debian gateway using iptables

I am having problems setting up a debian gateway server. My goal:

  • Having eth1 the WAN interface.
  • Having eth0 the LAN interface.
  • Allow both ports 22 (SSH) and 80 (HTTP) to be accessed from the outside world on the gateway (SSH and HTTP run on this server).

What I did was the following:

  • Create a file /etc/iptables.rules with contents:

/etc/iptables.rules:

*nat
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -j DROP
COMMIT

  • edit /etc/network/interfaces as follows:

/etc/network/interfaces:

# The loopback network interface
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.rules

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp

#auto eth1
#allow-hotplug eth1
#iface eth1 inet dhcp

allow-hotplug eth1
iface eth1 inet static
address 217.119.224.51
netmask 255.255.255.248
gateway 217.119.224.49
dns-nameservers 217.119.226.67 217.119.226.68

  • Uncomment the rule net.ipv4.ip_forward=1 in /etc/sysctl.conf to allow packet forwarding.

The static settings for eth1, such as the IP address, I got from my router (which I want to replace); I simply copied these.

  • I have a (Windows) DNS + DHCP server on IP address 10.180.1.10, which assigns IP address 10.180.1.44 to eth0. What this server does is not really interesting; it only maps domain names on our local network and assigns one static IP to the gateway.

  • What works: on the gateway itself I can ping 8.8.8.8 and google.nl. So that is okay.

  • What does not work: (1) Every machine connected to eth0 (indirectly via a switch) cannot ping an IP or a domain. So I guess the gateway cannot be found. (2) Also, when I configure my Linux machine (a laptop) to use a static IP 10.180.1.41, a netmask and a gateway (10.180.1.44), I cannot ping an IP or domain either.

This means that maybe my iptables is incorrect or not loaded correctly. Or maybe I have to configure my DNS/DHCP on my Windows machine. I have not reset the Windows machine's network or restarted the DNS/DHCP services; should I do this?

meijuh

Posted 2013-10-31T13:11:17.790

Reputation: 111

What do the routing and DNS settings look like on the machines on your LAN network? If they get their IP addresses from the DHCP server at 10.180.1.10 I wouldn't be surprised if they get assigned that as their gateway, not 10.180.1.44 (the 'real' gateway). – JvO – 2013-10-31T13:44:37.773

Hmm the DHCP server indeed says the 'router' is at 10.180.1.254. – meijuh – 2013-10-31T14:10:29.957

Strangely, when I run the DHCP server on the gateway, the setup works. Why would this be? Why can't I run a DHCP server on another host? – meijuh – 2013-11-17T08:34:23.743

You should be able to run the DHCP server on any host on your network. I think you need to plow through the documentation and find the correct options... OTOH, is it a problem if the DHCP server runs on your gateway? – JvO – 2013-11-19T14:17:37.963
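A client-side check for the point raised in the comments above, added here as an example (it is not part of the original question or of any answer): on a LAN machine it reads the default route, compares the gateway it was handed (by DHCP or by hand) with the Debian box at 10.180.1.44 from the question, and only then tests reachability in stages, so the first failing step is visible. The address 10.180.1.44 comes from the question; the sample route line is constructed to mirror what the first comment describes (DHCP handing out 10.180.1.254), and the script's functions and option names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: LAN-side gateway diagnostic.
# 10.180.1.44 is the Debian gateway's eth0 address from the question;
# everything else here is an assumption.
EXPECTED_GW="${EXPECTED_GW:-10.180.1.44}"

# Extract the gateway address from `ip route show default` text on stdin.
# Reading stdin lets the same function run on captured text offline.
default_gw_from_route() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# Return 0 if the route text names the expected gateway, 1 otherwise.
# Arguments: expected gateway address, route text.
gateway_matches() {
    expected="$1"
    actual="$(printf '%s\n' "$2" | default_gw_from_route)"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample: what a client configured by the Windows DHCP server in
# the question would show, with the router option pointing at 10.180.1.254.
SAMPLE_DHCP_ROUTE="default via 10.180.1.254 dev eth0 proto dhcp metric 100"

# Live diagnostic: route first, then gateway, then forwarding/NAT, then DNS.
live_check() {
    route="$(ip route show default)"
    gw="$(printf '%s\n' "$route" | default_gw_from_route)"
    echo "default gateway: ${gw:-none}"
    if ! gateway_matches "$EXPECTED_GW" "$route"; then
        echo "default route does not point at $EXPECTED_GW; check the DHCP router option or the static route"
        return 1
    fi
    ping -c 1 -W 2 "$gw" >/dev/null \
        && echo "gateway reachable" \
        || { echo "gateway unreachable on the LAN (cabling/switch/eth0)"; return 1; }
    ping -c 1 -W 2 8.8.8.8 >/dev/null \
        && echo "forwarding and NAT work" \
        || { echo "no path through the gateway (FORWARD rules, ip_forward, MASQUERADE)"; return 1; }
    getent hosts google.nl >/dev/null \
        && echo "DNS works" \
        || { echo "name resolution broken (resolv.conf / DNS server)"; return 1; }
}

# The live checks only run on request; the functions above work offline.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it with `--live` on a client behind the switch; a default gateway of 10.180.1.254 at the first line confirms the DHCP router option is what sends the traffic elsewhere, before any firewall rule on the Debian box is even consulted.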

Answers

You must also allow FORWARD traffic in your firewall rules, that is, allow packets from eth0 to go to eth1 and back. Something like:

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

And remember: traceroute is your friend for troubleshooting routes...

JvO

Posted 2013-10-31T13:11:17.790

Reputation: 883

I added this rule and looked at some more examples online, but it still does not work. I cannot even ping 8.8.8.8 on the gateway itself... – meijuh – 2013-11-03T20:54:18.617
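The complete ruleset that the answer's advice implies, written out as an added example (this is neither the answer's nor the questioner's file): the question's nat and INPUT rules are kept as they are, and a FORWARD chain is added that lets LAN-originated traffic out through eth1 and the replies back in, while any other forwarding attempt arriving on eth1 falls to a DROP policy. The interface names and ports come from the question; the helper functions, the explicit chain policies, the DROP policy on FORWARD and the file path are assumptions. The net.ipv4.ip_forward=1 setting from the question is still required.

```shell
#!/bin/sh
# Added example, not from the original post: full iptables-restore ruleset
# for the gateway in the question, with the FORWARD chain the answer asks for.
WAN="${WAN:-eth1}"   # interface towards the ISP (from the question)
LAN="${LAN:-eth0}"   # interface towards the switch / 10.180.1.0 network

# Print the ruleset in iptables-save format; feed it to iptables-restore.
gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rewrite the source address of LAN traffic leaving on the WAN side
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic addressed to the gateway itself (as in the question)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i $WAN -j DROP
# traffic routed through the gateway: the part the question's file lacks
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# anything else offered for forwarding (e.g. new flows from $WAN) hits the DROP policy
COMMIT
EOF
}

# Static sanity check that the generated file carries the rules the answer
# calls for; returns 0 when all are present, 1 otherwise.
check_rules() {
    rules="$(gateway_rules)"
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -q -- "-A FORWARD -i $LAN -o $WAN -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -q -- "-A POSTROUTING -o $WAN -j MASQUERADE" || return 1
}

# Write the file and load it (needs root); only runs when asked for.
# RULES_FILE is a placeholder path; the question uses /etc/iptables.rules.
install_rules() {
    file="${RULES_FILE:-/etc/iptables.rules}"
    check_rules || { echo "ruleset is missing a required rule" >&2; return 1; }
    gateway_rules > "$file"
    iptables-restore < "$file"
}

case "${1:-}" in
    --install) install_rules ;;
    *)         gateway_rules ;;   # default: just print the ruleset
esac
```

Running the script with no arguments prints the ruleset so it can be reviewed or diffed against the existing /etc/iptables.rules; `--install` writes and loads it, after which the `pre-up iptables-restore < /etc/iptables.rules` line in the question's interfaces file reloads it on boot. Because FORWARD now has a DROP policy, a forwarded flow that still fails is either missing from the two FORWARD rules or never reaches the box at all, which is where the traceroute the answer suggests separates the two cases.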