Full Version: An Iptables Question...
Robert83
Here is the IPTABLE setup that I use for my NAT/Proxy server :
********************************************************************************
***********************************************
iptables -A FORWARD -i eth0 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j DROP
iptables -A FORWARD -i eth0 -o eth1 -j DROP
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -j DROP
iptables -A FORWARD -i eth2 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j DROP
iptables -A FORWARD -i eth2 -o eth0 -j DROP
[this way 192.168.0.x can only ping 192.168.0.x, 192.168.1.x can only ping 192.168.1.x,
and 192.168.2.x can only ping 192.168.2.x. Is this a good way to do it, or is there a better way
to do the same thing?]
********************************************************************************
**********************************************
iptables -A INPUT -i eth1 -s 0/0 -d 192.168.0.15/255.255.255.0 -j ACCEPT [with this I wanted to allow 192.168.1.x to ping 192.168.0.15, but it ain't working :( , don't know why... HELP]
iptables -A INPUT -i eth2 -s 0/0 -d 192.168.0.15/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 192.168.0.100/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 192.168.0.100/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 192.168.0.110/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 192.168.0.110/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 192.168.1.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 192.168.2.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 192.168.0.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 192.168.2.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 192.168.0.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth2 -s 0/0 -d 192.168.1.250/255.255.255.0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
********************************************************************************
***************************************************
I don't think I understand this thing completely. Before I added the first 3x3 lines I was able to
ping everything from every subnet, but after I added them only 0.250, 1.250 and 2.250 [gateways] can be
pinged.
I think iptables reads its config file line by line, so if I deny all, then enable some, it should enable them... please
help me, how can I do this, to be able to ping 192.168.0.15 from every subnet?
********************************************************************************
***************************************************
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.2.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
********************************************************************************
***************************************************
These last lines make it possible to reach 192.168.10.1 and get out to the net... is this the proper way to do it?
Any better ideas?


Sincerely
Robert B
hughesjr
iptables does read line by line ... but the accepts must come before the rejects (when a packet matches ... iptables stops and the packet is routed ... so if a reject is hit first, the packet is rejected and iptables exits for that packet) ....

Also, you can't use the line:
iptables -A FORWARD -i eth0 -o eth2 -j DROP

because then NO traffic can go from eth0 to eth2 (including traffic that is returning from the internet) ... it will be dropped.....

Take a close look at the link I sent you for IPMASQ'ing ... the script in section 6.4.1 is what you want to use ... if you are using more than 1 internal network, it can be modified.
Robert83
aha!

so all I have to do is first define which packets to accept, and after that drop the rest, yes?


thanx


Sincerely
Robert B
hughesjr
yes....but in the case of routing (and not when installed on a local machine), you have to worry about return traffic ....

For example ... if you drop all eth3 traffic to eth2 (if 3 was outside and 2 was a subnet inside) then you would never get any return traffic from the internet back to a PC on the eth2 subnet ... the web browser traffic would go to the website, the website would respond, and it would get blocked at the firewall.
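Added example, not part of the thread: a FORWARD ruleset laid out the way hughesjr describes (a state rule for return traffic and the specific accepts first, the inter-subnet drops after), plus a small first-match dry-run in awk so the ordering can be checked without touching a live firewall. The layout is assumed from Robert's post (eth0 = 192.168.0.0/24, eth1 = 192.168.1.0/24, eth2 = 192.168.2.0/24, eth3 = outside) and 192.168.0.15 is assumed to be a host behind the router rather than the router itself, which is why the exception sits in FORWARD: packets routed through the box never traverse INPUT. The `GOOD_ORDER`, `BAD_ORDER`, `dry_run` and `emit_iptables` names are this example's own. The dry-run models the chain's default policy as DROP and matches on interface, CIDR, protocol and conntrack state only.

```shell
#!/bin/sh
# Added example (not from the thread). Two orderings of the same FORWARD rules
# and a first-match evaluator that mimics how iptables walks a chain.
# Assumed layout: eth0=192.168.0.0/24 eth1=192.168.1.0/24 eth2=192.168.2.0/24
# eth3=outside; 192.168.0.15 is a host behind the router (assumption).

# Rule table, one rule per line, earlier lines win (that is the whole point):
#   in-iface out-iface src dst proto state target    ("-" = match anything)
GOOD_ORDER='
- - - - - ESTABLISHED,RELATED ACCEPT
- eth3 - - - - ACCEPT
eth1 eth0 192.168.1.0/24 192.168.0.15/32 icmp - ACCEPT
eth2 eth0 192.168.2.0/24 192.168.0.15/32 icmp - ACCEPT
eth0 eth1 - - - - DROP
eth0 eth2 - - - - DROP
eth1 eth0 - - - - DROP
eth1 eth2 - - - - DROP
eth2 eth0 - - - - DROP
eth2 eth1 - - - - DROP
'

# Same rules with the blanket drops ahead of the exception, as in the original
# post: the ACCEPT for 192.168.0.15 is never reached.
BAD_ORDER='
- - - - - ESTABLISHED,RELATED ACCEPT
- eth3 - - - - ACCEPT
eth1 eth0 - - - - DROP
eth2 eth0 - - - - DROP
eth1 eth0 192.168.1.0/24 192.168.0.15/32 icmp - ACCEPT
eth2 eth0 192.168.2.0/24 192.168.0.15/32 icmp - ACCEPT
'

# dry_run RULESET IN OUT SRC DST PROTO STATE -> verdict of the first matching
# rule, or DROP (the chain policy) when no rule matches.
dry_run() {
  printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" -v src="$4" \
                           -v dst="$5" -v proto="$6" -v st="$7" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # CIDR test without bit operators (POSIX awk has none): drop the host bits
    # with integer division and compare what is left.
    function incidr(ip, c,  p, n, host) {
      if (c == "-") return 1
      n = split(c, p, "/"); host = 2 ^ (32 - (n == 2 ? p[2] : 32))
      return int(ip2n(ip) / host) == int(ip2n(p[1]) / host)
    }
    NF == 7 && ($1 == "-" || $1 == in_if) && ($2 == "-" || $2 == out_if) &&
    incidr(src, $3) && incidr(dst, $4) && ($5 == "-" || $5 == proto) &&
    ($6 == "-" || index("," $6 ",", "," st ",") > 0) { print $7; hit = 1; exit }
    END { if (!hit) print "DROP" }'
}

# emit_iptables RULESET -> the iptables commands that install it, in order,
# with a DROP policy so anything not accepted explicitly is dropped.
emit_iptables() {
  echo 'iptables -P FORWARD DROP'
  echo 'iptables -F FORWARD'
  printf '%s\n' "$1" | awk 'NF == 7 {
    cmd = "iptables -A FORWARD"
    if ($1 != "-") cmd = cmd " -i " $1
    if ($2 != "-") cmd = cmd " -o " $2
    if ($3 != "-") cmd = cmd " -s " $3
    if ($4 != "-") cmd = cmd " -d " $4
    if ($5 != "-") cmd = cmd " -p " $5
    if ($6 != "-") cmd = cmd " -m state --state " $6
    print cmd " -j " $7 }'
}

emit_iptables "$GOOD_ORDER"
echo "# ping 192.168.1.7 -> 192.168.0.15, good order: $(dry_run "$GOOD_ORDER" eth1 eth0 192.168.1.7 192.168.0.15 icmp NEW)"
echo "# ping 192.168.1.7 -> 192.168.0.15, bad order:  $(dry_run "$BAD_ORDER" eth1 eth0 192.168.1.7 192.168.0.15 icmp NEW)"
echo "# reply from the internet to 192.168.2.9:       $(dry_run "$GOOD_ORDER" eth3 eth2 203.0.113.5 192.168.2.9 tcp ESTABLISHED)"
```

The first rule is what answers the return-traffic concern: the reply to an outbound web request (eth3 to eth2) and the echo reply for the permitted ping (eth0 to eth1) are both ESTABLISHED in conntrack's eyes, so they pass before any interface-pair DROP is consulted, while a brand-new connection arriving from eth3 still falls through to the DROP policy. The explicit DROP lines are redundant under that policy but keep the intent readable and give somewhere to hang a LOG rule.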