need help with iptables and 2 net connections
Ok, some of you may be wondering why I am trying this. I want to set up my router/server with two internet connections.
eth0 is for my highest speed ISP connection, which of course does not allow me to run certain types of servers. eth1 is my internal network connection. eth2 is for my other ISP connection that allows me to run needed servers, but of course is slower. I am looking to use iptables, but the problem is that I have no idea how to block the ports for eth0 and open the required ports for eth2 at the same time. I will need both connections to be active at the same time, with eth0 being my main internet connection. I am using iptables now as a firewall for only a single internet connection and it works fine, but I can't seem to find any information on how to accomplish what I need to. If anyone has any ideas it would be very much appreciated. |
Quote:
I'm not sure HOW you would do it... something about using 80 or some other common port (which the scumbag ISPs CAN'T block!) haha. And what do you mean you have no idea how to block eth0 ports and open eth2's? Are you not familiar with iptables (or some front end GUI like guarddog)? I mean... do you MEAN that you really don't know HOW to do it, or that you don't know WHICH ones would be appropriate? Good luck... lettuce know :] |
It's actually quite simple... you just need to add a match to your rules which specifies the interface the rule applies to. For example, this rule accepts port 80 on every interface:
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
while this one accepts port 80 only on eth1:
Code:
iptables -A INPUT -p tcp -i eth1 --dport 80 -j ACCEPT |
Thanks for your reply Win, yeah I do have some knowledge of iptables (although I'm not an iptables knowledge king), but I don't have any experience using it when you have to set up different firewall settings on multiple interfaces with internet connections. With my current setup, my firewall blocks most incoming traffic into my external NIC unless I request it. For my internal NIC it doesn't block anything.
Somehow the firewall knows what interface represents the internet connection and so it will apply the rules to that interface. Again I do have some knowledge of iptables, but I'm not a knowledge king. I am wondering, when I do add another internet connection interface, in which both will be active at the same time, do I have to somehow tell iptables to monitor both interfaces? Take for example my following script:
Code:
# eth0 is the interface with the internet connection. Notice that I do not have to
# tell iptables to also accept INPUT on eth1, which is currently the internal interface.
iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
chkconfig --level 345 iptables on
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P INPUT DROP
# accept everything that does NOT arrive on eth0 (the older "-i ! eth0" spelling is deprecated)
iptables -A INPUT ! -i eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT ! -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
service iptables save
In a nutshell I want to drop all packets on all internet interfaces that don't qualify. I used to be with Bell Sympatico, who did let me run servers, but they were getting bad with their customer service so I decided to switch to Rogers Cable Internet, which is much faster. I was running email and ssh servers at the time of the switch when Rogers remotely ran a port scanner and found out that I was running these servers, so they shut down my internet connection on me, which sucked. |
if you tell me what type of incoming packets (HTTP/HTTPS, POP3, etc.) you wanna accept on each interface, i'll post a custom-made script for you... :)
|
Yeah I would be looking for SMTP, POP, HTTPS/HTTP. Any ideas that you have would be great. I tried googling my subject but haven't found anything specifically for people who want to run two internet interfaces, although there is lots of other great material.
Thanks, Anthony BTW you can feel free to contact me should you need any help too with other things. |
Okay, so if I'm understanding you right, you want incoming SMTP, POP, and HTTPS/HTTP on eth2, while filtering all incoming connections on eth0... also, you want all traffic coming from boxes hooked up to eth1 (LAN) to be forwarded and masqueraded out through eth0... if that's the case, then this script should do the trick:
Code:
#!/bin/sh
Code:
net.ipv4.ip_forward = 1 |
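Win's script survives on this page only as its first line, so here is an added example (my own, not the script from the thread) that implements the policy as Win restated it above and uses the per-interface `-i` match from Win's earlier reply: inbound SMTP, POP3, HTTP and HTTPS accepted only on eth2, nothing opened on eth0, and the eth1 LAN forwarded and masqueraded out through eth0. The interface names come from the thread; the `ipt` wrapper, the `DRY_RUN` switch and the `apply` argument are my own additions so the rule set can be previewed without root.

```shell
#!/bin/sh
# Added example, not Win's original script.
# Assumed roles (from the thread): eth0 = fast ISP (default route, no servers),
# eth1 = LAN, eth2 = slower ISP that permits inbound services.
# Run as "sh firewall.sh apply" to install, or "DRY_RUN=1 sh firewall.sh apply"
# to print the iptables commands instead of executing them.

WAN_FAST="eth0"   # default route; every inbound connection attempt is dropped here
LAN="eth1"        # trusted internal network
WAN_SRV="eth2"    # the only link on which services are published

# Execute iptables, or just echo the command when DRY_RUN=1 (hypothetical helper).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Forwarding must be on for the LAN to reach the internet through this box.
    [ "${DRY_RUN:-0}" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # Start from a clean slate in both the filter and nat tables.
    ipt -F
    ipt -t nat -F

    # Default-deny for traffic addressed to this host or passing through it;
    # anything not explicitly allowed below is dropped on every interface.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, plus replies belonging to connections that were already accepted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The LAN side is trusted: accept everything arriving on eth1.
    ipt -A INPUT -i "$LAN" -j ACCEPT

    # Services are reachable only via the slower ISP link (eth2):
    # SMTP 25, POP3 110, HTTP 80, HTTPS 443. Only NEW connections need a rule;
    # the ESTABLISHED,RELATED rule above takes care of the rest of each session.
    for port in 25 110 80 443; do
        ipt -A INPUT -i "$WAN_SRV" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # No ACCEPT rule exists for eth0, so the INPUT DROP policy applies to it.
    # A rate-limited log entry makes an external port scan visible in syslog
    # and lets you confirm from the logs that eth0 really is closed.
    ipt -A INPUT -i "$WAN_FAST" -m limit --limit 5/min -j LOG --log-prefix "eth0-drop: "

    # LAN -> fast ISP: forward new connections outbound, only replies inbound,
    # and hide the LAN behind eth0's address.
    ipt -A FORWARD -i "$LAN" -o "$WAN_FAST" -j ACCEPT
    ipt -A FORWARD -i "$WAN_FAST" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_FAST" -j MASQUERADE
}

# Apply only when invoked with "apply"; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Because the default INPUT policy is DROP and the only service rules carry `-i eth2`, a connection to port 25 on eth0's address has no matching ACCEPT and is dropped (and logged), which is exactly the "drop everything that doesn't qualify" behaviour asked for. Note the script does not persist the rules; on a Red Hat style system `service iptables save` as in the earlier post would do that.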
Ahhhh ok, so you are setting the parameters for eth2 (internal interface) before setting those for eth0, that's clearer and makes more sense to me.
Thanks Anthony |