An Iptables Question...
Robert83
post Feb 25 2004, 09:16 AM
Post #1


Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



Here is the iptables setup that I use for my NAT/Proxy server:
***********************************************************************************************************************************
iptables -A FORWARD -i eth0 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j DROP
iptables -A FORWARD -i eth0 -o eth1 -j DROP
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -j DROP
iptables -A FORWARD -i eth2 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j DROP
iptables -A FORWARD -i eth2 -o eth0 -j DROP
[This way 192.168.0.x can only ping 192.168.0.x, 192.168.1.x can only ping 192.168.1.x,
and 192.168.2.x can only ping 192.168.2.x. Is this a good way to do it, or is there a better way
to do the same thing?]
**********************************************************************************************************************************
iptables -A INPUT -i eth1 -s 0/0 -d 192.168.0.15/255.255.255.0 -j ACCEPT [with this I wanted to allow 192.168.1.x to ping 192.168.0.15, but it ain't working, don't know why... HELP]
iptables -A INPUT -i eth2 -s 0/0 -d 192.168.0.15/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 192.168.0.100/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 192.168.0.100/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 192.168.0.110/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 192.168.0.110/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 192.168.1.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 192.168.2.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 192.168.0.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 192.168.2.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 192.168.0.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 192.168.1.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
***********************************************************************************************************************************
I don't think I understand this thing completely. Before I added the first 3x3 lines I was able to
ping everything from every subnet, but after I added them only 0.250, 1.250 and 2.250 [gateways] can be
pinged.
I think iptables reads its config file line by line, so if I deny all, then enable some, it should enable them... Please
help me, how can I do this, to be able to ping 192.168.0.15 from every subnet?
***********************************************************************************************************************************
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.2.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
***********************************************************************************************************************************
These last lines make it possible to reach 192.168.10.1 and get out to the net... Is this the proper way to do it?
Any better ideas?


Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
hughesjr
post Feb 25 2004, 09:47 AM
Post #2


Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Christi, TX, USA
Member No.: 1,151



iptables does read line by line ... but the accepts must come before the rejects (when a packet matches ... iptables stops and the packet is routed ... so if a reject is hit first, the packet is rejected and iptables exits for that packet).

Also, you can't use the line:
iptables -A FORWARD -i eth0 -o eth2 -j DROP

because then NO traffic can go from eth0 to eth2 (including traffic that is returning from the internet) ... it will be dropped.....

Take a close look at the link I sent you for IPMASQ'ing ... the script in section 6.4.1 is what you want to use ... if you are using more than 1 internal network, it can be modified.


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
Robert83
post Feb 25 2004, 09:50 AM
Post #3


aha!

So all I have to do is first define which packets to accept, and after that drop the rest, yes?


Thanks


Sincerely
Robert B


hughesjr
post Feb 26 2004, 07:35 AM
Post #4




Yes... but in the case of routing (and not when installed on a local machine), you have to worry about return traffic...

For example ... if you drop all eth3 traffic to eth2 (if 3 was outside and 2 was a subnet inside) then you would never get any return traffic from the internet back to a PC on the eth2 subnet ... the web browser traffic would go to the website, the website would respond, and it would get blocked at the firewall.


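The two points hughesjr makes above (a chain is walked top to bottom and the first matching rule decides, and a router has to let return traffic back in) can be watched in miniature with the following Python model. This is an added example, not code from the thread or from iptables: the Packet and Rule types, the tiny connection table standing in for conntrack, the chain policies and the sample chains are assumptions made here; only the interface names and subnets are taken from the thread.

```python
"""First-match evaluation of an iptables FORWARD chain, modelled in Python.

Constructed for illustration; this is not iptables. Interface names and
subnets are the ones from the thread; the Rule/Packet types, the connection
table standing in for conntrack, and the sample chains are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Flow = Tuple[str, str]  # (src, dst) of a forward direction that was ACCEPTed


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]          # None means "any", like omitting -i
    out_if: Optional[str]         # None means "any", like omitting -o
    target: str                   # "ACCEPT" or "DROP"
    state: Optional[str] = None   # None, "NEW" or "ESTABLISHED" (models -m state)


def _matches(rule: Rule, pkt: Packet, established: bool) -> bool:
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.out_if is not None and rule.out_if != pkt.out_if:
        return False
    if rule.state == "ESTABLISHED" and not established:
        return False
    if rule.state == "NEW" and established:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str, conntrack: Set[Flow]) -> str:
    """Walk the chain top to bottom; the first matching rule decides.
    If nothing matches, the chain policy applies. ACCEPTed flows are
    remembered so the reply direction counts as ESTABLISHED."""
    established = (pkt.dst, pkt.src) in conntrack or (pkt.src, pkt.dst) in conntrack
    for rule in chain:
        if _matches(rule, pkt, established):
            if rule.target == "ACCEPT":
                conntrack.add((pkt.src, pkt.dst))
            return rule.target
    return policy


# The same two rules in opposite order: in a first-match chain, order decides.
DROP_FIRST = [Rule("eth0", "eth2", "DROP"), Rule("eth0", "eth2", "ACCEPT")]
ACCEPT_FIRST = [Rule("eth0", "eth2", "ACCEPT"), Rule("eth0", "eth2", "DROP")]


def verdict_for_order(chain: List[Rule]) -> str:
    pkt = Packet("eth0", "eth2", "192.168.0.20", "192.168.2.20")
    return evaluate(chain, pkt, policy="ACCEPT", conntrack=set())


# Assumed strict setup: policy DROP, only outbound LAN -> eth3 allowed, and no
# rule at all for replies coming back in on eth3.
STATELESS_CHAIN = [
    Rule("eth0", "eth3", "ACCEPT"),
    Rule("eth1", "eth3", "ACCEPT"),
    Rule("eth2", "eth3", "ACCEPT"),
]

# Stateful variant: replies to already-accepted flows are let through first,
# then new outbound flows; anything else (LAN to LAN included) hits policy DROP.
STATEFUL_CHAIN = [
    Rule(None, None, "ACCEPT", state="ESTABLISHED"),
    Rule("eth0", "eth3", "ACCEPT", state="NEW"),
    Rule("eth1", "eth3", "ACCEPT", state="NEW"),
    Rule("eth2", "eth3", "ACCEPT", state="NEW"),
]


def web_round_trip(chain: List[Rule]) -> Tuple[str, str]:
    """A PC on the eth2 subnet talks to a web server beyond eth3 (constructed
    address); return the verdicts for the request and for the server's reply."""
    conntrack: Set[Flow] = set()
    request = Packet("eth2", "eth3", "192.168.2.20", "203.0.113.10")
    reply = Packet("eth3", "eth2", "203.0.113.10", "192.168.2.20")
    out = evaluate(chain, request, "DROP", conntrack)
    back = evaluate(chain, reply, "DROP", conntrack)
    return out, back


def cross_subnet(chain: List[Rule]) -> str:
    """A new connection from the eth2 subnet to the eth1 subnet."""
    pkt = Packet("eth2", "eth1", "192.168.2.20", "192.168.1.20")
    return evaluate(chain, pkt, "DROP", set())


if __name__ == "__main__":
    print("DROP before ACCEPT    ->", verdict_for_order(DROP_FIRST))
    print("ACCEPT before DROP    ->", verdict_for_order(ACCEPT_FIRST))
    print("stateless round trip  ->", web_round_trip(STATELESS_CHAIN))
    print("stateful round trip   ->", web_round_trip(STATEFUL_CHAIN))
    print("LAN to LAN (stateful) ->", cross_subnet(STATEFUL_CHAIN))
```

The stateless chain accepts the outbound request and then drops the reply, which is exactly the "website responds and gets blocked at the firewall" case described in post #4; the stateful chain lets the reply back because the ESTABLISHED rule sits above everything else, while a fresh LAN-to-LAN connection still falls through to the DROP policy. The real-world counterpart of that first rule is the iptables state match (`-m state --state ESTABLISHED,RELATED -j ACCEPT`) placed at the top of the FORWARD chain.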
