No Internet Connection

Jason Opperisano opie at 817west.com
Fri Sep 10 17:33:19 CEST 2004


On Fri, 2004-09-10 at 10:49, Giancarlo Boaron wrote:
> So, here goes my script:
> 
> INET_IP=`ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d ' ' -f 2`

maybe this is an ifconfig quirk, but that does not produce an IP address
on my machine here (FC1).  it actually produces nothing.  the working
version here is:

ifconfig eth0 | grep inet | cut -d : -f 2 | cut -d ' ' -f 1

however, might i suggest:

ip -4 -o addr sh eth0 | awk 'NR==1 {print $4}' | cut -d/ -f1

> $IPTABLES -N tcp_invalidos
> 
> $IPTABLES -A tcp_invalidos -p tcp --tcp-flags SYN,ACK SYN,ACK \
>     -m state --state NEW -j REJECT --reject-with tcp-reset
> $IPTABLES -A tcp_invalidos -p tcp ! --syn -m state --state NEW -j LOG \
>     --log-prefix "Novo nao SYN:"
> $IPTABLES -A tcp_invalidos -p tcp ! --syn -m state --state NEW -j DROP

there's a state called INVALID ("-m state --state INVALID") that could
probably do most of the work for you here...

> $IPTABLES -A OUTPUT -p tcp -j tcp_invalidos
> 
> $IPTABLES -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
> 
> $IPTABLES -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> $IPTABLES -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
> 
> $IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
> 
> $IPTABLES -A OUTPUT -p tcp --dport 80 -s $INET_IP -o $INET_IFACE -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 443 -s $INET_IP -o $INET_IFACE -j ACCEPT
> $IPTABLES -A OUTPUT -p tcp --dport 21 -s $INET_IP -o $INET_IFACE -j ACCEPT
> 
> # ICQ:
> $IPTABLES -A OUTPUT -p tcp -d 64.12.163.197 -o $INET_IFACE -j ACCEPT

are you running an ICQ client on your firewall?  the above rule implies
that you are.  i can't say i recommend this at all.  if your intention
is to allow ICQ *through* the firewall--this rule belongs in FORWARD.

> $IPTABLES -A INPUT -p tcp -j tcp_invalidos
> 
> $IPTABLES -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
> 
> $IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
> 
> # SQUID:
> $IPTABLES -A INPUT -i $LAN_IFACE -p tcp --dport 80 -j ACCEPT
> 
> $IPTABLES -A FORWARD -p tcp -j tcp_invalidos
> 
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> $IPTABLES -A FORWARD -m mac --mac-source $Mac1 -j ACCEPT
> $IPTABLES -A FORWARD -m mac --mac-source $Mac2 -j ACCEPT
> $IPTABLES -A FORWARD -m mac --mac-source $Mac3 -j ACCEPT
> $IPTABLES -A FORWARD -m mac --mac-source $Mac4 -j ACCEPT
> 
> $IPTABLES -A FORWARD -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -p udp --dport 53 -j ACCEPT
> 
> $IPTABLES -A FORWARD -d <my pop server> -p tcp --dport 110 \
>     -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -d <my smtp server> -p tcp --dport 25 \
>     -i $LAN_IFACE -j ACCEPT
> 
> $IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -p tcp --dport 443 -i $LAN_IFACE -j ACCEPT
> 
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
> 
> That's it. Another question: When I configure this
> script to run automatically after rebooting the
> server, I receive this error message (3 times): "Bad
> argument eth0", so the script doesn't work, and neither
> does my Internet access from my LAN, and I can't find
> where the error is.

it's probably related to the fact that your $INET_IP variable expands to
a text string, not an IP address.

> However, after rebooting the server and logging in as
> root, I can run the script from the command line. It works
> and my LAN can access the Internet during that short
> time (about 20 minutes. However, I didn't test the
> DHCP rules to check if it continues to happen).

are you running your firewall script before your external interface has
an IP address?  if so--this would explain it.  your DHCP client is most
likely being spawned by your /etc/init.d/network script, which usually
kicks off pretty early in rc2.

i cannot explain the "20 minute" phenomenon you refer to.

-j

-- 
Jason Opperisano <opie at 817west.com>
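Added example, not part of the original thread and not Giancarlo's or Jason's script: a small POSIX sh version of the two suggestions made above, namely pulling the address out of "ip -4 -o addr show" and refusing to load the SNAT rule until DHCP has actually assigned one, plus a tcp_invalidos chain built on "--state INVALID". The function names (parse_ipv4, iface_ipv4, wait_for_ipv4, build_rules), the constructed sample line of "ip" output, and the "echo iptables" dry-run default are all assumptions of this example, not anything from the list post.

```shell
#!/bin/sh
# Added example (not from the netfilter thread). Assumes iproute2's "ip" is
# installed. IPTABLES defaults to a dry run ("echo iptables") so the ruleset
# can be inspected without root; set IPTABLES=/sbin/iptables for real use.

# Print the first IPv4 address found in "ip -4 -o addr show <iface>" output.
# Reads stdin so it can be exercised with constructed sample lines.
# Field layout of one-line (-o) output: "<idx>: <iface> inet <addr>/<plen> ..."
parse_ipv4() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Print the interface's IPv4 address; exit non-zero if it has none yet.
# This is the check the original script lacked: INET_IP must never be empty
# or a stray text string by the time it reaches "--to-source".
iface_ipv4() {
    addr=$(ip -4 -o addr show "$1" 2>/dev/null | parse_ipv4)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Poll until the interface has an address, for up to $2 seconds (default 60).
# Needed when the firewall script runs from rc before the DHCP client has
# finished configuring the external interface.
wait_for_ipv4() {
    iface=$1
    tries=${2:-60}
    while [ "$tries" -gt 0 ]; do
        if a=$(iface_ipv4 "$iface"); then
            printf '%s\n' "$a"
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Emit the ruleset for external interface $1 with address $2.
build_rules() {
    INET_IFACE=$1
    INET_IP=$2
    IPTABLES=${IPTABLES:-"echo iptables"}

    $IPTABLES -N tcp_invalidos
    # Let conntrack flag packets that fit no known connection (bad flag
    # combinations, out-of-window segments, SYN,ACK with no SYN seen, ...).
    $IPTABLES -A tcp_invalidos -p tcp -m state --state INVALID \
        -j LOG --log-prefix "INVALID tcp: "
    $IPTABLES -A tcp_invalidos -p tcp -m state --state INVALID -j DROP
    # Caveat: with the kernel's default loose TCP tracking, a mid-stream ACK
    # for an unknown connection is classed NEW, not INVALID, so the
    # "new connection must be a bare SYN" rule is still worth keeping.
    $IPTABLES -A tcp_invalidos -p tcp ! --syn -m state --state NEW -j DROP

    $IPTABLES -A INPUT   -p tcp -j tcp_invalidos
    $IPTABLES -A FORWARD -p tcp -j tcp_invalidos
    $IPTABLES -A OUTPUT  -p tcp -j tcp_invalidos

    # SNAT only once we hold a real address for the external interface.
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
}

# Usage from an rc script (as root, with IPTABLES=/sbin/iptables exported):
#   INET_IP=$(wait_for_ipv4 eth0 60) || { echo "eth0 has no IPv4 address" >&2; exit 1; }
#   build_rules eth0 "$INET_IP"
```

Run with the default IPTABLES the script just prints the rules it would load, which is a convenient way to see exactly what "--to-source" expands to before trusting it at boot.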



