LinuxQuestions.org
04-23-2003, 02:37 PM   #1
hakcenter

iptables / routing

I'm attempting to set up a Linux box for routing / gateway.

But I noticed that with forwarding on, it automatically forwards everything.

Is there a way to only allow certain kinds of traffic to be forwarded?
Ex: only HTTP and FTP requests get forwarded, while a POP3 or IMAP request would be denied?
 
04-23-2003, 02:48 PM   #2
Mara
Yes, you can. Use the --dport or --sport options (depending on the situation). You may find this useful: http://www.knowplace.org/netfilter/s...ml#portforward
 
04-23-2003, 03:10 PM   #3
hakcenter
Hmm, it doesn't say much..

I'm just trying to filter all traffic to only allow a few ports.
And I only have 1 NIC. It looks like in some configurations I'm required to have 2?
 
04-23-2003, 04:16 PM   #4
kev82
You can control what gets forwarded using the FORWARD chain:

iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
iptables -P FORWARD DROP

You also have to turn on forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward

The -p specifies the protocol, --dport matches the destination port, and -j says what to do with the packet. The -P says what to do with any packet that reaches the end of the chain.

This forwards HTTP - tcp port 80, and FTP - tcp port 21, and drops everything else that wants to be forwarded. You might need to forward another port for FTP as well (think it needs 22?), but the principle is exactly the same.

Just out of interest, if you only have 1 NIC, why do you need forwarding? Because surely any host that can reach you can also reach whoever you're forwarding to?
 
04-23-2003, 04:44 PM   #5
hakcenter
Users on this network have a bunch of 'crap' installed, and installing a proxy and disabling a gateway straight to the router caused a lot of heads to spin lol.

And FTP is 20-21, 20 is for initiation I believe.

The current schema is:

192.168.1.1 vpn/router
192.168.1.250 linux running ssh/squid:8080/apache
192.168.1.253 dhcp
192.168.1.254 dns

Disabling the users' proxy settings in IE, and removing a gateway so they can't use 3rd party to 'specify' it for some of their cute little programs, worked, till my boss had enough of the complaints on not being able to do 'certain' things.

So I want all the users to route through the Linux box, and kill all non-essential requests other than pop3, http, imap, ftp.

While still being allowed to connect to its apache/ssh.

 
04-23-2003, 05:45 PM   #6
hakcenter
Here's a mere attempt at the text.

iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 8080 -j ACCEPT
iptables -P INPUT DROP
iptables -A FORWARD -p tcp -i eth0 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 143 -j ACCEPT
iptables -P FORWARD DROP

Set the DHCP gateway for clients to 192.168.1.250.
Set the router to only accept outgoing through 192.168.1.250.


Hmm.. squid service test from the client machine: no worky.

Last edited by hakcenter; 04-23-2003 at 06:15 PM.
 
04-23-2003, 06:18 PM   #7
kev82
Where you've put -p all, put nothing, so line 2 should be this (it accepts all incoming connections on lo):

iptables -A INPUT -i lo -j ACCEPT

To make output only to 192.168.1.250:

iptables -A OUTPUT -d 192.168.1.250 -j ACCEPT
iptables -P OUTPUT DROP

But I don't think you wanna do that, 'cos you wanna be able to talk to all your machines? What do you mean by "set router to only accept outgoing through 192.168.1.250"?

Changing DHCP settings can be done in the server config file.
 
04-24-2003, 03:14 AM   #8
Robert0380
Yea, DHCP settings are done in /etc/dhcpd.conf.


To set a gateway in the dhcpd.conf file you will need the following line (note, I'm leaving out a lot of other lines):

option routers 192.168.1.250;


iptables part:

iptables -F   # flush the INPUT/FORWARD/OUTPUT chains
iptables -A INPUT -j FORWARD
iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT   # forward anything headed for port 80 on any machine using tcp
iptables -A FORWARD -p tcp --destination-port 20 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 21 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 22 -j ACCEPT   # ssh is ok in my book
iptables -A FORWARD -p tcp --destination-port 8080 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 143 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 110 -j ACCEPT
iptables -P FORWARD DROP


You only have 1 NIC so you don't have to specify it, and lo is loopback, not a real interface as far as I thought, correct me if I'm wrong. If that doesn't work, holla back.
 
04-24-2003, 10:59 AM   #9
hakcenter
iptables -A INPUT -j FORWARD

invalid argument.

I think I'll just use the 'setup' command, and set the properties of the firewall 'input', I believe that's what it does.

And use your forward chain?

Damn.. that doesn't even work, it still forwards everything... why won't it stop traffic?

Last edited by hakcenter; 04-24-2003 at 11:04 AM.
 
04-25-2003, 12:25 PM   #10
hakcenter
I think there's something wrong with my test machine...

Somehow... even without a gateway specified, static IP.. this machine can, um, ping my 'test' machine on the other side of the planet.. but nothing else.. it's like it has a static route table 'just' for that address, can ping, access, ssh, the domain or by IP..

But the rest of the world don't work.. I find this very interesting on a Win2k machine.
 
04-25-2003, 04:07 PM   #11
hakcenter
Damn, after all that.. I got it working. Something's really interesting with this magic 'tunnel' where the machine I'm using to test the gateway out allows me to connect to my other station across the internet without a gateway, ftp, ssh, http.. etc.. without a gateway and it's not internal LAN.. lol

Here's what the config is though:

/etc/sysctl
ipforwarding 1
setup /firewall off

Made a file for it just for testing..

vi test.sh

#!/bin/bash
iptables -F

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -j DROP

iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 143 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP
 
04-26-2003, 12:06 PM   #12
peter_robb
If you want even finer control, I suggest trying this...
Assuming eth1 is the internet NIC.
FORWARD controls direct connections from the LAN to the Internet.

iptables -P FORWARD DROP
iptables -N ok_list
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -o eth1 -m state --state NEW -j ok_list
iptables -A FORWARD -j LOG --log-level 6 --log-prefix "not_allowed "

iptables -A ok_list -s 192.168.1.~ -p tcp -m multiport --destination-port 21,25,110,143,443 -j ACCEPT

Do these lines for each individual IP number.
You get very fine control over what is and isn't allowed this way.

Last edited by peter_robb; 04-26-2003 at 12:08 PM.
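Pulling the thread together, here is a complete script for the setup hakcenter describes (a single-NIC gateway at 192.168.1.250 that forwards only the allowed ports and accepts ssh/apache/squid on itself), using the state match from posts #11 and #12; it is an added example, not code from any of the posters. It assumes the LAN is 192.168.1.0/24 on eth0, the upstream router is 192.168.1.1, and the FTP conntrack helper module is named ip_conntrack_ftp (2.4-era kernels); it also turns off ICMP redirects, which the thread does not mention but which a one-NIC gateway needs, since otherwise the kernel tells clients to reach 192.168.1.1 directly and the FORWARD chain never sees their traffic.

```shell
#!/bin/sh
# Added example, not a poster's code. Single-NIC filtering gateway as discussed in
# the thread. Assumptions: LAN and upstream router both on eth0, LAN is
# 192.168.1.0/24, FTP helper module is named ip_conntrack_ftp (2.4 kernels).
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of applying them
LAN_IF="eth0"
LAN_NET="192.168.1.0/24"

apply_rules() {
    if [ "$IPT" != echo ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # With one NIC the box would otherwise send ICMP redirects telling clients
        # to reach 192.168.1.1 directly, which silently bypasses the FORWARD chain.
        echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
        modprobe ip_conntrack_ftp 2>/dev/null || true   # ftp-data becomes RELATED
    fi
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Services on the box itself (ssh, apache, squid), LAN clients only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 22 80 8080; do
        $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" \
             -m state --state NEW -j ACCEPT
    done

    # Routed traffic: replies first, then only the allowed new connections from
    # the LAN (dns, ftp, http, pop3, imap). Everything else is logged, then dropped
    # by the chain policy.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    for port in 21 80 110 143; do
        $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$port" \
             -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -j LOG --log-prefix "not_allowed "
}

# Dry-run check: does the ruleset accept NEW tcp forwarding to port $1?
forward_allows() {
    ( IPT=echo; apply_rules ) | grep -q -- "-A FORWARD .* -p tcp --dport $1 .*-j ACCEPT"
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it as `sh gateway.sh apply` as root to load the rules, or `IPT=echo sh gateway.sh apply` to review the generated ruleset first.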
 
05-01-2003, 01:51 AM   #13
n.antonio
What does the "-m state" option mean in your iptables???
 
05-01-2003, 04:16 AM   #14
kev82
It loads the state module so he can use it with --state. Read up on connection state tracking in your kernel configuration.
 
  

