
Debian Sarge masq problem



Hello,

I have just installed Debian 3.1 stable on a machine I
have used previously as a router/firewall SOHO server
under an ancient version of Red Hat.

This machine has two NICs, one connected to the ADSL
using PPPoE and one connected to the internal LAN.

After installing and setting up the NAT/PAT firewall, only
one machine on the internal LAN can reliably access
the internet through the Debian machine (there are 4
machines on the local LAN).

When running tracert from the problem Windows machines
on the internal net there are timeouts tracing routes
to different internet servers after 6 or 7 jumps,
sometimes on the first jump. Strangely, I can reliably
ping these same hosts, no problem.

The Debian machine is running dnsmasq as well, which
seems to run fine since ping works.

I originally moved a gShield script over from the
Red Hat installation but switched to the simple
firewall.sh script I found on one of the Debian HOWTO
sites while trying to debug this problem.

Help!!!!!!! ;-)

------ below is the firewall.sh script ------
#!/bin/sh

#  IPTABLES FIREWALL script for the Linux 2.4 kernel.
#  This script is a derivative of the script presented in
#  the IP Masquerade HOWTO page at:
#  www.tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html
#  It was simplified to coincide with the configuration of
#  the sample system presented in the Guides section of
#  www.aboutdebian.com
#
#  This script is presented as an example for testing ONLY
#  and should not be used on a production firewall server.
#
#    PLEASE SET THE USER VARIABLES
#    IN SECTIONS A AND B OR C

# printf is used instead of "echo -e": under a POSIX /bin/sh (dash) echo has
# no -e option and would print the "-e" literally.
printf '\n\nSETTING UP IPTABLES FIREWALL...\n'


# === SECTION A
# -----------   FOR EVERYONE

# SET THE INTERFACE DESIGNATION AND ADDRESS AND NETWORK ADDRESS
# FOR THE NIC CONNECTED TO YOUR _INTERNAL_ NETWORK
#   The default value below is for "eth0".  This value
#   could also be "eth1" if you have TWO NICs in your system.
#   You can use the ifconfig command to list the interfaces
#   on your system.  The internal interface will likely
#   have an address that is in one of the private IP address
#   ranges.
#       Note that this is an interface DESIGNATION -
#       not the IP address of the interface.

# Enter the designation for the Internal Interface
INTIF="eth1"

# Enter the NETWORK address the Internal Interface is on
INTNET="192.168.0.0/24"

# Enter the IP address of the Internal Interface
INTIP="192.168.0.50/24"



# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
#   The default value below is "ppp0" which is appropriate
#   for a MODEM connection.
#   If you have two NICs in your system change this value
#   to "eth0" or "eth1" (whichever is opposite of the value
#   set for INTIF above).  This would be the NIC connected
#   to your cable or DSL modem (WITHOUT a cable/DSL router).
#       Note that this is an interface DESIGNATION -
#       not the IP address of the interface.
#   Enter the external interface's designation for the
#   EXTIF variable:

EXTIF="ppp0"


# ! ! ! ! !  Use ONLY Section B  *OR*  Section C depending on
#  ! ! ! !   the type of Internet connection you have.
# ! ! ! ! !  Uncomment ONLY ONE of the EXTIP statements.


# === SECTION B
# -----------   FOR THOSE WITH STATIC PUBLIC IP ADDRESSES

   # SET YOUR EXTERNAL IP ADDRESS
   #   If you specified a NIC (i.e. "eth0" or "eth1") for
   #   the external interface (EXTIF) variable above,
   #   AND if that external NIC is configured with a
   #   static, public IP address (assigned by your ISP),
   #   UNCOMMENT the following EXTIP line and enter the
   #   IP address for the EXTIP variable:

#EXTIP="your.static.IP.address"



# === SECTION C
# ----------   DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS


# SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
#   If you get your IP address dynamically from SLIP, PPP,
#   BOOTP, or DHCP, UNCOMMENT the command below.
#   (No values have to be entered.)
#         Note that if you are uncommenting these lines then
#         the EXTIP line in Section B must be commented out.

# The interface name is taken from EXTIF rather than hard-coded as "ppp0"
# so that the two settings cannot disagree.
EXTIP="$(/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://')"

# Without an address the SNAT rule at the end cannot be loaded and the box
# would be left with DROP policies and no NAT, so stop here instead.
if [ -z "$EXTIP" ]; then
    echo "Could not determine the IP address of $EXTIF - is the link up?" >&2
    exit 1
fi


# --------  No more variable setting beyond this point --------


echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo "    Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "    External interface: $EXTIF"
echo "       External interface IP address is: $EXTIP"
echo "    Loading firewall server rules..."

UNIVERSE="0.0.0.0/0"

# Clear any existing rules and set the default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat

# Flush the user chain.. if it exists
if [ "$(iptables -L | grep drop-and-log-it)" ]; then
   iptables -F drop-and-log-it
fi

# Delete all User-specified chains
iptables -X

# Reset all IPTABLES counters
iptables -Z

# Creating a DROP chain
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT

echo "     - Loading INPUT rulesets"

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# remote interface, any source, going to permanent PPP address is valid
#   NOTE: this rule accepts every new inbound connection to $EXTIP, so the
#   stateful rule that follows it never sees a packet it could refuse. It is
#   kept here exactly as the posted script has it.
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT


#  OPTIONAL:  Uncomment the following two commands if you plan on running
#             an Apache Web site on the firewall server itself
#
#echo "      - Allowing EXTERNAL access to the WWW server"
#iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT


# Catch all rule, all other incoming is denied and logged.
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo "     - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

# Catch all rule, all other outgoing is denied and logged.
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo "     - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#          Allow all connections OUT and only existing/related IN

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
iptables -A FORWARD -j drop-and-log-it

# Enable SNAT (MASQUERADE) functionality on $EXTIF
#   With the address read dynamically in Section C this SNAT rule goes stale
#   whenever the PPP link comes back up with a new address; "-j MASQUERADE"
#   follows the interface address automatically.
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

printf '    Firewall server rule loading complete\n\n'


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
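The following is an added example and not part of the original post or of the HOWTO the script comes from. It audits an iptables-save style rule dump offline for three things a reviewer would check in a masquerading firewall like the one above before relying on it: an INPUT rule on the external interface that ACCEPTs without a state match (it shadows the stateful rule placed after it), whether FORWARD lets RELATED/ESTABLISHED replies back to the LAN (ICMP errors such as the TTL-exceeded messages traceroute depends on come back as RELATED), and whether NAT is SNAT to a fixed address that can go stale on a dynamic link rather than MASQUERADE. Both rule dumps are constructed to mirror the posted script with EXTIF=ppp0 and INTIF=eth1; 203.0.113.x addresses are documentation addresses, not real ones.

```shell
#!/bin/sh
# Added example (not the poster's script): offline audit of an iptables-save
# style dump. Checks: 1) stateless ACCEPTs on the external interface in INPUT,
# 2) RELATED/ESTABLISHED forwarding back to the LAN, 3) SNAT vs MASQUERADE.
# The dumps are constructed; 203.0.113.0/24 is a documentation range.

# Constructed dump mirroring the posted script with EXTIF=ppp0, EXTIP=203.0.113.7
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:drop-and-log-it - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i ppp0 -j drop-and-log-it
-A INPUT -d 203.0.113.7/32 -i ppp0 -j ACCEPT
-A INPUT -d 203.0.113.7/32 -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j drop-and-log-it
-A FORWARD -i ppp0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
-A FORWARD -j drop-and-log-it
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j SNAT --to-source 203.0.113.7
COMMIT'

# Constructed hardened variant: only replies are accepted on ppp0, MASQUERADE used
HARDENED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i ppp0 -j DROP
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# Print every INPUT rule on interface $1 that jumps to ACCEPT with no --state
# match (dump text in $2). Prints nothing when the dump is clean.
unconditional_ext_accepts() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == "-A" && $2 == "INPUT" && index($0, " -i " ifc " ") &&
        /-j ACCEPT/ && !/--state/ { print }'
}

# Exit 0 if a FORWARD rule from $1 to $2 accepts RELATED state (dump in $3).
forward_allows_related() {
    printf '%s\n' "$3" | awk -v ext="$1" -v lan="$2" '
        $1 == "-A" && $2 == "FORWARD" && index($0, " -i " ext " ") &&
        index($0, " -o " lan " ") && /--state [A-Z,]*RELATED/ &&
        /-j ACCEPT/ { n++ }
        END { exit n ? 0 : 1 }'
}

# Print "MASQUERADE", "SNAT <addr>" or "none" for POSTROUTING on $1 (dump in $2).
nat_mode() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == "-A" && $2 == "POSTROUTING" && index($0, " -o " ifc " ") {
            if (/-j MASQUERADE/) { print "MASQUERADE"; found = 1 }
            else if (/-j SNAT/) {
                for (i = 1; i <= NF; i++)
                    if ($i == "--to-source") print "SNAT " $(i + 1)
                found = 1
            }
        }
        END { if (!found) print "none" }'
}

# Exit 0 when NAT is SNAT to an address other than $3 (the interface's current
# address): the rule was built from a dynamic address that has since changed.
snat_is_stale() {
    case "$(nat_mode "$1" "$2")" in
        "SNAT $3") return 1 ;;
        SNAT\ *)   return 0 ;;
        *)         return 1 ;;
    esac
}

# Report: $1 external if, $2 internal if, $3 dump, $4 current address of $1, $5 title
audit() {
    printf '== %s ==\n' "$5"
    printf 'INPUT rules on %s accepting without a state match:\n' "$1"
    unconditional_ext_accepts "$1" "$3" | sed 's/^/  /'
    if forward_allows_related "$1" "$2" "$3"; then
        echo "FORWARD: RELATED/ESTABLISHED replies (incl. ICMP errors) reach the LAN"
    else
        echo "FORWARD: no RELATED/ESTABLISHED accept from $1 to $2"
    fi
    echo "NAT on $1: $(nat_mode "$1" "$3")"
    if snat_is_stale "$1" "$3" "$4"; then
        echo "  SNAT address differs from current $1 address $4 (stale after reconnect)"
    fi
}

audit ppp0 eth1 "$SAMPLE_DUMP" 203.0.113.9 "posted script, after a PPP reconnect"
audit ppp0 eth1 "$HARDENED_DUMP" 203.0.113.9 "hardened variant"
```

On a live box the same functions can be fed the output of `iptables-save` instead of the constructed dumps; the checks only read the dump text and never touch the running ruleset.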


