Setting up a simple Debian gateway

Posted by Steve on Wed 6 Oct 2004 at 12:12

Many people want to use a dedicated Debian machine as a gateway for a LAN, this has many benefits compared to using a dedicated hardware firewall. For a start it's a lot more flexible, but in addition to this it allows you to offer a lot of extra services to your machines.

To run a Debian gateway you'll need a machine with two network cards, and you'll need to be able to setup the external one to route to your ISP properly.

I tend to use eth0 to be the internal network card, this is the one which has an IP address like 192.168.1.1 and is used as the default gateway for your internal machines.

This leaves eth1 as the external address for your machine.

In order for your machine to work as a gateway and route packets from your LAN to the world and back it needs to have 'IP forwarding' enabled, and some rules on how to route packets. This can be done with iptables.

We basically need to have three sets of rules:

  • Disallow incoming connections to eth1 (the external network interface)
  • Allow outgoing packets from the LAN (via eth0)
  • Allow established connections to return.

This leaves us with a script something like this:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

If you save this script upon your system you'll want it to run as soon as your network interfaces come up. To do that you can save it in the directory /etc/network/if-up.d/. Everything inside that directory is executed when an interface comes up, so long as it's executable.

As the directory contents are executed in order I call my script 00-firewall.

This should give you a basic gateway now. Any machine on your internal LAN should be able to access the internet whilst your gateway is kept nice and secure.

Now you can look at adding extra services for your LAN, from the gateway.

There are a couple of interesting things that you can add to make your life easier, for example rather than giving each of your LAN machines a fixed IP address you can allow them to be dynamic using DHCP.

You can also install a local nameserver to cache DNS lookups and allow you to recognise your internal machines.

A great package for this is dnsmasq. This can be installed via apt-get and is configured via a simple readable file /etc/dnsmasq.conf.

Once this is running you will find that client machines can lookup any host which is included in the /etc/hosts file on the server - so you can start giving machines aliases which can be resolved easily.

For example if you install a proxy server to cache HTTP downloads on your gateway you can create the name proxy for it:

#
# /etc/hosts
#
127.0.0.1       localhost

#
# Local machines.
#
192.168.1.1     gateway         gateway.my.flat       proxy   proxy.my.flat

This creates a new name 'proxy' for the machine normally known as 'gateway'.

 

 


Posted by Anonymous (127.0.xx.xx) on Fri 22 Oct 2004 at 22:55

Um, don't you know about the "ipmasq" package? It does all that automatically for you (but is also completely reconfigurable).

Just setup the two network interfaces with the first one as the "outside" one, install ipmasq and you're done!

[ Parent | Reply to this comment ]

Posted by Anonymous (198.54.xx.xx) on Thu 2 Jun 2005 at 19:08
superfluous..

[ Parent | Reply to this comment ]

Posted by Anonymous (62.252.xx.xx) on Tue 6 Sep 2005 at 14:15
I tried ipmasq, my second card is the one connected to the outside world and caused all sorts of errors that I couldn't stop!

This artical was easy to do and worked first time. Just needed to change the eth numbers around in the script. For me as a newbie running the system as described in the artical this was excelent.
Bob

[ Parent | Reply to this comment ]

Posted by Anonymous (213.253.xx.xx) on Wed 14 Dec 2005 at 08:15
Um, what about setting up everything with a huge InstallShield Wizard ?

I think Steve did a good job, he made this small howto easily understandable for newbies, yet a bit more detailed so newbies are able to think about, what's going on behind the scenes.

With ipmasq and its 2-minutes "that's it!" idea, I won't even try to use Debian.

Go for SuSe if you like complete pre-set packages which don't say much just do their work - either well or not.

Newbies will never learn firewalling-networking-nating concepts with a 'just-use-it'-like ipmasq and that may not be the goal of howtos - for me especially never. They have to think, they have to 'suffer' a bit, not much, but this way they will be able to do something more complicated later by themselves.

Self thinking -> Debian powa.
Let the system control you -> SuSe, RedHat, Mandrake (omg)
(although I really respect SuSe too, the best beginner linux I think)

[ Parent | Reply to this comment ]

Posted by Anonymous (69.251.xx.xx) on Fri 22 Feb 2008 at 18:14
ok, so i'm a newb at linux... (i'm using Debian BTW) i was looking for a gui version to configure it as a gateway but i guess i'll need to set it up command line style. i've followed the tutorials on a few different pages now, completely reversing them when I've given up and moved onto the next... so now I'm on to this and I tried the ipmasq utility... so far, no luck at all. I am using debian to replace my winbloze machine as my gateway/firewall and I haven't yet been able to make the debian machine even talk to my network as the dns.

I have ipmasq installed (while my eth0 is my internet connection and eth1 is my internal network) and I have the 00-firewall script in the if-up.d directory as the following:




#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth1 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward





When I first installed Debian on this machine, it was routed through my Win. gateway and was set up on the network and connected fine, I did all of my setup and install and then swapped the machines (so the Debian is the gateway), changing my IP for internal to static 192.168.0.1 and the external to DHCP and tried a few means that i found online to get it to work - nope - set everything back the way it was, then followed the original steps on this page with dnsmasq and some other pages on configuring that with no avail, then uninstalled the dnsmasq and tried the ipmasq... again, no success.
Does anyone have any idea on what I should do from here? Maybe i missed something, or some settings i was unaware of changed throughout the process?
I am growing to really like Debian, but it's def. different to get used to the configuration process.

Any help would be greatly appreciated. -thanks.

Joe

[ Parent | Reply to this comment ]

Posted by Anonymous (87.58.xx.xx) on Mon 30 Jun 2008 at 06:48
You need to run the script, min is also inif-up.d but it dont stat up run it manually with sudo sh /etc/network/if-up.d/00-firewall
provided that 00-firewall is your script file.

[ Parent | Reply to this comment ]

Posted by Anonymous (204.126.xx.xx) on Fri 10 Jun 2005 at 19:18
I really like FireHOL for setting up simple firewalls / gateways. FireHOL is a bash script that makes it easy to create complex iptables configurations. There isn't a package for Sarge, but it is easy enough to set up.

http://firehol.sourceforge.net/

[ Parent | Reply to this comment ]

Posted by Anonymous (61.229.xx.xx) on Thu 8 Sep 2005 at 06:55
Why should you need two ethernet cards?
You can multi-home one single card.
Set up the interfaces as first one eth0
second one eth0:0 etc.

[ Parent | Reply to this comment ]

Posted by Steve (82.41.xx.xx) on Thu 8 Sep 2005 at 06:59
[ View Steve's Scratchpad | View Weblogs ]

There are many things you cannot do with multi-homing, which means that in practise a gateway must have two NICs.

Steve
--

[ Parent | Reply to this comment ]

Posted by Anonymous (129.13.xx.xx) on Fri 9 Sep 2005 at 10:20
do not forget to load default policies,
or your gateway will be completely open after the flush!


# Set Default policy (important)
iptables -P INPUT DROP
iptables -P FORWARD DROP

I would change the script above

[ Parent | Reply to this comment ]

Posted by rpetre (83.166.xx.xx) on Fri 30 Sep 2005 at 22:09
Never, EVER, use DROP as a default policy on the INPUT chain!

Use ACCEPT and insert a blank "iptables -A INPUT -j DROP" if you like to have the same effect.

You'll notice why as soon as you flush the firewall rules over ssh :)

[ Parent | Reply to this comment ]

Posted by Anonymous (198.54.xx.xx) on Sat 8 Oct 2005 at 10:55
Coming from FreeBSD i was looking for a simple gateway howto. I haven't tried the setup mentioned above as yet, but it sounds straight forward and is very informative.

Thanks to the author.
Garethn be installed via apt-get and is configured via a simple readable file /etc/dnsmasq.conf.

[ Parent | Reply to this comment ]

Posted by Anonymous (74.196.xx.xx) on Thu 14 May 2009 at 00:38
Sorry to hijack a dead thread; but your comment is asinine. I manage hundreds of servers in various datacenters and have DROP policies on all of them. You're better off without connectivity and having to call in a reboot and fifteen minutes of labor than with a compromise permitted by a firewall failure.

[ Parent | Reply to this comment ]

Posted by Anonymous (213.114.xx.xx) on Sat 7 Jan 2006 at 15:25
How come I can't run the script (when I try the command below it spits error) but I can manually type each line in terminal and execute fine???

# sh /etc/network/if-up.d/00-firewall

: command not found:
: command not found:
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: Table does not exist (do you need to insmod?)
: command not found2:
'ptables v1.2.11: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not found5:
: command not found6:
'ptables v1.2.11: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.11: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.2.11: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not found1:
'ptables v1.2.11: Invalid target name `ACCEPT
Try `iptables -h' or 'iptables --help' for more information.
: command not found4:
'ptables v1.2.11: Invalid target name `MASQUERADE
Try `iptables -h' or 'iptables --help' for more information.
: command not found7:
'ptables v1.2.11: Invalid target name `REJECT
Try `iptables -h' or 'iptables --help' for more information.
: command not found0:

[ Parent | Reply to this comment ]

Posted by Steve (82.41.xx.xx) on Sat 7 Jan 2006 at 16:32
[ View Steve's Scratchpad | View Weblogs ]

Probably line ending issues .. make sure it is not a DOS file.

Run:

perl -pi.bak -e 's/\r\n/\n/' /etc/network/if-up.d/00-firewall

Steve

[ Parent | Reply to this comment ]

Posted by Anonymous (213.114.xx.xx) on Sat 7 Jan 2006 at 16:53
hahahah great call man! It certainly was those extra carriage returns (would never have guessed it). I expect thats the price one pays for transferring via windoze. Many thanks mate!

[ Parent | Reply to this comment ]

Posted by GecKo (222.154.xx.xx) on Wed 18 Jan 2006 at 07:22
How do you do port forwarding/open certain ports with this iptables setup?

I've done a search and found alot of examples, but none of them seem to work properly, if at all.

[ Parent | Reply to this comment ]

Posted by Anonymous (212.42.xx.xx) on Mon 23 Jan 2006 at 07:22
Hi! You could do port forwarding with Shorewall!

[ Parent | Reply to this comment ]

Posted by Anonymous (212.42.xx.xx) on Mon 23 Jan 2006 at 07:21
How about shorewall?!
It's a user-friednly!!!

[ Parent | Reply to this comment ]

Posted by Anonymous (12.169.xx.xx) on Wed 1 Feb 2006 at 19:52
Thanks Steve, very nice article. The bit about Debian's new way of starting iptables from /etc/network/if-up.d instead of /etc/init.d alone is pure gold. As usual, Debian made this radical change without bothering to document it in any easily findable way.

This is a good site, thanks again.

[ Parent | Reply to this comment ]

Posted by Anonymous (69.19.xx.xx) on Thu 2 Mar 2006 at 06:32
I try to run the script and get an error
iptables v1.2.11: Unknown arg `-j'

[ Parent | Reply to this comment ]

Posted by Anonymous (71.216.xx.xx) on Tue 11 Apr 2006 at 04:31
Thanks for the awesome article. Unfortunately I'm still having trouble setting up the gateway. I can access my local network, but not the internet.

The gateway is configured as such:

auto lo eth0 eth1
iface lo inet loopback

iface eth1 inet static
address 192.168.0.4
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

iface eth0 inet static
address 192.168.0.50
netmask 255.255.255.0
network 192.168.0.0
gateway 192.168.0.1

and eth1 is my internet connection, eth0 my lan.

This is the config of the PC i'm trying to connect to the internet with:

auto lo lan0
iface lo inet loopback

iface lan0 inet static
address 192.168.0.40
netmask 255.255.255.0
network 192.168.0.0
gateway 192.168.0.1

Any thoughts? Thanks

[ Parent | Reply to this comment ]

Posted by Anonymous (213.73.xx.xx) on Thu 1 Jun 2006 at 12:05
You should not use the same network in both interfaces...

[ Parent | Reply to this comment ]

Posted by Anonymous (147.8.xx.xx) on Mon 1 May 2006 at 07:39
Hi,

I am wondering will it make a difference if I change

iptables -A FORWARD -i eth1 -o eth1 -j REJECT

to

iptables -A FORWARD -i eth1 -o eth0 -j REJECT

Thanks very much.

[ Parent | Reply to this comment ]

Posted by Anonymous (200.68.xx.xx) on Mon 8 May 2006 at 18:47
yes :)

[ Parent | Reply to this comment ]

Posted by Anonymous (195.137.xx.xx) on Tue 18 Dec 2007 at 09:28
Hi,

The difference that i found when changing the -o paramater to eth0, that you will nog be able to ping machines on the eth0 network from the eth1 network anymore.

Nico

[ Parent | Reply to this comment ]

Posted by Anonymous (200.125.xx.xx) on Wed 31 May 2006 at 09:15
Hello i just did eevrything , and its working like a charm instead of using eth1 i used ppp0 since its a pppoe conection. Anyway from the outside with this set up im exposed. So how do i block exverthing from the outside ? and only open maybe ssh . I have read others how tos but i how no idea how to "update" this script to bloack everthing in ppp0, thanks.

[ Parent | Reply to this comment ]

Posted by Steve (62.30.xx.xx) on Wed 31 May 2006 at 09:46
[ View Steve's Scratchpad | View Weblogs ]

Change every occurance of eth1 to ppp0 in the script and you should be fine.

Steve

[ Parent | Reply to this comment ]

Posted by Anonymous (200.125.xx.xx) on Wed 31 May 2006 at 21:51
It is what i did, but i still can access any open port from the outside. so its not blocking outside connections, what im doing wrong ?

btw The nating works flawlessly :)

[ Parent | Reply to this comment ]

Posted by Anonymous (90.155.xx.xx) on Sat 21 Apr 2007 at 11:25
You probably want to add

iptables -A INPUT -i eth1 -j DROP

right before the Masquerade line. This will drop anything that gets to the bottom of the INPUT chain without being explicitly ACCEPT'd. Or change the eth1 to ppp0 as you're on PPPOE.

HTH.

[ Parent | Reply to this comment ]

Posted by alexbodn (87.68.xx.xx) on Wed 7 Jun 2006 at 06:46
hello,

there are debian packaged iptables nat/firewall, like ipmasq, ipkunkfu etc.

i am personally using arno-iptables-firewall.

good luck,

alex

[ Parent | Reply to this comment ]

Posted by debianex (195.222.xx.xx) on Tue 20 Jun 2006 at 13:20
Steve, thank you very much for this site.

Regards

[ Parent | Reply to this comment ]

Posted by GecKo (222.154.xx.xx) on Thu 22 Jun 2006 at 09:33
Hi - I've now got two WAN interfaces, how do I make it load share over the two?

[ Parent | Reply to this comment ]

Posted by mkb (62.56.xx.xx) on Thu 22 Jun 2006 at 22:30
[ View Weblogs ]
I'm being a bit thick here but what do I need to do on the LAN machines to use
the gateway? I've got the following in /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1


I can ping the gateway (192.168.1.1) but not the outside world.

ta M

[ Parent | Reply to this comment ]

Posted by Steve (62.30.xx.xx) on Thu 22 Jun 2006 at 22:33
[ View Steve's Scratchpad | View Weblogs ]

That should be sufficient if the gateway is setup correctly - are you sure that IP forwarding is enabled upon the gateway?

Steve

[ Parent | Reply to this comment ]

Posted by mkb (62.56.xx.xx) on Thu 22 Jun 2006 at 22:36
[ View Weblogs ]
Maybe I have messed up 'route' on the LAN machine:
$ sudo route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 192.168.1.1 255.255.255.0 UG 0 0 0 eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

And on the gateway, i have:
$ sudo iptables -L
Password:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

My connection from the gateway to my ISP is using a USB modem:
etc$ sudo ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:D0:09:FC:3E:E6
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::2d0:9ff:fefc:3ee6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1206 errors:0 dropped:0 overruns:0 frame:0
TX packets:1825 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:161246 (157.4 KiB) TX bytes:174103 (170.0 KiB)
Interrupt:11 Base address:0xd400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1975 errors:0 dropped:0 overruns:0 frame:0
TX packets:1975 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:179106 (174.9 KiB) TX bytes:179106 (174.9 KiB)

ppp0 Link encap:Point-to-Point Protocol
inet addr:62.56.74.135 P-t-P:194.159.161.32 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:638485 errors:0 dropped:0 overruns:0 frame:0
TX packets:650691 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:250029448 (238.4 MiB) TX bytes:153278414 (146.1 MiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

etc$

Thanks for an excellent resource/site

[ Parent | Reply to this comment ]

Posted by Steve (62.30.xx.xx) on Thu 22 Jun 2006 at 22:41
[ View Steve's Scratchpad | View Weblogs ]

Since you're using ppp0 for the outgoing device on the gateway I'd definitely double-check that you changed things appropriately from the example in this article.

It might be useful to flush the firewall and enter the rules manually whilst you're dialled out. The following will do the flush:

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

Once you've done that check the routes. I'd expect something like:

skx@desktop:~$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

You can drop any routes and recreate them on the LAN machine(s) to see if that helps.

Steve

[ Parent | Reply to this comment ]

Posted by mkb (62.56.xx.xx) on Thu 22 Jun 2006 at 23:06
[ View Weblogs ]
Fantastic! Cleared it all, used your script double checking had ppp0 as appropriate et voila it all works nicely... No router required now ;)

Ta, M

[ Parent | Reply to this comment ]

Posted by yousuf87 (202.83.xx.xx) on Sat 16 Sep 2006 at 00:01
I get the following errors when I start the networking daemon:
ultra1:~#/etc/init.d/networking restart
Setting up IP spoofing protection: rp_filter.
Reconfiguring network interfaces...ifup: interface lo already configured
run-parts: failed to exec /etc/network/if-up.d/00-firewall: Exec format error
run-parts: /etc/network/if-up.d/00-firewall exited with return code 1
run-parts: failed to exec /etc/network/if-up.d/00-firewall: Exec format error
run-parts: /etc/network/if-up.d/00-firewall exited with return code 1
done.
ultra1:~#
But it works flawlessly when I run the script manually:
ultra1:~#/etc/network/if-up.d/00-firewall
ultra1:~#
What could the problem be?

Also, I want to be able to "ssh" onto my gateway computer from a remote location; currently, I get "No route to host" when I try to do that. I think the problem lies with the gateway my gateway is connected to (where I'll need to request the administrator to enable port forwarding for port 22), but is it possible that I also need to modify the script on my gateway?

Is using a an IP like 10.0.1.0 preferable over using something like 192.168.100.0 for my internal subnet? My professor seems to think so.



A very nice site.

Regards.

[ Parent | Reply to this comment ]

Posted by Steve (62.30.xx.xx) on Sat 16 Sep 2006 at 12:31
[ View Steve's Scratchpad | View Weblogs ]

Make sure that the first line of the script is "#!/bin/sh".

As for the IP address range you use it doesn't much matter. There are several ranges which are set aside for "local" use this guide shows you them.

I use 192.168 exclusively, the only reason not to is if you run into problems with a VPN sharing the same space on the far side. Also many common household routers will assume 192.168.1.x which can be handy.

Using the 10.x.x.x prefix I guess gives you a much bigger pool of addresses - but that isn't likely to be a good enough reason for preferring it in the home setting. I'd ask your professor why he has a preference?

Steve

[ Parent | Reply to this comment ]

Posted by Anonymous (68.179.xx.xx) on Tue 14 Nov 2006 at 16:42
Hi guys,

Great little setup. The /etc/network/if-up.d directory is very handy to know about.

I'm running into one little issue though, https authentication through the gateway.

It eventually works but seems to hang for quite a while whenever anyone authenticates this way.

Any ideas how I can stop this?

[ Parent | Reply to this comment ]

Posted by Steve (80.68.xx.xx) on Tue 14 Nov 2006 at 16:44
[ View Steve's Scratchpad | View Weblogs ]

I'd suggest this is probably not something that will be easy to solve. If it works at all then the gateway is working, and realistically the gateway shouldn't care what type of traffic is passing over it.

I'd suggest you look at DNS configuration, and see what server-side messages you can get from the remote SSL server(s) to see if there is something else misconfigured..

Steve

[ Parent | Reply to this comment ]

Posted by Zingaro2002 (85.18.xx.xx) on Fri 16 Feb 2007 at 16:35
Many Many Many Thanks for this article!!!

I used it on an ubuntu server linux box and it worked perfectly!

Now I only need to put some limitations (but I don't know iptables rules...) in 00-firewall script.

I want that machines behind the gateway can access only certain ports (say ONLY 80) and estabilish connections only on some subdomains (say ####.google.com and maps.google.it)

Well, my users should use Google earth (that makes connections to various ####.google.com domains) and http://maps.google.it

No other internet connection should be available through the gateway (no ssh, no smtp, no pop, no emule, and so on...).

Can you help me to implement the right iptables rules (without using any proxy)?

Thanks in advance for any suggestion.

[ Parent | Reply to this comment ]

Posted by Anonymous (81.180.xx.xx) on Wed 8 Aug 2007 at 17:44
Ok, i quit. I`ve tried all the posible ways and didn`t manage to get trough. I realy need some tips here.

Bellow are my interface config and the firewall script.
My problem is that with my laptop i can connect to the wireless (ra0) and i even get a reply from the external interface`s DNS (193.230.240.16), but i can`t get passwd it. I`ve tried many things, but no success.
Please help!
And btw, ip_forward is 1.
Thanks!

############################ interface
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 81.180.170.185
netmask 255.255.255.0
network 81.180.170.0
broadcast 81.180.170.255
gateway 81.180.170.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 193.230.240.16
dns-search com

auto ra0
iface ra0 inet static
address 192.168.0.1
netmask 255.255.255.0
wireless_key 868f840926
wireless_ssid KlarsDev


############################ 00-firewall

############################
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

iwconfig ra0 mode Ad-Hoc

#
# Delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o ra0 -m state --state ESTABLISHED,RELATED -j ACCE$

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i ra0 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

[ Parent | Reply to this comment ]

Posted by oguzy (193.140.xx.xx) on Tue 21 Aug 2007 at 13:33
I tried this configuration on a machine that has 3 ethernet cards: eth1 and eth2 is for local area networks and eth0 is to internet.

Here is the interfaces file

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth2 eth1 eth0

iface eth0 inet static
address 10.10.15.79
netmask 255.255.240.0
network 10.10.0.0
broadcast 10.10.15.255
gateway 10.10.1.1

iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
gateway 192.168.1.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 192.168.1.1

iface eth2 inet static
address 10.0.0.1
netmask 255.255.255.0
gateway 10.0.0.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 10.0.0.1


So i have two more machines connected to the same switch:


# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0


iface eth0 inet static
address 10.0.0.2
netmask 255.255.255.0
gateway 10.0.0.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 10.0.0.1


# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 192.168.1.1


What i do is to add a rule first to the ipchains:
/sbin/iptables -I INPUT 1 -p tcp --sport 4000 --dport 4000 -s 192.168.1.2 -d 10.0.0.2 -j ACCEPT

Then at the machine with ip 192.168.1.2 i created a traffic with hping2 as

hping2 -a 192.168.1.2 10.0.0.2 -p 4000

and check the eth2 of the centered machine whether there is a traffic:

tcpdump -i eth2 dst 10.0.0.2 and port 4000

I didnt see any output, but tcpdump -i eth1 src 192.168.1.2 and port 4000
shows a traffic

So the problem seems the packages going from 192.168.1.2 to 10.0.0.2 are not transmitted from one ip to another. I tried pinging with INPUT and FORWARD default policies as ACCEPT. Pinging from 192.168 to 10.0. worked. But after i wrote the above iptables rules there was not a reply. Something is wrong with the rules i think. What is it?


[ Parent | Reply to this comment ]

Posted by oguzy (88.244.xx.xx) on Tue 21 Aug 2007 at 17:41
After adding those two lines to the ipchains rule set everything was fine for me:

ipchains -A FORWARD -s 192.168.1.2 -d 10.0.0.2 -j ACCEPT
ipchains -A FORWARD -s 10.0.0.2 -d 192.168.1.2 -j ACCEPT

And one more point, when i change the INPUT chain to FORWARD /sbin/iptables -I INPUT 1 -p tcp --sport 4000 --dport 4000 -s 192.168.1.2 -d 10.0.0.2 -j ACCEPT
worked correctly.

[ Parent | Reply to this comment ]

Posted by Anonymous (70.240.xx.xx) on Wed 31 Oct 2007 at 05:01
No one knows how to set Debian up as a Load Balancing Dual WAN router? I am attempting to do this for a non-profit title 1 school (pre-k thru 6th grade) and my server is Debian based (ubuntu 7.10) with Dansguardian and Squid - have 3 NICs in it, want one to connect to T1 line, one for the DSL line, and the other to be the router/DHCP/firewall/proxy/content-filter... the only free solution I see is Vyatta or Pfsense... but there HAS to be a way to do this using debian... I am trying to avoid complicating the issue by running vyatta or pfsense as a vmware virtual appliance.... any suggestions???

[ Parent | Reply to this comment ]

Posted by Anonymous (85.0.xx.xx) on Sat 13 Oct 2007 at 17:12
great script. works like a charm. However, I was swearing for sometime because at first it would not work. Then tried to start it manually and I got a permission denied error. So what I want to say and maybe safe some more newbies the frustrations, after making the script, enter this as su

chmod 755 /etc/network/if-up.d/00-firewall


[ Parent | Reply to this comment ]

Posted by Anonymous (128.2.xx.xx) on Thu 14 Feb 2008 at 18:53
Thank you for the very informative article, but I am having trouble getting this working on my machine. I am using eth0 as my uplink and eth1 as my LAN connection. I don't have a modem, I connect directly to a university connection. I set up my /etc/network/interfaces file as follows:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface (Uplink)
auto eth0
iface eth0 inet dhcp

# The secondary network interface (LAN interface)
auto eth1
iface eth1 inet static
   address 192.168.0.1
   netmask 255.255.255.0
I also created a basic (less secure) script to see if my error was in miking up interfaces in your script.
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth0 -j MASQUERADE
I have a windows machine that I am trying to connect to the gateway and I cannot get a valid local IP address or ping the gateway. I have tried both using a static IP and DHCP requests on the windows machine. What am I missing? I cant imagine it is an IP conflict because there is only 2 NICs on the local network, eth1 and my second computer. Thanks.

[ Parent | Reply to this comment ]

Posted by Steve (82.32.xx.xx) on Thu 14 Feb 2008 at 18:56
[ View Steve's Scratchpad | View Weblogs ]

Sounds to me like there is something strange going on. The setup you've described should work just fine.

If you give the windows machine the following details what happens? Can it ping the gateway, or the outside world?

ip: 192.168.0.10
netmask: 255.255.255.0
broadcast: 192.168.0.255
gateway: 192.168.0.1

Steve

[ Parent | Reply to this comment ]

Posted by alucard-- (128.2.xx.xx) on Thu 14 Feb 2008 at 20:10
I tried using those settings and I was able to ping the gateway from the windows machine and the windows machine from the gateway. I think I might have just put them in wrong the first time or not flushed my settings completely before.

Using the gateway, I can ping computers outside my local network from the windows machine, but I cannot resolve addresses.

Directly connected:
~#ping google.com
Pinging google.com [72.14.207.99] with 32 bytes of data:
Ping statistics for 72.14.207.99:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Connected through gateway:
~#ping google.com
Ping request could not find host google.com. Please check the name and try again.

~#ping google.comping 72.14.207.99
Pinging 72.14.207.99 with 32 bytes of data:
Ping statistics for 72.14.207.99:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
I have a modded xbox (running XBMC) on my network as well, but I cant seem to get it working with the gateway. The setting on it all work fine if I set a windows machine up as a gateway using ICS so I would imagine I wouldn't have to change anything on it if I am using the debian gateway instead (both gateways are set to be 198.168.0.1 and I only have one or the other running at a time during this testing). I wouldnt imagine that you would know what could cause that, but do you have any suggestion about the why I cannot resolve DNS addresses? I have dnsmasq running on my gateway, but would that forward DNS look-up requests as well as checking the gateway's host file? Thank you for your help and your quick response.

[ Parent | Reply to this comment ]

Posted by Steve (82.32.xx.xx) on Thu 14 Feb 2008 at 20:14
[ View Steve's Scratchpad | View Weblogs ]

So, with the settings updated the windows machine can ping the gateway, and it can ping the outside world - but only by IP.

That suggests that either the Windows machine has no DNS servers setup, or they are unreachable. I'd suggest you compare them with what the Linux gateway has ("cat /etc/resolv.conf" should tell you).

It could just be that they are bogus .. if not I'd be a little confused.

(I know nothing about xboxes, but buy me one and I'll look into it for you ;) For the moment I'd assume that if DNS isn't working for the windows machine that suggests it isn't working for that either, and that could be the only problem.)

Steve

[ Parent | Reply to this comment ]

Posted by alucard-- (128.2.xx.xx) on Thu 14 Feb 2008 at 20:25
When I connect directly using DHCP, two nameservers are given to me, 128.2.1.10 & 128.2.1.11. Should I specify these as the nameservers on the LAN machines behind the gateway? Shouldn't the gateway be able to forward requests to those nameservers?

Thanks again!

[ Parent | Reply to this comment ]

Posted by Steve (82.32.xx.xx) on Thu 14 Feb 2008 at 20:37
[ View Steve's Scratchpad | View Weblogs ]

The gateway should be able to forward UDP traffic to those machines from the LAN. If you set them up for the windows machine it should work - I'm trying to ask you if there are any entries present. Because if there are and they are invalid, or not working, then it seems like the forwarding isn't coping with UDP traffic - or similar.

Steve

[ Parent | Reply to this comment ]

Posted by alucard-- (128.2.xx.xx) on Thu 14 Feb 2008 at 21:09
There are the two valid entries present. I can properly resolve addresses from the gateway, just not from the windows machine connected too the gateway.

[ Parent | Reply to this comment ]

Posted by Steve (82.32.xx.xx) on Thu 14 Feb 2008 at 21:20
[ View Steve's Scratchpad | View Weblogs ]

Update your script to include this:

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Does that help?

Steve

[ Parent | Reply to this comment ]

Posted by Anonymous (24.13.xx.xx) on Mon 18 Feb 2008 at 04:34
I have dnsmasq and dhcp3server installed. DHCP works just fine. dnsmasq is not forwarding my requests. Not sure if my gateway is blocking it or what.

Gateway setup
ath0 (my gateway NIC) is on dhcp to my router
the internal device eth0 is:
iface eth0 inet static
address 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway

DHCP is giving the client machine this setup:
ip 192.168.0.1
netmask 255.255.255.0
nameserver 192.168.0.0

and this ip as the route: 192.168.0.0

port forwarding is on in /etc/sysctl.conf and i also left it in the firewall script from this page. Here is what it looks like:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

echo "Running Gateway Firewall Script"

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o ath0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
echo "Enabling IPV4 Port Forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward


SO: gateway external: ath0 internal: eth0

Did i cross the NIC's in the firewall?
Is dns just not set up correctly?

I can ping all machines on the lan, but not outside the lan under my gateway. And ipv4 forwarding is enabled too.

Any ideas?

[ Parent | Reply to this comment ]

Posted by kkjaergaard (87.56.xx.xx) on Sat 17 May 2008 at 20:03
I cannot SSH into the gateway. I get "ssh: connect to host gateway port 22: Connection refused". The gateway is running a web server and FTP server, and I can access both of them.

There are no flash or java applets in my browser. Why not?

[ Parent | Reply to this comment ]

Posted by Steve (82.41.xx.xx) on Sat 17 May 2008 at 20:26
[ View Steve's Scratchpad | View Weblogs ]

Have you tried restarting the ssh server, or verified it is running? Is this on the internal address, or the external one?

Steve

[ Parent | Reply to this comment ]

Posted by kkjaergaard (87.56.xx.xx) on Sat 17 May 2008 at 23:10
(shh, it wasn't installed... it must have gone missing during an upgrade or something...) I can connect using user@ip but not user@host - I get the same message: "ssh: connect to host gateway port 22: Connection refused"

All of this is done from the inside of the firewall.

[ Parent | Reply to this comment ]

Posted by Steve (82.41.xx.xx) on Sat 17 May 2008 at 23:58
[ View Steve's Scratchpad | View Weblogs ]

If you can connect via the IP address, but not by the hostname, then that means things are working fine - but your DNS/name lookup is broken.

I guess thats a whole other topic..

Try checking /etc/hosts, or /etc/resolv.conf on the machine from which you're making the connection to look for errors/oddities..

Steve

[ Parent | Reply to this comment ]

Posted by kkjaergaard (87.56.xx.xx) on Sun 18 May 2008 at 00:47
But the domain name lookup works in other circumstances: "ping <host>" works (as "ping <ip>"). "host <host> localhost" works on the gateway.

[ Parent | Reply to this comment ]

Posted by ptolomaeus (78.152.xx.xx) on Wed 9 Jul 2008 at 17:01
Hi.
I have 2 interfaces eth1(LAN) & eth2(INET)
When I am add iptables rule

iptables -t nat -I POSTROUNTING -i eth1 -o eth2 -j SNAT --to-source INET_IP

not all of LAN packets was translated to INET_IP
and when I run command

tcpdump -i eth2

I see source address of LAN computers

What is the problem? Thanks!


[ Parent | Reply to this comment ]

Posted by Anonymous (188.24.xx.xx) on Tue 16 Mar 2010 at 02:00
Hello, i followed this tutorial and good news is that it works, BAD NEWS: it somehow limitate even dissalow most of the sites to load to my windows xp browser (IE). I`m using DEBIAN5. please give me a reply how to bypass this problem. mai e-mail: sebby.curta@yahoo.com & sebby.curta@gmail.com

[ Parent | Reply to this comment ]

Posted by Anonymous (188.24.xx.xx) on Tue 16 Mar 2010 at 02:04
I came back with some info to be able to help me: i have a pppoe connection the external network card is eth0 and private is eth1 and ppp0 is the internet (has a public ip address

[ Parent | Reply to this comment ]

Posted by Anonymous (130.235.xx.xx) on Mon 22 Mar 2010 at 18:28
I used your firewall script and it works partly..
I have one debian PC as a gateway between my local network and Internet. I am able to ping IP addresses on Internet from my local network, but it doesn't work if I use host names.
Seems to me like no DNS server is reachable from my local network, so host names are unknown.

Can someone give me a hint on how to fix this?

Thanks

/Sofie

[ Parent | Reply to this comment ]

Posted by Steve (82.41.xx.xx) on Mon 22 Mar 2010 at 18:39
[ View Steve's Scratchpad | View Weblogs ]

You probably need to update /etc/resolv.conf upon the machines on the LAN to match the contents on the gateway machine - which is presumably working?

Failing that more details would be useful..

Steve

[ Parent | Reply to this comment ]

Posted by Sofie (130.235.xx.xx) on Tue 23 Mar 2010 at 09:48
Thanks a lot for you fast response! It works :-)

Just wonder a few more things..
In the top of my /etc/resolve.conf file it says "generated by NetworkManager, do not edit!" I edited it anyway and as you said it worked, do I have to care about this comment?

I also tried to add the dns-nameservers directly in the /etc/network/interfaces script, like this:
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1
dns-search xxxx (same as in in /etc/resolve.conf at gateway machine)
dne-nameservers xx.xx.xx.xx (same as in in /etc/resolve.conf at gateway machine)

But from what I could see those last two lines had no effect, do you have a clue why?

And.. my last question I have chosen 192.168.0.1 as the IP of my gateway machine, but normally the standard is that the gateway IP ends with 254, does it matter?

Thanks a lot again :-)

/Sofie

[ Parent | Reply to this comment ]

Posted by Steve (82.41.xx.xx) on Tue 23 Mar 2010 at 09:55
[ View Steve's Scratchpad | View Weblogs ]

Cool, glad it works. I'm hazy on Network manager, and how it works so I'm not sure if your changes will get overwritten (as it threatens) or not. It might be worth a quick google search to see what others say?

I think that the dns-search lines you've added are only going to be used by some DHCP clients, rather than globally. So if they're ignored that might be why.

Finally the IP of the gateway? There is no real standard and you're safe to pick any working IP. (Most of my gateways are the "first" IP rather than the "last" FWIW.)

Steve

[ Parent | Reply to this comment ]

Posted by Anonymous (89.250.xx.xx) on Thu 24 Feb 2011 at 14:57
very nice

[ Parent | Reply to this comment ]

Posted by kapastratos (188.26.xx.xx) on Sat 9 Apr 2011 at 16:02
well for me it is not working:
root@optimus:/etc/network/if-up.d# ./00-firewall
Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`).


also:
root@optimus:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination



/etc/network/interfaces:
root@optimus:~# cat /etc/network/interfaces
#NETWORK

auto lo
iface lo inet loopback

#WAN
allow-hotplug eth0
iface eth0 inet dhcp
 hostname "optimus"

#LAN
auto eth1
iface eth1 inet static
    address 192.168.0.1
    netmask 255.255.255.0


00-firewall
root@optimus:~# cat /etc/network/if-up.d/00-firewall
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT


# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

[ Parent | Reply to this comment ]

Posted by kapastratos (188.26.xx.xx) on Sun 10 Apr 2011 at 00:31
I managed to fix it! it is working great, but...how safe is it? can I use it instead of my wireless router (I prefer using it because I can use apache/php/mysql, samba and ftp, but again..how safe is it?

[ Parent | Reply to this comment ]

Posted by Anonymous (216.105.xx.xx) on Fri 13 May 2011 at 20:14
How did you fix it? I keep getting 'Destination Host Unreachable' trying to ping the outside world from the natted machines.

[ Parent | Reply to this comment ]

Posted by kapastratos (188.27.xx.xx) on Fri 13 May 2011 at 20:46
hi, I am not guru, I still have some problems but I will try to help:

this is what I have in /etc/network/interfaces
eth0 is outside
eth1 is inside

#eth0
  auto eth0
  iface eth0 inet manual
  auto dsl-provider
  iface dsl-provider inet ppp
  pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf
  provider dsl-provider

#eth1
  auto eth1
  iface eth1 inet static
  address 10.10.10.254
  netmask 255.255.255.0
  network 10.10.10.0
  broadcast 10.10.10.255


this is what I have in /etc/network/if-up.d/00-firewall

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o ppp0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT



NOTE: I have a PPPOE connection so if you don`t have pppoe and you have dinamic ip address...you need change the ppp0 to eth0 from the file above and to adjust the /etc/network/interfaces file to:

#eth0
  auto eth0
  iface eth0 inet dhcp

#eth1
  auto eth1
  iface eth1 inet static
  address 10.10.10.254
  netmask 255.255.255.0
  network 10.10.10.0
  broadcast 10.10.10.255



also in /etc/sysctl.conf i uncommented this line:

#net.ipv4.ip_forward=1

to

net.ipv4.ip_forward=1

[ Parent | Reply to this comment ]

Posted by Anonymous (92.42.xx.xx) on Wed 27 Jul 2011 at 15:06
Even though this was posted SEVEN years ago!!!
After reading loads and loads of other posts, came acorss this thread.

Just droped it on an Ubuntu 10.04 box, but placed the script contents (no #!/bin/sh) in the "/etc/rc.local" file, rebooted the system - BAM!!
ran with no problems :D

Easy, Simple, Effective - Nice work Steve...

[ Parent | Reply to this comment ]

Posted by Anonymous (80.139.xx.xx) on Mon 26 Sep 2011 at 21:33
The article has some flaws:
1. no default rules (should probably be DROP)
2. no handling of UDP

Otherwise it's nice.

[ Parent | Reply to this comment ]

Posted by Anonymous (80.139.xx.xx) on Mon 26 Sep 2011 at 23:08
I used:

#ppp0 = WAN
#rest = LAN
#delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

#NOTE on debugging: if you try to run nmap -sS <your external IP here> from inside your network, you will see all ports of your router being open, because the router seems to recognise it comes from an internal port and directly responds?!

############ TCP #############
# Always accept loopback traffic
iptables -t filter -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -t filter -A FORWARD -i ppp0 -o ! ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -t filter -A FORWARD -i ! ppp0 -o ppp0 -j ACCEPT

# Don't forward from the outside to the outside.
#iptables -t filter -A FORWARD -i ppp0 -o ppp0 -j DROP #handled by default policy

############ UDP #############
#accept incoming udp DNS packets for the router (UDP is a stateless protocol, so no tricks as with tcp possible)
iptables -t filter -I INPUT 3 -p udp --sport 53 -j ACCEPT

#we have to allow UDP forwarding to make services behind the router work, we can't do tricks as with TCP
iptables -t filter -A FORWARD -i ppp0 -o ! ppp0 -p udp -j ACCEPT

########### ICMP #############
#make sure we can receive ping responses
iptables -t filter -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

############ other stuff ##############
# Masquerade. (NAT)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

#set default policies, this should take care of ALL other stuff such as dropping incoming ICMP messages and so on
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP

# Enable routing.
#echo 1 > /proc/sys/net/ipv4/ip_forward

No guarantee on it though. ^^

[ Parent | Reply to this comment ]

Posted by Anonymous (146.52.xx.xx) on Mon 28 May 2012 at 12:03
Yey - thank you. After 4 days of trying to get my virtual machine connected to the internet (they are running on a virtual bridge) those lines helped me to find a solution.
You made my day!!

[ Parent | Reply to this comment ]

Posted by rautamiekka (87.93.xx.xx) on Tue 18 Sep 2012 at 19:57
I've tried many and not even this works regardless of being designed for Debian !

Posted on SuperUser: http://superuser.com/questions/473573/debian-6-internet-connectio n-sharing-aka-ip-masquerade-not-working

[ Parent | Reply to this comment ]

Posted by Anonymous (80.201.xx.xx) on Tue 28 May 2013 at 12:28
Thank you, works great, I'm a newbie in iptables and needed a simple nat router on debian 7 for connecting my machines to an isp router in other subnet (to replace a windows machine with the same function.)
Just one question, the line
iptables -A INPUT -m state --state NEW -i ! eth1 -j ACCEPT
gave an error (bad argument).
I replaced it with
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
No more error with that.
My nat-router seems to work well now, but I'm wondering if "-i !" and "! -i" have the same meaning?

[ Parent | Reply to this comment ]

Posted by Anonymous (90.163.xx.xx) on Tue 27 Aug 2013 at 13:54
Thank you for such a nice tutorial.

I just wrote a different kind of tutorial on how to set up Arno IPTABLES firewall.
May be it may help someone to setup his own firewall based on IPTABLES.
You can find some examples for a mail server and for a Proxy server using SNAT and port forwarding.
The location of my tutorial is here:

cosmolinux.no-ip.org/raconetlinux2/arno_iptables_firewall.html

I wish it is useful to someone.

[ Parent | Reply to this comment ]

Sign In

Username:

Password:

[Register|Advanced]

 

Flattr

 

Current Poll

What do you use for configuration management?








( 462 votes ~ 5 comments )

 

 

Related Links