iptables problem (two network interfaces)
From: crowl (crowl_at_gmx.de)
Date: 07/01/04
Date: 1 Jul 2004 07:17:40 -0700
My lab:
Internet - PIX - DMZ - Debian box with two network cards - Intranet
PIX IP: 192.168.0.10
Debian eth0 IP: 192.168.0.11
Debian eth1 IP: 172.19.0.11
The Debian box should separate the internet/DMZ from the local LAN
(intranet). iptables should work as the firewall. All traffic from LAN ->
internet should be allowed. All traffic from internet -> LAN should be
blocked except established connections opened from the LAN side.
I have an iptables script, but it seems that I have misconfigured
something. If I try to ping a website or make a POP3 request to my
internet provider from my machine inside the LAN (IP 172.19.1.55), I
get no answer. SSH access to the Debian box is working.
Here is my script; hopefully someone can help me figure out my
mistake. Thanks in advance.
#!/bin/sh
# intranet
IFACE_INT=eth1
# internet
IFACE_EXT=eth0
# loopback
IFACE_LO=lo
# flush filters
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# accept ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# enable ip-Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# *** INPUT ***
# loopback: with an INPUT policy of DROP, local services (resolver etc.)
# cannot reach each other unless lo is accepted explicitly (this rule was
# missing in the original script)
iptables -A INPUT -i $IFACE_LO -j ACCEPT
# allow all from intranet
iptables -A INPUT -i $IFACE_INT -j ACCEPT
# no internet connection with a local ip!
# (the RFC 1918 block is 172.16.0.0/12, not /16; the script had /16, which
# only covers 172.16.x.x; 192.168.0.0/16 is not listed here because the
# DMZ side, including the PIX, uses 192.168.0.0/24)
iptables -A INPUT -i $IFACE_EXT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFACE_EXT -s 172.16.0.0/12 -j DROP
# allow established internet connection
iptables -A INPUT -i $IFACE_EXT -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# *** FORWARD ***
# intranet -> internet allow all
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -j ACCEPT
# internet -> intranet only if for established connection
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# *** OUTPUT ***
# intranet
iptables -A OUTPUT -o $IFACE_INT -j ACCEPT
# loopback
iptables -A OUTPUT -o $IFACE_LO -j ACCEPT
# internet
iptables -A OUTPUT -o $IFACE_EXT -j ACCEPT
# Masquerading: source-NAT everything leaving eth0 to eth0's address
iptables -t nat -A POSTROUTING -o $IFACE_EXT -j MASQUERADE
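As an added illustration that is not part of the original post or thread: a small Python model that replays the posted chains (first matching rule wins, otherwise the chain policy) over a few constructed packets. It is not iptables and does no connection tracking of its own; the conntrack state is simply supplied per packet, and the interface names and prefixes are those from the post. Walking the rules this way shows that the filter as posted does forward LAN -> internet and refuses new internet -> LAN connections, but also that loopback INPUT is dropped and that the 172.16.0.0/16 anti-spoof rule leaves most of 172.16.0.0/12 uncovered.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, simplified model of the rule set as posted (this is not
# iptables; it only replays first-match chain walking over the same rules).
# Interface names and prefixes are the ones from the post.
IFACE_INT, IFACE_EXT = "eth1", "eth0"

@dataclass
class Rule:
    chain: str
    target: str
    in_if: str = None      # -i
    out_if: str = None     # -o
    src: str = None        # -s CIDR
    dport: int = None      # --dport (tcp only in the post)
    states: tuple = ()     # -m state --state ...

POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}
RULES = [
    Rule("INPUT", "ACCEPT", dport=22),
    Rule("INPUT", "ACCEPT", in_if=IFACE_INT),
    Rule("INPUT", "DROP", in_if=IFACE_EXT, src="10.0.0.0/8"),
    Rule("INPUT", "DROP", in_if=IFACE_EXT, src="172.16.0.0/16"),  # /16 as posted
    Rule("INPUT", "ACCEPT", in_if=IFACE_EXT, states=("ESTABLISHED", "RELATED")),
    Rule("FORWARD", "ACCEPT", in_if=IFACE_INT, out_if=IFACE_EXT),
    Rule("FORWARD", "ACCEPT", in_if=IFACE_EXT, out_if=IFACE_INT,
         states=("ESTABLISHED", "RELATED")),
    Rule("OUTPUT", "ACCEPT", out_if=IFACE_INT),
    Rule("OUTPUT", "ACCEPT", out_if="lo"),
    Rule("OUTPUT", "ACCEPT", out_if=IFACE_EXT),
]

def matches(rule, in_if, out_if, src, dport, state):
    # A None/empty field on the rule means "any", like an omitted iptables option.
    if rule.in_if and rule.in_if != in_if:
        return False
    if rule.out_if and rule.out_if != out_if:
        return False
    if rule.src and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dport and rule.dport != dport:
        return False
    if rule.states and state not in rule.states:
        return False
    return True

def verdict(chain, in_if=None, out_if=None, src="0.0.0.0", dport=None,
            state="NEW", rules=RULES):
    """Walk one chain: first matching rule wins, otherwise the chain policy."""
    for rule in rules:
        if rule.chain == chain and matches(rule, in_if, out_if, src, dport, state):
            return rule.target
    return POLICY[chain]
```

Comparing the verdict for a 172.20.x.x source on eth0 against one for 172.16.x.x makes the /16 gap visible; checking INPUT on lo shows why a loopback accept rule is needed with a DROP policy.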