LinuxQuestions.org


sunlinux 12-01-2007 04:02 AM

iptables outbound traffic to all ports
 
Hi,

I configured NAT on a Linux box.

I want to allow a LAN IP to connect, all incoming and all outgoing traffic, to a destination IP (internet IP), both TCP and UDP, on all ports.

Please help me out.

win32sux 12-01-2007 10:46 AM

Well, to let the LAN IP connect to the WAN IP using only the TCP and UDP protocols, it's like:
Code:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_IP -d $WAN_IP \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE -s $LAN_IP -d $WAN_IP \
-m state --state NEW -j ACCEPT

Then to forward all TCP and UDP traffic from that WAN IP to the LAN IP (DMZ style) it's like:
Code:

iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE -j DNAT --to-destination $LAN_IP
iptables -t nat -A PREROUTING -p UDP -i $WAN_IFACE -j DNAT --to-destination $LAN_IP
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE -s $WAN_IP -d $LAN_IP \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -p UDP -i $WAN_IFACE -o $LAN_IFACE -s $WAN_IP -d $LAN_IP \
-m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Keep in mind this would all be somewhat simpler if you'd just match everything instead of just TCP and UDP:
Code:

iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_IP -d $WAN_IP \
-m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IFACE -j DNAT --to-destination $LAN_IP
iptables -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -s $WAN_IP -d $LAN_IP \
-m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

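The "match everything" ruleset from the reply above, written up as a small script (an added example, not win32sux's own commands). It differs from the reply in two defender-side details: the DNAT rule is limited to packets whose source is $WAN_IP, so the LAN host is not reachable from arbitrary internet addresses (in the reply only the FORWARD rule narrows the source, while the DNAT itself matches any sender), and packets that fall through to the FORWARD DROP policy are logged at a limited rate. Interface names and addresses are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the thread's ruleset with
# a source-restricted DNAT and a rate-limited LOG rule before the DROP policy.
# eth1/eth0 and the IP addresses used below are constructed placeholders.

gen_rules() {
  lan_iface=$1; wan_iface=$2; lan_ip=$3; wan_ip=$4
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $lan_iface -o $wan_iface -s $lan_ip -d $wan_ip -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $wan_iface -s $wan_ip -j DNAT --to-destination $lan_ip
iptables -A FORWARD -i $wan_iface -o $lan_iface -s $wan_ip -d $lan_ip -m state --state NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
iptables -t nat -A POSTROUTING -o $wan_iface -j MASQUERADE
EOF
}

# Number of commands the generator emits; used as a sanity check.
rule_count() {
  gen_rules "$@" | grep -c ''
}

# Apply for real only when APPLY=1 is set and we run as root; otherwise just
# print the commands so they can be reviewed first.
apply_rules() {
  if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    gen_rules "$@" | sh -e
  else
    gen_rules "$@"
  fi
}

# Constructed sample: LAN host 192.168.1.10 behind eth1, remote host 203.0.113.5 via eth0.
apply_rules eth1 eth0 192.168.1.10 203.0.113.5
```

Run as root with APPLY=1 to load the rules; without it the script only prints them.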