iptables


Date: Tue, 18 Sep 2001 12:50:57 +0200
From: Thomas Kirk <thomas@arkena.com>
To: focus-linux@securityfocus.com
Subject: iptables
Message-ID: <20010918125057.B22980@mmstreaming.dk>

Hey there list members,

First of all, let me point out that I'm a newbie on iptables and
security in general. I'm writing to this list because I managed to
build a firewall using Linux 2.4.9 and iptables 1.2.2. The gateway has five
interfaces: one on the outside WAN and four on the inside LAN. I'm
running DHCP on all the LAN interfaces, supplying the different nets
with a connection to the internet.

Setup :
                                
                                        +------>192.168.10.x
                                        |
                                        |------>192.168.11.x
Internet->Gateway(running iptables etc)-|
                                        |------>192.168.12.x
                                        |
                                        +------>192.168.13.x
                                        
Since I'm not very good with iptables yet, I've found a firewall script
that will set up the most basic rules for what to DENY and what to
ACCEPT. The script also sets up basic NAT between the outside and
inside interfaces. I've put a copy of the rules at the end of the mail. Now
my question is: sometimes I need to connect from the inside and from
the outside into my firewall via ssh (not root!). How is this done? Right
now I can't connect to the server from either side.

iptables rules:

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp   # needed only if you plan on using FTP

# Set the default policies - the default action of each built-in chain.
# INPUT and FORWARD drop anything no later rule accepts; OUTPUT is open.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Block all new connections unless initiated from the "protected" network.
# (eth0 is the outside interface; "-i ! eth0" is the iptables 1.2 spelling
# of "any interface except eth0".)

iptables -N state_chk
iptables -A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A state_chk -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A state_chk -j DROP

# Jump to the state_chk chain from the INPUT and FORWARD chains. Because
# state_chk ends in DROP, a rule appended to INPUT after this jump is never
# reached by a packet that state_chk has dropped.

iptables -A INPUT -j state_chk
iptables -A FORWARD -j state_chk

# Masquerade connections - only needed on the firewall box if you have an
# internal network that you wish to route traffic to and from the Internet.
# Enable IP forwarding between the interfaces - remember to disable this if
# you're going to unload the iptables rules.

echo "1" > /proc/sys/net/ipv4/ip_forward

# Load the NAT modules - needed only if you compiled them as modules

modprobe iptable_nat
modprobe ip_nat_ftp         # needed only if you plan on using FTP

# Enable IP masquerading - use if your eth0 has a dynamic IP address. For a
# static IP, source NAT (below) is recommended instead. Use one of the two
# POSTROUTING rules, not both.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Enable source NAT - use if your eth0 has a static IP address. Replace
# ip_address_of_eth0 with that address.

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip_address_of_eth0

Thanks in advance

--
Venlig hilsen/Kind regards
Thomas Kirk
ARKENA
thomas@arkena.com
http://www.arkena.com

"I'm an idiot.. At least this one [bug] took about 5 minutes to find.."
(Linus Torvalds in response to a bug report.)

> I'm an idiot.. At least this [bug] took about 5 minutes to find..
Disquieting ...
(Gonzalo Tornaria in response to Linus Torvalds's mailing about a kernel bug.)

> I'm an idiot.. At least this [bug] took about 5 minutes to find..
We need to find some new terms to describe the rest of us mere mortals
then.
(Craig Schlenter in response to Linus Torvalds's mailing about a kernel bug.)

> I'm an idiot.. At least this [bug] took about 5 minutes to find..
Surely, Linus is talking about the kind of idiocy that others aspire to :-).
(Bruce Perens in response to Linus Torvalds's mailing about a kernel bug.)
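The change the question asks for, as an added example (this is not part of Thomas's mail, nor of the firewall script he quotes, nor a reply from the list): the same rule set, rewritten as a re-runnable script with explicit ACCEPT rules for ssh to the gateway itself. The assumptions are eth0 as the outside interface (as in the post), sshd listening on 22/tcp, and a made-up admin range 203.0.113.0/24 as the only outside network allowed to ssh in. The script only prints the iptables commands unless APPLY=1 is set, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original post: the posted rule set plus ssh
# access to the gateway. eth0 as WAN, port 22 and 203.0.113.0/24 are
# assumptions for illustration.
WAN_IF=${WAN_IF:-eth0}                   # outside interface (as in the post)
SSH_PORT=${SSH_PORT:-22}
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}   # constructed: outside range allowed to ssh in
WAN_IP=${WAN_IP:-}                        # set to eth0's static address to use SNAT

# Dry run by default: print the commands instead of loading them.
if [ "${APPLY:-0}" = 1 ]; then
    IPT=iptables; MODPROBE=modprobe
else
    IPT="echo iptables"; MODPROBE="echo modprobe"
fi

load_modules() {
    $MODPROBE ip_tables
    $MODPROBE ip_conntrack
    $MODPROBE ip_conntrack_ftp   # only if FTP must pass through the box
    $MODPROBE iptable_nat
    $MODPROBE ip_nat_ftp
}

filter_rules() {
    # Flush and delete user chains first so the script can be run again.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback: local daemons talking to each other.
    $IPT -A INPUT -i lo -j ACCEPT

    # ssh to the gateway itself. These must be appended BEFORE the jump to
    # state_chk: that chain ends in DROP, so an INPUT rule placed after the
    # jump never sees a packet state_chk has already dropped.
    # "-i ! eth0" is the iptables 1.2 negation syntax used in the post;
    # newer releases spell it "! -i eth0".
    $IPT -A INPUT -i ! "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -s "$ADMIN_NET" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Other outside ssh attempts: log (rate-limited), then fall through to DROP.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m limit --limit 5/minute -j LOG --log-prefix "ssh-denied: "

    # The post's state_chk chain, unchanged: replies to accepted connections
    # and anything started from the LAN side get through, the rest is dropped.
    $IPT -N state_chk
    $IPT -A state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A state_chk -m state --state NEW -i ! "$WAN_IF" -j ACCEPT
    $IPT -A state_chk -j DROP
    $IPT -A INPUT -j state_chk
    $IPT -A FORWARD -j state_chk
}

nat_rules() {
    # One POSTROUTING rule, not both: SNAT when the outside address is
    # static and known, MASQUERADE when it is dynamic.
    $IPT -t nat -F
    if [ -n "$WAN_IP" ]; then
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    else
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    fi
}

enable_forwarding() {
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

main() {
    load_modules
    filter_rules
    nat_rules
    enable_forwarding
}
main
```

Run `sh fw.sh` to review the commands, `APPLY=1 sh fw.sh` as root to load them, and `WAN_IP=<eth0 address> APPLY=1 sh fw.sh` to use SNAT instead of MASQUERADE. The "not root" part of the question is not something iptables can enforce; that is `PermitRootLogin no` in sshd_config, and the outside ACCEPT rule should stay narrowed to the networks the admin really logs in from.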
