Ubuntu - multiple interfaces - firewall
Hi!
I have a somewhat different network configuration. The problem is having a firewall (Ubuntu)! So:
eth0 - connected to a Cisco router (with even more networks behind it)
eth1 - connected to Cisco router 2 and bridged to VMware Workstation
wlan0 - connected to the Internet via ADSL
The Cisco routers are running RIP between each other. Everything works; the problem is that I want to configure a firewall in Ubuntu. The firewall should protect from wlan0, but there should be no security between eth0 and eth1. I'm not so good with iptables. Tried Firestarter and Guarddog, but they always block one of the ethernet interfaces (they see it as an external network). Pls help!!
I have a PDF now with the complete configuration! Attached.
Iptables
OK! I've done some reading on iptables and this is what I came up with:
------------------------------------------------------------------------
#!/bin/bash
# flush all chains
iptables -F
# Set the default policy for each of the pre-defined chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# User-defined chain for ACCEPTed packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth0 -s 192.168.22.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -s 192.168.23.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 192.168.55.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.22.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.23.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.55.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.70 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -d 192.168.22.255 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -d 192.168.23.255 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.55.255 -j ACCEPT
# Packets for established connections
iptables -A INPUT -p ALL -d 192.168.0.70 -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP rules
#iptables -A INPUT -p TCP -i wlan0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth1 -s 192.168.55.1 -d 192.168.0.70 --destination-port 1974 -j okay
# UDP rules
#iptables -A INPUT -p UDP -i wlan0 -s 0/0 --destination-port 53 -j ACCEPT
# ICMP rules
#iptables -A INPUT -p ICMP -i wlan0 -s 0/0 --icmp-type 8 -j ACCEPT
#iptables -A INPUT -p ICMP -i wlan0 -s 0/0 --icmp-type 11 -j ACCEPT
# Forward chain rules
# Accept the packets we want to forward
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i wlan0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
----------------------------------------------------------------------
Communication between eth0 and eth1 works, and they both have access to the Internet. Problem: Ubuntu itself doesn't have access to the Internet. Pls tell me what I am doing wrong!
Where do you masquerade your packets going from the LANs to the WAN?
I haven't seen any firewall rule for that.
Masquerade!
Don't need that - eth0, eth1 and wlan0 are routed via RIP or static routes.
My ADSL router takes care of the NAT. Found a problem, now it looks like it works:
iptables -P OUTPUT DROP    # changed to ACCEPT
What I'm trying to do is to have different segments all behind an ADSL router which is connected to the Internet. The firewall in that router is quite bad. So I am trying to protect the segments from my own wireless segment, even if I don't really have to ;) Still have to do some reading about opening ports between the segments. I'm studying Cisco so I don't have that much time for iptables! :)
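A stateful rewrite of the ruleset from this thread, added here as an example; it is not the poster's script. It keeps the interfaces and subnets named above (eth0 with 192.168.22.0/24 and 192.168.23.0/24, eth1 with 192.168.55.0/24, wlan0 as the wireless/ADSL side) and assumes, as the thread states, that the ADSL router does the NAT so no MASQUERADE is needed. Two things change relative to the original: OUTPUT is ACCEPT so the host itself can reach the Internet (the DROP policy with no matching allow rule was the fault found above), and wlan0 can no longer open new connections into the trusted segments (the original `iptables -A FORWARD -i wlan0 -j ACCEPT` allowed that), while eth0 and eth1 still reach each other and the Internet without restriction. The `dry-run` argument (or `IPT=echo`) prints the rules instead of applying them.

```shell
#!/bin/bash
# Example ruleset written for this thread, not the poster's own script.
# Assumed layout (from the thread): eth0 -> 192.168.22.0/24, 192.168.23.0/24
# eth1 -> 192.168.55.0/24, wlan0 -> wireless/ADSL side, NAT done by the router.
#   bash fw.sh dry-run    # print the iptables commands
#   sudo bash fw.sh apply # load them (needs net.ipv4.ip_forward=1 for the LANs)
set -u

IPT="${IPT:-iptables}"
WAN=wlan0                                   # untrusted side
LAN_IFS="eth0 eth1"                         # trusted, unfiltered between each other
LAN_NETS="192.168.22.0/24 192.168.23.0/24 192.168.55.0/24"

apply_rules() {
    # Start from an empty table with default-deny for traffic to and through the host.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # OUTPUT DROP with no matching allow rule is what cut the host off from the
    # Internet in the thread; the host's own outbound traffic is allowed here.
    $IPT -P OUTPUT ACCEPT

    # Loopback is accepted unconditionally. The original "-i lo -s 192.168.x.0/24"
    # rules could never match and only cluttered the chain.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections opened by the host or forwarded for a LAN client.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: nothing arriving on the untrusted side may claim a LAN source.
    for net in $LAN_NETS; do
        $IPT -A INPUT   -i "$WAN" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    # Trusted segments: full access to the host, to each other and out via wlan0.
    for ifc in $LAN_IFS; do
        $IPT -A INPUT   -i "$ifc" -j ACCEPT
        $IPT -A FORWARD -i "$ifc" -j ACCEPT
    done

    # No new connections from wlan0 are allowed by default. To expose one host
    # service to the wireless side, add a rule of this form (kept disabled here):
    # $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Whatever wlan0 traffic is left falls through to the DROP policies; a
    # rate-limited log line per chain makes those drops visible in syslog.
    $IPT -A INPUT   -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A FORWARD -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPT=echo; apply_rules ;;
esac
```

The rules are not persistent across reboots; once the dry-run output looks right, load them with `apply` and save them with the distribution's iptables-save mechanism. Opening a port between the segments, which the last post mentions wanting to read up on, is a matter of adding a FORWARD rule with `-i`, `-d` and `--dport` before the final LOG rules; between eth0 and eth1 nothing needs opening, since both are accepted wholesale.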