Please help me with iptables configuration

rbm · 01-20-2006, 04:02 AM

Hello,

I need to configure a firewall and this I want to do with iptables. Now I need some help with portforwarding on a linux-computer.

The eth0 port resolves it's IP with dhcp and is connected to the internet. No problems with that.

The eth1 is connected to my webserver. I want only port 80 forward to this computer (NAT routing / DMZ zone). The webserver does not need any other service.
IP: 192.168.0.1 (subnet: 255.255.255.248) - Linux (Ubuntu) machine

The eth2 is connected to a (private) lan. Only traffic form these computers to the internet is allowed. The IP of this interface is on the next subnet. So it's ip is 192.168.0.9 and the subnet is the same as the eth1 port.

Can someone please help me to configure this firewall. Thanks in advantage.

damicatz · 01-20-2006, 05:23 PM

Gentoo has a good guide on how to do a firewall/router type setup. The steps should apply to any distro using iptables/netfilter.

http://www.gentoo.org/doc/en/home-router-howto.xml

fotoguy · 01-20-2006, 06:50 PM

you have eth1 and eth2 on the same C class network 192.168.0.1 and 192.168.0.9, put your webserver on different C class network ( e.g. 192.168.1.1 or 192.168.2.1). also set your network ID to 255.255.255.0 not 255.255.255.248 otherwise you will realy stuff up your network.

win32sux · 01-28-2006, 07:18 PM

this little script i wrote for you should do the trick:

Code:

#!/bin/sh

IPT="/sbin/iptables"

EXT_IFACE="eth0"
DMZ_IFACE="eth1"
LAN_IFACE="eth2"

WEB_SERVER_IP="192.168.FIX.ME"

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -p TCP -i $EXT_IFACE -o $DMZ_IFACE \
-d $WEB_SERVER_IP --dport 80 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -i $LAN_IFACE -o $EXT_IFACE \
-m state --state NEW -j ACCEPT

$IPT -t nat -A PREROUTING -p TCP -i $EXT_IFACE --dport 80 \
-j DNAT --to-destination $WEB_SERVER_IP

$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward

just my

... good luck!!!

rbm · 01-29-2006, 05:48 AM

Thank you very much. I got some useful information out of the website.