Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'm fairly new to iptables; they don't seem too complicated, but I am new. I followed a sample setup in the RedHat Bible and then added the seventh line from a posted suggestion. I need to forward incoming requests on eth0 (X.X.X.X) to a web server. I also need to use this as a proxy, but neither seems to work! I can ping the machine, I can ping out of it, and I can browse the web out of it. The file is printed below. Thanks for your help - again!
Quote:
# Generated by iptables-save v1.2.8 on Mon Jan 5 15:52:38 2004
*nat
:PREROUTING ACCEPT [36:3374]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:70]
-A POSTROUTING -o eth0 -j SNAT --to-source X.X.X.X
-A PREROUTING --dst X.X.X.X -p tcp -j DNAT --to-destination 192.168.1.12
COMMIT
# Completed on Mon Jan 5 15:52:38 2004
# Generated by iptables-save v1.2.8 on Mon Jan 5 15:52:38 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:okay - [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.1.4 -i lo -j ACCEPT
-A INPUT -s X.X.X.X -i lo -j ACCEPT
-A INPUT -d 192.168.1.255 -i eth1 -j ACCEPT
-A INPUT -d X.X.X.X -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 2401 -j okay
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
-A OUTPUT -s X.X.X.X -j ACCEPT
COMMIT
# Completed on Mon Jan 5 15:52:38 2004
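Two things in the dump above can be checked mechanically rather than by eye: the four INPUT rules for ports 21, 22, 80 and 2401 jump to the user-defined chain okay, which holds no rules (a packet entering an empty chain returns to INPUT and falls through to its DROP policy), and the PREROUTING DNAT rule has no --dport, so it rewrites every TCP packet addressed to X.X.X.X before INPUT ever sees it. The linter below is an added example written for this thread, not code from the post or from the iptables project; it runs on a constructed, trimmed copy of the posted dump (X.X.X.X kept as the placeholder the post uses) and reports both conditions, plus the local TCP ports whose INPUT rules are shadowed by the port-less DNAT. Pipe real iptables-save output into it to check your own ruleset.

```python
"""Lint an iptables-save dump for two ways a ruleset can fail silently."""
import sys
from collections import defaultdict

# Constructed sample, modelled on the dump quoted in the first post (trimmed to the
# lines the checks care about; X.X.X.X stands in for the public address as in the post).
SAMPLE = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [36:3374]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:70]
-A POSTROUTING -o eth0 -j SNAT --to-source X.X.X.X
-A PREROUTING --dst X.X.X.X -p tcp -j DNAT --to-destination 192.168.1.12
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:okay - [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -d X.X.X.X -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
COMMIT
"""


def parse_save(text):
    """Parse iptables-save text into
    {table: {"policy": {chain: policy}, "rules": {chain: [token list per rule]}}}.
    Built-in chains carry a policy (ACCEPT/DROP); user-defined chains show '-'."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policy": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):                    # chain declaration
            name, policy = line[1:].split()[:2]
            tables[table]["policy"][name] = policy
            tables[table]["rules"].setdefault(name, [])   # keep empty chains visible
        elif line.startswith("-A "):                  # appended rule
            tokens = line.split()
            tables[table]["rules"][tokens[1]].append(tokens[2:])
        elif line == "COMMIT":
            table = None
    return tables


def _opt(tokens, flag):
    """Value following a flag in a rule's token list, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def jumps_to_empty_chains(tables):
    """Rules that jump to a user-defined chain containing no rules. The packet
    returns to the caller and continues down it, so under a DROP policy the accept
    the author intended never happens. Returns (table, chain, rule, target)."""
    findings = []
    for tname, t in tables.items():
        for chain, rules in t["rules"].items():
            for rule in rules:
                target = _opt(rule, "-j")
                if t["policy"].get(target) == "-" and not t["rules"][target]:
                    findings.append((tname, chain, " ".join(rule), target))
    return findings


def dnat_without_port(tables):
    """DNAT rules in nat/PREROUTING with no --dport/--dports. PREROUTING runs before
    the routing decision, so every matching packet, including traffic meant for the
    firewall itself, is rewritten to the inside host. Returns (protocol, rule)."""
    nat = tables.get("nat", {"rules": {}})
    out = []
    for rule in nat["rules"].get("PREROUTING", []):
        if _opt(rule, "-j") == "DNAT" and "--dport" not in rule and "--dports" not in rule:
            out.append((_opt(rule, "-p") or "all", " ".join(rule)))
    return out


def shadowed_input_ports(tables):
    """TCP ports that filter/INPUT accepts but a port-less DNAT rewrites first,
    so those INPUT rules can never match. Sorted and de-duplicated."""
    protos = {proto for proto, _ in dnat_without_port(tables)}
    if not protos & {"tcp", "all"}:
        return []
    ports = set()
    for rule in tables.get("filter", {"rules": {}})["rules"].get("INPUT", []):
        if _opt(rule, "-p") == "tcp" and _opt(rule, "--dport"):
            ports.add(int(_opt(rule, "--dport")))
    return sorted(ports)


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()   # e.g. iptables-save | python3 lint.py
    t = parse_save(text)
    for tname, chain, rule, target in jumps_to_empty_chains(t):
        print(f"[{tname}/{chain}] jumps to empty chain '{target}': {rule}")
    for proto, rule in dnat_without_port(t):
        print(f"[nat/PREROUTING] DNAT with no port match ({proto}): {rule}")
    print("INPUT ports shadowed by the port-less DNAT:", shadowed_input_ports(t))
```

On the constructed sample the report lists both okay jumps, the single TCP DNAT, and ports 22 and 80 as shadowed. The same two findings are what a careful reader would pull out of the posted dump by hand; the script just makes them reproducible on the next revision of the ruleset.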
Thanks for the link. I'm looking over it - I don't want to sound lazy in any way, because I know I need to read this, but I'm horrible at reading manuals. Can you point me to a more specific page? Or show me what to do? I'll keep reading....
The first line will take care of your pre-routing NAT. The second line is what actually forwards the port.
Here is a sample iptables script... this may be rather helpful. I'm sorry I can't be more specific, but FW design is different for everyone's needs. Iptables is much too broad a subject for us to walk you through. This example below should get you off to a good start though.
#!/bin/sh
#The posted fragment does not define its variables. The definitions below are
#placeholders added so the fragment runs as a script; they are not from the
#original post. Adjust them to your interfaces before use.
IPT=/sbin/iptables
PUBIF=eth0                     # placeholder: external (public) interface
PRIVIF=eth1                    # placeholder: private LAN interface
DMZIF=eth2                     # placeholder: DMZ interface
PLACE_WE_HATE=192.0.2.0/24     # placeholder: documentation range (TEST-NET-1)
LOG_OPTIONS="--log-level info --log-prefix"

#Silently Drop Broadcast and Multicast Traffic
$IPT -A INPUT -i $PUBIF -d 255.255.255.255 -j DROP
$IPT -A INPUT -i $PUBIF -d 224.0.0.0/4 -j DROP
#Drop All Invalid Incoming Packets
#(the 'unclean' match was an experimental extension and is absent from later
#kernels; the state INVALID rule is the part that works everywhere)
$IPT -A INPUT -m unclean -j LOG $LOG_OPTIONS "IPTABLES-UNCLEAN: "
$IPT -A INPUT -m unclean -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP
#Drop All Invalid Forwarded Packets
$IPT -A FORWARD -m unclean -j LOG $LOG_OPTIONS "IPTABLES-UNCLEAN-FORWARD: "
$IPT -A FORWARD -m unclean -j DROP
$IPT -A FORWARD -m state --state INVALID -j LOG $LOG_OPTIONS "IPTABLES-INVALID-FORWARD: "
$IPT -A FORWARD -m state --state INVALID -j DROP
#Block Outgoing Connections to Places We HATE
$IPT -A FORWARD -i $PRIVIF -d $PLACE_WE_HATE -j DROP
#Block Outgoing Connections by PORT (Last Resort Against DoS)
$IPT -A FORWARD -i $PRIVIF -p tcp --dport 135:139 -j DROP
$IPT -A FORWARD -i $PRIVIF -p udp --dport 135:139 -j DROP
#Allow Otherwise Unrestricted Outgoing Connections
$IPT -A FORWARD -i $PRIVIF -o $PUBIF -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $DMZIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow DMZ Outgoing DNS lookups
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p udp --dport 53 -j ACCEPT
#See No Evil, Forward No Evil
#MS Networking
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-MSNETWORKING: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-MSNETWORKING: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 135:139 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 135:139 -j DROP
#NFS
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NFS: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NFS: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
#X Windows
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XWINDOWS: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XWINDOWS: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 5999:6003 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 5999:6003 -j DROP
#X Font Server
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XFONTSERVER: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XFONTSERVER: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 7100 -j DROP
#Back Orifice
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-BACKORIFICE: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-BACKORIFICE: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 31337 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 31337 -j DROP
#Netbus
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NETBUS: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NETBUS: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 12345:12346 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 12345:12346 -j DROP
#Set DNS and SSH for minimum delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
#Set FTP Data and Web Traffic for Maximum Throughput
#$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
#$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
#Deny ICMP Redirects
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-ICMP-REDIRECT: "
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j DROP
#Do Not Allow Any Other Connections on the External Interface, Including Traceroute
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j LOG $LOG_OPTIONS "IPTABLES-CONN-PRIVIF-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j DROP
$IPT -A FORWARD -i $PUBIF -o $DMZIF -j LOG $LOG_OPTIONS "IPTABLES-CONN-DMZIF-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $DMZIF -j DROP
echo Firewall Script Complete
#################################################################
# #
# All Infidels Have Been Denied! #
# Script Complete #
# #
#################################################################
Right. In the above example, the DMZ is running web services and the PRIVNET is a secured network, inaccessible from the outside. Both are on different networks using the Linux box as a FW/router. Each network is on a different interface/NIC.