Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
hey everyone,
i need some help with an iptables rule i created last night. My setup is as follows:
slack 10.2, 2.6.10. iptables 1.3.5
eth1 is the internet interface - (that is, its the interface pointing to my linksys router which of course is doing the first nat.) eth0 is the inside LAN interface - this interface is cross-over cabled to a red hat apache web server.
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.7 -m multiport
--dport 80,443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -f filter -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
the problem:
these rules work fine, i can enter in my public address and the linksys will nat it to 192.168.1.7 and then iptables kick in and i DO actually reach my web server so it worked perfectly! BUT i want to be able to SSH to the Linux firewall (192.168.1.7) i used to be able to access this from the public address and port forward it though the linksys which its still set up to do. now i am going straight to the apache server 10.1.1.2 and SSH'ing to that!.
Well i know it’s because anything coming to the 192.168.1.7.interface is being translated. how can i nat everything else EXCEPT for ssh traffic???
any ideas on what i can insert into my ruleset to allow me to ssh JUST to my firewall?
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.7
This will NAT anything from the local network.. and automatically un-NAT any replies..
iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.1.1.2
This will forward any requests for web service to the web server.
Also needed are..
echo 1 > /proc/sys/net/ipv4/ip_forward # to allow forwarding for the PREROUTING rule
The router also needs to forward the same tcp ports to 192.168.1.7..
The webserver needs to have 10.1.1.1 as a gateway in routing..
Usu the default iptables POLICYs are ACCEPT, so you don't need any other rules.. However read this tutorial for more example scripts and basic info.. http://iptables-tutorial.frozentux.n...-tutorial.html
i have read that tutorial asctually and it is very good.
however, my problem is this:
the rules that i have in place DO work. the web server's gateway is correct, it can reach outside and i can reach it from the outside.
i have already done everything that you mentioned except the echo 1 > /proc/sys/net/ipv4/ip_forward # to allow forwarding for the PREROUTING rule.
the goal was to provide access to my web server (10.1.1.2) from the outside but ALSO be able to manage the firewall (192.168.1.7) from an SSH Session from the outside. this is now not happening. i can reach the web server fine but no ssh to 192.168.1.7.
my question was is there a way to now SSH JUST to my firewall 192.168.1.7. as well as nat port 80 traffic to the web server? i realize i can't ssh to 192.168.1.7 becasue everything hitting that interface is being nat'd to 10.1.1.2. im wondering if there's a rule that will allow me to nat everything BUT ssh traffic? the tutorial doesn't mention this.
Doing NAT your way only works if the router has a static rule for finding the gateway to the 10.1.1.0 network, or if it's smart enough to remember the source MAC address.
Either way that's a major security problem for ip-in-ip encapsulation attacks.
Anyone on your router's net can set you up as a default gw and your router will give them free access via the static route. Simply sniffing your router's network traffic will reveal all..
The standard is to give nothing away. Only NAT to your interface's address.
Only use static rules for outward access or for publicly available networks.
Your rules work, except for anything not http..
The port forwarding in your router should only be for the ports you use.
eg forward 22, 80 & 443 to 192.168.1.7
The iptables rules only need to then forward 80 & 443 for the web server.
This the KISS principle.. Keep It So Simple ..
Last edited by peter_robb; 03-05-2006 at 02:26 PM.
Could you also post the whole iptables script, just to see how all your rules come together, this will help us to understand the whole process and give a better chance of fixing the issue
Thanks for the reply,
i think what i am going to do is flush all the tables and begin again. i am doing this on a test network before going live so its not that bad. i will defintely be taking all your advise as i am no expert but am curious to learn.
i will be putting together a new firewall script tonight.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
