LinuxQuestions.org

Linux - Networking: iptables bridge firweall (https://www.linuxquestions.org/questions/linux-networking-3/iptables-bridge-firweall-85164/)

revres xunil 08-24-2003 11:14 AM

iptables bridge firewall
 
Ok. I've spent the past 3 days searching and searching for this.

Here's my situation.

I have a box on which I set up a bridge, br0. The network has one full subnet of public IPs. The bridge has in (eth0) from the internet and out (eth1) to the network, which will all have public IPs.

I am stumped and also a newbie at iptables. I have all the patches and stuff to make it supposedly work with bridges... I found a site that had some rules that -sorta- worked (it denied access to everything inside the network).

Here's what I'm asking. I need some examples of how to:

Deny all incoming requests from the internet to the network. Allow all outgoing from the network to the internet... Then I want to add some rules that allow x.x.x.x on the network to be accessed from the internet on port 22, and x.x.x.y to be accessed from the internet on port 80... While we are at it, I want x.x.x.z to also be accessible on ports 80 and 22.

Any other rules that are helpful in this situation would be nice too!

Can anyone give me some iptables rules that would work with this setup?

And also... can I use fwbuilder for this sort of bridged setup?

MUCH thanks if anyone can help me out... I'm totally out of places to look.


Running Gentoo Linux w/ latest packages.

Blindsight 08-24-2003 03:22 PM

Here's everything you ever wanted to know about iptables.

http://www.iptables.org/documentation/

revres xunil 08-25-2003 08:30 AM

Thanks...... but not really. The day I actually find the information specific to a bridge is the day we get a Cisco firewall instead. If you know what I'm asking for, then please post specifically.

thanks.

Blindsight 08-25-2003 09:12 AM

I misunderstood the intent of your post. I hadn't realized you wanted someone to do your work for you:

# Enable packet forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Deny all incoming requests from the internet to the network
# unless they match a certain rule or they're packets of a
# currently established connection. iptables matches rules top
# to bottom, so the ACCEPT rules must come before the catch-all REJECT.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# server based rules (--dport needs a protocol, hence -p tcp)
iptables -A INPUT -p tcp -d x.x.x.x --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d x.x.x.y --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d x.x.x.z --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d x.x.x.z --dport 22 -j ACCEPT
# reject all incoming packets that didn't match a rule above.
iptables -A INPUT -j REJECT
# Allow all outgoing from the network to the internet (eth0 is the internet side)...
iptables -A OUTPUT -o eth0 -j ACCEPT
# reject all packets outgoing that don't match a rule.
iptables -A OUTPUT -j REJECT

Do I get your paycheck, too?

revres xunil 08-25-2003 09:17 AM

I'll give your example a try. If it works, we can set something up to give you some money. I find it easier to learn how things work by example, not by reading extensive documentation that has 1/10000 actually being what I'm looking for.... That's how most professors teach their classes.

Bridging firewalls seem very underdocumented online; that's the only reason I came here to ask for some example setups.

But thanks. I appreciate it.

revres xunil 08-25-2003 12:24 PM

Blindsight and I have been working all morning on this and we finally came to a conclusion. This table will work:

# Clear old tables
iptables -F
iptables -X

# Connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# What to allow on the gentoo server itself.
## Right now, we are ONLY allowing SSH through.
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

# allow all outbound traffic
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

#####################################
## HERE'S WHERE YOU WILL EDIT THINGS ##
#####################################

# SERVICES ALLOWED
## -A append -p protocol -d destination --dport destination port -j ACCEPT/REJECT
#iptables -A FORWARD -p tcp -d x.x.x.x --dport 22 -j ACCEPT
#iptables -A FORWARD -p tcp -d x.x.x.x --dport 53 -j ACCEPT
#iptables -A FORWARD -p udp -d x.x.x.x --dport 53 -j ACCEPT

####################################
## THAT'S ALL YOU NEED TO EDIT ##
####################################

# Allow pinging
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT

# Reject everything else
## gentoo server specific
iptables -A INPUT -i eth0 -j REJECT
## Bridge specific
iptables -A FORWARD -i eth0 -j REJECT
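The two rule sets above (Blindsight's first draft and the final "this table will work" version) both rely on a trailing catch-all REJECT being in the right place, and both match the bridge ports with -i/-o. The script below is an added example, not the thread's own rules, showing the same policy built from default-deny chain policies instead, with the per-host allow list pulled out into data. It assumes a current kernel with br_netfilter loaded and net.bridge.bridge-nf-call-iptables=1, where bridged frames traverse the FORWARD chain and iptables reports br0 as the interface, so the physical ports eth0/eth1 are matched with -m physdev rather than -i/-o. The addresses in SERVICES are constructed placeholders for the thread's x.x.x.x, x.x.x.y and x.x.x.z; by default the script only prints the iptables commands (IPT defaults to "echo iptables") so they can be reviewed before running it with IPT=iptables.

```shell
#!/bin/sh
# Added example: default-deny bridge firewall for the br0 = eth0 (internet) + eth1 (network)
# layout from the thread. Not the thread's own rule set. By default the commands are only
# printed (IPT="echo iptables"); run with IPT=iptables to apply them for real.
set -eu

IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"   # bridge port facing the internet
LAN="${LAN:-eth1}"   # bridge port facing the public subnet behind the bridge

# Constructed allow list, one "ip proto port" per line. The thread's x.x.x.x, x.x.x.y
# and x.x.x.z are stand-ins; the documentation-range addresses below are placeholders too.
SERVICES="
# ip           proto port
192.0.2.10     tcp   22
192.0.2.11     tcp   80
192.0.2.12     tcp   80
192.0.2.12     tcp   22
"

# Emit one FORWARD accept per published service. Reads "ip proto port" lines on stdin,
# skipping blank lines and '#' comments. Assumption: br_netfilter is in use, so the
# physical bridge ports are matched with -m physdev, not -i/-o (iptables sees br0 there).
service_rules() {
    while read -r ip proto port; do
        case "$ip" in ''|\#*) continue ;; esac
        $IPT -A FORWARD -m physdev --physdev-in "$WAN" --physdev-out "$LAN" \
            -p "$proto" -d "$ip" --dport "$port" -m state --state NEW -j ACCEPT
    done
}

build_firewall() {
    # Start clean and from default-deny policies, so nothing depends on a trailing
    # catch-all REJECT being appended in the right order.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # --- traffic crossing the bridge (FORWARD) ---
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Network -> internet: anything the inside initiates.
    $IPT -A FORWARD -m physdev --physdev-in "$LAN" --physdev-out "$WAN" -j ACCEPT
    # Internet -> network: only the published services.
    printf '%s\n' "$SERVICES" | service_rules
    # Keep inside hosts pingable, as the thread's rule set does, but only echo requests.
    $IPT -A FORWARD -m physdev --physdev-in "$WAN" --physdev-out "$LAN" \
        -p icmp --icmp-type echo-request -j ACCEPT
    # Rate-limited log of what the DROP policy is about to discard.
    $IPT -A FORWARD -m physdev --physdev-in "$WAN" -m limit --limit 5/min \
        -j LOG --log-prefix "BRIDGE-DROP: "

    # --- traffic to the bridge host itself (INPUT) ---
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management SSH only from the network side of the bridge.
    $IPT -A INPUT -m physdev --physdev-in "$LAN" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
}

# Print (default) or apply the rules when run with an argument, e.g. "sh bridge-fw.sh show".
if [ "$#" -gt 0 ]; then
    build_firewall
fi
```

Review the printed output first (sh bridge-fw.sh show), then apply with IPT=iptables sh bridge-fw.sh apply from a console session rather than over SSH, since the INPUT policy becomes DROP before the SSH accept is added. Adding a host to the allow list means adding one line to SERVICES, not placing a rule relative to a REJECT.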

