Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-27-2006, 01:45 AM
#1
Member
Registered: Sep 2005
Posts: 136
need help with iptables and 2 net connections
Ok, some of you may be wondering why I am trying this. I want to set up my router/server with two internet connections.
eth0 is for my highest speed ISP connection, which of course does not allow me to run certain types of servers.
eth1 is my internal network connection.
eth2 is for my other ISP connection that allows me to run needed servers, but of course is slower.
I am looking to use iptables, but the problem is that I have no idea how to block the ports for eth0 and open the required ports for eth2 at the same time. I will need both connections to be active at the same time, with eth0 being my main internet connection. I am using iptables now as a firewall for only a single internet connection and it works fine, but I can't seem to find any information on how to accomplish what I need to.
If anyone has any ideas it would be very much appreciated.
01-27-2006, 03:54 PM
#2
Member
Registered: Aug 2005
Location: Anchorage, Alaska (soon EU, hopefully)
Distribution: Anything NOT SystemD (ie. M$) related.
Posts: 918
Quote:
Originally Posted by anthonysaulnier
..eth0 is for my highest speed ISP connection, which of course does not allow me to run certain types of servers. ..
.. but the problem is that I have no idea how to block the ports for eth0 and open the required ports for eth2 at the same time. ..
If anyone has any ideas it would be very much appreciated.
well i know they SAY you can't use servers.. but that's not only their opinion, it is CRAP!
i'm not sure HOW you would do it, .. something about using 80 or some other common port (which the scum bag ISPs CAN'T block!) haha
and what do you mean you have no idea how to block eth0 ports and open eth2's?
are you not familiar with iptables (or some front end gui like guarddog?).
i mean, .. do you MEAN that you really don't know HOW to do it, or that you don't know WHICH ones would be appropriate?
good luck.. lettuce know :]
01-27-2006, 06:43 PM
#3
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
it's actually quite simple... you just need to add a match to your rules which specifies the interface the rule applies to... for example:
Code:
iptables -A INPUT -p TCP --dport 80 -j ACCEPT
this (above) rule would allow all incoming packets destined for tcp port 80 (on all interfaces)... but if you just want the rule to apply to eth1, then you'd just need to add the interface match, like so:
Code:
iptables -A INPUT -p TCP -i eth1 --dport 80 -j ACCEPT
so now the tcp port 80 packets would only get accepted by that rule if they came in through eth1... any packet which did NOT come in through eth1 would not be matched against that rule, so it would continue traversing the chain - and if it doesn't match any rules after that one, it would run into the chain's policy, which hopefully you've set to DROP...
Last edited by win32sux; 01-27-2006 at 06:48 PM.
01-27-2006, 08:59 PM
#4
Member
Registered: Sep 2005
Posts: 136
Original Poster
Thanks for your reply Win, yeah I do have some knowledge of iptables (although I'm not an iptables knowledge king), but I don't have any experience using it when you have to set up different firewall settings on multiple interfaces with internet connections. With my current setup, my firewall blocks most incoming traffic into my external nic unless I request it. For my internal nic it doesn't block anything.
Somehow the firewall knows what interface represents the internet connection and so it will apply the rules to that interface. Again I do have some knowledge of iptables, but I'm not a knowledge king. I am wondering when I do add another internet connection interface, in which both will be active at the same time, do I have to somehow tell iptables to monitor both interfaces.
Take for example my following script:
Code:
#eth0 is the interface with the internet connection. Notice that I do not have to tell iptables to also accept INPUT on eth1, which is currently the internal interface.
iptables -F
echo 1 > /proc/sys/net/ipv4/ip_forward
chkconfig --level 345 iptables on
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P INPUT DROP
# "! -i eth0" is the current negation syntax; older iptables wrote it as "-i ! eth0"
iptables -A INPUT ! -i eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT ! -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
#iptables -A INPUT -p tcp --dport 139 -m state --state NEW -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport 80 -j ACCEPT
service iptables save
In a nutshell I want to drop all packets on all internet interfaces that don't qualify.
I used to be with Bell Sympatico, who did let me run servers, but they were getting bad with their customer service so I decided to switch to Rogers Cable Internet which is much faster. I was running email and ssh servers at the time of the switch when Rogers remotely ran a port scanner and found out that I was running these servers, so they shut down my internet connection on me, which sucked.
01-27-2006, 09:07 PM
#5
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
if you tell me what type of incoming packets (HTTP/HTTPS, POP3, etc.) you wanna accept on each interface, i'll post a custom-made script for you... 
01-27-2006, 11:07 PM
#6
Member
Registered: Sep 2005
Posts: 136
Original Poster
Yeah I would be looking for SMTP, POP, HTTPS/HTTP. Any ideas that you have would be great. I tried googling my subject but haven't found anything specifically for people who want to run two internet interfaces although there is lots of other great material.
Thanks,
Anthony
BTW you can feel free to contact me should you need any help too with other things.
01-28-2006, 05:19 AM
#7
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
okay, so if i'm understanding you right, you want incoming SMTP, POP, and HTTPS/HTTP on eth2, while filtering all incoming connections on eth0... also, you want all traffic coming from boxes hooked-up to eth1 (LAN) to be forwarded and masqueraded out through eth0... if that's the case, then this script should do the trick:
Code:
#!/bin/sh
IPT="/sbin/iptables"
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p TCP -i eth2 --dport 25 \
-m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth2 --dport 110 \
-m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth2 --dport 80 \
-m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth2 --dport 443 \
-m state --state NEW -j ACCEPT
# with FORWARD policy DROP, replies to the LAN's outgoing connections also need a rule
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i eth1 -o eth0 -j ACCEPT
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
you can do an "iptables-save" right after executing the script (and making sure it works properly)... keep in mind that kernel parameter settings, such as rp_filter and ip_forward won't get saved when you do an "iptables-save", so you'd need to edit your sysctl.conf file accordingly... the lines you'd need to set would look like:
Code:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
Last edited by win32sux; 01-28-2006 at 06:18 AM.
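Added example, not code from the thread: a small Python model of how netfilter walks the INPUT chain built by win32sux's script (the interface match from post #3, the per-port rules from post #7), so the verdict for each packet can be checked against the "first match wins, then policy" rule. The FORWARD chain is modelled with only the eth1-to-eth0 rule, which shows why forwarded reply traffic arriving on eth0 needs a stateful rule of its own; interface names and ports are the thread's, the packets are constructed.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    in_if: str              # interface the packet arrived on (-i)
    out_if: str = ""        # outgoing interface, forwarded packets only (-o)
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str
    in_if: str = None       # -i
    out_if: str = None      # -o
    proto: str = None       # -p
    dport: int = None       # --dport
    states: tuple = None    # -m state --state

    def matches(self, p: Packet) -> bool:
        # A field left as None is an unspecified match and matches anything.
        return all([
            self.in_if is None or self.in_if == p.in_if,
            self.out_if is None or self.out_if == p.out_if,
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
            self.states is None or p.state in self.states,
        ])


def traverse(chain, policy, p):
    """The first matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# INPUT chain of the script, in the order the rules are appended.
INPUT = [Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
         Rule("ACCEPT", in_if="lo")]
INPUT += [Rule("ACCEPT", in_if="eth2", proto="tcp", dport=d, states=("NEW",))
          for d in (25, 110, 80, 443)]
# FORWARD chain with only the eth1 -> eth0 rule, to show what a reply needs.
FORWARD = [Rule("ACCEPT", in_if="eth1", out_if="eth0")]

def input_verdict(p: Packet) -> str:
    return traverse(INPUT, "DROP", p)

def forward_verdict(p: Packet) -> str:
    return traverse(FORWARD, "DROP", p)
```

A new SMTP connection on eth2 is accepted, the same packet on eth0 falls through to the DROP policy, and a LAN reply forwarded from eth0 to eth1 is dropped until a state rule is added to FORWARD.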
01-28-2006, 07:51 AM
#8
Member
Registered: Sep 2005
Posts: 136
Original Poster
Ahhhh ok, so you are setting the parameters for eth2 (internal interface) before setting those for eth0, that's clearer and makes more sense to me.
Thanks
Anthony