LinuxQuestions.org
Old 08-23-2004, 04:50 PM   #1
ZliTroX
LQ Newbie
 
Registered: Aug 2004
Distribution: ...
Posts: 25

Rep: Reputation: 15
Problem: iptables firewall rules. Can anybody help?


I have tried to write an iptables script as a firewall/router, but it doesn't work at all.

Can anybody help me, please? Someone nice enough to help me write this script I need?

I have a dynamic IP number to the Internet from my ISP Telia, and I want my firewall/router to share the Internet with my other computers and a server.

Local network:
192.168.0.1:
Firewall/router, should have SSH at port 22 only on the local network.

192.168.0.2
HTTP server, should be connectable from the Internet at port 80.

192.168.0.3
FTP server, this should be connectable from the local network and the Internet at port 21. Also surf the Internet.

192.168.0.4
Surf the Internet.

192.168.0.5 - Windows 2000, surf the Internet, but no services out to the Internet

192.168.0.6 - Windows 2000, surf the Internet, but no services out to the Internet

Services open to the Internet:
192.168.0.2 Port 80
192.168.0.3 Port 21
192.168.0.4 Port 21

Services open on the local network:
192.168.0.1 Port 22
192.168.0.2 Port 80
192.168.0.3 Port 21
192.168.0.3 Port 21

I'm also using DCGui-QT (Direct Connect) on these ports:

TCP listen port:
9176
UDP listen port:
9176


Other services should not be shown out to the Internet.

I hope someone understands what I need and can help me.


Please, could someone help me?

Thanks.

Last edited by ZliTroX; 09-06-2004 at 03:45 PM.
 
Old 08-23-2004, 11:48 PM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
A very simple script to allow outgoing traffic but block anything that is not a reply.

Code:
#!/bin/bash
# File: simpfw.sh
#
IPT=/usr/sbin/iptables
EXTIF=<external interface>
INTIF=<internal interface>

# -- the kernel only routes between the two interfaces with forwarding enabled
echo 1 > /proc/sys/net/ipv4/ip_forward

# -- start from empty tables
$IPT -t filter -F
$IPT -t nat -F

# -- deny by default; every rule below opens one specific hole
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

# -- allow free traffic on the loopback
$IPT -A INPUT -i lo -j ACCEPT

# -- ICMP

# -- Accept all incoming replies
#    (no space after the comma: "RELATED, ESTABLISHED" is split by the shell
#    into two arguments and iptables refuses the rule)
$IPT -A INPUT -i $EXTIF -m state --state RELATED,ESTABLISHED -j ACCEPT

# -- Accept incoming connections (Direct Connect listen ports on the router)
$IPT -A INPUT -i $EXTIF -p tcp --dport 9176 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTIF -p udp --dport 9176 -m state --state NEW -j ACCEPT
#    nothing arriving on $INTIF is accepted by INPUT, so SSH to the router
#    itself from the LAN needs its own rule here

# -- LAN may open anything outward; from outside only replies get through
$IPT -A FORWARD -i $INTIF -j ACCEPT
$IPT -A FORWARD -i $EXTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# -- POSTROUTING only knows the outgoing interface: -o $EXTIF, not -i $INTIF
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Last edited by ppuru; 08-23-2004 at 11:53 PM.
 
Old 08-24-2004, 01:29 AM   #3
AeonDevil
LQ Newbie
 
Registered: Aug 2004
Posts: 11

Rep: Reputation: 0
Here's another that's very easy to understand. Just paste it in a text file (e.g. rc.firewall or something similar, and load it on startup) and modify it a bit:

#Internet Sharing and Port Forwarding Script

modprobe iptable_nat
echo '1' > /proc/sys/net/ipv4/ip_forward

#NOTE: eth0 can be changed to eth1 etc. depending on the device connected to the net.
#(the two MASQUERADE rules of the original are merged into one: "-o eth0" limits it to packets leaving for
#the Internet and "-s 192.168.0.0/24" to packets from the LAN; a rule without "-o" would also rewrite packets
#the router sends back onto the LAN)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
#since you're on a D class with IPs of 192.168.0.0 - 255 I put a 24-bit subnet. You're going to have to research a bit if you don't understand it; it takes a while to explain. Well, actually I'm not that good at explaining things.

#here I put the ports I want to be open. If you don't have port 22 open then you won't be able to connect to it via ssh. I'll just drop the packets.
#(as written this accepts SSH on every interface, the Internet side included; add "-i eth1" or "-s 192.168.0.0/24" to keep it LAN-only)
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#NOTE: if you accept packets for port 80 as well you can set up a web server, but it's for the net-sharing machine. If you want to serve a web server on another computer on your network you have to set port forwarding rules; I'll explain below.

#(each of the next four needs "-A INPUT": without a chain iptables rejects the command and the port 22 rule would be the only one loaded)
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
/sbin/iptables -A INPUT -j DROP

#to share the net you're going to have to set up the other computers on the network. I'll give a short example:
#ipaddress: 192.168.0.x
#subnet: 255.255.255.0
#gateway: 192.168.0.x, whatever your internet sharing computer's IP is.
#dns: the ISP's DNS addresses; usually you only need one of them. I'm a little stupid because the only way I know how to find out the ISP's DNS is by using Windows "ipconfig /all". I can't be bothered finding out with Linux at the moment because I'm busy and just finished school last year.

#at this point your internet should be shared between all computers on the network. You can test it out.

#port forwarding: this is all going to depend on how you want this all set up. Here's an example:
#iptables -t nat -A PREROUTING -p tcp -d z.z.z.z --dport xx -j DNAT --to y.y.y.y:xx
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 -d y.y.y.y --dport xx -j SNAT --to x.x.x.x
#iptables -t nat -A OUTPUT -d z.z.z.z -p tcp --dport xx -j DNAT --to y.y.y.y:xx
#(the SNAT line is corrected: by the time a packet reaches POSTROUTING the DNAT has already changed its
#destination to y.y.y.y, so "-d z.z.z.z" would never match there, and "--to x.x.x.x:xx" would rewrite the
#source port as well; the rule is only needed so that LAN clients talking to the public address get their
#replies back through the router)
#
#z.z.z.z is the internet address, y.y.y.y is the address where you want the port forwarded, x.x.x.x is the other network card address for the internet sharing computer, xx is any port you want to be forwarded. You can have port 21 from the net go to port 500 on another computer on the network if you wanted to. Or you could just have port 21 forwarded to port 21 on another machine. It's all up to you.
#if you want to do more with iptables you'll have to read up about it or just post. It's too much to type at the moment, I'm getting tired....
 
Old 08-24-2004, 05:24 AM   #4
ZliTroX
LQ Newbie
 
Registered: Aug 2004
Distribution: ...
Posts: 25

Original Poster
Rep: Reputation: 15
Thanks everyone for all the help, I think I understand most of it.

If the port should be forwarded to my firewall (192.168.0.1) at port 21, should it be like this?:

iptables -t nat -A PREROUTING -p tcp -d z.z.z.z --dport 21 -j DNAT --to 192.168.0.1:21
iptables -t nat -A POSTROUTING -p tcp -d z.z.z.z --dport 21 -j SNAT --to 192.168.0.1:21
iptables -t nat -A OUTPUT -d z.z.z.z -p tcp --dport 21 -j DNAT --to 192.168.0.1:2

Hmm, what about -d z.z.z.z, what IP should I have there? The server that has the HTTP is 192.168.0.2. So... should it be 192.168.0.2 that replaces z.z.z.z?

Last edited by ZliTroX; 08-24-2004 at 05:47 AM.
 
Old 08-24-2004, 10:37 AM   #5
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
Quote:
Originally posted by ZliTroX

iptables -t nat -A PREROUTING -p tcp -d z.z.z.z --dport 21 -j DNAT --to 192.168.0.1:21
iptables -t nat -A POSTROUTING -p tcp -d z.z.z.z --dport 21 -j SNAT --to 192.168.0.1:21
iptables -t nat -A OUTPUT -d z.z.z.z -p tcp --dport 21 -j DNAT --to 192.168.0.1:2

Hmm, what about -d z.z.z.z, what IP should I have there? The server that has the HTTP is 192.168.0.2. So... should it be 192.168.0.2 that replaces z.z.z.z?

I think the best solution is:
Apply NAT for all packets that come from 192.168.0.1:
iptables -t nat -A POSTROUTING -s 192.168.0.1 -j SNAT --to z.z.z.z

Port forward (you may use "-d (public IP of FTP server)" instead of "-i eth1", or use both of them):
iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.1

And blocking unwanted network activity in the FORWARD chain:
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp --dport 21 -i eth1 -j ACCEPT
Allow established/related connections:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

You'd better visit www.netfilter.org and read the docs.
You can also generate iptables scripts at www.iptables-script.dk
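What the thread is circling around can be written down as a single ruleset. The following is an added example, not code from any of the posters, that covers the whole list in post #1 (LAN-only SSH to the router, HTTP published on 192.168.0.2, FTP on 192.168.0.3, the Direct Connect ports, everything else closed) as an iptables-restore file produced by a shell function, with the interface names, the LAN prefix and, optionally, the current public address as parameters. Loading with iptables-restore is atomic: the tables are replaced in one step, so there is no moment during startup where the policy is still ACCEPT and half the rules are missing, and a typo rejects the whole file instead of leaving a partial set. The addresses are the ones from post #1; the assumption that the Direct Connect client runs on the router itself follows ppuru's reply, and the file name fw.sh in the usage note is arbitrary.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters): the
# topology from post #1 as one iptables-restore ruleset.
# Assumptions: router LAN address 192.168.0.1, Direct Connect client on the
# router itself (TCP/UDP 9176), published hosts as listed in post #1.
HTTP_SRV=192.168.0.2
FTP_SRV=192.168.0.3
RTR_LAN=192.168.0.1
DC_PORT=9176

# Only emitted when the current public address is known: lets LAN hosts use
# the public address for the published services. Both rewrites are needed;
# without the SNAT the server would answer the LAN client directly and the
# client would see a reply from an address it never talked to.
hairpin_nat() {
    [ -n "$EXTIP" ] || return 0
    printf '%s\n' \
        "-A PREROUTING -i $INTIF -d $EXTIP -p tcp --dport 80 -j DNAT --to-destination $HTTP_SRV:80" \
        "-A PREROUTING -i $INTIF -d $EXTIP -p tcp --dport 21 -j DNAT --to-destination $FTP_SRV:21" \
        "-A POSTROUTING -s $LAN -d $HTTP_SRV -p tcp --dport 80 -j SNAT --to-source $RTR_LAN" \
        "-A POSTROUTING -s $LAN -d $FTP_SRV -p tcp --dport 21 -j SNAT --to-source $RTR_LAN"
}
hairpin_filter() {
    [ -n "$EXTIP" ] || return 0
    printf '%s\n' "-A FORWARD -i $INTIF -o $INTIF -s $LAN -j ACCEPT"
}

# gen_ruleset EXTIF INTIF LANPREFIX [EXTIP]  -> iptables-restore text on stdout
gen_ruleset() {
    EXTIF=$1; INTIF=$2; LAN=$3; EXTIP=${4:-}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish the servers. Matching on -i $EXTIF instead of -d <public IP>
# means the dynamic ISP address never has to appear here.
-A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $HTTP_SRV:80
-A PREROUTING -i $EXTIF -p tcp --dport 21 -j DNAT --to-destination $FTP_SRV:21
$(hairpin_nat)
# Hide the LAN behind whatever address $EXTIF currently has.
-A POSTROUTING -o $EXTIF -s $LAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: a LAN source address can never legitimately arrive on $EXTIF.
-A INPUT -i $EXTIF -s $LAN -j DROP
-A FORWARD -i $EXTIF -s $LAN -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# SSH to the router from the LAN side only (post #1: 192.168.0.1 port 22).
-A INPUT -i $INTIF -s $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Direct Connect listen ports on the router.
-A INPUT -i $EXTIF -p tcp --dport $DC_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $EXTIF -p udp --dport $DC_PORT -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# LAN may go out; the Internet may only reach the two published services.
-A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT
-A FORWARD -i $EXTIF -o $INTIF -d $HTTP_SRV -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $EXTIF -o $INTIF -d $FTP_SRV -p tcp --dport 21 -m state --state NEW -j ACCEPT
$(hairpin_filter)
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}

# Load it. FTP needs the connection-tracking and NAT helpers so the data
# connection is classified RELATED and rewritten together with the control
# connection (ip_conntrack_ftp/ip_nat_ftp on the 2.4/2.6 kernels of 2004,
# nf_conntrack_ftp/nf_nat_ftp on current ones).
apply_ruleset() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_ruleset "$@" | iptables-restore
}

case "${1:-}" in
    --apply) shift; apply_ruleset "$@" ;;
    *)       gen_ruleset "${1:-eth0}" "${2:-eth1}" "${3:-192.168.0.0/24}" "${4:-}" ;;
esac
```

Run it without arguments to print the ruleset for eth0 (Internet) and eth1 (LAN) and read it over; `sh fw.sh --apply eth0 eth1 192.168.0.0/24` loads it as root. Two caveats for anyone using this on a current system: since kernel 4.7 conntrack helpers are no longer attached automatically, so the FTP helper has to be requested explicitly with a raw-table rule such as `-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` (or by setting nf_conntrack_helper=1); and `-m state` is the 2004 syntax, which current iptables still accepts, while `-m conntrack --ctstate` is the native form.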
 
Old 08-24-2004, 09:30 PM   #6
AeonDevil
LQ Newbie
 
Registered: Aug 2004
Posts: 11

Rep: Reputation: 0
Quote:
Originally posted by ZliTroX
Thanks everyone for all the help, I think I understand most of it.

If the port should be forwarded to my firewall (192.168.0.1) at port 21, should it be like this?:

iptables -t nat -A PREROUTING -p tcp -d z.z.z.z --dport 21 -j DNAT --to 192.168.0.1:21
iptables -t nat -A POSTROUTING -p tcp -d z.z.z.z --dport 21 -j SNAT --to 192.168.0.1:21
iptables -t nat -A OUTPUT -d z.z.z.z -p tcp --dport 21 -j DNAT --to 192.168.0.1:2

Hmm, what about -d z.z.z.z, what IP should I have there? The server that has the HTTP is 192.168.0.2. So... should it be 192.168.0.2 that replaces z.z.z.z?
z.z.z.z should be your actual Internet IP address. Since your IP address is dynamic, you might be able to write a script. Just use "ifconfig" to find out your IP addresses.
 
Old 08-25-2004, 04:18 AM   #7
ZliTroX
LQ Newbie
 
Registered: Aug 2004
Distribution: ...
Posts: 25

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by AeonDevil
z.z.z.z should be your actual internet ip address since your ipaddress is dynamic you might be able to write a script. Just use "ifconfig to find out your ipaddress's"
OK, but can I set eth0, because it's the NIC for the Internet?
 
Old 08-26-2004, 06:58 AM   #8
AeonDevil
LQ Newbie
 
Registered: Aug 2004
Posts: 11

Rep: Reputation: 0
Sorry I didn't post yesterday; I didn't have time.

iptables can't use eth0 and automatically know the IP address, because if you use eth0 you would normally need to use the option "-i eth0" instead of "-d 'internet address'". But unfortunately iptables uses -d for destination, which is a direct IP address, and -i is interface, so it's the whole interface: eth0 gives all the info for that device, not just the IP address.

And that's the main reason why putting eth0 won't work.

If you give me a few days I may have the time to think up something, but at this time I can't think of anything.
 
Old 09-06-2004, 03:46 PM   #9
ZliTroX
LQ Newbie
 
Registered: Aug 2004
Distribution: ...
Posts: 25

Original Poster
Rep: Reputation: 15
Please, can somebody help me with my problem?
 
Old 09-06-2004, 04:48 PM   #10
netopia
LQ Newbie
 
Registered: Sep 2004
Location: Boston, MA
Distribution: fedora core 2
Posts: 28

Rep: Reputation: 15
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/

The scripts in this HOWTO give an example of how to use a script to automatically set x.x.x.x to your Internet IP address when you start up the firewall.
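Posts #6 to #10 go back and forth on how a rule can carry an address that changes with every lease. Two cases are worth separating. Rules for traffic arriving from the Internet do not need the address at all: `-i eth0` in PREROUTING, as in maxut's reply, matches whatever address the interface has at the moment. The address is only needed where a rule must match it as a destination, for example so that LAN hosts can reach the published servers through the public address. For that case, the following added example (mine, not from the thread or from the IP-Masquerade HOWTO) reads the interface's current IPv4 address from `ip` or the older `ifconfig`, refuses anything that does not look like an address, and rebuilds a dedicated nat chain only when the address has actually changed, so it can be called from an ip-up or dhclient hook or from cron. The chain name HAIRPIN, the state file /var/run/fw-extip, the internal interface eth1 and the server addresses from post #1 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or the HOWTO it links): keep the rules
# that must name the router's dynamic public address in step with the address
# the external interface really has. Only the DNAT matches carry the address;
# the SNAT half of a hairpin and all interface-based rules are static.
# Assumed names: chain HAIRPIN in the nat table, state file /var/run/fw-extip,
# internal interface eth1, servers 192.168.0.2 (HTTP) and 192.168.0.3 (FTP).
INTIF=${INTIF:-eth1}
HTTP_SRV=192.168.0.2
FTP_SRV=192.168.0.3

# Read the first IPv4 address out of either
#   ip -4 -o addr show dev <if>   ("... inet a.b.c.d/len ...")
#   ifconfig <if>                 ("inet addr:a.b.c.d  Bcast:...")
# Anything that is not a dotted quad with octets 0-255 is discarded, so an
# unexpected line from the tool can never be spliced into an iptables rule.
parse_ipv4() {
    awk '
        function is_ipv4(s,    o, n, j) {
            n = split(s, o, ".")
            if (n != 4) return 0
            for (j = 1; j <= 4; j++)
                if (o[j] !~ /^[0-9]+$/ || o[j] + 0 > 255) return 0
            return 1
        }
        {
            for (i = 1; i < NF; i++) {
                if ($i == "inet") {
                    a = $(i + 1)
                    sub(/^addr:/, "", a)
                    sub(/\/.*$/, "", a)
                    if (is_ipv4(a)) { print a; exit 0 }
                }
            }
        }'
}

iface_ipv4() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show dev "$1" 2>/dev/null | parse_ipv4
    else
        ifconfig "$1" 2>/dev/null | parse_ipv4
    fi
}

# The address-dependent rules, one per line, as arguments for "iptables -t nat".
hairpin_rules() {
    printf '%s\n' \
        "-A HAIRPIN -i $INTIF -d $1 -p tcp --dport 80 -j DNAT --to-destination $HTTP_SRV:80" \
        "-A HAIRPIN -i $INTIF -d $1 -p tcp --dport 21 -j DNAT --to-destination $FTP_SRV:21"
}

# Rebuild the HAIRPIN chain for a new address. Flushing a dedicated chain
# leaves the rest of the nat table untouched. "iptables -C" (check) needs
# iptables 1.4.11 or later; on older versions append the jump once at boot.
apply_hairpin() {
    iptables -t nat -N HAIRPIN 2>/dev/null || iptables -t nat -F HAIRPIN
    iptables -t nat -C PREROUTING -j HAIRPIN 2>/dev/null ||
        iptables -t nat -A PREROUTING -j HAIRPIN
    hairpin_rules "$1" | while read -r rule; do
        # unquoted on purpose: each word of the rule is one argument
        iptables -t nat $rule
    done
}

# Exit 0 and record the address when it differs from the one last recorded,
# exit 1 when nothing changed, so callers only touch the firewall on a change.
changed_since_last() {
    new=$1; state=$2
    old=$(cat "$state" 2>/dev/null)
    [ "$new" != "$old" ] || return 1
    printf '%s\n' "$new" > "$state"
}

refresh() {
    extif=${1:-eth0}; state=${2:-/var/run/fw-extip}
    addr=$(iface_ipv4 "$extif")
    if [ -z "$addr" ]; then
        echo "refresh: $extif has no IPv4 address" >&2
        return 2
    fi
    if changed_since_last "$addr" "$state"; then
        apply_hairpin "$addr"
        echo "refresh: hairpin rules rebuilt for $addr"
    fi
}

# Invoke as "sh fw-extip.sh --refresh eth0" from an ip-up/dhclient hook or cron.
if [ "${1:-}" = "--refresh" ]; then
    refresh "${2:-eth0}" "${3:-/var/run/fw-extip}"
fi
```

The validation in parse_ipv4 is the part worth keeping even if the rest is adapted: whatever string ends up after `-d` is handed to iptables unquoted, so the script should only ever pass something it has positively recognised as an address, and return nothing (so refresh bails out) when the interface is still waiting for a lease.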
 
  

