to restart the computer and type everything again, or will your command just replace the old one?
Suddenly I have a doubt that this works. What I said shouldn't be wrong, but if PREROUTING is working correctly, the chain INPUT shouldn't be used for these packets.
Anyway try my tip. If it doesn't work, I will write down the complete firewall configuration..
hoping that's it:
I've written a tiny script. Copy it to a new file and make it executable. Then run it.
This script is deleting all your firewall settings and making new ones. It's only for trying to make your server accessible.
Make sure there are no rules in iptables -t nat. You can do this with iptables -t nat -L.
If you want to reset your configuration, you should restart your computer - I think that is the easiest way, because your firewall loads a script which (re-)creates all firewall settings.
Code:
#!/bin/sh
EXTINT=ppp0
# Assumes IP forwarding is already enabled (net.ipv4.ip_forward = 1)
#Delete all rules: the filter chains and the two nat chains this script fills,
#so that re-running it does not leave duplicate DNAT/MASQUERADE rules behind
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
#Set Policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#don't accept any new or invalid connections from outside, with one exception:
#only accept NEW packets on port 80 for forwarding
iptables -A INPUT -i "$EXTINT" -m state --state NEW,INVALID -j DROP
#"! --dport 80" is the current negation syntax; old iptables releases also accepted "--dport ! 80"
iptables -A FORWARD -i "$EXTINT" -p tcp ! --dport 80 -m state --state NEW -j DROP
iptables -A FORWARD -i "$EXTINT" -m state --state INVALID -j DROP
#Allow HTTP-connections from inside the firewall (outbound SYN, and replies that are not SYNs)
iptables -A FORWARD -o "$EXTINT" -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
iptables -A FORWARD -i "$EXTINT" -p tcp --dport 1024:65535 --sport 80 ! --syn -j ACCEPT
#Forward connections for your server: rewrite the destination, then allow the forwarded traffic
iptables -t nat -A PREROUTING -i "$EXTINT" -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1
iptables -A FORWARD -i "$EXTINT" -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -o "$EXTINT" -p tcp --sport 80 -j ACCEPT
#Masquerading
iptables -t nat -A POSTROUTING -o "$EXTINT" -j MASQUERADE
It would be a lot tidier to just replace the "$EXTINT" variable with ppp0..
Makes it way more readable..
Also to consider..
The original problem of not connecting to a LAN based server using its external IP number..
If you send a packet from 192.168.0.20 to 222.333.444.555 and it's dnatted to 192.168.0.1,
the server will see a source address of 192.168.0.20, notice it's local, and send it directly back, from 192.168.0.1..
So the original PC sees a packet going to 222.333.444.555 but a reply from 192.168.0.1
and drops it as rubbish..
If you have lots of workstations, the quickest answer is to run a small DNS caching server on the firewall that converts all the names possible for the server back to its internal number.
dnsmasq and dnrd are common..
Otherwise, add this list to everyone's /etc/host file (or lmhosts.sam for M$ )
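An added example that serves two passages above, and is not Fle><'s or peter_robb's code: a stateful version of the port-forward script. It fixes the problem Fle>< explains (a rule matching only `--state NEW` passes the SYN and nothing else, so the rest of the connection falls through to the DROP policy) by accepting `ESTABLISHED,RELATED` first, and it handles the case peter_robb describes (a LAN client reaching the server through the external address) with hairpin NAT: the LAN-originated packet is DNATed as well and then MASQUERADEd, so the server answers the gateway instead of the client and the reply comes back from the address the client actually connected to. Assumed values, none taken from the thread: external interface ppp0, LAN 192.168.0.0/24 on eth0, server 192.168.0.1, and EXTIP, a placeholder that must be set to the gateway's real public address.

```shell
#!/bin/sh
# Added example, not Fle><'s or peter_robb's code: a stateful port-forward
# ruleset for the gateway described in the thread. Assumed values (not taken
# from the thread): external interface ppp0, LAN 192.168.0.0/24 on eth0, web
# server 192.168.0.1, and EXTIP, a placeholder that must be set to the
# gateway's real public address. Run with no argument to print the commands;
# run "sh fw.sh apply" as root to execute them.
EXTINT=${EXTINT:-ppp0}
LANINT=${LANINT:-eth0}
LAN=${LAN:-192.168.0.0/24}
SERVER=${SERVER:-192.168.0.1}
EXTIP=${EXTIP:-203.0.113.10}   # placeholder (RFC 5737 documentation range)

# ipt ARGS...: execute iptables in "apply" mode, otherwise print the command.
ipt() {
    if [ "$MODE" = apply ]; then iptables "$@"; else echo "iptables $*"; fi
}

build_rules() {
    # Clean slate in filter AND nat: flushing only filter leaves stale
    # DNAT/MASQUERADE rules behind on every re-run.
    ipt -F INPUT; ipt -F FORWARD; ipt -F OUTPUT
    ipt -t nat -F PREROUTING; ipt -t nat -F POSTROUTING
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # Replies first. A rule matching only "--state NEW" passes the SYN and
    # nothing else, so the rest of the connection hits the DROP policy; this
    # is the failure described in the thread.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state INVALID -j DROP

    # The LAN may open connections to the gateway and, through it, outward.
    ipt -A INPUT -i "$LANINT" -s "$LAN" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LANINT" -o "$EXTINT" -s "$LAN" -m state --state NEW -j ACCEPT

    # Port forward from the Internet: rewrite the destination in PREROUTING,
    # then let only that one kind of NEW connection through FORWARD.
    ipt -t nat -A PREROUTING -i "$EXTINT" -p tcp --dport 80 -j DNAT --to-destination "$SERVER"
    ipt -A FORWARD -i "$EXTINT" -o "$LANINT" -d "$SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Hairpin NAT for a LAN client that connects to EXTIP: DNAT it too, and
    # MASQUERADE the source so the server answers the gateway rather than the
    # client directly; otherwise the client sees a reply from 192.168.0.1 to
    # a connection it opened to EXTIP and discards it.
    ipt -t nat -A PREROUTING -i "$LANINT" -d "$EXTIP" -p tcp --dport 80 -j DNAT --to-destination "$SERVER"
    ipt -A FORWARD -i "$LANINT" -o "$LANINT" -d "$SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$LAN" -d "$SERVER" -p tcp --dport 80 -j MASQUERADE

    # Masquerade everything that leaves through the PPP link.
    ipt -t nat -A POSTROUTING -o "$EXTINT" -j MASQUERADE
}

# enable_forwarding: the FORWARD chain is never consulted unless the kernel
# routes between interfaces.
enable_forwarding() {
    if [ "$MODE" = apply ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

MODE=${1:-print}
build_rules
enable_forwarding
```

Run it without arguments first and read the printed commands; only then run it as root with `apply`. The hairpin rules are the alternative to peter_robb's split-DNS suggestion: if you would rather keep the NAT rules minimal, a resolver such as dnsmasq can hand LAN clients the internal address instead (its `address=/name/192.168.0.1` option does exactly that), and then no LAN packet ever carries the external IP.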
Quote:
Originally posted by Fle><
I can not try it. I am only hoping that it works
Sorry, it still doesn't do it. It just stops me connecting to the internet...
Quote:
Originally posted by peter_robb
If you send packet from 192.168.0.20 to 222.333.444.555 and it's dnatted to 192.168.0.1,
the server will see a source address of 192.168.0.20, notice it's local, and send it directly back, from 192.168.0.1..
So the original PC sees a packet going to 222.333.444.555 but a reply from 192.168.0.1
and drops it as rubbish.
So this might not work anyway? At the moment I am trying it by going to the gateway's external IP from the web server, as it's the computer I can get to the easiest.
Quote:
Originally posted by peter_robb
If you have lots of workstations, the quickest answer is to run a small DNS caching server on the firewall that converts all the names possible for the server back to its internal number.
dnsmasq and dnrd are common..
Otherwise, add this list to everyone's /etc/host file (or lmhosts.sam for M$ )
Thanks for everyone's help, I'm not having a go at you... but is this normally so complicated? I thought that all I would have to do is forward packets coming in on port 80 to my web server, and packets from the server back out again!