LinuxQuestions.org > Linux - Networking > Problem Iptables, Firewall rules. Can anybody help ?
(https://www.linuxquestions.org/questions/linux-networking-3/problem-iptables-firewall-rules-can-anybody-help-221459/)

ZliTroX 08-23-2004 04:50 PM

Problem Iptables, Firewall rules. Can anybody help ?
 
I have tried to write an iptables script as a firewall/router but it doesn't work at all :(

Can anybody help me please? Someone nice enough to help me write this script I need?

I have a dynamic IP number to the internet from my ISP Telia, and I want my firewall/router to share the internet with my other computers and a server.

Local Network:
192.168.0.1:
Firewall/router, should have SSH at port 22 only in local network.

192.168.0.2
HTTP server, should be connectable from the internet at port 80.

192.168.0.3
FTP server, this should be connectable from the local network and the internet at port 21. Also surf on the internet.

192.168.0.4
Surf on internet.

192.168.0.5 - Windows 2000, surf on the internet, but no services out to the internet

192.168.0.6 - Windows 2000, surf on the internet, but no services out to the internet

Services open on internet:
192.168.0.2 Port 80
192.168.0.3 Port 21
192.168.0.4 Port 21

Services open on local network
192.168.0.1 Port 22
192.168.0.2 Port 80
192.168.0.3 Port 21
192.168.0.3 Port 21

I'm also using DCGui-QT (Direct Connect) on these ports:

TCP Listen Port:
9176
UDP Listen Port:
9176


Other services should not be shown out to the internet.

I hope someone understands what I need and can help me.


Please, could someone help me?

Thanks.

ppuru 08-23-2004 11:48 PM

A very simple script to allow outgoing traffic but block anything that is not a reply.

Code:

#!/bin/bash
# File: simpfw.sh
#
IPT=/usr/sbin/iptables
EXTIF=<external interface>
INTIF=<internal interface>

# -- forwarding must be switched on in the kernel, or the FORWARD rules never see a packet
echo 1 > /proc/sys/net/ipv4/ip_forward

$IPT -t filter -F
$IPT -t nat -F

$IPT -P INPUT DROP
$IPT -P FORWARD DROP

# -- allow free traffic on the loopback
$IPT -A INPUT -i lo -j ACCEPT

# -- ICMP

# -- Accept all incoming replies
# -- (no space after the comma: "RELATED, ESTABLISHED" is split into two arguments and iptables rejects it)
$IPT -A INPUT -i $EXTIF -m state --state RELATED,ESTABLISHED -j ACCEPT

# -- Accept incoming connections
$IPT -A INPUT -i $EXTIF -p tcp --dport 9176 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $EXTIF -p udp --dport 9176 -m state --state NEW -j ACCEPT

# -- forward anything from the inside out, and only replies back in
$IPT -A FORWARD -i $INTIF -j ACCEPT
$IPT -A FORWARD -i $EXTIF -m state --state RELATED,ESTABLISHED -j ACCEPT
# -- POSTROUTING has no incoming interface to match on (-i is invalid there); masquerade by the outgoing one
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE


AeonDevil 08-24-2004 01:29 AM

Here's another that's very easy to understand. Just paste it in a text file (e.g. rc.firewall or something similar and load it on startup) and modify it a bit:

#Internet Sharing and Port Forwarding Script

modprobe iptable_nat
echo '1' > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#NOTE: eth0 can be changed to eth1 etc. depending on the device connected to the net.

#Here I put the ports I want to be open. If you don't have port 22 open then you won't be able to connect to it via SSH; I'll just drop the packets.
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#NOTE: if you accept packets for port 80 as well you can set up a web server, but it's for the net-sharing machine. If you want to serve a web server on another computer on your network you have to set port forwarding rules; I'll explain below.

#These rules need "-A INPUT" too, otherwise iptables has no chain to append them to.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
/sbin/iptables -A INPUT -j DROP

/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
#Since you're on a D class with IPs of 192.168.0.0 - 255 I put a 24-bit subnet. You're going to have to research a bit if you don't understand it; it takes a while to explain. Well, actually I'm not that good at explaining things.

#To share the net you're going to have to set up the other computers on the network. I'll give a short example:
#ipaddress: 192.168.0.x
#subnet: 255.255.255.0
#gateway: 192.168.0.x, whatever your internet sharing computer's IP is.
#dns: the ISP's DNS addresses; usually you only need one of them. I'm a little stupid because the only way I know how to find out the ISP's DNS is by using Windows "ipconfig /all". I can't be bothered finding out with Linux at the moment because I'm busy and just finished school last year.

#At this point your internet should be shared between all computers on the network; you can test it out.

#Port forwarding: this is all going to depend on how you want this all set up. Here's an example:
#iptables -t nat -A PREROUTING -p tcp -d z.z.z.z --dport xx -j DNAT --to y.y.y.y:xx
#POSTROUTING sees the packet after the DNAT above, so it must match the forwarded address y.y.y.y (a rule with -d z.z.z.z there never matches);
#SNAT without a port, or every connection would be forced onto the same source port.
#iptables -t nat -A POSTROUTING -p tcp -d y.y.y.y --dport xx -j SNAT --to x.x.x.x
#iptables -t nat -A OUTPUT -d z.z.z.z -p tcp --dport xx -j DNAT --to y.y.y.y:xx
#
#z.z.z.z is the internet address, y.y.y.y is the address where you want the port forwarded, x.x.x.x is the other network card address for the internet sharing computer, xx is any port you want to be forwarded. You can have port 21 from the net go to port 500 on another computer on the network if you wanted to, or you could just have port 21 forwarded to port 21 on another machine; it's all up to you.
#If you want to do more with iptables you'll have to read up about it or just post; it's too much to type at the moment, I'm getting tired....

ZliTroX 08-24-2004 05:24 AM

Thanks everyone for all the help, I think I understand most of it.

If the port should be forwarded to my firewall (192.168.0.1) at port 21, should it be like this?:

iptables -t nat -A PREROUTING -p tcp -d z.z.z.z --dport 21 -j DNAT --to 192.168.0.1:21
iptables -t nat -A POSTROUTING -p tcp -d z.z.z.z --dport 21 -j SNAT --to 192.168.0.1:21
iptables -t nat -A OUTPUT -d z.z.z.z -p tcp --dport 21 -j DNAT --to 192.168.0.1:21

Hmm, what about -d z.z.z.z, what IP should I have there? The server that has the HTTP is 192.168.0.2. So... should it be 192.168.0.2 that replaces z.z.z.z?

maxut 08-24-2004 10:37 AM

Quote:

Originally posted by ZliTroX

iptables -t nat -A PREROUTING -p tcp -d z.z.z.z --dport 21 -j DNAT --to 192.168.0.1:21
iptables -t nat -A POSTROUTING -p tcp -d z.z.z.z --dport 21 -j SNAT --to 192.168.0.1:21
iptables -t nat -A OUTPUT -d z.z.z.z -p tcp --dport 21 -j DNAT --to 192.168.0.1:21

Hmm, what about -d z.z.z.z, what IP should I have there? The server that has the HTTP is 192.168.0.2. So... should it be 192.168.0.2 that replaces z.z.z.z?


I think the best solution is:
apply NAT for all packets that come from 192.168.0.1
iptables -t nat -A POSTROUTING -s 192.168.0.1 -j SNAT --to z.z.z.z

port forward (you may use "-d (public IP of the FTP server)" instead of "-i eth1", or use both of them..)
iptables -t nat -A PREROUTING -p tcp --dport 21 -i eth1 -j DNAT --to 192.168.0.1

and blocking unwanted network activity from the FORWARD chain.
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp --dport 21 -i eth1 -j ACCEPT
allow established/related connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

You'd better visit www.netfilter.org and read the docs.
You can also generate iptables scripts at www.iptables-script.dk

AeonDevil 08-24-2004 09:30 PM

Quote:

Originally posted by ZliTroX
Thanks everyone for all the help, I think I understand most of it.

If the port should be forwarded to my firewall (192.168.0.1) at port 21, should it be like this?:

iptables -t nat -A PREROUTING -p tcp -d z.z.z.z --dport 21 -j DNAT --to 192.168.0.1:21
iptables -t nat -A POSTROUTING -p tcp -d z.z.z.z --dport 21 -j SNAT --to 192.168.0.1:21
iptables -t nat -A OUTPUT -d z.z.z.z -p tcp --dport 21 -j DNAT --to 192.168.0.1:21

Hmm, what about -d z.z.z.z, what IP should I have there? The server that has the HTTP is 192.168.0.2. So... should it be 192.168.0.2 that replaces z.z.z.z?

z.z.z.z should be your actual internet IP address. Since your IP address is dynamic you might be able to write a script; just use "ifconfig" to find out your IP addresses.

ZliTroX 08-25-2004 04:18 AM

Quote:

Originally posted by AeonDevil
z.z.z.z should be your actual internet IP address. Since your IP address is dynamic you might be able to write a script; just use "ifconfig" to find out your IP addresses.

OK, but can I set eth0 because it's the NIC for the internet?

AeonDevil 08-26-2004 06:58 AM

Sorry I didn't post yesterday, didn't have time.

iptables can't use eth0 and automatically know the IP address, because if you use eth0 you would normally need to use the option "-i eth0" instead of "-d 'internet address'", but unfortunately iptables uses -d for destination, which is a direct IP address, and -i is interface, so it's the whole interface: eth0 gives all the info for that device, not just the IP address.

And that's the main reason why putting eth0 won't work.

If you give me a few days I may have the time to think of something, but at this time I can't think of anything.

ZliTroX 09-06-2004 03:46 PM

Please can somebody help me with my problem?

netopia 09-06-2004 04:48 PM

http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/

The scripts in this howto give an example of how to use a script to automatically set x.x.x.x to be your internet IP address when you start up the firewall.
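Pulling the thread together, here is an added example (not any poster's script) that builds the rule set for the network in the first post and settles the dynamic-address question from the later posts: DNAT is keyed on the incoming interface (-i), so the public address is never written into the rules, and for the one case that does need it (a hairpin rule so LAN clients can use the public address) a small parser reads it from `ip -4 -o addr` output at load time instead of hard-coding it. Assumed: eth0 faces the internet, eth1 the LAN, the DC++ ports belong to the router itself as in ppuru's script, and the conntrack modules carry their modern names.

```shell
#!/bin/sh
# Added example, not code from the thread: rules for the network ZliTroX described.
# DNAT is keyed on the incoming interface, so the dynamic public address is not needed;
# ext_ip parses it anyway for the one rule set (hairpin) that must match it.
# Assumed: eth0 = internet side, eth1 = LAN side, modern nf_conntrack_ftp/nf_nat_ftp
# module names (2.4-era kernels called them ip_conntrack_ftp/ip_nat_ftp).
IPT=${IPT:-iptables}   # run with IPT=echo to print the rules instead of loading them
EXTIF=eth0; INTIF=eth1; LAN=192.168.0.0/24; WEB=192.168.0.2; FTP=192.168.0.3

# Address of the internet interface, parsed from `ip -4 -o addr show dev eth0` output
ext_ip_from() { printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'; }
ext_ip() { ext_ip_from "$(ip -4 -o addr show dev "$EXTIF")"; }

load_rules() {
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # SSH on the router only from the LAN side; DC++ listen ports from the internet
    $IPT -A INPUT -i $INTIF -s $LAN -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i $EXTIF -p tcp --dport 9176 -j ACCEPT
    $IPT -A INPUT -i $EXTIF -p udp --dport 9176 -j ACCEPT
    $IPT -A INPUT -i $EXTIF -j LOG --log-prefix "fw-input-drop: "   # then policy DROP
    # FORWARD: LAN out, replies back, and only the two published services in
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT
    $IPT -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $WEB --dport 80 -j ACCEPT
    $IPT -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $FTP --dport 21 -j ACCEPT
    # DNAT by interface: the public address never appears, so it may change freely
    $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $WEB
    $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 21 -j DNAT --to-destination $FTP
    $IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
}

# Hairpin: let LAN clients reach the web server via the public address $1. This is the
# only rule set that needs the current address, so re-run it after every address change.
hairpin_rules() {
    [ -n "$1" ] || return 1   # no address detected: add nothing rather than a broken rule
    $IPT -t nat -A PREROUTING -i $INTIF -d "$1" -p tcp --dport 80 -j DNAT --to-destination $WEB
    $IPT -A FORWARD -i $INTIF -o $INTIF -p tcp -d $WEB --dport 80 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $INTIF -s $LAN -d $WEB -p tcp --dport 80 -j MASQUERADE
}

if [ "${1:-}" = apply ]; then            # e.g. sh rc.firewall apply
    modprobe nf_conntrack_ftp; modprobe nf_nat_ftp   # FTP data channel then counts as RELATED
    echo 1 > /proc/sys/net/ipv4/ip_forward
    load_rules
    hairpin_rules "$(ext_ip)"
fi
```

Running it with `IPT=echo sh rc.firewall apply` prints every rule without touching the kernel, which is the quickest way to review the policy before loading it.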

