Per Jessen wrote:
No iptables rules are set.
Thanks for your help, everyone – there is something basic missing here; I suspect operator error.
---- This is a script that I use to setup and shutdown my ip masquerade on demand... It's a continual work in progress -- (i.e. I run into another need and add more to it..) It's structured as an 'RC' script so you can use it at start stop. It isn't respectful of firewalls or such.. (as I don't usually run one)... It's currently setup to deal with 2 inside ethernet ports that both will be forwarded to my outside port. Right now, you have to specify the ethernet ports -- planned to have it find them but not done yet... At least it does automatically try to pick up the right addresses... Any Q's I'll try to answer -- not guaranteeing perfection!!! It's not real long or complex, so it shouldn't be too hard to understand and modify to your needs.... I have never used ip6tables before, -- so there is only very basic support for it included...(trying to setup frame work as I write, for future needs)... -------------- /etc/rc.d/masquerade script... #!/bin/bash -eu #include standard template: # gvim=:noSetNumberAndWidth #rm 'no' to activate in gvim, '=:' is not error _prgpth="${0:?}"; _prg="${_prgpth##*}"; _prgdr="${_prgpth%/$_prg}" [[ -z $_prgdr || $_prg == $_prgdr ]] && $_prgdr="$PWD" export PATH="$_prgdr:$_prgdr/lib:$PATH" shopt -s expand_aliases extglob sourcepath ; set -o pipefail # # V 1.0 of masquerade -- based some other version... 
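# a work in progress...(linda walsh) suse(at)tlinx(dot)org
# source {errnos,stdlib}.shlib
#full trace support:
#export PS4='>>${BASH_SOURCE:+${BASH_SOURCE[0]}}#${LINENO}${FUNCNAME:+(${FUNCNAME[0]})}> '
#
# NOTE(review): the preamble above this point prepends the script's own
# directory (and, on its fallback branch, $PWD) to PATH for a script that runs
# as root.  An init script should pin PATH to a fixed trusted value instead
# (e.g. /sbin:/usr/sbin:/bin:/usr/bin).  Also `${_prgpth##*}` strips the whole
# string (should be `##*/`), and `$_prgdr="$PWD"` is not an assignment in bash.
### BEGIN INIT INFO
# Provides:          masquerade
# Required-Start:    $network
# Should-Start:
# Required-Stop:
# Should-Stop:
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: setup masquerade rules with fw drop rules for forwarded traffic
# Description:       Enables IPv4 forwarding and installs FORWARD / nat
#                    POSTROUTING rules so hosts on the internal interfaces are
#                    masqueraded behind the external interface.  Only the
#                    FORWARD chain and nat POSTROUTING are touched: nothing is
#                    added to INPUT, so the gateway host itself is NOT
#                    protected by this script.
### END INIT INFO
#
# Check for missing binaries (stale symlinks should not happen)
# we use iptables to do our work, so check for it.
Have_ip6tables=0
external_intf="eth2"
internal_intf="eth0 eth1"

test -x /usr/sbin/iptables || {
  echo "iptables4 not installed" >&2
  exit 5   # LSB: program is not installed
}
# IPv6 mirroring stays off.  Every rule below is IPv4-specific (an IPv4 -s
# network, the nat MASQUERADE target), so replaying it through ip6tables would
# fail and abort the script under set -e.  The original detection line
# (`test -x /usr/sbin/ip6tables && test -e /proc/sys/net/ipv6 || Have_ip6tables=0`)
# assigned 0 on both branches, so it never enabled mirroring either.  Set
# Have_ip6tables=1 only once ip6tables has its own rule set; note that this
# script also never touches /proc/sys/net/ipv6/conf/*/forwarding.

# Run iptables (and, only when mirroring is enabled, ip6tables) with the same
# argument list.  Callers pass interface names and networks as separate words,
# never as a pre-built command string, so nothing here is re-parsed by the shell.
# Returns: the status of the first command that fails, else 0
function iptables {
  sudo /usr/sbin/iptables "$@" || return
  (( Have_ip6tables )) || return 0
  sudo /usr/sbin/ip6tables "$@"
}

# TBD - try to auto-determine what intfs to use (currently an unused stub).
function ip_addr_parse {
  local -A ip_addrs
}

sys_ipv4_fwd_file=/proc/sys/net/ipv4/ip_forward

# Write a 0/1 flag into a /proc/sys file as root WITHOUT building a shell
# command string: the value travels over tee's stdin instead of being
# interpolated into `bash -c "echo ... > ..."`.
# Arguments: $1 - /proc path to write, $2 - value, which must be exactly 0 or 1
# Returns:   1 on a bad value, otherwise tee's status
function write_sysctl_flag {
  local file="$1" value="$2"
  if [[ $value != 0 && $value != 1 ]]; then
    echo "Error: refusing to write \"$value\" to $file (expected 0 or 1)" >&2
    return 1
  fi
  printf '%s' "$value" | sudo tee "$file" >/dev/null
}

# Get/set system-wide IPv4 forwarding.
# Arguments: $1 (optional) - new value, 0 or 1
# Outputs:   the current value of $sys_ipv4_fwd_file on stdout
function ipf {
  if (( $# > 0 )); then
    write_sysctl_flag "$sys_ipv4_fwd_file" "$1" || {
      local stat=$?
      echo "Error setting system ipv4 ip forwarding" >&2
      return $stat
    }
  fi
  cat "$sys_ipv4_fwd_file"
}

# Get/set per-interface IPv4 forwarding.
# Arguments: $1 - interface name; $2 (optional) - new value, 0 or 1
# The name becomes a path component under /proc/sys/net/ipv4/conf, so it is
# restricted to the characters an interface name can contain before use.
# Outputs:   the current value of the interface's forwarding flag on stdout
function ipi {
  local intf="$1"; shift
  if [[ -z $intf || $intf == *[!A-Za-z0-9_.:-]* ]]; then
    echo "Error: bad interface name \"$intf\"" >&2
    return 1
  fi
  local intf_fwd_file="/proc/sys/net/ipv4/conf/$intf/forwarding"
  if (( $# > 0 )); then
    write_sysctl_flag "$intf_fwd_file" "$1" || {
      local stat=$?
      echo "Error setting interface forwarding" >&2
      return $stat
    }
  fi
  cat "$intf_fwd_file"
}

#external interfaces (could be multiple, but not well tested)
declare -a ExtIntf
read -r -a ExtIntf <<<"$external_intf"
#internal
declare -a IntIntf
read -r -a IntIntf <<<"$internal_intf"

# Networks directly attached to the internal interfaces, WITH their prefix
# length (e.g. 192.168.3.0/24).  They feed the anti-spoofing rule in
# start_masquerade.  The original took eth0 only and cut the "/24" off, so
# `-s 192.168.3.0` matched just that single address and spoofed packets from
# the rest of the subnet arriving on the external interface were forwarded.
#IntNets="192.168.3.0"
declare -a IntNets=()
for ea in "${IntIntf[@]}"; do
  while IFS= read -r net; do
    IntNets+=("$net")
  done < <(ip route | awk -v dev="$ea" '$2 == "dev" && $3 == dev && / proto kernel / { print $1 }')
done
if (( ${#IntNets[@]} == 0 )); then
  echo "No directly attached network found on ${IntIntf[*]}; nothing to masquerade" >&2
  exit 6   # LSB: program is not configured
fi

# Set (or, with no argument, just report) IPv4 forwarding on the system and on
# every interface this script manages; when setting, the FORWARD chain policy
# follows the state so that nothing is forwarded while forwarding is "off"
# even if a stray ACCEPT rule is left behind.
# Arguments: $1 (optional) - 0 to disable, 1 to enable
# Returns:   1 on a bad argument or a failed /proc write, otherwise 0
function set_forwarding_state {
  local -a ifs=( "${ExtIntf[@]}" "${IntIntf[@]}" )
  local -a forward_policy=(DROP ACCEPT)
  local ea val
  if (( $# > 0 )); then
    if [[ $1 != 0 && $1 != 1 ]]; then
      echo "Error: set_forwarding_state called with state=\"$1\". Must be 0 or 1." >&2
      return 1
    fi
    # Capture each write separately: a failed write is an error, not just
    # noise inside an echo's command substitution.
    val=$(ipf "$1") || return
    echo "IPV4 Forwarding: $val"
    for ea in "${ifs[@]}"; do
      val=$(ipi "$ea" "$1") || return
      echo "Interface fwd $ea: $val"
    done
    iptables --policy FORWARD "${forward_policy[$1]}"
  else
    echo "IPV4 Forwarding: $(ipf)"
    for ea in "${ifs[@]}"; do
      echo "Interface fwd $ea: $(ipi "$ea")"
    done
  fi
  # -n avoids a reverse-DNS lookup per rule; sed reads the whole listing so
  # iptables never sees a closed pipe (pipefail + set -e would abort on it).
  iptables --list FORWARD -n | sed -n 1p
  return 0
}

# /proc files whose values save_current_settings records
setlist="$sys_ipv4_fwd_file"
# add fwding interfaces to setlist
declare -a fwlist=("${ExtIntf[@]}" "${IntIntf[@]}")
for ea in "${fwlist[@]}"; do
  setlist="$setlist /proc/sys/net/ipv4/conf/$ea/forwarding"
done

saved_settings="/var/run/masquerade/saved_proc_settings"
# Marker for "this boot": a settings file older than it is stale.
# NOTE(review): presumably /var/log/boot.omsg (SUSE's previous boot message
# log) was meant; the original "/var/logboot.omsg" cannot exist, and with a
# missing right-hand file `-ot` is false, so the staleness test never fired.
# Confirm on the target system.
boot_time_file="/var/log/boot.omsg"

# Re-apply the /proc values recorded by save_current_settings, but only if
# they were written during this boot; an older file is truncated instead.
# The file is executed by the shell as root, so it is only sourced when it is
# a regular (non-symlink) file owned by the current user.
function restore_saved_settings {
  [[ -e $saved_settings ]] || return 0
  if [[ $saved_settings -ot $boot_time_file ]]; then
    : > "$saved_settings"
    return 0
  fi
  if [[ -L $saved_settings || ! -f $saved_settings || ! -O $saved_settings ]]; then
    echo "Refusing to source $saved_settings: not a regular file owned by us" >&2
    return 1
  fi
  . "$saved_settings"
}

# Record the current value of every /proc file in $setlist as a shell line
# that writes it back, so restore_saved_settings can source the file.
# This only reads the proc files; enabling forwarding is set_forwarding_state's
# job (the original also wrote 1 into each file while "saving").  Directory
# and file are created mode 0700/0600 since the file is later sourced as root.
function save_current_settings {
  local proc_var oval old_umask
  old_umask=$(umask)
  umask 077
  mkdir -p "${saved_settings%/*}"
  {
    echo "# Settings saved at $(date)"
    for proc_var in $setlist; do
      oval=$(<"$proc_var")
      printf 'echo -n %q >%q\n' "$oval" "$proc_var"
    done
  } >"$saved_settings"
  umask "$old_umask"
}

# Check for existence of config file and read it.  It is sourced (executed) as
# root, so it must be owned by us.  Note it is read AFTER ExtIntf/IntIntf/
# IntNets were built, so setting external_intf/internal_intf in it has no
# effect; edit those at the top of this script instead.
MASQUERADE_CONFIG="/etc/sysconfig/masquerade"
if [[ -r $MASQUERADE_CONFIG ]]; then
  if [[ -L $MASQUERADE_CONFIG || ! -O $MASQUERADE_CONFIG ]]; then
    echo "Refusing to source $MASQUERADE_CONFIG: not a regular file owned by us" >&2
    exit 6   # LSB: program is not configured
  fi
  . "$MASQUERADE_CONFIG"
fi

# Install the rule set.  Rules are APPENDED to whatever is already in FORWARD
# and nat POSTROUTING (the script is not firewall-aware), in this order:
#   1. anti-spoofing: drop anything arriving on an external interface that
#      claims an internal source network
#   2. never forward external -> external
#   3. external -> internal only for ESTABLISHED/RELATED; internal -> external
#      unconditionally
#   4. a final catch-all DROP, then MASQUERADE on each external interface
# and finally turn forwarding on.
function start_masquerade {
  local net ext extp1 extp2 intp1
  for net in "${IntNets[@]}"; do
    for ext in "${ExtIntf[@]}"; do
      iptables -A FORWARD -i "$ext" -s "$net" -j DROP
    done
  done
  for extp1 in "${ExtIntf[@]}"; do
    for extp2 in "${ExtIntf[@]}"; do
      iptables -A FORWARD -i "$extp1" -o "$extp2" -j DROP
    done
  done
  for extp1 in "${ExtIntf[@]}"; do
    for intp1 in "${IntIntf[@]}"; do
      iptables -A FORWARD -i "$extp1" -o "$intp1" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A FORWARD -i "$intp1" -o "$extp1" -j ACCEPT
    done
  done
  iptables -A FORWARD -j DROP
  for extp1 in "${ExtIntf[@]}"; do
    iptables -t nat -A POSTROUTING -o "$extp1" -j MASQUERADE
    # Redundant (nat's default policy is ACCEPT) but kept so stop_masquerade
    # removes exactly what start_masquerade added.
    iptables -t nat -A POSTROUTING -j ACCEPT
  done
  set_forwarding_state 1
}

# Turn forwarding off first (policy goes to DROP), then delete the rules in
# the reverse of the order start_masquerade added them.  Each -D fails if the
# rule is absent, which under set -e ends the script.
function stop_masquerade {
  local net ext extp1 extp2 intp1
  set_forwarding_state 0
  for extp1 in "${ExtIntf[@]}"; do
    iptables -t nat -D POSTROUTING -o "$extp1" -j MASQUERADE
    iptables -t nat -D POSTROUTING -j ACCEPT
  done
  iptables -D FORWARD -j DROP
  for extp1 in "${ExtIntf[@]}"; do
    for intp1 in "${IntIntf[@]}"; do
      iptables -D FORWARD -i "$extp1" -o "$intp1" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
      iptables -D FORWARD -i "$intp1" -o "$extp1" -j ACCEPT
    done
  done
  for extp1 in "${ExtIntf[@]}"; do
    for extp2 in "${ExtIntf[@]}"; do
      iptables -D FORWARD -i "$extp1" -o "$extp2" -j DROP
    done
  done
  for net in "${IntNets[@]}"; do
    for ext in "${ExtIntf[@]}"; do
      iptables -D FORWARD -i "$ext" -s "$net" -j DROP
    done
  done
}

# Print the chains this script manages plus the forwarding flags.
function status_masquerade {
  # -n: numeric output; a reverse-DNS lookup per rule can stall an init
  # script when the resolver is unreachable.
  iptables -t nat -L POSTROUTING -n
  iptables -L FORWARD -n
  echo ""
  set_forwarding_state
}

# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.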
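# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
# rc.status is not written for set -eu, so relax both while sourcing it.
set +eu
. /etc/rc.status
set -eu

# Reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - user had insufficient privileges
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.

#echo "Groups: (${!_GROUPS_[@]}) = (${_GROUPS_[@]})"
#echo "EUID=$EUID"
# Everything below writes /proc and the netfilter tables, so insist on root.
# The original also consulted _GROUPS_[wheel], but _GROUPS_ is never populated
# in this script (its stdlib source line is commented out), so that test always
# reduced to "EUID is 0".
if (( EUID != 0 )); then
  echo "Please Rerun as root" >&2
  rc_failed 4   # LSB: user had insufficient privileges
  rc_status -v
  rc_exit
fi

# Running as root, `sudo` is a plain pass-through.  A function rather than the
# original `alias sudo=eval`: aliases expand when a function body is parsed,
# and iptables/ipf/ipi above were parsed before the alias existed (so they
# called the real sudo regardless), while eval would re-parse interface names
# and networks from `ip route` as shell code.  Functions are looked up at call
# time, so this one is honoured.
sudo() { "$@"; }

# ${1:-help} is never empty, so no further "?" fallback is needed.
arg="${1:-help}"

case "$arg" in
  start)
    echo -n "Starting MASQUERADE "
    start_masquerade
    # Remember status and be verbose
    rc_status -v
    ;;
  stop)
    echo -n "Stopping MASQUERADE "
    stop_masquerade
    # Remember status and be verbose
    rc_status -v
    ;;
  restart)
    ## Stop the service and regardless of whether it was
    ## running or not, start it again.  The script runs under set -e and
    ## stop_masquerade's -D calls fail when the rules are absent, so the
    ## stop's status is deliberately ignored here.
    "$0" stop || true
    "$0" start
    # Remember status and be quiet
    rc_status
    ;;
  status)
    echo -e "MASQUERADE relevant iptable rules:\n"
    status_masquerade
    rc_status -v
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart}" >&2
    exit 2   # LSB: invalid or excess argument(s)
    ;;
esac
rc_exit
# vim: ts=2 sw=2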