Linux - Networking
07-25-2009, 06:35 AM
#1
LQ Newbie
Registered: Jul 2009
Posts: 12
Rep:
iptables help - 1 wan - 2 lan
Dear All,
Our question is regarding iptables and networking with a firewall.
Please kindly help me with this problem, or point me to previous posts with similar solutions. Thanking you all.
We have a Linux box acting as a firewall and proxy; it has 3 NICs:
eth0 - WAN IP - static IP provided by the ISP
eth1 - LAN 1 IP - 10.0.0.200 - this is the gateway for the LAN clients (10.0.0.0)
eth2 - LAN 2 IP - 192.168.0.200 - this connects the 2nd LAN, where internet is not allowed
We are comfortable with NAT and port forwarding from the Internet,
i.e.
1.) Internet is accessible from terminals connected to eth1
2.) From the WAN, clients connect to ports 21 and 5900 on the terminals connected to eth1.
Now the requirement is that we would like to connect a single terminal, 10.0.0.211 on eth1, with a terminal 192.168.0.211 on eth2 through port 21 for some FTP access:
(eth1) 10.0.0.211 ----> (eth2) 192.168.0.211:21
Please help us in creating iptables rules for this requirement.
Currently, from the Linux firewall box:
1.) we are able to ping 192.168.0.211 (through eth2 - 192.168.0.200)
2.) we can also ping 10.0.0.211 (through eth1 - 10.0.0.200)
3.) But we cannot telnet to port 21 on 192.168.0.211 from 10.0.0.211, which is connected on eth1.
Kindly help us to solve this problem.
Thanks / S Ganesh
07-26-2009, 02:13 AM
#2
Member
Registered: Jul 2006
Location: Joinville - SC, Brazil
Distribution: Debian, Gentoo, FreeBSD
Posts: 279
Rep:
The host 192.168.0.211 cannot talk to the host 10.0.0.211 because the two hosts are in different networks. You will have to create a routing table in order to allow them to communicate.
There are many sites on the web covering Linux routing, so go and check them, and if you run into trouble, come back here and ask.
This is one of them:
http://www.comptechdoc.org/os/linux/...ugrouting.html
and another one:
http://www.gentoo-wiki.info/HOWTO_add_a_static_route
Last edited by sparc86; 07-27-2009 at 11:51 PM .
07-27-2009, 11:11 PM
#3
LQ Newbie
Registered: Jul 2009
Posts: 12
Original Poster
Rep:
Thanks for your message.
I am a Linux noob and this is practical work on iptables / routing.
As suggested, I tried the routing tables, but could not succeed,
like:
Code:
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.0.0.200
but after this, if I ping 192.168.0.0/24 from the Linux firewall box, I cannot reach the 192.168.0.0/24 network,
and my requirement is also not fulfilled.
Kindly help me to solve this requirement.
Actually I am planning like this:
1 WAN
1 LAN network with 5 systems
1 DMZ network with 2 systems
My firewall box has 3 NICs, all connected respectively,
and my requirement is that
one of my systems in the LAN network, with IP 10.0.0.211, should get connected to 1 system in the DMZ network, with IP 192.168.0.211, for FTP access on port 21.
Currently I am using the iptables rules given below for masquerading and port forwarding (this works fine):
Code:
sudo iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j DROP
sudo iptables -A FORWARD -i eth0 -o eth0 -j DROP
sudo iptables -A FORWARD -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5900 -j DNAT --to-dest 192.168.0.39:5900
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-dest 192.168.0.211:21
Kindly help me with this.
07-28-2009, 12:02 AM
#4
Member
Registered: Jul 2006
Location: Joinville - SC, Brazil
Distribution: Debian, Gentoo, FreeBSD
Posts: 279
Rep:
Please type the following commands:
Now please paste here all the output.
07-28-2009, 01:25 AM
#5
LQ Newbie
Registered: Jul 2009
Posts: 12
Original Poster
Rep:
Please find my output below (this is without any changes in the routing table).
The route / route -n results are as below:
Code:
root@fw:/home/comtel# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
root@fw:/home/comtel# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 eth2
localnet * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
default 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
root@fw:/home/comtel#
Then I executed the following:
Code:
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.0.0.200
Then my route and route -n results are as follows:
Code:
root@fw:/home/comtel# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 eth2
localnet * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 10.0.0.200 255.255.255.0 UG 0 0 0 eth2
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
default 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
root@fw:/home/comtel# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 10.0.0.200 255.255.255.0 UG 0 0 0 eth2
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 eth0
root@fw:/home/comtel#
I do not know how to proceed further from here, please help me.
Thanking you / S Ganesh.
07-28-2009, 12:01 PM
#6
Member
Registered: Jul 2006
Location: Joinville - SC, Brazil
Distribution: Debian, Gentoo, FreeBSD
Posts: 279
Rep:
Does it work if you specify the interface in the routing table?
Like this:
Quote:
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.0.0.200 dev eth1
where eth1 is connected to your 10.0.0.0/24 network.
Can you now ping any host in the 192.168.0.0/24 network from the 10.0.0.0/24 network (eth1)?
Remember to set the gateway on your client hosts inside the 10.0.0.0/24 network like this:
Quote:
route add default gw 10.0.0.200
Hope it works.
Last edited by sparc86; 07-28-2009 at 02:53 PM .
07-31-2009, 02:13 AM
#7
LQ Newbie
Registered: Jul 2009
Posts: 12
Original Poster
Rep:
Thanks,
Things are working now; I am able to use the FTP server.
The problem was that I had not configured the clients' gateway entries.
Thanks for your guidance.
Now, another request:
We have a multicast service running on IP 192.168.111.1 on eth2,
but the other system with IP on eth cannot join the multicast group,
so we cannot use the software based on this multicast data.
The multicast server details are as given below:
Windows 2003 Server hosting the multicasting server
ip - 19
udp 7789
udp 7790
udp 9602
multicast server ip - 233.1.2.5
My firewall box details:
Ubuntu 8.10 server edition - 2.6.27 kernel
I am using ufw as the firewall (currently disabled)
wan - 192.168.1.200
eth1 - 192.168.0.200
eth2 - 192.168.111.200
My other PC, which is supposed to receive the multicast data:
Windows 2000 Professional
ip - 192.168.0.203 on eth1
Kindly guide me on how to receive multicast data through the Ubuntu router from eth2 to eth1.
Thanks / S Ganesh
07-31-2009, 01:36 PM
#9
Member
Registered: Jul 2006
Location: Joinville - SC, Brazil
Distribution: Debian, Gentoo, FreeBSD
Posts: 279
Rep:
Quote: Originally Posted by sganesh_1975 (the text of post #7 above)
Maybe this will be helpful:
http://www.tldp.org/HOWTO/Multicast-HOWTO-3.html
Reading the */Multicast-HOWTO-2.html and */Multicast-HOWTO-1.html might help too.
Last edited by sparc86; 07-31-2009 at 01:38 PM .
08-02-2009, 11:30 PM
#10
LQ Newbie
Registered: Jul 2009
Posts: 12
Original Poster
Rep:
Thanks for your reply.
I installed mrouted on Ubuntu, and that solved the problem.
But I do not know if I am going in the right direction.
thanks / S Ganesh
08-05-2009, 03:09 AM
#11
LQ Newbie
Registered: Jul 2009
Posts: 12
Original Poster
Rep:
Dear All,
Help again:
We need your help again to achieve the following.
Now both our networks are able to communicate, i.e.
from eth0 - 192.168.0.0/24
to eth1 - 192.168.111.0/24 (both directions).
Now the requirement is to use only the FTP service on the computer at 192.168.111.1 on eth1;
only computers from eth0 - 192.168.0.0/24 will be using this FTP service.
Kindly help us on this.
I am using Ubuntu 8.10 with iptables.
Now I am only masquerading from ppp0 to eth0,
and this is my iptables -L -n output:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- 192.168.1.0/24 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.0.0/24 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
and this is my iptables -L -t nat output:
Code:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:5900 to:192.168.0.203:5900
DNAT tcp -- anywhere anywhere tcp dpt:www to:192.168.0.204:5938
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Also please note that IP 192.168.111.1 is also a multicasting server.
Thanking you,
S Ganesh.
08-05-2009, 09:51 AM
#12
Member
Registered: Jul 2006
Location: Joinville - SC, Brazil
Distribution: Debian, Gentoo, FreeBSD
Posts: 279
Rep:
Quote:
iptables -A FORWARD -i eth0 -s 192.168.0.0/24 -p tcp --dport 21 -d 192.168.1.111 -j ACCEPT
Does it work? Test it with
Is it connecting?
08-06-2009, 02:38 AM
#13
LQ Newbie
Registered: Jul 2009
Posts: 12
Original Poster
Rep:
Thanks Sparc86,
Let me make things clearer.
As of now, as said in my previous message regarding the iptables rules,
currently
we are able to use the FTP service,
but we are also able to use other services like Windows file sharing, accessing the Java application server on port 8080, etc.
I.e., we have a few Windows systems on both networks, eth0 and eth1:
eth0 - 192.168.0.0/24
eth1 - 192.168.111.0/24
So these few Windows terminals are able to establish Windows file sharing, access the Java server, etc.
We would like to BLOCK all the traffic from eth0 to eth1 and vice versa (except port 21),
but allow the eth0 network (192.168.0.0/24) computers to access the FTP service on the eth1-connected computer with IP 192.168.111.1 on port 21.
So we need iptables rules to block all traffic in both directions between eth0 and eth1 BUT allow 192.168.0.0/24 to access 192.168.111.1 on port 1.
Additional info:
ours is a Linux box
eth0 - 192.168.0.200 - connecting the 192.168.0.0/24 network
eth1 - 192.168.111.200 - connecting the 192.168.111.0/24 network
eth2 - 192.168.1.200 - for WAN traffic
Thanking you,
S Ganesh.
08-06-2009, 08:46 AM
#14
Member
Registered: Jul 2006
Location: Joinville - SC, Brazil
Distribution: Debian, Gentoo, FreeBSD
Posts: 279
Rep:
Then you should use a DROP policy on iptables.
http://wiki.linuxquestions.org/wiki/Iptables
This link will probably make things clear about iptables policies.
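A concrete form of the DROP-policy ruleset sparc86 points to, as an added example that is not from the thread or the linked wiki page: it uses the interfaces and addresses stated in posts #7 and #13, prints the commands by default (DRY_RUN=1) so it can be reviewed before running as root with DRY_RUN=0, and assumes the FTP connection-tracking helper module is called nf_conntrack_ftp on the 2.6.27 kernel mentioned.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny FORWARD chain that lets only
# 192.168.0.0/24 on eth0 reach the FTP server 192.168.111.1:21 on eth1, keeps LAN
# internet access via eth2, and still forwards the DMZ server's multicast stream.
LAN_IF=eth0;  LAN_NET=192.168.0.0/24
DMZ_IF=eth1;  FTP_SRV=192.168.111.1
WAN_IF=eth2
MCAST_GRP=233.1.2.5            # group and ports from post #7
MCAST_PORTS="7789 7790 9602"

# DRY_RUN=1 (default) prints each command instead of executing it.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

forward_rules() {
    # Default deny for everything the box forwards; INPUT/OUTPUT are untouched.
    # The flush drops the earlier hand-written DROP rules, which the policy now covers.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Replies to accepted connections, plus FTP data channels the helper marks RELATED.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The one permitted LAN -> DMZ flow: new connections to the FTP control port.
    run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$FTP_SRV" \
        -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Kernel-forwarded multicast (what mrouted drives) also traverses FORWARD, so the
    # UDP streams to the group need their own ACCEPT or the DROP policy eats them.
    for port in $MCAST_PORTS; do
        run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -d "$MCAST_GRP" \
            -p udp --dport "$port" -j ACCEPT
    done
    # LAN -> WAN stays open (MASQUERADE in the nat table is unchanged). Everything
    # else, including DMZ -> LAN and LAN -> DMZ on other ports, hits the DROP policy.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
}

# Active FTP has the server open port 20 back to the client; passive FTP uses a
# high port on the server. Without the conntrack helper neither data channel is
# RELATED, so port 21 connects but directory listings and transfers hang.
# Module name nf_conntrack_ftp is an assumption for this kernel.
ftp_helper() { run modprobe nf_conntrack_ftp; }

ftp_helper
forward_rules
```

With DROP as the FORWARD policy, Windows file sharing and the port 8080 server on the other network stop working across the firewall, which is the behaviour post #13 asks for.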