Bridging interfaces and the internet

Guillermo Garron ggarron at alketech.com
Tue Nov 1 14:25:54 UTC 2005


Paul Howarth wrote:

> Justin Willmert wrote:
>
>> Paul Howarth wrote:
>>
>>> Nigel Wade wrote:
>>>
>>>> Justin Willmert wrote:
>>>>
>>>>> I just set up a desktop with two network cards and have got a 
>>>>> bridge working between the two. That is not what my problem lies 
>>>>> in though. I would like for the box to be able to connect to the 
>>>>> internet also, but if I understand what I've set up correctly, I 
>>>>> can't do that with my current setup. When I've tried to give one 
>>>>> of the network cards an IP address, nothing but lo works, so I 
>>>>> know there's something missing. I'll add my configuration at the 
>>>>> bottom, but shortly, br0 is configured with an IP address, and 
>>>>> eth0 and eth1 have none. Now, I know br0 is capable of at least a 
>>>>> network connection because as I type this, I'm currently SSHed 
>>>>> into the box, but if I try to ping anything, all the packets 
>>>>> are lost.
>>>>
>>>
>>> What IP address are you ssh'ed into the box from? Can you ssh back 
>>> to that IP from the bridge machine? Might the ping issue be due to 
>>> firewall rules (e.g. blocking ICMP packets)?
>>>
>>
>> OK, I thought I had my firewall set up correctly, because I had a 
>> default policy to accept on the OUTPUT and FORWARD chains so I never 
>> thought that'd be a problem, but when I shut it off, it does work. So 
>> now I guess my question would be, what special rules do I need to 
>> create to allow this bridge setup to work with a firewall? Here is my 
>> firewall script.
>>
>>
>> ===================== setup-firewall-rules =====================
>> #!/bin/sh
>>
>> # Delete all rules
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>>
>> # Setup policies
>> iptables --policy INPUT DROP
>> iptables --policy OUTPUT ACCEPT
>> iptables --policy FORWARD ACCEPT
>>
>> # Always trust the loopback interface
>> iptables -A INPUT  -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>>
>> # Enable packet forwarding
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> # Allow already opened connections
>> # (Only need INPUT right now 'cause it's the only one with DROP policy)
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> # Accept SSH connections
>> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
>>
>> # Accept VNC connections
>> iptables -A INPUT -p tcp --dport 5801 -m state --state NEW -j ACCEPT
>> iptables -A INPUT -p tcp --dport 5901 -m state --state NEW -j ACCEPT
>
>
> I'm not an iptables or firewall expert so I may be wrong but it looks 
> to me like the default DROP policy for the INPUT chain may be the 
> issue. I think connection tracking may only work with TCP-based 
> protocols such as ssh, which means that ICMP (e.g. ping) and UDP (e.g. 
> DNS) may be problematic with this configuration. You may have to add 
> rules to allow these types of traffic in.
>
>> The 10 second pause in the output also has to do with the firewall. 
>> When I shut down the firewall, it shows up immediately.
>
>
> That's probably a DNS issue. Try using the "-n" option to "route" to 
> turn off DNS lookups and see if you still get the delay with the 
> firewall on.
>
> Paul.
>
Dear friend,
I have a box with two NICs, one with Internet and the other internal, set 
up as a firewall and doing NAT.
This is my iptables configuration and it really works:
#!/bin/sh
# Delete and flush. Default table is "filter". Others like "nat" must be
# explicitly stated.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
# (the two commented-out lines are alternative uplinks kept for reference)
#iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to-source 200.87.61.88
#iptables --table nat --append POSTROUTING --out-interface eth2 -j SNAT --to-source 200.105.201.226

iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to-source 200.87.61.88
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

######################
# (no second flush here: it would discard the FORWARD rule appended above;
# the tables were already emptied at the top)
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Replies to connections the box itself initiated, on any of the three interfaces
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
###uncomment this!!!!
# Reset any TCP packet that carries no MSS option (i.e. is not a SYN) and was
# not already accepted above as part of a tracked connection
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
####
## Allow SSH from network 1
iptables -A INPUT -s 10.1.1.0/24 -i eth1 -p tcp --dport 22 -j ACCEPT
# (SSH is TCP only; the UDP rule is harmless but does nothing useful)
iptables -A INPUT -s 10.1.1.0/24 -i eth1 -p udp --dport 22 -j ACCEPT
##
## Allow access to port 80 only from the intranet
iptables -A INPUT -p tcp -i eth1 -s 10.1.1.0/24 --dport 80 -j ACCEPT
##
# Transparent Squid proxy
# Caveat: these rules are not restricted to eth1, so port 3128 is reachable
# from the Internet side as well; add "-i eth1 -s 10.1.1.0/24" to limit them.
iptables -A INPUT  -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT  -p udp --dport 3128 -j ACCEPT
# Caveat: the two --sport rules accept any inbound packet whose source port is
# 3128, from any host, so they bypass the INPUT DROP policy below; the
# ESTABLISHED,RELATED rules above already cover the proxy's return traffic.
iptables -A INPUT  -p tcp --sport 3128 -j ACCEPT
iptables -A INPUT  -p udp --sport 3128 -j ACCEPT
##

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

## end of new method
##
#iptables -A INPUT -p tcp --syn -s 10.1.1.0/24 --destination-port 139 -j ACCEPT
#iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT

# Everything not accepted above is dropped (OUTPUT and FORWARD keep the
# default ACCEPT policy)
iptables -P INPUT DROP

########
# routing table
####
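The two scripts in this thread show the same handful of iptables pitfalls: a flush that runs after rules were already appended (the second "iptables -F" above discards the FORWARD rule), ACCEPT rules keyed only on a source port (the --sport 3128 rules), and a DROP policy that only works when an ESTABLISHED,RELATED rule exists for that chain (Paul's concern about INPUT DROP). The checker below is an added example, not code from either poster; it parses a firewall shell script offline and reports those three conditions. The sample script inside it is constructed, modelled on the posted scripts but with a documentation address (192.0.2.1) in place of the real one, and the option names it understands are the standard iptables spellings used on this page.

```python
"""Static checks for iptables shell scripts such as the two posted in this thread.

Added example, not code from the thread. It flags three pitfalls:
  1. a flush (-F/--flush) issued after rules were appended to the same table,
     which silently discards them;
  2. an INPUT ACCEPT rule keyed only on a source port (--sport), which any
     remote host can satisfy simply by choosing that source port;
  3. a chain with policy DROP and no ESTABLISHED,RELATED accept rule, so
     replies to the box's own outbound traffic are dropped.
"""
import shlex

# Constructed sample modelled on the scripts above (not either author's file
# verbatim; 192.0.2.1 is a documentation address standing in for the real one).
SAMPLE_SCRIPT = """\
#!/bin/sh
iptables --flush
iptables --table nat --flush
iptables --table nat --append POSTROUTING --out-interface eth0 \\
    -j SNAT --to-source 192.0.2.1
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --sport 3128 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
"""

# Short options and long aliases normalised to one spelling.
ALIASES = {"-t": "--table", "-A": "--append", "-I": "--insert",
           "-P": "--policy", "-F": "--flush", "-j": "--jump",
           "--source-port": "--sport", "--destination-port": "--dport"}


def iptables_commands(text):
    """Yield (lineno, argv) for every iptables call in a shell script, joining
    backslash-continued lines and ignoring comments and other commands."""
    pending, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if pending:
            line = pending + " " + raw.strip()
        else:
            line, start = raw.rstrip(), lineno
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        pending = ""
        words = shlex.split(line, comments=True)
        if words and words[0].rsplit("/", 1)[-1] == "iptables":
            yield start, words[1:]


def parse_options(argv):
    """Group an iptables argument list into {option: [values...]}; the list is
    empty for bare flags such as -F, and '!' negations stay as values."""
    opts, key = {}, None
    for tok in argv:
        if tok.startswith("-") and len(tok) > 1:
            key = ALIASES.get(tok, tok)
            opts.setdefault(key, [])
        elif key is not None:
            opts[key].append(tok)
    return opts


def check_script(text):
    """Return a sorted list of (lineno, message) findings for a script."""
    findings = []
    rules = {}      # table -> [(lineno, chain, accepts_established)]
    policies = {}   # (table, chain) -> (lineno, target)
    for lineno, argv in iptables_commands(text):
        o = parse_options(argv)
        table = o.get("--table", ["filter"])[0]
        if "--flush" in o:
            only = o["--flush"][:1]          # optional chain argument
            kept, lost = [], []
            for rule in rules.get(table, []):
                (lost if not only or rule[1] == only[0] else kept).append(rule)
            if lost:
                findings.append((lineno, "flush of table %s discards %d rule(s) "
                                 "appended at line(s) %s"
                                 % (table, len(lost), [r[0] for r in lost])))
            rules[table] = kept
            continue
        if "--policy" in o:
            chain, target = o["--policy"][:2]
            policies[(table, chain)] = (lineno, target)
            continue
        chain = (o.get("--append") or o.get("--insert") or [None])[0]
        if chain is None:
            continue                          # -X, -N, -D ... not relevant here
        target = o.get("--jump", [None])[0]
        states = ",".join(o.get("--state", []) + o.get("--ctstate", [])).upper()
        established = target == "ACCEPT" and "ESTABLISHED" in states
        rules.setdefault(table, []).append((lineno, chain, established))
        if (table == "filter" and chain == "INPUT" and target == "ACCEPT"
                and "--sport" in o and "--dport" not in o and not states):
            findings.append((lineno, "INPUT accepts on source port %s alone; any "
                             "remote host can choose that source port"
                             % o["--sport"][0]))
    covered = {(t, r[1]) for t, rs in rules.items() for r in rs if r[2]}
    for (table, chain), (lineno, target) in policies.items():
        if target == "DROP" and (table, chain) not in covered:
            findings.append((lineno, "%s policy DROP with no ESTABLISHED,RELATED "
                             "accept rule; replies to the box's own connections "
                             "will be dropped" % chain))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in check_script(SAMPLE_SCRIPT):
        print("line %d: %s" % (lineno, message))
```

Run against the sample it reports the flush on line 8 (losing the FORWARD rule from line 6), the source-port-only accept on line 12, and the OUTPUT DROP policy on line 14 that has no state rule behind it; the INPUT DROP policy passes because line 10 accepts ESTABLISHED,RELATED. Note that the wrapped lines in the posted script above are mail-client line breaks, not shell continuations; a real script needs a trailing backslash, which is what the parser looks for.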



