Tiny Core Linux
General TC => General TC Talk => Topic started by: Ellus on February 06, 2012, 05:05:08 PM
-
Hello there,
I created IPtables (including MASQUERADE) rules and saved them in a script that gets executed on startup by adding a line for it to bootlocal.sh.
Now the Internet interface eth0 is not coming up until I execute "sudo ifconfig eth0 up"; only then does everything work fine.
P.S.: eth0 comes up OK when I start the machine without the IPtables rules script.
I think the IPtables script execution should be delayed until eth0 is up (something like putting it in /etc/network/if-up.d/ in Debian).
Please let me know how to do that in TCL.
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
-
Put a sleep before it in bootlocal.sh, or poll for the network state, many other ways.
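A worked version of the "poll for the network state" suggestion, written as an added example for this thread (it is not code posted by anyone in it). The interface check reuses the same "ifconfig IFACE | grep -q 'inet addr'" test that Tiny Core's /etc/init.d/dhcp.sh uses, so it reports success exactly when dhcp.sh would, and the helper script path /opt/wait-for-net.sh and the firewall script path /opt/firewall.sh are assumed names:

```shell
#!/bin/sh
# Added example: wait for an interface to get an address before running the
# firewall script from /opt/bootlocal.sh, instead of a blind "sleep".

# wait_until SECS CMD [ARGS...]: run CMD once per second until it succeeds or
# SECS seconds have passed. Returns 0 on success, 1 on timeout.
wait_until() {
    secs=$1; shift
    while [ "$secs" -gt 0 ]; do
        if "$@"; then
            return 0
        fi
        secs=$((secs - 1))
        sleep 1
    done
    return 1
}

# iface_has_addr IFACE: true once the interface has an IPv4 address.
# Same check as Tiny Core's dhcp.sh (busybox ifconfig prints "inet addr:").
iface_has_addr() {
    ifconfig "$1" 2>/dev/null | grep -q "inet addr"
}

# iface_is_up IFACE: weaker check, true as soon as the link is operationally up
# (sysfs operstate), even before DHCP has assigned an address.
iface_is_up() {
    [ -r "/sys/class/net/$1/operstate" ] &&
        [ "$(cat "/sys/class/net/$1/operstate")" = "up" ]
}

# main IFACE SECS CMD [ARGS...]: wait for IFACE, then run CMD; give up with a
# message on stderr if the interface never comes up, so the rules are not
# silently skipped.
main() {
    iface=$1; limit=$2; shift 2
    if wait_until "$limit" iface_has_addr "$iface"; then
        echo "$iface is up, applying firewall rules"
        "$@"
    else
        echo "$iface did not get an address within ${limit}s; rules NOT applied" >&2
        return 1
    fi
}

# Usage from /opt/bootlocal.sh (backgrounded so boot is not blocked; assumed paths):
#   /opt/wait-for-net.sh eth0 60 /opt/firewall.sh &
if [ $# -ge 3 ]; then
    main "$@"
fi
```

Because the wait runs in the background, the rest of bootlocal.sh continues; if 60 seconds pass without an address the failure is logged rather than leaving the rules applied against an interface that never appeared.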
-
Thank you
-
CentOS starts iptables before starting the network.
This is to ensure that there is no period during startup in which no firewall is in effect.
I would recommend you do the same.
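Loading the rules before the network comes up works because iptables matches interfaces by name and does not need the device to exist when a rule is added. The script below is an added example for this thread, not a script posted in it: it emits the second script's ruleset (eth0 outside, eth1 LAN) in iptables-restore format so that the chain policies are set in the same atomic load as the rules, closing the gap that rule-by-rule "iptables -A" calls leave while the script runs. Note that neither script in the thread sets a default policy, so their INPUT chain still falls through to the kernel default ACCEPT; the explicit DROP policies here are an addition.

```shell
#!/bin/sh
# Added example: build the thread's NAT/firewall ruleset for iptables-restore,
# policies first, loaded atomically and safe to run before eth0 exists.

WAN=${WAN:-eth0}   # Internet side (as in the second script of the thread)
LAN=${LAN:-eth1}   # LAN side

# build_rules: print the complete ruleset on stdout in iptables-save syntax.
# Policies are declared before any -A line and every table ends with COMMIT.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $WAN -o $LAN -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# line_of TEXT: 1-based line number of the first ruleset line containing TEXT
# (empty if absent). Used to verify that policies precede the rules.
line_of() {
    build_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# apply_rules: load conntrack/NAT modules, enable forwarding, then replace
# the filter and nat tables in one atomic step (iptables-restore flushes the
# old rules itself, so no separate -F/-X pass is needed).
apply_rules() {
    modprobe -q iptable_nat
    modprobe -q nf_conntrack_ipv4
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | iptables-restore
}

# Usage: ./firewall.sh apply   (run as root, e.g. early in /opt/bootlocal.sh)
#        ./firewall.sh show    (print the ruleset without loading it)
case "$1" in
    apply) apply_rules ;;
    show)  build_rules ;;
esac
```

Running "show" first and reading the output is a cheap review step; "iptables-restore" rejects a ruleset with a syntax error as a whole, so a typo can no longer leave the tables half-loaded.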
-
Can anybody explain why the NIC is not coming up after these rules (I use the same on my router btw ;))?
-
Can anybody explain why the NIC is not coming up after these rules (I use the same on my router btw ;))?
Hi Hiro,
As you can see from the code below, I've changed the place of (echo 1 > /proc/sys/net/ipv4/ip_forward) to be before the IPtables rules.
It's working just fine now; I don't know whether this is the reason or something else.
Please let me know once you try it.
#!/bin/sh
# Begin basic-firewall
#
# This is a very basic firewall for normal users.
# It blocks all incoming traffic, allows all outgoing,
# and only allows incoming stuff when you started it (ie browsing)
# Insert connection-tracking modules
modprobe -q iptable_nat
modprobe -q nf_conntrack_ipv4
modprobe -q nf_conntrack_ftp
modprobe -q ipt_LOG
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
-
I'm just interested, not affected.
It could be a bug in tinycore.
Would you please look at the /etc/init.d/dhcp.sh file and try it one line at a time, especially the ifconfig $DEVICE | grep -q "inet addr" line.
-
I'm just interested, not affected.
It could be a bug in tinycore.
Would you please look at the /etc/init.d/dhcp.sh file and try it one line at a time, especially the ifconfig $DEVICE | grep -q "inet addr" line.
Out of about 18 reboots, 4 times eth0 did not come up, but if you wait 2-3 minutes it comes up on its own and then gets an IP.
The dhcpc part of dhcp.sh keeps pending until eth0 comes up, then it gets an IP, as ifconfig $DEVICE | grep -q "inet addr" returns 1 until then.
I hope my interpretation of the whole process is correct.
-
Then I still don't understand why the place of echo 1 > /proc/sys/net/ipv4/ip_forward should be in any way related to that problem.
-
Then I still don't understand why the place of echo 1 > /proc/sys/net/ipv4/ip_forward should be in any way related to that problem.
If we both understand my last post then obviously it has nothing to do with it ;)