LinuxQuestions.org
Linux - Security
02-28-2009, 12:46 AM   #1
jeff_k (Member; Registered: Jan 2008; Location: San Diego, CA USA; Distribution: Debian / Ubuntu)
iptables - allow pings to forwarded group


I use a Linux box as my NAT router for my LAN. I am setting up port forwarding on port 6111 to internal LAN client 192.168.0.105 for an online game. This is triggered with a set of conditions (not the subject of this post). I want to only allow pings from the outside of my network to those that are participating in the game. For the duration of the game, I plan on adding the following iptables rules. Will this work?

$IPT -A PREROUTING -i eth1 -p tcp -m tcp --dport 6111 -j DNAT --to-destination 192.168.0.105:6111
$IPT -A FORWARD -d 192.168.0.105 -i eth1 -p tcp -m tcp --dport 6111 -m recent --set --rsource --name gamepool -j ACCEPT

$IPT -I INPUT -i eth1 -p icmp -m recent --rcheck --name gamepool -j ACCEPT

(assuming $IPT is /sbin/iptables and my external interface is eth1).

Thanks
03-01-2009, 11:49 PM   #2
jeff_k (Original Poster)
Well, nobody gave me the lazy way out...

Those rules worked OK with one correction: I had to specify the table for the PREROUTING rule.

# nat table: the DNAT target only exists there, so "-t nat" is required
$IPT -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 6111 -j DNAT --to-destination 192.168.0.105:6111
# forwarded game traffic: accept it and record the sender's address in the "gamepool" recent list
$IPT -A FORWARD -d 192.168.0.105 -i eth1 -p tcp -m tcp --dport 6111 -m recent --set --rsource --name gamepool -j ACCEPT

# ICMP arriving on the external interface is accepted only if its source is already in "gamepool"
$IPT -I INPUT -i eth1 -p icmp -m recent --rcheck --name gamepool -j ACCEPT

The above rules look for those outsiders that connect via port 6111, and put their IP addresses into the pool gamepool. Then they can ping the machine 192.168.0.105. Of course, I set this up so that there is only a limited amount of time that these rules are in force.

In case anyone else ever cares.
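As an added example that is not part of the original thread: a small POSIX shell script that emits (or applies) the same rule set with the "-t nat" fix, bounds pool membership with --seconds, and tears everything down when the game ends. The interface, host, port and list name are the thread's own; the 600-second TTL, the PING_TARGET switch and the function names are assumptions. One caveat a practitioner would want spelled out: a rule in INPUT governs packets addressed to the router itself, so the thread's ICMP rule lets pooled peers ping the router's external address. If the pings are meant to reach 192.168.0.105, the echo requests must be DNATed like the game traffic and accepted in FORWARD; the script's "host" mode shows that variant. It also assumes the router already carries its usual MASQUERADE and ESTABLISHED,RELATED rules.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumptions (change to taste):
#   eth1 is the Internet-facing interface, 192.168.0.105 hosts the game on 6111/tcp,
#   and the router already has its usual MASQUERADE and ESTABLISHED,RELATED rules.
IPT="${IPT:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth1}"
GAME_HOST="${GAME_HOST:-192.168.0.105}"
GAME_PORT="${GAME_PORT:-6111}"
POOL="${POOL:-gamepool}"
TTL="${TTL:-600}"   # seconds after a peer's last game packet during which it may still ping (assumed value)

# Print the rules for one of two ping targets:
#   router - pooled peers may ping the router's external address (what the thread's rules do)
#   host   - echo requests from pooled peers are DNATed to the game host instead
gamepool_rules() {
  target="${1:-router}"
  case "$target" in
    router|host) ;;
    *) echo "unknown ping target: $target" >&2; return 1 ;;
  esac
  pool_member="-m recent --rcheck --seconds $TTL --rsource --name $POOL"

  # DNAT is only valid in the nat table; a plain "-A PREROUTING" fails because filter has no such chain.
  echo "$IPT -t nat -A PREROUTING -i $EXT_IF -p tcp -m tcp --dport $GAME_PORT -j DNAT --to-destination $GAME_HOST:$GAME_PORT"
  # Each forwarded game packet (re)stamps its source address in the recent list.
  echo "$IPT -A FORWARD -i $EXT_IF -d $GAME_HOST -p tcp -m tcp --dport $GAME_PORT -m recent --set --rsource --name $POOL -j ACCEPT"

  if [ "$target" = router ]; then
    # INPUT only sees packets addressed to the router itself, so this answers pings to the
    # router's public IP; nothing here forwards a ping on to $GAME_HOST.
    echo "$IPT -I INPUT -i $EXT_IF -p icmp -m icmp --icmp-type echo-request $pool_member -j ACCEPT"
  else
    # To let peers ping the game host, rewrite their echo requests and allow them through FORWARD.
    echo "$IPT -t nat -A PREROUTING -i $EXT_IF -p icmp -m icmp --icmp-type echo-request $pool_member -j DNAT --to-destination $GAME_HOST"
    echo "$IPT -A FORWARD -i $EXT_IF -d $GAME_HOST -p icmp -m icmp --icmp-type echo-request $pool_member -j ACCEPT"
  fi
}

# Undo: delete the same rules in reverse order, then empty the recent list so the pool
# does not outlive the game (/proc/net/xt_recent; older kernels expose /proc/net/ipt_recent).
gamepool_teardown() {
  gamepool_rules "$1" | sed -e 's/ -A / -D /' -e 's/ -I / -D /' | sed -n '1!G;h;$p'
  echo "echo clear > /proc/net/xt_recent/$POOL"
}

# No argument: print the rules. "apply" installs them, "teardown" removes them.
case "${1:-print}" in
  apply)    gamepool_rules "${PING_TARGET:-router}" | sh ;;
  teardown) gamepool_teardown "${PING_TARGET:-router}" | sh ;;
  *)        gamepool_rules "${PING_TARGET:-router}" ;;
esac
```

Without --seconds, a --rcheck keeps matching any address still in the list, and entries only age out once the list (100 entries by default for xt_recent) fills up; the TTL plus the explicit "clear" at teardown keep the ping allowance tied to the game rather than to table pressure. Note also that --set fires on every packet that hits the FORWARD rule, so a peer that keeps playing keeps its entry fresh, while a peer whose last game packet is older than the TTL is dropped by the pool check even though its entry is still listed.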