LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#1, 07-23-2002, 06:41 PM, raypen (Member, Distribution: Slackware)
netfilter iptables and multiple interfaces


My current netfilter firewall provides NAT on the external interface
and allows computers connected to the internal network access
to the internet. The private network scheme is employed on the
private network with the internal ethernet interface assigned
192.168.0.100. This works well, but I would also like to allow
the ppp interface (when a ppp connection is established by a
user dialing in) to be available.

I do this now by assigning the internal interface as ppp0 which
works well enough, but I am assigning it as the exclusive
internal interface. I would like to allow both ppp0 and the
internal ether interface simultaneously.

The current iptables setup looks like:

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

($EXTIF = ETH0 : $INTIF = ETH1)


It seems to me that all I would have to do would be to add a couple of lines such as:

$IPTABLES -A FORWARD -i $EXTIF -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o $EXTIF -j ACCEPT

to accomplish this. However, since I assign the dialin address as 192.168.0.155 I am not
sure whether this isn't somewhat redundant; i.e. the dialin becomes a node on the internal
network anchored at 192.168.0.100. Maybe I don't need these lines at all.

This is somewhat confusing to me and any suggestions would be appreciated.
 
#2, 07-23-2002, 09:07 PM, sarin (Member, Distribution: FC 7-10)
I am not too sure about this, but I don't think it is redundant, because in the last rule you give a specific interface (i.e., allow forward if packets come from eth1). So I think there should be a rule to allow packets from ppp0.
Anyway, there is no harm in some experimenting :-) (Try removing the 2nd rule and see if people can still go out. If you find I am wrong, please post back so that I too can learn.)
--Sarin
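Worked example (added here; it is not code from either poster): a sh script that generalizes the rules quoted in the first post to one external interface and any number of internal interfaces, so the dial-in ppp0 link is treated as a second internal interface next to eth1. The point of the thread is this: netfilter matches `-i` and `-o` on the interface a packet actually arrived on or leaves by, not on its source address, so a rule written for `-i eth1` never matches packets that arrived on ppp0, even though the dial-in peer was given a 192.168.0.x address. The extra pair of ppp0 rules is therefore needed, and a further pair for ppp0 <-> eth1 if the dial-in user should also reach LAN hosts. The script also sets the FORWARD policy to DROP; with the default ACCEPT policy the interface rules restrict nothing and the trailing LOG rule merely logs. The interface names and the log prefix are assumptions. By default it only prints the iptables commands; with APPLY=1 it runs them through sh (root required).

```shell
#!/bin/sh
# Added example (not the original poster's firewall script): build FORWARD
# and NAT rules for one external interface and several internal ones, so a
# dial-in ppp0 link is handled exactly like the ethernet LAN interface.
# eth0 / eth1 / ppp0 and the log prefix are assumed names, not from the thread.

IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}
INTIFS=${INTIFS:-"eth1 ppp0"}   # space-separated list of internal interfaces

# gen_rules EXT INT... : print the rule set as iptables commands, one per
# line. Printing instead of executing lets the set be reviewed or tested
# without root; pipe the output to sh to apply it.
gen_rules() {
    ext=$1
    shift

    # Start from a clean FORWARD chain and default-deny. Without a DROP
    # policy the per-interface rules restrict nothing; they only log.
    echo "$IPTABLES -F FORWARD"
    echo "$IPTABLES -t nat -F POSTROUTING"
    echo "$IPTABLES -P FORWARD DROP"

    for intif in "$@"; do
        # Replies to connections the inside opened, back to this interface.
        echo "$IPTABLES -A FORWARD -i $ext -o $intif -m state --state ESTABLISHED,RELATED -j ACCEPT"
        # New connections out to the world from this interface. Matching is
        # on the ingress interface, so each internal interface needs its own
        # rule: a 192.168.0.x source arriving on ppp0 never matches '-i eth1'.
        echo "$IPTABLES -A FORWARD -i $intif -o $ext -j ACCEPT"
    done

    # Let the internal interfaces reach each other (dial-in user <-> LAN).
    for a in "$@"; do
        for b in "$@"; do
            if [ "$a" != "$b" ]; then
                echo "$IPTABLES -A FORWARD -i $a -o $b -j ACCEPT"
            fi
        done
    done

    # Everything else in FORWARD falls through to the DROP policy; log it,
    # rate-limited, so a misconfiguration shows up in the kernel log.
    echo "$IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""

    # Hide every internal address behind whatever address EXTIF currently has.
    echo "$IPTABLES -t nat -A POSTROUTING -o $ext -j MASQUERADE"
}

# Dry run by default; APPLY=1 executes the generated commands (needs root).
# $INTIFS is deliberately unquoted so it splits into one argument per interface.
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "$EXTIF" $INTIFS | sh -e
else
    gen_rules "$EXTIF" $INTIFS
fi
```

Run it once without APPLY and read the printed commands: for `eth1 ppp0` there are six ACCEPT rules (two per internal interface for traffic to and from the outside, plus one in each direction between eth1 and ppp0), one LOG rule, and one MASQUERADE rule. Dropping the `-i ppp0 -o eth0` line from that output is exactly the experiment sarin suggests: dial-in users lose outbound access while LAN hosts keep it.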