'chris'
Super Advisor

allow the internet access from LAN using IPTABLES

hi

my network:

internet & ipsec gateway:
eth0 -> external interface (internet)
eth1 -> internal interface (LAN)

LAN:
LOCAL_LAN="192.168.115.0/24"

remote networks:
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"

ipsec works without problems and I can reach remote networks
from any LAN machine,
but cannot access the Internet from the LAN machines

what's wrong?

I'm using this firewall script:

#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"
IPTABLES="/sbin/iptables"

$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT


$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,53,80,443 -i eth0 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -i eth0 -j ACCEPT # DNS per udp


# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT


# iptables -V
iptables v1.2.11

# uname -a
Linux sarge.stable 2.6.8-2-686 #1 Tue Aug 16 13:22:48 UTC 2005 i686 GNU/Linux

kind regards
chris
4 REPLIES
Ivan Ferreira
Honored Contributor
Solution

Re: allow the internet access from LAN using IPTABLES

Can you describe your topology a little better, how is it connected? Where are REMOTE_LAN1, 2 and 3?

Ensure that name resolution is working. Check your clients' DNS configuration. I would also suggest the use of a squid proxy server to enable access control, caching, and bandwidth saving.

I assume that forwarding is enabled because you can reach remote networks.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
'chris'
Super Advisor

Re: allow the internet access from LAN using IPTABLES

REMOTE_LAN1, 2 and 3 are networks on the remote site,
connected via ipsec tunnels.

this machine is a dhcp / dns server as well.

anyway I've found out:

$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to external_ip_address

greetings
chris
'chris'
Super Advisor

Re: allow the internet access from LAN using IPTABLES

but I have a very strange problem with this script.

If I run it, my DNS server running on the same machine doesn't work anymore and the server is completely hanging.
I cannot shut down the machine, because the name server could not be stopped!

Does anyone know what's wrong and how to solve this problem?
'chris'
Super Advisor

Re: allow the internet access from LAN using IPTABLES

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

solved my problem!
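The two faults found in this thread (no SNAT for the LAN on the external interface, and an INPUT policy of DROP with nothing accepting loopback traffic, which kills the local DNS server) are easy to spot in an `iptables-save` dump. The following is an added example, not code from the thread: a small POSIX shell audit that checks a dump for exactly those two rules. The dumps are constructed to mirror the posted script (eth0/eth1, 192.168.115.0/24), and the SNAT address 203.0.113.10 is a placeholder.

```shell
#!/bin/sh
# ruleset NAT_RULE INPUT_RULE: build a constructed iptables-save dump shaped like the
# posted script; pass '' to leave a slot empty (constructed sample, not a real machine).
ruleset() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n%s\nCOMMIT\n' "$1"
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n%s\n' "$2"
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' '-A FORWARD -i eth1 -j ACCEPT' 'COMMIT'
}

# Dump as the original script produced it, and with the two fixes from the thread applied.
RULES_BEFORE=$(ruleset '' '')
RULES_AFTER=$(ruleset '-A POSTROUTING -s 192.168.115.0/24 -o eth0 -j SNAT --to-source 203.0.113.10' \
                      '-A INPUT -i lo -j ACCEPT')

# audit_ruleset EXT_IF LAN_CIDR DUMP: print one line per fault found in an iptables-save dump.
# Exit status is the number of findings (0 means both rules are present).
audit_ruleset() {
    ext_if=$1; lan_re=$(printf '%s' "$2" | sed 's/[.]/\\./g'); dump=$3; findings=0
    # Fault 1: INPUT policy DROP without a loopback accept, so the resolver and local
    # daemons cannot talk to 127.0.0.1 (the "DNS server stops working" symptom).
    if printf '%s\n' "$dump" | grep -q '^:INPUT DROP' &&
       ! printf '%s\n' "$dump" | grep -q '^-A INPUT -i lo -j ACCEPT'; then
        echo "INPUT policy is DROP but nothing accepts -i lo: local DNS/resolver traffic is dropped"
        findings=$((findings + 1))
    fi
    # Fault 2: no SNAT/MASQUERADE for the LAN leaving the external interface, so private
    # source addresses go out unchanged and replies never come back.
    if ! printf '%s\n' "$dump" | grep -Eq "^-A POSTROUTING -s ${lan_re} -o ${ext_if} -j (SNAT|MASQUERADE)"; then
        echo "no SNAT/MASQUERADE for $2 out of $ext_if: LAN hosts cannot reach the Internet"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# show LABEL DUMP: run the audit and report.
show() {
    echo "== $1"
    if audit_ruleset eth0 192.168.115.0/24 "$2"; then echo "   no findings"; fi
}

show "original script" "$RULES_BEFORE"
show "with SNAT and loopback rules" "$RULES_AFTER"
```

On a live gateway the same check runs against the real ruleset with `audit_ruleset eth0 192.168.115.0/24 "$(iptables-save)"`.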