#1 | 05-13-2006, 03:47 PM | LQ Newbie (Registered: May 2006, Posts: 9)

iptables

Hello,
can anyone help me with iptables?
I need to make a firewall, a packet filter. Can anyone help me out?
Thanks
#2 | 05-13-2006, 05:20 PM | LQ Guru, Seymour, Indiana (Registered: Jan 2003, Posts: 5,700; Distribution: RHEL 5 with pieces of this and that, kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu)

This is one of the simplest sites that builds a basic firewall, whether as a single host or masquerading. Just answer the questions it asks. http://easyfwgen.morizot.net/gen/
Your distro installation may contain one as well. Unknown, since you are not mentioning your system setup.
Brian1
#3 | 05-13-2006, 05:53 PM | LQ Newbie, Original Poster (Registered: May 2006, Posts: 9)

I have to configure a Linux computer that functions as a router!
It connects to the outside web
and to internal computers using NAT.
The computer has 2 IPs, one for inside and the other for outside.
I have to filter some services
from in to out
and out to in.
#4 | 05-13-2006, 06:09 PM | LQ Guru, Seymour, Indiana (Registered: Jan 2003, Posts: 5,700)

Filter some services to do what?
Brian1
#5 | 05-13-2006, 09:41 PM | Senior Member, NY (Registered: Jul 2003, Posts: 1,048; Distribution: Slackware, Termux)

Check out the docs on http://www.netfilter.org/. NAT can be kind of tricky.
#6 | 05-14-2006, 05:38 AM | LQ Newbie, Original Poster (Registered: May 2006, Posts: 9)

This is the scene of the testing:

                                              +----- pc1
    internet ----- linux computer ----- switch +----- pc2
    (Outside)                                 +----- pc3
                                                 (LAN)

My eth0 is 192.168.0.10, inside network.
My eth1 is 10.2.15.9, outside network.

1st) One of the machines in the LAN (192.168.0.254) must be able to communicate with the outside doing DNS, NTP,
SSH, HTTP and HTTPS (and only these).
The resolution I did for DNS:
Code:
# forward everything from the inside interface to the outside interface
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# redirect DNS over TCP coming from the LAN to 10.2.15.9
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-dest 10.2.15.9
# accept the redirected DNS traffic in the FORWARD chain
iptables -A FORWARD -p tcp -i eth0 --dport 53 -d 10.2.15.9 -j ACCEPT
# note: ordinary DNS lookups use UDP port 53; these rules only match TCP
Is this right???

2nd) The machine inside gives services to the outside such as SSH, HTTP and HTTPS.
For example, SSH connections received by the firewall on the external address must be automatically sent to the internal machine!

3rd) For the rest of the internal machines I should use NAT, using the external address, for these services: FTP,
DNS, NTP, SSH, SMTP, SMTPS, POP3, POP3S, IMAP and IMAPS.
All other types of connections and services must be denied at the firewall!
#7 | 05-14-2006, 05:39 AM | LQ Newbie, Original Poster (Registered: May 2006, Posts: 9)

The switch is connected to pc1, pc2 and pc3, and that is the internal network; it was all pulled to the left!
#8 | 05-14-2006, 09:23 AM | LQ Guru, Seymour, Indiana (Registered: Jan 2003, Posts: 5,700)

What looks like the easiest thing for you to do is check out this firewall script and modify it to do what you need. http://www.linuxguruz.com/iptables/s...rewall_004.txt
1. To me it looks like you want that machine to communicate going out to the internet. NAT takes care of that.
2. Port forwarding is what you are going to do, using DNAT, once the port is open on the outside NIC.
3. Confused here. Do you mean the services mentioned are clients? If so, no problem, again NAT. If they are daemon services, then you need to do as in 2.
I would modify the script above to match your setup. Open the needed ports in the first part; even though they are not on the NIC, they need to be seen on the outside. Then at the bottom enable the DNAT examples and forward the ports as needed to the proper internal IP.
Brian1
#9 | 05-14-2006, 09:50 AM | LQ Newbie, Original Poster (Registered: May 2006, Posts: 9)

Do you have Yahoo Messenger or MSN Messenger? So I can explain to you what I need!
Thanks
Best regards
#10 | 05-14-2006, 04:59 PM | LQ Guru, Seymour, Indiana (Registered: Jan 2003, Posts: 5,700)

No, I don't do any messenger services. I prefer to stay in this forum to help, so that others can follow along the way.
Do you have the iptables firewall set up yet?
Brian1
#11 | 05-14-2006, 05:12 PM | LQ Newbie, Original Poster (Registered: May 2006, Posts: 9)

I have configured:
Code:
eth0      Link encap:Ethernet  HWaddr 00:11:09:d6:72:91
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::211:9ff:fed6:7291/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31366943 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10648 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1898360120 (1810.4 Mb)  TX bytes:1468887 (1.4 Mb)
          Interrupt:185 Base address:0xe200

eth0:01   Link encap:Ethernet  HWaddr 00:11:09:d6:72:91
          inet addr:10.2.15.9  Bcast:10.2.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:185 Base address:0xe200
#12 | 05-14-2006, 05:21 PM | LQ Newbie, Original Poster (Registered: May 2006, Posts: 9)

How can I do that?
#14 | 05-15-2006, 07:54 AM | LQ Newbie (Registered: Apr 2006, Posts: 10)

Maybe I can be of some help; my ICQ is 339434027.
Best regards,
Den
#15 | 05-15-2006, 03:54 PM | LQ Guru, Seymour, Indiana (Registered: Jan 2003, Posts: 5,700)

Ok, I think I see something that I missed. Do you have 2 NICs in this machine, or only one?
To do what you want you need two NICs installed. Make eth0 your WAN/internet port and eth1 the LAN side.
Now, are there two external IPs, or only one?

eth0
  IP: 10.2.15.9
  Gateway: unknown at this time
  Subnet: unknown at this time
  DNS: unknown at this time
eth1
  IP: 192.168.0.10
  Gateway: do not define one
  Subnet: my guess, the full class C, 255.255.255.0
  Enable masquerading

Then the machines connected to the LAN side will use
  Subnet: 255.255.255.0
  Gateway: 192.168.0.10
  IP: define as needed, but no two machines can have the same one.
You can use DHCP for some, but the ones that will need to run the services require static IPs.
So the first thing to do is get two NICs installed and configured as above.
Then you can use that easy firewall generator to get started, or better, use the firewall script posted above.
Brian1
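The script below is an added example for this thread; it is not the poster's code and not the linuxguruz script linked in #8. It puts the requirements of post #6 together with the NAT/DNAT approach of post #8 and the two-NIC layout of post #15 into one default-deny router. Assumptions not stated in the thread: eth0 is the LAN side (192.168.0.10/24) and eth1 the WAN side (10.2.15.9) as in post #6, the outside address is static (so SNAT is used rather than MASQUERADE), the `conntrack` and `multiport` iptables matches are available, and one extra INPUT rule lets the router itself be administered over SSH from the LAN, since WAN port 22 is forwarded to the internal server. By default the script only prints the rules; run it as root with `apply` to load them.

```sh
#!/bin/sh
# NAT router + packet filter for the layout in this thread (added example, not the thread's code).
# Assumed names/addresses: eth0 = LAN, eth1 = WAN, WAN address static, server = 192.168.0.254.
# Prints the iptables commands by default; "sh firewall.sh apply" as root loads them for real.
set -eu

LAN_IF=eth0
WAN_IF=eth1
WAN_IP=10.2.15.9
LAN_NET=192.168.0.0/24
SERVER=192.168.0.254        # the LAN host of requirements 1) and 2)

DRY_RUN=${DRY_RUN-1}        # 1 = print the rules, 0 = execute them

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Start from clean tables; deny by default for traffic to and through the router.
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and packets belonging to connections that were already allowed.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Admin SSH to the router itself, from the LAN side only (WAN port 22 is forwarded below).
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # 1) SERVER -> outside: DNS, NTP, SSH, HTTP, HTTPS and nothing else.
    ipt -N SERVER_OUT
    ipt -A SERVER_OUT -p udp -m multiport --dports 53,123 -j ACCEPT
    ipt -A SERVER_OUT -p tcp -m multiport --dports 53,22,80,443 -j ACCEPT
    ipt -A SERVER_OUT -j DROP      # so SERVER traffic never falls through to LAN_OUT

    # 3) The other LAN hosts -> outside: FTP, DNS, NTP, SSH, SMTP(S), POP3(S), IMAP(S).
    #    Active-mode FTP data connections also need the nf_conntrack_ftp helper loaded.
    ipt -N LAN_OUT
    ipt -A LAN_OUT -p udp -m multiport --dports 53,123 -j ACCEPT
    ipt -A LAN_OUT -p tcp -m multiport --dports 21,53,22,25,465,110,995,143,993 -j ACCEPT

    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$SERVER" -m conntrack --ctstate NEW -j SERVER_OUT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j LAN_OUT

    # 2) Port forwarding: SSH/HTTP/HTTPS arriving on the WAN address are DNATed to SERVER.
    #    DNAT happens in PREROUTING, so the forwarded packets still need a FORWARD accept.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp -m multiport --dports 22,80,443 \
        -j DNAT --to-destination "$SERVER"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SERVER" -p tcp -m multiport --dports 22,80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Source NAT for everything the LAN sends out (static WAN IP, so SNAT instead of MASQUERADE).
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

if [ "${1-}" = apply ]; then
    DRY_RUN=0
    firewall_rules
    sysctl -w net.ipv4.ip_forward=1    # make it permanent in /etc/sysctl.conf as well
else
    firewall_rules
fi
```

Rule order is what makes the policy hold: SERVER_OUT ends in an explicit DROP, so packets from 192.168.0.254 never fall through to the wider LAN_OUT list, and the DNAT in the nat PREROUTING chain only rewrites the destination, so the forwarded SSH/HTTP/HTTPS packets still have to be accepted in FORWARD. Everything else, in either direction, hits the DROP policies.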