Warning: wierd character in interface `eth0:1' (No aliases, :, ! or *).
I don't know iptables very well... Googling around, I found that iptables doesn't like IP aliases... I'm looking for a way to write rules without "eth0:1" inside... Is there a way to build a firewall/router with these requirements?
1. Allow every protocol inside my LAN.
2. Protect my LAN from the internet.
3. Allow my laptop and my Mandrake box to access the internet without problems (POP3, FTP, HTTP, P2P).
4. Allow my Mandrake box to accept incoming connections from the internet for FTP, HTTP, P2P, Webmin, etc.
iptables -A OUTPUT -o eth0:1 -s 192.168.0.1/24 -d 192.168.0.0/24 -j ACCEPT
What do you want to do?
It is not necessary to block the OUTPUT chain; it is your local output.
eth0:1 doesn't work here either. I don't know if it is possible to use aliased net devices. You can configure your firewall like this without "eth0:1":
If you want to share your internet securely, you must do that with the FORWARD chain.
iptables -F FORWARD # remove all rules in the FORWARD chain
iptables -P FORWARD DROP # assign the default policy DROP to the FORWARD chain
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT # accept all packets which come from 192.168.0.0/24 and go to other networks (like the internet)
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # allow all established/related packets
Now your local networks behind your firewall are secure enough.
And if you want to secure your Linux gateway, you must do that with the INPUT chain:
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -d lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
And open the necessary ports coming in on the ppp0 interface like this:
iptables -A INPUT -i ppp0 -p (protocol) --dport (port_no) -j ACCEPT
You can see the protocols and port numbers of services in the /etc/services file.
You can add these iptables rules to your iptables script.
iptables -A INPUT -d 127.0.0.1/255.0.0.0 -j ACCEPT
Now... my script:
Code:
#!/bin/sh
#Firewall/router script.. Thanx to maxut and Linuxquestions.org
# If you want to share your internet securely, you must do that with the FORWARD chain.
iptables -F FORWARD # remove all rules in the FORWARD chain
iptables -P FORWARD DROP # assign the default policy DROP to the FORWARD chain
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT # accept all which come from your net and go to other nets (like the internet)
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # allow all established/related packets
# Now your local networks behind your firewall are secure enough.
# And if you want to secure your Linux gateway, you must do that with the INPUT chain:
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -d 127.0.0.1/255.0.0.0 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#open port:
#rule: iptables -A INPUT -i ppp0 -p (protocol) --dport (port_no) -j ACCEPT
#FTP
iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
#SSH
iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
#SMTP
iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
#HTTP and HTTPS
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 443 -j ACCEPT
#POP3
iptables -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
#NTP (NTP runs over UDP, not TCP)
iptables -A INPUT -i ppp0 -p udp --dport 123 -j ACCEPT
#GAIM and C. on M$N
#iptables -A INPUT -i ppp0 -p tcp --dport 1863 -j ACCEPT
#eDonkey-aMule
iptables -A INPUT -i ppp0 -p tcp --dport 4661 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 4662 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4665 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4666 -j ACCEPT
#Webmin
iptables -A INPUT -i ppp0 -p tcp --dport 10000 -j ACCEPT
#FreeDB and CDDB
iptables -A INPUT -i ppp0 -p tcp --dport 888 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 8880 -j ACCEPT
#Nicotine/Soulseek
iptables -A INPUT -i ppp0 -p tcp --dport 2234 -j ACCEPT
#DNS
iptables -A INPUT -i ppp0 -p tcp --dport 53 -j ACCEPT
### MASQUERADING ###
# Next, an iptables rule to enable masquerading:
iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
# Finally, enable ip forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
I think it's ok now... Any suggestions? What about the "lo" interface?
iptables -A INPUT -d 127.0.0.1/255.0.0.0 -j ACCEPT
Sorry, it was my mistake. It should be
Code:
iptables -A INPUT -i lo -j ACCEPT
but your rule (-d 127.0.0.1) is ok too.
You should allow only certain protocols, like this:
iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT # do this if you have an FTP server on the gateway box
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT # do this if you have an HTTP server on the gateway box
Additional info:
If you have a server behind your firewall, you can forward that service port.
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.10
This will forward HTTP packets (tcp 80) to 192.168.0.10 if the packets come in on ppp0.
Also, you don't have to type $EXTIP; you can use the device name, like ppp0.
And you mustn't use:
iptables -A INPUT -i ppp0 -j ACCEPT
If you do, you will allow everything coming from the external network to the gateway box. It is not recommended.
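Added example (not maxut's rules or the OP's script): the same gateway design from the two replies above, written so that no "eth0:1" alias ever appears, with a small lint that rejects the two mistakes discussed in the thread (an alias-style interface name and a blanket "-i ppp0 -j ACCEPT"). The interface ppp0, the networks 192.168.0.0/24 and 10.0.0.0/24 and the server 192.168.0.10 are taken from the thread; the variable and function names are mine.

```shell
#!/bin/sh
# Gateway firewall built without the "eth0:1" alias. LAN hosts are matched
# by address (-s 192.168.0.0/24, 10.0.0.0/24), which is all the alias carried.
# Assumptions: ppp0 is the internet link; 192.168.0.10 is a LAN web server.
IPT="${IPT:-echo iptables}"   # dry run prints rules; IPT=iptables applies them as root
EXT_IF=ppp0
LANS="192.168.0.0/24 10.0.0.0/24"
WEB_SERVER=192.168.0.10

build_rules() {
    $IPT -F INPUT; $IPT -F FORWARD; $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # loopback by interface, the corrected form of the "-d lo" rule
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for net in $LANS; do
        $IPT -A INPUT -s "$net" -j ACCEPT     # LAN may talk to the gateway
        $IPT -A FORWARD -s "$net" -j ACCEPT   # and be routed out to the internet
    done
    # services the gateway itself offers: one explicit proto/port per rule,
    # never a blanket "-i ppp0 -j ACCEPT"
    for svc in tcp/22 tcp/80 tcp/443 udp/123; do
        $IPT -A INPUT -i "$EXT_IF" -p "${svc%/*}" --dport "${svc#*/}" -j ACCEPT
    done
    # port forward to a LAN server: with FORWARD policy DROP, the DNAT rule
    # alone is not enough; the rewritten packet also needs a FORWARD accept
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to "$WEB_SERVER"
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Reads a rule list on stdin; returns non-zero if it contains an alias-style
# interface name (ethN:M) or a blanket accept of everything from the external
# interface, the two problems discussed in the thread.
lint_rules() {
    ! grep -Eq -- "-[io] [a-z0-9]+:[0-9]+|-i $EXT_IF -j ACCEPT"
}

# lint the dry-run rule list first, then build for real (or print, in dry run)
(IPT="echo iptables"; build_rules) | lint_rules && build_rules
```

Run it as-is to review the generated rules; run with IPT=iptables as root to load them.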
Yes, OK... I don't use "-i ppp0" but "-s $EXTIP".
I think it means "accept all packets coming from the source $EXTIP", right?
And when I type iptables -L I find this line about it:
Code:
ACCEPT all -- host100-11.pool8000.myserver.com anywhere
I don't know why, but I can't connect to myself using my no-ip account (if I type ftp://myaccount.no-ip.com from my Mandrake box) without this rule!! (But FROM OUTSIDE I think all is ok; I tested my firewall using https://grc.com/x/ne.dll?bh0bkyd2 )