04-23-2003, 02:37 PM | #1 | Member (Registered: Apr 2003, Location: Not too far from the computer screen, Distribution: RedHat 9.0, Posts: 324)
iptables / routing
I'm attempting to set up a Linux box for routing / gateway,
but I noticed that with forwarding on, it automatically forwards everything.
Is there a way to only allow certain kinds of traffic to be forwarded?
ex: only http and ftp requests get forwarded, while a pop3 or imap request would be denied?
04-23-2003, 03:10 PM | #3 | Member, Original Poster (Registered: Apr 2003, Location: Not too far from the computer screen, Distribution: RedHat 9.0, Posts: 324)
Hmm, it doesn't say much..
I'm just trying to filter all traffic to only allow a few ports.
And I only have 1 NIC. It looks like in some configurations I'm required to have 2?
04-23-2003, 04:16 PM | #4 | Senior Member (Registered: Apr 2003, Location: Lancaster, England, Distribution: Debian Etch, OS X 10.4, Posts: 1,263)
You can control what gets forwarded using the FORWARD chain:
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
iptables -P FORWARD DROP
You also have to turn on forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
The -p specifies the protocol and --dport matches the destination port; the -j says what to do with the packet. The -P says what to do with any packet that reaches the end of the chain.
This forwards http (tcp port 80) and ftp (tcp port 21) and drops everything else that wants to be forwarded. You might need to forward another port for ftp as well (think it needs 22?) but the principle is exactly the same.
Just out of interest, if you only have 1 NIC, why do you need forwarding? Surely any host that can reach you can also reach whoever you're forwarding to?
04-23-2003, 04:44 PM | #5 | Member, Original Poster (Registered: Apr 2003, Location: Not too far from the computer screen, Distribution: RedHat 9.0, Posts: 324)
Users on this network have a bunch of 'crap' installed, and installing a proxy and disabling a gateway straight to the router caused a lot of heads to spin lol.
And ftp is 20-21; 20 is for initiation I believe.
The current schema is:
192.168.1.1 vpn/router
192.168.1.250 linux running ssh/squid:8080/apache
192.168.1.253 dhcp
192.168.1.254 dns
Disabling the users' proxy settings in IE, and removing a gateway so they can't use 3rd party tools to 'specify' it for some of their cute little programs, worked, till my boss had enough of the complaints about not being able to do 'certain' things.
So I want all the users to route through the linux box, and kill all non-essential requests other than pop3, http, imap, ftp,
while still being allowed to connect to its apache/ssh.

04-23-2003, 05:45 PM | #6 | Member, Original Poster (Registered: Apr 2003, Location: Not too far from the computer screen, Distribution: RedHat 9.0, Posts: 324)
Here's a mere attempt at the text.
iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 8080 -j ACCEPT
iptables -P INPUT DROP
iptables -A FORWARD -p tcp -i eth0 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --dport 143 -j ACCEPT
iptables -P FORWARD DROP
Set dhcp gateway for clients to 192.168.1.250.
Set router to only accept outgoing through 192.168.1.250.
Hmm.. squid service to test client machine no worky.
Last edited by hakcenter; 04-23-2003 at 06:15 PM.
04-23-2003, 06:18 PM | #7 | Senior Member (Registered: Apr 2003, Location: Lancaster, England, Distribution: Debian Etch, OS X 10.4, Posts: 1,263)
Where you've put -p all, put nothing, so line 2 should be this; it accepts all incoming connections on lo:
iptables -A INPUT -i lo -j ACCEPT
To make output go only to 192.168.1.250:
iptables -A OUTPUT -d 192.168.1.250 -j ACCEPT
iptables -P OUTPUT DROP
But I don't think you wanna do that, 'cos you wanna be able to talk to all your machines? What do you mean by "set router to only accept outgoing through 192.168.1.250"?
Changing dhcp settings can be done in the server config file.
04-24-2003, 03:14 AM | #8 | Guru (Registered: Apr 2002, Location: Atlanta, Distribution: Gentoo, Posts: 1,280)
Yeah, dhcp settings are done in /etc/dhcpd.conf.
To set a gateway in the dhcpd.conf file you will need the following line (note, I'm leaving out a lot of other lines):
option routers 192.168.1.250;
iptables part:
iptables -F #flush the INPUT/FORWARD/OUTPUT chains
iptables -A INPUT -j FORWARD
iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT #forward anything headed for port 80 on any machine using tcp
iptables -A FORWARD -p tcp --destination-port 20 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 21 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 22 -j ACCEPT #ssh is ok in my book
iptables -A FORWARD -p tcp --destination-port 8080 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 143 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 110 -j ACCEPT
iptables -P FORWARD DROP
You only have 1 NIC so you don't have to specify one, and lo is loopback, not a real interface as far as I thought; correct me if I'm wrong. If that doesn't work, holla back.
04-24-2003, 10:59 AM | #9 | Member, Original Poster (Registered: Apr 2003, Location: Not too far from the computer screen, Distribution: RedHat 9.0, Posts: 324)
iptables -A INPUT -j FORWARD
invalid argument.
I think I'll just use the 'setup' command and set the properties of the firewall 'input'; I believe that's what it does.
And use your forward chain?
Damn.. that doesn't even work, it still forwards everything... why won't it stop traffic?
Last edited by hakcenter; 04-24-2003 at 11:04 AM.
04-25-2003, 12:25 PM | #10 | Member, Original Poster (Registered: Apr 2003, Location: Not too far from the computer screen, Distribution: RedHat 9.0, Posts: 324)
I think there's something wrong with my test machine...
Somehow... even without a gateway specified, static ip.. this machine can, um, ping my 'test' machine on the other side of the planet.. but nothing else.. it's like it has a static route table 'just' for that address; can ping, access, ssh, by domain or by ip..
but the rest of the world doesn't work.. I find this very interesting on a win2k machine.
04-25-2003, 04:07 PM | #11 | Member, Original Poster (Registered: Apr 2003, Location: Not too far from the computer screen, Distribution: RedHat 9.0, Posts: 324)
Damn, after all that.. I got it working. Something's really interesting with this magic 'tunnel' where the machine I'm using to test the gateway allows me to connect to my other station across the internet without a gateway; ftp, ssh, http.. etc.. without a gateway, and it's not internal lan.. lol
Here's what the config is though:
/etc/sysctl.conf
net.ipv4.ip_forward = 1
setup /firewall off
Made a file for it just for testing..
vi test.sh
#!/bin/bash
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp --dport 143 -m state --state NEW -j ACCEPT
iptables -A FORWARD -j DROP
04-26-2003, 12:06 PM | #12 | Senior Member (Registered: Feb 2002, Location: Szczecin, Poland, Distribution: Gentoo, Debian, Posts: 2,458)
If you want even finer control, I suggest trying this...
Assuming eth1 is the internet NIC.
FORWARD controls direct connections from the LAN to the Internet.
iptables -P FORWARD DROP
iptables -N ok_list
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -o eth1 -m state --state NEW -j ok_list
iptables -A FORWARD -j LOG --log-level 6 --log-prefix "not_allowed "
iptables -A ok_list -s 192.168.1.~ -p tcp -m multiport --destination-port 21,25,110,143,443 -j ACCEPT
Do these lines for each individual IP number.
You get very fine control over what is and isn't allowed this way.
Last edited by peter_robb; 04-26-2003 at 12:08 PM.
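The FORWARD-chain approach from posts #4 and #11 and the per-host ok_list from post #12 combined into one script, as an added example (not code from the thread or from any of its posters). It assumes eth1 faces the Internet (as in post #12) and a LAN of 192.168.1.0/24 (post #5); the host table is constructed. DRY_RUN=1 (the default) only prints the iptables commands, so the generated ruleset can be reviewed without root before it is applied with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: builds a default-DROP FORWARD policy with a per-host
# ok_list chain. Assumptions: WAN_IF is the Internet-facing NIC (eth1 in
# the thread); the host table below is constructed sample data.

WAN_IF=${WAN_IF:-eth1}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = run iptables for real

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Base FORWARD chain. Order matters: replies to already-accepted connections
# are matched first, DNS is allowed for everyone, NEW outbound connections are
# handed to ok_list, and anything that falls through is logged before the
# chain policy (DROP) discards it.
forward_base() {
    ipt -P FORWARD DROP
    ipt -N ok_list
    ipt -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -o "$WAN_IF" -m state --state NEW -j ok_list
    ipt -A FORWARD -j LOG --log-level 6 --log-prefix "not_allowed "
}

# Reads lines of "<source ip> <comma-separated tcp ports>" on stdin and emits
# one ok_list rule per host; blank lines and '#' comments are skipped.
ok_list_from() {
    while read -r host ports; do
        case "$host" in ''|'#'*) continue ;; esac
        ipt -A ok_list -s "$host" -p tcp -m multiport --dports "$ports" -j ACCEPT
    done
}

# Constructed sample host table (replace with your own inventory).
HOSTS='# host          allowed outbound tcp ports
192.168.1.10    21,80,110,143,443
192.168.1.11    80,443
'

build_ruleset() {
    forward_base
    printf '%s' "$HOSTS" | ok_list_from
}

build_ruleset
```

Port 53/udp is opened for every LAN host so name lookups keep working when the clients' resolver is not the gateway itself; tighten it with `-d <dns server>` if the LAN has a single resolver, as the thread's network does.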
05-01-2003, 01:51 AM | #13 | LQ Newbie (Registered: Apr 2003, Posts: 18)
What does the "-m state" option mean in your iptables???
05-01-2003, 04:16 AM | #14 | Senior Member (Registered: Apr 2003, Location: Lancaster, England, Distribution: Debian Etch, OS X 10.4, Posts: 1,263)
It loads the state module so he can use it with --state. Read about connection state tracking in your kernel configuration.