LinuxQuestions.org
Old 06-26-2007, 05:01 AM   #1
sunlinux
Registered: Feb 2006
Distribution: RHCL 5
block internet traffic


I configured NAT on Red Hat using a DSL modem. My objective is to allow/access only POP (110) and SMTP (25) through it; I want to block all HTTP and HTTPS traffic from the LAN.

Please tell me how I add rules to achieve the same.

Do not give me any link, please.

Setup (NATting):
ppp0 = internet
eth0 = LAN
 
Old 06-26-2007, 05:15 AM   #2
SlackDaemon
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
# opens up ports 25 (SMTP) and 110 (POP3)

iptables -I FORWARD -m tcp -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop all other traffic

iptables -A FORWARD -j DROP


You could drop only HTTP and HTTPS traffic, but then you'd have to worry about proxies.
 
Old 06-26-2007, 05:42 AM   #3
sunlinux
Registered: Feb 2006
Distribution: RHCL 5
Slack, it didn't help. Please look at the given NAT configuration and suggest.

#!/bin/sh

# IPTABLES PROXY script for the Linux 2.4 kernel.
# This script is a derivative of the script presented in
# the IP Masquerade HOWTO page at:
# http://www.tldp.org/HOWTO/IP-Masquer...-examples.html
# It was simplified to coincide with the configuration of
# the sample system presented in the Guides section of
# www.aboutdebian.com
#
# This script is presented as an example for testing ONLY
# and should not be used on a production proxy server.
#
# PLEASE SET THE USER VARIABLES
# IN SECTIONS A AND B OR C

echo -e "\n\nSETTING UP IPTABLES PROXY..."


# === SECTION A
# ----------- FOR EVERYONE

# SET THE INTERFACE DESIGNATION FOR THE NIC CONNECTED TO YOUR INTERNAL NETWORK
# The default value below is for "eth0". This value
# could also be "eth1" if you have TWO NICs in your system.
# You can use the ifconfig command to list the interfaces
# on your system. The internal interface will likely
# have an address that is in one of the private IP address
# ranges.
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the internal interface's designation for the
# INTIF variable:

INTIF="eth0"


# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
# The default value below is "ppp0" which is appropriate
# for a MODEM connection.
# If you have two NICs in your system change this value
# to "eth0" or "eth1" (whichever is opposite of the value
# set for INTIF above). This would be the NIC connected
# to your cable or DSL modem (WITHOUT a cable/DSL router).
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the external interface's designation for the
# EXTIF variable:

EXTIF="ppp0"


# ! ! ! ! ! Use ONLY Section B *OR* Section C depending on
# ! ! ! ! the type of Internet connection you have.


# === SECTION B
# ----------- FOR THOSE WITH STATIC PUBLIC IP ADDRESSES

# SET YOUR EXTERNAL IP ADDRESS
# If you specified a NIC (i.e. "eth0" or "eth1" for
# the external interface (EXTIF) variable above,
# AND if that external NIC is configured with a
# static, public IP address (assigned by your ISP),
# UNCOMMENT the following EXTIP line and enter the
# IP address for the EXTIP variable:

#EXTIP="your.static.IP.address"



# === SECTION C
# ---------- DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS


# SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
# If you get your IP address dynamically from SLIP, PPP,
# BOOTP, or DHCP, UNCOMMENT the command below.
# (No values have to be entered.)
# Note that if you are uncommenting these lines then
# the EXTIP line in Section B must be commented out.

EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"


# -------- No more variable setting beyond this point --------


echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo " Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " External interface: $EXTIF"
echo " External interface IP address is: $EXTIP"

echo " Loading proxy server rules..."

# Clearing any existing rules and setting default policy
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# FWD: Allow all connections OUT and only existing and related ones IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

iptables -I FORWARD -m tcp -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 53 -j ACCEPT

iptables -A FORWARD -j DROP


# Enabling SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e " Proxy server rule loading complete\n\n"
 
Old 06-26-2007, 05:47 AM   #4
SlackDaemon
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Quote:
Originally Posted by sunlinux

iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT


iptables -I FORWARD -m tcp -p tcp --dport 110 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -m tcp -p tcp --dport 53 -j ACCEPT

iptables -A FORWARD -j DROP
The colored line (the unrestricted -i $INTIF -o $EXTIF -j ACCEPT rule) needs to be removed.

Edit: also, DNS uses UDP 53 for queries; TCP 53 is for zone transfers. So the following line needs to be changed from:

iptables -I FORWARD -m tcp -p tcp --dport 53 -j ACCEPT

to

iptables -I FORWARD -m udp -p udp --dport 53 -j ACCEPT

Last edited by SlackDaemon; 06-26-2007 at 05:49 AM.
 
Old 06-26-2007, 06:24 AM   #5
sunlinux
Registered: Feb 2006
Distribution: RHCL 5
Thanks dude, I liked your prompt reply. Solved.

You guys take Linux to the moon.
 
Old 06-26-2007, 10:13 AM   #6
jrbush82
Registered: Mar 2002
Location: Hampton, VA
Quote:
Originally Posted by SlackDaemon
Edit: also, DNS uses UDP 53 for queries; TCP 53 is for zone transfers. So the following line needs to be changed from:
TCP is not only used for zone transfers. If there is a need for a DNS server to send more than 512 bytes of data, then TCP is used.
 
Old 06-26-2007, 10:08 PM   #7
SlackDaemon
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Quote:
Originally Posted by jrbush82
TCP is not only used for zone transfers. If there is a need for a DNS server to send more than 512 bytes of data, then TCP is used.
True, but that's quite a rare occurrence.

Edit: Junior's right. It appears that if organizations use virtual IPs for their server farms and have a certain number of servers, the DNS information is considerably larger. This is not uncommon in larger organizations nowadays. You'll want to add the TCP 53 port back into your script if you have removed it.

Last edited by SlackDaemon; 06-26-2007 at 10:36 PM.
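As an added example (not code from the thread or from any of its posters), here is the FORWARD chain the thread converges on: SlackDaemon's port list from #2, the blanket LAN-to-Internet ACCEPT removed as in #4, and both UDP 53 and TCP 53 allowed as settled in #4 and #7. It is written with -A only so the chain reads in evaluation order, binds each rule to the LAN and DSL interfaces, and puts a rate-limited LOG in front of the final DROP so blocked web attempts are visible in the kernel log. INTIF/EXTIF defaults (eth0, ppp0) follow the thread; the IPT dry-run variable and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the FORWARD policy discussed
# above: only LAN-originated SMTP, POP3 and DNS leave via the DSL link,
# replies return through the ESTABLISHED,RELATED rule, and everything else
# (including HTTP/HTTPS) is logged at a limited rate and dropped.
# Assumptions: eth0 = LAN, ppp0 = DSL (as in the thread); IPT is a
# dry-run hook, e.g. IPT="echo iptables" prints instead of applying.
INTIF="${INTIF:-eth0}"
EXTIF="${EXTIF:-ppp0}"

# Print the rules, one per line, in the order the kernel evaluates them.
# Every rule uses -A; mixing -I and -A (as in the original script) makes
# the live chain order differ from the order the script reads in.
forward_rules() {
    cat <<EOF
-P FORWARD DROP
-F FORWARD
-A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 110 -m state --state NEW -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -p udp --dport 53 -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -p tcp -m multiport --dports 80,443 -m limit --limit 5/min -j LOG --log-prefix FWD-WEB-BLOCKED:
-A FORWARD -j DROP
EOF
}

# Feed each rule to iptables (or to the IPT dry-run command).
apply_forward_rules() {
    forward_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting $rule is intended
        ${IPT:-iptables} $rule || return 1
    done
}

# Sanity check of the generated chain: no -I anywhere, DROP is the last rule.
check_forward_rules() {
    forward_rules | grep -q -- '^-I ' && return 1
    [ "$(forward_rules | tail -n 1)" = "-A FORWARD -j DROP" ]
}
```

Source the file, run check_forward_rules, then apply_forward_rules as root; set IPT="echo iptables" first to preview the exact commands without touching the live ruleset.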
 