LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1 ZliTroX, 09-14-2004, 06:11 PM
Iptables Help, please...


Can someone help me with setting up an iptables script? I have tried to write my own script but it doesn't work.

What I want is to share internet with my local network; only ports 21, 22 and 80 should be open to the internet.

I want these to be redirected and open to the internet on my firewall.

192.168.0.2 has the Apache http server at port 80

192.168.0.3 has the proftpd ftp server at port 21

192.168.0.2 has the OpenSSH ssh server at port 22

I hope you understand what I mean. Please help me.

THANKS
 
#2 CroMagnon, 09-14-2004, 06:57 PM
How do you connect to the internet?
 
#3 ZliTroX, 09-14-2004, 07:19 PM
eth0, broadband
 
#4 CroMagnon, 09-14-2004, 07:48 PM
OK, how is the network set up? Do you have an external broadband device plugged into eth0 on one machine, and another network card connected to the rest of your network? Usually if you have an external device, it handles the internet sharing for your clients anyway, and you'd just need to set up port forwarding on that device for your servers (i.e. no need for iptables). If you're trying to set up a firewall on a Linux machine with only one network card, it would be possible for the other machines to just bypass it by using the address of the router as their gateway.
 
#5 ZliTroX, 09-14-2004, 08:18 PM
I have an ADSL modem that is connected to eth0, and eth1 shares internet on my switch.
 
#6 CroMagnon, 09-14-2004, 08:43 PM
OK, sounds good! Now, grab the script from the top of this page http://en.tldp.org/HOWTO/IP-Masquera...-examples.html and save it on your system. Make it executable and run it as-is for now. Configure your local machines to use the firewall as their default gateway and see if you can access the net. That HOWTO should explain everything you want to know if you read the whole thing, but come back here if you're having problems you can't solve.

BTW, this doesn't allow anything back in to your network just yet. You'll need to add more lines to the script, like this:

Code:
# This allows forwarding of port 80
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
# This does the actual forwarding of port 80
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
 -j DNAT --to 192.168.0.2:80
 
#7 ZliTroX, 09-14-2004, 09:23 PM
Hmm, I can't contact my server with http://zlitrox.ath.cx

I did exactly what you said: took the script from that HOWTO and ran it; iptables said nothing. Tried to ping my ISP's DNS 195.67.199.27, and that I can do from my server, but I can't nslookup some page or surf; nothing, apart from pinging my ISP.

From my Windows computer I can use MSN but can't surf..

On this Linux computer I'm sitting at now it works as it did before. And I used "netconfig" to set the default gateway to the IP number of my router (the Linux computer).
 
#8 CroMagnon, 09-14-2004, 09:46 PM
Sorry, I'm not quite understanding what's happening. Which of these work and which don't? If they don't work, what do they give as an error?

Ping 195.67.199.27 from Windows
Ping 195.67.199.27 from Linux firewall
Ping www.yahoo.com from Windows
Ping www.yahoo.com from firewall
Browse to 66.94.230.52 from Windows
Browse to 66.94.230.52 from firewall
 
#9 ZliTroX, 09-14-2004, 09:50 PM
Hmm, on my http server I can't ping www.yahoo.com, but I can surf to 66.94.230.52 and ping 195.67.199.27 and 195.67.199.28, which are my ISP's primary and secondary DNS servers.

Have any ideas on what it can be?
 
#10 ZliTroX, 09-14-2004, 09:51 PM
Windows computer: the same thing.
 
#11 CroMagnon, 09-14-2004, 09:52 PM
I would say your http server is missing the nameservers in /etc/resolv.conf - make sure one line for each DNS server is there:
nameserver 195.67.199.27
nameserver 195.67.199.28
 
#12 CroMagnon, 09-14-2004, 09:52 PM
Same for your Windows machine - make sure the DNS servers are set in the TCP/IP properties.
 
#13 ZliTroX, 09-14-2004, 09:55 PM
Yes, on my http server those two were missing in that file; now I have added them. How do I update the server? Do I really need to reboot it?

Windows has no need or right to surf; the most important is my http server, hehe.. Windows will go last. :P
 
#14 ZliTroX, 09-14-2004, 09:58 PM
The iptables script I used for sharing the internet connection before was (maybe it works, can you check it?):

echo 1 > /proc/sys/net/ipv4/ip_forward

# by default, nothing is forwarded.
iptables -P FORWARD DROP

# Allow all connections OUT and only related ones IN
#iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# enable MASQUERADING
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Open ports on router for server/services
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 21

# FTP, Port 21 Forwarded to FireWall
iptables -A FORWARD -j ACCEPT -p tcp --dport 21
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.0.3:21

# HTTP, Port 80 Forwarded to FireWall
iptables -A FORWARD -j ACCEPT -p tcp --dport 80
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.2:80

The ftp forward is there because I have a proftpd server on 192.168.0.3...
 
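The two lines CroMagnon shows per port in #6, carried through for all three services from the original question, as an added example that is neither the HOWTO's script nor the script posted above. It assumes the layout described in this thread (eth0 to the ADSL modem, eth1 to the switch, web and ssh on 192.168.0.2, ftp on 192.168.0.3); the public address EXTIP is a placeholder, and the FTP conntrack/NAT helper modules are assumed to be wanted because active-mode FTP data connections do not pass a stateful NAT without them.

```shell
#!/bin/sh
# Added example (not from the thread): NAT + port forwarding for the layout
# discussed. Assumed: eth0 = external (ADSL), eth1 = LAN, EXTIP = placeholder
# public address. Prints the rule set for review; APPLY=1 executes it.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
EXTIP="${EXTIP:-203.0.113.10}"     # placeholder (TEST-NET-3), not a real address
LAN="${LAN:-192.168.0.0/24}"

emit() { printf '%s\n' "$*"; }

# One forwarded service: external port -> internal host, same port.
forward_port() {
    port=$1; dst=$2
    # DNAT only for packets arriving on the *external* interface and
    # addressed to our public IP; LAN-side traffic is left alone.
    emit "iptables -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport $port -j DNAT --to-destination $dst:$port"
    # FORWARD sees the post-DNAT destination, so accept NEW connections to
    # exactly this host:port and nothing else inbound.
    emit "iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $dst --dport $port -m state --state NEW -j ACCEPT"
}

firewall_rules() {
    emit "echo 1 > /proc/sys/net/ipv4/ip_forward"
    emit "iptables -F"
    emit "iptables -t nat -F"
    # Default: forward nothing; every accepted path is listed explicitly.
    emit "iptables -P FORWARD DROP"
    # LAN -> internet: anything from our own subnet.
    emit "iptables -A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT"
    # internet -> LAN: only replies to connections the LAN (or a forwarded
    # service) already has open. This replaces a blanket eth0->eth1 ACCEPT.
    emit "iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Hide LAN addresses behind the external address.
    emit "iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE"
    # FTP helpers so active-mode data connections count as RELATED
    # (nf_* names on current kernels, ip_* names on 2.4/early 2.6).
    emit "modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp"
    emit "modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp"
    forward_port 80 192.168.0.2
    forward_port 22 192.168.0.2
    forward_port 21 192.168.0.3
}

# Count how many services are exposed: one DNAT line per forward.
exposed_count() { firewall_rules | grep -c -- '-j DNAT'; }

if [ "${APPLY:-0}" = 1 ]; then
    firewall_rules | sh       # needs root and iptables
else
    firewall_rules            # dry run: review before applying
fi
```

Run without arguments it only prints the rules, which is the form to paste into a post for review; the inbound FORWARD policy stays DROP and only the three host:port pairs are reachable from eth0, so a typo in a DNAT target fails closed rather than opening the whole LAN.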
#15 CroMagnon, 09-14-2004, 10:03 PM
No need to reboot - as soon as you've added those lines it should be able to browse directly to www.yahoo.com, and most internet tasks should work for you. I think the next task is making sure you can connect to your services from outside - did you add those two extra lines to the script you downloaded?