LinuxQuestions.org

Linux - Networking: Rules for Firewall (https://www.linuxquestions.org/questions/linux-networking-3/rules-for-firewall-789169/)

longvnit 02-15-2010 01:50 AM

Rules for Firewall
 
Hi, I tried to build a Linux firewall using CentOS 5.4 but not successfully.
Topology:

RangeIP Public <--->Firewall<--->HTTP Server

1. The firewall server has 2 NICs:
NIC 01 has 2 public IPs: 64.34.34.1 and 64.34.34.2
NIC 02 has 1 internal IP: 10.0.0.1
2. The HTTP server has 1 NIC:
NIC 1: 10.0.0.2

I want to configure it so that everybody can access the web server (10.0.0.2).

Using iptables, I tried to write the rules below on the firewall server:
#iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -d <IP PUBLIC> -j DNAT --to 10.0.0.2:80
#iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.2 -j SNAT --to <IP PUBLIC>

But not successfully. Please help me!

Simon Bridge 02-15-2010 02:08 AM

What is it that is not working and how can you tell?

Naturally everyone can access the web server if you just turn forwarding on for everyone. Since you are running a firewall, I guess there are some people or some kinds of access you want to block.

Instead of direct IP forwarding, you may want to try IP masquerade - normally used at gateways - or try setting your firewall box up as a bridge or transparent proxy.

I wouldn't normally use both pre and post-routing. example of a gateway firewall:
http://www.linuxquestions.org/questi...0/#post2224036
... and an example with masquerade:
http://www.linuxquestions.org/questi...2/#post2790552
... as a bridge:
http://www.linuxjournal.com/article/8172
... transparent proxy:
http://www.faqs.org/docs/Linux-mini/...rentProxy.html

... now, typical free software, you have too many choices.
Happy hacking.

Choon Keat 02-15-2010 03:37 AM

What does your forward flag say?
/proc/sys/net/ipv4/ip_forward

Also, shouldn't you just use the FORWARD chain instead?

longvnit 02-15-2010 04:18 AM

/proc/sys/net/ipv4/ip_forward = 0

I want that when anybody connects from the internet to the public IP, the HTTP traffic will go through the firewall into the HTTP server?

Choon Keat 02-15-2010 10:41 AM

That should be 1.
Putting it in the network init script will do it:
echo "1" > /proc/sys/net/ipv4/ip_forward

You can also try putting it in your sysconfig file,
/etc/sysconfig/network-scripts/ifcfg-eth0 (referencing Red Hat here):
FORWARD_IPV4="Yes"
This you will have to test; it changes from distro to distro and version to version.
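The pieces discussed in this thread (the DNAT rule from the first post, the FORWARD chain and the ip_forward flag raised in the replies) put together as one script. This is an added worked example, not code from any of the posters. It assumes eth0 carries the public address and eth1 the internal one, uses `-p tcp` (protocol match) where the first post had `-t tcp` (`-t` selects a table), and adds a default-DROP FORWARD policy so that only port 80 to the web server is forwarded; the addresses 64.34.34.1 and 10.0.0.2 are the ones from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): DNAT public port 80 to an internal web
# server and open the FORWARD chain only for that traffic.
# Assumptions: eth0 carries the public IP, eth1 faces the 10.0.0.0/24 side.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PUB_IP=${PUB_IP:-64.34.34.1}
WEB_IP=${WEB_IP:-10.0.0.2}
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT=${IPT:-iptables}

# Without this the kernel drops every packet it is asked to forward, whatever
# the nat table says. Adding net.ipv4.ip_forward = 1 to /etc/sysctl.conf
# makes it survive a reboot.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Applies (or, with IPT=echo, prints) the rule set. Note -p tcp, not -t tcp.
apply_rules() {
    $IPT -t nat -F
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Replies belonging to connections accepted by the rules below.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the destination of inbound HTTP before the routing decision.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUB_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_IP:80"
    # The DNATed packet then traverses FORWARD with its new destination,
    # so that is the address the filter rule has to match.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_IP" --dport 80 \
        -m state --state NEW -j ACCEPT
    # Connections the web server opens itself leave with the public address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$WEB_IP" -j SNAT --to-source "$PUB_IP"
}

# Number of iptables commands a dry run would issue; a cheap sanity check
# before running the script as root.
rule_count() {
    (IPT=echo; apply_rules) | wc -l | tr -d ' '
}

case "${1:-}" in
    apply)   enable_forwarding && apply_rules ;;
    dry-run) (IPT=echo; apply_rules) ;;
esac
```

Run it as `sh fw.sh dry-run` to see the seven commands it would issue, and `sh fw.sh apply` as root to install them. Replies to the DNATed connections are translated back by connection tracking on their own, so the POSTROUTING SNAT rule is only needed for connections the web server initiates outbound (updates, DNS). If the distribution's stock rule set rejects forwarded traffic, the DNAT rule alone will never be enough: the rewritten packet still has to be accepted in the FORWARD chain, which is why the original rules did not work even once ip_forward was set to 1.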

