Very Computer

[INTERNET]<-->(eth0)[PC1](eth1)<--->(eth0)[PC2]

On PC1:
       eth0: 192.168.0.1 (with a cable to the modem)
       eth1: 192.168.1.1 (with a crossed cable to PC2)

On PC2:
       eth0: 192.168.1.2 (with a crossed cable to PC1)

iptables is configured via the following script:

-------- START SCRIPT -----------
#!/bin/bash
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE
# Load the most important modules (NAT e MASQUERADE are mandatory!)
#.....
#.....

echo '0' > /proc/sys/net/ipv4/ip_forward
# No IP forward for now...

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Add a rule to the postrouting chain
# every packet going out through ppp0 must be masked

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept every packet that belongs to connections already
# established or related to them

iptables -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
# accept the traffic generated by the local net

iptables -A FORWARD -j DROP
# anything else is dropped

echo '1' > /proc/sys/net/ipv4/ip_forward
# now we can forward the connection

---------- END SCRIPT -------------

this is the result of /sbin/ifconfig

------------ /sbin/ifconfig---------------
eth0      Link encap:Ethernet  HWaddr 00:40:F4:97:AD:B0
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::240:f4ff:fe97:adb0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5324543 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6272147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3141935438 (2.9 GiB)  TX bytes:4170449394 (3.8 GiB)
          Interrupt:17 Base address:0xf00

eth1      Link encap:Ethernet  HWaddr 00:20:ED:28:F2:6A
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::220:edff:fe28:f26a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7435 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6390 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1263495 (1.2 MiB)  TX bytes:5152233 (4.9 MiB)
          Interrupt:17 Base address:0x2e00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11152 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11152 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:655844 (640.4 KiB)  TX bytes:655844 (640.4 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:XXX.XXX.XXX.XXX P-t-P:XXX.XXX.XXX.XXX
          Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST
          MTU:1492  Metric:1 RX packets:1494583 errors:0 dropped:0
          overruns:0 frame:0 TX packets:1686118 errors:0 dropped:0
          overruns:0 carrier:0 collisions:0 txqueuelen:3 RX
          bytes:988981980 (943.1 MiB)  TX bytes:825238709 (787.0 MiB)

-------------------- end /sbin/ifconfig ------------------

Why I can see only few sites and ping them all? It makes non sense to me.
I hope somebody can help me, thank you in advance,
Fabio

Quote:>I've got a strange problem with IP Masquerade:
>PC1 is connected to internet and PC2 uses PC1
>as the gateway.
>From PC2 i can ping and even traceroute any URL
>(for example ping and traceroute www.wikipedia.org
>works great) but i can open very few web pages.
>I only can see there 3 sites:
>www.mozilla.org www.beppegrillo.it www.google.com
>but I can't open for example www.yahoo.com and much more.
>More than that is I can use skype from PC2, so I absolutely
>don't have a clue about what to do.

        # clamp MTU for new TCP connections to world
        if [ -n "$MAX_MSS" ]
        then
                iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
                                -j TCPMSS --set-mss $MAX_MSS
        else
                iptables -A egress -p tcp --tcp-flags SYN,RST SYN \
                                -j TCPMSS --clamp-mss-to-pmtu
        fi

Grant.
--
http://bugsplatter.mine.nu/

MASQUERADE  all opt -- in * out ppp0  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT  all opt -- in * out *  192.168.1.0/24  -> 0.0.0.0/0
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
TCPMSS  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  tcp flags:0x06/0x02 TCPMSS set 1380

Anyway i get the same problem:
ping all, watch fews
I've tryied the bing the MTU values of the eth devices to 1380
and the valute of ppp0 (in /etc/ppp/options) to 1412
(1412 is suggested by pppoe-setup), but i didn't resolve
the problem, i really don't know what to do
thank you for your help
Fabio

You filter this shit on INPUT, *not* FORWARD.
In your situation, FORWARD is a trivial case, only interesting in and of
itself when PC1 is a *pure* router, which it isn't.

Assuming you have set DENY on INPUT and ACCEPT on OUTPUT, your effective
rules will now be:

INPUT all interfaces, *including* the internet from PC1, DENY ALL
OUTPUT all interfaces, ACCEPT ALL
FORWARD all interfaces, ACCEPT from 192.168.1.x, DENY the rest.

If you have set ACCEPT on INPUT, on the other hand, you have zero actual
security.

Your PC1 is wide open to the Intarweb in that case.

Change the FORWARD to INPUT in your ruleset and you should be good.

--
All your bits are belong to us.

---- START SCRIPT---------
#!/bin/sh
iptables="/sbin/iptables"
MAX_MSS="1380"

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE

iptables -v -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -v -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -v -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -v -A FORWARD -j DROP

# clamp MTU for new TCP connections to world
if [ -n "$MAX_MSS" ]
then
        iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MAX_MSS
else
        iptables -v -A egress -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi

echo '1' > /proc/sys/net/ipv4/ip_forward

------- END SCRIPT -----------

And here you can see the iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain egress (0 references)
target     prot opt source               destination
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp \
                flags:0x06/0x02 TCPMSS set 1380

and this is iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I can't undestand why I can see, let say www.google.com from
the localnet, and i can't open www.yahoo.com

Hope You can help me,
thank you in advance
Fabio

Quote:> iptables is configured via the following script:
> -------- START SCRIPT -----------

---

#!/bin/bash
modprobe ip_tables
modprobe ipt_state
modprobe ip_conntrack
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe iptable_nat
modprobe ipt_MASQUERADE
modprobe ipt_limit
modprobe ipt_LOG
#modprobe iptable_mangle

iptables -N no-conns-from-ppp0
iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A no-conns-from-ppp0 -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
#-j TCPMSS --clamp-mss-to-pmtu
iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix \
"Bad packet from ppp0:"
iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix \
"Bad packet not from ppp0:"
iptables -A no-conns-from-ppp0 -j DROP

iptables -A INPUT -j no-conns-from-ppp0
iptables -A FORWARD -j no-conns-from-ppp0

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

---

I've used the script but without mangle table PMTU clamping (commented
out) - so no guarantee on that.  Most sites should be accessible with the
PC2 MTU set to 1492 and no clamping.  And if you don't need/want pings
and ping-replies then the lines with icmp-type's 0 and 8 can be dropped.
The lines with other icmp-type's should remain as is.  If LOGging becomes
annoying then just truncate the lines with -m limit in them starting at
-j LOG.

Just for the record, the core of this script was taken from one written
by Rusty Russell.
http://help.phys.unsw.edu.au/doc/HOW-TO/packet-filtering-HOWTO.txt

--
Clifford Kite