iptables - Opening a range of ports
I've been reading post after post about iptables, and I have to admit that I'm still a little confused (newbie warning).
Here's the situation... I have 15 win-x computers connected to a Mandrake 8.1 server. I am the new IT guy here, and I'm not too familiar with Linux firewalls. I need everyone to be able to connect to the internet through port 400. Currently, we are blocked when trying to connect through this port. I may also need ports 6660 through 6670 to be opened up. I tried using:
Code:
iptables -A INPUT -p tcp -i interface0_in --dport 400 -j ACCEPT
That didn't do anything. Is there even a way to open the port for our entire office? This is a huge problem if it can't be done. Also, I'm not sure if we're using NAT or not. I looked at the iptables -nL and it's all greek to me. The listing was rather large, but here's some of it:
Code:
Chain FORWARD (policy DROP)
Re: iptables - Opening a range of ports
You should edit your post to not display the public IP address of your firewall!
Quite frankly it looks like you will have a lot of work to do: You can't expect people to understand the firewall concept you have implemented without posting the whole script along with a description of your network topology. Then again this is very sensitive information about your network, so at least edit out the public IP addresses should you decide to post this. Bottom line is you will have to understand iptables inside out and know what every one of the lines in your script does exactly, or else you're in for a lot of trouble. Good starting points are Rusty Russell's guides and man iptables. http://people.netfilter.org/rusty/unreliable-guides/
Right on. Thanks for the help. I'll see what I can find out.
Just for note, I didn't use my own IP address. I replaced all of my real IP addresses with a quickly spoofed one (63.202.100.150). Luckily I'm not that newbish :) If I can get just a single computer in my office to have access in/out on port 400, that may work. We have two people that need it, but even having one would be beneficial. This person's internal IP addy is 192.168.100.48. What's the easiest way to port forward to that address? Thanks again for your help. I'm still going through the tons of iptables documents I've printed out, so it could take awhile.
Code:
iptables -A FORWARD -i $IFACE_INT -p tcp --dport 400 -j ACCEPT
Code:
# POSTROUTING only knows the outgoing interface, so the match must be -o with the
# external interface; iptables rejects -i in this chain.
iptables -t nat -A POSTROUTING -o $IFACE_EXT -s 192.168.100.0/24 -j SNAT --to $IP_EXT
The second rule probably already is in place (or otherwise none of the workstations would have access to the outside world). If you want to keep the structure of the existing firewall script you should put the first rule in the network1_out chain.
If what you want is people from the outside being able to contact your external IP and get redirected to 192.168.100.48, you need two rules. Redirect $IP_EXT:400 to 192.168.100.48:400:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 400 -i $IFACE_EXT -d $IP_EXT -j DNAT --to 192.168.100.48
Code:
iptables -A FORWARD -p tcp --dport 400 -d 192.168.100.48 -j ACCEPT
The above will work without any other rules in place. You will need to find the right place to add them to your iptables script. The order of the rules in a chain is vital. You didn't post your nat table (iptables -t nat -nvL) so I can't tell you if there are rules in there that might interfere with this one.
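The reply above gives the rules one at a time; the script below (an added example, not code from either poster) assembles them into one place so the ordering, the interface matches, and the port-range syntax for 6660 through 6670 are visible together. The interface names, the public address and the LAN subnet are placeholders set through environment variables, and IPT defaults to iptables; the script prints the commands (IPT=echo) unless it is run with --apply, so it can be read and checked before anything is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders (override via environment):
#   IFACE_INT  LAN-side interface      IFACE_EXT  internet-side interface
#   IP_EXT     firewall public address LAN        office subnet
#   PORT_HOST  workstation that should receive inbound port 400
IFACE_INT=${IFACE_INT:-eth1}
IFACE_EXT=${IFACE_EXT:-eth0}
IP_EXT=${IP_EXT:-198.51.100.10}      # documentation-range placeholder, not a real address
LAN=${LAN:-192.168.100.0/24}
PORT_HOST=${PORT_HOST:-192.168.100.48}
IPT=${IPT:-iptables}                 # set IPT=echo to print instead of apply

office_rules() {
    # With a FORWARD policy of DROP, replies to connections the office opened
    # must be let back in explicitly; this rule goes first so it is hit most often.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound port 400 for every workstation on the LAN.
    $IPT -A FORWARD -i "$IFACE_INT" -o "$IFACE_EXT" -s "$LAN" -p tcp --dport 400 -j ACCEPT
    # A contiguous range is written low:high on --dport; no loop over single ports.
    $IPT -A FORWARD -i "$IFACE_INT" -o "$IFACE_EXT" -s "$LAN" -p tcp --dport 6660:6670 -j ACCEPT
    # Rewrite the office's source address to the public one on the way out.
    # POSTROUTING sees only the outgoing interface, so -o (never -i) is the match.
    $IPT -t nat -A POSTROUTING -o "$IFACE_EXT" -s "$LAN" -j SNAT --to "$IP_EXT"
}

inbound_400_rules() {
    # Inbound: the destination is rewritten in nat/PREROUTING before routing,
    # then the rewritten packet must still pass FORWARD. Matching --dport 400
    # in both places exposes only that service on the workstation, not the host.
    $IPT -t nat -A PREROUTING -i "$IFACE_EXT" -d "$IP_EXT" -p tcp --dport 400 -j DNAT --to "$PORT_HOST:400"
    $IPT -A FORWARD -i "$IFACE_EXT" -d "$PORT_HOST" -p tcp --dport 400 -j ACCEPT
}

# Dry-run helper: number of iptables invocations a rule function would make.
count_rules() {
    ( IPT=echo; "$1" ) | wc -l | tr -d ' '
}

case "${1:-}" in
    --apply) office_rules; inbound_400_rules ;;
    *)       IPT=echo; office_rules; inbound_400_rules ;;   # default: print only
esac
```

Run it with no arguments to review the exact commands it would issue; run it with --apply as root only after the printed rules match the chain layout of the existing firewall script, since appending to FORWARD after an existing catch-all DROP rule would leave the new rules unreachable.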