LinuxQuestions.org

Linux - Security forum thread: https://www.linuxquestions.org/questions/linux-security-4/need-help-with-iptables-and-2-net-connections-408476/

anthonysaulnier 01-27-2006 12:45 AM

need help with iptables and 2 net connections
 
Ok, some of you may be wondering why I am trying this. I want to set up my router/server with two internet connections.

eth0 is for my highest speed ISP connection, which of course does not allow me to run certain types of servers.

eth1 is my internal network connection.

eth2 is for my other ISP connection that allows me to run needed servers, but of course is slower.

I am looking to use iptables, but the problem is that I have no idea how to block the ports for eth0 and open the required ports for eth2 at the same time. I will need both connections to be active at the same time, with eth0 being my main internet connection. I am using iptables now as a firewall for only a single internet connection and it works fine, but I cant seem to find any information on how to accomplish what I need to.

If anyone has any ideas it would be very much appreciated.

halvy 01-27-2006 02:54 PM

Quote:

Originally Posted by anthonysaulnier
..eth0 is for my highest speed ISP connection, which of course does not allow me to run certain types of servers. ..


.. but the problem is that I have no idea how to block the ports for eth0 and open the required ports for eth2 at the same time. ..

If anyone has any ideas it would be very much appreciated.

well i know they SAY you can't use servers.. but that's not only their opinion, it is CRAP!

i'm not sure HOW you would do it, .. something about using 80 or some other common port (which the scum bag ISPs CAN'T block!) haha

and what do you mean you have no idea how to block eth0 ports and open eth2's?

are you not familiar with iptables (or some front end gui like guarddog?).

i mean, .. do you MEAN that you really don't know HOW to do it, or that you don't know WHICH ones would be appropriate?

good luck.. lettuce know :]

win32sux 01-27-2006 05:43 PM

it's actually quite simple... you just need to add a match to your rules which specifies the interface the rule applies to... for example:
Code:

iptables -A INPUT -p TCP --dport 80 -j ACCEPT
this (above) rule would allow all incoming packets destined for tcp port 80 (on all interfaces)... but if you just want the rule to apply to eth1, then you'd just need to add the interface match, like so:
Code:

iptables -A INPUT -p TCP -i eth1 --dport 80 -j ACCEPT
so now the tcp port 80 packets would only get accepted by that rule if they came in through eth1... any packet which did NOT come in through eth1 would not be matched against that rule, so it would continue traversing the chain - and if it doesn't match any rules after that one, it would run into the chain's policy, which hopefully you've set to DROP... :)

anthonysaulnier 01-27-2006 07:59 PM

Thanks for your reply Win, yeah I do have some knowledge of iptables (although I'm not an iptables knowledge king), but I don't have any experience using it when you have to set up different firewall settings on multiple interfaces with internet connections. With my current setup, my firewall blocks most incoming traffic into my external NIC unless I request it. For my internal NIC it doesn't block anything.

Somehow the firewall knows what interface represents the internet connection and so it will apply the rules to that interface. Again I do have some knowledge of iptables, but I'm not a knowledge king. I am wondering when I do add another internet connection interface, in which both will be active at the same time, do I have to somehow tell iptables to monitor both interfaces.

Take for example my following script:

Code:

#!/bin/sh
# eth0 is the interface with the internet connection. Notice that I do not
# have to tell iptables to also accept INPUT on eth1, which is currently the
# internal interface.

# Flush existing rules and turn on forwarding (RHEL/CentOS style service
# management is used below: chkconfig and "service iptables save").
iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
chkconfig --level 345 iptables on
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Default-deny on INPUT, then accept everything that did not arrive on eth0.
# "! -i eth0" is the current negation syntax; the older "-i ! eth0" form
# still works but prints a deprecation warning on newer iptables.
iptables -P INPUT DROP
iptables -A INPUT ! -i eth0 -j ACCEPT

# Replies to connections this box (or the LAN, via NAT) initiated.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A INPUT ! -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport 80 -j ACCEPT
service iptables save

In a nutshell I want to drop all packets on all internet interfaces that don't qualify.

I used to be with Bell Sympatico, who did let me run servers, but they were getting bad with their customer service so I decided to switch to Rogers Cable Internet which is much faster. I was running email and ssh servers at the time of the switch when Rogers remotely ran a port scanner and found out that I was running these servers, so they shut down my internet connection on me, which sucked.

win32sux 01-27-2006 08:07 PM

if you tell me what type of incoming packets (HTTP/HTTPS, POP3, etc.) you wanna accept on each interface, i'll post a custom-made script for you... :)

anthonysaulnier 01-27-2006 10:07 PM

Yeah I would be looking for SMTP, POP, HTTPS/HTTP. Any ideas that you have would be great. I tried googling my subject but haven't found anything specifically for people who want to run two internet interfaces although there is lots of other great material.

Thanks,

Anthony

BTW you can feel free to contact me should you need any help too with other things.

win32sux 01-28-2006 04:19 AM

okay, so if i'm understanding you right, you want incoming SMTP, POP, and HTTPS/HTTP on eth2, while filtering all incoming connections on eth0... also, you want all traffic coming from boxes hooked-up to eth1 (LAN) to be forwarded and masqueraded out through eth0... if that's the case, then this script should do the trick:
Code:

#!/bin/sh

IPT="/sbin/iptables"

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i eth2 --dport 25 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i eth2 --dport 110 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i eth2 --dport 80 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i eth2 --dport 443 \
-m state --state NEW -j ACCEPT

$IPT -A FORWARD -i eth1 -o eth0 -j ACCEPT

$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward

you can do an "iptables-save" right after executing the script (and making sure it works properly)... keep in mind that kernel parameter settings, such as rp_filter and ip_forward won't get saved when you do an "iptables-save", so you'd need to edit your sysctl.conf file accordingly... the lines you'd need to set would look like:
Code:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
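The first-match chain traversal win32sux describes above (a packet that matches no rule runs into the chain policy), applied to both INPUT rulesets posted in this thread. This is an added example, not code from the thread: a small Python model in which the rule dicts, the sample packets and the "state" field are constructed for illustration and stand in for iptables' interface, protocol, port and conntrack state matches.

```python
# Added example (not from the thread): a first-match model of an iptables
# INPUT chain with policy DROP, used to compare what the two scripts posted
# above do to constructed sample packets. Rule dicts and packets are
# illustrative; "state" stands in for the conntrack state match.

def _match(key, want, pkt):
    """One criterion of a rule against one packet."""
    if key == "not_in":            # negated interface match ('! -i eth0')
        return pkt["in"] != want
    if key == "state":             # -m state --state A,B matches any listed
        return pkt["state"] in want
    return pkt.get(key) == want    # -i / -p / --dport exact matches

def evaluate(chain, policy, pkt):
    """Walk the chain in order: the first rule whose criteria all match gives
    the verdict; a packet matching nothing falls through to the policy."""
    for rule in chain:
        if all(_match(k, v, pkt) for k, v in rule.items() if k != "target"):
            return rule["target"]
    return policy

# anthonysaulnier's INPUT rules: accept anything NOT arriving on eth0, then
# ESTABLISHED,RELATED, then tcp/80 on eth0. Policy DROP.
ORIGINAL = [
    {"not_in": "eth0", "target": "ACCEPT"},
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"in": "eth0", "proto": "tcp", "dport": 80, "target": "ACCEPT"},
]

# win32sux's INPUT rules: replies, loopback, then NEW tcp 25/110/80/443 on
# eth2 only. Policy DROP.
PROPOSED = [
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"in": "lo", "target": "ACCEPT"},
] + [{"in": "eth2", "proto": "tcp", "dport": p, "state": {"NEW"}, "target": "ACCEPT"}
     for p in (25, 110, 80, 443)]

def pkt(iface, dport, state="NEW", proto="tcp"):
    return {"in": iface, "proto": proto, "dport": dport, "state": state}

def verdicts(chain):
    """Verdicts for a handful of constructed packets, keyed by a label."""
    samples = {
        "eth0 new ssh":  pkt("eth0", 22),
        "eth0 reply":    pkt("eth0", 40000, state="ESTABLISHED"),
        "eth2 new smtp": pkt("eth2", 25),
        "eth2 new ssh":  pkt("eth2", 22),
        "eth1 new ssh":  pkt("eth1", 22),
    }
    return {label: evaluate(chain, "DROP", p) for label, p in samples.items()}
```

Running `verdicts(ORIGINAL)` shows the `! -i eth0 -j ACCEPT` rule accepting any NEW connection that arrives on eth2 once eth2 becomes a second internet interface, while `verdicts(PROPOSED)` accepts only the four listed ports there and, as written, also drops NEW connections from eth1 to the router itself (add an `-i eth1` rule if LAN hosts need services on the router).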


anthonysaulnier 01-28-2006 06:51 AM

Ahhhh ok, so you are setting the parameters for eth2 (internal interface) before setting those for eth0, that's clearer and makes more sense to me.

Thanks


Anthony

