iptables: about FORWADING and nat
I have been thinking about how to solve one problem for a long time. Then, finally decided to ask on the forum.
I want to use iptables to build a firewall. The current network infrastucture is Internet 172.16.0.2 | | eth2 - 172.16.0.1(172.16.0.1/30) Router (firewall) eth0 - 192.168.1.1(192.168.1.1/24) | | 192.168.1.11 Internel Ethernet What I want to do is to configure the firewall, so the router can forwad the Ethernet request to the Internet. For example, the Ethernet can ssh to the Internet through the firewall. My questions are: (1) how to use FORWARD to implement this? (2) Do I need to use nat (PREROUTING and POSTROUTING) for this case? If no, When should I use nat for forwarding packets? Thanks! |
Re: iptables: about FORWADING and nat
Quote:
to allow SSH from your LAN to the Internet, something like this should do the trick: Code:
iptables -P FORWARD DROP |
Re: Re: iptables: about FORWADING and nat
Thanks for your reply. It saves me a lot time. One more thing: What if I had a wireless LAN, and I only wanted to allow Ethernet to access the Internet. How could I apply this rule to the firewall?
Fei |
you mean like if you had a wireless router connected to the switch on eth0??
|
Quote:
Code:
iptables -P FORWARD DROP |
Quote:
|
sorry, i'm not sure i understand what you're asking... :confused:
|
Sorry. I was out of my mind. I was trying to say that if there was another networking interface, eth3, on the router, that connects to a wireless lan. And I only want packets been forwarded if they come from eth0. So, ther ethernet can ssh to internet, but wireless lan cann't.
|
oh, okay... well, the rules i posted would NOT allow anything coming from eth3 to go out... the rules specify the packets must come in through eth0 and go out through eth2... anything coming from eth3 would be met with the default policy of DROP... you'd need to add rules for packets coming from eth3 so they could get forwarded...
so basically the rules as posted do what you want... :) |
I realised that after I asked the question. Anyway, Thanks a lot.
Fei |
I tried the code. It won't work. On a machine with IP 192.168.1.11 on Ethernet, I tried to ssh to the Internet using IP 172.16.0.2. Is something wrong with the code?
|
do you have forwarding enabled??
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward |
I have ip_forward enabled. The code is not working. How can I test the firewall, using tcpdump?
|
please post the output of these:
Code:
iptables -L Code:
iptables -t nat -L |
Just realised the "echo 1 > /proc/sys/net/ipv4/ip_forward" didn't work in rc.firewall script, I had to type on command prompt to enable ip_forward.
After that, the output of ssh 172.16.0.2 is : ssh: connect to host 172.16.0.2 port 22: Connection refused have any idea what's wrong? |
you can test the wall by adding a LOG rule to the end of the FORWARD chain and then monitoring the logfile when you attempt to SSH to the outside from within the LAN...
|
Output for iptables -L:
Code:
Chain INPUT (policy DROP) output for iptables -t nat -L Code:
Chain PREROUTING (policy ACCEPT) |
Quote:
Quote:
Quote:
|
YES, I'm using slackware for doing the firewall. IS this a problem of slackware.
|
Quote:
|
Quote:
i'd like to look at your rc.firewall to see what's going on here... |
my rc.firewall
Code:
#!/bin/sh |
Found one thing: I should disable "echo 0 > /proc/sys/net/ipv4/ip_forward" at the end. That's why "echo 1 > ..." didn't work
|
try this cleaned-up version i made of your script :):
Code:
#!/bin/sh |
Quote:
Code:
iptables -t nat -F |
i had missed the ESTABLISHED,RELATED rule in the FORWARD chain of the script i just posted and i just added it so please make sure you are using the latest one when you try...
|
sorry. Can you post the latest version again. Just want to make sure I'm using the right one
|
|
sorry still the same, connection refused
Code:
root@client1:~# ssh 172.16.0.2 |
I think some thing wrong the the server 172.16.0.2, not your fault. I'll try to fix it.
Seriously, Thanks for your help. It might took me forever to do it. It's so hard to understand how iptables works. Especially, FORWARD and nat. |
since there's no REJECT rules in the script, i'd have to say i believe the issue is at 172.16.0.2 (maybe there isn't even an ssh daemon running at that address)...
if the packet was getting dropped by this script you'd be getting a timeout and not a refusal... |
Quote:
hehe... still, the script you had was a mess, i know the one i posted will work much better for you, and it's much cleaner so you'll be able to understand it better... let me know if you have any questions about the script (or about iptables in general) and i'll be glad to do my best and answer them to help you get the hang of iptables... good luck... |
Some thing is wrong with 172.16.0.2. It should work at the first time you gave the code, if I could enabled ip_forward. There are so many things I need to know to solve a single prolbem. If I don't know enought, I cann't even find out what causes the problem.
One last thing. I'm really like playing with firewall. Do you know any good resource to learn iptables. (not doc on the http://netfilter.org. all the docs are leaking details of explanation for what's really going on). |
well, this tutorial is a very popular link here at LQ:
http://iptables-tutorial.frozentux.n...-tutorial.html personally i haven't read it, but it's always recommended by folks here at LQ... feel free to ask me any iptables questions you want... i'll be back online when i wake-up, i'm going to sleep now... take care buddy... buh-bye... |
i've added a few things to the script which i accidentally left-out yesterday cuz i was so sleepy:
- added input rule for loopback interface (very important)... - added "--sport 68" to the dhcp input rule cuz that's what dhcp packets look like, they come from port 68 and into port 67... - added "new not syn" input rule to drop any packets of state NEW which aren't SYN... you can get the updated script at the same place: http://www.linuxquestions.org/questi...70#post1640370 |
Hi, win32sux. I've got the forward and nat working properly. BUT, There is still one thing bothering me for a long time.
Code:
# (1) allow ssh from ralf to client1 Code:
# (1) allow ssh from ralf to client1 I don't know if I explained clearly. The question is how I can know when to check source port only and when to check destination port only?? Thanks. |
Quote:
Code:
$IPTABLES -A INPUT -p TCP -i $EthernetIface -s $EthernetIPs --dport 22 \ Code:
$IPTABLES -A INPUT -p TCP -i $EthernetIface -s 192.168.1.104 --dport 22 \ BTW, these rules you've posted aren't checking for the packet's state, kinda defeats the purpose of having a packet-state filtering firewall... those rules are part of the ones i erased when i cleaned-up your script as they didn't make any sense... as for the source ports: it depends, some connection types always use the same source port, some don't... you need to read docs in order to know which... for example, DHCP will use source port 68 by standard, but SSH won't use any specific source port so using a "--sport 22" in your SSH rules will give you nothing but headaches... |
All times are GMT -5. The time now is 11:44 PM. |