LinuxQuestions.org
Linux - Networking
Old 06-05-2006, 05:24 PM   #1
xxrsc
LQ Newbie
 
Registered: Nov 2005
Posts: 11

Rep: Reputation: 0
iptables firewall rule question


I have a Fedora machine set up with a wireless card that accesses a wireless router. This IP address is in the 192.168.0.1 range. This machine also has a NIC with the IP address range 172.16.0.0. This NIC is connected to a switch to which other Windows machines are connected, also in the 172.16.0.0 range. With IP masquerade/NAT set up, these machines have no problem accessing the internet as well as machines on the 192.168.0.0 side. But I can't access the 172.16.0.0 machines from the 192.168.0.0 side.

So after reading some stuff about iptables and rules, with my limited knowledge of networking, I would like some help on how to allow only say 192.168.0.3 to access 172.16.0.6. Hopefully I am making some sense here.
 
Old 06-05-2006, 07:27 PM   #2
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 78
On all your 192.168.0.0/24 machines (except wireless router and the fedora machine) make a route for the 172.16.0.0 network pointing to the fedora machine. Enable forwarding on the fedora machine. See if it works with flushed (clean slate) iptables. If so, see if it works with the current iptables. If not, post back with your iptables script, and we'll see what the problem is.
 
Old 06-05-2006, 07:48 PM   #3
xxrsc
LQ Newbie
 
Registered: Nov 2005
Posts: 11

Original Poster
Rep: Reputation: 0
I should have mentioned that the 192.168.0.0 side has a route. I can ping 172.16.0.1, which is the internal NIC on the Fedora box. But I can't ping past it. So I figure the Fedora box is dropping those pings/packets that are outgoing from the 172.16.0.1 NIC. Anyway, here's part of the script. Thanks for the help.



echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
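The script above only lets packets back in on $EXTIF when they are ESTABLISHED or RELATED, so a new connection (a ping, or a TCP SYN) from 192.168.0.3 towards 172.16.0.6 hits the FORWARD DROP policy. The following is an added example, not the poster's script: it rewrites the FORWARD section so that the wireless side can open connections only through explicit pinholes, and adds a source match on the LAN side that the original rule lacked. It assumes EXTIF=wlan0 and INTIF=eth0 (the interface names from the route table later in the thread), INTNET=172.16.0.0/16, and the single pinhole 192.168.0.3 -> 172.16.0.6 the poster asked for; the allow-list is a constructed sample. DRY_RUN=1 prints the commands instead of running them, which is also what the script does when invoked without arguments.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumed names (not given
# on the page): EXTIF=wlan0, INTIF=eth0, INTNET=172.16.0.0/16 and the pinhole
# 192.168.0.3 -> 172.16.0.6. DRY_RUN=1 prints commands instead of running them.

IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-wlan0}
INTIF=${INTIF:-eth0}
INTNET=${INTNET:-172.16.0.0/16}

# Constructed allow-list: "src dst [proto dport]", one pinhole per line.
# A line without proto/dport admits every protocol between the two hosts.
PINHOLES='
192.168.0.3 172.16.0.6
192.168.0.3 172.16.0.7 tcp 3389
'

# Run iptables, or just print the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else "$IPTABLES" "$@"; fi
}

# Emit one FORWARD rule per pinhole. Only NEW connections need a rule: the
# stateful ACCEPT placed first in apply_forward admits their replies.
forward_pinhole_rules() {
    printf '%s\n' "$PINHOLES" | while read -r src dst proto port; do
        [ -n "$src" ] || continue
        portspec=""
        if [ -n "$proto" ]; then portspec="-p $proto --dport $port"; fi
        echo "-A FORWARD -i $EXTIF -o $INTIF -s $src -d $dst ${portspec:+$portspec }-m state --state NEW -j ACCEPT"
    done
}

# Rebuild the FORWARD chain. Order matters: iptables takes the first match.
apply_forward() {
    run -P FORWARD DROP
    run -F FORWARD
    # 1. Replies for any connection conntrack already knows, both directions.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. The switched LAN may open anything outward. The -s match rejects
    #    packets arriving on $INTIF with a spoofed source (the original had none).
    run -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -m state --state NEW -j ACCEPT
    # 3. Pinholes from the wireless side into the LAN.
    forward_pinhole_rules | while read -r rule; do
        run $rule
    done
    # 4. Everything else is logged, then dropped by the chain policy.
    run -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
}

# Preview by default; pass "apply" (as root) to load the rules for real.
case "${1:-preview}" in
    apply) apply_forward ;;
    *) ( DRY_RUN=1; apply_forward ) ;;
esac
```

The MASQUERADE rule from the original script can stay as it is: it only rewrites the source of connections that are NEW on $EXTIF, and a connection that 192.168.0.3 opened towards 172.16.0.6 already has a conntrack entry without NAT, so its replies are routed back untouched. Leaving the 192.168.0.x hosts with the static route from post #2 is still required, otherwise they send the 172.16.0.0 traffic to the wireless router instead of the Fedora box.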
 
Old 06-05-2006, 07:52 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
one question: are you willing to use DNAT to do it?

also, what does your output of "/sbin/route -n" look like?

Last edited by win32sux; 06-05-2006 at 08:03 PM.
 
Old 06-05-2006, 08:04 PM   #5
xxrsc
LQ Newbie
 
Registered: Nov 2005
Posts: 11

Original Poster
Rep: Reputation: 0
I'm not familiar with DNAT. What are the advantages and/or drawbacks?
 
Old 06-05-2006, 09:51 PM   #6
xxrsc
LQ Newbie
 
Registered: Nov 2005
Posts: 11

Original Poster
Rep: Reputation: 0
Results of route -n


Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 wlan0
 
Old 06-06-2006, 06:41 PM   #7
xxrsc
LQ Newbie
 
Registered: Nov 2005
Posts: 11

Original Poster
Rep: Reputation: 0
Any ideas?
 
Old 06-06-2006, 07:28 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by xxrsc
Any ideas?
here's one idea you could try:
Code:
echo "0" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle

$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A FORWARD -m state --state \
ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF \
-m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -s 192.168.0.0/24 \
-d 172.16.0.0/24 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

$IPTABLES -t nat -A PREROUTING -i $EXTIF \
-d 192.168.100.6 -j DNAT --to-destination 172.16.0.6

$IPTABLES -t nat -A PREROUTING -i $EXTIF \
-d 192.168.100.7 -j DNAT --to-destination 172.16.0.7

$IPTABLES -t nat -A PREROUTING -i $EXTIF \
-d 192.168.100.8 -j DNAT --to-destination 172.16.0.8

$IPTABLES -t nat -A PREROUTING -i $EXTIF \
-d 192.168.100.9 -j DNAT --to-destination 172.16.0.9

$IPTABLES -t nat -A PREROUTING -i $EXTIF \
-d 192.168.100.10 -j DNAT --to-destination 172.16.0.10

# Etc, etc, etc...

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/ip_forward
this should allow the boxes on 192.168.0.0/24 to connect to the boxes on 172.16.0.0/24, by having them connect to a respective 192.168.100.0/24 address, which would be an aliased IP on $EXTIF... the destination address of 192.168.100.0/24 on the packets coming from the 192.168.0.0/24 network would get *translated* (DNAT = destination network address translation) into destinations in the 172.16.0.0/24 network...

just my ...

Last edited by win32sux; 06-06-2006 at 07:38 PM.
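The DNAT approach in the post above needs two things the snippet leaves implicit: the 192.168.100.x aliases have to be bound on $EXTIF, and the DNAT target takes its new destination through --to-destination. The following is an added example, not win32sux's script: it generates the alias, the PREROUTING DNAT rule and a FORWARD pinhole for each mapping, with the pinhole limited to the wireless clients that should be allowed to use it. It assumes EXTIF=wlan0, INTIF=eth0 (the names from the route table), alias network 192.168.100.0/24, and a constructed mapping list; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not win32sux's script. Assumed names (not on the page):
# EXTIF=wlan0, INTIF=eth0, ALIASNET=192.168.100, INTNET=172.16.0 and the
# mapping list below. DRY_RUN=1 prints the commands instead of running them.

IPTABLES=${IPTABLES:-/sbin/iptables}
IP=${IP:-/sbin/ip}
EXTIF=${EXTIF:-wlan0}
INTIF=${INTIF:-eth0}
ALIASNET=${ALIASNET:-192.168.100}   # alias prefix bound on $EXTIF
INTNET=${INTNET:-172.16.0}          # internal host prefix behind $INTIF
LANNET=${LANNET:-172.16.0.0/16}     # whole switched LAN, from the route table

# Constructed map: "alias_host internal_host allowed_source". The third field
# is the wireless client (or network) permitted to use that mapping.
MAPPINGS='
6 6 192.168.0.3
7 7 192.168.0.0/24
'

# Run the given command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Bind each alias on $EXTIF, translate its traffic to the internal host and
# open the matching FORWARD pinhole. "ip addr replace" is idempotent, so the
# script can be re-run without "File exists" errors.
dnat_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r a i src; do
        [ -n "$a" ] || continue
        run "$IP" addr replace "$ALIASNET.$a/24" dev "$EXTIF"
        run "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -d "$ALIASNET.$a" \
            -j DNAT --to-destination "$INTNET.$i"
        # FORWARD runs after PREROUTING, so it sees the translated destination.
        run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -s "$src" -d "$INTNET.$i" \
            -m state --state NEW -j ACCEPT
    done
}

apply_dnat() {
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -F FORWARD
    run "$IPTABLES" -t nat -F PREROUTING
    # Replies for known connections, both directions; conntrack also undoes
    # the DNAT on the way back, so the mappings need no SNAT of their own.
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN may open anything outward; -s rejects spoofed sources on $INTIF.
    run "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LANNET" -m state --state NEW -j ACCEPT
    dnat_rules
    run "$IPTABLES" -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
    # Masquerading stays for LAN -> wireless traffic (NEW connections only).
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Preview by default; pass "apply" (as root) to load aliases and rules.
case "${1:-preview}" in
    apply) apply_dnat ;;
    *) ( DRY_RUN=1; apply_dnat ) ;;
esac
```

One caveat a practitioner would check first: the clients on 192.168.0.0/24 still have to reach 192.168.100.0/24 through the Fedora box, so they need a route for that network pointing at it (the same kind of route post #2 asks for), otherwise they hand the packets to the wireless router's default gateway. Using spare addresses from 192.168.0.0/24 as aliases avoids the extra route but must not collide with the wireless router's DHCP range.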
 
Old 06-07-2006, 02:57 PM   #9
xxrsc
LQ Newbie
 
Registered: Nov 2005
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks. When I get some free time I'll work with it and see what happens.
 