Linux - Networking (LinuxQuestions.org forum)
I was asked to set up a firewall that has two zones. My LAN is 192.168.1.0/24 (firewall eth1 - 192.168.1.200) and the router's connected IP is 10.64.78.1/24 (firewall eth0 - 10.64.78.2).
I have written a script with a DROP policy. Internal (192.168.1.0/24) PCs need to access the external SMTP/POP server IP a.b.c.d, and a few PCs also need to connect to it via SSH (PuTTY).
I have tried to do this using the following script and it is not working. (I only have experience writing a few rules for SMTP/POP servers using the INPUT and OUTPUT chains, not the FORWARD chain.)
Code:
# Drop all
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Accept loop back address
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Forward SMTP/POP3,ssh traffic to and from OUT side
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.1.0/24 -d a.b.c.d --dport smtp,pop3,ssh -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p tcp -s a.b.c.d -d 192.168.1.0/24 --sport smtp,pop3,ssh -m state --state ESTABLISHED -j ACCEPT
# Save and Start Iptables
service iptables save
service iptables start
Using the following script I can't access the a.b.c.d server for SMTP, POP3 and SSH.
Please, someone help me to correct this.
Thanks very much. I got the whole theory from the code you have sent.
It's really helpful. I was stuck there on applying NAT for that. Now you have cleared the way. Thanks.
Dear win32sux,
I have done that and I am wondering why I can't integrate the INPUT and OUTPUT rules that I have created for the firewall box, listed below. If I run the following rules I can't log in to the firewall box via SSH because my link disconnects.
If you have time please check and just guide me to the corrections (highly appreciated if you can correct it). Anyway, thanks for the contribution that you have made to this thread.
Code:
# Drop all
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Enable IP FORWARDING
echo 1 > /proc/sys/net/ipv4/ip_forward
# Accept loop back address
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Rules for SSH connections to the firewall box itself (from the LAN side only)
iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 -d 192.168.1.200 \
--dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -d 192.168.1.0/24 -s 192.168.1.200 \
--sport ssh -m state --state ESTABLISHED -j ACCEPT
# Rules for forwarding SMTP/POP3 and SSH from the LAN to a.b.c.d for admin work
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -o eth0 -s 192.168.1.0/24 \
-d a.b.c.d -m multiport --dports 22,25,110 -m state --state NEW -j ACCEPT
# Masquerade LAN traffic leaving eth0 behind the firewall's own address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Save and Start Iptables
service iptables save
service iptables start
It's so much better if you just paste here using CODE tags instead of on that website. In any case, troubleshooting this should be really easy. Change your OUTPUT policy to ACCEPT and try again. If it then works, you know the problem is with your OUTPUT rule. If it still doesn't work, are you positive that 192.168.1.200 is the IP of this box? Your last troubleshooting step will be to enable logging of filtered packets to see what exactly is going on here.
Code:
iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
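To make that logging step actionable, here is an added Python helper (not from the thread or from win32sux) that parses the kernel LOG lines produced by the "INPUT DROP: " / "OUTPUT DROP: " rules and tallies them per chain, interface, protocol and service port, so a dropped reply stream stands out. The log lines are constructed samples of what a box like the poster's might log, with the firewall's own SSH replies from 192.168.1.200 being dropped in OUTPUT.

```python
import re
from collections import Counter

# Constructed sample syslog output from the two LOG rules (not captured from the poster's box).
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: OUTPUT DROP: IN= OUT=eth1 SRC=192.168.1.200 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=229 RES=0x00 ACK PSH URGP=0
Jan 10 12:00:01 fw kernel: INPUT DROP: IN=eth1 OUT= SRC=192.168.1.15 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 12:00:02 fw kernel: OUTPUT DROP: IN= OUT=eth0 SRC=10.64.78.2 DST=10.64.78.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:03 fw kernel: OUTPUT DROP: IN= OUT=eth1 SRC=192.168.1.200 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=229 RES=0x00 ACK URGP=0
"""

# The LOG target prints the --log-prefix, then key=value fields (flags such as SYN/ACK/DF are bare words).
LINE_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(?P<prefix>[A-Z]+ DROP): (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_drops(text):
    """Yield one dict per LOG line: the chain name plus every key=value field on the line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = {"chain": m.group("prefix").split()[0]}
        rec.update(FIELD_RE.findall(m.group("fields")))  # later duplicates (e.g. inner LEN=) win
        yield rec


def summarize_drops(text):
    """Count drops per (chain, interface, proto, service port) so the rule that is missing stands out."""
    counts = Counter()
    for r in parse_drops(text):
        iface = r.get("IN") or r.get("OUT") or "?"  # INPUT logs IN=, OUTPUT logs OUT=
        if r.get("PROTO") in ("TCP", "UDP"):
            # The lower of the two ports is almost always the service side (22 for the SSH replies).
            svc = min(int(r["SPT"]), int(r["DPT"]))
        else:
            svc = "-"
        counts[(r["chain"], iface, r.get("PROTO", "?"), svc)] += 1
    return counts


if __name__ == "__main__":
    for (chain, iface, proto, svc), n in sorted(summarize_drops(SAMPLE_LOG).items()):
        print(f"{chain:<7} {iface:<5} {proto:<5} port {svc!s:<5} dropped {n} packet(s)")
```

Run it against `dmesg` or /var/log/messages output instead of SAMPLE_LOG; a high count on OUTPUT/eth1/TCP/22 is the signature of the OUTPUT rule not matching the firewall's own SSH replies.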