Koozali.org: home of the SME Server

masq-manager and/or iptables

brookes

masq-manager and/or iptables
« on: August 14, 2004, 12:47:38 PM »
muzo,

Is it possible to use masq-manager to put holes through the firewall for a different NIC? In my case, a satellite card that needs UDP 9205. I've tried tons of different iptables commands, and while I can see the data hitting the satellite interface, it does not seem to be passed across to the proxy software on the server. Here is a sample of the script I have been using.

# Enable packet forwarding between interfaces
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
# Accept UDP 9205 arriving on the satellite card (sm200d)
iptables -I INPUT 1 -v -p udp -m udp -m state -i sm200d --dport 9205 --state NEW,ESTABLISHED -j ACCEPT
# Allow outbound TCP 9200 over ppp0
iptables -I OUTPUT 1 -v -p tcp -m tcp -m state -o ppp0 --dport 9200 --state NEW,ESTABLISHED -j ACCEPT
# Accept TCP 9202-9203 arriving on eth0 (LAN side)
iptables -I INPUT 1 -v -p tcp -m tcp -m state -i eth0 --dport 9202:9203 --state NEW,ESTABLISHED -j ACCEPT

Could anybody give me some ideas about where I'm going wrong?

Stephan.

Muzo

masq-manager and/or iptables
« Reply #1 on: August 14, 2004, 07:04:44 PM »
Hi brookes,

Yes, you can use masq-manager to put a hole through your firewall. :roll:

Quote
iptables -I INPUT 1 -v -p udp -m udp -m state -i sm200d --dport 9205 --state NEW,ESTABLISHED -j ACCEPT


I have never heard of this interface.

briank
masq-manager and/or iptables
« Reply #2 on: August 14, 2004, 08:56:44 PM »
Stephan - I was about to wrestle with installing my sm200D satellite card. Do you have drivers that will work with the 6.0.1 kernel, and if so, can I have them please? Email me at brian@ihugREMOVETHIS.co.nz
Regards
brian

brookes

masq-manager and/or iptables
« Reply #3 on: August 15, 2004, 12:22:56 AM »
Brian,

E-mailed as requested. I have asked for a bit of space on contribs, but I suspect it's still being processed.

Muzo,

The sm200d is a satellite card that acts like another NIC. I have tried entering all the exclusions (holes) using masq-manager, but to no avail. Would you say that the iptables commands I used should work? When I watch the rules and watch data hitting the interface (sm200d), no data is hitting the rule. How do I go about making sure the data coming from the sm200d is being forwarded to eth0, or even to the proxy software running on the SME box?

Stephan.

Muzo

masq-manager and/or iptables
« Reply #4 on: August 16, 2004, 10:17:39 AM »
I'm not sure the line with sm200d should work, but the others should.

But a question: is SME installed on your satellite?
If yes, it must be recognized as a NIC, so it appears as eth0, eth1 or ppp0.

So, I think "sm200d" must not appear.

What does the "ifconfig" command say?

brookes

masq-manager and/or iptables
« Reply #5 on: August 16, 2004, 11:08:03 AM »
The sm200d appears as another NIC, just called something different. Here is the ifconfig:

Welcome to SME Server 6.0.1-01
[root@gateway root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:A0:C9:84:64:C1
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          EtherTalk Phase 2 addr:65280/67
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:427651 errors:0 dropped:0 overruns:0 frame:0
          TX packets:459529 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:32279587 (30.7 Mb)  TX bytes:491200919 (468.4 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          EtherTalk Phase 2 addr:0/0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:588843 errors:0 dropped:0 overruns:0 frame:0
          TX packets:588843 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:67915089 (64.7 Mb)  TX bytes:67915089 (64.7 Mb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.173.37.116  P-t-P:203.173.37.4  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3593 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:3420762 (3.2 Mb)  TX bytes:408742 (399.1 Kb)

sl0       Link encap:Serial Line IP
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2060 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2587 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:131938 (128.8 Kb)  TX bytes:169578 (165.6 Kb)

sm200d    Link encap:Ethernet  HWaddr 00:90:BC:01:36:05
          inet addr:10.10.10.10  Bcast:10.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3010 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:843776 (824.0 Kb)  TX bytes:0 (0.0 b)

As you can see, it is a NIC and even gets traffic. What do you reckon?

Muzo

masq-manager and/or iptables
« Reply #6 on: August 16, 2004, 11:08:43 PM »
OK, I have never seen this, but I'm still a Linux noob.

I can't help you, sorry.  :cry:

But I'm interested. Just to be sure, it seems your SME box has 3 interfaces?

brookes

masq-manager and/or iptables
« Reply #7 on: August 17, 2004, 11:52:54 AM »
That's right: 1x ppp, 1x eth and 1x sat. Now to get the routing and firewall sorted?

Muzo

masq-manager and/or iptables
« Reply #8 on: August 17, 2004, 11:25:54 PM »
Ok,

I understand the problem now (the information just found my brain). So, to answer your first question: no, you can't use masq-manager, because I add the opening and deny rules on ethX, or ppp0 in your case. I didn't add a feature to choose the interface.

I only understand iptables scripts with 2 interfaces, so 3 is new to me.
Quote

iptables -I INPUT 1 -v -p udp -m udp -m state -i sm200d --dport 9205 --state NEW,ESTABLISHED -j ACCEPT


This line says: incoming transmission from interface sm200d on port 9205 is accepted on SME (but not transmitted to the internet). Is that what you want?

brookes

masq-manager and/or iptables
« Reply #9 on: August 18, 2004, 10:38:10 AM »
The satellite is one-way only, so traffic will only come down, never up, but the traffic coming down must be available to the software running on the server. I assume the software monitors 10.10.10.10 and forwards traffic from that IP address appropriately. Perhaps I need to be allowing the IP address in some way?
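
The following is an added example from the editor, not code from the thread or from the SME Server project. It takes the problem from Stephan's first post (open UDP 9205 on sm200d) together with Muzo's reading in reply #8 (an INPUT rule only delivers to the local host) and the one-way constraint from reply #9, and turns it into a rule set that is pinned to the satellite interface, the protocol, the port and the interface's own address, so it loosens nothing on eth0 or ppp0. It also reads the packet counters, which is the check the thread is missing: a zero counter on a rule that "should" match usually means one of two things on a receive-only link. Either the feed is not addressed to 10.10.10.10, so the packets go down the FORWARD path and never reach INPUT at all, or the source address has its return route over ppp0 and the kernel's reverse-path filter (rp_filter) silently discards the packets before any rule sees them. The interface name, address and port come from the thread; the function names, the environment variables and the sample counter output are this example's own constructions. One caveat for SME Server specifically: the firewall script is generated from templates, so rules inserted by hand like this are lost when the masq service is restarted and belong in a custom template if they are to persist.

```shell
#!/bin/sh
# Added example (editor's own, not from the thread or SME Server).
# Interface sm200d, address 10.10.10.10 and UDP 9205 come from the thread;
# the function names, variables and sample output below are assumptions.

SAT_IF="${SAT_IF:-sm200d}"
SAT_IP="${SAT_IP:-10.10.10.10}"
SAT_PORT="${SAT_PORT:-9205}"

# Emit the firewall rules, one per line. The ACCEPT is limited to the
# satellite interface, UDP, the one port and the address configured on that
# interface, and goes to the head of INPUT so a default deny cannot shadow it.
# A one-way feed never produces reply packets, so no conntrack state match is
# needed. The rate-limited LOG right behind it records satellite packets that
# reach INPUT but do not match, the first thing to look at when "data hits the
# interface but not the rule".
sat_rules() {
    printf '%s\n' \
        "iptables -I INPUT 1 -i $SAT_IF -d $SAT_IP -p udp --dport $SAT_PORT -j ACCEPT" \
        "iptables -I INPUT 2 -i $SAT_IF -m limit --limit 5/min -j LOG --log-prefix 'sat-unmatched: '"
}

# Apply the rules (needs root); with DRY_RUN=1 only print them.
sat_apply() {
    sat_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$rule"
        else
            sh -c "$rule"
        fi
    done
}

# Read `iptables -L INPUT -v -n` output on stdin and print the packet counter
# of the satellite ACCEPT rule (0 if the rule is absent).
# Columns: pkts bytes target prot opt in out source destination ...
sat_rule_hits() {
    awk -v ifc="$SAT_IF" -v port="$SAT_PORT" '
        $3 == "ACCEPT" && $6 == ifc && $0 ~ ("dpt:" port) { print $1; found = 1 }
        END { if (!found) print 0 }'
}

# Commands that explain a zero counter: what the packets are really addressed
# to, whether reverse-path filtering is on for the interface, and the live
# counters themselves.
sat_diag_commands() {
    printf '%s\n' \
        "tcpdump -ni $SAT_IF -c 5 udp port $SAT_PORT" \
        "cat /proc/sys/net/ipv4/conf/$SAT_IF/rp_filter" \
        "iptables -L INPUT -v -n | head -5"
}

# Constructed sample of `iptables -L INPUT -v -n` output (not a real capture).
SAMPLE_COUNTERS='Chain INPUT (policy DROP 12 packets, 3456 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3528 ACCEPT     udp  --  sm200d *       0.0.0.0/0            10.10.10.10          udp dpt:9205
    0     0 LOG        all  --  sm200d *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 4'

main() {
    DRY_RUN=1 sat_apply
    echo "satellite rule hits: $(printf '%s\n' "$SAMPLE_COUNTERS" | sat_rule_hits)"
    sat_diag_commands
}

main
```

Run it as root without DRY_RUN to install the rules, then feed the real `iptables -L INPUT -v -n` into `sat_rule_hits`: a counter that stays at 0 while `tcpdump` shows packets on the interface points at the destination address or rp_filter, not at the rule syntax.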

Muzo

masq-manager and/or iptables
« Reply #10 on: August 20, 2004, 05:35:52 PM »
I don't know  :-?