Hello Everyone,
I'm trying to learn and practice networking in Linux, and I've bought the Linux Networking Cookbook (by the way, an excellent book). But I've found an issue (probably my own mistake) that I wasn't able to track down or solve.
I'm able to set up NAT with iptables easily, and it works great. But however I try, I can't make the changes persistent. When I boot the virtual machine, the NAT service does not come back. I'll describe in more detail what I've done.
Structure: the gateway machine runs Fedora 18 in a VirtualBox environment. This virtual machine is connected to 2 virtual network interfaces: eth0, which is connected directly to my real machine, and eth1, which is connected to the virtual LAN (with the other 2 VMs, the Fedora 18 "client" and the Windows XP "client").
1: I've successfully installed dhcpd on the gateway. This service works fine!
2: I've added a few parameters to /etc/sysctl.conf:
Code:
# the key must be spelled ip_forward: sysctl -p rejects unknown keys and leaves forwarding off
net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
3: I've created /usr/local/bin/fw_nat and filled it with the following (I've also changed its permissions to 0700):
Code:
#!/bin/sh
##/usr/local/bin/fw_nat
#iptables firewall script for sharing
#broadband Internet, with no public services
#define variables
ipt="/sbin/iptables"
mod="/sbin/modprobe"
LAN_IFACE="eth1"
WAN_IFACE="eth0"
#basic set of kernel modules, using the names valid since kernel 2.6.20
#(the older ip_conntrack / ip_nat_* / ipt_state names no longer exist on a
#Fedora 18 kernel; modprobe would just print errors for them). The conntrack
#match used below autoloads nf_conntrack anyway, so these are belt and braces.
$mod ip_tables
$mod nf_conntrack
$mod iptable_filter
$mod iptable_nat
$mod iptable_mangle
$mod xt_LOG
$mod xt_limit
$mod xt_state
$mod ipt_MASQUERADE
#add these for IRC and FTP (connection-tracking helpers and their NAT parts)
$mod nf_nat_ftp
$mod nf_nat_irc
$mod nf_conntrack_ftp
$mod nf_conntrack_irc
# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -X
$ipt -t nat -X
$ipt -t mangle -X
#Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT
#this line is necessary for the loopback interface
#and internal socket-based services to work correctly
$ipt -A INPUT -i lo -j ACCEPT
#Enable IP masquerading: rewrite the source of everything leaving on the WAN
#side to the gateway's own address (needs net.ipv4.ip_forward=1 to do anything)
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
#Enable unrestricted outgoing traffic, incoming
#is restricted to locally-initiated sessions only
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
#Reject connection attempts not initiated from inside the LAN
#(the INPUT policy of DROP already covers this; kept as an explicit rule)
$ipt -A INPUT -p tcp --syn -j DROP
4: I've run, as root:
Code:
#/sbin/sysctl -p
#/usr/local/bin/fw_nat
And it works great: my DHCP clients were able to access the internet without any problems. After that, I added two more scripts, fw_flush and fw_status; here they are (both had their permissions changed to 0700):
/usr/local/bin/fw_flush
Code:
#!/bin/sh
##/usr/local/bin/fw_flush
#flush script, which deletes all active rules
#and chains, and resets default policies to "accept"
#this is like having no firewall at all
#define variables
ipt="/sbin/iptables"
echo "The firewall is now being shut down. All policies are set to
ACCEPT, all rules and chains are deleted, all counters are set to zero."
#Set default policies to ACCEPT everything
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P INPUT ACCEPT
$ipt -t mangle -P OUTPUT ACCEPT
$ipt -t mangle -P FORWARD ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT
#Zero out all counters
$ipt -Z
$ipt -t nat -Z
$ipt -t mangle -Z
# Flush all rules, delete all chains
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
Code:
#!/bin/sh
##/usr/local/bin/fw_status script
#displays all active rules and chains
#define variables
ipt="/sbin/iptables"
echo "These are the currently active rules, chains, and packet and
bytecounts:"
$ipt -t filter -L -v --line-numbers
$ipt -t nat -L -v --line-numbers
$ipt -t mangle -L -v --line-numbers
5: Both of them work just fine. Then I added /etc/init.d/firewall:
Code:
#!/bin/sh
##/etc/init.d/firewall
# simple start-stop init script for iptables
# start builds the firewall, stop flushes
# all rules and resets default policies to ACCEPT
# restart runs the stop and then the start commands
# status displays all active rules, and packet and byte counters
# chkconfig: 2345 01 99
# description: iptables NAT firewall built by /usr/local/bin/fw_nat
startfile="/usr/local/bin/fw_nat"
stopfile="/usr/local/bin/fw_flush"
statusfile="/usr/local/bin/fw_status"
case "$1" in
start)
echo "Starting $startfile: iptables is now starting up"
/bin/sh $startfile start
;;
stop)
echo "Stopping $stopfile: iptables is now stopped, all rules and
chains are flushed, and default policies are set to ACCEPT"
/bin/sh $stopfile stop
;;
status)
/bin/sh $statusfile status
;;
restart)
/bin/sh $stopfile stop
echo "The firewall has stopped."
/bin/sh $startfile start
echo "The firewall has now restarted."
;;
*)
echo "Usage: $0 {start|stop|status|restart}"
exit 1
;;
esac
exit 0
6: Then I tried to add it to the boot sequence with chkconfig:
#chkconfig --add firewall
#chkconfig firewall on
7: Then I checked chkconfig --list, and here's the output:
[root@localhost admin]# chkconfig --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
Code:
ebtables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
firewall 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iscsi 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
livesys 0:off 1:off 2:off 3:on 4:on 5:on 6:off
livesys-late 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:off 3:off 4:off 5:off 6:off
8: But after the reboot, NAT forwarding does not work (only if I run fw_nat again, manually).
Can anyone help me?
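Two things are worth checking on a gateway like this after a reboot, and they are the same two things that decide whether the rules survive on a systemd host. First, sysctl -p silently skips a misspelled key, so a /etc/sysctl.conf line reading ip_foward (as posted) leaves net.ipv4.ip_forward at 0 after boot, and the MASQUERADE rule is installed but never used. Second, Fedora 18 enables firewalld by default; it is a native systemd service, it is not listed by chkconfig --list (hence the note about SysV services only), and when it starts it installs its own rule set, after a SysV script with start priority 01 has already run. The script below is an added example, not code from the post or from the Linux Networking Cookbook. It parses constructed sample output first so the checks can be exercised anywhere; with the argument check it runs against the live gateway, and with install it writes a native unit (fw_nat.service, an assumed name) that replaces the SysV script and conflicts with firewalld and iptables.service. It assumes iptables-save, sysctl and systemctl are in PATH and that fw_nat and fw_flush exist at the paths given in the post.

```shell
#!/bin/sh
# fw_check: post-boot checks for the fw_nat gateway plus a native systemd
# unit that replaces /etc/init.d/firewall. Added example, not from the post.
#
# Assumptions (not stated on the page): iptables-save, sysctl and systemctl
# are in PATH, and /usr/local/bin/fw_nat and fw_flush exist as posted.

WAN_IFACE="eth0"

# Constructed sample of `iptables-save` output right after fw_nat has run.
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# Constructed sample of what is left once another service (firewalld on a
# default Fedora 18 install) has installed its own rule set. Chain names are
# illustrative only, not exact firewalld output.
SAMPLE_REPLACED='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING_ZONES - [0:0]
-A POSTROUTING -j POSTROUTING_ZONES
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# ip_forward_enabled "<line printed by: sysctl net.ipv4.ip_forward>"
# True only for the correctly spelled key set to 1.
ip_forward_enabled() {
    _v=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.ip_forward *= *\([0-9]*\).*/\1/p')
    [ "$_v" = "1" ]
}

# masq_rule_present "<iptables-save output>"
# True if the nat table's POSTROUTING chain masquerades out of $WAN_IFACE.
masq_rule_present() {
    printf '%s\n' "$1" | awk -v wan="$WAN_IFACE" '
        /^\*nat$/  { innat = 1; next }
        /^COMMIT$/ { innat = 0 }
        innat && $1 == "-A" && $2 == "POSTROUTING" {
            oif = 0
            for (i = 3; i < NF; i++) if ($i == "-o" && $(i+1) == wan) oif = 1
            if (oif && $(NF-1) == "-j" && $NF == "MASQUERADE") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# forward_policy "<iptables-save output>"  -> prints the filter FORWARD policy
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*filter$/ { inf = 1; next }
        /^COMMIT$/   { inf = 0 }
        inf && $1 == ":FORWARD" { print $2; exit }'
}

# unit_text: native unit that builds the firewall after the network is up and
# declares a conflict with the services that would otherwise overwrite it.
unit_text() {
    cat <<'EOF'
[Unit]
Description=iptables NAT gateway (fw_nat)
After=network.target
Conflicts=firewalld.service iptables.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh /usr/local/bin/fw_nat
ExecStop=/bin/sh /usr/local/bin/fw_flush

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
check)
    ip_forward_enabled "$(sysctl net.ipv4.ip_forward 2>/dev/null)" \
        && echo "ip_forward: on" || echo "ip_forward: OFF (check the key spelling in /etc/sysctl.conf)"
    _save=$(iptables-save 2>/dev/null)
    masq_rule_present "$_save" && echo "MASQUERADE via $WAN_IFACE: present" \
        || echo "MASQUERADE via $WAN_IFACE: MISSING (rules flushed or never loaded)"
    echo "FORWARD policy: $(forward_policy "$_save")"
    for u in firewalld.service iptables.service; do
        echo "$u: $(systemctl is-active "$u" 2>/dev/null)"
    done
    ;;
install)
    unit_text > /etc/systemd/system/fw_nat.service
    systemctl disable firewalld.service; systemctl stop firewalld.service
    chkconfig firewall off 2>/dev/null      # retire the SysV script
    systemctl daemon-reload
    systemctl enable fw_nat.service && systemctl start fw_nat.service
    ;;
esac
```

Run sh fw_check check as root right after a reboot: if ip_forward reports OFF the sysctl.conf line is the problem; if the MASQUERADE rule is MISSING while firewalld.service reports active, firewalld has replaced the rule set. The Conflicts= line only makes systemd stop the other service when fw_nat.service starts; if both stay enabled they race at boot, which is why install disables firewalld explicitly rather than relying on the conflict.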