IP Routing Tables
I'm using IPTables to design a firewall system for a project I'm doing. I've the routing commands done, but I need to check if they are correct (my professor is gone away). Below are the list of actions I have been asked to implement. I have a diagram of the network here: student.dcu.ie/~collern2 and some info on the simple network. I have given a good attempt at completing this rules and my main problem is that I've no one to compare my answer with. Thanks very much.
------------------------------------------------------------------------------------------------
1) For network clients with IPs 10.4.38.100 to 10.4.38.120, IP Masquerading is used for
Internet connectivity.
Answer: iptables -A INPUT -s 10.4.38.100-10.4.38.120 -d eth0 -j MASQUERADE
The problem I have is that I'm unsure of how to specify a range (10.4.38.100-10.4.38.120).
------------------------------------------------------------------------------------------------
2)For network clients with IPs 10.4.38.121 to 10.4.38.200, Internet connection is via the
proxy server 10.4.38.10: port 3128.
a. Direct Internet connection by these network clients, via eth0, is blocked by the
firewall.
b. SNAT of the proxy’s IP to the public IP 136.206.200.1 is implemented by the
firewall to allow proxy server requests to the Internet.
Answer a: iptables -t NAT -A PREROUTING -p tcp -s 10.4.38.121-10.4.38.200 -d 136.206.200.1 --dport 80 --sport 1024:65535 -j DNAT --to 10.4.38.10:3128
Once again, I'm unsure about how to specify a range. Also, am I labelling the source and destination ports/addresses correctly?
Answer b: iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 136.206.200.1 -s 10.4.38.10 --sport 3128 --dport 80 -m state --state NEW -j ACCEPT
Is this correct?
------------------------------------------------------------------------------------------------
3) To conserve IPv4 IPs, and to reduce the hackers target surface, the public IP, 136.206.200.1
is used for all services, i.e. DNS (including zone transfers) on port 53, email on port 25,
web on port 80 & 443 (http &https). Therefore, all incoming traffic for these services must
be directed to the appropriate servers on the 10.4.38.0 network, and all outgoing traffic to
the Internet must appear to come from the public IP 136.206.200.1.
Answer:
iptables -t NAT -a PREROUTNG -p tcp -i eth0 -d 136.206.200.1 --dport 53 --sport 1024.65535 -j DNAT --to 10.4.38.53:53
iptables -A POSTROUTING -t NAT -o eth0 -s 10.4.38.0/24 -d 0/0 -j MASQUERADE
Is this correct?
------------------------------------------------------------------------------------------------
|