Linux - Networking (LinuxQuestions.org forum): This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
You can control what gets forwarded using the FORWARD chain:
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
iptables -P FORWARD DROP
You also have to turn on forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
The -p specifies the protocol and --dport matches the destination port; the -j says what to do with the packet. The -P says what to do with any packet that reaches the end of the chain.
This forwards http (tcp port 80) and ftp (tcp port 21) and drops everything else that wants to be forwarded. You might need to forward another port for ftp as well (I think it needs 22?) but the principle is exactly the same.
Just out of interest, if you only have 1 NIC, why do you need forwarding? Surely any host that can reach you can also reach whoever you're forwarding to?
Users on this network have a bunch of 'crap' installed, and installing a proxy and disabling a gateway straight to the router caused a lot of heads to spin lol.
And ftp is 20-21; 20 is for initiation I believe.
The current schema is
192.168.1.250 linux running ssh/squid:8080/apache
Disabling the users' proxy settings in IE, and removing a gateway so they can't use a 3rd party to 'specify' it for some of their cute little programs, worked, till my boss had enough of the complaints on not being able to do 'certain' things.
So I want all the users to route through the linux box, and kill all non-essential requests other than pop3, http, imap, ftp,
while still being allowed to connect to its apache/ssh.
To set a gateway in the dhcpd.conf file you will need the following line (note, I'm leaving out a lot of other lines):
option routers 192.168.1.250;
iptables -F #flush the INPUT/FORWARD/OUTPUT chains
# no rule is needed to hand packets from INPUT to FORWARD: packets routed through the box never enter INPUT, they go to FORWARD on their own (and iptables refuses -j to a built-in chain anyway)
iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT #forward anything headed for port 80 on any machine using tcp
iptables -A FORWARD -p tcp --destination-port 20 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 21 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 22 -j ACCEPT #ssh is ok in my book
iptables -A FORWARD -p tcp --destination-port 8080 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 143 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 110 -j ACCEPT
iptables -P FORWARD DROP
You only have 1 NIC so you don't have to specify one, and lo is loopback, not a real interface as far as I thought; correct me if I'm wrong. If that doesn't work, holla back.
I think there's something wrong with my test machine...
Somehow... even without a gateway specified, static IP.. this machine can um, ping my 'test' machine on the other side of the planet.. but nothing else.. It's like it has a static route table 'just' for that address; it can ping, access, ssh, the domain or by IP..
but the rest of the world doesn't work.. I find this very interesting on a win2k machine.
Damn, after all that.. I got it working. Something's really interesting with this magic 'tunnel' where the machine I'm using to test the gateway out allows me to connect to my other station across the internet without a gateway, ftp, ssh, http.. etc.. without a gateway and it's not internal LAN.. lol
Here's what the config is though
setup /firewall off
Made a file for it just for testing..
# default policies: drop everything not explicitly allowed
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# let replies to accepted connections through in every chain
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# services on the box itself: ssh, apache, https, squid
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -j DROP
# what the clients may reach through the box: pop3 and imap
iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 143 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP
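As an added example (not from this thread or any poster), here is the one-NIC gateway described above turned into a script, covering both the first reply's FORWARD rules and the final config: it keeps the stateful rules the first ruleset lacked, and adds the two things a one-armed router needs that neither posted config has (masquerading so both directions of a flow pass the filter, and switching off ICMP redirects so clients cannot be pointed past it). LAN_NET, LAN_IF and the two port lists are assumed values.

```shell
#!/bin/sh
# Added example, not the thread's own config. LAN_NET, LAN_IF and both port lists are assumptions.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
LOCAL_TCP_PORTS="${LOCAL_TCP_PORTS:-22 80 443 8080}"   # services on the gateway box itself
FWD_TCP_PORTS="${FWD_TCP_PORTS:-20 21 110 143}"         # what LAN clients may reach through it

# Emit the commands instead of running them, so the set can be reviewed (and tested) without root.
fw_rules() {
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    # State rules come first: replies traverse the same chains, so a bare
    # '--dport 80 -j ACCEPT' in FORWARD would still drop the answers to the connection it allowed.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    for p in $LOCAL_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Only the LAN may use this box as a gateway; with a single NIC that is a -s match, not -i.
    for p in $FWD_TCP_PORTS; do
        echo "iptables -A FORWARD -s $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Without SNAT the router answers the client directly and this box only ever sees the
    # outbound half of each flow; masquerading keeps both directions passing through the filter.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET ! -d $LAN_NET -j MASQUERADE"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # A one-armed router emits ICMP redirects telling clients to go straight to the real router,
    # which would let them bypass the filter; redirects stay on while either all/ or the
    # interface's flag is set, so clear both.
    echo "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects"
    echo "echo 0 > /proc/sys/net/ipv4/conf/$LAN_IF/send_redirects"
}

# Number of ACCEPT rules; a quick check that the port lists expanded as intended.
accept_count() { fw_rules | grep -c -- '-j ACCEPT$'; }

if [ "${1:-}" = "apply" ]; then
    fw_rules | sh        # run as root
else
    fw_rules             # default: print the ruleset for review
fi
```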