This is the old SliTaz forum - Please use the main forum.slitaz.org

generic iptables firewall.conf?
  • foxsam January 2011
    I am having two troubles involving, I think, firewall and NAT etc...
    one. I cannot access the internet via ppp0 (usb modem) while eth0 (LAN network, no internet) is up. I am assuming that the problem is a routing table problem that is causing it to look on the LAN for internet addresses.
    two. I am trying to get the computer to share (masquerade) the internet connection out through the ethernet into my (real, wireless) router's WAN port so I can use my modem as wifi.

    The question here is, is there a generic firewall.conf that I can just copy? I am having trouble getting past step one. I installed iptables and dependencies and tried setting the rules but I really don't know what I am doing.

    Stage 2 will be to get this modem working over bluetooth but for now usb is good :)

    thanks.
  • OldGuy January 2011
    Howdy,

    is this the setup you would like to achieve?

    Internet -> mobile device -> [ ppp0 -> PC -> eth0 ] -> [eth0 -> router -> wlan0] --wireless-- [wlan0 -> hostPC] ?

    Does your router have an internal DSL/cable modem?
    Does it need to be connected to an external DSL/cable modem and therefore uses PPPoE?
    Does it really use straight IP on the WAN port?

    Your first problem indeed sounds like a routing table issue.
    Pls. post the result of "route -n" while the ppp0 is up and connected

    The following "BASIC!!!" script should help you to use your PC as a NAT-router:
    -----------------------------------------------------------------------------------------------------------------
    #!/bin/sh
    INET_IFACE="ppp0"          # interface towards the internet (3g modem)
    LAN_IFACE="eth0"           # interface towards the local network
    IPTABLES="/sbin/iptables"

    # start from empty tables
    $IPTABLES -t raw -F
    $IPTABLES -t mangle -F
    $IPTABLES -t nat -F
    $IPTABLES -t filter -F
    $IPTABLES -X
    # default policies: forward nothing unless a rule below allows it
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT

    # rewrite the source address of everything leaving through ppp0 (NAT)
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

    # drop "new" TCP connections that do not start with a SYN
    $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    # let the LAN out, and let the replies back in
    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # turn on routing between the interfaces
    echo "1" > /proc/sys/net/ipv4/ip_forward
    -----------------------------------------------------------------------------------------------------------------

    Edit: Inserted the missing 'state' in the last line.

    Pls. be aware that this is NO FIREWALL but masquerading only!!!!

    Cheers,
    OldGuy
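    A tightened variant of the script above, added here as an example and not OldGuy's own code: the same MASQUERADE and FORWARD rules (FORWARD from the LAN is restricted to the ppp0 direction), plus an INPUT chain that defaults to DROP and only admits loopback, the LAN side and replies to the box's own connections, so the ppp0 side is no longer wide open. The interface names ppp0/eth0 come from the thread; splitting rule generation from rule loading, the "apply" argument and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not OldGuy's script): masquerading plus a basic stateful
# input policy. Interface names follow the thread; adjust as needed.
INET_IFACE="${INET_IFACE:-ppp0}"      # 3g modem, untrusted side
LAN_IFACE="${LAN_IFACE:-eth0}"        # local network, trusted side
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Emit the rule set, one iptables argument list per line. Kept separate from
# loading so the rules can be reviewed (or tested) without root.
nat_firewall_rules() {
    cat <<EOF
-t raw -F
-t mangle -F
-t nat -F
-t filter -F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IFACE -j ACCEPT
-t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of rules using the state match spelled "-m state --state", the
# form that avoids the libipt_--state.so error seen in the thread.
count_state_rules() {
    nat_firewall_rules | grep -c -- '-m state --state'
}

# Load the rules and enable forwarding. Run as root:  sh nat.sh apply
apply_nat_firewall() {
    nat_firewall_rules | while read -r args; do
        # word splitting of $args is intended: each line is one argument list
        $IPTABLES $args || exit 1
    done || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

if [ "${1:-}" = "apply" ]; then
    apply_nat_firewall
fi
```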
  • foxsam January 2011
    this is without ethernet cable plugged in:
    it works and connects to the internet.

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    68.28.113.71    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
    0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0


    this is after I connected ethernet:
    I had to start dhcp to listen by clicking start in netbox dhcp tab.

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    68.28.113.71    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
    192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    0.0.0.0         192.168.0.11    0.0.0.0         UG    0      0        0 eth0
    0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0


    I get an error running the script (if I did it right)

    iptables v1.4.5: Couldn't load match `--state':/usr/lib/iptables/xtables/libipt_--state.so: cannot open shared object file: No such file or directory

    Try `iptables -h' or 'iptables --help' for more information.


  • Trixar_za January 2011
    @OldGuy Last time I checked iptables was part of Linux's firewall :-/

    @foxsam What kind of connection are you trying to use with ppp0?
  • foxsam January 2011
    @Trixar_za If I understand your question:

    I am trying to get what OldGuy said above:
     
    Internet -> mobile device (USB 3g modem)-> [ ppp0 -> PC -> eth0 ]
    -> [eth0 -> router (WAN port) -> wlan0] --wireless-- [wlan0 -> hostPC]

    But I am really stuck before that:

    Internet -> mobile device (USB 3g modem)-> [ ppp0 -> PC -> eth0 ]
    -> [eth0 -> LAN(via router LAN port)]

    When ethernet is connected it (I think) looks on the LAN segment for internet IPs.
  • OldGuy January 2011
    @Trixar_za - Indeed "part of". Just because one uses some software, which usually is used to setup a firewall, doesn't mean that you'll have a firewall at the end of it. To my understanding a firewall does a lot more than 'only' masquerading. The script I put up doesn't provide much more than NAT and foxsam should be aware that he will not get a real firewall with this script. ;-)

    @foxsam - It seems there is a 'Default Gateway' (192.168.0.11) configured in your eth0-Interface setup. There can be only one (where did I hear that one before :-) ) 'Default Gateway' in a router. Therefore check your eth0 setup and delete the gateway entry.

    As for the problem with the library: it seems there are some unsolved dependencies with your iptables installation.
  • foxsam January 2011
    Where do I remove the default gateway from? I don't think it is set anywhere. Can it be getting it from dhcp?

    what to do about iptables to fix it?
  • Gokhlayeh January 2011
    Hi,

    when iptables is installed SliTaz sets up the firewall using /etc/firewall.conf - which already contains some basic rules. Note it also drops all forward by default.
    This file can be useful to set up your own configuration, including masquerading etc...
    And by default it doesn't prevent any direct connection to the net, or direct local connection, it just drops input from unknown senders.
  • ernia January 2011
    If I don't get it wrong, in the route -n output you have two destination 0.0.0.0 fields, so packets go away through the first catch, which in your case is eth0, which I suppose is not what you want.
    route del default gw eth0 should del the wrong route : http://linux.die.net/man/8/route
    If I understood what you are trying to do, I think that if you want to use your box as a ppp nat server for your network you should not start dhcp but start eth0 with a fixed address and without a default gw, then configure the default gw in the wlan-lan router to point to your box.
    OldGuy's iptables rules should do the forwarding job
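    The "first catch" behaviour ernia describes, shown on the route -n output foxsam posted, as an added example that is not part of the thread: the functions list every default route (destination 0.0.0.0), report which interface is listed first and therefore wins, and fail the check when there is more than one. The sample table is copied from the post above; the function names and the check's expected interface are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose duplicate default routes in
# "route -n" output. The kernel uses the first matching entry, so a second
# default route via eth0 listed above ppp0 silently takes the internet traffic.

# Constructed sample: the table foxsam posted after eth0 came up.
SAMPLE_ROUTE_N='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
68.28.113.71    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.0.11    0.0.0.0         UG    0      0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0'

# Print "iface gateway" for each default route, in table order (stdin = route -n).
default_routes() {
    awk '$1 == "0.0.0.0" { print $8, $2 }'
}

# How many default routes the table has; anything but 1 is a misconfiguration.
count_default_routes() {
    default_routes | wc -l | tr -d ' '
}

# The interface that actually carries 0.0.0.0/0 traffic: the first one listed.
winning_default_iface() {
    default_routes | head -n 1 | cut -d' ' -f1
}

# Exit 0 only if there is exactly one default route and it is on $1.
check_default_route() {
    table=$(cat)
    n=$(printf '%s\n' "$table" | count_default_routes)
    win=$(printf '%s\n' "$table" | winning_default_iface)
    if [ "$n" -ne 1 ]; then
        echo "WARN: $n default routes, traffic currently leaves via $win" >&2
        return 1
    fi
    [ "$win" = "$1" ]
}

# Live use:  route -n | check_default_route ppp0
# The stray entry from the sample is removed with:
#   route del default gw 192.168.0.11 dev eth0
printf '%s\n' "$SAMPLE_ROUTE_N" | check_default_route ppp0 \
    || echo "remove the default gateway on eth0, then re-check"
```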
  • OldGuy January 2011
    @foxsam - Just to make sure: We are talking about SliTaz (what version?) on your routing-PC, right?

    Also, could you pls. describe in more detail how your networks are setup?
    It seems that your eth0 interface still gets an IP address assigned by a DHCP-server.
    As we are talking about a multi network setup, it is crucial to understand your physical and logical network setup.
    Can you therefore pls. fill in the missing information?

    net1:
    Internet -> (USB 3g modem) -> usb-cable -> (ppp0 [routing PC])

    net2:
    ([routing PC] eth0) -> crossover cable/hub/switch?? -> (wan0 [Router])
    Which other devices are physically connected to this network? (DHCP-server?)
    If this is connected through a hub/switch, is this the multiport LAN side of your wifi-router?
    What is the wan0-interface IP-setting on the wifi-router? Static or DHCP?

    net3:
    ([Router] eth0) -> crossover cable/hub/switch?? -> (eth0 [local PC])
    Which IP-address/Netmask combinations are used in this network?
    Which other devices are physically connected to this network? (DHCP-server?)

    If this is connected through a hub/switch, is this the multiport LAN side of your wifi-router?


    net4:
    ([Router] wlan0) -> wireless -> (wlan0 [mobile PC])

    Which IP-address/Netmask combinations are used in this network?


    Cheers
  • OldGuy January 2011
    Sorry, there was something missing in the script I provided. :-(

    Pls. change
    $IPTABLES -A FORWARD -m --state ESTABLISHED,RELATED -j ACCEPT

    to
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    This should fix the "... /libipt_--state.so: cannot open shared object file ..." problem. ;-)

    Cheers
  • foxsam January 2011
    thanks for all the help :) I am too new to realise that I was going to confuse so many people with missing info.

    First of all I am using SliTaz 3.0

    Here is what you wanted to know (I probably will still miss something but it is not intentional)

    net1:
     I think is clear. usb modem connected using wvdial.

    net2:
     is really 2 separate problems in different scenarios. the one I want to keep is B.

    net2A:
     ([routing PC] eth0) -> link port of wireless router getting assigned ip via dhcp. connected to the router is another computer wirelessly. I can only use net1 OR net2A in this setting, not both at the same time.

    net2B:
     I want to connect ([routing PC] eth0) -> WAN port which is set as static. (I am pretty sure it can work if masquerade works. It has a setting for the port to be "IP Routing", and get its IP from dhcp which I think means that it works as a regular client and connects it to the other ports.) and hope to be able to connect to both net1 and net2.
     the router has busybox and I can telnet in and post what some commands return like the route -n, ifconfig etc.. if it will help..


    net3:
    none (if I understand...)

    net4:
    wifi to other computers that I want to be able to access internet and servers running on [router PC] and [router]. Not sure how they are set up. How should I check?
  • OldGuy January 2011
    Hmm...,
    I'm still a bit confused.

    Are you using anything (hub/switch), besides your wifi-router, to interconnect PC's within your local network?

    Can you provide more information on the wifi-router (Brand, Model)?

    Is the 3g modem the only access to the internet or is it just an alternative to some DSL/cable?
  • foxsam January 2011
    ok. thanks for helping me get this straight.

    the router is *it*

    the router is a Verizon/Westell 7501
    very robust capabilities
    https://sites.google.com/a/tds.net/unlock-your-verizon-westell-7501-wireless-g-router/

    it looks like it can do what I want from another wireless router as a wireless client too.
    http://www.dd-wrt.com/phpBB2/viewtopic.php?t=65443&postdays=0&postorder=asc&start=750&sid=b993125f92a15c97526ef0b71035bb83

    3g is the *only* way I connect to the internet.
  • foxsam January 2011