Bridging interfaces and the internet
Guillermo Garron
ggarron at alketech.com
Tue Nov 1 14:25:54 UTC 2005
Paul Howarth wrote:
> Justin Willmert wrote:
>
>> Paul Howarth wrote:
>>
>>> Nigel Wade wrote:
>>>
>>>> Justin Willmert wrote:
>>>>
>>>>> I just set up a desktop with two network cards and have got a
>>>>> bridge working between the two. That is not what my problem lies
>>>>> in though. I would like for the box to be able to connect to the
>>>>> internet also, but if I understand what I've set up correctly, I
>>>>> can't do that with my current setup. When I've tried to give one
>>>>> of the network cards an IP address, nothing but lo works, so I
>>>>> know there's something missing. I'll add my configuration at the
>>>>> bottom, but shortly, br0 is configured with an IP address, and
>>>>> eth0 and eth1 have none. Now, I know br0 is capable of at least a
>>>>> network connection because as I type this, I'm currently SSHed
>>>>> into the box, but if I try to ping anything, all the packets
>>>>> are lost.
>>>
>>> What IP address are you ssh'ed into the box from? Can you ssh back
>>> to that IP from the bridge machine? Might the ping issue be due to
>>> firewall rules (e.g. blocking ICMP packets)?
>>>
>>
>> OK, I thought I had my firewall set up correctly, because I had a
>> default policy to accept on the OUTPUT and FORWARD chains so I never
>> thought that'd be a problem, but when I shut it off, it does work. So
>> now I guess my question would be, what special rules do I need to
>> create to allow this bridge setup to work with a firewall? Here is my
>> firewall script.
>>
>> ===================== setup-firewall-rules =====================
>> #!/bin/sh
>>
>> # Delete all rules
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>>
>> # Setup policies
>> iptables --policy INPUT DROP
>> iptables --policy OUTPUT ACCEPT
>> iptables --policy FORWARD ACCEPT
>>
>> # Always trust the loopback interface
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>>
>> # Enable packet forwarding
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> # Allow already opened connections
>> # (Only need INPUT right now 'cause it's the only one with DROP policy)
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> # Accept SSH connections
>> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
>>
>> # Accept VNC connections
>> iptables -A INPUT -p tcp --dport 5801 -m state --state NEW -j ACCEPT
>> iptables -A INPUT -p tcp --dport 5901 -m state --state NEW -j ACCEPT
>
> I'm not an iptables or firewall expert so I may be wrong but it looks
> to me like the default DROP policy for the INPUT chain may be the
> issue. I think connection tracking may only work with TCP-based
> protocols such as ssh, which means that ICMP (e.g. ping) and UDP (e.g.
> DNS) may be problematic with this configuration. You may have to add
> rules to allow these types of traffic in.
>
>> The 10 second pause in the output also has to do with the firewall.
>> When I shut down the firewall, it shows up immediately.
>
> That's probably a DNS issue. Try using the "-n" option to "route" to
> turn off DNS lookups and see if you still get the delay with the
> firewall on.
>
> Paul.
>
Dear friend,
I have a box with two NICs, one with Internet and the other internal, set
up as a firewall and doing NAT. This is my iptables configuration and it
really works:

# Delete and flush. Default table is "filter". Others like "nat" must be
# explicitly stated.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
# (alternative SNAT lines for other uplinks, left commented out)
#iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to-source 200.87.61.88
#iptables --table nat --append POSTROUTING --out-interface eth2 -j SNAT --to-source 200.105.201.226
iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to-source 200.87.61.88
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

######################
# (the filter table was already flushed above; a second "iptables -F" here
# would discard the FORWARD rule just added, so it is not repeated)
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Replies to connections the box itself opened, on every interface
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
###uncomment this!!!!
# Reject TCP packets that carry no MSS option (non-SYN packets not matched
# above as part of an established connection)
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
####
## Allow SSH from network 1
iptables -A INPUT -s 10.1.1.0/24 -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -i eth1 -p udp --dport 22 -j ACCEPT
##
## Allow access to port 80 only from the intranet
iptables -A INPUT -p tcp -i eth1 -s 10.1.1.0/24 --dport 80 -j ACCEPT
##
# Transparent Squid proxy
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p udp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --sport 3128 -j ACCEPT
iptables -A INPUT -p udp --sport 3128 -j ACCEPT
##
# Send web traffic from the internal network to Squid
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
## end of new method
##
#iptables -A INPUT -p tcp --syn -s 10.1.1.0/24 --destination-port 139 -j ACCEPT
#iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
# Default policy, set last so nothing is locked out while the rules load
iptables -P INPUT DROP
########
# routing table
####
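Before adding accept rules for whatever the INPUT DROP policy is discarding, it is worth seeing exactly what is dropped. The script below is an added example and not code from anyone in the thread: it builds a minimal rule set for a bridge host (the bridge name br0 and the SSH port come from Justin's setup; the LOG prefix, the rate limits and the sample log lines are constructed assumptions), ends the INPUT chain with a rate-limited LOG rule so that anything the policy drops shows up in the kernel log, and summarises such log lines by protocol and destination port.

```shell
#!/bin/sh
# Added example, not from the thread. IPT=echo prints the rules instead of applying them.
: "${IPT:=iptables}"
: "${BR:=br0}"    # bridge interface, as in Justin's setup
bridge_firewall() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT    # bridged frames traverse FORWARD, keep it open
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to traffic the box started; conntrack covers UDP and ICMP echo as well as TCP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Let other hosts ping the box, rate-limited
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    $IPT -A INPUT -i "$BR" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Log (rate-limited) what the DROP policy is about to discard
    $IPT -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT-DROP: "
}
# Count logged drops per protocol and destination port (or ICMP type), kernel log lines on stdin
summarize_drops() {
    grep 'INPUT-DROP:' | awk '{
        proto = ""; dpt = ""; typ = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "TYPE") typ = kv[2]
        }
        key = proto
        if (dpt != "") key = key "/" dpt
        if (typ != "") key = key "/type" typ
        n[key]++
    } END { for (k in n) print k, n[k] }' | sort
}
# Constructed sample of LOG output (not captured from a real host)
SAMPLE_LOG=$(cat <<'EOF'
Nov  1 14:25:54 br kernel: INPUT-DROP: IN=br0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=84 TTL=64 PROTO=ICMP TYPE=0 CODE=0
Nov  1 14:25:55 br kernel: INPUT-DROP: IN=br0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TTL=64 PROTO=UDP SPT=53 DPT=32768
Nov  1 14:25:56 br kernel: INPUT-DROP: IN=br0 OUT= SRC=192.168.1.7 DST=192.168.1.2 LEN=52 TTL=64 PROTO=TCP SPT=41000 DPT=445 SYN
Nov  1 14:25:57 br kernel: INPUT-DROP: IN=br0 OUT= SRC=192.168.1.7 DST=192.168.1.2 LEN=52 TTL=64 PROTO=TCP SPT=41001 DPT=445 SYN
EOF
)
case "${1:-}" in
    apply)   bridge_firewall ;;
    summary) printf '%s\n' "$SAMPLE_LOG" | summarize_drops ;;
esac
```

Run it with "apply" as root to load the rules, with "summary" to see the breakdown of the constructed sample, or with IPT=echo to print the rules instead of applying them.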