Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
01-20-2006, 04:02 AM
|
#1
|
LQ Newbie
Registered: Oct 2005
Location: Netherlands
Distribution: Fedora Core 4
Posts: 26
Rep:
|
Please help me with iptables configuration
Hello,
I need to configure a firewall and this I want to do with iptables. Now I need some help with portforwarding on a linux-computer.
The eth0 port resolves it's IP with dhcp and is connected to the internet. No problems with that.
The eth1 is connected to my webserver. I want only port 80 forward to this computer (NAT routing / DMZ zone). The webserver does not need any other service.
IP: 192.168.0.1 (subnet: 255.255.255.248) - Linux (Ubuntu) machine
The eth2 is connected to a (private) lan. Only traffic form these computers to the internet is allowed. The IP of this interface is on the next subnet. So it's ip is 192.168.0.9 and the subnet is the same as the eth1 port.
Can someone please help me to configure this firewall. Thanks in advantage.
|
|
|
01-20-2006, 05:23 PM
|
#2
|
Member
Registered: May 2004
Distribution: FreeBSD 7, Debian "Squeeze", OpenBSD 4.5
Posts: 167
Rep:
|
Gentoo has a good guide on how to do a firewall/router type setup. The steps should apply to any distro using iptables/netfilter.
http://www.gentoo.org/doc/en/home-router-howto.xml
|
|
|
01-20-2006, 06:50 PM
|
#3
|
Senior Member
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291
Rep:
|
you have eth1 and eth2 on the same C class network 192.168.0.1 and 192.168.0.9, put your webserver on different C class network ( e.g. 192.168.1.1 or 192.168.2.1). also set your network ID to 255.255.255.0 not 255.255.255.248 otherwise you will realy stuff up your network.
|
|
|
01-28-2006, 07:18 PM
|
#4
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
this little script i wrote for you should do the trick:
Code:
#!/bin/sh
IPT="/sbin/iptables"
EXT_IFACE="eth0"
DMZ_IFACE="eth1"
LAN_IFACE="eth2"
WEB_SERVER_IP="192.168.FIX.ME"
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p TCP -i $EXT_IFACE -o $DMZ_IFACE \
-d $WEB_SERVER_IP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $LAN_IFACE -o $EXT_IFACE \
-m state --state NEW -j ACCEPT
$IPT -t nat -A PREROUTING -p TCP -i $EXT_IFACE --dport 80 \
-j DNAT --to-destination $WEB_SERVER_IP
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
just my  ... good luck!!!
Last edited by win32sux; 01-28-2006 at 07:22 PM.
|
|
|
01-29-2006, 05:48 AM
|
#5
|
LQ Newbie
Registered: Oct 2005
Location: Netherlands
Distribution: Fedora Core 4
Posts: 26
Original Poster
Rep:
|
Thank you very much. I got some useful information out of the website.
|
|
|
All times are GMT -5. The time now is 02:02 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|