Debian/Ubuntu Tips and Tricks

Debuntu


Iptables: How-to Share your internet connection

Posted by chantra on December 10th, 2006

This entry is part 1 of 4 in the series Iptables: How-to Share your internet connection

iptables is a command-line tool that lets system administrators configure the Linux kernel's packet-filtering rule set.

Using iptables, you can control packet filtering, Network Address Translation (NAT) and packet mangling, which together let you secure your server, share your Internet connection and log unwanted traffic.

iptables is not exactly an easy tool to get started with, but once you know the basics, it won't be that scary :).

This tutorial provides a sample script you can use to share your Internet access, and gives an overview of how to use iptables.

1. Introduction

Most people are put off when they hear the name iptables, because it is not an easy piece of software to understand: the man page is huge, and so are iptables' capabilities.
To set up a home router, you don't actually need to spend night after night going through the iptables man page; a grasp of the basics is enough to get your firewall up and running.

This tutorial provides a sample script you should be able to use out of the box, or at most after changing two parameters (the names of your Internet-facing and LAN interfaces).

2. Iptables

To understand what the firewall does, there are some basics you need to know. Here I'm going to go over how iptables handles network packets.

2.1. Chains and Rules

iptables uses chains of rules to decide whether or not a packet should be accepted. By default, the filter table has three built-in chains:

  • INPUT: the packet is destined for the machine running iptables
  • FORWARD: the packet is being routed through this machine to another machine
  • OUTPUT: the packet was generated by the machine running iptables and is going out

So when a packet reaches the firewall, the first thing the kernel does is make a routing decision: is the packet for this machine, or does it have to be forwarded to another one? Based on that, the kernel checks the packet against the rules of the appropriate chain, one rule at a time, in the order they were added.

2.2. Actions (Targets)

For each chain we define a list of rules, and for each rule an action (called a target in iptables jargon) to take when a packet matches it. The main actions are:

  • ACCEPT: let the packet through :)
  • REJECT: discard the packet and tell the source it was refused (by default with an ICMP port-unreachable error)
  • DROP: discard the packet silently, without telling the source anything

As soon as a packet matches a rule with one of these targets, the kernel applies that action and stops going through the chain (a few targets, such as LOG, are not terminating: the packet is logged and then continues to the next rule). If the packet matches no rule at all, the kernel applies the default policy defined for that chain. This is why the safe way round is a default policy of DROP on INPUT and FORWARD, with explicit ACCEPT rules for just the traffic you want: anything you forgot to allow is discarded rather than let through.

This being said, we can now get into the script.
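As an added example (this is not the Debuntu script from pages 2 to 4 of this series), here is a minimal rule set that puts the chains, targets and default policies described above to work for sharing an Internet connection. It is a shell function that prints the rules in iptables-restore format, so you can read exactly what would be loaded before loading it. The interface names eth0 (Internet side) and eth1 (LAN side) are assumptions, and loading the rules requires root.

```shell
#!/bin/sh
# Added example, not the script from this series: a minimal rule set for
# sharing an Internet connection, printed in iptables-restore format.
# Interface names are assumptions: eth0 = WAN (Internet), eth1 = LAN.
#
#   build_ruleset eth0 eth1                          # show the rules
#   build_ruleset eth0 eth1 | sudo iptables-restore  # load them (root)

build_ruleset() {
    wan=$1
    lan=$2
    cat <<EOF
*filter
# Default policies: anything not explicitly accepted on INPUT or FORWARD is
# silently dropped; the router's own outgoing traffic is allowed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to the router itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Unsolicited packets from the Internet are refused with an ICMP error
# (REJECT); replace with -j DROP to discard them silently instead.
-A INPUT -i $wan -j REJECT
# FORWARD: packets routed between LAN and WAN. LAN hosts may open
# connections outward; only replies to those connections come back in.
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source address of LAN packets leaving on the WAN interface
# to the router's own WAN address (MASQUERADE follows a dynamic address).
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Routing between interfaces must also be switched on in the kernel, or the
# nat rule alone does nothing:  sysctl -w net.ipv4.ip_forward=1

# Print the rules when run directly with two interface names.
if [ "$#" -eq 2 ]; then
    build_ruleset "$1" "$2"
fi
```

Loading the output with iptables-restore replaces the filter and nat tables in one atomic step, so you never end up with a half-applied script. If your Internet link is PPPoE, as in the comments below, pass ppp0 as the WAN name instead of eth0.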


22 Responses to “Iptables: How-to Share your internet connection”

  1. Hi, thanks for your great article.

    I have adapted your script to my Ubuntu server. It's my firewall; it's a PC used only for that.

    Right now my firewall can ping my local network, but the local network is not surfing the net. These PCs cannot go out.

    Do you have an idea? I do not have my DMZ and web server anymore, so only a local network and a PC firewall.

    firewall eth2 pings local network eth1
    local network eth1 does not go out on the web

    Thanks

    Nadia

  2. Yes, it's done; I did this at the beginning. I will look at it another time, because I have flushed the iptables script 2-3 times and started over; maybe it affected the sysctl... Do I need to put this enabling in the iptables script of the firewall?

  3. There is no need to have the sysctl settings in your iptables script. If you set it in /etc/sysctl.conf, it will be set at boot time.

    There might be something wrong in your firewall settings then.
    If all you need is to share your Internet connection, you can use a one-liner:
    iptables -t nat -A POSTROUTING -o eth0 -m comment --comment "LAN to Internet" -j MASQUERADE

    (replace eth0 by whichever interface is connected to the Internet)

  4. Everything is OK for the IP forwarding (=1).

    Also I have these lines in my iptables:

    $ipt -P INPUT DROP
    $ipt -P FORWARD ACCEPT
    $ipt -P OUTPUT ACCEPT
    $ipt -t nat -A POSTROUTING -o $WAN -j MASQUERADE
    $ipt -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.1.1:80
    $ipt -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -i $LAN -j ACCEPT

    My LAN eth1 can ping my static IP (I have ADSL with a static IP),
    but the LAN cannot go out on the net.

    My firewall eth2 can ping the LAN 192.168.1.0/24,
    and the firewall goes out on the web.

    ???? It's probably something very easy that I cannot see... like always!

    Thanks for helping me!

  5. Something weird has happened since yesterday. I wanted to add a rule that I forgot:

    $ipt -A FORWARD -i $WAN -p tcp --dport 80 -m state --state NEW -j ACCEPT

    and I get the answer: -A command not found.

    Whatever I do, even if I redo a rule:
    $ipt -A INPUT ...
    $ipt -A INPUT ...

    I receive the error: -A command not found.

    What's wrong? I didn't get this error before. Since last night I get it, and I have rebooted twice. A bug?

  6. The reason why you are getting '-A command not found' is that $ipt is not set (it gets defined in the script attached on page 4).
    Supposing your external interface is eth0, you might want to
    * run the rescue script (page 4)
    * run the command:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    and work it out from there.

  7. That's weird, because all my iptables script was made with $ipt and set like on page 4, and two days later iptables didn't recognize $ipt anymore.

    Yes, the $WAN and $LAN are set at the beginning. The other problem is that each time I reboot my PC I need to do ifup eth1 for the LAN interface. I never had this problem before. My eth1 and eth2 are set in /etc/network/interfaces.

    I may not try this tonight, but from Friday until Sunday I will be able to work on my firewall, so probably Monday I will give news about that.

    Until last night, the LAN could ping my static IP, but could not go out on the web, and the firewall could ping the LAN.

    Thanks for everything

  8. Hi, I'm back.

    Well, I have flushed everything on the firewall and started everything from the beginning.
    I redid my iptables rules.
    Everything is now OK on the side of the firewall: eth2 and eth1 are set and up after a reboot.
    The firewall pings my LAN switch 192.168.1.1.
    The firewall pings the PC on my LAN 192.168.1.5 and others.
    I have also done this to check: nmap -sP 192.168.1.5
    Nmap scan report for 192.168.1.5
    Host is up (0.0012s latency).
    Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

    LAN 192.168.1.5 pings my static IP (the firewall has a static IP)
    LAN 192.168.1.5 also pings the LAN switch 192.168.1.1
    LAN 192.168.1.5 cannot ping http://www.google.com (host unknown)

    The IP forwarding = 1

    And yes, I have a rule for the NAT:
    iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
    which :

    WAN="eth2"
    LAN="eth1"

    I don't know what to do next.

    Thanks chantra

  9. I tried another thing... which I forgot before. On my PC from the LAN, I have inserted dns-nameserver .... in /etc/network/interfaces.... Now when I do a ping from the LAN I have a ping, but I receive the answer destination host unreachable. At least I got something!

  10. I was validating the DNS and there were some errors in my configuration. So now the DNS is OK in each configuration of the interfaces, LAN and WAN.

    So now the PCs on the LAN can ping each other.
    192.168.1.4 pings 192.168.1.2 ....

    But both receive destination unreachable when they do ping http://www.google.com or ping ip_google.
    Both cannot ping dns1 of my firewall, but can ping my ip_static.

    My firewall can ping all PCs on my LAN.
    Everything is OK for my firewall.

    Maybe a rule?

    nadia

  11. I also had an error in my netmask (before it was LAN: 192.168.1.1... and 255.255.255.0; I changed it to 255.255.255.0 but 192.168.0.1).

    Still have destination host unreachable from my LAN to outside...

    Keep working....

  12. Today I changed the cable to see if it's OK between the switch and the firewall, and I still get the same dest. host unreachable error. So the RJ45 cable is not the problem.

    Keep working

  13. Still working on that, but now I think I will take a break. I still get the destination host unreachable error from the LAN trying to ping the outside world.

    And also I saw that nobody has helped me for 10 days, so I will take a break.

  14. Hi Nadia,

    There could be a thousand reasons why your settings are not working. Did you try to use the one simple iptables rule to share your connection?
    iptables -t nat -A POSTROUTING -o -j MASQUERADE

    Your host unreachable issue sounds like a routing issue. Do you give a default route to your LAN devices?

    Have you tried to traceroute to a known destination like 8.8.8.8 (Google DNS)?

  15. Hi

    If I do only this rule, iptables -t nat -A POSTROUTING -o -j MASQUERADE, nothing works; the LAN doesn't go outside.

    The 2 interfaces on my firewall, when I do ethtool or mii-tool ... respond link ok.
    I have changed the cable from the switch to the firewall, same error.

    Yes, here is my config from my LAN PC in /etc/network/interfaces:

    ip 192.168.0.1/24
    gateway 192.168.0.1
    netmask 255.255.255.0
    dns-nameserver my_dns
    and the usual network broadcast settings

    When I do traceroute 8.8.8.8 it goes nowhere, * * * *.... all the 30 hops.

    Thanks for your help

  16. Hi, well, I never thought that a gateway would be 192.168.0.254! Not from a website like https://help.ubuntu.com/12.10/serverguide/network-configuration.html

    So right now on the PC from my LAN the basic settings are:
    ip 192.168.0.4
    netmask 255.255.255.0
    gateway 192.168.0.254

    and on my firewall
    eth2 is my ADSL interface
    and
    the LAN interface:

    auto eth1
    iface eth1 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    gateway 192.168.0.254
    dns-nameservers my_dns_ip

    My LAN still does not ping google.com.

  17. Well, I do not know what to do now.

    My settings on my firewall:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # ADSL eth2

    # Local Network eth1 ....interfaces for my LAN switch
    auto eth1
    iface eth1 inet static
    address 192.168.0.1
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.254
    dns-nameservers my_dns

    On the PC of my LAN:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # Local Network eth0
    auto eth0
    iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.254
    dns-nameservers my_dns

    For the last test I have only done:
    iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    Thanks

  18. Nadia, your router is most likely getting its gateway/DNS from your ADSL provider with DHCP.
    On your router, your eth1 should look like:

    auto eth1
    iface eth1 inet static
    address 192.168.0.1
    netmask 255.255.255.0

    Your PC on your LAN has to use your router as a gateway; its eth0 config should look like:

    # Local Network eth0
    auto eth0
    iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers my_dns
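As an added example that is not part of this thread, here is a small shell check for the static configuration of a LAN host, covering the three mistakes that come up above before any iptables rule is involved: a host address that collides with the router's LAN address, a gateway that lies outside the host's subnet, and a gateway that is not the router's LAN address (the 192.168.0.254 case). The addresses used in the demo are the ones quoted in the thread, used here as constructed sample input; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread: sanity-check a LAN host's
# static IP settings before blaming iptables. Pure POSIX sh, no root needed.

# ip2int DOTTED_QUAD: print the address as an integer so that subnets can be
# compared with bit arithmetic.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_lan_host HOST_IP NETMASK GATEWAY ROUTER_LAN_IP
# Prints "ok", or the first problem found, and returns 1 on a problem.
check_lan_host() {
    host=$(ip2int "$1")
    mask=$(ip2int "$2")
    gw=$(ip2int "$3")
    router=$(ip2int "$4")

    # Two machines with the same address: ARP replies come from whichever
    # answers first, so the LAN never reliably reaches the router.
    if [ "$host" -eq "$router" ]; then
        echo "host address $1 collides with the router's LAN address"
        return 1
    fi
    # A host pointing at itself has no way out of the LAN.
    if [ "$gw" -eq "$host" ]; then
        echo "gateway $3 is the host's own address"
        return 1
    fi
    # The gateway must be directly reachable, i.e. on the same subnet.
    if [ $(( host & mask )) -ne $(( gw & mask )) ]; then
        echo "gateway $3 is not on the host's subnet"
        return 1
    fi
    # And it must be the router's LAN address, not an unused .254 that
    # nothing answers for (hence "destination host unreachable").
    if [ "$gw" -ne "$router" ]; then
        echo "gateway $3 is not the router's LAN address $4"
        return 1
    fi
    echo ok
}

# Demo with the addresses from the thread (constructed sample input).
if [ "${1:-}" = "--demo" ]; then
    check_lan_host 192.168.0.4 255.255.255.0 192.168.0.254 192.168.0.1 || true
    check_lan_host 192.168.0.2 255.255.255.0 192.168.0.1 192.168.0.1
fi
```

Run it with --demo to see the .254 gateway flagged and the corrected configuration from comment 18 pass. Once the host side checks out, the remaining things to verify on the router are net.ipv4.ip_forward=1 and the MASQUERADE rule on the Internet-facing interface (ppp0 in the route output below, not eth2).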

  19. Hi, thanks

    So here it goes for my firewall:

    # ADSL eth2
    ...

    # Local Network eth1
    auto eth1
    iface eth1 inet static
    address 192.168.0.1
    netmask 255.255.255.0

    and my PC for the LAN:

    # Local Network eth0
    auto eth0
    iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers my_dns ..... I have a static IP and 2 DNS servers, so usually I put my dns1 there

    Right now, as before:
    the PC from the LAN pings the gateway
    the firewall pings the gateway and the PC on the LAN
    but the LAN cannot ping google.com ....

    Damn it

    root@cyberdark-firewall:~# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
    my_static_ip 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1

    root@cyberdark-firewall:~# route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default * 0.0.0.0 U 0 0 0 ppp0
    my_ISP * 255.255.255.255 UH 0 0 0 ppp0
    192.168.0.0 * 255.255.255.0 U 0 0 0 eth1

    root@cyberdark-firewall:~# ifconfig
    eth1 Link encap:Ethernet HWaddr 00:10:5a:01:f7:b2
    inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
    inet6 addr: fe80::210:5aff:fe01:f7b2/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:636 errors:0 dropped:0 overruns:0 frame:0
    TX packets:158 errors:0 dropped:0 overruns:0 carrier:5
    collisions:5 txqueuelen:1000
    RX bytes:67726 (67.7 KB) TX bytes:22903 (22.9 KB)
    Interrupt:11 Base address:0xa000

    eth2 Link encap:Ethernet HWaddr 00:c0:26:7d:68:2a
    inet6 addr: fe80::2c0:26ff:fe7d:682a/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:11212 errors:0 dropped:0 overruns:0 frame:0
    TX packets:9506 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:11456113 (11.4 MB) TX bytes:1301082 (1.3 MB)
    Interrupt:5 Base address:0xd400

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:42 errors:0 dropped:0 overruns:0 frame:0
    TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:3316 (3.3 KB) TX bytes:3316 (3.3 KB)

    ppp0 Link encap:Point-to-Point Protocol
    inet addr:my_local_ip P-t-P:my_remote_ip Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
    RX packets:10581 errors:0 dropped:0 overruns:0 frame:0
    TX packets:9074 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3

    root@cyberdark-firewall:~# cat /etc/resolv.conf
    nameserver my_dns1
    nameserver my_dns2
