
4/4/2019 routing - How to set up iptables for local router machine? - Server Fault


How to set up iptables for local router machine?

I have set up a local linux (14.0.4 Ubuntu) machine as a router and can do the following:

- ping server/router from the clients
- ping clients from server/router
- ping one client from the other
- ping the modem/router behind the server/router

But I can't ping google or 8.8.8.8. I get the following errors:

ping: unknown host www.google.com
connect: network is unreachable

But I can issue both of those commands on the server/router, without problem, which leads me to believe it is an iptables related issue. Can someone have a look at the below code, which I use to initialize iptables, and tell me if there are any glaring mistakes.

#!/bin/bash

ethInternal=eth1
ethExternal=eth0

# Start from an empty ruleset in the filter and nat tables.
sudo iptables --flush
sudo iptables --table nat --flush
sudo iptables --delete-chain
sudo iptables --table nat --delete-chain

# Masquerade everything that leaves through the external interface.
sudo iptables -t nat -A POSTROUTING -o $ethExternal -j MASQUERADE

# Let replies back in from the outside, and let anything from the inside out.
sudo iptables -A FORWARD -i $ethExternal -o $ethInternal -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i $ethInternal -o $ethExternal -j ACCEPT

EDIT 1

client: netstat -rn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.66.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0

EDIT 2

client: route add -net default gw 192.168.66.254

client: netstat -rn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.66.254  0.0.0.0         UG        0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.66.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0

EDIT 3

SV-01: vi /var/log/kern.log

Relevant section of log file can be found here.

iptables routing ubuntu-14.04

edited Aug 10 '15 at 15:43 – peterh

asked Jul 17 '15 at 6:43 – puk

What's the output of cat /proc/sys/net/ipv4/ip_forward? – MadHatter Jul 17 '15 at 7:15

@MadHatter on server/router it is 1. On the client it is 0 – puk Jul 17 '15 at 7:18

And on the client, could we see the output of netstat -rn? You'll need to edit that into your question. – MadHatter Jul 17 '15 at 7:48

2 Answers

Well, your configuration seems to be a bit short. I'm attaching the configuration of my router as a working example.

Also, you are using '-m state' to track related and established connections, while I usually utilise '-m conntrack'.

What you can try: log dropped packets and see what is getting dropped by iptables, and why. I'm writing my configuration (with logging and also including a default ACCEPT policy for the OUTPUT chain) below. To enable it, save it to a file (e.g., 'iptables_test_rules.txt') and apply the rules using 'iptables-restore iptables_test_rules.txt'. See 'iptables -L -v' for a rules overview and your syslog for dropped connections (attention: your syslog could grow very fast!).

# Note: the right-hand ends of several lines were cut off in the printed copy;
# the endings below are reconstructed from the comment next to each rule
# (the LOG prefix "dropped: " is assumed).
*filter

# 1. Logging.
# 1.1. logdrop chain
-N logdrop
-A logdrop -j LOG --log-prefix "dropped: "
-A logdrop -j DROP

# 2. Set default policies for INPUT, OUTPUT and FORWARD
-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD DROP

# 3. INPUT CHAIN
# 3.0. Allow loopback
-A INPUT -i lo -j ACCEPT
# 3.1. Allow already established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 3.2. log and drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j logdrop
# 3.3. Allow DHCP renew on eth0
-A INPUT -p udp -m udp --dport 68 -i eth0 -j ACCEPT
# 3.4. Allow any connections from lan
-A INPUT -i eth1 -j ACCEPT
# 3.5. Log and drop the rest
-A INPUT -j logdrop

# 4. Forwarding
# 4.0. Allow forwarding from lan to wan
-A FORWARD -i eth1 -o eth0 -j ACCEPT
# 4.1. Allow forwarding from lan to lan
-A FORWARD -i eth1 -o eth1 -j ACCEPT
# 4.2. Allow forwarding from wan to lan
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# 4.4. log and drop the rest in FORWARD
-A FORWARD -j logdrop

COMMIT

*nat

# Set default NAT policies to accept
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT

# 5. NAT
# 5.1. Enable NAT
-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

*raw
COMMIT

edited Jul 17 '15 at 10:12

answered Jul 17 '15 at 10:04 – Andrey Sapegin

The OUTPUT chain on the firewall won't affect forwarded traffic. – MadHatter Jul 17 '15 at 10:06

I agree, still the main idea in my answer is to see what is being dropped. I will fix the answer now. And the config attached is the working configuration example as I have it on my router. – Andrey Sapegin Jul 17 '15 at 10:11

Now that I applied your version, I can't ping or ssh SV-01, but the open ssh connection still works for some reason. – puk Jul 17 '15 at 16:46

Apologies, that was my mistake. I mixed up eth0 with eth1. I know, rookie mistake. Thanks Andrey. Thanks MadHatter – puk Jul 17 '15 at 17:32
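Once a logdrop chain like the one in this answer is in place, every dropped packet becomes one LOG line in kern.log (the file puk refers to in EDIT 3). The following Python is an added example, not code from the thread: it parses such lines (constructed samples embedded; the "dropped: " prefix, and eth1 as LAN / eth0 as WAN, are assumptions) and counts drops per chain, listing LAN-to-WAN flows dropped in FORWARD, which is what a client's failing ping to 8.8.8.8 looks like from the router.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread) in the format the kernel's
# iptables LOG target writes. Interfaces as on the router above: eth1 = LAN,
# eth0 = WAN. "ID=" appears twice on ICMP lines (IP id, then ICMP id); the
# parser keeps the last one. The fourth line is an unrelated kernel message.
SAMPLE_KERN_LOG = """\
Jul 17 16:01:02 SV-01 kernel: [ 9127.421] dropped: IN=eth1 OUT=eth0 MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.66.10 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=2345 SEQ=1
Jul 17 16:01:03 SV-01 kernel: [ 9128.422] dropped: IN=eth1 OUT=eth0 MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.66.10 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=2345 SEQ=2
Jul 17 16:01:05 SV-01 kernel: [ 9130.100] dropped: IN=eth0 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 17 16:01:06 SV-01 kernel: [ 9131.000] usb 1-1: new device
"""

# Optional "[ uptime]" stamp, optional single-word log prefix, then KEY=VALUE fields.
LOG_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>\S+: )?(?P<fields>IN=.*)$")


def parse_log_line(line):
    """Return a dict of the LOG fields, or None for lines that are not iptables LOG output."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {"PREFIX": (m.group("prefix") or "").rstrip(": ")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True  # bare flags such as DF or SYN
    return fields


def classify_chain(fields):
    """Infer the chain from IN/OUT: both set = FORWARD, only IN = INPUT, else OUTPUT."""
    if fields.get("IN") and fields.get("OUT"):
        return "FORWARD"
    return "INPUT" if fields.get("IN") else "OUTPUT"


def summarize_drops(text, lan_if="eth1", wan_if="eth0"):
    """Count drops per chain and list the LAN->WAN flows that were dropped:
    those are the client packets that never make it to the internet."""
    per_chain = Counter()
    lan_to_wan = []
    for line in text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        per_chain[classify_chain(fields)] += 1
        if fields.get("IN") == lan_if and fields.get("OUT") == wan_if:
            lan_to_wan.append((fields["SRC"], fields["DST"], fields.get("PROTO", "?")))
    return per_chain, lan_to_wan
```

Run it over a real kern.log and a non-empty LAN-to-WAN list means the FORWARD rules, not the client's route, are what to look at; an empty list with the symptom persisting points back at routing or DNS.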

The client has no default route via your router box. Try

route add -net default gw a.b.c.d

on the client, where a.b.c.d is the client-facing address of the firewall.

answered Jul 17 '15 at 8:03 – MadHatter

That made some progress (in a moment I will update the question to show the new netstat -rn output), now it at least tries to ping google.com, but fails after a few seconds – puk Jul 17 '15 at 8:07

Can you show us that, too? The nature of the failure is important. – MadHatter Jul 17 '15 at 9:48

ping www.google.com tries for 10-15s then outputs ping: unknown host www.google.com. ping 8.8.8.8 outputs PING 8.8.8.8 (8.8.8.8) 56 (84) bytes of data then just hangs and I have to issue a CTL+C and for ping statistics it outputs 163 packets transmitted, 0 received, 100% packet loss, time 163294 ms – puk Jul 17 '15 at 16:04

What settings do I have to change on the server such that I don't have to issue this command on every client? For example, on one of my windows machines I can't access the internet because this default gateway is not set (strangely, it is setting it to 192.158.66.254) – puk Jul 17 '15 at 22:50
