Can't connect to firewall

From: disciple (disciple_at_exis.net)
Date: 09/07/04

  • Next message: John Summerfield: "Re: Addusers and domains ?"
    Date: Tue, 07 Sep 2004 17:45:31 -0400
    To: debian-user@lists.debian.org
    
    

    I have a basic proxy/firewall script:

    I got this from aboutdebian.com

    #!/bin/sh

    # IPCHAINS FIREWALL script for the Linux 2.2 kernel.
    # This script is a derivative of the script presented in
    # the IP Masquerade HOWTO page at:
    # www.tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html
    # It was simplified to coincide with the configuration of
    # the sample system presented in the Guides section of
    # www.aboutdebian.com
    #
    # PLEASE SET THE USER VARIABLES
    # IN SECTIONS A AND B OR C

    echo -e "\n\nSETTING UP IPCHAINS FIREWALL..."

    # === SECTION A
    # ----------- FOR EVERYONE

    # SET THE _NETWORK_ ADDRESS OF YOUR INTERNAL NETWORK
    # The default value below is for a 192.168.0.0 network.
    # Note that the "/24" is a network mask of 255.255.255.0
    # (meaning 24 bits - three octets - set to 1s). Similarly,
    # a network mask of 255.255.0.0 would be "/16".
    # Note that this is a NETWORK address - not the
    # IP address of a specific device on the network.
    # Enter the internal network's (or subnet's) network
    # address for the INTLAN variable:

    INTLAN="192.168.0.0/24"

    # SET THE INTERFACE DESIGNATION FOR THE NIC CONNECTED TO YOUR INTERNAL NETWORK
    # The default value below is for "eth0". This value
    # could also be "eth1" if you have TWO NICs in your system.
    # You can use the ifconfig command to list the interfaces
    # on your system. The internal interface will likely have
    # an address that is in one of the private IP address
    # ranges.
    # Note that this is an interface DESIGNATION - not
    # the IP address of the interface.
    # Enter the internal interface's designation for the
    # INTIF variable:

    INTIF="eth0"

    # SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
    # The default value below is "ppp0" which is appropriate
    # for a MODEM connection.
    # If you have two NICs in your system change this value
    # to "eth0" or "eth1" (whichever is opposite of the value
    # set for INTIF above).
    # Note that this is an interface DESIGNATION - not
    # the IP address of the interface.
    # Enter the external interface's designation for the
    # EXTIF variable:

    EXTIF="ppp0"

    # ! ! ! ! ! Use ONLY Section B *OR* Section C depending on
    # ! ! ! ! the type of Internet connection you have.

    # === SECTION B
    # ----------- FOR THOSE WITH STATIC PUBLIC IP ADDRESSES

       # SET YOUR EXTERNAL IP ADDRESS
       # If you specified a NIC (i.e. "eth0" or "eth1" for
       # the external interface (EXTIF) variable above,
       # AND if that external NIC is configured with a
       # static, public IP address (assigned by your ISP),
       # UNCOMMENT the following EXTIP line and enter the
       # IP address for the EXTIP variable:

    # EXTIP="your.static.IP.address"

    # === SECTION C
    # ---------- DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS

    # SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
    # If you get your IP address dynamically from SLIP, PPP,
    # BOOTP, or DHCP, UNCOMMENT the FOUR commands below.
    # (No values have to be entered.)
    # Note that if you are uncommenting these lines then
    # the EXTIP line in Section B must be commented out.

    # echo " Enabling Dynamic IP Addressing..."
    # echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    # /sbin/ipchains -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp
    # (Reads the address of $EXTIF rather than a hard-coded "ppp0",
    # so it also works when the external NIC is eth0/eth1. Run this
    # after the interface is up, or EXTIP will be empty and the
    # rules below that use $EXTIP/32 will fail to load.)
    # EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

    # -------- No more user variables beyond this point ------------------

    echo " Loading required IPMASQ kernel modules..."

    /sbin/depmod -a
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio

    echo " Enabling IP forwarding..."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo " Enabling IP Defragmentation..."
    echo "1" > /proc/sys/net/ipv4/ip_always_defrag

    # MASQ timeouts
    #
    # 2 hrs timeout for TCP session timeouts
    # 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
    # 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)

    echo " Setting default timers..."
    /sbin/ipchains -M -S 7200 10 160

    echo " Internal interface: $INTIF"
    echo " Internal network IP address is: $INTLAN"
    echo " External interface: $EXTIF"
    echo " External interface IP address is: $EXTIP"

    echo " Setting up firewall rules..."

    # INPUT RULES
    #############################################################################
    # Incoming, flush and set default policy of reject.
    #
    ipchains -F input
    ipchains -P input REJECT
    ipchains -A input -i $INTIF -s $INTLAN -d 0.0.0.0/0 -j ACCEPT
    ipchains -A input -i $EXTIF -s $INTLAN -d 0.0.0.0/0 -l -j REJECT
    ipchains -A input -i $EXTIF -s 0.0.0.0/0 -d $EXTIP/32 -j ACCEPT
    ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

    # OUTPUT RULES
    #############################################################################
    # Outgoing, flush and set default policy of reject.
    #
    ipchains -F output
    ipchains -P output REJECT
    ipchains -A output -i $INTIF -s 0.0.0.0/0 -d $INTLAN -j ACCEPT
    ipchains -A output -i $EXTIF -s 0.0.0.0/0 -d $INTLAN -l -j REJECT
    ipchains -A output -i $EXTIF -s $INTLAN -d 0.0.0.0/0 -l -j REJECT
    ipchains -A output -i $EXTIF -s $EXTIP/32 -d 0.0.0.0/0 -j ACCEPT
    ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

    # FORWARD RULES
    #############################################################################
    # Forwarding, flush and set default policy of deny.
    #
    ipchains -F forward
    ipchains -P forward DENY
    ipchains -A forward -i $EXTIF -s $INTLAN -d 0.0.0.0/0 -j MASQ

    echo -e " Firewall rule loading complete\n\n"

    *************************************************
    The proxy server dials automatically.
    I can ping the proxy/firewall machine.

    How do I get my Windows/Linux machines to connect to it???
    I tried changing the gateway and filling in the proxy settings info in the browser.
    DNS settings on debian proxy/firewall are correct.

    What am I missing???

    -- 
    To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
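The script above only works if its four user variables are set correctly before any ipchains rule is loaded, and the posted copy still has both Section B and Section C commented out. The following preflight script is an added example and is not part of the original post or of the aboutdebian.com script. It parses ifconfig-style output for an interface's address the way the script's Section C pipeline does, and checks INTLAN, INTIF, EXTIF and EXTIP for the mistakes that make the rules fail. The function names, the sample ifconfig text and the 203.0.113.x addresses (a documentation range) are all constructed for the example; nothing here touches ipchains or /proc, so it can be run on any machine.

```sh
#!/bin/sh
# Added example, not part of the original post or of the aboutdebian.com
# script: preflight checks for the four variables that script depends on.
# Nothing here touches ipchains or /proc; it parses text and validates
# values, so it can be run anywhere before the real script is loaded.
# The ifconfig output below is constructed; 203.0.113.0/24 is a
# documentation range, not a real ISP assignment.

# Print the IPv4 address of interface $1 from ifconfig-style text on stdin.
# Accepts both the old net-tools layout the posted script greps for
# ("inet addr:192.168.0.1") and the newer one ("inet 192.168.0.1").
# Prints nothing if the interface or its address is absent.
extip_from_ifconfig() {
    awk -v ifname="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # start of an interface block
        cur == ifname && $1 == "inet" {
            ip = $2; sub(/^addr:/, "", ip); print ip; exit
        }'
}

# Succeed only if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Validate INTLAN INTIF EXTIF EXTIP (in that order). Prints one finding per
# line and returns non-zero if any were found.
check_fw_vars() {
    intlan=$1 intif=$2 extif=$3 extip=$4
    rc=0
    prefix=${intlan%/*}
    bits=${intlan#*/}
    case "$bits" in ''|*[!0-9]*) bits=-1 ;; esac
    if ! is_ipv4 "$prefix" || [ "$bits" -lt 0 ] || [ "$bits" -gt 32 ]; then
        echo "INTLAN '$intlan' is not a network in CIDR form (e.g. 192.168.0.0/24)"
        rc=1
    fi
    if [ -z "$intif" ] || [ -z "$extif" ]; then
        echo "INTIF and EXTIF must both be set"
        rc=1
    elif [ "$intif" = "$extif" ]; then
        echo "INTIF and EXTIF are both '$intif': the LAN rules would also match Internet traffic"
        rc=1
    fi
    # The posted rules use "$EXTIP/32". With EXTIP empty that argument is
    # just "/32", which ipchains rejects, so the ACCEPT rules for the
    # external interface are never loaded. That is the state when neither
    # section B nor C is uncommented, or when the script runs before the
    # dial-up interface has come up.
    if [ -z "$extip" ]; then
        echo "EXTIP is empty: uncomment section B or C, and run after $extif is up"
        rc=1
    elif ! is_ipv4 "$extip"; then
        echo "EXTIP '$extip' is not an IPv4 address"
        rc=1
    fi
    return $rc
}

# Constructed sample in the old net-tools layout of a 2004 Debian box.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255'

# Dry run against the sample; a real run would pipe /sbin/ifconfig instead.
fw_preflight_demo() {
    extip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | extip_from_ifconfig ppp0)
    check_fw_vars 192.168.0.0/24 eth0 ppp0 "$extip" && echo "OK: EXTIP=$extip"
}
```

To use it on the firewall, replace the sample with `/sbin/ifconfig | extip_from_ifconfig "$EXTIF"` and call `check_fw_vars "$INTLAN" "$INTIF" "$EXTIF" "$EXTIP" || exit 1` before the first `ipchains -F`, so the script refuses to flush the chains when it cannot load a complete ruleset.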
    
