03-24-2006 03:41 AM
my network:
internet & ipsec gateway:
eth0 -> external interface (internet)
eth1 -> internal interface (LAN)
LAN:
LOCAL_LAN="192.168.115.0/24"
remote networks:
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"
IPsec works without problems and I can reach the remote networks
from any LAN machine,
but I cannot access the Internet from the LAN machines.
What's wrong?
I'm using this firewall script:
#!/bin/sh
EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="192.168.2.0/24"
IPTABLES="/sbin/iptables"
# Flush all tables and set the default policies
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# Services reachable on the external interface
$IPTABLES -A INPUT -p tcp -m multiport --dport 21,22,53,80,443 -i $EXT_IF -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -i $EXT_IF -j ACCEPT # DNS over UDP
# Mark VPN packets (ESP arriving on the external interface)
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN
$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT
# Spoof protection: nothing from the outside may claim a LAN destination
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP
# Traffic to the gateway itself
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN (IKE)
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT
# Traffic routed through the gateway
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT
# iptables -V
iptables v1.2.11
# uname -a
Linux sarge.stable 2.6.8-2-686 #1 Tue Aug 16 13:22:48 UTC 2005 i686 GNU/Linux
kind regards
chris
03-24-2006 06:02 AM
Ensure that name resolution is working. Check your clients' DNS configuration. I would also suggest using the squid proxy server to enable access control, caching, and bandwidth saving.
I assume that forwarding is enabled because you can reach remote networks.
03-24-2006 06:16 AM
Re: allow the internet access from LAN using IPTABLES
connected via ipsec tunnels.
This machine is a DHCP / DNS server as well.
Anyway, I've found out:
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to external_ip_address
greetings
chris
03-24-2006 09:41 AM
Re: allow the internet access from LAN using IPTABLES
If I run it, my DNS server running on the same machine doesn't work anymore and the server is completely hanging.
I cannot shut down the machine, because the name server could not be stopped!
Does anyone know what's wrong and how to solve this problem?
08-16-2006 10:59 AM
Re: allow the internet access from LAN using IPTABLES
$IPTABLES -A INPUT -i lo -j ACCEPT
solved my problem!
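Putting the thread's two fixes together, as an added example that is not the poster's script: the gateway ruleset with the SNAT rule from the second post and the loopback rule from the last reply, plus an exemption so that LAN traffic bound for the IPsec remote networks is not source-NATed before IPsec sees it (otherwise it no longer matches the tunnel selectors). The external address 203.0.113.10, the DRY_RUN switch and the ipt helper are assumptions; interface names and networks are the thread's.

```shell
#!/bin/sh
# Added example (not the poster's script): the thread's ruleset with both fixes.
# EXT_IP is an assumed placeholder (TEST-NET-3); DRY_RUN=1 only prints the commands.
EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LANS="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"
EXT_IP="${EXT_IP:-203.0.113.10}"
IPT="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# Print (dry run) or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

gateway_rules() {
    ipt -F; ipt -t nat -F; ipt -t mangle -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # Fix from the last reply: with INPUT policy DROP, the local DNS server's
    # own traffic over 127.0.0.1 is dropped and the daemon hangs without this.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -s "$LOCAL_LAN" -j ACCEPT        # LAN clients -> DHCP/DNS on this box
    ipt -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT     # IKE
    ipt -A INPUT -i "$EXT_IF" -p esp -j ACCEPT                 # ESP
    ipt -A INPUT -i "$EXT_IF" -p tcp -m multiport --dport 21,22,53,80,443 -j ACCEPT  # poster's choice; expose only what must be reachable

    # Mark ESP packets on arrival (as in the poster's script) so the decapsulated
    # tunnel traffic can be forwarded; anything else from the Internet hits the DROP policy.
    ipt -t mangle -A PREROUTING -i "$EXT_IF" -p esp -j MARK --set-mark 1
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -m mark --mark 1 -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -s "$LOCAL_LAN" -j ACCEPT

    # Fix from the poster's second post: LAN -> Internet needs source NAT.
    # Packets for the remote VPN networks are exempted first; SNATing them would
    # rewrite their source before IPsec sees them and break the tunnel.
    for net in $REMOTE_LANS; do
        ipt -t nat -A POSTROUTING -s "$LOCAL_LAN" -d "$net" -j ACCEPT
    done
    ipt -t nat -A POSTROUTING -s "$LOCAL_LAN" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

gateway_rules
```

Run with DRY_RUN=0 as root to apply the rules; if the external address is dynamic, `-j MASQUERADE` replaces the SNAT rule.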