Re: Lan to Wan reprise

From: Claude Jones (claude_jones_at_levitjames.com)
Date: 03/14/05

    Date: Sun, 13 Mar 2005 18:02:22 -0500
    To: For users of Fedora Core releases <fedora-list@redhat.com>

    Claude Jones wrote:

    > The web server works.
    > The box has internet access.
    > Machines on the Lan are getting DHCP assigned IP addresses. They are
    > also able to see my lone web page.
    > However, the machines on the Lan can't get past the firewall. It's not
    > a DNS problem because it doesn't go away if you put an IP address in.
    > I can ping the Wan NIC from the LAN but nothing further than that.
    > I've reviewed the procedures over and over that I used successfully,
    > and I can't find the problem.
    > DHCPD loads without errors.
    > I've checked and rechecked the firewall and SELinux settings, and they
    > appear to be the same as at the office.
    > I've reviewed the network settings for my NICs twenty times.
    > IP forwarding and masquerade have been set up.
    >

    I add the following detail in case someone has the time to pore through
    it. I continue to be stuck. The above conditions still hold.
    The following is my firewall script:

    #!/bin/bash
    # An enhanced stateful firewall for a workstation, laptop or router that isn't
    # running any network services like a web server, SMTP server, ftp server, etc.
    #change this to the name of the interface that provides your "WAN"
    #(connection to the Internet)
    WAN="eth0"
    #if you're a router (and thus should forward IP packets between interfaces),
    #you want ROUTER="yes"; otherwise, ROUTER="no"
    ROUTER="yes"
    #change this next line to the static IP of your WAN interface for static SNAT,
    #"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to ""
    #to disable it.
    NAT="66.225.207.87"
    #change this next line so it lists all your network interfaces, including lo
    INTERFACES="lo eth0 eth1"
    if [ "$1" = "start" ]
    then
        echo "Starting firewall..."
        iptables -P INPUT DROP
        #anything arriving on a non-WAN interface (lo, the LAN NIC) is trusted
        iptables -A INPUT -i ! ${WAN} -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        #the web server is the one service reachable from the WAN
        iptables -A INPUT -p tcp --dport http -m state --state NEW -j ACCEPT
        iptables -A INPUT -p tcp -i ${WAN} -j REJECT --reject-with tcp-reset
        iptables -A INPUT -p udp -i ${WAN} -j REJECT --reject-with icmp-port-unreachable
        #explicitly disable ECN
        if [ -e /proc/sys/net/ipv4/tcp_ecn ]
        then
            echo 0 > /proc/sys/net/ipv4/tcp_ecn
        fi
        #disable spoofing on all interfaces
        for x in ${INTERFACES}
        do
            echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
        done
        if [ "$ROUTER" = "yes" ]
        then
            #we're a router of some kind, enable IP forwarding
            echo 1 > /proc/sys/net/ipv4/ip_forward
            #note: no FORWARD chain rules are added here, so routed LAN<->WAN
            #traffic is governed by the FORWARD chain's policy and by any rules
            #loaded there by other scripts
            if [ "$NAT" = "dynamic" ]
            then
                #dynamic IP, use masquerading
                echo "Enabling masquerading (dynamic ip)..."
                iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
            elif [ -n "$NAT" ]
            then
                #static IP, use SNAT
                echo "Enabling SNAT (static ip)..."
                iptables -t nat -A POSTROUTING -o ${WAN} -j SNAT --to ${NAT}
            fi
        fi
    elif [ "$1" = "stop" ]
    then
        echo "Stopping firewall..."
        iptables -F INPUT
        iptables -P INPUT ACCEPT
        #turn off NAT/masquerading, if any
        iptables -t nat -F POSTROUTING
    fi

    This is my dhcpd.conf:

    ddns-update-style interim;
    ignore client-updates;

    subnet 192.168.2.0 netmask 255.255.255.0 {

        # --- default gateway
        option routers 192.168.2.1;
        option subnet-mask 255.255.255.0;

        # option nis-domain "domain.org";
        option domain-name viewridgeproductions;
        option domain-name-servers 64.202.97.2, 69.31.31.2;

        option time-offset -18000; # Eastern Standard Time
        # option ntp-servers 192.168.1.1;
        # option netbios-name-servers 192.168.1.1;
        # --- Selects point-to-point node (default is hybrid). Don't change this unless
        # -- you understand Netbios very well
        # option netbios-node-type 2;

        range dynamic-bootp 192.168.2.128 192.168.2.254;
        default-lease-time 21600;
        max-lease-time 43200;

        # we want the lan router to appear at a fixed address
        host viewridgeproductions {
            hardware ethernet 00:C0:F0:49:79:31;
            fixed-address 192.168.2.1;
        }
    }

    Both of these can be started and stopped without error messages. I've
    visited and revisited NIC configurations, and they are fine. I'm
    mystified. If one of you has the time to pore through all this and see a
    problem, thanks in advance.

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
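An added diagnostic, not part of the post above and not Claude's script: it parses an iptables-save dump and checks the three things a LAN-to-WAN NAT router needs (ip_forward on, a FORWARD chain that does not discard unmatched traffic, and SNAT/MASQUERADE on the WAN interface). The dump is constructed to mirror the posted script's INPUT and SNAT rules, plus one catch-all REJECT in FORWARD that the script itself never creates, so the check has something to report.

```python
import re
# Constructed sample (not from a real host): the posted script's INPUT and SNAT
# rules as iptables-save prints them, plus one extra catch-all REJECT in FORWARD.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 66.225.207.87
COMMIT
"""

def parse_dump(dump):
    """Split iptables-save text into {table: {"policy": {chain: pol}, "rules": [...]}}."""
    tables = {n: {"policy": {}, "rules": []} for n in ("filter", "nat")}
    cur = None
    for line in dump.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur is not None:
            cur["rules"].append(line)
    return tables

def forward_verdict(filt):
    """Target a new forwarded packet reaches: the first FORWARD rule carrying no
    -i/-o/-s/-d/-p/-m match decides, otherwise the chain policy does."""
    for r in filt["rules"]:
        if r.startswith("-A FORWARD") and not re.search(r"\s-[iosdpm]\s", r):
            return re.search(r"-j (\S+)", r).group(1)
    return filt["policy"].get("FORWARD", "ACCEPT")

def check_router(dump, ip_forward, wan):
    """Return findings that would stop LAN hosts reaching the WAN (empty = OK)."""
    t, findings = parse_dump(dump), []
    if ip_forward != 1:
        findings.append("ip_forward is 0: kernel does not route between NICs")
    verdict = forward_verdict(t["filter"])
    if verdict != "ACCEPT":
        findings.append(f"FORWARD sends unmatched traffic to {verdict}, not ACCEPT")
    if not any(r.startswith("-A POSTROUTING") and f"-o {wan}" in r
               and re.search(r"-j (SNAT|MASQUERADE)\b", r) for r in t["nat"]["rules"]):
        findings.append(f"no SNAT/MASQUERADE on {wan} in nat POSTROUTING")
    return findings
```

On a live router, feed it the output of `iptables-save` and the value of /proc/sys/net/ipv4/ip_forward; a FORWARD verdict that is a user-defined chain name means that chain has to be read to know what happens to routed traffic.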
    
