allow the internet access from LAN using IPTABLES

 
SOLVED
Go to solution
'chris'
Super Advisor

hi

my network:

internet & ipsec gateway:
eth0 -> external interface (internet)
eth1 -> internal interface (LAN)

LAN:
LOCAL_LAN="192.168.115.0/24"

remote networks:
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"

IPsec works without problems and I can reach the remote networks
from any LAN machine,
but I cannot access the Internet from the LAN machines.

What's wrong?

I'm using this firewall script:

#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"
IPTABLES="/sbin/iptables"

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT


# Services offered on the external interface
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,53,80,443 -i $EXT_IF -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -i $EXT_IF -j ACCEPT # DNS per udp


# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT


# iptables -V
iptables v1.2.11

# uname -a
Linux sarge.stable 2.6.8-2-686 #1 Tue Aug 16 13:22:48 UTC 2005 i686 GNU/Linux

kind regards
chris
Ivan Ferreira
Honored Contributor

Re: allow the internet access from LAN using IPTABLES

Can you describe your topology a little better, how is it connected? Where are REMOTE_LAN1, 2 and 3?

Ensure that name resolution is working. Check your clients' DNS configuration. I would also suggest the use of a squid proxy server to enable access control, caching, and bandwidth saving.

I assume that forwarding is enabled because you can reach remote networks.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
'chris'
Super Advisor

Re: allow the internet access from LAN using IPTABLES

REMOTE_LAN1, 2 and 3 are networks on the remote site
connected via IPsec tunnels.

This machine is a DHCP / DNS server as well.

Anyway, I've found out:

$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to external_ip_address

greetings
chris
'chris'
Super Advisor

Re: allow the internet access from LAN using IPTABLES

But I have a very strange problem with this script.

If I run it, my DNS server running on the same machine doesn't work anymore and the server hangs completely.
I cannot shut down the machine, because the name server cannot be stopped!

Does someone know what's wrong and how to solve this problem?
'chris'
Super Advisor

Re: allow the internet access from LAN using IPTABLES

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

solved my problem!
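The two rules chris found (SNAT for the LAN and the loopback ACCEPT) combined into one function, as an added example that is not from the thread. It also excludes the three REMOTE_LANs from SNAT, on the assumption that the 2.6 native IPsec stack passes the still-cleartext packets through nat/POSTROUTING on eth0 before encapsulation; without the exclusion, tunnel traffic would get the public address as source and the IPsec policies would no longer match. The public address 203.0.113.10 is a constructed placeholder, and IPT defaults to a dry-run printer so the emitted rules can be inspected before running with IPT=/sbin/iptables as root.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Dry run by default: each rule is printed instead of applied.
dry_run() { printf '%s\n' "$*"; }
IPT="${IPT:-dry_run}"

EXT_IF="eth0"
INT_IF="eth1"
EXT_IP="${EXT_IP:-203.0.113.10}"          # constructed placeholder public address
LOCAL_LAN="192.168.115.0/24"
REMOTE_LANS="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"

lan_nat_rules() {
    # 1. Loopback. With "-P INPUT DROP", the resolver and DHCP daemon on the
    #    gateway talk to themselves over lo and hang without this rule.
    $IPT -A INPUT -i lo -j ACCEPT

    # 2. Traffic for the remote sites leaves via eth0 too, but must keep its
    #    192.168.115.x source so it matches the IPsec policies (assumption:
    #    native 2.6 IPsec, cleartext seen in POSTROUTING). Exclude it first.
    for net in $REMOTE_LANS; do
        $IPT -t nat -A POSTROUTING -s "$LOCAL_LAN" -d "$net" -o "$EXT_IF" -j ACCEPT
    done

    # 3. Everything else from the LAN towards the Internet is rewritten to the
    #    gateway's public address (chris's rule, with --to-source spelled out).
    $IPT -t nat -A POSTROUTING -s "$LOCAL_LAN" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

# Number of rules the function emits; handy for checking a dry run.
lan_nat_rule_count() { lan_nat_rules | wc -l | tr -d ' '; }

lan_nat_rules
```

Run it once as a dry run, then again with IPT=/sbin/iptables after the existing script so the exclusions land before the SNAT rule.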