topic Re: allow the internet access from LAN using IPTABLES in Operating System - Linux

allow the internet access from LAN using IPTABLES

'chris' — Fri, 24 Mar 2006 11:41:22 GMT

hi

my network:

internet & ipsec gateway:
eth0 -> external interface (internet)
eth1 -> internal interface (LAN)

LAN:
LOCAL_LAN="192.168.115.0/24"

remote networks:
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"

ipsec works without problems and I can reach remote networks
from any LAN machine,
but cannot access the Internet from the LAN machines

what's wrong ?

I'm using this firewall script:

#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"
IPTABLES="/sbin/iptables"

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,53,80,443 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -i eth0 -j ACCEPT # DNS per udp

# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# iptables -V
iptables v1.2.11

# uname -a
Linux sarge.stable 2.6.8-2-686 #1 Tue Aug 16 13:22:48 UTC 2005 i686 GNU/Linux

kind regards
chris

Re: allow the internet access from LAN using IPTABLES

Ivan Ferreira — Fri, 24 Mar 2006 14:02:38 GMT

Can you describe your topology a little better, how is connected? Where are REMOTE_LAN1 2 and 3?

Ensure that name resolution is working. Check your clients DNS configuration. I will also suggest the use of squid proxy server to enable access control, cache, and bandwith saving.

I assume that forwarding is enabled because you can reach remote networks.

Re: allow the internet access from LAN using IPTABLES

'chris' — Fri, 24 Mar 2006 14:16:38 GMT

REMOTE_LAN1 2 and 3 are networks on the remote site
connected via ipsec tunnels.

this machine is a dhcp / dns server as well.

anyway I've found out:

$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to external_ip_address

greetings
chris

Re: allow the internet access from LAN using IPTABLES

'chris' — Fri, 24 Mar 2006 17:41:46 GMT

but I have a very strange problem with this script.

If I run it, my DNS server running on the same machine doesn't work anymore and the server is completely hanging.
I cannot shutdown the machine, because name server could not be stopped !

knows someone what's wrong and howto solve this problem ?

Re: allow the internet access from LAN using IPTABLES

'chris' — Wed, 16 Aug 2006 17:59:09 GMT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

solved my problem !