LinuxQuestions.org
Old 07-24-2005, 01:11 AM   #1
DrunkenDisciple
LQ Newbie
 
Registered: Nov 2004
Posts: 9

Rep: Reputation: 0
Forwarding packets with Iptables


Hi,

I'm hoping someone can help me create a nice iptables script? Basically I have a machine running snort and I have eth0 and eth1. I'm trying to use iptables to basically put some security and forward all incoming traffic from eth0 and forward everything to eth1. If someone could point me in the right direction? I wanted to restrict as much access as possible, only allowing ssh, www, vnc in and so on? Can someone please help me? So far this is what I have...

Code:
#!/bin/sh
# iptables configuration file

# variables (referenced below; must be set for the rules to load)
IPT=/sbin/iptables
NET="${NET:?set NET to this host's address or subnet before running}"

# module loading
/sbin/depmod -a   # rebuild the module dependency list before modprobe

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

# open ports for outbound established connections
$IPT -A OUTPUT -p tcp -s $NET -d 0/0 --destination-port 1:65535 -j ACCEPT
$IPT -A OUTPUT -p udp -s $NET -d 0/0 --destination-port 1:65535 -j ACCEPT

# allow ssh and http, only from the 202.x.x.0/27 block (octets masked as posted)
$IPT -t filter -A INPUT -p tcp -s 202.x.x.0/27 -d $NET --destination-port 22 -j ACCEPT
$IPT -t filter -A INPUT -p tcp -s 202.x.x.0/27 -d $NET --destination-port 80 -j ACCEPT
 
Old 07-24-2005, 09:00 PM   #2
twsnnva
Member
 
Registered: Oct 2003
Location: Newport News, Va
Distribution: Debian
Posts: 246

Rep: Reputation: 30
Hello Drunk

It looks like you basically want to let everything outbound and only 22 (ssh), 80 (http) and 5901 (vnc) inbound. I don't really understand what you mean by "forward all incoming traffic from eth0 and forward everything to eth1"; are you trying to set this box up as a router? If so I can help with that too, however this script doesn't do that.

Code:
#!/bin/sh

# VARIABLES
IPT=/sbin/iptables
ALLOWED_TCP_PORTS="22 80 5901"
ALLOWED_UDP_PORTS=""

# FLUSH RULES LEFT FROM AN EARLIER RUN SO THEY ARE NOT DUPLICATED
$IPT -F

# SET DEFAULT POLICY (anything not explicitly allowed below is dropped)
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# ALLOW RELATED TRAFFIC BACK IN (replies to connections this box opened)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# OPEN INBOUND TCP PORTS
for i in ${ALLOWED_TCP_PORTS}; do
    $IPT -A INPUT -p tcp --dport $i -j ACCEPT
done

# OPEN INBOUND UDP PORTS (the loop body is skipped while the list is empty)
for i in ${ALLOWED_UDP_PORTS}; do
    $IPT -A INPUT -p udp --dport $i -j ACCEPT
done
 
Old 07-24-2005, 11:00 PM   #3
DrunkenDisciple
LQ Newbie
 
Registered: Nov 2004
Posts: 9

Original Poster
Rep: Reputation: 0
hey =D

Yeah, I'm rather new with iptables but anyways. Yeah, basically I have a server running snort and I basically need to allow all incoming traffic with some restrictions like no ICMP, and such. I would like to also limit the ports that can be accessed with iptables. Like only ports 80, 22, and 5190 for vnc. I was thinking of taking all allowed traffic after that and forwarding everything to eth1, then from eth1 I would take the cable and put it into a switch? To forward everything else? Do you think this will be fine?
 
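The two-NIC setup the thread circles around (twsnnva's script above deliberately leaves FORWARD at DROP and does not route), as an added example that is not code from either poster: it emits a ruleset in iptables-restore format that admits only the thread's three TCP ports from eth0, both to the box itself and routed on to hosts behind eth1, and drops everything else (ICMP included, as the original poster asked). The interface roles, the LAN prefix and the log prefixes are assumptions; the LAN side is plain routing, no NAT.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset for a
# box with an untrusted interface (eth0) and an interface cabled to a switch (eth1).
WAN=eth0                         # assumed: the interface facing the outside
LAN=eth1                         # assumed: the interface going on to the switch
LAN_NET=192.168.1.0/24           # assumed: constructed prefix used behind eth1
ALLOWED_TCP_PORTS="22 80 5901"   # ssh, http, vnc display :1, as in twsnnva's list

gen_rules() {
    printf '%s\n' '*filter'
    # default policies: nothing gets in or through unless a rule below allows it
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections that the box or a LAN host opened
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # hosts on the switch side may open anything outbound through the box
    printf '%s\n' "-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    # new connections from outside: only the listed services, either to the box
    # itself (INPUT) or routed to a host on the switch side (FORWARD)
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $WAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
        printf '%s\n' "-A FORWARD -i $WAN -o $LAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # ICMP is not listed, so it falls through to the DROP policy; log what is
    # dropped, rate limited so a flood cannot fill the syslog
    printf '%s\n' "-A INPUT -i $WAN -m limit --limit 5/min -j LOG --log-prefix \"IPT-INPUT-DROP: \""
    printf '%s\n' "-A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"IPT-FWD-DROP: \""
    printf '%s\n' 'COMMIT'
}

# number of rules the generated ruleset appends to a given chain
rule_count() { gen_rules | grep -c "^-A $1 "; }

# Loading it on the real box needs root and routing switched on:
#   sysctl -w net.ipv4.ip_forward=1
#   gen_rules | iptables-restore
```

Review the output with `gen_rules` first; iptables-restore replaces the whole filter table atomically, so a typo does not leave a half-loaded ruleset.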