Re: Help with firewall/masquerading problem

From: Alex Meov (alex_me_ov_at_yahoo.com)
Date: 05/31/04


Date: Sun, 30 May 2004 21:55:51 -0400


> On Fri, 28 May 2004 23:32:36 -0400, Alex Meov wrote:
>> My mini-network consists of a Linux firewall (Debian, 2.4.22 kernel,
>> masquerading with iptables) and the main workstation (Linux/Windows). The
>> firewall has 2 NICs: one (eth0, 10.11.1.119) connected to the ISP's
>> network through a cable modem; another NIC (eth1, 192.168.0.1) is
>> connected to the workstation. The workstation has one NIC (192.168.0.2).
>>
>> The firewall seems to be working, i.e. one cannot connect to 192.168.0.2
>> or ping it from the outside. However, one CAN see and ping 192.168.0.1
>> from the ISP's 10.11.X.X network.
>>
>> Can anyone suggest how I can stop 192.168.0.1 from being seen on
>> the outside (10.11.X.X) network?
On Sat, 29 May 2004 11:51:57 +0100, Ian Northeast suggested
modification of the firewall script (below).

Ian, thank you for the help! However, I have received the
following information indicating that my 192.168.0.1 is
still visible from the ISP.

From the ISP:
You are still showing up in the ARP table. Here is info from a router.
Something is still actively leaking out.
Kimball_Court_R1#sh arp | include 192
Internet 192.168.0.1 0 0005.5dd0.6a27 ARPA Cable3/0

The firewall script now is
#########################
IPTABLES=/sbin/iptables
EXTIF="eth0"   # external NIC towards the ISP (10.11.1.119)
INTIF="eth1"   # internal NIC towards the workstation (192.168.0.1)

# Default policies: drop inbound and forwarded traffic, allow outbound,
# then flush existing rules so the script can be re-run cleanly
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "Allow all connections out and only existing and related in"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF \
          -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Anything not accepted above is logged before the DROP policy applies
$IPTABLES -A FORWARD -j LOG

# Allow local traffic (!)
$IPTABLES -A INPUT -i lo -j ACCEPT
#
# Allow LAN traffic
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
#
# Allow responses from Internet
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED \
          -j ACCEPT

# Log what the INPUT DROP policy is about to discard
$IPTABLES -A INPUT -j LOG

echo "Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#########################

Any further help is appreciated!

Best regards,
Alex
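As an added example (not from the original thread or from Ian's suggestion), a small POSIX shell audit that reads an iptables-save dump and reports which expected controls are absent: the post's default policies and MASQUERADE rule, plus anti-spoofing rules on the external interface that the script above does not include. The two sample rulesets are constructed here; the interface names and the 192.168.0.0/24 LAN follow the post.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, mirroring the ruleset the
# post's script loads (no anti-spoof rules on the external interface).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
# Constructed anti-spoof rules: LAN addresses must never arrive on, be
# addressed to, or leave via the external interface.
ANTISPOOF='-A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
-A INPUT -i eth0 -d 192.168.0.0/24 -j DROP
-A OUTPUT -o eth0 -s 192.168.0.0/24 -j DROP'
# Same ruleset with the anti-spoof rules inserted right after the policies.
hardened_sample() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v add="$ANTISPOOF" '{ print } /^:OUTPUT/ { print add }'
}
# audit_rules EXTIF LAN_CIDR < iptables-save-output
# Prints one MISSING line per absent control; returns how many are absent.
audit_rules() {
    extif="$1"; lan="$2"; rules=$(cat); missing=0
    chk() {  # chk "description" "extended regex that must match one rule line"
        if printf '%s\n' "$rules" | grep -Eq -- "$2"; then :; else
            echo "MISSING: $1"; missing=$((missing + 1)); fi
    }
    chk "INPUT default policy DROP"   '^:INPUT DROP'
    chk "FORWARD default policy DROP" '^:FORWARD DROP'
    chk "MASQUERADE out $extif"       "^-A POSTROUTING -o $extif -j MASQUERADE"
    chk "drop LAN-sourced packets arriving on $extif (anti-spoof)" \
        "^-A INPUT -i $extif -s $lan .*-j DROP"
    chk "drop packets for LAN addresses arriving on $extif" \
        "^-A INPUT -i $extif -d $lan .*-j DROP"
    chk "drop LAN-sourced packets leaving $extif (egress filter)" \
        "^-A OUTPUT -o $extif -s $lan .*-j DROP"
    return "$missing"
}
```

On the firewall itself the check is `iptables-save | audit_rules eth0 192.168.0.0/24`. The ARP entry the ISP quotes is a layer-2 artefact: iptables filters IP, not ARP, so a ruleset that passes this audit does not by itself stop the host from answering ARP for 192.168.0.1 on eth0.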
