
Thread: Problem setting up iptables

  1. #1
    Join Date
    Jul 2013
    Beans
    46

    Problem setting up iptables

    I'm trying to set up iptables using this guide, "Ubuntu Internet Gateway Method (iptables)", found here: https://help.ubuntu.com/community/In...nectionSharing. When trying to save the changes, a couple of things are being rejected (see below).

    Code:
    tld@us1:~$ sudo ip addr add 192.168.0.1/24 dev eth1
    [sudo] password for tld: 
    RTNETLINK answers: File exists
    tld@us1:~$ sudo iptables -A FORWARD -o eth0 -i eth1 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
    tld@us1:~$ sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    tld@us1:~$ sudo iptables -t nat -F POSTROUTING
    tld@us1:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    tld@us1:~$ sudo iptables-save | sudo tee /etc/iptables.sav
    # Generated by iptables-save v1.4.12 on Thu Aug  1 09:49:57 2013
    *nat
    :PREROUTING ACCEPT [3:340]
    :INPUT ACCEPT [3:340]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Thu Aug  1 09:49:57 2013
    # Generated by iptables-save v1.4.12 on Thu Aug  1 09:49:57 2013
    *filter
    :INPUT ACCEPT [4052:193976]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2562:2290722]
    -A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i eth1 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A FORWARD -d 10.42.0.0/24 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.42.0.0/24 -i eth1 -j ACCEPT
    -A FORWARD -i eth1 -o eth1 -j ACCEPT
    -A FORWARD -o eth1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -d 10.42.0.0/24 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.42.0.0/24 -i eth0 -j ACCEPT
    -A FORWARD -i eth0 -o eth0 -j ACCEPT
    -A FORWARD -o eth0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i eth0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Thu Aug  1 09:49:57 2013
    tld@us1:~$
    I don't know much about this, any help would be appreciated.
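    As an added example that is not part of the thread: a small checker for the FORWARD chain in the iptables-save output above. It reports rules duplicated by re-running the same `iptables -A` commands, and rules that can never match because an earlier terminating rule (such as `-A FORWARD -i eth1 -j REJECT`) already decides every packet they describe. The chain text is a constructed copy of the paste, and the function names are my own.

```python
import shlex

# Constructed copy of the FORWARD chain from the iptables-save paste in post #1
FORWARD_RULES = """\
-A FORWARD -d 10.42.0.0/24 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j ACCEPT
-A FORWARD -o eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
"""
# --state and --ctstate are the same test; -m <module> and --reject-with <type> are not matches
MATCH_FLAGS = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst", "--state": "state", "--ctstate": "state"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    """Split one '-A CHAIN ...' line into (chain, {match: value}, target)."""
    toks, chain, matches, target = shlex.split(line), None, {}, None
    i = 0
    while i < len(toks):
        tok, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-A":
            chain = arg
        elif tok in MATCH_FLAGS:
            matches[MATCH_FLAGS[tok]] = arg
        elif tok == "-j":
            target = arg
        i += 2 if tok in MATCH_FLAGS or tok in ("-A", "-j", "-m", "--reject-with") else 1
    return chain, matches, target

def audit_chain(text):
    """Return (rule_no, problem, earlier_rule_no): 'duplicate' when an identical rule
    appears earlier; 'shadowed' when an earlier terminating rule's matches (same values)
    are a subset of this rule's, so every packet it could match was already decided."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]
    findings, seen = [], {}
    for n, (chain, m, tgt) in enumerate(rules, 1):
        key = (chain, tuple(sorted(m.items())), tgt)
        if key in seen:
            findings.append((n, "duplicate", seen[key]))
        seen.setdefault(key, n)
        for k, (pchain, pm, ptgt) in enumerate(rules[: n - 1], 1):
            if pchain == chain and ptgt in TERMINATING and pm.items() <= m.items():
                findings.append((n, "shadowed", k))
                break
    return findings
```

    Calling audit_chain(FORWARD_RULES) flags rule 11 and its copy at rule 13 as shadowed by rule 5 (`-i eth1 -j REJECT`), which is why the appended conntrack rules never take effect on this chain. The subset test is deliberately conservative: it does not reason about address prefixes, so partial overlaps are not reported.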

  2. #2
    Join Date
    Jul 2013
    Beans
    190

    Re: Problem setting up iptables

    Hi,

    I hope sooner or later some real iptables professional can help you. I think some of the rules like tcp --dport 53 -j ACCEPT should not be there.
    I don't understand your problem right. If you only want connection sharing you only need (I think)

    # the redirection must run as root, so wrap the command in sh -c
    sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    sudo iptables -t nat -A POSTROUTING -o yourinterface -j MASQUERADE

    If you deny anything it's possible that something like that is needed

    iptables -A INPUT -p tcp -m multiport --dports 80,443,22 -i $LAN_IF -s $LAN_RANGE -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -i $LAN_IF -s $LAN_RANGE -j ACCEPT
    iptables -A FORWARD -p udp --dport 53 -i $LAN_IF -o $WWW_IF -m state --state NEW -j ACCEPT
    iptables -A FORWARD -o $WWW_IF -i $LAN_IF -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    Hope it brings you further.

  3. #3
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    6,189
    Distro
    Xubuntu

    Re: Problem setting up iptables

    The only command I see being rejected is "sudo ip addr add 192.168.0.1/24 dev eth1", and the response "file exists" means that eth1 already has that address that you are trying to add.

    All the -j ACCEPT lines you have added are a waste of time because your default policies are ACCEPT anyway, and you don't have a single REJECT or DROP anywhere. So nothing is being blocked, and no need to list any exceptions that should be accepted.

    If you intend to do any IP forwarding, you need to enable IP forwarding in the Linux kernel. A command to enable this (that gets lost when you reboot) is:
    Code:
    sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    and to configure the PC to resume IP forwarding after reboot, edit the file /etc/sysctl.conf and remove the leading # from this line (line 28):
    Code:
    #net.ipv4.ip_forward=1
    What exactly are you trying to achieve (other than the masquerading)?

  4. #4
    Join Date
    Jul 2013
    Beans
    46

    Re: Problem setting up iptables

    What I'm trying to do is set a static IP for eth1 (the Ethernet NIC connected to the LAN) to 192.168.0.1. I have internet connection sharing set up already by editing the IPv4 settings to "shared to other computers" on eth1, but I can't change the IP range it is using (10.42.0.x). The Network Manager won't let me change the IP without changing the IPv4 settings to "Manual", but when I do that I lose internet connection sharing, and when I change it back to "shared to other computers" the IP address is changed back to the 10.42.0.x range again.

  5. #5
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    6,189
    Distro
    Xubuntu

    Re: Problem setting up iptables

    Why do you want to change the IP address of eth1?
    Are all the other computers on the eth1 LAN in the 10.42.0.x range?
    All the computers on that LAN have to agree what network number that LAN is.

    Do the other computers connected to eth1 have yours as their default gateway?
    You will need to arrange that (or have their existing default gateway forward to you).
    You may have to reconfigure the DHCP server or the existing router to use your PC as the internet router.

    What commands do you think are being rejected?

  6. #6
    Join Date
    Jul 2013
    Beans
    190

    Re: Problem setting up iptables

    Hi there,

    My English isn't very good, therefore I'm sorry if I understand something wrong.

    If eth1 is your internet connection you can't change its address to static in NetworkManager, you have to do
    that in your router first, I think.
    I removed the NetworkManager completely and use /etc/network/interfaces to configure my interfaces.
    If you don't know which commands are being rejected you should deny everything and implement first some
    logging. So you can view the /var/log/syslog to see which ports and services are being rejected. Then you
    can ask the internet if the rejected ones are necessary for you.

    # iptables logging
    iptables -A INPUT -j LOG --log-level debug --log-prefix "LOG_IN: "
    iptables -A OUTPUT -j LOG --log-level debug --log-prefix "LOG_OUT: "
    iptables -A FORWARD -j LOG --log-level debug --log-prefix "LOG_FOR: "

    use something like cat /var/log/syslog | grep LOG_IN:
    to view the logs
    Last edited by GwL3eNC; August 3rd, 2013 at 12:18 PM.

  7. #7
    Join Date
    Jul 2013
    Beans
    46

    Re: Problem setting up iptables

    Quote Originally Posted by The Cog View Post
    Why do you want to change the IP address of eth1?
    The computer I'm trying to change the IP address on has 2 NICs: 1 (eth0) goes to the modem and internet and 1 (eth1) goes to a switch that the other computers attach to. It is a shared internet connection, so the computer is acting as a router assigning IP addresses to the other computers. If the other computers have an IP that is out of the range of eth1 then the computers can't see each other.
    If the computers can't see each other, the computer I'm trying to change the IP address on can't share its internet connection with the other computers. Also it is a HTPC with hundreds of movies on it that it shares with the other computers in the house; it also has media software that allows you to watch and record live TV, and the signal for the live TV comes from 1 of the Windows computers attached to the computer that I'm trying to change the IP range on.
    In other words the live TV and media file sharing along with the internet sharing don't work if the computers don't see each other, so I want to set static IPs for all the computers in the LAN.

    The computer I'm trying to change the IP address on is a dual boot computer with Ubuntu and Windows Vista, and this is where the problem arises: when the computer is booted to Linux the IP range is in the 10.42.0.x range and if it is booted to Vista the IP range is 192.168.0.x, so if I need to boot to Vista to defrag the media files or some other reason, no one in the house can watch any live TV, recorded series, movies or access the internet. As you can imagine it makes me very unpopular when this is necessary.

    Quote Originally Posted by The Cog View Post
    Are all the other computers on the eth1 LAN in the 10.42.0.x range?
    They are right now, as I have Ubuntu running on the media server and all the other computers and media software IPs set to the 10.42.0.x range.

    Quote Originally Posted by The Cog View Post
    All the computers on that LAN have to agree what network number that LAN is.
    Sorry but this is incorrect. It is a shared internet connection, so the computer with the shared internet connection is acting as a router assigning IP addresses to the other computers.

    Quote Originally Posted by The Cog View Post
    Do the other computers connected to eth1 have yours as their default gateway?
    Yes, the computer that I'm trying to change the IP range on is the default gateway. They are all my computers, just in different parts of the house.

    Quote Originally Posted by The Cog View Post
    You will need to arrange that (or have their existing default gateway forward to you).
    You may have to reconfigure the DHCP server or the existing router to use your PC as the internet router.
    Everything works. The computer that I'm trying to change the IP range on is the default gateway and it all works until I need to boot to Vista; then the complaining starts, as it takes hours to defrag 4 TBs (and growing) of media files, but it's a big hassle to change all the IP addresses to the 192.168.0.x range while it's booted to Vista, then back to the 10.42.0.x range when I'm done.

    Quote Originally Posted by The Cog View Post
    What commands do you think are being rejected?
    Code:
    sudo ip addr add 192.168.0.1/24 dev eth1

    This isn't working because it doesn't change the IP of eth1

    Code:
    -A FORWARD -o eth1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -d 10.42.0.0/24 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.42.0.0/24 -i eth0 -j ACCEPT
    -A FORWARD -i eth0 -o eth0 -j ACCEPT
    -A FORWARD -o eth0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i eth0 -j REJECT --reject-with icmp-port-unreachable
    This section appears to have several lines rejected.

  8. #8
    Join Date
    Jul 2013
    Beans
    46

    Re: Problem setting up iptables

    Quote Originally Posted by GwL3eNC View Post
    Hi there,
    If eth1 is your internet connection you can't change its address to static in NetworkManager, you have to do
    that in your router first, I think.
    eth0 is the internet connection; eth1 goes to a switch that the other computers attach to (the LAN). It already has a static IP, 10.42.0.1.
    It is a shared internet connection, so the computer is acting as a router assigning IP addresses to the other computers.

    Quote Originally Posted by GwL3eNC View Post
    I removed the NetworkManager completely and use /etc/network/interfaces to configure my interfaces.
    Yes, this is what I was trying to do when I followed this guide, "Ubuntu Internet Gateway Method (iptables)", found here: https://help.ubuntu.com/community/In...nectionSharing

    Quote Originally Posted by GwL3eNC View Post
    If you don't know which commands are being rejected you should deny everything and implement first some
    logging.
    Code:
    sudo ip addr add 192.168.0.1/24 dev eth1

    This isn't working because it doesn't change the IP of eth1



    Code:
    -A FORWARD -o eth1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -d 10.42.0.0/24 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.42.0.0/24 -i eth0 -j ACCEPT
    -A FORWARD -i eth0 -o eth0 -j ACCEPT
    -A FORWARD -o eth0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i eth0 -j REJECT --reject-with icmp-port-unreachable
    This section appears to have several lines rejected. If you think logging will help I'm willing to try that, but I wouldn't be able to understand what is going on as I don't know much about this stuff. This is way above my head; that's why I'm here.

    If you like I will do this and post the results here?

    This setup is working. The problem is the computer I'm trying to change the IP address on is a dual boot computer with Ubuntu and Windows Vista, and this is where the problem arises: when the computer is booted to Linux the IP range is in the 10.42.0.x range and if it is booted to Vista the IP range is 192.168.0.x, so if I need to boot to Vista to defrag the media files or some other reason, no one in the house can watch any live TV, recorded series, movies or access the internet. As you can imagine it makes me very unpopular when this is necessary.

    Quote Originally Posted by GwL3eNC View Post
    So you can view the /var/log/syslog to see which ports and services are being rejected. Then you
    can ask the internet if the rejected ones are necessary for you.

    # iptables logging
    iptables -A INPUT -j LOG --log-level debug --log-prefix "LOG_IN: "
    iptables -A OUTPUT -j LOG --log-level debug --log-prefix "LOG_OUT: "
    iptables -A FORWARD -j LOG --log-level debug --log-prefix "LOG_FOR: "

    use something like cat /var/log/syslog | grep LOG_IN:
    to view the logs

  9. #9
    Join Date
    Jul 2013
    Beans
    190

    Re: Problem setting up iptables

    Hello!

    I really want to help you. The problem is that I'm also not a genius. I have never used a switch nor seen one. I only have some
    laptops and they have no WLAN. On a little Aspire which has WLAN and downloads my movies I've installed an isc-dhcp server (see the Ubuntu server
    manual) and configured it, so every other computer connected to its LAN interface automatically gets an IP address out of the same range.

    This is my /etc/network/interfaces
    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface. dynamic DHCP
    auto wlan0
    iface wlan0 inet dhcp
    wpa-ssid xxxxxxxxxxxxxxxx
    wpa-psk xxxxxxxxxxxxxxxxx
    pre-up iptables-restore < /etc/iptables.rules

    auto eth0
    iface eth0 inet static
    address 192.168.0.1
    netmask 255.255.255.0

    As you can see, my wlan gets its IP automatically from my router. There I've selected that the Aspire device always gets
    the same address.

    At this point no other computer connected to the Aspire's LAN could go to the internet because of the connection sharing. I remember that only two
    things are important. Enabling IP forwarding: The Cog showed both possible ways to do it. The other thing is one iptables
    command. I'm not sure about that command but I think I showed the right one in my first reply above. The minimal script, I
    think, is

    #!/bin/bash

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -o eth0 -t nat -A POSTROUTING -j MASQUERADE

    And, why don't you change the Windows settings to 10.42.0.x? You can give the adapter the same range as in Ubuntu. Then
    you also have to configure Windows to share its connection, install a DHCP server or so. Then all the others can watch things.
    Last edited by GwL3eNC; August 3rd, 2013 at 08:38 PM.

  10. #10
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    6,189
    Distro
    Xubuntu

    Re: Problem setting up iptables

    So if I understand you right, everything works when you boot Ubuntu, and all your friends can access the internet through your PC (on 10.42.x.x).
    But when you boot into Vista to defrag, Vista boots with 192.168.x.x so all your friends stop working.
    So you want to reconfigure Ubuntu so that it matches Vista and uses 192.168.x.x instead of the current 10.42.x.x.
    Is this right?

    The command "ip addr add 192.168.0.1/24 dev eth1" adds an address to eth1 - it does not remove the old address.
    You should be able to see this by running the command "ip addr list" before and after the "ip addr add...". That should also confirm that the "ip add" is actually working.

    I would guess that if all the other computers get a 10 address if Ubuntu is running, but a 192 address if Vista is running, then both Vista and Ubuntu are running DHCP servers. I have no idea how to configure Ubuntu to run a DHCP server or how to change the address pool that it allocates from. I did find this however, which may help: http://www.ubuntugeek.com/how-to-ins...tu-server.html

    To confirm that Ubuntu is running a DHCP server, please can you post the output of this command:
    Code:
    sudo netstat -lntup
    I don't see in that linked article anywhere that sets the IP address of the local interface, so I wonder where your existing Ubuntu gets 10.42. from.
    Can you post the contents of /etc/network/interfaces and /etc/default/dhcp3-server ?
