IP MASQ with IP TABLES
hwb0014
08-29-2002, 03:57 PM
Scenario:
I have a RH72 machine acting as a firewall between a cable modem and an internal network at home. It is running DNS and DHCP. It services IP requests for a Windows 2000 network (2 workstations). I am going to begin setting up my firewall. The two networks that I have are 192.168.0.0 (internal) and 192.168.1.0 (external). Would you guys/gals recommend using ipchains or iptables? If iptables, could you please give me a sample script or something to work off of? I find that these how-tos are a little over my head. Any help would be great. Please give examples of both if you can (e.g. the syntax for IP masq, etc.).
STORMPROOF
08-29-2002, 07:40 PM
I would suggest iptables. If you are running Red Hat 7.0 and up, do the following in order and this will get you going.
1. Hopefully you have eth0 as your WAN network interface card and eth1 as your LAN network interface card. If you have a cable modem, eth0 should receive a dynamic IP from your provider. Your eth1 interface will receive a static IP assigned by you, such as 192.168.0.1 with a subnet mask of 255.255.255.0.
During the setup of your Red Hat firewall do not set any GATEWAY IP on either of your interfaces. Only set your gateway on your internal clients. When finished with the installation of your firewall, make sure that you can ping a WAN IP or perhaps www.yahoo.com.
2. When Linux boots up, type the following at the shell prompt:
ntsysv
3. Disable ipchains, and if you see an iptables6 entry, disable that also. Make sure that you leave iptables checked. iptables6 might not be on your version of Red Hat; great, you do not need it anyway. REBOOT.
PAY CLOSE ATTENTION TO YOUR COMMANDS WHEN YOU TYPE THEM IN. MAKE SURE THAT THERE IS A SPACE BEFORE EACH DASH. FOR EXAMPLE, THIS WOULD BE INCORRECT:
iptables-t nat-A
THIS WOULD BE A CORRECT EXAMPLE:
iptables -t nat -A
4. Get back to the shell and make sure you are logged in as root. Type the following.
THIS WILL FLUSH ANY PRE-EXISTING RULES
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
THIS WILL ALLOW TRAFFIC FROM YOUR LAN
iptables -P INPUT ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i lo -d 127.0.0.1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "your wan IP"
FOR EXAMPLE:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 65.21.3.78
THIS WILL ENABLE PORT FORWARDING AND VOILA!! YOU SHOULD BE ABLE TO GO TO ANOTHER INTERNAL COMPUTER AND PING OR ACCESS THE WEB. MAKE SURE THAT YOUR OTHER COMPUTERS HAVE AN IP AND A SUBNET MASK. MAKE SURE THEY HAVE A GATEWAY IP CONFIGURED ON THEM. IT SHOULD BE THE SAME IP WHICH IS ON YOUR ETH1 INTERFACE ON YOUR FIREWALL.
echo 1 > /proc/sys/net/ipv4/ip_forward
NOTE: THIS WILL JUST GET YOU GOING. IF YOU NEED MORE HELP WITH SECURITY, LET ME KNOW.
SAVE YOUR RULES WITH THIS COMMAND
/sbin/service iptables save
IF YOU REBOOT AND YOU CAN NOT GET OUT THE DOOR, RETYPE THIS AT THE SHELL PROMPT:
echo 1 > /proc/sys/net/ipv4/ip_forward
I HOPE STORMPROOF WAS ABLE TO HELP!!
hwb0014
08-30-2002, 10:03 AM
Thanks for the feed...I will definitely try this...ipchains is what I am currently running and I know iptables is the new best way to go. Thanks again.
asden
10-05-2002, 01:41 AM
I tried this, but it did not work.
The only difference between setups is that I'm using ppp0 as my network interface, rather than eth1, but since nothing in the code referenced eth1, I didn't think that would matter much.
I also did not issue
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "your wan IP"
because my wan IP, which I assume is my GATEWAY, is not static, and is assigned when I dial in.
I'm still lost in all of this...
Is there a reason why eth0 should be the WAN connection and eth1 the LAN?
I ask because my system is like that: eth0=wan, eth1=lan.
I also have problems sharing my WAN connection.
kedman_200
10-05-2002, 01:44 PM
Hi
I have tried this as well.
In answer to:
I also did not issue
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "your wan IP"
because my wan IP, which I assume is my GATEWAY, is not static, and is assigned when I dial in.
try
iptables -t nat -A POSTROUTING -o eth1 -j SNAT -i eth0
Mine works but not very secure!
Laters
Kedman
Lorithar
10-05-2002, 06:41 PM
If the IP is assigned to the device in the -o parameter of the line you are using, try
-j MASQUERADE
instead of -j SNAT --to ip.add.ress.
Note: this will (likely) not work if you have a router/modem that keeps the outside or routable IP and you connect to that using a non-routable IP, i.e. your router has the IP 64.112.32.115 from your ISP and you see it from the inside as 192.168.0.1.
If the 64.112.32.115 address is actually assigned to the device on your Linux box, the -j MASQUERADE will work.
You need to make sure that
/proc/sys/net/ipv4/ip_forward is set before any of this will take effect.
Any further questions, please post your full ruleset and any or all errors you see.
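One way to wire up the walkthrough above for the dial-up case in this thread, as an added example that is not taken from any post: ppp0 outside with a dynamic address (so -j MASQUERADE rather than SNAT --to-source, as Lorithar says) and eth0 inside on 192.168.1.0/24, with DROP policies on INPUT and FORWARD instead of the ACCEPT defaults. WAN, LAN and LAN_NET are assumptions to adjust to your own box.

```shell
#!/bin/sh
# Added example (not from the thread): a masquerading ruleset for a box with
# a dynamic address on the outside interface. WAN, LAN and LAN_NET are
# assumptions taken from the posts; change them to match your interfaces.
# Run with no argument to print the rules for review, with "apply" as root
# to load them.

WAN=ppp0
LAN=eth0
LAN_NET=192.168.1.0/24

# Emit the rules as iptables commands, one per line. MASQUERADE is used
# instead of SNAT --to-source because the outside address changes per dial-in.
# The inside interface is trusted (DHCP and DNS clients live there); the
# outside only gets replies to connections the box or the LAN opened.
masq_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $lan -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
}

# Without this the FORWARD chain never sees a packet, whatever the rules say.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

if [ "$1" = "apply" ]; then
    masq_rules "$WAN" "$LAN" "$LAN_NET" | sh -e
    enable_forwarding
    /sbin/service iptables save
else
    masq_rules "$WAN" "$LAN" "$LAN_NET"
fi
```

Only packets whose source is in LAN_NET are masqueraded or forwarded, so a host plugged into the inside with some other address gets nothing.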
asden
10-05-2002, 07:49 PM
Originally posted by kedman_200
try
iptables -t nat -A POSTROUTING -o eth1 -j SNAT -i eth0
Thanks, but this does not work.
I get the error:
iptables v1.2.5: You must specify --to-source
asden
10-05-2002, 08:01 PM
Using -j MASQUERADE didn't work either...
Here's my iptables rules file...
==========
# Generated by iptables-save v1.2.5 on Sat Oct 5 00:34:50 2002
*mangle
:PREROUTING ACCEPT [180:15910]
:INPUT ACCEPT [174:15622]
:FORWARD ACCEPT [6:288]
:OUTPUT ACCEPT [92:7112]
:POSTROUTING ACCEPT [98:7400]
COMMIT
# Completed on Sat Oct 5 00:34:50 2002
# Generated by iptables-save v1.2.5 on Sat Oct 5 00:34:50 2002
*nat
:PREROUTING ACCEPT [53:3830]
:POSTROUTING ACCEPT [5:252]
:OUTPUT ACCEPT [3:156]
COMMIT
# Completed on Sat Oct 5 00:34:50 2002
# Generated by iptables-save v1.2.5 on Sat Oct 5 00:34:50 2002
*filter
:INPUT ACCEPT [174:15622]
:FORWARD ACCEPT [6:288]
:OUTPUT ACCEPT [100:7528]
COMMIT
# Completed on Sat Oct 5 00:34:50 2002
==========
I'm not getting any errors, but the other computer on my LAN has no internet access.
ppp0 is my external network interface, IP is dynamically assigned.
eth0 is my internal network interface, IP is 192.168.1.1
- ipchains is disabled
- /etc/sysconfig/network states GATEWAYDEV=ppp0
- /etc/sysctl.conf states net.ipv4.ip_forward = 1
- /etc/rc.d/init.d/iptables is unaltered
- The other computer on my LAN can ping me
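A check one can run against a dump like the one above, as an added example (not asden's or anyone else's code in this thread): it reads iptables-save output plus the ip_forward value and reports what is missing for masquerading. The dump inside it is constructed to match the posted one, and ppp0 is assumed as the outside interface.

```shell
# Added example (not from the thread): report why a LAN client still has no
# internet by reading an iptables-save dump plus the ip_forward value.
# ASDEN_DUMP is a constructed stand-in for the dump posted above; on a real
# box feed it the output of iptables-save and cat /proc/sys/net/ipv4/ip_forward.
ASDEN_DUMP='*nat
:PREROUTING ACCEPT [53:3830]
:POSTROUTING ACCEPT [5:252]
:OUTPUT ACCEPT [3:156]
COMMIT
*filter
:INPUT ACCEPT [174:15622]
:FORWARD ACCEPT [6:288]
:OUTPUT ACCEPT [100:7528]
COMMIT'

# True when the *nat section has a POSTROUTING MASQUERADE/SNAT rule for
# packets leaving interface $2 (the *filter section is ignored).
has_masq_rule() {
    printf '%s\n' "$1" | awk -v wan="$2" '
        /^\*nat/  { innat = 1; next }
        /^COMMIT/ { innat = 0 }
        innat && /^-A POSTROUTING / && index($0, "-o " wan) &&
            (/-j MASQUERADE/ || /-j SNAT/) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# True when the *filter FORWARD chain can pass packets at all: policy ACCEPT
# or at least one ACCEPT rule. NAT alone does nothing if FORWARD drops.
forward_allowed() {
    printf '%s\n' "$1" | awk '
        /^\*filter/ { inf = 1; next }
        /^COMMIT/   { inf = 0 }
        inf && (/^:FORWARD ACCEPT/ || (/^-A FORWARD / && /-j ACCEPT/)) { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# Prints one line per problem; the return value is the number of problems.
diagnose() {
    dump=$1; wan=$2; fwd=$3; n=0
    [ "$fwd" = 1 ] || { echo "ip_forward=$fwd: kernel will not route between interfaces"; n=$((n+1)); }
    has_masq_rule "$dump" "$wan" ||
        { echo "no MASQUERADE/SNAT rule for -o $wan in *nat (never added, or not saved)"; n=$((n+1)); }
    forward_allowed "$dump" ||
        { echo "*filter FORWARD chain passes nothing"; n=$((n+1)); }
    return $n
}

diagnose "$ASDEN_DUMP" ppp0 1
echo "problems found: $?"
```

On the posted dump the only finding is the empty nat table: the MASQUERADE rule was never added to the running ruleset, or was not saved before the reboot.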
kedman_200
10-05-2002, 08:06 PM
Hi
Can you ping the Net with an IP (instead of www.name.com)
from the client?
I had this prob with my cable modem.
;)
asden
10-05-2002, 08:31 PM
No, I can't.
I wish it were just a DNS resolution issue!