Re: rules for 2nd interface on gateway
Hi Daniel and thanks for your answers!
On Tuesday 05 Apr 2005 at 18:36, Daniel said:
> On 5 Apr 2005, Steve wrote:
> > I'm new to this list and new to firewalls so please be kind if any
> > question seems obvious.
> >
> > Here is my problem. I have a little home LAN with one interface
> > connected to my modem/router (eth0), another for the LAN (ath0,
> > wireless) and a third one (eth1) which I use to repair things when
> > the wireless doesn't work (very rarely):
> >
> > eth0: 192.168.1.35 fixed
> > ath0: 192.168.20.1 fixed (and two boxes on that network, *.20.2 and
> > *.20.3)
> > eth1: 192.168.2.2 fixed
> >
> > and I defined two IP aliases on eth1, eth1:1 and eth1:2 as
> >
> > eth1:1: 192.168.10.1
> > eth1:2: 192.168.10.2
> >
> > in order to run NTP on them and have my LAN get the time from it.
>
> You shouldn't need to create false interfaces addresses in order to
> run NTP, or for other machines to sync to that system.
>
Well, I did that a long time ago and it works fine, but I don't remember
exactly why I did that at the time ;)
> If you read the instructions that said you should have three sources,
> and took that to mean you should do this, you missed the point - the
> three sources makes sure that if one goes bad, your system can tell.
Following your remarks, I deleted the IP aliases and just put the
address of my gateway as the sync server; will see if it's alright.
>
> Having one time source, but pretending it is actually three different
> sources, isn't really a good idea.
>
> > Everything worked fine until I decided to activate iptables on the
> > gateway. Now, from the internet all of my ports are blocked, as
> > desired, and I can surf without any problem from any of the
> > 192.168.20.0/24 boxes, but they cannot access the 192.168.10.0
> > network and this is where my question arises. Which rules do I have
> > to put in to get things working?
>
> You need to add rules to your 'FORWARD' table, permitting those
> networks to talk to each other. Something akin to this:
>
> iptables -A FORWARD -i ath0 -o eth1 -s 192.168.20.0/24 \
> -d 192.168.10.0/24 -j ACCEPT
>
ok; noted them somewhere in my mind for later on, when I decide to
buy another box and create a DMZ on eth1..
> You also need the reverse rules - swap the '-i' and '-o', and '-s' and
> '-d' options, but otherwise repeat that.
>
ok.
> This will permit traffic that matches those rules to pass through.
>
>
> You might want to consider using some sort of helper script to do this
> work for you, though, since they generally give you things like
> logging of blocked packets for "free".
>
Well, in fact I'd rather understand and learn those rules once and for all;
I'm not too comfortable with those kinds of scripts, I prefer doing things
myself and understanding what's underneath.
I found an iptables ruleset that I adapted to my configuration and it
seems ok: here is 'iptables -L -n -v':
Chain INPUT (policy DROP 5 packets, 240 bytes)
 pkts bytes target prot opt in   out  source          destination
    0     0 ACCEPT all  --  lo   *    0.0.0.0/0       0.0.0.0/0
  131 12333 ACCEPT all  --  ath0 *    192.168.20.0/24 192.168.20.1
    0     0 ACCEPT all  --  ath0 *    192.168.20.255  192.168.20.1
    0     0 ACCEPT all  --  eth0 *    0.0.0.0/0       192.168.1.35    state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  *    *    0.0.0.0/0       0.0.0.0/0       tcp dpt:80
    5   240 ULOG   all  --  *    *    0.0.0.0/0       0.0.0.0/0       ULOG copy_range 0 nlgroup 1 prefix `Netfilter' queue_threshold 1

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source          destination
    0     0 ACCEPT all  --  ath0 eth0 192.168.20.0/24 0.0.0.0/0       state NEW,RELATED,ESTABLISHED,UNTRACKED
    0     0 ACCEPT all  --  eth0 ath0 0.0.0.0/0       192.168.20.0/24 state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source          destination
    0     0 ACCEPT all  --  *    lo   0.0.0.0/0       0.0.0.0/0
   82 17913 ACCEPT all  --  *    ath0 192.168.20.1    192.168.20.0/24
    0     0 ACCEPT all  --  *    ath0 192.168.20.1    192.168.20.255
    1    76 ACCEPT all  --  *    eth0 192.168.1.35    0.0.0.0/0       state NEW,RELATED,ESTABLISHED,UNTRACKED
    0     0 ULOG   all  --  *    *    0.0.0.0/0       0.0.0.0/0       ULOG copy_range 0 nlgroup 1 prefix `Netfilter' queue_threshold 1
(sorry for the 72 characters long output ;)
> Then you could see from those logs what was going on, and why the
> connection was failing.
>
> I recommend 'firehol', which takes the hard work out of building
> iptables rules, without taking away the flexibility.
I like the "hard work" ;-)
> It reduces the
> above code to two lines, for most systems, with a good deal more
> capability and functionality.
That's my next challenge: let my web server be accessed from the big evil
internet ;-)
Tried these rules:
iptables -t filter -A OUTPUT -o $WAN_INTERFACE -s $WAN_IP -d $WAN_NETWORK \
    -p all -m state --state ! INVALID -j ACCEPT
iptables -t filter -A INPUT -i $WAN_INTERFACE -s $WAN_NETWORK -d $WAN_IP \
    -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
and this one too (not at the same time though):
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
which opens my port 80, but my web server still can't be accessed from
outside; but this can be a problem coming from my modem/router and the
so-called 'pinholes' ... I am investigating this right now and reading a
lot too on iptables rules.. Tough reading for a beginner ;-)
>
> Daniel
>
Once more, thanks a lot for your rapid and detailed answer!
have a nice day
steve
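The FORWARD rule pair Daniel describes above, written out as a small script, plus a check that reads saved 'iptables -L -n -v' output (Steve's FORWARD chain as posted) and reports whether a given interface pair is already allowed. This is an added example, not a script from either message or from any project; the interface names and networks come from the thread, while the IPT dry-run variable, the variable names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Steve's or Daniel's script: stateful FORWARD rules for
# the three-interface gateway from the thread, with a dry-run mode, and a
# checker for `iptables -L -n -v` output. IPT, the *_IF/*_NET variables and
# the function names are this example's own; interfaces and networks are
# those posted in the thread.

IPT="${IPT:-iptables}"       # set IPT=echo to print the commands instead

WAN_IF=eth0                  # to the modem/router
LAN_IF=ath0                  # wireless LAN
AUX_IF=eth1                  # wired "repair" interface
LAN_NET=192.168.20.0/24
AUX_NET=192.168.10.0/24

# One rule per direction, as Daniel's reply says, but with connection
# tracking: only the first network may open new flows; the other side
# only gets replies (ESTABLISHED) and related traffic such as ICMP errors.
allow_forward_pair() {
    in_if=$1; out_if=$2; src=$3; dst=$4
    "$IPT" -A FORWARD -i "$in_if" -o "$out_if" -s "$src" -d "$dst" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$out_if" -o "$in_if" -s "$dst" -d "$src" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

load_forward_chain() {
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD
    # wireless LAN -> internet (this pair is already in Steve's listing)
    allow_forward_pair "$LAN_IF" "$WAN_IF" "$LAN_NET" 0.0.0.0/0
    # wireless LAN -> the 192.168.10.0/24 network behind eth1 (the missing pair)
    allow_forward_pair "$LAN_IF" "$AUX_IF" "$LAN_NET" "$AUX_NET"
    # log what falls through before the DROP policy silently discards it
    "$IPT" -A FORWARD -j ULOG --ulog-prefix "FORWARD-drop "
}

# Read saved `iptables -L -n -v` output ($1) and succeed if the FORWARD
# chain has an ACCEPT rule from interface $2 to interface $3.
# Columns of -L -n -v: pkts bytes target prot opt in out source destination
has_forward_rule() {
    printf '%s\n' "$1" | awk -v i="$2" -v o="$3" '
        /^Chain FORWARD/ { inchain = 1; next }
        /^Chain /        { inchain = 0 }
        inchain && $3 == "ACCEPT" && $6 == i && $7 == o { found = 1 }
        END { exit !found }'
}

# Steve's FORWARD chain as posted in the thread, reflowed as sample input
STEVE_FORWARD_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source          destination
    0     0 ACCEPT all  --  ath0 eth0 192.168.20.0/24 0.0.0.0/0       state NEW,RELATED,ESTABLISHED,UNTRACKED
    0     0 ACCEPT all  --  eth0 ath0 0.0.0.0/0       192.168.20.0/24 state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP 0 packets, 0 bytes)'

# Usage: sh fw.sh check          -> report what the sample listing allows
#        IPT=echo sh fw.sh load  -> print the rules instead of loading them
#        sh fw.sh load           -> load them (needs root)
case "${1:-}" in
    load)  load_forward_chain ;;
    check)
        for pair in "ath0 eth0" "ath0 eth1"; do
            set -- $pair
            if has_forward_rule "$STEVE_FORWARD_LISTING" "$1" "$2"; then
                echo "$1 -> $2: allowed"
            else
                echo "$1 -> $2: not allowed (FORWARD policy DROP applies)"
            fi
        done ;;
esac
```

Run with 'check' against the posted listing and the ath0 -> eth1 pair comes back as not allowed, which is exactly the symptom in the original question: with a DROP policy on FORWARD and no rule for that pair, the 192.168.20.0/24 boxes cannot reach 192.168.10.0/24 at all. The stateful split (NEW only from the LAN side) is stricter than the plain ACCEPT pair in Daniel's reply and is the usual choice when one side is meant to become a DMZ.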