sslug-teknik team mailing list archive

Iptables problem = Modem

Hi group.
I have a problem I need to solve for one of my friends. Here is the situation: some friends have got themselves a 3 modem which they cannot cancel until May. So I want to build a router out of my lexcom, on which I have installed Ubuntu. I have set up a DHCP server on eth0, which works. Then I got the modem working, and now I need to write an iptables script that works. I have kept it plain and simple, but it just doesn't work, and there are some things I am not clear about. My routing table (route -vn) looks like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.16.7.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0

I assume this is wrong, since there is no default gateway. How can I fix this? My IPTABLES script looks like this:
######################################################################
# -------------------------------------------------------------------
# Setup the environment variables
# -------------------------------------------------------------------
# External Program
IPTABLES="/sbin/iptables"

# Setting up the interfaces
LO="lo"
WAN="ppp0"
LAN="eth0"

# The IP-addresses for the interfaces
LAN_IP="172.16.7.1"
WAN_IP="$(ifconfig $WAN | grep "inet addr" | cut -f 2 -d ":" | cut -f 1 -d " ")"
LO_IP="127.0.0.1"

#Networks
LAN_NET="172.16.7.0/24"
WAN_NET="$WAN_IP"
LO_NET="127.0.0.1/8"

# The machines on the net
MILO="172.16.7.1"

#-------------------------------------------------------------------
# Starting the scripts and write to syslog & Console
# ------------------------------------------------------------------
echo
echo "Initializing firewall with these settings:"
echo "- WAN IP-address:		$WAN ($WAN_IP)"
echo "- LAN IP-address:		$LAN ($LAN_IP)"
echo
echo "Initiating script:"
echo " Done"

# ---------------------------------------------------------------
# Start by loading IPTABLES modules
# ---------------------------------------------------------------
echo "Loading IPTABLES modules"
modprobe ip_tables
modprobe ip_conntrack

echo " Done"
# ---------------------------------------------------------------
# Flush existing Connections and removing rules
# ---------------------------------------------------------------
echo "Flushing and zeroing the chains"
$IPTABLES -F
# The nat table has to be flushed separately, otherwise re-running the
# script adds a duplicate POSTROUTING rule every time
$IPTABLES -t nat -F
$IPTABLES -Z
$IPTABLES -X
echo " Done"
echo
# ---------------------------------------------------------------
# Initialize and setup defaults rules
# ---------------------------------------------------------------
echo "Initializing and setup defaults policies"

# Forwarding (without this the box never routes between eth0 and ppp0)
echo 1 > /proc/sys/net/ipv4/ip_forward
# IP spoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
	echo 1 > $f
done

# Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

echo " Done"
echo
# --------------------------------------------------------------
# Create and flush chains
# --------------------------------------------------------------
echo "Creating and flushing the chains"
$IPTABLES -N wantolan
$IPTABLES -N lantowan
$IPTABLES -N lo
$IPTABLES -N lan
$IPTABLES -N wan
echo " Done. Chains are made"
echo
################################################################
# Setting up the INPUT chain
# --------------------------------------------------------------
## ICMP ##
$IPTABLES -t filter -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A INPUT -i $LAN -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPTABLES -t filter -A INPUT -i $WAN -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

echo " Done. INPUT chain is up and running"
echo

# --------------------------------------------------------------
# Setting up the OUTPUT chain
# --------------------------------------------------------------
# Accepting the different networks
$IPTABLES -t filter -A OUTPUT -p ALL -s $LAN_NET -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p ALL -s $WAN_NET -j ACCEPT

echo " Done. OUTPUT chain is up and running"
echo

################################################################
# Setting up rules for LO interface
# --------------------------------------------------------------
echo "Setting up LOCAL interface "
$IPTABLES -A lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $LO -j ACCEPT
$IPTABLES -A OUTPUT -o $LO -j ACCEPT

echo " Done. LO is up and running"
echo
# --------------------------------------------------------------
# Setting up the LAN interface
# --------------------------------------------------------------
echo "Setting up the LAN interface"
$IPTABLES -t filter -A lan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo " Done. LAN is up and running"
echo
# --------------------------------------------------------------
# Setting up the WAN interface
# --------------------------------------------------------------
echo "Setting up the WAN interface"
$IPTABLES -t filter -A wan -m state --state ESTABLISHED,RELATED -j ACCEPT

echo " Done. WAN is up and running"
echo
################################################################
# Setting up rules for LANTOWAN chain
# --------------------------------------------------------------
echo "Setting up the LANTOWAN chain"
$IPTABLES -t filter -A lantowan -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo " Done. LANTOWAN chain is up and running"
echo

################################################################
# Setting up rules for WANTOLAN interface
# --------------------------------------------------------------
echo "Setting up the WANTOLAN chains"

# Accepting only returntraffic to lan
$IPTABLES -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT


echo " Done. WANTOLAN chain is up and running"
echo

################################################################
# Setting up Masquerading
# --------------------------------------------------------------
echo "Setting up MASQUERADING"
# From all interfaces - but not WAN
$IPTABLES -t nat -A POSTROUTING ! -s $WAN_IP -j SNAT --to-source $WAN_IP

echo " Done. MASQUERADING is up and running"
echo

##################################################################
# Activating the Chains
# ----------------------------------------------------------------
echo "Activating the chains"
$IPTABLES -A INPUT -i $WAN -j wan
$IPTABLES -A INPUT -i $LAN -j lan
$IPTABLES -A INPUT -i $LO -j lo
$IPTABLES -A FORWARD -i $WAN -o $LAN -j wantolan
$IPTABLES -A FORWARD -i $LAN -o $WAN -j lantowan

echo "Done. The chains are now activated"


##################################################################


What exactly do I need to do to get this to work?

Kind regards
Per Jørgensen
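As an added example (not the poster's script), the same two-interface setup, ppp0 as WAN, eth0 as LAN and 172.16.7.0/24 behind it, written so the rules are generated as text and loaded in one step with iptables-restore; MASQUERADE replaces SNAT because it always uses the current address of the outgoing interface, which on a PPP link changes with every reconnect.

```shell
#!/bin/sh
# Added example, not the poster's script: generate a complete NAT-router
# ruleset as text and load it atomically with iptables-restore.
# Interface names and LAN range follow the post; override via environment.
WAN="${WAN:-ppp0}"
LAN="${LAN:-eth0}"
LAN_NET="${LAN_NET:-172.16.7.0/24}"

# Emit the ruleset in iptables-restore format. Pure text generation, so it
# can be reviewed (or diffed against `iptables-save`) before anything is loaded.
build_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $LAN -s $LAN_NET -j ACCEPT
-A INPUT -i $WAN -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Forwarding is a kernel setting no filter rule can switch on; rp_filter
# drops packets whose source address would not be routed back the same way.
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1
  sysctl -w net.ipv4.conf.all.rp_filter=1
}

# iptables-restore replaces the tables in one step; a syntax error leaves
# the running rules untouched instead of half-applied.
apply_rules() {
  build_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
  enable_forwarding
  apply_rules
fi
```

Run it with `apply` as root; without arguments it only defines the functions. Note that in the routing table above, the line `0.0.0.0 0.0.0.0 0.0.0.0 U ppp0` already is the default route: on a point-to-point link the Gateway column shows 0.0.0.0 because the next hop is the link itself, not a gateway address.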



