Help with firewall/masquerading problem

From: Alex Meov (alex_me_ov_at_yahoo.com)
Date: 05/29/04


Date: Fri, 28 May 2004 23:32:36 -0400

Hello! I am looking for help fixing the following problem
on my home network.

My mini-network consists of a Linux firewall (Debian,
2.4.22 kernel, masquerading with iptables) and the main
workstation (Linux/Windows). The firewall has 2 NICs:
one (eth0, 10.11.1.119) connected to the ISP's network through
a cable modem; another NIC (eth1, 192.168.0.1) is connected to
the workstation. The workstation has one NIC (192.168.0.2).

The firewall seems to be working, i.e. one cannot connect
to 192.168.0.2 or ping it from the outside. However, one CAN see
and ping 192.168.0.1 from the ISP's 10.11.X.X network. This,
understandably, makes the ISP unhappy (they did check that they
are pinging my box and not someone else's 192.168.0.1 by looking
at MAC addresses).

Can anyone suggest how I can stop 192.168.0.1 from being seen on
the outside (10.11.X.X) network or point me to the relevant
manpages/documentation/FAQ?

Any help is greatly appreciated!
-- Alex

This is the firewall script that runs on startup on the firewall:

##################################################
[skip: load modules...]
IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"
echo "External interface $EXTIF, internal interface $INTIF"

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "Clearing existing rules and setting default policy"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "Allow all connections out and only existing and related in"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

###### This is the output of /sbin/route on the firewall ######
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
10.11.0.0       *               255.255.0.0     U     0      0        0 eth0
default         10.11.1.5       0.0.0.0         UG    0      0        0 eth0
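The posted script sets the FORWARD policy to DROP but leaves INPUT at ACCEPT, so packets addressed to the firewall itself are never filtered. A Linux host answers for any of its local addresses on any interface unless told otherwise, which is why a ping for 192.168.0.1 that arrives on eth0 from the ISP segment gets a reply. The following is an added example (not Alex's script and not part of the original post) of INPUT-chain rules that close that hole: default-deny INPUT, allow the LAN side and loopback, and on the external interface accept only replies to the firewall's own connections plus DHCP, explicitly dropping anything addressed to the 192.168.0.0/24 side. Interface names and addresses are the ones from the post; DRY_RUN=1 (the default here) prints the iptables commands instead of executing them, so the script can be inspected without root.

```sh
#!/bin/sh
# Added example, not the poster's firewall script. Values below are taken
# from the post (eth0 external, eth1 internal 192.168.0.1/24); DRY_RUN=1
# prints the commands instead of running them.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
LAN=${LAN:-192.168.0.0/24}
: "${DRY_RUN:=1}"

# Either print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Replace the "-P INPUT ACCEPT / -F INPUT" pair in the startup script with
# this function so the firewall's own addresses are protected, not only
# the machines behind it.
harden_input_chain() {
    # Start from deny for traffic addressed to the firewall itself.
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -F INPUT

    # Loopback and the internal LAN keep full access to the firewall.
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$INTIF" -s "$LAN" -j ACCEPT

    # External side: DHCP replies are needed if the cable modem side hands
    # out the address; nothing else is allowed unless it is a reply to a
    # connection the firewall started.
    run "$IPTABLES" -A INPUT -i "$EXTIF" -p udp --sport 67 --dport 68 -j ACCEPT

    # The actual fix for the reported symptom: a packet arriving on eth0
    # but addressed to the LAN-side address is never legitimate; drop it
    # before any state matching so it can not even prime the conntrack table.
    run "$IPTABLES" -A INPUT -i "$EXTIF" -d "$LAN" -j DROP

    run "$IPTABLES" -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log what the policy is about to drop, rate-limited so a scan from the
    # ISP segment does not fill the disk.
    run "$IPTABLES" -A INPUT -i "$EXTIF" -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

harden_input_chain
```

Run with DRY_RUN=0 as root to apply; afterwards a ping to 192.168.0.1 from the 10.11.X.X side should time out while the workstation on eth1 still reaches the firewall and the outside world as before (FORWARD and the MASQUERADE rule are untouched). The -d check is needed because rp_filter does not help here: the ISP's packets carry a valid 10.11.X.X source on the interface that routes 10.11.0.0/16, so reverse-path filtering passes them.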


