Re: iptables - newbie
- From: Robby Workman <newsgroups@xxxxxxxxxxxxx>
- Date: Fri, 06 Jan 2006 06:20:25 GMT
On 2006-01-06, explodingGo4@xxxxxxxxx <explodingGo4@xxxxxxxxx> wrote:
> Bear with me if I'm not using the terminology correctly, but I'm new to
> linux and firewalls.
> I have been using Linux Firewalls, 3rd Edition. Good book, but not good for
> copying the iptables scripts: lots of missing or incorrect info.
It's a good book - hang in there and give it some time -- it will all
come together soon enough...
> I have an internal lan that I'd like to protect with iptables.
> eth0=internet and eth1 connects to my LAN. I'd like to default the
> routing to pass only specific ports. Let's say 80. Masquerading with
> NAT passes everything. Can someone point me to a resource that
> explains the code in plain English?
I would normally direct you to Oskar Andreasson's tutorial at frozentux,
but it's been down for a few weeks. I have a mirror of an older version
at http://iptables.rlworkman.net - read through it completely.
> Here is what I have, it appears using TCPDump, data is passed from eth0
> to eth1, but not back to the workstation that requested it. I assume
> this is called a choke firewall, per the book.... <SNIPPED>
I would suggest starting with something simple, with very little actual
filtering - get that working properly, and then you can worry about
tightening it.
What you're wanting will require filtering in the FORWARD chain of the
filter table.
Try this:
#!/bin/bash
# Set variables
IPT=/usr/sbin/iptables
INT_IF=eth0 # Internet-facing NIC
LAN_IF=eth1 # LAN-facing NIC
LAN_IPRANGE=192.168.0.0/24 # IP Range of LAN
PRIV_IP=x.x.x.x # Private IP address (LAN) of gateway
PUBLIC_IP=x.x.x.x # Public IP Address of gateway
# Flush any existing rules so re-running the script does not append duplicates
$IPT -F
$IPT -t nat -F
# Set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Turn off packet forwarding until all rules are applied
echo 0 > /proc/sys/net/ipv4/ip_forward
# Allow all traffic on loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Allow all packets of established connections and those related to
# established connections. Not restricted to one interface: the SSH rule
# below only matches the first SYN, so the rest of the session arriving
# on $LAN_IF has to be accepted here.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH from LAN (--sport/--dport/--syn all require -p tcp)
$IPT -A INPUT -i $LAN_IF -p tcp -s $LAN_IPRANGE --sport 1024:65535 \
-d $PRIV_IP --dport 22 -m state --state NEW --syn -j ACCEPT
# Allow all traffic destined for the internet to leave the LAN
# (goes through FORWARD chain)
$IPT -A FORWARD -i $LAN_IF -s $LAN_IPRANGE -o $INT_IF -j ACCEPT
# Allow all valid return traffic for the LAN
$IPT -A FORWARD -i $INT_IF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# SNAT the traffic leaving the LAN
$IPT -t nat -A POSTROUTING -s $LAN_IPRANGE -j SNAT --to-source $PUBLIC_IP
# Turn on packet forwarding now that all rules are applied
echo 1 > /proc/sys/net/ipv4/ip_forward
I did this from memory, so if I missed something obvious, please excuse
me - I'm sure someone will point it out :-)
RW
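The original question was about forwarding only specific ports (80, for instance) rather than everything the LAN sends. The script below is an added example, not part of Robby's post: it replaces the two FORWARD lines above with a per-port whitelist, drops INVALID state, and logs what the default DROP policy is about to discard. The eth0/eth1 names, the 192.168.0.0/24 range and the 203.0.113.10 public address are assumptions; setting IPT to "echo iptables" prints the rules instead of applying them, so the rule set can be checked without root before it touches a live gateway.

```bash
#!/bin/sh
# Added example: LAN -> Internet forwarding restricted to a port whitelist.
# Assumed interface names, LAN range and public address; adjust for your box.
# Dry run: IPT="echo iptables" prints every rule instead of applying it.
IPT="${IPT:-/usr/sbin/iptables}"
INT_IF="${INT_IF:-eth0}"                      # Internet-facing NIC
LAN_IF="${LAN_IF:-eth1}"                      # LAN-facing NIC
LAN_IPRANGE="${LAN_IPRANGE:-192.168.0.0/24}"  # LAN range (assumed)
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"        # public IP (RFC 5737 example)
# TCP destination ports the LAN may reach on the Internet, space-separated
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 443}"

forward_rules() {
    # Default deny: every ACCEPT below is an explicit exception.
    $IPT -P FORWARD DROP
    # Packets conntrack cannot place in any connection (stray ACKs, bad seq)
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # Replies for connections already permitted below, Internet -> LAN only
    $IPT -A FORWARD -i "$INT_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New outbound TCP connections, one rule per whitelisted port
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$INT_IF" -s "$LAN_IPRANGE" \
            -p tcp --dport "$port" -m state --state NEW --syn -j ACCEPT
    done
    # DNS so the web is usable; UDP has no SYN, so only the NEW state matches
    $IPT -A FORWARD -i "$LAN_IF" -o "$INT_IF" -s "$LAN_IPRANGE" \
        -p udp --dport 53 -m state --state NEW -j ACCEPT
    # Rate-limited log of whatever falls through to the DROP policy
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

nat_rules() {
    # NAT is decided in the nat table only after FORWARD has accepted the packet,
    # so SNAT cannot widen what the filter above allows.
    $IPT -t nat -A POSTROUTING -s "$LAN_IPRANGE" -o "$INT_IF" \
        -j SNAT --to-source "$PUBLIC_IP"
}

case "${1:-}" in
    apply)
        echo 0 > /proc/sys/net/ipv4/ip_forward   # no forwarding until rules exist
        forward_rules
        nat_rules
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
    dryrun)
        IPT="echo iptables"
        forward_rules
        nat_rules
        ;;
esac
```

`sh fw.sh dryrun` prints the rule set for review; `sh fw.sh apply`, as root, installs it and then enables forwarding. If you combine this with the script above, drop its two FORWARD lines and keep its INPUT rules, since this example only covers the FORWARD chain and NAT.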