LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-20-2006, 05:02 AM   #1
rbm
LQ Newbie
 
Registered: Oct 2005
Location: Netherlands
Distribution: Fedora Core 4
Posts: 26

Rep: Reputation: 15
Please help me with iptables configuration


Hello,

I need to configure a firewall and this I want to do with iptables. Now I need some help with portforwarding on a linux-computer.

The eth0 port resolves it's IP with dhcp and is connected to the internet. No problems with that.

The eth1 is connected to my webserver. I want only port 80 forward to this computer (NAT routing / DMZ zone). The webserver does not need any other service.
IP: 192.168.0.1 (subnet: 255.255.255.248) - Linux (Ubuntu) machine

The eth2 is connected to a (private) lan. Only traffic form these computers to the internet is allowed. The IP of this interface is on the next subnet. So it's ip is 192.168.0.9 and the subnet is the same as the eth1 port.

Can someone please help me to configure this firewall. Thanks in advantage.
 
Old 01-20-2006, 06:23 PM   #2
damicatz
Member
 
Registered: May 2004
Distribution: FreeBSD 7, Debian "Squeeze", OpenBSD 4.5
Posts: 167

Rep: Reputation: 30
Gentoo has a good guide on how to do a firewall/router type setup. The steps should apply to any distro using iptables/netfilter.

http://www.gentoo.org/doc/en/home-router-howto.xml
 
Old 01-20-2006, 07:50 PM   #3
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,285

Rep: Reputation: 61
you have eth1 and eth2 on the same C class network 192.168.0.1 and 192.168.0.9, put your webserver on different C class network ( e.g. 192.168.1.1 or 192.168.2.1). also set your network ID to 255.255.255.0 not 255.255.255.248 otherwise you will realy stuff up your network.
 
Old 01-28-2006, 08:18 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377Reputation: 377Reputation: 377Reputation: 377
this little script i wrote for you should do the trick:

Code:
#!/bin/sh

IPT="/sbin/iptables"

EXT_IFACE="eth0"
DMZ_IFACE="eth1"
LAN_IFACE="eth2"

WEB_SERVER_IP="192.168.FIX.ME"

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -p TCP -i $EXT_IFACE -o $DMZ_IFACE \
-d $WEB_SERVER_IP --dport 80 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -i $LAN_IFACE -o $EXT_IFACE \
-m state --state NEW -j ACCEPT

$IPT -t nat -A PREROUTING -p TCP -i $EXT_IFACE --dport 80 \
-j DNAT --to-destination $WEB_SERVER_IP

$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward
just my ... good luck!!!

Last edited by win32sux; 01-28-2006 at 08:22 PM.
 
Old 01-29-2006, 06:48 AM   #5
rbm
LQ Newbie
 
Registered: Oct 2005
Location: Netherlands
Distribution: Fedora Core 4
Posts: 26

Original Poster
Rep: Reputation: 15
Thank you very much. I got some useful information out of the website.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables configuration help mousie Linux - Security 2 09-01-2005 02:57 PM
iptables configuration props666999 Linux - Security 3 08-28-2005 03:32 PM
iptables configuration help Alien#007 Linux - Networking 1 08-12-2005 02:32 PM
iptables configuration tungaw2001 Linux - Networking 2 04-15-2004 04:01 PM
iptables configuration know Linux - Networking 2 05-25-2003 05:55 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:27 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration