LinuxQuestions.org
Forum: Linux - Networking
Old 08-24-2003, 11:14 AM   #1
revres xunil
LQ Newbie
 
Registered: Mar 2002
Distribution: gentoo
Posts: 7

Rep: Reputation: 0
iptables bridge firewall


Ok. I've spent the past 3 days searching and searching for this.

Here's my situation.

I have a box that I set up as a bridge, br0. The network has one full subnet of public IPs. The bridge has in (eth0) from the internet and out (eth1) to the network, which will all have public IPs.

I am stumped and also a newbie at iptables. I have all the patches and stuff to make it supposedly work with bridges... I found a site that had some rules that -sorta- worked (it denied access to everything inside the network).

Here's what I'm asking. I need some examples of how to:

Deny all incoming requests from the internet to the network. Allow all outgoing from the network to the internet... Then I want to add some rules that allow x.x.x.x on the network to be accessed from the internet on port 22, and x.x.x.y to be accessed from the internet on port 80... While we are at it, I want x.x.x.z to also be accessed on ports 80 and 22.

Any other rules that are helpful in this situation would be nice too!

Can anyone give me some iptables rules that would work with this setup?

And also... can I use fwbuilder for this sort of bridged setup?

MUCH thanks if anyone can help me out.. I'm totally out of places to look.


Running gentoo linux w/ latest packages
 
Old 08-24-2003, 03:22 PM   #2
Blindsight
Member
 
Registered: Mar 2003
Distribution: Slackware
Posts: 234

Rep: Reputation: 30
Here's everything you ever wanted to know about iptables.

http://www.iptables.org/documentation/
 
Old 08-25-2003, 08:30 AM   #3
revres xunil
LQ Newbie
 
Registered: Mar 2002
Distribution: gentoo
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks...... but not really. The day I actually find the information specific to a bridge is the day we get a Cisco firewall instead. If you know what I'm asking for, then please post specifically.

thanks.
 
Old 08-25-2003, 09:12 AM   #4
Blindsight
Member
 
Registered: Mar 2003
Distribution: Slackware
Posts: 234

Rep: Reputation: 30
I misunderstood the intent of your post. I hadn't realized you wanted someone to do your work for you:

# Enable packet forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Accept packets belonging to established (and related) connections first.
# iptables evaluates rules in order, so every ACCEPT must come before the
# catch-all REJECT or it is never reached. Target names are case-sensitive.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# server based rules (--dport only works together with -p tcp or -p udp)
iptables -A INPUT -p tcp -d x.x.x.x --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -d x.x.x.y --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d x.x.x.z --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -d x.x.x.z --dport 22 -j ACCEPT
# Deny all incoming requests from the internet to the network
# unless they matched one of the rules above.
iptables -A INPUT -j REJECT
# Allow all outgoing from the network to the internet...
iptables -A OUTPUT -o eth1 -j ACCEPT
# reject all packets outgoing that don't match a rule.
iptables -A OUTPUT -j REJECT

Do I get your paycheck, too?
 
Old 08-25-2003, 09:17 AM   #5
revres xunil
LQ Newbie
 
Registered: Mar 2002
Distribution: gentoo
Posts: 7

Original Poster
Rep: Reputation: 0
I'll give your example a try. If it works, we can set something up to give you some money. I find it easier to learn how something works by example, not by reading extensive documentation that has 1/10000 actually being what I'm looking for.... That's how most professors teach their classes.

Bridging firewalls seem very underdocumented online; that's the only reason I came here to ask for some example setups.

But thanks. I appreciate it.
 
Old 08-25-2003, 12:24 PM   #6
revres xunil
LQ Newbie
 
Registered: Mar 2002
Distribution: gentoo
Posts: 7

Original Poster
Rep: Reputation: 0
Blindsight and I have been working all morning on this and we finally came to a conclusion. This table will work:

# Clear old tables
iptables -F
iptables -X

# Connection tracking
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# What to allow on the gentoo server itself.
## Replies to connections the server opened must be let back in.
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
## Right now, we are ONLY allowing SSH through.
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

# allow all outbound traffic
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

#####################################
## HERE'S WHERE YOU WILL EDIT THINGS##
#####################################

# SERVICES ALLOWED
## -A append -p protocol -d destination --dport destination port -j ACCEPT/REJECT
#iptables -A FORWARD -p tcp -d x.x.x.x --dport 22 -j ACCEPT
#iptables -A FORWARD -p tcp -d x.x.x.x --dport 53 -j ACCEPT
#iptables -A FORWARD -p udp -d x.x.x.x --dport 53 -j ACCEPT

####################################
## THAT'S ALL YOU NEED TO EDIT ##
####################################

# Allow pinging
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT

# Reject everything else
## gentoo server specific
iptables -A INPUT -i eth0 -j REJECT
## Bridge specific
iptables -A FORWARD -i eth0 -j REJECT

Last edited by revres xunil; 08-25-2003 at 04:07 PM.
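A complete version of the ruleset the thread converges on (deny new connections from the Internet into the bridged subnet, allow everything out, open individual host/port pairs), added here as an example; it is not code from the thread or from any of the posters. It assumes a current kernel with the br_netfilter module, under which iptables sees bridged frames in the FORWARD chain with the bridge (br0) as -i/-o, so the bridge port is selected with the physdev match rather than with -i eth0; the 192.0.2.x addresses stand in for x.x.x.x/y/z and eth0/eth1 are placeholder port names. The script prints the commands instead of running them, so the ordering (every ACCEPT before the final REJECT, the mistake in post #4) can be checked without root; run it with the argument apply to execute them.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the bridge-firewall
# ruleset the original poster asks for. Assumes br_netfilter is available:
# it hands bridged IPv4 frames to iptables, and in FORWARD those frames carry
# the bridge device as -i/-o, so bridge ports are matched with -m physdev.

WAN_PORT=eth0   # bridge port towards the Internet (placeholder name)
LAN_PORT=eth1   # bridge port towards the public subnet (placeholder name)
IPT=iptables

# host:proto:port entries reachable from the Internet; the 192.0.2.0/24
# addresses are documentation placeholders standing in for x.x.x.x etc.
ALLOWED_SERVICES="192.0.2.10:tcp:22 192.0.2.11:tcp:80 192.0.2.12:tcp:80 192.0.2.12:tcp:22"

# Print the commands in the order they must be applied instead of running
# them, so the ruleset can be reviewed (and tested) without root.
build_rules() {
    echo "modprobe br_netfilter"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    echo "$IPT -F"
    echo "$IPT -X"
    # default-deny for the bridge host itself and for bridged traffic
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"
    # bridge host: loopback, replies to its own connections, and SSH in
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # bridged traffic: accept rules first, the catch-all reject last
    echo "$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A FORWARD -m physdev --physdev-in $LAN_PORT --physdev-out $WAN_PORT -j ACCEPT"
    echo "$IPT -A FORWARD -m physdev --physdev-in $WAN_PORT -p icmp --icmp-type echo-request -j ACCEPT"
    for entry in $ALLOWED_SERVICES; do
        host=${entry%%:*}
        rest=${entry#*:}
        proto=${rest%%:*}
        port=${rest#*:}
        echo "$IPT -A FORWARD -m physdev --physdev-in $WAN_PORT -p $proto -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # explicit final reject from the Internet side: the policy already drops,
    # but REJECT answers the sender and keeps the rule visible in the counters
    echo "$IPT -A FORWARD -m physdev --physdev-in $WAN_PORT -j REJECT"
}

# Number of per-host exception rules generated (one per ALLOWED_SERVICES entry).
count_service_rules() {
    build_rules | grep -c -- " -d "
}

# Execute the generated commands; needs root and the iptables binary.
apply_rules() {
    build_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

Running the script without arguments prints the ruleset for review; the per-host lines are the only ones that need editing when a service is added, and because they are generated in the same loop they always land between the stateful ACCEPT rules and the final REJECT.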