[QUOTE=Simon Bridge;2959289][QUOTE=saman;2958688]CLI?
Quote:
http://acronyms.thefreedictionary.com/CLI
Command Line Interface - your fav. shell will do.
Hmmm... I thought it was for when the ISP-assigned (external) IP was via DHCP. You still use NAT to get packets to the correct internal host.
The bridging method produces a transparent gateway, which can also be used to provide a proxy, content protection, etc. It's very powerful, scalable, and flexible. So it's become a popular method. Suggest you look into it.
Basic NAT + IP Forwarding usually goes like this:
Code:
# Allow IP Forwarding and use NAT for outgoing connections.
# (Only use for dual homed host acting as an internet gateway.)
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -o $WEBFACE -j SNAT --to $WEBIP
Now, you didn't make any DROP policies so the second line is moot. But I don't see you enabling IP-Forwarding, which would be a problem.
If I've understood your setup, the nic that looks at the internet is eth0 (so WEBFACE=eth0), and the IP of this nic is 192.168.1.5 (so WEBIP=192.168.1.5). The only place you can now get errors is in mixing up the IPs and nics (or if your kernel doesn't support this... unusual, but it happens with custom kernels). I'm not about to mirror your setup here, so you'll have to figure that out yourself. The command is correct.
I still think that your lack of DROP policies suggests some confusion about what you are trying to do - especially as you have explicit ACCEPT rules in there. They're moot - with ACCEPT policies on all chains, you need to be explicitly DROPping undesirable packets. Security is easier with DROP policies... then you set up rules to accept desirable packets.
What you are trying to do looks a lot like what I was doing a while ago... I've dug up my old firewall script for reference. I used to use this as a point of departure.
Code:
#! /bin/bash
######################################################################
# sdb firewall: Simon Bridge 2005 #
# Updated 2006, 2007 #
# based on the mdh firewall of Jon "maddog" Hall & Paul G Seary 2003 #
# (CC) Creative Commons Attribution Share-alike #
# Leave this header in place with the CC notice. #
######################################################################
# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Remove existing rules (note the option is spelled --delete-chain).
iptables --flush
iptables -t nat --flush
iptables --delete-chain
iptables --zero
# Definitions
MYNET="192.168.2.0/24"
LANFACE="eth0"
WEBFACE="eth0"
WEBIP="192.168.0.0" # for a gateway
DNS01=""
DNS02=""
BCAST="192.168.255.255"
LOOPB="127.0.0.1/32"
ADDINP="iptables -A INPUT"
ADDOUT="iptables -A OUTPUT"
ADDFWD="iptables -A FORWARD"
### Kernel Parameters ###
# Uncomment to disable response to icmp ping requests.
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance (write to each per-interface file in turn).
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    /bin/echo "0" > "$interface"
done
# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering (again per interface).
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "1" > "$interface"
done
# Make sure that IP forwarding is turned off.
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
### Rules ###
# Set up a default DROP policy for the built-in chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
### Explicit deny rules before the accept rules
# Prevent external packets from using loopback addr
$ADDINP -i $WEBFACE -s $LOOPB -j DROP
#$ADDFWD -i $WEBFACE -s $LOOPB -j DROP
$ADDINP -i $WEBFACE -d $LOOPB -j DROP
#$ADDFWD -i $WEBFACE -d $LOOPB -j DROP
### Explicit allow rules
# Allow traffic on the loopback interface.
$ADDINP -i lo -j ACCEPT
$ADDOUT -o lo -j ACCEPT
# Allow SSH connections
$ADDINP -p tcp --dport 22 -j ACCEPT
# Allow only initiated traffic in (valid conntrack states are
# NEW, ESTABLISHED, RELATED and INVALID)
$ADDINP -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow access to Samba shares via the LAN
# (-s takes an address, so match the LAN interface with -i and the LAN net with -s)
#$ADDINP -p udp -m udp -i $LANFACE -s $MYNET --dport 137 -j ACCEPT
#$ADDINP -p udp -m udp -i $LANFACE -s $MYNET --dport 138 -j ACCEPT
#$ADDINP -m state --state NEW -m tcp -p tcp -i $LANFACE -s $MYNET --dport 139 -j ACCEPT
#$ADDINP -m state --state NEW -m tcp -p tcp -i $LANFACE -s $MYNET --dport 445 -j ACCEPT
# Allow IP Forwarding and use NAT for outgoing connections.
# (Only use for dual homed host acting as an internet gateway.)
#/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
#iptables -P FORWARD ACCEPT
#iptables -A POSTROUTING -t nat -o $WEBFACE -j SNAT --to $WEBIP
# Allow network traffic through LAN
$ADDINP -i $LANFACE -s $MYNET -j ACCEPT
# Allow all traffic out
# Any other output rule should go /before/ this one
$ADDOUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Policy ACCEPT would work as well ... but I could add explicit rules
# here and comment out this line instead
[/QUOTE]
Ok, since you recommended it, I decided to implement a DROP policy.
Below is the file:
---------------------------iptables-config--------------------
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modules.conf.
IPTABLES_MODULES="ip_nat_ftp"
# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"
# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"
# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"
--------------end of iptables-config-------------------
IP forwarding is also enabled:
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
-----------------------here the iptables-----------------------
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
#*nat
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
##User defined chain for ACCEPTED TCP packet
-N mars
-A mars -p TCP --syn -j ACCEPT
-A mars -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A mars -p TCP -j DROP
## INPUT Chain rules
-A INPUT -p ALL -i eth1 -s 192.168.0.10/24 -j ACCEPT
-A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.0.10 -j ACCEPT
-A INPUT -p ALL -i lo -s 192.168.1.5 -j ACCEPT
-A INPUT -p ALL -i lo -d 192.168.0.10 -j ACCEPT
## RULES FOR INCOMING PACKETS FROM THE INTERNET
# PACKETS FOR ESTABLISHED CONNECTIONS
-A INPUT -p ALL -d 192.168.1.5 -m state --state ESTABLISHED,RELATED -j ACCEPT
## TCP Rules
-A INPUT -p TCP -i eth0 --destination-port 21 -j mars
-A INPUT -p TCP -i eth0 --destination-port 22 -j mars
-A INPUT -p TCP -i eth0 --destination-port 80 -j mars
-A INPUT -p TCP -i eth0 --destination-port 113 -j mars
## ICMP rules
-A INPUT -p ICMP -i eth0 --icmp-type 8 -j ACCEPT
-A INPUT -p ICMP -i eth0 --icmp-type 11 -j ACCEPT
## FORWARD CHAIN RULES
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## OUTPUT CHAIN RULES
# ONLY OUTPUT PACKET WITH LOCAL ADDRESSES (NO SPOOFING)
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.0.10 -j ACCEPT
-A OUTPUT -p ALL -s 192.168.1.5 -j ACCEPT
## POSTROUTING chain rules
-table nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
COMMIT
---------------------end of iptables --------------------------
When I run it, I get the error
Bad argument 'nat'
If I change 'nat' to -table NAT, I get the same error
-t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
or
-t NAT -A ....etc
(iptables-restore v1.2.11: line 49 seems to have a -t table option [FAILED])
Where did I go wrong, and what can I improve to solve the problem?
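The file above puts the table option on the rule line itself, whereas iptables-restore expects each table as its own `*name` ... `COMMIT` section and rejects a per-rule `-t`/`-table`. As an added example (not from either poster), here is a POSIX sh lint for that layout error, run over a constructed excerpt of the failing file and over the same rules in the section layout iptables-restore accepts.

```shell
#!/bin/sh
# Added example, not from the thread. iptables-restore reads "*table", the rules
# for that table, then COMMIT. A per-rule "-t nat" (or "-table nat") inside the
# *filter section is what yields "line N seems to have a -t table option".
# lint_restore_file: reads a rules file on stdin, prints each problem, exits 1 if any.
lint_restore_file() {
    awk '
        function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; problems++ }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        /^\*/ {                                       # "*filter", "*nat", ...
            if (open) bad("table " table " not closed by COMMIT")
            table = substr($0, 2); open = 1; next
        }
        /^COMMIT$/ { if (!open) bad("COMMIT with no open table"); open = 0; next }
        /(^|[ \t])--?t(able)?([ \t]|$)/ {             # -t, -table, --table on a rule
            bad("per-rule table option; put the rule under its own *table section"); next
        }
        !open { bad("rule outside any *table section") }
        END {
            if (open) { printf "end of file: table %s has no COMMIT\n", table; problems++ }
            if (problems) exit 1
        }'
}

# Constructed excerpt of the failing layout from the thread (SNAT rule under *filter).
broken_rules() {
    cat <<'EOF'
*filter
-P FORWARD DROP
-A FORWARD -i eth1 -j ACCEPT
-table nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
COMMIT
EOF
}

# Same rules laid out as iptables-restore expects: the SNAT rule gets its own
# *nat section and COMMIT; the *filter section keeps only filter rules.
fixed_rules() {
    cat <<'EOF'
*nat
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.5
COMMIT
*filter
-P FORWARD DROP
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
```

Run `fixed_rules | lint_restore_file` before `fixed_rules | iptables-restore`; the lint flags the `-table nat` line in the broken excerpt and passes the two-section version.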