04-07-2013, 08:56 AM
#1
LQ Newbie
Registered: Apr 2013
Posts: 2
Iptables
Hello everybody,
I have to do a school project with iptables, and after a week of trying to understand iptables I still didn't figure out how to do my project. So maybe someone here can help me.
I have to make .sh scripts. The first one should let everybody on the network use only HTTP and HTTPS. The second one should let only two computers on the network use HTTP and HTTPS.
Eth0 is IN and Eth1 is OUT.
I would be very thankful if someone could help me.
Last edited by Barskalas; 04-07-2013 at 09:14 AM.
04-07-2013, 09:15 AM
#2
Member
Registered: Aug 2010
Location: Netherlands
Distribution: Kubuntu, Debian, Suse, Slackware
Posts: 317
So what have you done up to this point?
For example: did you take an existing Linux box with an active firewall, make a listing of the rules and study them?
What rules have you already written?
Cheers
04-07-2013, 09:24 AM
#3
LQ Newbie
Registered: Apr 2013
Posts: 2
Original Poster
Until now I have studied Linux scripts and learned a few basics about iptables. I'm still a newbie in Linux. I'm asking for help because I don't have much time left to show this project. It took me a while to understand the task itself.
04-07-2013, 10:07 AM
#4
Member
Registered: Jan 2010
Distribution: Debian, Oracle, Ubuntu, Slackware, OpenBSD, NetBSD, OpenWRT
Posts: 364
- Assuming your router's internal IP is 192.168.0.1, your internal network is 192.168.0.0/24 and your external IP is 12.13.14.15, this lets your LAN clients reach only HTTP (tcp/80) and HTTPS (tcp/443) outside:
Code:
#!/bin/bash
firewall_start() {
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    # Setting default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    # macros
    GATE_LAN_HOME="192.168.0.0/24"
    GATE_LAN_HOME_IP="192.168.0.1"
    GATE_WAN="12.13.14.15"
    # the kernel must be allowed to forward packets between eth0 and eth1 at all
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ###### NAT
    iptables -t nat -A POSTROUTING -s $GATE_LAN_HOME -o eth1 -j SNAT --to $GATE_WAN
    ##### INCOMING #####
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
    ######## FORWARDING #########
    # --dport is a tcp/udp option and a port list needs multiport;
    # "-p all --dport 80,443" is rejected by iptables
    iptables -A FORWARD -p tcp -s $GATE_LAN_HOME -m multiport --dports 80,443 -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
firewall_stop() {
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    # flushing alone keeps the DROP policies, which would then block all traffic; reset them
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
}
firewall_restart() {
    firewall_stop
    sleep 1
    firewall_start
}
case "$1" in
    'start')
        firewall_start
        ;;
    'stop')
        firewall_stop
        ;;
    'restart')
        firewall_restart
        ;;
    *)
        echo "usage $0 start|stop|restart"
        ;;
esac
- Assuming your router's internal IP is 192.168.0.1, your internal network is 192.168.0.0/24 and your external IP is 12.13.14.15, this lets only your LAN clients with IP addresses 192.168.0.8 and 192.168.0.19 reach HTTP (tcp/80) and HTTPS (tcp/443) outside:
Code:
#!/bin/bash
firewall_start() {
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    # Setting default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    # macros
    GATE_LAN_HOME="192.168.0.0/24"
    GATE_LAN_HOME_IP="192.168.0.1"
    GATE_WAN="12.13.14.15"
    # the kernel must be allowed to forward packets between eth0 and eth1 at all
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ###### NAT
    iptables -t nat -A POSTROUTING -s $GATE_LAN_HOME -o eth1 -j SNAT --to $GATE_WAN
    ##### INCOMING #####
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
    ######## FORWARDING #########
    # --dport is a tcp/udp option and a port list needs multiport;
    # "-p all --dport 80,443" is rejected by iptables
    iptables -A FORWARD -p tcp -s 192.168.0.8 -m multiport --dports 80,443 -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -p tcp -s 192.168.0.19 -m multiport --dports 80,443 -i eth0 -o eth1 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
firewall_stop() {
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    # flushing alone keeps the DROP policies, which would then block all traffic; reset them
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
}
firewall_restart() {
    firewall_stop
    sleep 1
    firewall_start
}
case "$1" in
    'start')
        firewall_start
        ;;
    'stop')
        firewall_stop
        ;;
    'restart')
        firewall_restart
        ;;
    *)
        echo "usage $0 start|stop|restart"
        ;;
esac
This script must be executable. If you place it where I do (/etc/rc.d/rc.firewall, but it may depend on your distribution), do 'chmod +x /etc/rc.d/rc.firewall' and tell your system to load it at startup. In my case that's done in /etc/rc.d/rc.local.
You may also start/stop/restart it by typing /etc/rc.d/rc.firewall start (or stop or restart).
Last edited by Lexus45; 04-07-2013 at 10:20 AM.
1 members found this post helpful.
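The two scripts above differ only in which sources are listed in the FORWARD chain. The following is an added example, not the poster's script, that generalizes them: one generator emits the FORWARD rules for any number of allowed LAN hosts (or a whole subnet), and a dry-run mode prints the iptables commands instead of applying them so the ruleset can be reviewed before it touches the router. It assumes eth0 is the LAN side and eth1 the WAN side, as in the thread, and that the binary is found as iptables; the hostnames and the IPT/LAN_IF/WAN_IF variables are this example's own.

```shell
#!/bin/sh
# Added example (not the poster's script). Generates the FORWARD rules that
# let a list of LAN sources reach HTTP/HTTPS only, in a testable way.
# Assumptions: LAN side eth0, WAN side eth1 (as in the thread); set IPT=echo
# to print the commands instead of running them.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# allow_web_from SRC...
# One ACCEPT rule per source for new TCP connections to ports 80 and 443,
# then a single rule for the return traffic. "-p tcp" is required because
# --dports is a TCP/UDP option, and "-m multiport" is what makes the
# comma-separated port list valid ("-p all --dport 80,443" is an error).
allow_web_from() {
    for src in "$@"; do
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$src" \
            -m multiport --dports 80,443 \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Replies for the connections accepted above (conntrack is the current
    # name for what "-m state --state" does in the thread's script).
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# preview_rules SRC...
# Dry run: prints the iptables commands allow_web_from would execute.
preview_rules() {
    ( IPT=echo; allow_web_from "$@" )
}

# count_rules SRC... -> number of FORWARD rules the generator emits
count_rules() {
    preview_rules "$@" | wc -l | tr -d ' '
}

# Apply only when invoked as:  sh allow_web.sh --apply HOST...
# e.g.  sh allow_web.sh --apply 192.168.0.8 192.168.0.19   (the two-host case)
#       sh allow_web.sh --apply 192.168.0.0/24              (the whole LAN)
if [ "${1:-}" = "--apply" ]; then
    shift
    echo 1 > /proc/sys/net/ipv4/ip_forward   # the router must forward at all
    "$IPT" -P FORWARD DROP                     # anything not listed is dropped
    allow_web_from "$@"
fi
```

Run it with `IPT=echo sh allow_web.sh --apply 192.168.0.8 192.168.0.19` to see exactly which rules would be added before doing it for real. Like the scripts in the thread, it forwards only tcp/80 and tcp/443, so the clients' DNS queries (udp/53) are not forwarded; that matches the assignment's wording, but it is the first thing to check if "web only" clients cannot resolve names.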