3 nic cards and iptables
From: SHALLAM (SHALLAMUK_at_YAHOO.CO.UK)
Date: 10/24/05
- Next message: James Knott: "Re: subnetmask and IP address"
- Previous message: Raqueeb Hassan: "Re: monitoring behind nat?"
- Next in thread: Chris Lowth: "Re: 3 nic cards and iptables"
- Reply: Chris Lowth: "Re: 3 nic cards and iptables"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 24 Oct 2005 04:07:59 -0700
Hi, new to groups so bear with me.
Got a Red Hat 8 server, 3 network cards, using iptables and NAT and masquerading.
Can get eth0 (internal facing network card) and eth1 (external network card) working fine.
Need to add eth2 as a second external facing card to allow only two internal IP addresses (from the same range of addresses that use eth1) to access the internet with masquerading.
iptables as follows:
# Firewall Gateway system IP address is 10.2.*.* using Ethernet device eth1
# Firewall Gateway system IP address is 10.65.*.* using Ethernet device eth2
# Private network address is 172.16.0.0 using Ethernet device eth0
# turn off IP forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# Flush chain rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# set default (policy) rules
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# IP spoofing, deny any packets on the internal network that have an
# external source address.
# iptables -A INPUT -j LOG -i eth0 ! -s 172.16.0.0/24
# iptables -A INPUT -j DROP -i eth0 ! -s 172.16.0.0/24
# iptables -A FORWARD -j DROP -i eth0 ! -s 172.16.0.0/24
# IP spoofing, deny any outside packets (any not on eth0) that have
# the source address of the internal network
# (a source given without a mask matches only the single host 172.16.0.0,
# so the /24 used by the rest of this script is written out explicitly)
iptables -A INPUT -j DROP ! -i eth0 -s 172.16.0.0/24
iptables -A FORWARD -j DROP ! -i eth0 -s 172.16.0.0/24
# IP spoofing, deny any outside packets with localhost address
# (packets not on the lo interface (any on eth0 or eth1) that have the
# source address of localhost)
iptables -A INPUT -j DROP ! -i lo -s 127.0.0.0/255.0.0.0
iptables -A FORWARD -j DROP ! -i lo -s 127.0.0.0/255.0.0.0
# allow all incoming messages for users on your firewall system
# iptables -A INPUT -j ACCEPT -i lo
# allow established and related outside communication to your system
# allow outside communication to the firewall, except for ICMP packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth1 ! -p icmp -j ACCEPT
# prevent outside initiated connections
iptables -A INPUT -m state --state NEW -i eth1 -j DROP
iptables -A FORWARD -m state --state NEW -i eth1 -j DROP
# allow all local communication to and from the firewall on eth0 from
# the local network
iptables -A INPUT -j ACCEPT -p all -i eth0 -s 172.16.0.0/24
# set up masquerading to allow internal machines access to outside network
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Accept ICMP ping (0 and 8) and Destination unreachable (3) messages
# Others will be rejected by INPUT and OUTPUT DROP policy
iptables -A INPUT -j ACCEPT -p icmp -i eth1 --icmp-type echo-reply -d 10.*.*.*
iptables -A INPUT -j ACCEPT -p icmp -i eth1 --icmp-type echo-request -d 10.*.*.*
iptables -A INPUT -j ACCEPT -p icmp -i eth1 --icmp-type destination-unreachable -d 10.*.*.*
# Turn on IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Tried adding the following lines but it would not work:
# set up masquerading to allow a specified machine access to the
# outside network on second card
# (the -j target has to come before its --to-* option, and the interface
# match ties each rule to the second card)
iptables -t nat -A PREROUTING -i eth2 -d 10.*.*.* -j DNAT --to-destination 172.16.2.107
iptables -t nat -A POSTROUTING -o eth2 -s 172.16.2.107 -j SNAT --to-source 10.*.*.*
Anyone able to help?
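A small sanity check for the address matches in a rule set like the one in this post, added here as an example and not part of the original message or the poster's script: it parses the -s/-d arguments of each iptables command with Python's ipaddress module, flags a source network written without a mask (iptables treats it as a single /32 host, which defeats the anti-spoof rules above), and reports when a source network meant to cover the internal LAN does not contain a host the script refers to elsewhere, such as 172.16.2.107. The rule lines are constructed to mirror the post, and the 10.*.*.* wildcards are the poster's redaction and are skipped.

```python
import ipaddress
import shlex

# Constructed sample rules modelled on the post (not the poster's exact script).
# The 10.*.*.* wildcards are the poster's redaction; the parser skips them.
RULES = """
iptables -A INPUT -j DROP ! -i eth0 -s 172.16.0.0
iptables -A FORWARD -j DROP ! -i eth0 -s 172.16.0.0
iptables -A INPUT -j ACCEPT -p all -i eth0 -s 172.16.0.0/24
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -s 172.16.2.107 -j SNAT --to-source 10.*.*.*
""".strip().splitlines()

ADDR_OPTS = {"-s", "--source", "-d", "--destination"}


def address_matches(line):
    """Return [(option, raw_text, ip_network)] for every -s/-d match in a rule."""
    toks = shlex.split(line)
    found = []
    for i, tok in enumerate(toks):
        if tok in ADDR_OPTS and i + 1 < len(toks):
            raw = toks[i + 1]
            try:
                net = ipaddress.ip_network(raw, strict=False)
            except ValueError:
                continue  # redacted or malformed value such as 10.*.*.*
            found.append((tok, raw, net))
    return found


def lint_rules(lines, internal_hosts):
    """Flag the two address mistakes visible in the post's rule set."""
    findings = []
    for line in lines:
        for opt, raw, net in address_matches(line):
            # A bare network address (x.y.z.0 with no /mask) is a /32 host
            # match, so an anti-spoof rule written this way blocks almost nothing.
            if "/" not in raw and net.prefixlen == 32 and raw.endswith(".0"):
                findings.append(f"no mask, matches only host {raw}: {line}")
            # A source network meant to cover "the internal network" should
            # contain every internal host the rest of the script refers to.
            if opt in ("-s", "--source") and net.prefixlen < 32:
                for host in internal_hosts:
                    if ipaddress.ip_address(host) not in net:
                        findings.append(f"{host} is outside {raw}: {line}")
    return findings


if __name__ == "__main__":
    for finding in lint_rules(RULES, ["172.16.2.107"]):
        print(finding)
```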