* forward packets directly to net?
From: Chadley Wilson @ 2005-05-05  9:53 UTC (permalink / raw)
  To: netfilter

Greetings friends

I hope I explain this correctly. Please try and help me here, I am seriously stuck.

I have two interfaces on a linux router {int} {ext}
I have two PCs on either side of the router, {chad} on {int} and {xxx} on {ext}

{xxx} is my gw to the net, but {chad} needs to be the only PC that can access 
the internet from the {int} side.

The problem I am faced with is how do I do it. Here is what I have got so far:



ipt="/usr/sbin/iptables"
ext="eth0"
int="bond0"
chad="192.168.2.5"
etel="196.25.100.28"



#Enable IP Forwarding
echo "1" >> /proc/sys/net/ipv4/ip_forward


#Clear All Tables
${ipt} -t filter -F
${ipt} -t nat -F


## allow all from local interfaces [localhost]
${ipt} -t filter -A INPUT -s 127.0.0.1 -j ACCEPT


##Allow {chad} to etel internet direct
${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -d ${etel} -p tcp -m tcp 
--dport 80 --state NEW,ESTABLISHED,RELATED -j ACCEPT
${ipt} -t filter -A FORWARD -p tcp -m tcp -s ${chad} -d ${etel} -o ${ext} 
--dport 80 -j MASQUERADE



Please could someone help me with a simpler rule?


-- 
Chadley Wilson
Redhat Certified Technician 
Cert Number: 603004708291270
Pinnacle Micro
Manufacturers of Proline Computers
====================================
Exercise freedom, Use LINUX
=====================================



* Re: forward packets directly to net?
From: Alistair Tonner @ 2005-05-05 10:23 UTC (permalink / raw)
  To: netfilter

On May 5, 2005 05:53 am, Chadley Wilson wrote:
> Greetings friends
>
> I hope I explain this correctly, Please try and help me here, I am
> seriously stuck
>
> I have two interfaces on a linux router {int} {ext}
> I have two PCs on either side of the router, {chad} on {int} and {xxx} on
> {ext}
>
> {xxx} is my gw to the net, but {chad} needs to be the only PC that can
> access the internet from the {int} side.
>
> The problem I am faced with is how do I do it, Here is what I have got so
> far:
>
>
>
> ipt="/usr/sbin/iptables"
> ext="eth0"
> int="bond0"
> chad="192.168.2.5"
> etel="196.25.100.28"
>
>
>
> #Enable IP Forwarding
> echo "1" >> /proc/sys/net/ipv4/ip_forward
>
>
> #Clear All Tables
> ${ipt} -t filter -F
> ${ipt} -t nat -F
>
>
> ## allow all from local interfaces [localhost]
> ${ipt} -t filter -A INPUT -s 127.0.0.1 -j ACCEPT
>
>
> ##Allow {chad} to etel internet direct
> ${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -d ${etel} -p tcp -m tcp
> --dport 80 --state NEW,ESTABLISHED,RELATED -j ACCEPT
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -s ${chad} -d ${etel} -o ${ext}
> --dport 80 -j MASQUERADE
>

	Hmm. okay
	1) You don't appear to be setting chain POLICY anywhere -- and likely they are all ACCEPT. I suspect you want to set them to DROP, otherwise everyone can get out.
	2) You have these rules backwards as to which table they are in. The MASQUERADE rule should be in POSTROUTING -t nat, the ESTABLISHED,RELATED rule should be in -t filter FORWARD.
	3) You then need one more rule to let initial connections OUT through -t filter FORWARD. This should filter by source IP and what dports you want to let out; then you can drop said filtering on the MASQUERADE rule.
	4) If you do set all POLICY to DROP, you need to let loopback OUT as well.

>
> Please could someone help me with a simpler rule?

	I suspect it could be simpler, but it wouldn't necessarily do what you want.
	
	
	Alistair Tonner



* Re: forward packets directly to net?
From: Chadley Wilson @ 2005-05-05 10:33 UTC (permalink / raw)
  To: netfilter

On Thursday 05 May 2005 12:23, Alistair Tonner wrote:
> On May 5, 2005 05:53 am, Chadley Wilson wrote:
> > Greetings friends
> >
> > I hope I explain this correctly, Please try and help me here, I am
> > seriously stuck
Thanks Alistair

Here is the whole file; there are no external Inet IPs, so it should be fine.

### Firewall Setup #####
##config
set -x
ipt="/usr/sbin/iptables"
ext="eth0"
int="bond0"
chad="192.168.2.5"
etel="196.25.100.28"


#Enable IP Forwarding
echo "1" >> /proc/sys/net/ipv4/ip_forward


#Clear All Tables
${ipt} -t filter -F
${ipt} -t nat -F


## allow all from local interfaces [localhost]
${ipt} -t filter -A INPUT -s 127.0.0.1 -j ACCEPT


#Allow all prerouting
${ipt} -t nat -A PREROUTING -s 192.168.2.0/255.255.255.0 -j ACCEPT
${ipt} -t nat -A PREROUTING -s 196.25.100.5/255.255.255.0 -j ACCEPT


## allow pings
${ipt} -t filter -A INPUT -p icmp -j ACCEPT


## keep established connections on all interfaces
${ipt} -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
${ipt} -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


## masquerade int outgoing to internet
${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -j MASQUERADE
${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -s ${chad} -j ACCEPT


## accept www from internet [ext]
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 80 -j ACCEPT


## accept SSH from outside limit by IP, and on local interfaces
${ipt} -t filter -A INPUT -i ${ext} -s 196.25.100.28 -p tcp --dport 22 -j ACCEPT
${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 22 -j ACCEPT


## accept incoming SMTP
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 25 -j ACCEPT


## accept external POP3
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 110 -j ACCEPT


##Allow ftp
${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -p tcp --dport 20:21 -j MASQUERADE
${ipt} -t filter -A FORWARD -i ${int} -o ${ext} -s ${chad} -p tcp --dport 20:21 -j ACCEPT


##Allow mail from ext to int
${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 25 --state NEW,ESTABLISHED,RELATED -j ACCEPT
${ipt} -t filter -A FORWARD -p tcp -m tcp -m state -s ${chad} -d 196.25.100.21 -o ${ext} --sport 110 --state NEW,ESTABLISHED,RELATED -j ACCEPT


##Allow DNS updates
${ipt} -t filter -A INPUT -i ${int} -p tcp --dport 53 -j ACCEPT
${ipt} -t filter -A INPUT -i ${ext} -p tcp --dport 53 -j ACCEPT

##Allow {chad} to 28 direct
## (the state match must be loaded with -m state before --state can be used)
${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -d ${etel} -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
${ipt} -t filter -A FORWARD -p tcp -m tcp -s ${chad} -d ${etel} -o ${ext} --dport 80 -j ACCEPT


## accept all from local interfaces
${ipt} -t filter -A INPUT -i ${int} -j ACCEPT


## drop all the rest, incoming, and forward between interfaces
#${ipt} -t filter -A INPUT -j DROP
#${ipt} -t filter -A FORWARD -j DROP

### END OF FIREWALL ###


I am still a newbie to iptables, so if you think something could be better, I'm 
open for suggestions and :) better rules :)

Thanks
-- 
Chadley Wilson
Redhat Certified Technician 
Cert Number: 603004708291270
Pinnacle Micro
Manufacturers of Proline Computers
====================================
Exercise freedom, Use LINUX
=====================================




* Re: forward packets directly to net?
From: Mariusz Kruk @ 2005-05-05 14:24 UTC (permalink / raw)
  To: netfilter

On Thu, May 05, 2005 at 11:53:52AM +0200, Chadley Wilson wrote:
> #Clear All Tables
> ${ipt} -t filter -F
> ${ipt} -t nat -F

After cleaning the tables, you should set the policies to DROP.
(iptables -P)

> ## allow all from local interfaces [localhost]
> ${ipt} -t filter -A INPUT -s 127.0.0.1 -j ACCEPT

That's weird. You try to accept all traffic on the INPUT chain originating
at localhost. Wouldn't it be just simpler to accept INPUT traffic on
interface lo?

> ##Allow {chad} to etel internet direct
> ${ipt} -t nat -A POSTROUTING -o ${ext} -s ${chad} -d ${etel} -p tcp -m tcp 
> --dport 80 --state NEW,ESTABLISHED,RELATED -j ACCEPT
> ${ipt} -t filter -A FORWARD -p tcp -m tcp -s ${chad} -d ${etel} -o ${ext} 
> --dport 80 -j MASQUERADE
> 
> 
> 
> Please could someone help me with a simpler rule?

1. You swapped the targets in those chains. You should ACCEPT in filter
and MASQUERADE in nat.
2. If you have a static IP, why not use SNAT?
3. You need more rules, depending on what you want to achieve. If you
want a 1-1 mapping, you may look at modules like, IIRC, netmap, but
probably the DNAT target would be sufficient.
4. Do you really need stateful filtering of forwarded packets?

-- 
[------------------------] 1*2*3*3*37  - the prime factorization of the
[  Kruk@epsilon.eu.org   ] number of the beast
[ http://epsilon.eu.org/ ] 
[------------------------] 
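Both replies describe the same corrected layout: chain policies set to DROP, loopback accepted by interface, the ESTABLISHED,RELATED rule in filter/FORWARD, one rule that lets {chad} alone open new connections on chosen ports, and the address translation (MASQUERADE, or SNAT when the external address is static) in nat/POSTROUTING. The script below is an added example written for this thread, not the poster's file and not anything from the netfilter project: it applies Alistair's four points and Mariusz's points 1, 2 and 4. The interface names and {chad}'s address come from the posted script; the external address 203.0.113.1, the allowed port list, the DRY_RUN switch and the function names are assumptions. By default it only prints the commands; run it as root with DRY_RUN=0 to load them.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal ruleset applying the advice
# in the replies. Interface names and {chad}'s address are the posted ones;
# EXT_IP and ALLOWED_DPORTS are assumed placeholders.
IPT="${IPT:-/usr/sbin/iptables}"
EXT="eth0"
INT="bond0"
CHAD="192.168.2.5"
EXT_IP="${EXT_IP:-203.0.113.1}"   # assumed placeholder for a static external address
ALLOWED_DPORTS="80,443"           # assumed: TCP ports {chad} may open outbound

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# firewall_rules masq|static
firewall_rules() {
    nat_mode="${1:-masq}"

    # Flush, then default every chain to DROP: with ACCEPT policies every host
    # on INT could get out (Alistair's point 1, Mariusz's point 1).
    run -t filter -F
    run -t nat -F
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP

    # Loopback in both directions, matched by interface rather than by the
    # 127.0.0.1 address (Alistair's point 4, Mariusz's remark on localhost).
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Connection tracking belongs in the filter table (Alistair's point 2).
    # With OUTPUT at DROP, add explicit OUTPUT rules for any new connections
    # the router itself must open (DNS, updates).
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Management access to the router from the inside only (as in the posted file).
    run -A INPUT -i "$INT" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Only {chad} may open NEW connections out, on the listed ports
    # (Alistair's point 3); any other host on INT falls to the DROP policy.
    run -A FORWARD -i "$INT" -o "$EXT" -s "$CHAD" -p tcp -m multiport --dports "$ALLOWED_DPORTS" -m state --state NEW -j ACCEPT

    # Rate-limited log of what the policy is about to drop, so another host
    # trying to reach the net shows up in the kernel log.
    run -A FORWARD -i "$INT" -m limit --limit 5/min -j LOG --log-prefix "fw-fwd-drop:"

    # Address translation lives in nat/POSTROUTING (Alistair's point 2,
    # Mariusz's point 1): SNAT for a static address (Mariusz's point 2),
    # MASQUERADE otherwise. The rule is restricted to {chad}'s source address.
    if [ "$nat_mode" = "static" ]; then
        run -t nat -A POSTROUTING -o "$EXT" -s "$CHAD" -j SNAT --to-source "$EXT_IP"
    else
        run -t nat -A POSTROUTING -o "$EXT" -s "$CHAD" -j MASQUERADE
    fi

    # Forwarding is only needed once the rules above are in place.
    [ "${DRY_RUN:-1}" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

firewall_rules "${NAT_MODE:-masq}"
```

The FORWARD chain carries no per-destination rule like the posted "{chad} to etel direct" pair; with the policy at DROP, the single NEW rule plus the ESTABLISHED,RELATED rule is what decides who gets out, and the NAT rule only rewrites addresses for traffic the filter table has already accepted.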


