Gateway won't let client out



hamstar
02-01-2006, 01:37 PM
hey guys,

got my dialup connection working right, but now I can't gateway to it from my main box.

The gateway box is a fc3 console, and the main box is an opensuse 10 desktop.

Routing tables are as follows:

fc3 gateway box (192.168.0.1):


202.89.136.1 * 255.255.255.255 UG ppp0
192.168.0.0 * 255.255.255.0 U eth0
169.254.0.0 * 255.255.0.0 U eth0
0.0.0.0 202.89.136.1 0.0.0.0 UH ppp0


os10 main box (192.168.0.11):


192.168.0.1 0.0.0.0 255.255.255.255 UH eth0
192.168.0.0 0.0.0.0 255.255.255.0 U eth0
169.254.0.0 0.0.0.0 255.255.0.0 U eth0
127.0.0.0 0.0.0.0 255.0.0.0 U lo
0.0.0.0 192.168.0.1 0.0.0.0 UG eth0


network: 192.168.0.0
quicksilver: 202.89.136.1
domain: site

Can ping everything locally, can ping externally from gateway but can't ping externally from desktop box...

192.168.0.1 => 192.168.0.11
192.168.0.11 => 192.168.0.1
192.168.0.1 => 202.89.136.1
192.168.0.11 =X 202.89.136.1

IP forwarding is enabled in /etc/sysctl.conf
eth0 is set to trusted device in system-config-securitylevel

Anyone know what's going on?

cheers

hamstar
02-01-2006, 03:56 PM
umm... help?

Chilling_Silence
02-01-2006, 06:51 PM
What are your iptables rules?

Do a search by my name, I posted a short .sh script you can run which will FWD the connections for you... I believe it was in reply to Personthingy's post... Have a look through my history anyways :)

hamstar
03-01-2006, 03:45 PM
can't find it anywhere dude...

neither the vBulletin nor Google search finds it...

and you have a ****eload of posts....

hamstar
04-01-2006, 01:18 PM
nevermind... on the right track now :D

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-firewall-ipt-fwd.html

hamstar
05-01-2006, 08:57 AM
For future reference to anyone:
Save this as a script or run the commands by hand.


#!/bin/bash

# Block all traffic by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow all traffic on eth0 (the LAN side)
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT

# Allow the server to route packets externally (activate NAT on the dialup link)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Allow http and https: outbound by destination port, replies by source port
iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

# Save settings to file
service iptables save


If you want to allow other services such as pop3 (port 110), smtp (25), and ftp (21) you'll have to add sport and dport rules like the others, with their respective ports.

service iptables save will only work with Fedora Core (and Red Hat?) that I've seen. I think the generic command would be /etc/init.d/iptables save.

hope this helps someone.

Growly
05-01-2006, 09:12 AM
My debian router doesn't need to masquerade because it's behind an ADSL modem, which itself provides NAT functionality. Hence I only need it to a) block all ports and b) forward ones I like.

So if you want to forward ports, use this syntax:

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 49995:50000 -j DNAT --to 192.168.0.100:49995-50000

Here I have forwarded all incoming traffic on ports in the range 49995 to 50000 from interface eth1 (internet side) to local machine 192.168.0.100's corresponding ports.

vinref
05-01-2006, 12:28 PM
Not using stateful capabilities of iptables? Tsk tsk...

hamstar
05-01-2006, 01:23 PM
stateful capabilities? I think I touched on that but it looked very complicated... will look again soon...
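The stateful version vinref hints at, as an added example that is not from this thread or any of its posters: it keeps hamstar's topology (eth0 LAN, ppp0 dialup, MASQUERADE) but replaces the --sport 80/443 INPUT rules, which accept any packet arriving on the uplink with that source port, with connection-tracking rules that only admit replies to connections the gateway or LAN actually opened. The script name, the IPT/LAN_IF/WAN_IF/LAN_NET variables, the "apply" argument and the outbound DNS rule are assumptions made here.

```shell
#!/bin/sh
# Stateful version of the gateway rules from this thread.
# eth0 = LAN side (192.168.0.0/24), ppp0 = dialup uplink; ip_forward must be 1.
# Set IPT=echo to preview the commands instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

apply_rules() {
    # Clean slate, default deny in every direction
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback and the trusted LAN interface (only from the LAN subnet)
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -j ACCEPT

    # Replies come back via connection tracking, so nothing arriving on the
    # uplink is trusted merely because of its source port
    $IPT -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # New connections may only be opened from the LAN towards the uplink
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT

    # The gateway itself may open http/https; the DNS rule is an assumption
    # added here so the box can resolve names (not in the original script)
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT

    # Hide the private LAN behind the dynamic ppp0 address
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Apply with:   sudo ./gw-stateful.sh apply   (then "service iptables save")
# Preview with: IPT=echo ./gw-stateful.sh apply
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Preview the rule set with IPT=echo before applying it on a box you reach over the LAN, since a mistake in the eth0 rules locks you out.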