[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rules for 2nd inteface on gateway

Hi Daniel and thanks for your answers!

Le mardi 05 avr 2005 à 18 h 36, Daniel a dit:

> On 5 Apr 2005, Steve wrote:
> > I'm new to this list and new to firewall so please be kind if any
> > question seem obvious.
> >
> > Here is my problem. I have a little home lan with one interface
> > connected to my modem/router (eth0), another for the lan (ath0,
> > wireless) and a third one (eth1) which I use to repair thing when
> > the wireless doesn't work (very rarely):
> >
> > eth0 : fixed
> > ath0: fixed (and two boxes on that network, *.20.2 et
> > *.20.3) 
> > eth1: fixe
> >
> > and I defined two ip aliases on eth1, eth1:1 and eth1:2 as
> >
> > eth1:1 :
> > eth1:2 :
> >
> > in order to run ntp on them and have my lan get the time from it.
> You shouldn't need to create false interfaces addresses in order to
> run NTP, or for other machines to sync to that system.

well I did that  long time ago and it work fine, but I don't remember
exactly why I did that at that time ;)

> If you read the instructions that said you should have three sources,
> and took that to mean you should do this, you missed the point - the
> three sources makes sure that if one goes bad, your system can tell.

Following your remarks, I deleted the ip aliases and just put the
address of my gateway as the sync server; will see if it's alright.

> Having one time source, but pretending it is actually three different
> sources, isn't really a good idea.
> > Everything work fine until I decided to activate on the gateway  the
> > iptables. Now, from the internet all of my ports are blocked, as
> > desired, I can surf without any problem from any of the
> > boxes, but they cannot access the
> > network and this is were my question arises. Which rules do I have
> > to put to get things working?
> You need to add rules to your 'FORWARD' table, permitting those
> networks to talk to each other.  Something akin to this:
>   iptables -A FORWARD -i ath0 -o eth1 -s \
>       -d -j ACCEPT

ok; noted them in somewhere in my mind for later one, when I decided to
buy another box and create a dmz on eth1..

> You also need the reverse rules - swap the '-i' and '-o', and '-s' and
> '-d' options, but otherwise repeat that.


> This will permit traffic that matches those rules to pass through.
> You might want to consider using some sort of helper script to do this
> work for you, though, since they generally give you things like
> logging of blocked packets for "free".  

well, in fact I'd better understand and learn those rules once for all;
I'm not too comfortable with those kind of scripts, prefer doing things
myself and understanding what's underneath.

I found some iptables ruleset that I arranged to my configuration et it
seems ok: here is 'iptables -L -n -v':

Chain INPUT (policy DROP 5 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source              
destination             0     0 ACCEPT     all  --  lo     *  

131 12333 ACCEPT     all  -- ath0   *
 0     0 ACCEPT     all  --  ath0   * 
0     0 ACCEPT     all  --  eth0   *         state RELATED,ESTABLISHED 
0 0 ACCEPT     tcp --  *      *     
       tcp dpt:80     5   240 ULOG       all  --  *      *            ULOG copy_range 0 nlgroup 1
prefix `Netfilter' queue_threshold 1 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination             0     0 ACCEPT     all  --  ath0   eth0           state
NEW,RELATED,ESTABLISHED,UNTRACKED     0     0 ACCEPT     all  --  eth0  
ath0       state

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination             0     0 ACCEPT     all  --  *      lo                82 17913 ACCEPT     all  -- 
*      ath0         0     0
ACCEPT     all  --  *      ath0  
       1    76 ACCEPT     all  --  *      eth0           state NEW,RELATED,ESTABLISHED,UNTRACKED     0     0
ULOG       all  --  *      *         
   ULOG copy_range 0 nlgroup 1 prefix `Netfilter' queue_threshold 1 

(sorry for the 72 characters long output ;)

> Then you could see from those logs what was going on, and why the
> connection was failing.
> I recommend 'firehol', which takes the hard work out of building
> iptables rules, without taking away the flexibility. 

I like the "hard work" ;-)

> It reduces the
> above code to two lines, for most systems, with a good deal more
> capability and functionality.

That my next challenge: let my webserver be accessed from the big evil
internet ;-)

Tried these rules

iptables -t filter -A OUTPUT -o $WAN_INTERFACE -s $WAN_IP -d
$WAN_NETWORK -p all -m state --state ! INVALID           -j ACCEPT

iptables -t filter -A INPUT  -i $WAN_INTERFACE -s $WAN_NETWORK -d
$WAN_IP -p all -m state --state RELATED,ESTABLISHED -j ACCEPT

and this one two (not at the same time though):

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

which opens my port #80, but my web server still can't be accessed from
outside; but this can be a problem comming from my modem/router and th
so-called'pinholes' ... I am investigating this right now and reading a
lot too on iptables rules.. Tough reading for a beginner ;-)

>            Daniel

Once more, thanks a lot for you rapid and detailed answer!

have a nice day 


Reply to: