LinuxQuestions.org, Linux - Networking forum
#106, 12-28-2009, 01:23 PM, nimnull22 (Senior Member):
All traffic to your "server" goes through the FORWARD chain on "firewall".
Right now the rules are:
-A FORWARD -i eth0 -o eth2 -j ACCEPT # to the "server"
-A FORWARD -i eth2 -o eth0 -j ACCEPT # from the "server"

To add a new filter on "firewall" you can add additional chains, for example:
-N forward_in_filter # for incoming filtering
-N forward_out_filter # for outgoing filtering
And fill them:

-A forward_in_filter -s <nasty IP> -j DROP # this will drop all from <nasty IP>
-A forward_in_filter -s <nasty IP> -j DROP
. . .
-A forward_in_filter -j ACCEPT # this will allow the rest.

And for outgoing:
-A forward_out_filter -m state --state NEW -j DROP # this will prevent connection start.
-A forward_out_filter -j ACCEPT # everything else goes out.

Now modify the main chain:
-A FORWARD -i eth0 -o eth2 -j forward_in_filter # replaces the first ACCEPT rule above
-A FORWARD -i eth2 -o eth0 -j forward_out_filter # replaces the second ACCEPT rule above

Last edited by nimnull22; 12-28-2009 at 03:50 PM.
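An added example (not from the thread or from nimnull22) that turns the two-chain layout above into an iptables-restore fragment for the filter table, and checks the one mistake that silently defeats it: a plain ACCEPT left in FORWARD ahead of the jump. The interface names eth0/eth2 and the blocked addresses are assumptions.

```shell
#!/bin/sh
# gen_forward_rules "<blocked src IPs>" [wan_if] [dmz_if]
# Prints an iptables-restore fragment; load with: iptables-restore < forward.rules
gen_forward_rules() {
    _blocked="$1"      # space-separated source IPs to drop (assumed sample values)
    _wan="${2:-eth0}"  # NIC towards the Internet (assumption)
    _dmz="${3:-eth2}"  # NIC towards the "server" (assumption)
    printf '%s\n' '*filter'
    printf '%s\n' ':forward_in_filter - [0:0]'    # same as: iptables -N forward_in_filter
    printf '%s\n' ':forward_out_filter - [0:0]'
    # The jumps take the place of the two plain ACCEPT rules. If an ACCEPT stays
    # in front of the jump it matches first and the new chains are never consulted.
    printf '%s\n' "-A FORWARD -i $_wan -o $_dmz -j forward_in_filter"
    printf '%s\n' "-A FORWARD -i $_dmz -o $_wan -j forward_out_filter"
    # Incoming to the server: drop listed sources, let everything else through.
    for _ip in $_blocked; do
        printf '%s\n' "-A forward_in_filter -s $_ip -j DROP"
    done
    printf '%s\n' '-A forward_in_filter -j ACCEPT'
    # Outgoing from the server: replies to existing connections pass,
    # but the server may not open new connections towards the WAN.
    printf '%s\n' '-A forward_out_filter -m state --state NEW -j DROP'
    printf '%s\n' '-A forward_out_filter -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# check_forward_order "<ruleset text>": exit 0 if no plain ACCEPT in FORWARD
# precedes the first jump into forward_in_filter/forward_out_filter, else 1.
check_forward_order() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD .* -j ACCEPT$/ && !seen_jump { bad = 1 }
        /^-A FORWARD .* -j forward_(in|out)_filter$/ { seen_jump = 1 }
        END { if (bad) exit 1; exit 0 }'
}

# Example run: two constructed "nasty" addresses from the documentation ranges.
rules=$(gen_forward_rules "203.0.113.5 198.51.100.7" eth0 eth2)
printf '%s\n' "$rules"
check_forward_order "$rules" && echo "order OK: jumps are reached"
```

Pipe the output through `iptables-restore --test` on the firewall to syntax-check it before loading.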
#107, 12-28-2009, 02:28 PM, MikeHammer (Member, Original Poster):
OK, I should learn much more about iptables...

Do you mean that I could have one chain to filter "server" and another chain to filter "firewall" and the rest of the traffic that does not go to "server"??
And DROP in ALL of them??
 
#108, 12-28-2009, 02:39 PM, nimnull22 (Senior Member):
Quote: Originally Posted by MikeHammer
OK, I should learn much more about iptables...

Do you mean that I could have one chain to filter "server" and another chain to filter "firewall" and the rest of the traffic that does not go to "server"??
And DROP in ALL of them??
They are all for "firewall".

Do not change anything on "server" - its job is to be a web server.
"firewall" will do the rest.

Last edited by nimnull22; 12-28-2009 at 02:40 PM.
#109, 12-28-2009, 03:31 PM, MikeHammer (Member, Original Poster):
You mean leave all of the original script (the script that I pasted on page 1 of this thread) as it is, without changes, EXCEPT the FORWARD chain???

But then YES, make the changes that you have proposed in the filter FORWARD chain???
So that on the same "firewall" (and with a more refined filter) there is one chain to filter traffic to/from "server" and another chain to filter the rest of the WAN / LAN traffic???

Last edited by MikeHammer; 12-28-2009 at 03:44 PM.
 
#110, 12-28-2009, 03:38 PM, nimnull22 (Senior Member):
Quote: Originally Posted by MikeHammer
You mean leave all of the original script (the script that I pasted on page 1 of this thread) as it is, without changes???
BUT YES, make the changes that you have proposed in the filter FORWARD chain???
Leave the script on "server" without changes.

If you decide to filter traffic, make the changes in the "firewall" script.
#111, 12-28-2009, 03:57 PM, MikeHammer (Member, Original Poster):
No, I want to say:
Leave all of the original script on the machine "firewall" (the first script that I pasted on page 1 of this thread) as it is, without changes, except the FORWARD chain???

Then make the changes that you have proposed in the filter FORWARD chain???

So, applied on the same "firewall" (and with a more refined filter): one chain to filter traffic to/from "server" and another chain to filter the rest of the WAN / LAN traffic???
 
#112, 12-28-2009, 04:48 PM, nimnull22 (Senior Member):
Quote: Originally Posted by MikeHammer
No, I want to say:
Leave all of the original script on the machine "firewall" (the first script that I pasted on page 1 of this thread) as it is, without changes, except the FORWARD chain???
Leave the script which you have sent to this forum, "iptables_on_firewall.txt", in your post:
http://www.linuxquestions.org/questi...08#post3805608

Quote: Originally Posted by MikeHammer
Then make the changes that you have proposed in the filter FORWARD chain???
When you decide to, yes, change the FORWARD chain on the "firewall" computer in accordance with my suggestions.

Quote: Originally Posted by MikeHammer
So, applied on the same "firewall" (and with a more refined filter): one chain to filter traffic to/from "server" and another chain to filter the rest of the WAN / LAN traffic???
Traffic which goes from one NIC to the other (transit traffic) can be filtered only in the FORWARD chain.