LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Closed Thread
 
Search this Thread
Old 05-23-2005, 10:13 AM   #1
collern2
LQ Newbie
 
Registered: Mar 2005
Posts: 24

Rep: Reputation: 15
IP Routing Tables


I'm using IPTables to design a firewall system for a project I'm doing. I've the routing commands done, but I need to check if they are correct (my professor is gone away). Below are the list of actions I have been asked to implement. I have a diagram of the network here: student.dcu.ie/~collern2 and some info on the simple network. I have given a good attempt at completing this rules and my main problem is that I've no one to compare my answer with. Thanks very much.


------------------------------------------------------------------------------------------------

1) For network clients with IPs 10.4.38.100 to 10.4.38.120, IP Masquerading is used for
Internet connectivity.

Answer: iptables -A INPUT -s 10.4.38.100-10.4.38.120 -d eth0 -j MASQUERADE

The problem I have is that I'm unsure of how to specify a range (10.4.38.100-10.4.38.120).

------------------------------------------------------------------------------------------------

2)For network clients with IPs 10.4.38.121 to 10.4.38.200, Internet connection is via the
proxy server 10.4.38.10: port 3128.
a. Direct Internet connection by these network clients, via eth0, is blocked by the
firewall.
b. SNAT of the proxy’s IP to the public IP 136.206.200.1 is implemented by the
firewall to allow proxy server requests to the Internet.

Answer a: iptables -t NAT -A PREROUTING -p tcp -s 10.4.38.121-10.4.38.200 -d 136.206.200.1 --dport 80 --sport 1024:65535 -j DNAT --to 10.4.38.10:3128

Once again, I'm unsure about how to specify a range. Also, am I labelling the source and destination ports/addresses correctly?

Answer b: iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 136.206.200.1 -s 10.4.38.10 --sport 3128 --dport 80 -m state --state NEW -j ACCEPT

Is this correct?

------------------------------------------------------------------------------------------------

3) To conserve IPv4 IPs, and to reduce the hackers target surface, the public IP, 136.206.200.1
is used for all services, i.e. DNS (including zone transfers) on port 53, email on port 25,
web on port 80 & 443 (http &https). Therefore, all incoming traffic for these services must
be directed to the appropriate servers on the 10.4.38.0 network, and all outgoing traffic to
the Internet must appear to come from the public IP 136.206.200.1.

Answer:

iptables -t NAT -a PREROUTNG -p tcp -i eth0 -d 136.206.200.1 --dport 53 --sport 1024.65535 -j DNAT --to 10.4.38.53:53

iptables -A POSTROUTING -t NAT -o eth0 -s 10.4.38.0/24 -d 0/0 -j MASQUERADE

Is this correct?

------------------------------------------------------------------------------------------------
 
Old 05-23-2005, 10:48 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The forum rules do not permit posting homework questions on the forum, so we aren't going to answer your questions directly. You do however have some syntax errors in a few of the answers and to do IP address ranges you need to use either netmasks (1.1.1.1/255.255.255.0) or CIDR notation (1.1.1.1/24). This is an awesome tools for helping to calculate CIDR notations. Here are also some of the more helpful guides:

http://iptables-tutorial.frozentux.n...-tutorial.html
http://www.netfilter.org/documentati...NAT-HOWTO.html


//Thread Closed - Please email Jeremy (the admin) or myself to reopen the thread.

Last edited by Capt_Caveman; 05-23-2005 at 10:50 AM.
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
routing tables props666999 Linux - Networking 1 10-14-2005 08:27 PM
Routing tables TPB Linux - Networking 3 07-27-2005 09:01 PM
two routing tables fugzi Linux - Networking 7 12-03-2004 06:02 PM
routing tables help hadoque Linux - Networking 0 08-28-2004 09:10 AM
routing tables dunkyb Linux - Networking 3 05-25-2003 02:10 PM


All times are GMT -5. The time now is 09:22 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration