IPTables Question

rootyard · 06-24-2004, 03:17 PM

I need to do the following on my Slackware box:

I need to be able to forward the following:

traffic on port 80 to 172.10.10.81
traffic on port 110 to 172.10.10.66
traffic on port 22 to 172.10.10.5

I need to be able to block the following domains from users within my LAN:

uproar.com
mail.yahoo.com

I need to disallow the following range of users from accessing the web:

172.10.6.101/199

I need to allow this range to access the web:

172.10.6.201/229

I need to block the following range of ports to ANY machine on my LAN from the web:

23 to 79

Can anyone tell me how this is done with IPTables?

ToniT · 06-24-2004, 04:31 PM

You could read the fine manuals around the world regarding to iptables
(there is also one in linuxquestions.org tutorial section, and comprehensive ones in www.netfilter.org)

1.

Code:

iptables -t nat -A PREROUTING --destination your.ip.address --destination-port 80 --jump DNAT --to-destination 172.10.10.81

etc...
2.

Code:

iptables -A FORWARD --destination uproar.com -j REJECT --reject-with icmp-admin-prohibited

and same to the other place. Also you can use DROP, if you don't want to be nice admin.

3.
Why do you want to use so unround numbers? How about
disallowing 64-127 and allowing 128-159?
This can be archived by

Code:

iptables -A FORWARD -p tcp --source 172.10.6.64/26 --destination-port 80 -j REJECT --reject-with icmp-admin-prohibited
iptables -A FORWARD -p tcp --source 172.10.6.128/27 --destination-port 80 -j ACCEPT

You can use those ranges you suggested, but then you have to fight with them.
eg. for the the 101-199 range you have to repeat that command
with values: 172.10.6.101/32,172.10.6.102/31,172.10.6.104/29, 172.10.6.112/28, 172.10.6.128/26 and 172.10.6.192/29.

4.
iptables -A FORWARD -p tcp -i yourINETInterface --destination-port 23:79 -j DROP