I am trying to set up RH 8.0 iptables to route on our network the way we need it to. With the great help of DavidPhillips, I was able to get our RH server to route correctly; now I am trying to set up our firewall.
Here is what we want it to do. We would like to set up, I guess you would call it, an open part, i.e. a non-firewall section of our network; we would like that part of our internal network to have full access to the firewall part. I know Shorewall calls this kind of a DMZ. I read through Shorewall and I think it is more complicated than the iptables script file, so I would like to get the rcfirewall.txt script working.
On our network we have 4 full class C's available: 192.168.69.0, 10.52.1.0, 10.52.2.0, 10.52.3.0. Our 192.168.69.0 is our standard workstation network. This is also the open network. Our Cisco router is 192.168.69.1. Our RH box eth0 is on 10.52.1.200. For my testing I have been using 10.52.3.2 on eth1 and a workstation on 10.52.3.60.
I have configured the rcfirewall.txt file the way I thought it should work, many times, and still no luck. Here it is.
I had to do a few things differently in my script file, but this is pretty much the same file. After reading through this, though, I am thinking that I could just enter a command into the DMZ zone and grant access through, but would like any input available. When the script file is run I am unable to get from any IP on 192.168.69.0 to 10.52.3.0.
Thanks
Larry
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#
#
# 1.1 Internet configuration.
#
# The values were not included in the post; the two lines below are
# placeholders so the rules further down can be loaded. Set them to the
# Internet-facing interface and its address.
#
INET_IP="192.0.2.1"   # placeholder (RFC 5737 documentation address)
INET_IFACE="eth0"     # placeholder
#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
# (LAN_IP_RANGE and LAN_IFACE values were not included in the post)
#
# 1.4 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
#
# 4.1.2 Create userspecified chains
#
# The chains referenced below must exist before rules are added to them
# or jump to them.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
# 4.1.3 Create content in userspecified chains
#
#
# bad_tcp_packets chain
#
# A packet that opens a NEW connection without the SYN flag is malformed
# (or a scan); log it, then drop it.
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
# Accept new connections (SYN) and packets of known connections; drop the rest.
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don't match the above.
#
Cisco has a "local" IP of 192.168.69.1, your workstation network...
RH has eth0 IP 10.52.1.200 & eth1 IP 10.52.3.2...
Your first post didn't have a final reply, so which default gateway does RH have?
How are you connecting the workstation network 192.168.69.0 to the 10.55.x.x networks?
You will need to use the rc.DMZ.firewall script as a starting point, if you intend to put publicly available servers in a separate network.
Our internal network consists of 4 class C's: 192.168.69.0, which we use for workstations, and 3 other class C's, 10.52.1.0, 10.52.2.0 and 10.52.3.0. The Cisco (192.168.69.1) has 2 network cards; one card routes the 192.168.69.0 and the other routes the 3 other 10.52 series. We have printers and other systems on the 10.52 class C's that we would like the 192.168.69.0 to be able to have access to, but would not like the rest of the network to have access to.
I do not have access to the Cisco router, and our corporate office will not grant access. The workstations browse the internet, so I need to leave that network alone.
What we want is to be able to have access to each class C on our network, but block anyone coming from our Cisco router. So I thought that I could put a Red Hat box in and control access using a firewall.
peter_robb, to answer your question, the default gateway is 10.52.1.200.
I would almost agree with you that the DMZ script would be the answer, but not quite. What I need is a way to tell iptables that all information coming in from 192.168.69.0 is OK and let it go through.
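The FORWARD-chain rules that express what Larry asks for in the thread, as an added example that is neither his rcfirewall.txt nor Oskar Andreasson's rc.firewall: only 192.168.69.0/24 may open new connections into 10.52.3.0/24 through the Red Hat box, everything else arriving from the Cisco side is logged and dropped. It assumes eth0 (10.52.1.200) faces the Cisco and eth1 (10.52.3.2) faces the protected segment; the thread does not confirm which interface is which. By default the script only prints the rules for review; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example, not Larry's script or Oskar Andreasson's rc.firewall.
# FORWARD-chain rules that let only 192.168.69.0/24 open new connections
# into 10.52.3.0/24 through the Red Hat box and drop everything else that
# arrives from the Cisco side.
# Assumed (from the thread, not confirmed in it): eth0 = 10.52.1.200 faces
# the Cisco, eth1 = 10.52.3.2 faces the protected 10.52.3.0/24 segment.
OPEN_NET="192.168.69.0/24"   # workstation network that is allowed through
PROT_NET="10.52.3.0/24"      # protected segment behind eth1
CISCO_IFACE="eth0"           # assumed interface toward the Cisco
PROT_IFACE="eth1"            # assumed interface toward the protected segment

# Safe by default: print the rules for review; APPLY=1 executes them.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        /sbin/iptables "$@"
    else
        echo "iptables $*"
    fi
}

apply_forward_rules() {
    # Default-deny forwarding: the kernel only passes what is accepted below.
    run -P FORWARD DROP
    run -F FORWARD
    # Replies to already-accepted connections flow back in either direction.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The rule the posted rc.firewall excerpt has no equivalent of: new
    # connections from the open network into the protected segment. It trusts
    # the source address as seen on eth0, so it is only as strong as the
    # Cisco's own anti-spoofing.
    run -A FORWARD -i "$CISCO_IFACE" -o "$PROT_IFACE" \
        -s "$OPEN_NET" -d "$PROT_NET" -m state --state NEW -j ACCEPT
    # Protected hosts (printers, etc.) may initiate outward themselves.
    run -A FORWARD -i "$PROT_IFACE" -o "$CISCO_IFACE" -s "$PROT_NET" -j ACCEPT
    # Everything else from the Cisco side: log (rate-limited) then fall
    # through to the DROP policy.
    run -A FORWARD -i "$CISCO_IFACE" -m limit --limit 3/minute -j LOG \
        --log-prefix "FORWARD drop: "
}

# Forwarding must be enabled in the kernel, but only when really applying.
if [ "${APPLY:-0}" = "1" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
apply_forward_rules
```

Run it once without APPLY to read the generated rules, then `APPLY=1 sh script.sh` as root; the INPUT rules from the posted rc.firewall are untouched, since they govern traffic to the box itself rather than traffic through it.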