ok I know there are a million IPTABLES threads, but.... see inside
*flamesuit on*
I've searched and tried a million different strings and went through a dozen guides, but I still can't get something to work.
I have a Fedora machine with two network cards; I am trying to get traffic from one network card across to the other network card.
(172.16.19.2)machine-A (http, dns, dhcp, ftp server for machine B)
^
|
|
|
|
(eth0-172.16.19.1)
[router fedora BOX]
(eth1-192.168.43.153)
^
|
|
|
|
machine-B(192.168.43.154)
How can I get machine B to be able to get an address (it's static for testing) and get to the HTTP (9090), FTP (2020) and DNS from machine A? There is no internet in this scenario. I presume I need to use the FORWARD chain, which I've tried over and over again, and I'm back to square one.
#### this is what I have so far in my firewall script ####
iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#HTTP
iptables -A INPUT -p tcp --dport 9090 -j ACCEPT
#FTP
iptables -A INPUT -p tcp --dport 2020 -j ACCEPT
#DNS
#iptables -A INPUT -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -p udp --dport 53 -j ACCEPT
#DHCP (UDP only: server listens on 67, client on 68)
#iptables -A INPUT -p udp --dport 67 -j ACCEPT
#iptables -A INPUT -p udp --dport 68 -j ACCEPT
#iptables -A INPUT -j REJECT
#iptables -A FORWARD -j REJECT
### END OF FILE ###
Please, if anyone can help me out.
Firstly, turn on logging. It helps massively.
Second...
These rules are incorrect:
Code:
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Why? Because they are saying only related or established connections should be allowed.
RELATED, meaning that the packet is starting a new connection, but is associated with an existing connection.
You would need to add NEW, just in front of RELATED.
The rules would look more like this:
Code:
iptables -A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
This is one way.
Another is to use NAT:
Code:
# --to-source takes an address (the router's own eth0 IP), not an interface name
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.16.19.1
#add ports to this for diff services (transit traffic is matched in FORWARD, not INPUT)
iptables -A FORWARD -i eth1 -o eth0 -d x.x.x.x -p tcp --dport 21 -m state --state NEW -j ACCEPT
#accept all related/established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Before you carry on with testing, don't forget to turn on logging.
If implemented correctly, it points straight away to why rules are not working.
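Putting the two pieces of advice above together (NEW on the FORWARD chain, logging of what gets dropped) for the topology in the first post, here is an added example; it is not code from the thread or from any poster. It prints an iptables-restore(8) ruleset instead of running iptables line by line, so the whole policy is loaded atomically and can be read before it is applied. The interfaces, addresses and ports are the ones in the diagram. The LOGDROP chain with its rate limit and prefix, the USE_SNAT switch, the FTP helper binding and the ICMP rule for ping tests are assumptions. It also assumes net.ipv4.ip_forward=1 is set, that machine-B's default route is 192.168.43.153, and that machine-A either routes 192.168.43.0/24 back via 172.16.19.1 or USE_SNAT=1 is used. DHCP is left out on purpose: the client's DISCOVER is a broadcast that no forwarding rule will carry across the router, so that would need a relay (dhcrelay) on the Fedora box.

```shell
#!/bin/sh
# Added example, not code from the thread: stateful two-segment router for the
# topology in the first post.  eth0 (172.16.19.1) faces machine-A, the server at
# 172.16.19.2; eth1 (192.168.43.153) faces machine-B on 192.168.43.0/24.
# Prints an iptables-restore(8) ruleset so the whole policy is loaded at once.
# Assumptions: net.ipv4.ip_forward=1 is set separately; the LOGDROP chain, its
# rate limit and prefix, and the USE_SNAT switch are not from the thread.

SERVER_IF=eth0
CLIENT_IF=eth1
ROUTER_SERVER_IP=172.16.19.1    # the router's own address on the server segment
SERVER_IP=172.16.19.2           # machine-A
CLIENT_NET=192.168.43.0/24      # machine-B's segment

# Services machine-B may open towards machine-A: "proto port label"
SERVICES='tcp 9090 http
tcp 2020 ftp
tcp 53 dns
udp 53 dns'

build_ruleset() {
    # raw: attach the ftp conntrack helper to the non-standard FTP port so the
    # data connections are classified RELATED (the helper module must be loaded:
    # modprobe nf_conntrack_ftp ports=2020).
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $CLIENT_IF -d $SERVER_IP -p tcp --dport 2020 -j CT --helper ftp
COMMIT
EOF
    # nat (optional): hide the client segment behind the router's eth0 address,
    # the second approach from the reply.  Only needed if machine-A has no route
    # back to the client segment.  --to-source takes an address, not "eth0".
    if [ "${USE_SNAT:-0}" = 1 ]; then
        cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $SERVER_IF -s $CLIENT_NET -j SNAT --to-source $ROUTER_SERVER_IP
COMMIT
EOF
    fi
    # filter: the router itself accepts only loopback and replies.  Transit
    # traffic: drop INVALID, accept replies (both directions), then allow NEW
    # flows only from the client segment to the published services.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $CLIENT_IF -o $SERVER_IF -s $CLIENT_NET -d $SERVER_IP -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
EOF
    printf '%s\n' "$SERVICES" | while read -r proto port label; do
        printf '%s\n' "-A FORWARD -i $CLIENT_IF -o $SERVER_IF -s $CLIENT_NET -d $SERVER_IP -p $proto --dport $port -m conntrack --ctstate NEW -m comment --comment $label -j ACCEPT"
    done
    # Everything else is logged (rate limited) and dropped: this is the
    # "turn on logging" step, and the counters show which rule a packet hit.
    cat <<'EOF'
-A FORWARD -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

build_ruleset
```

Review the output with `sh two-segment-router.sh`, then load it as root with `sh two-segment-router.sh | iptables-restore`. `iptables -nvL FORWARD` shows the per-rule counters, and anything that fell through appears in the kernel log (dmesg or journalctl -k) with the FW-DROP prefix, which is exactly what the reply meant by turning on logging. For FTP on port 2020, load the helper with `modprobe nf_conntrack_ftp ports=2020` so the data connections are RELATED; without it only the control connection works.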
iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accepts every NEW connection to the router itself (the per-port INPUT rules below are then redundant)
iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# SNAT to the router's own eth0 address (172.16.19.1); 172.16.19.2 is machine A itself
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.16.19.1
iptables -A INPUT -o eth1 -d 172.16.19.2 -dport 9090 -m state --state NEW -j ACCEPT
iptables -A INPUT -o eth1 -d 172.16.19.2 -dport 2020 -m state --state NEW -j ACCEPT
and trying to figure out the 'multiple -d flags not allowed' error in the
Code:
iptables -A INPUT -o eth1 -d 172.16.19.2 -dport 9090 -m state --state NEW -j ACCEPT
iptables -A INPUT -o eth1 -d 172.16.19.2 -dport 2020 -m state --state NEW -j ACCEPT
lines
Code:
iptables -A INPUT -o eth1 -d 172.16.19.2 -dport 9090 -m state --state NEW -j ACCEPT
iptables -A INPUT -o eth1 -d 172.16.19.2 -dport 2020 -m state --state NEW -j ACCEPT
You can't use -o with INPUT.
-dport should be --dport.
I've changed that to -i and to --dport already, and tried to fight with it for a while; it's saying Unknown arg '--dport'.
I think the logic here is right, just that the syntax order is incorrect somehow.
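The three errors traded back and forth above ('multiple -d flags not allowed', Unknown arg '--dport', and -o in INPUT) are all command-line parsing problems, not ruleset logic: iptables reads `-dport 9090` as `-d port`, which collides with the earlier `-d 172.16.19.2`; `--dport` is an option of the tcp/udp match, so it does not exist until `-p tcp` or `-p udp` has been given; and a packet in INPUT has no outgoing interface for -o to match. Here is an added example, not from the thread or any poster: a small pre-flight lint in plain sh that catches those mistakes before iptables is ever invoked, so it needs neither root nor netfilter. The rule strings it is run against are the ones posted above; the diagnostics, and the extra check for a rule that has no target at all, are additions.

```shell
#!/bin/sh
# Added example, not code from the thread: a pre-flight lint for iptables
# command lines that catches the parse errors discussed above without running
# iptables (no root needed).  Each finding is printed; the return value is the
# number of findings for that rule.  The rule strings at the bottom are from
# the thread; the diagnostics are this example's own wording.

lint_rule() {
    r=" $1 "                      # pad so every option is space-delimited
    n=0
    chain=${r#*-[ADIR] }; chain=${chain%% *}   # chain named after -A/-D/-I/-R

    # -o is the outgoing interface; packets in INPUT/PREROUTING have none yet.
    case "$r" in *" -o "*) case "$chain" in INPUT|PREROUTING)
        echo "  -o is not valid in $chain (use -i for the arriving interface)"
        n=$((n + 1)) ;; esac ;; esac
    # Mirror image: -i makes no sense for locally generated or post-routing packets.
    case "$r" in *" -i "*) case "$chain" in OUTPUT|POSTROUTING)
        echo "  -i is not valid in $chain (use -o for the leaving interface)"
        n=$((n + 1)) ;; esac ;; esac
    # getopt reads "-dport 9090" as "-d port": with an earlier -d this is the
    # "multiple -d flags not allowed" error, otherwise an invalid address.
    case "$r" in *" -dport "*|*" -sport "*)
        echo "  single dash: -dport/-sport is parsed as -d/-s; write --dport/--sport"
        n=$((n + 1)) ;; esac
    # --dport/--sport belong to the tcp/udp match, which only loads after -p.
    case "$r" in *" --dport "*|*" --sport "*) case "$r" in *" -p "*|*" --protocol "*) ;; *)
        echo "  --dport/--sport need -p tcp or -p udp before them (else: Unknown arg '--dport')"
        n=$((n + 1)) ;; esac ;; esac
    # SNAT rewrites to an address; an interface name is not accepted here.
    case "$r" in *" --to-source "*)
        src=${r#*--to-source }; src=${src%% *}
        case "$src" in [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;; *)
            echo "  --to-source needs an IP address, not '$src'"
            n=$((n + 1)) ;; esac ;; esac
    # A rule without -j/-g matches and counts packets but changes nothing.
    case "$r" in *" -j "*|*" -g "*|*" --jump "*|*" --goto "*) ;; *)
        echo "  no target (-j/-g): this rule only counts matching packets"
        n=$((n + 1)) ;; esac
    return $n
}

# Lint every iptables line read from stdin; return the total number of findings.
lint_rules() {
    total=0
    while IFS= read -r line; do
        case "$line" in *iptables*) ;; *) continue ;; esac
        echo "$line"
        lint_rule "$line" || total=$((total + $?))
    done
    return $total
}

# Constructed sample: the lines the thread stumbled over, plus one clean rule.
lint_rules <<'EOF' || echo "lint: $? problem(s) found"
iptables -A INPUT -o eth1 -d 172.16.19.2 -dport 9090 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -j SNAT --to-source eth0
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED
iptables -A INPUT -i eth1 -d 172.16.19.2 --dport 9090 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -d 172.16.19.2 -p tcp --dport 9090 -m state --state NEW -j ACCEPT
EOF
```

Feed your own firewall script to `lint_rules` (`lint_rules < firewall.sh`) before running it; the last line of the sample is the shape the two broken rules should end up in, with `-p tcp` before `--dport` and the traffic to machine A matched in FORWARD rather than INPUT.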
It has been really useful for me, since it can be very confusing with all the arguments.
I've had the same problems as you, unknown argument etc.
By using this and examining it I learned how to use correct syntax.
Not really a direct answer to the question, but it has really helped me understand iptables better.
Thanks, it's a useful util, but it's concentrating on an internet gateway, which I already know how to do; what I'm trying to do is get two separate network segments to communicate (see first post).
I understand that, but the basics of the script is to route one interface to another. In your first post you say "i am trying to get traffic from one network card across to the other network card"; that's what this does.
I'm using this (modified) script myself to have other machines use the internet, so if you analyze this script and remove the gateway and the parts you don't need, you should end up with what you want.
There's a couple of rules on there that allow traffic from one to the other,
also some rules for routing.
With the script, for example, you can route ports from one to another (the option comes as you go on); I use this myself to route ports from the internet to, say, my workstation.
Am I wrong here, but isn't that in essence what a router or gateway does?
Also, I didn't really mean this specific script as a solution but to use parts from it; that's how I learned and solved errors.
Well, in any case I hope you solve it; I was hoping that script had some lines that could help you debug yours.