iptables: about FORWARDING and nat
I have been thinking about how to solve one problem for a long time. Then, finally decided to ask on the forum.
I want to use iptables to build a firewall. The current network infrastructure is:

              Internet 172.16.0.2
                      |
                      |
    eth2 - 172.16.0.1 (172.16.0.1/30)
           Router (firewall)
    eth0 - 192.168.1.1 (192.168.1.1/24)
                      |
                      |
           192.168.1.11 Internal Ethernet

What I want to do is to configure the firewall so the router can forward the Ethernet request to the Internet. For example, the Ethernet can ssh to the Internet through the firewall. My questions are: (1) how to use FORWARD to implement this? (2) Do I need to use nat (PREROUTING and POSTROUTING) for this case? If no, when should I use nat for forwarding packets? Thanks! |
Re: iptables: about FORWARDING and nat
Quote:
to allow SSH from your LAN to the Internet, something like this should do the trick: Code:
iptables -P FORWARD DROP |
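The rule list in the reply above is cut off in the quoting, so here is an added example (not the poster's code) of a complete ruleset for the topology in the question. The interface names, addresses and the 172.16.0.2 upstream come from the post; the INPUT policy, the conntrack matches and the SNAT choice are my assumptions. It answers both questions: FORWARD is what a packet traversing the router from eth0 to eth2 is checked against, so one rule for new SSH sessions plus one for established return traffic is enough, and nothing arriving on eth3 matches, so it falls to the DROP policy. The nat table is only needed when the upstream host cannot route replies back to 192.168.1.0/24 (it is a private range, so 172.16.0.2 would need an explicit route to it via 172.16.0.1); `MODE=nonat` produces the ruleset for that case. Without `APPLY=1` the script only prints the ruleset in iptables-restore format for review.

```shell
#!/bin/sh
# Added example, not from the thread: minimal forwarding firewall for
# Internet (172.16.0.2) -- eth2 [router] eth0 -- 192.168.1.0/24.
# Run as root with APPLY=1 to load it; otherwise it only prints the rules
# (check them with `iptables-restore --test` if your version has it).

WAN_IF=eth2                 # towards the Internet, 172.16.0.1/30 (from the post)
LAN_IF=eth0                 # wired LAN, 192.168.1.1/24 (from the post)
LAN_NET=192.168.1.0/24
WAN_ADDR=172.16.0.1

# build_ruleset: print the ruleset in iptables-restore format.
# $1 = "nat"   -> add source NAT on the WAN side (assumed default)
#      "nonat" -> rely on 172.16.0.2 having a route back to $LAN_NET
build_ruleset() {
    mode=${1:-nat}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic to the router itself: loopback, replies, and SSH from the wired LAN
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# forwarded traffic: the return half of known sessions, then NEW SSH from
# $LAN_IF out $WAN_IF only. A wireless LAN on eth3 matches nothing here and
# is dropped by the chain policy.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
    if [ "$mode" = nat ]; then
        cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the LAN source to $WAN_ADDR so 172.16.0.2 can answer without a
# route to $LAN_NET. SNAT instead of MASQUERADE because $WAN_IF is static.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_ADDR
COMMIT
EOF
    fi
}

# count_forward_accepts: number of ACCEPT rules in FORWARD for a mode;
# a review helper so the generated ruleset can be checked without loading it.
count_forward_accepts() {
    build_ruleset "$1" | grep -c '^-A FORWARD .* -j ACCEPT$'
}

main() {
    rules=$(build_ruleset "${MODE:-nat}")
    if [ "${APPLY:-0}" = 1 ]; then
        # echo into /proc from an init script is easy to get wrong; sysctl
        # does the same thing. Persist it with net.ipv4.ip_forward=1 in
        # /etc/sysctl.conf.
        sysctl -w net.ipv4.ip_forward=1
        printf '%s\n' "$rules" | iptables-restore
    else
        printf '%s\n' "$rules"
    fi
}

main "$@"
```

To see whether the rules are the problem, watch the WAN side on the router while a LAN host runs `ssh 172.16.0.2`: `tcpdump -ni eth2 'tcp port 22'`. A SYN leaving eth2 with source 172.16.0.1 (or 192.168.1.11 in nonat mode) means FORWARD and the nat table did their job; what comes back decides the rest. A "Connection refused" at the client means a TCP RST came back through the firewall, so the forward and return paths work and it is the remote host that has nothing listening on port 22.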
Re: Re: iptables: about FORWARDING and nat
Thanks for your reply. It saves me a lot of time. One more thing: what if I had a wireless LAN, and I only wanted to allow Ethernet to access the Internet? How could I apply this rule to the firewall?
Fei |
you mean like if you had a wireless router connected to the switch on eth0??
|
Quote:
Code:
iptables -P FORWARD DROP |
Quote:
|
sorry, i'm not sure i understand what you're asking... :confused:
|
Sorry. I was out of my mind. I was trying to say that if there was another networking interface, eth3, on the router, that connects to a wireless LAN. And I only want packets to be forwarded if they come from eth0. So the Ethernet can ssh to the Internet, but the wireless LAN can't.
|
oh, okay... well, the rules i posted would NOT allow anything coming from eth3 to go out... the rules specify the packets must come in through eth0 and go out through eth2... anything coming from eth3 would be met with the default policy of DROP... you'd need to add rules for packets coming from eth3 so they could get forwarded...
so basically the rules as posted do what you want... :) |
I realised that after I asked the question. Anyway, Thanks a lot.
Fei |
I tried the code. It won't work. On a machine with IP 192.168.1.11 on Ethernet, I tried to ssh to the Internet using IP 172.16.0.2. Is something wrong with the code?
|
do you have forwarding enabled??
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward |
I have ip_forward enabled. The code is not working. How can I test the firewall, using tcpdump?
|
please post the output of these:
Code:
iptables -L
Code:
iptables -t nat -L |
Just realised the "echo 1 > /proc/sys/net/ipv4/ip_forward" didn't work in the rc.firewall script; I had to type it at the command prompt to enable ip_forward.
After that, the output of ssh 172.16.0.2 is: ssh: connect to host 172.16.0.2 port 22: Connection refused. Have any idea what's wrong? |