[iptables] insert a linux box in a local network

Greetings !!

I’m trying to set up a new computer equipped with two Ethernet interfaces as a "linux box" in the local network.

This linux box aims to serve DHCP and DNS for the local network.

The first interface, eth0, is on the 192.168.1.0/24 network (with static IP 192.168.1.254).
The second interface, eth1, is on the 172.16.0.0/24 network (with static IP 172.16.0.254).

There is an existing network for now and I want to bypass it… the existing “router” has the 192.168.1.1 address but it is impossible to have a correct DHCP service.
So I want to put it in the basket and talk directly to the main school server located at 172.16.0.1.

For now the DHCP server is running OK; all the reserved MAC addresses receive the correct IP address, just as wanted.
Name resolution works on each client machine; nslookup delivers the correct IP address and the DNS server is the correct one.

Each client computer receives from the DHCP server the default route as 192.168.1.254 and the DNS server as 192.168.1.254.

Concerning the routing, I have tested from each client of the local network whether I could reach each interface of the linux box by ping (ICMP echo): it works; from each client I can ping 192.168.1.254 and 172.16.0.254.

The problem is, because of my lack of practice/understanding of iptables: when I try to reach a web site or simply ping a computer I get “destination protocol unreachable” from 192.168.1.254 to the requesting interface.

I really don’t know how to be sure to route from network 192.168.1.0/24 all packets from all ports, and reversely from 172.16.0.0/24 to 192.168.1.0/24…

Looking at Wireshark it seems the forward feature is up, but when the packets are coming from 0.0.0.0 (outside) they are not routed “inside” from 172.16.0.0/24 to 192.168.1.254/24 :{

All the packets from all ports must be routed (forwarded) to 172.16.0.1… I really don’t know how to set up things like this using iptables.

Is that a pre/post-routing rule, an output rule?

I got it very easily in fact, but I think the gateway will be exposed to every threat…

iptables -F
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

that was all I did to solve the issue…

I now need to strengthen the gateway… with “protecting rules”.

two little things :{

one error in the script for configuring iptables:

iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

…and there is a need to SNAT…

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 172.16.0.254

From your description, you set up your new machine as a router between two networks.
When you do this, you can also set up that machine as the Default Gateway for your own private network which appears to be what you’ve done.

But, a “Default Gateway” is not the same as a simple “Gateway” to another network… In other words, “Default” only works in one direction.
You need to inform Hosts in the upstream network (closer to the Internet in most cases) how and where to access Hosts in the other direction, and this is where you set up a new entry in the routing table of each Host… In layman’s words, your routing table will more or less say “For all traffic destined for an IP address not in this routing table, send it to the Default Gateway where it’ll eventually find its way… But, if you want to send traffic to this specific private network, then don’t send to the Default Gateway, send it to this address (your new router) where the Host is on the other side”

Only after you’ve done this on any machine in the “old” network 172.16.0.0/24 can it communicate with a Host in your 192.168.1.0/24 network.

If your upstream DHCP is capable, as in many other configurations, this modification to local routing tables can be pushed to every Host in your network easily; otherwise you will have to modify each one manually.

HTH,
TSU

Thank you tsu2 ^^

The network is running OK but, doing so, I saw using iptraf (console) that our network is no longer protected from the UDP 137 flood coming from the Windows network outside.

I have not yet dug further, but I tried something like “drop all UDP and TCP packets from 172.16.0.0/16 whose source port is 137” in my INPUT chain, before I accept the packets.

Such:

# Do not allow DHCP requests to be sent on interface eth1 toward the 172.16.0.0 network
# (DHCP runs over UDP, not TCP; the LOG rule has to come before the DROP, because
# DROP is a terminating target and a rule placed after it never sees the packet)

# log the requests matching the rule just below
iptables -A INPUT -i eth1 -p udp --sport 67:68 --destination 172.16.0.0/16 -j LOG --log-prefix "[dhcp to eth1]"
iptables -A INPUT -i eth1 -p udp --sport 67:68 --destination 172.16.0.0/16 -j DROP

# Do not let interface eth1 accept NetBIOS packets coming from 172.16.0.0/16
# (NetBIOS name service is UDP 137; the TCP rule is harmless but matches nothing)
iptables -A INPUT -i eth1 -p tcp --sport 137 --source 172.16.0.0/16 -j DROP
iptables -A INPUT -i eth1 -p udp --sport 137 --source 172.16.0.0/16 -j DROP

# allow at least one service to work
#ACCEPT     udp  --  anywhere             anywhere             udp dpt:xdmcp
iptables -A INPUT -p tcp -s 192.168.1.16 --dport 177 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -i eth0 -j ACCEPT
iptables -A INPUT -p udp -s 192.168.1.16 --dport 177 -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.16 --dport 890 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.16 --dport 6000 -i eth0 -j ACCEPT

# my catch-all input rules
# (with the INPUT policy still ACCEPT, these accept everything the rules above did not drop)
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

I think I understood a little of the iptables chains: first INPUT, then if the packets are accepted → FORWARD, then if the packets are accepted → OUTPUT.
Each rule is a filter that drops the packets or lets them be filtered by the next rule in each chain…
If I don’t want the packets from 172.16.0.0/16 to come through the eth1 interface, I have to drop them at the INPUT chain. But I’m not sure the rule translates the meaning of what I really want to do.

iptables -A INPUT -i eth1 -p tcp --sport 137 --source 172.16.0.0/16 -j DROP
iptables -A INPUT -i eth1 -p udp --sport 137 --source 172.16.0.0/16 -j DROP

It seems it won’t work :{

http://paste.opensuse.org/67275325

Maybe I missed something… I saw in the standard openSUSE firewall setup that it is possible to drop all broadcast packets at a point in a chain… is that correct? Should I copy/paste those rules in this case?
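As an added example, not code from the thread or from anyone posting in it, here is one way to write the “protecting rules” the OP is after, covering both the forwarding/SNAT script from the earlier post and the hardening attempt above. Two points drive its shape. INPUT only sees packets addressed to the gateway itself (DHCP, DNS, pings to 192.168.1.254 or 172.16.0.254); transit traffic between the two networks goes through FORWARD, so the unconditional `-A FORWARD -i eth1 -o eth0 -j ACCEPT` from the earlier script is what lets the upstream network initiate connections into the LAN. Replacing it with a conntrack `ESTABLISHED,RELATED` match keeps replies flowing while blocking anything upstream starts, and a DROP policy on INPUT and FORWARD means the NetBIOS rules become an explicit “drop silently” rather than the only thing standing between the upstream network and an accept-all. The interface names and addresses are taken from the thread; the 172.16.0.0/16 source range mirrors the OP’s own NetBIOS rules; admin SSH on tcp/22 is an assumption. The ruleset is emitted in iptables-restore format so it is loaded atomically instead of rule by rule.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful ruleset for the two-NIC gateway,
# emitted in iptables-restore format so it is applied atomically instead of rule by rule.
# Assumptions: interface names and addresses as in the thread; SSH on tcp/22 for admin.
LAN_IF=eth0;  LAN_NET=192.168.1.0/24
WAN_IF=eth1;  WAN_NET=172.16.0.0/16
WAN_IP=172.16.0.254

gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the gateway itself (INPUT): loopback, then replies to its own connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# NetBIOS name-service noise from the upstream network: drop silently (it is UDP, not TCP)
-A INPUT -i $WAN_IF -s $WAN_NET -p udp --sport 137 -j DROP
-A INPUT -i $WAN_IF -p udp --dport 137:139 -j DROP
# Services the LAN may use on the gateway: DHCP (client port 68 -> server port 67),
# DNS over UDP and TCP, ping, and admin SSH (assumption)
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Everything else aimed at the gateway is logged (rate-limited) and falls to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "[input drop] "
# Transit traffic (FORWARD): the LAN may initiate toward upstream; upstream only gets replies
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "[forward drop] "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite LAN sources to the gateway's upstream address so 172.16.0.0/24 hosts can answer
# without a route back to 192.168.1.0/24 (the alternative is a static route on each of them)
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

apply_rules() {
    # forwarding must be on in the kernel, independently of any iptables rule
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | iptables-restore
}

# Run as "sh gateway.sh apply" (as root) to load the rules; with no argument, just print them.
if [ "${1:-}" = apply ]; then apply_rules; else gen_rules; fi
```

Before loading, `gen_rules | iptables-restore --test` parses the ruleset without touching the kernel, and `iptables -vnL` afterwards shows per-rule counters, which is the quickest way to confirm that the NetBIOS packets seen in iptraf are now hitting the DROP rule rather than the catch-all. Because OUTPUT stays ACCEPT and INPUT accepts ESTABLISHED, the gateway’s own DNS forwarder can still query the school server at 172.16.0.1 and receive the answers.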

It works… I didn’t take the time to check the cables… the cable linked to the other networks was plugged into a slot of the hub… I plugged it into the eth1 card and, of course, it worked!!

In general,
port 137 (Windows NBT) is generally ignored; I don’t know that blocking it will have much effect on your overall network performance.
If I were in charge of the network generating those packets, though, I’d question whether it’s set up properly… Windows hasn’t required that traffic even in Workgroups since… NT4 days (pre-2007?). You’d likely have to find very old Windows (e.g. XP) and/or NetBIOS Name Servers (WINS), which today is rather archaic since everyone, including Windows since even XP, supports hosts name resolution, which is also the method used by the Internet.

TSU