* RE: help on NAT Configuration
From: Gaby Schilders @ 2003-10-21 13:04 UTC
  To: netfilter list

I wouldn't place default policies of drop on mangle or nat tables.
Furthermore, on your INPUT chain, you can kill all the spt rules. Better create OUTPUT rules for those services and leave the ESTABLISHED,RELATED in the INPUT.
I would limit the masquerade by setting the outgoing interface and use -s <localnet>/<localnetmask>. At a quick glance, I see nothing else amiss.

Gaby Schilders
IBFD network admin

-----Original Message-----
From: Gilles Yue [mailto:gyue@novelgmt.intnet.mu]
Sent: Monday 20 October 2003 15:12
To: netfilter@lists.netfilter.org
Subject: help on NAT Configuration



Dear all

I want to share internet access on my LAN and my configurations are as below. (see picture)

Is my NAT configuration correct? I want to allow only some users to access the internet and check mail using Outlook Express.

Thanks for helping.

Rgds

gy

iptables -vnL

> Chain INPUT (policy DROP 485 packets, 51391 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:53
>    21  4504 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:53
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:80
>   813  704K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:80
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:443
>    16  3793 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:443
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 3465 packets, 286K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> [root@rh9 root]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy DROP)
> target     prot opt source               destination
> MASQUERADE  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
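The points raised in the reply above can be checked mechanically against a saved ruleset listing. The script below is an added audit helper, not part of the thread and not netfilter's own tooling. It relies only on the column layout of "iptables -vnL" and "iptables -t nat -L" output and reports three things: INPUT ACCEPT rules keyed solely on a source port (spt:) with no state match, FORWARD ACCEPT rules that pass any protocol from any address without a state match, and nat-table chains carrying a DROP policy. The two sample listings embedded in it are constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added audit helper (not from the thread or from netfilter): reads saved
# 'iptables -vnL' and 'iptables -t nat -L' output and reports the issues raised
# in the replies. Only the column layout of those two listings is relied on.
# SAMPLE_FILTER / SAMPLE_NAT are constructed from the output quoted above.

SAMPLE_FILTER='Chain INPUT (policy DROP 485 packets, 51391 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:53
   21  4504 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:80
  813  704K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:443
   16  3793 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3465 packets, 286K bytes)
 pkts bytes target     prot opt in     out     source               destination'

SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy DROP)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Reads 'iptables -vnL' text on stdin. Prints one finding per line:
#   spt-only-accept <chain> <proto> spt:<port>  - an ACCEPT keyed only on the
#       source port: any packet sent from that port is let in
#   wide-open-forward FORWARD <in>-><out>       - ACCEPT all/any/any with no
#       state match, i.e. nothing from that side is filtered
audit_filter() {
    awk '
        /^Chain /  { chain = $2; next }        # remember which chain we are in
        /^ *pkts / { next }                    # column header row
        NF == 0    { next }                    # blank separator
        $3 == "ACCEPT" && /spt:/ && !/state/ {
            print "spt-only-accept", chain, $4, $NF; next
        }
        chain == "FORWARD" && $3 == "ACCEPT" && $4 == "all" &&
        $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9 {
            print "wide-open-forward", chain, $6 "->" $7
        }
    '
}

# Reads 'iptables -t nat -L' text on stdin; prints nat chains carrying a DROP
# policy (the nat and mangle tables should keep their ACCEPT policies).
audit_nat_policies() {
    awk '/^Chain .*\(policy DROP\)/ { print "nat-drop-policy", $2 }'
}

# Total number of findings for the embedded sample (8 for the thread's ruleset).
count_findings() {
    {
        printf '%s\n' "$SAMPLE_FILTER" | audit_filter
        printf '%s\n' "$SAMPLE_NAT" | audit_nat_policies
    } | awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_FILTER" | audit_filter
printf '%s\n' "$SAMPLE_NAT" | audit_nat_policies
```

To run it against a live host, replace the two sample variables with "iptables -vnL" and "iptables -t nat -L" output captured as root; the parsers do not depend on the packet and byte counters, only on the column positions.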

* Re: help on NAT Configuration
From: Jeffrey Laramie @ 2003-10-21 13:02 UTC
  To: netfilter

Gilles Yue wrote:

> Dear all
>
> I want to share internet access on my LAN and my configurations are as
> below. (see picture)
>
> Is my NAT configuration correct? I want to allow only some users to
> access the internet and check mail using Outlook Express.
>
> Thanks for helping.
>
> Rgds
>
> gy
>
> iptables -vnL
>
>> Chain INPUT (policy DROP 485 packets, 51391 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:53
>>    21  4504 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:53
>>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:80
>>   813  704K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:80
>>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:443
>>    16  3793 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:443
>>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>

This is the traffic into the firewall host from both NICs. It's a good 
idea to put the ESTABLISHED, RELATED rule near the top of the chain. 
Also, it should not be limited to the loopback interface.

>> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
>

This is the chain that carries the traffic between the LAN and the 
outside world. You have it wide open and are not filtering anything. I 
recommend you set the default policy to drop and only open the ports you 
need (80, 63, etc.). BTW, nice graphic :-)

Jeff
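Putting the two replies together (no DROP policy on the nat table, spt rules replaced by OUTPUT rules plus a state rule near the top of INPUT, MASQUERADE limited to the LAN prefix and the outgoing interface, and a default-drop FORWARD chain that only opens what the listed LAN hosts need), here is an added example firewall script. It is not from the thread and not netfilter's own code. Its assumptions are constructed: eth0 is taken to be the LAN side and eth1 the internet side (inferred from the quoted FORWARD rules, which the thread never states), LAN_NET and ALLOWED_HOSTS are placeholders for the real LAN, and "check mail using Outlook Express" is read as POP3 (110) and SMTP (25). emit_rules prints the iptables commands instead of running them, so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): a firewall script applying both replies'
# advice to the poster's setup. Assumptions, all constructed:
#   LAN_IF=eth0 / WAN_IF=eth1  - inferred from the quoted FORWARD rules
#   LAN_NET, ALLOWED_HOSTS     - placeholders; edit for the real LAN
#   CLIENT_PORTS               - web plus POP3/SMTP for Outlook Express
# emit_rules prints the iptables commands instead of running them so the policy
# can be reviewed first; apply as root with:  emit_rules | sh

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24
ALLOWED_HOSTS="192.168.1.10 192.168.1.11"
CLIENT_PORTS="80 443 110 25"

emit_rules() {
    # Flush the filter and nat tables and put DROP policies on the filter chains
    # only; nat (and mangle) keep ACCEPT. The poster's nat POSTROUTING was DROP,
    # so it is explicitly set back.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -t nat -P POSTROUTING ACCEPT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"

    # INPUT: loopback, then the conntrack rule near the top. No spt rules:
    # replies to the firewall's own DNS/HTTP requests match ESTABLISHED instead.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # OUTPUT: what the firewall host itself may start (replaces the spt rules).
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT"
    for port in 80 443; do
        echo "iptables -A OUTPUT -o $WAN_IF -p tcp --dport $port -j ACCEPT"
    done

    # FORWARD: default DROP; only the listed LAN hosts may start connections
    # out, and only to the listed ports. Return traffic rides on the state rule.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for host in $ALLOWED_HOSTS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $host -p udp --dport 53 -j ACCEPT"
        for port in $CLIENT_PORTS; do
            echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $host -p tcp --dport $port -j ACCEPT"
        done
    done

    # NAT: masquerade only the LAN prefix and only on the outgoing interface.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

emit_rules
```

Running the script prints the ruleset; piping that output into sh as root applies it. Because the ruleset never matches on a source port, a packet arriving from port 53 or 80 on the outside interface is only accepted if it belongs to a connection the firewall or an allowed LAN host started.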




* help on NAT Configuration
From: Gilles Yue @ 2003-10-21  4:41 UTC
  To: netfilter

Dear all

I want to share internet access on my LAN and my configurations are as
below. (see picture)

Is my NAT configuration correct? I want to allow only some users to
access the internet and check mail using Outlook Express.

Thanks for helping.

Rgds

gy

iptables -vnL

> Chain INPUT (policy DROP 485 packets, 51391 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:53
>    21  4504 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:53
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:80
>   813  704K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:80
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:443
>    16  3793 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:443
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 3465 packets, 286K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> [root@rh9 root]# iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy DROP)
> target     prot opt source               destination
> MASQUERADE  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination


* help on NAT Configuration
From: Gilles Yue @ 2003-10-20 13:12 UTC
  To: netfilter

Dear all

I want to share internet access on my LAN and my configurations are as
below. (see picture)

Is my NAT configuration correct? I want to allow only some users to
access the internet and check mail using Outlook Express.

Thanks for helping.

Rgds

gy

 

