Linux - Networking (LinuxQuestions.org forum thread)
I cannot ping and have no access to the local HTTP or telnet, even if I specify the
external address:
iptables -A PREROUTING -t nat -p tcp -s allowed-ip -d int-ip --dport 23 -j DNAT --to-destination 198.168.1.12:23
Nothing, and not even a ping!
Any help?
The problem is you're dropping all packets regardless, as your default policy for the INPUT chain is DROP.
Under your PREROUTING rules you have to ACCEPT incoming packets for both your ports, i.e.:
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 23 -i eth1 -j ACCEPT
Hi, I want to know how to disable/enable access to a site with iptables.
I have read many tutorials for iptables. Could someone tell me how to do it? (If it cannot be done, reply to me that it cannot be done.) And something more: if what I asked for can be done, how do we discover the IP of a site?
I am sorry if you became tired reading my post!
(please try to answer quickly)
thank you very much!
Because I am new to iptables, could you tell me:
1) How do I enable the iptables logging feature?
2) How can I tell iptables not to allow access to a site?
Sorry for the many questions!
Thank you for the quick answer!
archer
ext_ip: net IP
192.168.1.11: IP of the eth0 card
192.168.1.2: PC that I want to access from the net
Code:
iptables -A PREROUTING -t nat -p tcp -d ext_ip --dport 23 -j DNAT --to-destination 192.168.1.2:23
iptables -A OUTPUT -t nat -p tcp -d ext_ip --dport 23 -j DNAT --to-destination 192.168.1.2:23
iptables -A POSTROUTING -t nat -p tcp -d 192.168.1.2 -j SNAT --to-source 192.168.1.11
iptables -I INPUT -i eth1 -p tcp --dport 23 -m state --state NEW -j LOG # -i takes the external interface (eth1), not an IP
iptables -I INPUT -i eth1 -p tcp --dport 23 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d 10.10.5.208 --dport 23 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
It is working ...
but everything is open and I see attacks on my eth1, so when I add:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
it does not work.
Sorry, I got so tired today, and I'm not too comfortable reading.
But your iptables rules seem not to be in order.
Actually it's simple: that is because you did not allow localhost 127.0.0.1/8 to communicate as well.
Code:
iptables -I INPUT -i lo -s 127.0.0.1/8 -j ACCEPT # allow localhost
iptables -I INPUT -i LAN_IF -s LAN_IP -d LAN_IP -j ACCEPT # allow LAN
iptables -I INPUT -i WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT # allow established session from WAN
iptables -I INPUT -i WAN_IF -m state ! --state RELATED,ESTABLISHED -j DROP # drop new or invalid session from WAN
iptables -t nat -I PREROUTING -i WAN_IF -p tcp --dport 23 -j DNAT --to LAN_IP:23 # redirecting telnet to inside
iptables -t nat -I POSTROUTING -o WAN_IF -j MASQUERADE # basic masquerade
iptables -P INPUT DROP
And you don't need to DROP the FORWARD and OUTPUT chains unless you have already mastered iptables. No offense.
Try step by step, analyze how it works, then customize once you get familiar with it.
HTH.
Last edited by rossonieri#1; 03-05-2008 at 07:34 AM.
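The chain order both replies are reasoning about (DNAT in nat PREROUTING, then the routing decision sending the packet to INPUT or FORWARD, then the chain policy when nothing matches), as an added Python model that is not code from this thread: it compares the poster's DROP-everything state against a ruleset shaped like rossonieri#1's reply. The interface names eth1/lo, the 203.0.113.5 WAN address and the explicit FORWARD ACCEPT under a FORWARD DROP policy are my assumptions.

```python
"""Toy model of an incoming packet's path through iptables: nat PREROUTING
(DNAT), the routing decision, then the filter INPUT or FORWARD chain.
Added illustration, not code from the thread; all addresses are constructed."""
from dataclasses import dataclass, replace

LOCAL_IPS = {"203.0.113.5", "192.168.1.11", "127.0.0.1"}  # firewall's own WAN, LAN, lo
LAN_PC = "192.168.1.2"  # DNAT target behind the firewall, as in the thread

@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int
    state: str = "NEW"  # conntrack state as "-m state" would see it

def matches(rule, pkt):
    """A rule matches when every field it names equals the packet's field."""
    return all(getattr(pkt, k) == v for k, v in rule["match"].items())

def run_chain(rules, policy, pkt):
    """First matching rule wins; with no match the chain policy decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

def filter_packet(ruleset, pkt):
    """Return (chain consulted, verdict) for one incoming packet."""
    for rule in ruleset["nat_prerouting"]:  # DNAT rewrites dst before routing
        if matches(rule, pkt):
            pkt = replace(pkt, dst=rule["to"])
            break
    chain = "INPUT" if pkt.dst in LOCAL_IPS else "FORWARD"  # routing decision
    return chain, run_chain(ruleset["filter"][chain], ruleset["policy"][chain], pkt)

DNAT_TELNET = {"match": {"iface": "eth1", "dport": 23}, "target": "DNAT", "to": LAN_PC}
DROP_ALL = {"INPUT": "DROP", "FORWARD": "DROP"}
# The poster's state: DNAT in place, then "-P INPUT DROP" with no ACCEPT rules.
BROKEN = {"nat_prerouting": [DNAT_TELNET], "policy": DROP_ALL,
          "filter": {"INPUT": [], "FORWARD": []}}
# Shape of the later reply: allow lo, allow replies, open only what is needed
# (plus an explicit FORWARD accept for the DNATed port, since FORWARD is DROP here).
FIXED = {"nat_prerouting": [DNAT_TELNET], "policy": DROP_ALL,
         "filter": {"INPUT": [{"match": {"iface": "lo"}, "target": "ACCEPT"},
                              {"match": {"state": "ESTABLISHED"}, "target": "ACCEPT"},
                              {"match": {"iface": "eth1", "dport": 80}, "target": "ACCEPT"}],
                    "FORWARD": [{"match": {"dst": LAN_PC, "dport": 23}, "target": "ACCEPT"}]}}
```

Note that the DNATed telnet packet never reaches INPUT: after the PREROUTING rewrite its destination is 192.168.1.2, so it is the FORWARD chain that must accept it, while loopback and the firewall's own HTTP port are INPUT decisions.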