Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'm attempting to set up a Linux box for routing / gateway,
but I noticed with forwarding on, it automatically forwards everything.
Is there a way to only allow certain kinds of traffic to be forwarded?
Ex: only HTTP and FTP requests get forwarded, while a POP3 or IMAP request would be denied?
You can control what gets forwarded using the FORWARD chain:
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
iptables -P FORWARD DROP
You also have to turn on forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
The -p specifies the protocol and --dport matches the destination port; the -j says what to do with the packet. The -P says what to do with any packet that reaches the end of the chain.
This forwards HTTP (tcp port 80) and FTP (tcp port 21) and drops everything else that wants to be forwarded. You might need to forward another port for FTP as well (think it needs 22?), but the principle is exactly the same.
Just out of interest, if you only have 1 NIC, why do you need forwarding? Because surely any host that can reach you can also reach whoever you're forwarding to?
Users on this network have a bunch of 'crap' installed, and installing a proxy and disabling a gateway straight to the router caused a lot of heads to spin, lol.
And FTP is 20-21; 20 is for initiation, I believe.
The current schema is:
192.168.1.1 vpn/router
192.168.1.250 linux running ssh/squid:8080/apache
192.168.1.253 dhcp
192.168.1.254 dns
Disabling the users' proxy settings in IE, and removing a gateway so they can't use 3rd party to 'specify' it for some of their cute little programs, worked, till my boss had enough of the complaints on not being able to do 'certain' things.
So I want all the users to route through the Linux box, and kill all non-essential requests other than POP3, HTTP, IMAP, FTP,
while still being allowed to connect to its apache/ssh.
Where you've put -p all, put nothing, so line 2 should be this; it accepts all incoming connections on lo:
iptables -A INPUT -i lo -j ACCEPT
To make output only to 192.168.1.250:
iptables -A OUTPUT -d 192.168.1.250 -j ACCEPT
iptables -P OUTPUT DROP
But I don't think you wanna do that, cos you wanna be able to talk to all your machines? What do you mean by "set router to only accept outgoing through 192.168.1.250"?
Changing DHCP settings can be done in the server config file.
To set a gateway in the dhcpd.conf file you will need the following line (note, I'm leaving out a lot of other lines):
option routers 192.168.1.250;
iptables part:
iptables -F #flush the INPUT/FORWARD/OUTPUT chains
# iptables -A INPUT -j FORWARD   (commented out: iptables rejects a jump to a built-in chain, and forwarded packets traverse FORWARD by themselves, never INPUT)
iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT #forward anything headed for port 80 on any machine using tcp
iptables -A FORWARD -p tcp --destination-port 20 -j ACCEPT #ftp data
iptables -A FORWARD -p tcp --destination-port 21 -j ACCEPT #ftp control
iptables -A FORWARD -p tcp --destination-port 22 -j ACCEPT #ssh is ok in my book
iptables -A FORWARD -p tcp --destination-port 8080 -j ACCEPT #squid
iptables -A FORWARD -p tcp --destination-port 143 -j ACCEPT #imap
iptables -A FORWARD -p tcp --destination-port 110 -j ACCEPT #pop3
iptables -P FORWARD DROP
You only have 1 NIC so you don't have to specify, and lo is loopback, not a real interface as far as I thought; correct me if I'm wrong. If that doesn't work, holla back.
I think there's something wrong with my test machine...
Somehow... even without a gateway specified, static IP... this machine can, um, ping my 'test' machine on the other side of the planet... but nothing else. It's like it has a static route table 'just' for that address: can ping, access, ssh, the domain or by IP...
But the rest of the world don't work... I find this very interesting on a Win2k machine.
Damn, after all that... I got it working. Something's really interesting with this magic 'tunnel' where the machine I'm using to test the gateway out allows me to connect to my other station across the internet without a gateway: ftp, ssh, http... etc... without a gateway, and it's not internal LAN... lol
Here's what the config is, though:
/etc/sysctl.conf
net.ipv4.ip_forward = 1
setup -> firewall off
Made a file for it just for testing...
vi test.sh
#!/bin/bash
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# replies to connections already tracked
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# services on the box itself: ssh, apache, https, squid
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -j DROP
# only pop3 and imap get forwarded for the LAN; everything else is dropped
iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 143 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP
If you want even finer control, I suggest trying this...
Assuming eth1 is the internet NIC.
FORWARD controls direct connections from the LAN to the Internet.
iptables -P FORWARD DROP
iptables -N ok_list    # user chain: add the ACCEPT rules for the ports you want forwarded here
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -o eth1 -m state --state NEW -j ok_list
iptables -A FORWARD -j LOG --log-level 6 --log-prefix "not_allowed "    # anything ok_list didn't accept is logged here, then dropped by the policy
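A complete version of the ok_list approach from the last reply, added here as an example (it is not code from the thread), using the hosts and ports the thread mentions. It assumes the two-NIC layout that reply mentions (eth0 on the LAN, eth1 to the Internet), that the box does NAT for the LAN, and that DRY_RUN=1 should print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not code from the thread). Two-NIC layout as in the last reply:
# eth0 faces the LAN 192.168.1.0/24 (the box is 192.168.1.250), eth1 faces the
# Internet; the box NATs the LAN. Ports are the ones asked for in the thread.
LAN=192.168.1.0/24
LAN_IF=eth0
WAN_IF=eth1
FWD_TCP="80 443 21 110 143"   # forwarded: http, https, ftp control, pop3, imap
LOCAL_TCP="22 80 8080"        # reachable on the box itself: ssh, apache, squid

# run: apply an iptables rule, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_firewall() {
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    run -F; run -X; run -t nat -F; run -t raw -F
    run -P INPUT DROP; run -P FORWARD DROP; run -P OUTPUT ACCEPT
    # traffic to the box itself: loopback, replies, listed services from the LAN only
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $LOCAL_TCP; do
        run -A INPUT -i "$LAN_IF" -s "$LAN" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # forwarded traffic: replies, DNS, then new LAN->Internet connections checked by ok_list
    run -N ok_list
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -p udp --dport 53 -j ACCEPT
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN" -m state --state NEW -j ok_list
    # whatever ok_list did not accept returns here, is logged, then hits the DROP policy
    run -A FORWARD -j LOG --log-level 6 --log-prefix "not_allowed "
    for p in $FWD_TCP; do
        run -A ok_list -p tcp --dport "$p" -j ACCEPT
    done
    # ftp data connections only count as RELATED with the ftp conntrack helper loaded and
    # assigned to the control connection (newer kernels no longer assign helpers automatically)
    run -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp
    # hide the LAN behind the box's Internet address
    run -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

if [ "${1:-}" = apply ]; then
    modprobe nf_conntrack_ftp
    build_firewall
fi
```

On the single-NIC layout described earlier in the thread, the router's replies reach the clients directly without passing the box (and the box sends ICMP redirects telling clients to use the router), so the state matching only ever sees the outbound half; the rules behave as intended only with the box inline between LAN and router.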