LinuxQuestions.org


dal-san 10-29-2003 02:03 PM

Linux gateway/firewall problem
 
Hi

I have a Linux box working as a gateway/firewall and a Windows box connected to the internet through it. I'm trying to give the Windows box access to the internet, but only with ports 80 (http) and 22 (ssh).

My iptables setup:
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

How can I give the Windows box access to the net?
A command such as: iptables -A FORWARD -p tcp --dport 80 -j ACCEPT doesn't do the job. Of course, it works with iptables -P FORWARD ACCEPT but I don't like to keep all the ports open.

McBrain 10-29-2003 05:01 PM

OK, from greenhorn to greenhorn (but it is working in my case):

You have to implement the NAT (Network Address Translation) rules as well.

iptables -t nat -A POSTROUTING --out-interface ppp0 -j MASQUERADE

If it is connected via DSL you need the following:
iptables -t filter -A FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


Further the IP_FORWARDING must be activated:

echo 1 > /proc/sys/net/ipv4/ip_forward

Hope that is everything, otherwise I would have to post the whole script!

dal-san 10-30-2003 01:22 AM

NAT is already implemented and as I said in my previous post, everything works fine with just iptables -P FORWARD ACCEPT, but if I set it to DROP it doesn't work.
The line iptables -t filter -A FORWARD --protocol tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu didn't help at all :(

The thing that I'm still looking for is an iptables command to open a specific port for the Windows client with iptables -P FORWARD DROP being set at the same time.

McBrain 10-31-2003 03:53 AM

OK, now an attempt without having either my script or the documentation around (the iptables documentation is actually very good from my point of view).

First of all, the MASQUERADE command is very important, because otherwise the router will try to forward the original IP of the other PC.

When you just add the DROP line, it's clear that it is not working anymore. You have to add afterwards a rule for forwarding that explicitly mentions the port you want to allow!
I can later on post my complete script (which is not perfect as I am also having a small problem, but in principle it is working)!
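Putting the pieces from this thread together (DROP policies, the ESTABLISHED,RELATED rules, an explicit per-port FORWARD rule, MASQUERADE and ip_forward) as an added example that is not from either poster: the function below generates the complete rule set for review, and `apply_rules` executes it as root. The interface names eth1 (LAN) and ppp0 (WAN), the LAN subnet 192.168.0.0/24, and the extra UDP 53 rule for name resolution are assumptions not in the thread; the rules also go beyond the original by restricting new connections to the LAN-to-WAN direction and the LAN source subnet.

```shell
#!/bin/sh
# Added example, not the thread's own script. Interface names, LAN subnet
# and the allowed ports are assumptions: adjust them to the real setup.

gen_rules() {
    lan="$1"; wan="$2"; lan_net="$3"; shift 3   # remaining args: allowed TCP ports
    # Default-deny everything, then let replies to already accepted
    # connections through (this is what the original post already had).
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # The missing piece: one explicit rule per allowed port for NEW
    # connections, limited to traffic entering on the LAN interface from the
    # LAN subnet and leaving on the WAN interface. FORWARD stays DROP.
    for port in "$@"; do
        echo "iptables -A FORWARD -i $lan -o $wan -s $lan_net -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Assumed addition: without DNS the client can only reach port 80 by IP.
    echo "iptables -A FORWARD -i $lan -o $wan -s $lan_net -p udp --dport 53 -m state --state NEW -j ACCEPT"
    # NAT the client behind the gateway's WAN address, then turn on forwarding.
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

apply_rules() {
    # Execute the generated rule set (run as root on the gateway).
    gen_rules "$@" | sh
}

# Print the rule set for review; nothing is applied here.
gen_rules eth1 ppp0 192.168.0.0/24 80 22
```

Check the printed rules with `iptables -L FORWARD -v -n` after applying: the per-port ACCEPT lines must come after the state rule and before nothing else, since the chain policy itself is DROP.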

