LinuxQuestions.org
Old 06-02-2003, 06:58 PM   #1
Soma
LQ Newbie
 
Registered: Dec 2002
Posts: 24

Rep: Reputation: 15
Firewall help: 3 interfaces


First a little about the setup on my Linux box:
- eth0: LAN interface (10.0.0.2/24)
- eth1: wireless interface (10.0.1.1/24)
- ppp0: interface that's brought up by PPTPd (192.168.0.0/24)

And my LAN:
- Linux box (Athlon 1400, 512MB RAM, Debian stable (2.4.20))
- Smoothwall box (K6/3 500, 128MB RAM, 2 interfaces; cable and LAN, Smoothwall GPL 1.0)

Now my problem: I don't know enough about iptables at the moment to achieve what I want to do, and really need some help from you wonderful people.

What I want to do on the Linux box is to run a firewall to block all packets coming in from the wireless interface except for PPTPd-related ports (47 and 1723), web and FTP and possibly some forwarded ports. I am also sharing my internet connection at the moment over wireless and am using PPTPd/VPN to secure it a little bit (only 128-bit encryption though) and want to masquerade the PPTPd/ppp related traffic (192.168.0.0/24) over the LAN interface (10.0.0.2/24) because my Smoothwall box only accepts/forwards connections from my LAN IP range. Is this possible? Is it also possible to set up some rules if the interface doesn't exist when the firewall is brought up (i.e. ppp won't exist until a VPN connection is started)?

In the past, when I have just had two interfaces to worry about, I have just used pre-made iptables scripts like monmotha's firewall scripts, which have worked very well.

Thanks for your help!

edit: can I just use one of monmotha's scripts and modify it maybe?

Last edited by Soma; 06-02-2003 at 09:28 PM.
 
Old 06-04-2003, 08:51 PM   #2
Soma
LQ Newbie
 
Registered: Dec 2002
Posts: 24

Original Poster
Rep: Reputation: 15
Bump.. anyone?
 
Old 06-05-2003, 07:08 PM   #3
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
there is plenty of iptables stuff on the forums:

Basic rule examples:

1. block all info from ppp0 that's not port 10 or 20..THAT IS BOUND FOR THIS MACHINE (that the rules are written on)

iptables -A INPUT -i ppp0 -p tcp -m multiport ! --dports 10,20 -j DROP (double check this, I've never used multiple ports in 1 rule before but I think it works).

or you could just do an all out DROP policy to drop anything coming into the box and open up only the ports you want:

iptables -P INPUT DROP ..this drops EVERYTHING bound for the box

then you would want to open up like...port 22 to ssh in:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

and you will want to allow connections that you established to work...like browsing web pages..so you'd want a rule like this:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


2. NATing

let's say you are sharing a connection, you may need to do some NATing.
There are 2 types of NATing, source nating (SNAT) where you change
the source address of the packet, and destination natting (DNAT) where
you change the destination of the packet.

SNAT is the same as MASQUERADEing and DNAT is commonly referred
to as port forwarding. Here are sample rules for both.

1. share internet connection with a computer connected to eth1

iptables -A POSTROUTING -t nat -s 192.168.0.1 -j SNAT --to-source <intern ip address>

if you don't have a static address you will do this:

iptables -A POSTROUTING -t nat -s 192.168.0.1 -j MASQUERADE
by using this rule, it determines your ip for you....has more overhead.


2. port forwarding: let's say you have the same setup as above and you want
all web page requests to go to 192.168.0.1:

iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1

this sends any request bound for port 80, to 192.168.0.1


misc stuff:

-i incoming interface i.e. eth0, eth1, ppp0...etc
-o outgoing interface same as above

there is also a FORWARD chain where you can set your forwarding rules or you can leave it alone and just have a default policy to forward everything that needs to be forwarded. If a packet comes in and needs to be forwarded, it won't go through the INPUT or OUTPUT rules (I don't think) unless you do something like -j INPUT for said packet. Because you are new to iptables, I'd go ahead and set up forwarding to forward all (this may be insecure) and get everything set up, then start playing with forwarding rules when you get more familiar with iptables.

iptables -P FORWARD ACCEPT (it should be the default anyway....in most cases it is)

I kind of didn't wanna write your rules for you because it's a great learning experience
to be able to do it yourself. My examples should help, but if it is still unclear
I'm more than willing to explain something or give more detail to help you solve the problem.
Just post again if you have questions.

Last edited by Robert0380; 06-05-2003 at 07:11 PM.
 
Old 06-05-2003, 07:10 PM   #4
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
oh I forgot....

when you put your rules in rc.firewall, put a line in your rc.local for it. I think you
can just add the line to rc.local like so:


rc.firewall

and your firewall rules will be set when you boot up....also make sure you flush
all tables at the top of the file:

iptables -F
iptables -t nat -F
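Putting the thread's pieces together (the three interfaces from post #1, Robert0380's INPUT/NAT/FORWARD rule patterns from post #3, and the flush-at-the-top advice from post #4), here is an added example of a complete rc.firewall for that box. It is not from the thread, from monmotha's scripts or from Smoothwall; the interface names and address ranges are the ones Soma gave, while the dry-run switch (IPT), the rate-limited LOG rule and the choice of SNAT to the static LAN address 10.0.0.2 are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: an rc.firewall for the three-interface
# box Soma described. Interface names and address ranges come from post #1;
# the dry-run switch, the LOG rule and SNAT to 10.0.0.2 are my assumptions.
LAN_IF=eth0                 # 10.0.0.2/24, wired LAN towards the Smoothwall
LAN_IP=10.0.0.2
WLAN_IF=eth1                # 10.0.1.1/24, wireless clients
VPN_IF=ppp0                 # brought up by pptpd; may not exist at boot
VPN_NET=192.168.0.0/24      # addresses pptpd hands to VPN clients

# IPT is prefixed to every rule. "iptables" applies them; "echo iptables"
# only prints them, so the script can be reviewed without root.
IPT="${IPT:-echo iptables}"

build_rules() {
    # Flush first so re-running the script never stacks duplicate rules.
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # Default deny for traffic to and through this box; let it talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections this box opened itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Wired LAN is the trusted side: accept everything from it.
    $IPT -A INPUT -i "$LAN_IF" -j ACCEPT

    # Wireless: only the PPTP control channel (tcp/1723), GRE (IP protocol
    # 47, which is a protocol number, not a port), web and FTP control.
    $IPT -A INPUT -i "$WLAN_IF" -p tcp --dport 1723 -j ACCEPT
    $IPT -A INPUT -i "$WLAN_IF" -p 47 -j ACCEPT
    $IPT -A INPUT -i "$WLAN_IF" -p tcp -m multiport --dports 21,80 -j ACCEPT
    # Everything else from wireless is logged (rate limited) and dropped.
    $IPT -A INPUT -i "$WLAN_IF" -m limit --limit 5/min -j LOG --log-prefix "wlan-drop: "
    $IPT -A INPUT -i "$WLAN_IF" -j DROP

    # Forwarding: only VPN clients pass through, and only towards the LAN.
    # Rules that name ppp0 load fine before pptpd creates the interface;
    # they just match nothing until it exists.
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rewrite VPN client source addresses to this box's LAN address, so the
    # Smoothwall only ever sees 10.0.0.2, which is inside the range it allows.
    # The LAN address is static, so SNAT is used rather than MASQUERADE.
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j SNAT --to-source "$LAN_IP"
}

# Number of iptables commands the script would issue (self-check helper).
rule_count() {
    (IPT="echo iptables"; build_rules) | wc -l | tr -d ' '
}

case "${1:-}" in
    apply)
        # Real run: needs root. Also turn on routing between interfaces.
        IPT=iptables
        echo 1 > /proc/sys/net/ipv4/ip_forward
        build_rules
        ;;
    *)
        # Default is a dry run: print the rules that would be applied.
        build_rules
        ;;
esac
```

Run it with no argument to print the rules for review, and as `sh rc.firewall apply` (as root, from rc.local) to load them. Two points it settles from post #1: a rule that names ppp0 can be added while the interface does not exist yet, so the VPN rules can be loaded at boot, and forwarded packets only ever traverse the FORWARD chain (plus the nat table), never INPUT or OUTPUT, which is why the wireless INPUT rules do not affect VPN clients' traffic to the LAN.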
 
  

