iptables and ip aliases
I run my Mandrake 10 box with this ifconfig:
Code:
eth0 Link encap:Ethernet HWaddr 00:A0:A2:00:D8:5C
I found this script to enable internet sharing from Mandrake to Windows, and it works well:
Code:
#!/bin/sh
When I try to set a rule like this:
Code:
iptables -A OUTPUT -o eth0:1 -s 192.168.0.1/24 -d 192.168.0.0/24 -j ACCEPT
Code:
Warning: wierd character in interface `eth0:1' (No aliases, :, ! or *).
1. allow every protocol inside my LAN
2. protect my LAN from the internet
3. allow my laptop and my Mandrake box to access the internet without problems (POP3, FTP, HTTP, P2P)
4. allow my Mandrake box to accept incoming connections from the internet with FTP, HTTP, P2P, WEBMIN etc.
Thank you in advance.
SC
Quote:
iptables -A OUTPUT -o eth0:1 -s 192.168.0.1/24 -d 192.168.0.0/24 -j ACCEPT

what do u want to do? it is not necessary to block the output chain. it is your local output. eth0:1 doesn't work here too. i don't know if it is possible to use aliased net devices. u can configure your firewall like this without "eth0:1": if u want to share your internet securely, u must do that by the FORWARD chain.
Code:
iptables -F FORWARD    # remove all rules in the forward chain
iptables -P FORWARD DROP    # assign the default policy DROP to the FORWARD chain
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT    # accept all packets which come from 192.168.0.0/24 and go to other networks (like the internet)
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT    # allow all established/related packets
now your local networks behind your firewall are secure enough. and if u wanna secure your gateway linux, u must do that by the INPUT chain:
Code:
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -d lo -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and open the necessary ports coming from the ppp0 interface like that:
Code:
iptables -A INPUT -i ppp0 -p (protocol) --dport (port_no) -j ACCEPT
u can see the protocols and port numbers of services in the /etc/services file. u can add these iptables rules to your iptables scripts. good luck
Wonderful!!
It works!!! (until now :-)
Only one problem: iptables doesn't like the "lo" interface
Code:
iptables v1.2.9: host/network `lo' not found
Code:
iptables -A INPUT -d lo -j ACCEPT
Code:
iptables -A INPUT -d 127.0.0.1/255.0.0.0 -j ACCEPT
Code:
#!/bin/sh
thanks a lot.
SC
first problem...
It seems that I can't connect to my ppp0 address (every protocol fails: FTP, HTTP, etc.)
So I think I'm unreachable from the internet. What's gone wrong?
thanx
SC
workaround!
I found this workaround:
Code:
iptables -A INPUT -s $EXTIP -j ACCEPT
Code:
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
Now, another question: is this rule secure, or do I have to allow only some protocols?
Thanx!!!
SC
Can u send the contents of /proc/net/dev of the machine from where u have executed the ifconfig command?
Thank U in advance.
Regards,
-Ranganathan.
Re: Wonderful!!
Quote:
Code:
iptables -A INPUT -i lo -j ACCEPT
u should allow only certain protocols. like this:
Code:
iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT    # do this if u have an ftp server on the gateway box
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT    # do this if u have an http server on the gateway box
additional info: if u have a server behind your firewall u can forward that service port.
Code:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.0.10
this will forward http packets (tcp 80) to 192.168.0.10 if the packets come in on ppp0. also u don't have to type $EXTIP, u can use the device name, like ppp0. and u mustn't use:
Code:
iptables -A INPUT -i ppp0 -j ACCEPT
if u do, u will allow everything that comes from the external network to the gateway box.. it is not recommended.
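The ruleset the two replies sketch (default-deny FORWARD and INPUT, loopback matched by interface, LAN accepts, per-service ports on ppp0, the DNAT forward) assembled into one dry-run script, as an added example that is not a script from this thread. The 10.0.0.0/24 network and the 192.168.0.10 server come from the replies; the MASQUERADE rule, the FORWARD accept for the DNATed traffic, and the is_blanket_accept helper are assumptions added here, and IPT defaults to "echo iptables" so nothing is applied.

```shell
# Added example (not a script from the thread): the gateway ruleset the replies
# describe, as a dry run. IPT defaults to "echo iptables" so rules are printed
# for review; run with IPT=iptables as root to actually apply them.
IPT="${IPT:-echo iptables}"
LAN="192.168.0.0/24"       # inner LAN from the thread
LAN2="10.0.0.0/24"         # second local network named in the reply
EXT="ppp0"                 # dial-up interface facing the internet
WEB_SERVER="192.168.0.10"  # LAN host from the reply's DNAT example
GATEWAY_PORTS="21"         # tcp services the gateway itself offers (ftp here)
gateway_rules() {
    $IPT -F INPUT;   $IPT -P INPUT DROP      # default deny toward the gateway
    $IPT -F FORWARD; $IPT -P FORWARD DROP    # default deny for routed traffic
    # Loopback is matched by interface; "-d lo" fails because lo is not an address.
    $IPT -A INPUT -i lo -j ACCEPT
    for net in "$LAN" "$LAN2"; do            # local networks are trusted
        $IPT -A INPUT   -s "$net" -j ACCEPT
        $IPT -A FORWARD -s "$net" -j ACCEPT
    done
    # Replies to connections opened from inside, or by the gateway itself.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internet sharing needs source NAT out of ppp0 (assumed: the thread's
    # sharing script is not shown; this is the usual MASQUERADE rule).
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
    # Open only named services on the external side, never the whole interface.
    for port in $GATEWAY_PORTS; do
        $IPT -A INPUT -i "$EXT" -p tcp --dport "$port" -j ACCEPT
    done
    # Forward HTTP arriving on ppp0 to the LAN web server. Under a DROP policy
    # the DNAT alone is not enough: the rewritten packet still traverses FORWARD.
    $IPT -t nat -A PREROUTING -i "$EXT" -p tcp --dport 80 -j DNAT --to "$WEB_SERVER"
    $IPT -A FORWARD -i "$EXT" -d "$WEB_SERVER" -p tcp --dport 80 -j ACCEPT
}
# Review helper: true when an INPUT rule accepts a whole interface or source
# without narrowing to a service (the pattern the reply warns against).
is_blanket_accept() {
    case "$1" in *"-A INPUT "*"-j ACCEPT"*) ;; *) return 1 ;; esac
    case "$1" in
        *"--dport "*|*"--state "*|*"-i lo "*|*"-s $LAN "*|*"-s $LAN2 "*) return 1 ;;
    esac
    return 0
}
# Print every generated rule the helper considers too broad (empty = clean).
audit_rules() {
    gateway_rules | while read -r rule; do
        if is_blanket_accept "$rule"; then echo "BLANKET: $rule"; fi
    done
}
gateway_rules
```

Running it as-is prints the rules for inspection; `audit_rules` prints nothing for this set, and flags a rule such as the thread's `-s $EXTIP -j ACCEPT` workaround.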
Quote:
I think it means "accept all packets coming from the source $EXTIP", right? And when I type iptables -L I find this line about it:
Code:
ACCEPT all -- host100-11.pool8000.myserver.com anywhere
Thank you all!
SC
uh?
uh? Ok .. I'm right! :p
Thanks a lot!
SC