Linux - Networking (LinuxQuestions.org forum)
I managed to get my gateway working after the advice people gave me here. I currently have this iptables script and need to add port forwarding plus some gateway security, because at the moment all ports are visible from the outside.
Here is what I have below; however, it just gets it all working. My question is: do any of you guys have an iptables script with what I need that all works correctly?
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
# (eth1 is the outside interface, eth0 the LAN). New connections arriving
# on eth1 fall through to the INPUT chain policy, which this script does
# not set, so unless that policy is DROP every listening port on the
# gateway stays reachable from outside.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
# Replies to LAN-originated connections, coming back in on eth1.
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side (in on eth0, out on eth1).
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
You might want to take a look at fwbuilder at http://www.fwbuilder.org. It's a great GUI for managing packet filters, including IPTables. I find the packet filter chains much easier to visualize when they are made of pretty colored icons.
Fwbuilder can be found in the Debian 3.1 repositories.
Yeah, thanks basileus. I'm only running the box in shell mode, non-GUI, as it's only a router. I'm still looking and playing around, trying to make a script that:
Does port forwarding
Is secure
Doesn't allow ports on the box to be open
Doesn't reject network traffic and cause Outlook to take up to 1 minute to send an email
I did have a script that did all of this, but sadly I had to reinstall it.
Okay, I've now got a working iptables script. I have a small problem: when I send an email from Outlook 2003 it takes up to 1 minute to send a small email. Has anyone had this issue and knows the fix for it?
Dan
Can you post your *current* iptables script? Also, please post the output of:
#!/bin/sh
# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"
# The external (Internet-facing) interface you will be protecting. For
# ADSL/dialup users this would be ppp0; on this gateway the external
# link is eth1 and the LAN is on eth0, so INT is set to eth1.
INT="eth1"
# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
# The following line below enables IP forwarding and thus
# by extension, NAT. Turn this on if you're going to be
# doing NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Source NAT everything heading out the $INT (external)
# interface. Use exactly one of the two rules below: SNAT with your
# static IP, or MASQUERADE, which picks up whatever address $INT has
# (it works for a static address too, and is the only option for a
# dynamic/DHCP one). If both are active the SNAT rule comes first and
# matches every packet, so MASQUERADE is never reached, and if the
# placeholder address is left in, outbound traffic is rewritten to the
# wrong source and replies never come back. To use SNAT, change the ip
# address below to your static ip, uncomment it and comment out MASQUERADE.
#$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 12.12.12.12
$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE
# This rule protects your forwarding rule: with the FORWARD policy set
# to ACCEPT above, this is what stops new connections arriving on $INT
# from being forwarded into the LAN. Note that it also catches port
# forwards (a DNAT'd packet still arrives here in state NEW), so any
# FORWARD ACCEPT for a forwarded port must be placed before this rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP
# If you would like to forward specific ports to other machines
# on your home network, edit and uncomment the rules below. As written
# they forward TCP 25 (mail) and TCP 81 to 10.0.0.1, and UDP 53 (DNS)
# to 10.1.1.51: anything arriving on $INT for those ports is invisibly
# redirected to the inside host. Each forward also needs a matching
# FORWARD ACCEPT placed before the NEW,INVALID drop above.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 10.0.0.1:25
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 81 -j DNAT --to 10.0.0.1:81
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to 10.1.1.51:53
# These two redirect a block of ports, in both udp and tcp.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 2300:2400 -j DNAT --to 10.1.1.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 2300:2400 -j DNAT --to 10.1.1.50
# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP
# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP
# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP
# And our silent chain: drops without logging. It is defined here
# but not referenced by any rule below.
$IPT -N silent
$IPT -A silent -j DROP
# This rule will accept connections from local machines. If you have
# a home network, enter the IPs of the machines on the network below.
# Better still, match the LAN interface as well (-i eth0), because a
# source address on its own can be spoofed from the $INT side.
$IPT -A INPUT -i lo -j ACCEPT
#$IPT -A INPUT -s 10.1.1.50 -d 0/0 -p all -j ACCEPT
#$IPT -A INPUT -s 10.1.1.51 -d 0/0 -p all -j ACCEPT
#$IPT -A INPUT -s 10.1.1.52 -d 0/0 -p all -j ACCEPT
# Drop those nasty packets! These are all TCP flag
# combinations that never occur in legitimate traffic: XMAS,
# all-flags, NULL, SYN+RST and SYN+FIN probes as sent by port
# scanners and OS fingerprinting tools. We log and drop them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
# Drop icmp, but only after letting certain types through: echo reply
# (0), destination unreachable (3, which carries the fragmentation-needed
# messages that path MTU discovery depends on), time exceeded (11), and
# rate-limited echo requests (8). Everything else is logged and dropped.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall
# SSH (port 22) is accepted only on the LAN interface (eth0). To open it
# to specific outside IPs, add rules on $INT with -s <ip>; to allow SSH
# from anywhere, uncomment the second line only (not recommended).
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT
# If you are running a Web Server on this box, the next line opens
# port 80 on the gateway itself to the whole Internet. If the web
# server actually lives on a LAN host, comment this out and use a
# PREROUTING DNAT forward instead.
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT
# Let's do some basic state-matching. This allows us
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# The NEW rules below are the FORWARD ACCEPTs that port forwards need,
# but appended here they sit after the NEW,INVALID drop for $INT and
# are never reached. If you uncomment them, insert them with -I FORWARD
# (or move them above that drop). DNS forwarding also needs -p udp.
#$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT -A FORWARD -m state --state NEW -p tcp --dport 25 -j ACCEPT
#$IPT -A FORWARD -m state --state NEW -p tcp --dport 110 -j ACCEPT
#$IPT -A FORWARD -m state --state NEW -p tcp --dport 53 -j ACCEPT
and the output of iptables -t nat -v -n -L and iptables -v -n -L
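Here is an added example, not a script from this thread, of the rule set the wish list above asks for: nothing listening on the gateway reachable from outside, port forwarding that actually works, and no silent drop where a reset is the better answer. It assumes eth1 is the external interface and eth0 the LAN, as in the scripts posted here; the LAN subnet 10.1.1.0/24, the PORT_FORWARDS list (targets borrowed from the comments in the posted script), the DRY_RUN switch and the forward_order_ok checker are this example's own inventions, and it uses the conntrack match, the current replacement for -m state. Two things it shows that the posted scripts do not: a DNAT'd connection still arrives in FORWARD as NEW, so its ACCEPT has to come before the rule dropping new connections from the outside interface; and a common cause of exactly the one-minute Outlook delay is the receiving mail server's ident callback (TCP 113) to the gateway being dropped until it times out, which answering with a TCP reset avoids.

```shell
#!/bin/sh
# Added example (not a script from this thread). Assumes eth1 faces the
# Internet and eth0 the LAN, as in the posted scripts; the LAN subnet,
# the forward list, DRY_RUN and forward_order_ok are this example's own.
set -eu

IPT=${IPT:-/sbin/iptables}
EXT_IF=${EXT_IF:-eth1}           # external (Internet) interface
LAN_IF=${LAN_IF:-eth0}           # LAN interface
LAN_NET=${LAN_NET:-10.1.1.0/24}  # assumed LAN subnet
# Forwards as proto:ext_port:lan_ip:lan_port (constructed for the example).
PORT_FORWARDS=${PORT_FORWARDS:-"tcp:25:10.1.1.51:25 udp:53:10.1.1.51:53"}

# Run iptables, or with DRY_RUN=1 print the command instead of running it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPT" "$@"
    fi
}

# A port forward is two rules: the nat-table DNAT, and a filter-table
# ACCEPT for the rewritten connection. --ctstate DNAT limits the ACCEPT
# to connections the nat table really rewrote.
add_port_forward() { # proto ext_port lan_ip lan_port
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p "$1" -d "$3" --dport "$4" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

build_rules() {
    # Fail closed first, then flush, so nothing slips through while the
    # chains are being rebuilt.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F
    ipt -X

    # The router itself: loopback, replies to its own connections, and new
    # connections from the LAN only. Matching the interface as well as the
    # source address means a spoofed LAN address arriving on eth1 does not
    # qualify. Everything else from outside falls to the DROP policy, so
    # no listening port on the box is reachable from the Internet.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Ident callbacks from remote mail servers are answered with a reset
    # instead of silently dropped, so they fail at once, not after a timeout.
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Forwarded traffic: replies, the port forwards, LAN-originated
    # connections, then drop any other new connection from outside. The
    # per-forward ACCEPTs have to precede that final DROP, because a
    # DNAT'd connection still arrives in FORWARD in state NEW.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    for fwd in $PORT_FORWARDS; do
        proto=${fwd%%:*}; rest=${fwd#*:}
        eport=${rest%%:*}; rest=${rest#*:}
        lip=${rest%%:*}; lport=${rest#*:}
        add_port_forward "$proto" "$eport" "$lip" "$lport"
    done
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -m conntrack --ctstate NEW -j DROP

    # Hide the LAN behind the address of the external interface.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# Read FORWARD rules on stdin (this script's dry-run output, or the output
# of `iptables -S FORWARD`) and succeed only if no port-forward ACCEPT
# comes after the rule dropping new outside connections, i.e. no forward
# is shadowed the way the commented-out rules in the posted script would be.
forward_order_ok() {
    awk '/-A FORWARD .*--ctstate NEW -j DROP/ { dropped = 1 }
         /-A FORWARD .*--ctstate DNAT -j ACCEPT/ && dropped { bad = 1 }
         END { exit bad + 0 }'
}

case "${1:-}" in
    apply)   build_rules; echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    dry-run) DRY_RUN=1; build_rules ;;
esac
```

Run `sh gateway.sh dry-run` to see the exact iptables commands it would issue, `sh gateway.sh apply` as root to install them, and `iptables -S FORWARD | forward_order_ok` after sourcing the file to check a live rule set for shadowed forwards. The dry-run mode never touches iptables, which is what makes the rule order reviewable before anything is applied on a box you may only reach over the network it filters.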