This is the old SliTaz forum - Please use the main forum.slitaz.org

generic iptables firewall.conf?
  • foxsam January 2011
    I am having two troubles involving, I think, firewall and NAT etc...
    One. I cannot access the internet via ppp0 (USB modem) while eth0 (LAN network, no internet) is up. I am assuming that the problem is a routing table problem that is causing it to look on the LAN for internet addresses.
    Two. I am trying to get the computer to share (masquerade) the internet connection out through the ethernet into my (real, wireless) router's WAN port so I can use my modem as wifi.

    The question here is, is there a generic firewall.conf that I can just copy? I am having trouble getting past step one. I installed iptables and dependencies and tried setting the rules but I really don't know what I am doing.

    Stage 2 will be to get this modem working over bluetooth but for now usb is good :)

    thanks.
  • OldGuy January 2011
    Howdy,

    is this the setup you would like to achieve?

    Internet -> mobile device -> [ ppp0 -> PC -> eth0 ] -> [eth0 -> router -> wlan0] --wireless-- [wlan0 -> hostPC] ?

    Does your router have an internal DSL/cable modem?
    Does it need to be connected to an external DSL/cable modem and therefore uses PPPoE?
    Does it really use straight IP on the WAN port?

    Your first problem indeed sounds like a routing table issue.
    Pls. post the result of "route -n" while the ppp0 is up and connected

    The following "BASIC!!!" script should help you to use your PC as a NAT-router:
    -----------------------------------------------------------------------------------------------------------------
    #!/bin/sh
    # Interface facing the Internet (3g modem) and the interface facing the LAN
    INET_IFACE="ppp0"
    LAN_IFACE="eth0"
    IPTABLES="/sbin/iptables"

    # Start from empty tables and chains
    $IPTABLES -t raw -F
    $IPTABLES -t mangle -F
    $IPTABLES -t nat -F
    $IPTABLES -t filter -F
    $IPTABLES -X
    # Default policies: nothing is forwarded unless a rule below allows it
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT

    # Rewrite the source address of everything that leaves via ppp0
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

    # Drop new TCP connections that do not start with a SYN, then allow
    # anything coming in from the LAN and the replies belonging to it
    $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Enable IPv4 forwarding in the kernel
    echo "1" > /proc/sys/net/ipv4/ip_forward
    -----------------------------------------------------------------------------------------------------------------

    Edit: Inserted the missing 'state' in the last line.

    Pls. be aware that this is NO FIREWALL but masquerading only!!!!

    Cheers,
    OldGuy
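    OldGuy's script leaves INPUT set to ACCEPT, so every service on the routing PC (sshd included) stays reachable from the ppp0 side. The following added example (not OldGuy's or SliTaz's own script) keeps the same masquerading but gives the routing PC itself a default-DROP INPUT chain; it assumes the interface names from this thread, the 172.16.0.0/12 LAN range proposed later in the thread, and that SSH is the only service the LAN needs from the box.

```shell
#!/bin/sh
# Added example, not OldGuy's script: the same MASQUERADE setup with a
# default-DROP INPUT chain, so the routing PC itself is not reachable from
# the Internet side while it forwards for the LAN.
# Assumptions: interface names from the thread, the 172.16.0.0/12 LAN that
# OldGuy proposed, and SSH as the only service offered to LAN hosts.
INET_IFACE="${INET_IFACE:-ppp0}"
LAN_IFACE="${LAN_IFACE:-eth0}"
LAN_NET="${LAN_NET:-172.16.0.0/12}"

# Emit the rule set, one iptables command per line.
build_rules() {
    cat <<EOF
iptables -t nat -F
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i $LAN_IFACE -s $LAN_NET -p icmp -j ACCEPT
iptables -A INPUT -i $LAN_IFACE -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_NET -j MASQUERADE
EOF
}

# Pass "apply" to load the rules and turn on forwarding (needs root).
# Without it the function is a dry run and only prints the commands.
apply_rules() {
    if [ "$1" = "apply" ]; then
        build_rules | sh -e && echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        build_rules
    fi
}

apply_rules "$1"
```

Run as `sh nat.sh` to review the rules and `sh nat.sh apply` as root to load them.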
  • foxsam January 2011
    This is without ethernet cable plugged in:
    it works and connects to the internet.

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    68.28.113.71    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
    0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0


    This is after I connected ethernet:
    I had to start dhcp to listen by clicking start in netbox dhcp tab.

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    68.28.113.71    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
    192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    0.0.0.0         192.168.0.11    0.0.0.0         UG    0      0        0 eth0
    0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0


    I get an error running the script (if I did it right)

    iptables v1.4.5: Couldn't load match `--state':/usr/lib/iptables/xtables/libipt_--state.so: cannot open shared object file: No such file or directory

    Try `iptables -h' or 'iptables --help' for more information.


  • Trixar_za January 2011
    @OldGuy Last time I checked iptables was part of Linux's firewall :-/

    @foxsam What kind of connection are you trying to use with ppp0?
  • foxsam January 2011
    @Trixar_za If I understand your question:

    I am trying to get what OldGuy said above:
    Internet -> mobile device (USB 3g modem)-> [ ppp0 -> PC -> eth0 ]
    -> [eth0 -> router (WAN port) -> wlan0] --wireless-- [wlan0 -> hostPC]

    But I am really stuck before that:

    Internet -> mobile device (USB 3g modem)-> [ ppp0 -> PC -> eth0 ]
    -> [eth0 -> LAN(via router LAN port)]

    When ethernet is connected it (I think) looks on the LAN segment for internet IPs.
  • OldGuy January 2011
    @Trixar_za - Indeed "part of". Just because one uses some software, which usually is used to set up a firewall, doesn't mean that you'll have a firewall at the end of it. To my understanding a firewall does a lot more than 'only' masquerading. The script I put up doesn't provide much more than NAT and foxsam should be aware that he will not get a real firewall with this script. ;-)

    @foxsam - It seems there is a 'Default Gateway' (192.168.0.11) configured in your eth0-Interface setup. There can be only one (where did I hear that one before :-) ) 'Default Gateway' in a router. Therefore check your eth0 setup and delete the gateway entry.

    As for the problem with the library: it seems there are some unsolved dependencies with your iptables installation.
  • foxsam January 2011
    Where do I remove the default gateway from? I don't think it is set anywhere. Can it be getting it from dhcp?

    what to do about iptables to fix it?
  • Gokhlayeh January 2011
    Hi,

    when iptables is installed SliTaz sets up the firewall using /etc/firewall.conf - which already contains some basic rules. Note it also drops all forwarding by default.
    This file can be useful to set up your own configuration, including masquerading etc...
    And by default it doesn't prevent any direct connection to the net, or direct local connection, it just drops input from unknown senders.
  • ernia January 2011
    If I don't get it wrong, in the route -n output you have two destination 0.0.0.0 fields, so packets go away through the first catch, which in your case is eth0, which I suppose is not what you want.
    route del default gw 192.168.0.11 dev eth0 should delete the wrong route: http://linux.die.net/man/8/route
    If I understood what you are trying to do, I think that if you want to use your box as a ppp NAT server for your network you should not start dhcp but start eth0 with a fixed address and without a default gw, then configure the default gw in the wlan-lan router to point to your box.
    OldGuy's iptables rules should do the forwarding job.
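    The check ernia describes, written out as an added example (not part of the thread): parse a "route -n" dump, count default routes, name the interface that actually carries Internet-bound traffic, and print the route del command for the stale entry. The input is a constructed copy of foxsam's second routing table above.

```shell
#!/bin/sh
# Added example (not from the thread): look at "route -n" output for the
# symptom ernia describes, more than one destination 0.0.0.0. With equal
# metrics the kernel uses the first default route listed, so that interface
# wins. ROUTE_OUTPUT is a constructed copy of foxsam's second table.
ROUTE_OUTPUT='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
68.28.113.71    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.0.11    0.0.0.0         UG    0      0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0'

# Print "iface gateway" for every default route (destination and genmask
# both 0.0.0.0), in table order. Reads route -n output from stdin.
default_routes() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8, $2 }'
}

# Number of default routes; more than one means the first shadows the rest.
count_default_routes() {
    default_routes | wc -l | tr -d ' '
}

# The interface that will actually carry Internet-bound traffic.
active_default_iface() {
    default_routes | awk 'NR == 1 { print $1 }'
}

# Print a "route del" command for every default route NOT on the wanted
# interface. Usage: stale_default_fix WANTED_IFACE < route_output
stale_default_fix() {
    default_routes | awk -v want="$1" '$1 != want {
        if ($2 == "0.0.0.0") printf "route del default dev %s\n", $1;
        else printf "route del default gw %s dev %s\n", $2, $1 }'
}

n=$(printf '%s\n' "$ROUTE_OUTPUT" | count_default_routes)
if [ "$n" -gt 1 ]; then
    via=$(printf '%s\n' "$ROUTE_OUTPUT" | active_default_iface)
    echo "WARNING: $n default routes, Internet traffic currently leaves via $via"
    echo "Commands to keep only ppp0 as default route:"
    printf '%s\n' "$ROUTE_OUTPUT" | stale_default_fix ppp0
fi
```

On a live box replace the constructed table with `route -n | stale_default_fix ppp0` and review the printed command before running it.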
  • OldGuy January 2011
    @foxsam - Just to make sure: We are talking about SliTaz (what version?) on your routing-PC, right?

    Also, could you pls. describe in more detail how your networks are setup?
    It seems that your eth0 interface still gets an IP address assigned by a DHCP-server.
    As we are talking about a multi network setup, it is crucial to understand your physical and logical network setup.
    Can you therefore pls. fill in the missing information?

    net1:
    Internet -> (USB 3g modem) -> usb-cable -> (ppp0 [routing PC])

    net2:
    ([routing PC] eth0) -> crossover cable/hub/switch?? -> (wan0 [Router])
    Which other devices are physically connected to this network? (DHCP-server?)
    If this is connected through a hub/switch, is this the multiport LAN side of your wifi-router?
    What is the wan0-interface IP-setting on the wifi-router? Static or DHCP?

    net3:
    ([Router] eth0) -> crossover cable/hub/switch?? -> (eth0 [local PC])
    Which IP-address/Netmask combinations are used in this network?
    Which other devices are physically connected to this network? (DHCP-server?)

    If this is connected through a hub/switch, is this the multiport LAN side of your wifi-router?


    net4:
    ([Router] wlan0) -> wireless -> (wlan0 [mobile PC])

    Which IP-address/Netmask combinations are used in this network?


    Cheers
  • OldGuy January 2011
    Sorry, there was something missing in the script I provided. :-(

    Pls. change
    $IPTABLES -A FORWARD -m --state ESTABLISHED,RELATED -j ACCEPT

    to
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    This should fix the "... /libipt_--state.so: cannot open shared object file ..." problem. ;-)

    Cheers
  • foxsam January 2011
    Thanks for all the help :) I am too new to realise that I was going to confuse so many people with missing info.

    First of all I am using SliTaz 3.0

    Here is what you wanted to know (i probably will still miss something but it is not intentional)

    net1:
     I think this is clear. USB modem connected using wvdial.

    net2:
     is really 2 separate problems in different scenarios. The one I want to keep is B.

    net2A:
     ([routing PC] eth0) -> link port of wireless router getting assigned IP via dhcp. Connected to the router is another computer wirelessly. I can only use net1 OR net2A in this setting, not both at the same time.

    net2B:
     I want to connect ([routing PC] eth0) -> WAN port which is set as static. (I am pretty sure it can work if masquerade works. It has a setting for the port to be "IP Routing", and get its IP from dhcp which I think means that it works as a regular client and connects it to the other ports.) and hope to be able to connect to both net1 and net2.
     The router has busybox and I can telnet in and post what some commands return like route -n, ifconfig etc.. if it will help..


    net3:
    none (if I understand...)

    net4:
    wifi to other computers that I want to be able to access internet and servers running on [router PC] and [router]. Not sure how they are set up. How should I check?
  • OldGuy January 2011
    Hmm...,
    I'm still a bit confused.

    Are you using anything (hub/switch), besides your wifi-router, to interconnect PC's within your local network?

    Can you provide more information on the wifi-router (Brand, Model)?

    Is the 3g modem the only access to the internet or is it just an alternative to some DSL/cable?
  • foxsam January 2011
    Ok. Thanks for helping me get this straight.

    The router is *it*.

    The router is a Verizon/Westell 7501,
    very robust capabilities:
    https://sites.google.com/a/tds.net/unlock-your-verizon-westell-7501-wireless-g-router/

    It looks like it can do what I want from another wireless router as a wireless client too.
    http://www.dd-wrt.com/phpBB2/viewtopic.php?t=65443&postdays=0&postorder=asc&start=750&sid=b993125f92a15c97526ef0b71035bb83

    3g is the *only* way I connect to the internet.
  • foxsam January 2011
    I *think* if I can get it to the stage that if I skip the router in the middle and use a crossover to another PC and it works, then I can get it working via the router. At least that will be a router issue, not a SliTaz issue.

    BTW I *love* SliTaz for what it is. Small and light.
  • OldGuy January 2011
    Ok, then let's approach this step by step.

    Modify your /etc/network.conf as follows:
    INTERFACE="eth0"
    DHCP="no"
    STATIC="yes"
    IP="172.16.0.1"
    NETMASK="255.240.0.0"
    GATEWAY=""
    DNS_SERVER=""
    WIFI="no"

    Restart networking "#>/etc/init.d/network restart"

    Run the script I previously provided to enable NAT and forwarding.

    Thereafter, pls. configure a PC with the following fixed IP configuration:
       ip = 172.16.0.10
       netmask = 255.240.0.0
       default gateway = 172.16.0.1
       dns server = (use the IP address of the dns-server provided from your ISP via the ppp0 Interface of the Slitaz PC)
    and connect it with a cross-over cable to eth0 of the Slitaz PC.
    (Instead of using a cross-over cable you now also could connect both PCs to the LAN side of the 7501 and use this as a switch between the PCs)

    You should now be able to browse through the Internet at the same time from both PCs.

    Keep us updated on how things are going.
  • foxsam January 2011
    I am now writing this post from my laptop connected via crossover from the SliTaz router PC which is connected via modem. If you can read this that means that masquerading is working.

    I am a little stuck though because on SliTaz I can ping google.com but midori does not work. It cannot resolve addresses. I will need to look into it later.

    Thanks for all the help and support. I will keep you posted on stage 2, getting the router working, I did not get a chance to try yet.

    :) :)
  • OldGuy January 2011
    Ok, first step done. :-)

    As for the wifi-router, could you pls. check in your manual what kind of options for the WAN side you have with the 7501?
    I think it would be best to configure it as a 'standard' router without NAT.
    If possible give the WAN interface a fixed/static IP-address (i.e. 172.16.0.100 NM 255.240.0.0 GW 172.16.0.1), disable NAT and directly connect it to the eth0-interface of your Slitaz PC.
    Configure the LAN side of the router to your needs (e.g. Network 192.168.0.1 NM 255.255.255.0 )
    Let the DHCP-server of the wifi router distribute the according IP-address range
    (e.g. 192.168.0.10 to 192.168.0.30 NM 255.255.255.0 DG 192.168.0.1 DNS xxx.xxx.xxx.xxx)
    For the DNS-server you have to use the information provided by your ISP!!

    The final step would be to add a static route on your Slitaz PC
    #> route add -net 192.168.0.0 netmask 255.255.255.0 gw 172.16.0.100

    Now everyone 'behind' the wifi-router should be able to access the Internet if the 3g-modem is connected.
    Everyone behind your wifi-router should now also be able to communicate with your Slitaz PC and the Slitaz PC should be able to reach each host 'behind' the wifi-router.

    Happy routing ... :-)
  • foxsam January 2011
    I am not sure exactly where I am up to :)
    The current setup is working nicely like this:
    modem -> slitaz pc -> LAN port router -> wireless -> laptops/wifi clients

    The router does work as if it was connected to the internet as far as the wireless clients connecting are concerned. Meaning I can connect wirelessly to the router and the internet. I can also connect to the ssh server on the SliTaz PC which is serving the internet to the router.

    The only part I want to fix is to get the router to give out dhcp so I don't need to set static IP for the computers connecting to wifi. I think if the SliTaz was connected to the WAN port this would be able to work.

    Also it seems that something somewhere in what we changed makes it that I need to manually set the dns server in SliTaz or else I cannot connect to the internet. I think that may be part of the static IP?

  • OldGuy January 2011
    Hmm ..., the DNS-server should be set when the ppp0 dialup is completed.
    Nevertheless, as an interim solution you could set the IP-address of your provider's DNS-server in the DNS entry of /etc/network.conf.

    As for the static IPs of your hosts, this will be fixed when the router is correctly setup.

    Could you pls. research the 'static IP' config of the WAN side of the wifi-router and let us know what possibilities there are?

    If possible test the configuration I mentioned before:

    If possible give the WAN interface a fixed/static IP-address (i.e.
    172.16.0.100 NM 255.240.0.0 GW 172.16.0.1), disable NAT and directly
    connect it to the eth0-interface of your Slitaz PC.
    Configure the LAN side of the router to your needs (e.g. Network 192.168.0.1 NM 255.255.255.0 )
    Let the DHCP-server of the wifi router distribute the according IP-address range
    (e.g. 192.168.0.10 to 192.168.0.30 NM 255.255.255.0 DG 192.168.0.1 DNS xxx.xxx.xxx.xxx)
    For the DNS-server you have to use the information provided by your ISP!!

    BTW, do you have a pdf-manual for your router ?
  • foxsam January 2011
    I tried that configuration to connect 2 PCs using a crossover cable. It worked fine.

    I am working on the router side of things to get this working. I am sure that it can be done. The router is very flexible.
    A very interesting guide to getting the router to be a print server and ftp. It has a script to put in the firewall that starts the servers. I can probably get it done in the firewall setting page.

    pdf guide:
    download
    view
  • foxsam January 2011
    Maybe I can keep this setup and set up a dhcp server on SliTaz. I think it may make more sense to have all in one place.
    Don't worry, I'll be around for a while. I am still stuck on a few other unrelated points.

    I am trying to get my printer set up and trying to get the modem to connect with bluetooth.