Hey all,
I have a server(bill) connected to the internet through eth0 (public ip 212.34.228.48/28). This same server is connected through eth1 to another server(bob) (ip 192.168.1.1) which acts like a router to other computers in the network.
I want to make sure that server bob is not visible to the users accessing bill through the internet. Any idea what kind of rules I should set in my firewall on bill using iptables or ipforward?
An easy solution would be a NAT routing just like an ADSL router does, but I'm sorry I have absolutely no experience with Linux and firewalling. As this should be a standard case, you might look for tutorials for this.
Read up on iptables -- there are a number of good guides and howtos available on the net for it. In this case, what you want to do is have a rule on bill that rejects all packets bound to the internal 192.168.1.0/24 subnet that are not part of existing connections initiated from within. This is easy to do with the state module (-m state on the iptables command line). But it's hard to work up a complete configuration with the relatively limited information you have provided, so I'd suggest working through an iptables tutorial to try to set your own up and post back here for help if you can't seem to get it going.
OK, here is the pic of the network; the router I want to hide from the internet is the one at the centre (192.168.1.1) connected to all the other routers and to the firewall. http://p80.free.fr/net.jpg
Is the "firewall" shown in your diagram a separate server, or is it a firewall running on the 192.168.1.1 server, as that makes a huge difference.
You implied in your 1st post, that bill and bob were different servers, but in that diagram, they appear to be different interfaces in the same server.
If I understand the diagram correctly, then (bill) is your firewall and (bob) is the gateway for the 192.168.1.0/24 network. In that case, you're in the uber-cool position to double NAT the 192.168.1.0/24 network, making access to it from outside very difficult.
The main idea is to run yet another firewall on (bob) and the 2 firewalls work together like this:
1. BILL
Set the FILTER table policies to DROP by default
FILTER-IN:
allow loopback device
allow traffic coming from (bob_ip)
allow RELATED and ESTABLISHED traffic
FILTER-FORWARD:
allow RELATED and ESTABLISHED traffic
allow traffic coming from (bob_ip)
FILTER-OUT:
allow loopback device
allow traffic going to (bob_ip)
allow traffic going out eth0
NAT-POSTROUTING
MASQUERADE all traffic coming from (bob_ip) and going out eth0
2. BOB
Set the FILTER table policies to DROP by default
FILTER-IN:
allow loopback device
allow traffic coming from (LAN_ip_range) network
allow RELATED and ESTABLISHED traffic
FILTER-FORWARD:
allow RELATED and ESTABLISHED traffic
allow traffic coming from (LAN_ip_range) network
FILTER-OUT:
allow loopback device
allow traffic going to (bill_ip)
NAT-POSTROUTING
MASQUERADE all traffic coming from (LAN_ip_range) and going to (bill_ip)
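The two rule sets above written out as iptables commands, as an added example that is not part of the thread. Interface names, bob's uplink interface, the bill-side LAN name and the LAN range are assumptions read off the diagram; the script only prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the thread: the two rule sets outlined above as
# iptables commands. Interface names and the LAN range are assumptions
# taken from the diagram. IPT defaults to "echo iptables" so the script
# only prints; run with IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"               # bill: public interface
BILL_LAN_IF="${BILL_LAN_IF:-eth1}"     # bill: link toward bob
BOB_UPLINK_IF="${BOB_UPLINK_IF:-eth0}" # bob: link toward bill (assumed)
BOB_IP="${BOB_IP:-192.168.1.1}"
LAN="${LAN:-192.168.1.0/24}"           # LAN_ip_range behind bob
# Both hosts also need: sysctl -w net.ipv4.ip_forward=1

drop_by_default() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT DROP
}

# bill: only bob may open connections in or through it; bob's traffic
# leaves eth0 carrying bill's public address (MASQUERADE).
bill_rules() {
  drop_by_default
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -i "$BILL_LAN_IF" -s "$BOB_IP" -j ACCEPT
  $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPT -A FORWARD -i "$BILL_LAN_IF" -s "$BOB_IP" -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A OUTPUT -d "$BOB_IP" -j ACCEPT
  $IPT -A OUTPUT -o "$WAN_IF" -j ACCEPT
  $IPT -t nat -A POSTROUTING -s "$BOB_IP" -o "$WAN_IF" -j MASQUERADE
}

# bob: only the LAN may open connections; LAN traffic is rewritten to bob's
# own address before it reaches bill. "Going to bill" is implemented as
# "leaving on the interface that faces bill", because packets bound for
# the internet carry internet destinations, not bill's address.
bob_rules() {
  drop_by_default
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -s "$LAN" -j ACCEPT
  $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPT -A FORWARD -s "$LAN" -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A OUTPUT -o "$BOB_UPLINK_IF" -j ACCEPT
  $IPT -t nat -A POSTROUTING -s "$LAN" -o "$BOB_UPLINK_IF" -j MASQUERADE
}
```

Note that with this rule set bill itself accepts no new inbound connections from eth0; any service bill is meant to expose (SSH for administration, for instance) needs its own explicit INPUT rule, and that is deliberate.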