LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

06-06-2003, 05:49 PM   #1
dulaus (LQ Newbie, registered Sep 2002, Ottawa)
Port forward blocking internal LAN clients


Hi...

I have a script that forwards port 80 from the Linux (Mandrake box) outside IP to an internal IIS web server. It works well, but the problem is I can't see what I develop from my workstations on the internal network. I can resolve things by using (http://192.168.0.2/directory/etc), but that doesn't help with dynamic content, as database-stored paths and a host of other things do not resolve.

I think another rule excluding my internal network may solve this, but I am not very good at solving this problem yet.

Thanks...

(rc.firewall)

#!/bin/sh
# Mandrake-Security : if you remove this comment, remove the next line too.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Forward inbound HTTP on the public ppp0 address to the internal IIS server.
iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 205.150.252.22 --dport 80 -j DNAT --to 192.168.0.2:80
iptables -A FORWARD -i ppp0 -o eth1 -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
# Source-NAT only what leaves on ppp0. Without "-o ppp0" this rule also rewrote
# packets leaving on eth1, including the firewall's own LAN traffic.
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source 205.150.252.22

# Drop NetBIOS (137-139) arriving from the internet.
iptables -A INPUT -i ppp0 -p tcp -d 205.150.252.22 --dport 137:139 -j DROP
iptables -A FORWARD -i ppp0 -p tcp -d 205.150.252.22 --dport 137:139 -j DROP
iptables -A INPUT -i ppp0 -p udp -d 205.150.252.22 --dport 137:139 -j DROP
iptables -A FORWARD -i ppp0 -p udp -d 205.150.252.22 --dport 137:139 -j DROP
# Drop NetBIOS leaving towards the internet, whatever the destination. The
# original "-d 205.150.252.22" on these four rules never matched: nothing
# leaving via ppp0 is addressed to the firewall's own ppp0 address.
iptables -A FORWARD -o ppp0 -p tcp --dport 137:139 -j DROP
iptables -A OUTPUT -o ppp0 -p tcp --dport 137:139 -j DROP
iptables -A FORWARD -o ppp0 -p udp --dport 137:139 -j DROP
iptables -A OUTPUT -o ppp0 -p udp --dport 137:139 -j DROP
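Why the workstations cannot reach the site by its public address: the DNAT rule in rc.firewall matches only packets arriving on ppp0. A LAN client's SYN to 205.150.252.22 arrives on eth1, is delivered to the firewall itself, and is never rewritten. The script below is an added example of hairpin NAT (NAT loopback), not part of the original post or of rc.firewall. It takes eth1 as the LAN interface (from the FORWARD rule in the post) and the public and server addresses from the script; the LAN network 192.168.0.0/24 and the variable and function names (IPT, WAN_IF, LAN_IF, LAN_NET, PUBLIC_IP, SERVER_IP, PORT, hairpin_rules) are assumptions introduced here.

```shell
#!/bin/sh
# Hairpin NAT (NAT loopback): let LAN clients reach the published server through
# the public address. Added example; the values below are assumed defaults.
WAN_IF=${WAN_IF:-ppp0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
PUBLIC_IP=${PUBLIC_IP:-205.150.252.22}
SERVER_IP=${SERVER_IP:-192.168.0.2}
PORT=${PORT:-80}
# Set IPT="echo iptables" to preview the rules without root.
IPT=${IPT:-iptables}

hairpin_rules() {
    # 1. A LAN client's packet for PUBLIC_IP:PORT arrives on LAN_IF, not WAN_IF,
    #    so the existing "-i ppp0" DNAT never sees it. Rewrite it here. The
    #    source and destination matches keep this from becoming a generic
    #    forwarder: only LAN hosts, only this public address and port.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER_IP:$PORT"
    # 2. The rewritten packet is forwarded back out the same interface.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER_IP" \
        -p tcp --dport "$PORT" -j ACCEPT
    # 3. Without this the server answers the client directly from SERVER_IP;
    #    the client expects the SYN-ACK from PUBLIC_IP, has no socket for it,
    #    and sends a RST, so the handshake never completes. Masquerading to the
    #    firewall's LAN address forces the reply back through the firewall,
    #    where conntrack undoes both translations. Cost: the IIS logs show
    #    the firewall's LAN address instead of the client's.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER_IP" \
        -p tcp --dport "$PORT" -j MASQUERADE
}

# Usage: sh hairpin.sh preview   (prints the rules)
#        sh hairpin.sh apply     (installs them; run as root)
case "${1:-}" in
    preview) IPT="echo iptables"; hairpin_rules ;;
    apply)   hairpin_rules ;;
esac
```

Append these rules after the existing port-forward rules. If the FORWARD policy is DROP rather than the default ACCEPT, the return traffic also needs a rule such as `iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`. Check the result from a workstation with `telnet 205.150.252.22 80` and watch the translation with `cat /proc/net/ip_conntrack` on the firewall.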
 
06-06-2003, 07:38 PM   #2
peter_robb (Senior Member, registered Feb 2002, Szczecin, Poland; Gentoo, Debian)
Try using dnsmasq and putting the name entries you want to resolve in the /etc/hosts file.

Then ask everyone to use the firewall as their DNS server, or place a redirect rule in the PREROUTING chain, e.g.
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT

Last edited by peter_robb; 06-06-2003 at 07:41 PM.
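The split-DNS approach in concrete form, as an added example that is neither peter_robb's nor dulaus's own configuration: dnsmasq on the firewall answers the site's names with the server's LAN address and forwards everything else upstream, and a REDIRECT rule catches LAN clients that still point at an outside resolver. The LAN interface is taken as eth1 (the interface in the first post's FORWARD rule; peter_robb's rule uses eth0, so substitute yours), www.example.com and example.com are placeholders for the site's real names, and the function and variable names (write_dnsmasq_config, dns_redirect_rules, LAN_IF, SERVER_IP, SITE_NAMES, IPT) are introduced here.

```shell
#!/bin/sh
# Split DNS for the LAN: dnsmasq on the firewall resolves the published site's
# names to the internal server; LAN queries to any resolver are redirected to it.
# Added example; the names and paths below are assumptions, not from the thread.
LAN_IF=${LAN_IF:-eth1}
SERVER_IP=${SERVER_IP:-192.168.0.2}
# Placeholder names for the hosted site; replace with the real ones.
SITE_NAMES=${SITE_NAMES:-"www.example.com example.com"}
IPT=${IPT:-iptables}

# write_dnsmasq_config DIR: writes DIR/dnsmasq.conf and DIR/dnsmasq.hosts
# (DIR is /etc in production; pass a temporary directory to inspect the output).
write_dnsmasq_config() {
    dir=$1
    # A separate hosts file keeps the site names out of /etc/hosts, so the
    # firewall's own name resolution is unaffected.
    printf '%s %s\n' "$SERVER_IP" "$SITE_NAMES" > "$dir/dnsmasq.hosts"
    cat > "$dir/dnsmasq.conf" <<EOF
# Listen on the LAN side only. Without this dnsmasq also answers on ppp0,
# which makes the firewall an open resolver usable for reflection attacks.
interface=$LAN_IF
bind-interfaces
# Site names answered locally from this file; everything else is forwarded
# to the upstream servers listed in /etc/resolv.conf.
addn-hosts=$dir/dnsmasq.hosts
# Never forward bare hostnames or reverse lookups for private ranges upstream.
domain-needed
bogus-priv
EOF
}

# dns_redirect_rules: transparently send LAN DNS queries to the local dnsmasq,
# whatever resolver the client is configured with. TCP 53 is included because
# resolvers retry over TCP when a UDP answer is truncated.
dns_redirect_rules() {
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            -j REDIRECT --to-ports 53
    done
}

# Usage: sh splitdns.sh preview   (writes config to a temp dir, prints rules)
#        sh splitdns.sh apply     (writes /etc config, installs rules; as root)
case "${1:-}" in
    preview) d=$(mktemp -d); write_dnsmasq_config "$d"; cat "$d/dnsmasq.conf"
             IPT="echo iptables"; dns_redirect_rules ;;
    apply)   write_dnsmasq_config /etc; dns_redirect_rules ;;
esac
```

With dnsmasq installed, `dnsmasq --test -C /etc/dnsmasq.conf` checks the syntax before you restart the service, and `host www.example.com 192.168.0.1` from a workstation (substituting the firewall's LAN address) should return 192.168.0.2. Note that LAN clients then talk to the server directly, so this path exercises neither the port forward nor any hairpin rules; test those separately from outside.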
 
  

