From: "Ian Hunter" <ihunter@hunterweb.net>
To: Erick Sanz <esanz@minorplanetusa.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Home web server using front firewall
Date: Wed, 17 Dec 2003 16:56:42 -0500
Message-ID: <002801c3c4e8$a82ca220$7000a80a@melita.com>
In-Reply-To: HFEBJMKNPOCPPMGFHDMCAEJBCDAA.esanz@minorplanetusa.com

> iptables -A FORWARD -i eth0 -p tcp -d 10.10.1.240 --dport 80 -m state \
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -i eth1 -p tcp -s 10.10.1.0/24 --source-port 80 \
> -j ACCEPT
>
> iptables -A FORWARD -o eth1 -p tcp -s 10.10.1.240 --sport 80 -m state \
> --state NEW,ESTABLISHED,RELATED -j ACCEPT


The first forward allows inbound traffic from eth0 (net?) to hit the
webserver on 10.10.1.240.
The second forward allows any traffic FROM any webserver in the 10.10.1.0/24
network out to anywhere (ODD!).
The third forward specifically allows the web server at 10.10.1.240 to
respond to web requests, and should be redundant with the second rule.

Here's my question -- which interface is which?  Assuming eth0 is the
internet side, and eth1 is your DMZ side, you should have these:

iptables -A FORWARD -i eth0 -p tcp -d 10.10.1.240 --dport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -s 10.10.1.240 --sport 80 -m state \
--state ESTABLISHED,RELATED -j ACCEPT

and that should do it.

Are you logging dropped packets?

> Also, I would like to "lock" my OUTPUT chain to avoid Netbios and other
> protocols to go out... any recommendations?

To drop netbios (137-139 tcp & udp), you'd probably want to drop it going
out AND being forwarded, like this:

iptables -A FORWARD -o eth0 -p tcp --dport 137 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 138 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 139 -j DROP
iptables -A FORWARD -o eth0 -p udp --dport 137 -j DROP
iptables -A FORWARD -o eth0 -p udp --dport 138 -j DROP
iptables -A FORWARD -o eth0 -p udp --dport 139 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --dport 137 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --dport 138 -j DROP
iptables -A OUTPUT -o eth0 -p tcp --dport 139 -j DROP
iptables -A OUTPUT -o eth0 -p udp --dport 137 -j DROP
iptables -A OUTPUT -o eth0 -p udp --dport 138 -j DROP
iptables -A OUTPUT -o eth0 -p udp --dport 139 -j DROP

> Thank you VERY much for your time!

You get what you pay for... lol
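Added illustration (not part of the thread, and not something either poster ran): a small Python model of first-match evaluation of an iptables FORWARD chain, used to show concretely why the quoted second rule is a hole and what the reply's stateful replacement changes. It models only interface, protocol, address, port and conntrack-state matches; the conntrack state is just a label carried on each constructed packet. The outside addresses 203.0.113.5 and 198.51.100.9 (documentation ranges), the extra DMZ host 10.10.1.50, and the ordering of the corrected chain (NetBIOS drops first, a catch-all LOG ahead of the DROP policy) are my assumptions.

```python
"""Model of iptables FORWARD-chain evaluation: first terminating match wins,
LOG is non-terminating, unmatched packets fall through to the chain policy.
Illustrative only; it is not iptables and knows nothing about NAT."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    state: str      # conntrack state label: "NEW", "ESTABLISHED" or "RELATED"


@dataclass(frozen=True)
class Rule:
    target: str                                 # "ACCEPT", "DROP" or "LOG"
    in_if: Optional[str] = None                 # -i
    out_if: Optional[str] = None                # -o
    proto: Optional[str] = None                 # -p
    src: Optional[str] = None                   # -s, address or CIDR
    dst: Optional[str] = None                   # -d, address or CIDR
    sport: Optional[int] = None                 # --sport
    dport: Optional[int] = None                 # --dport
    states: Optional[FrozenSet[str]] = None     # -m state --state

    def matches(self, p: Packet) -> bool:
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.out_if is not None and p.out_if != self.out_if:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in \
                ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


@dataclass(frozen=True)
class Verdict:
    target: str                 # final disposition of the packet
    by_rule: Optional[int]      # index of the terminating rule, None = chain policy
    logged: bool                # whether a LOG rule saw it on the way


def walk_chain(chain: List[Rule], p: Packet, policy: str = "DROP") -> Verdict:
    logged = False
    for i, rule in enumerate(chain):
        if not rule.matches(p):
            continue
        if rule.target == "LOG":
            logged = True           # LOG never ends evaluation
            continue
        return Verdict(rule.target, i, logged)
    return Verdict(policy, None, logged)


WEB = "10.10.1.240"
DMZ = "10.10.1.0/24"
NEW_EST_REL = frozenset({"NEW", "ESTABLISHED", "RELATED"})
EST_REL = frozenset({"ESTABLISHED", "RELATED"})

# The three FORWARD rules exactly as quoted in the thread.
ORIGINAL = [
    Rule("ACCEPT", in_if="eth0", proto="tcp", dst=WEB, dport=80, states=NEW_EST_REL),
    Rule("ACCEPT", in_if="eth1", proto="tcp", src=DMZ, sport=80),
    Rule("ACCEPT", out_if="eth1", proto="tcp", src=WEB, sport=80, states=NEW_EST_REL),
]

# The reply's two replacement rules plus its NetBIOS drops, with a catch-all
# LOG before the DROP policy. Ordering is an assumption of this example:
# NetBIOS noise is dropped silently, everything else that dies gets logged.
NETBIOS = [Rule("DROP", out_if="eth0", proto=pr, dport=port)
           for pr in ("tcp", "udp") for port in (137, 138, 139)]
CORRECTED = NETBIOS + [
    Rule("ACCEPT", in_if="eth0", proto="tcp", dst=WEB, dport=80),
    Rule("ACCEPT", in_if="eth1", proto="tcp", src=WEB, sport=80, states=EST_REL),
    Rule("LOG"),
]

# Constructed sample traffic (addresses are from RFC 5737 documentation ranges).
CLIENT = "203.0.113.5"
OUTSIDE = "198.51.100.9"
inbound_http = Packet("eth0", "eth1", "tcp", CLIENT, WEB, 40000, 80, "NEW")
http_reply = Packet("eth1", "eth0", "tcp", WEB, CLIENT, 80, 40000, "ESTABLISHED")
# Another DMZ host opening a NEW connection outward after binding source port 80:
# this is what the quoted second rule lets through.
sport80_escape = Packet("eth1", "eth0", "tcp", "10.10.1.50", OUTSIDE, 80, 22, "NEW")
# NetBIOS name-service query leaking toward the internet.
netbios_out = Packet("eth1", "eth0", "udp", "10.10.1.50", OUTSIDE, 137, 137, "NEW")

if __name__ == "__main__":
    for name, p in [("inbound_http", inbound_http), ("http_reply", http_reply),
                    ("sport80_escape", sport80_escape), ("netbios_out", netbios_out)]:
        print(f"{name:15} original={walk_chain(ORIGINAL, p)} corrected={walk_chain(CORRECTED, p)}")
```

Under the quoted rules the `sport80_escape` packet is accepted by the second rule, so any host in the DMZ can reach anything on the internet simply by sending from source port 80; under the stateful replacement it falls through to the LOG rule and the DROP policy. The NetBIOS query is dropped either way, but in the corrected chain it is dropped by an explicit rule rather than by the policy, which is what keeps it out of the logs.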



Thread overview: 11+ messages
2003-12-10 19:33 Access to Internal server via public address Vernon A. Fort
2003-12-10 19:45 ` Antony Stone
2003-12-10 20:16 ` William Stearns
2003-12-10 20:25   ` Antony Stone
2003-12-10 20:55     ` William Stearns
2003-12-10 23:24       ` Home web server using front firewall Erick Sanz
2003-12-10 23:40         ` Antony Stone
2003-12-17 21:30           ` Erick Sanz
2003-12-17 21:56             ` Ian Hunter [this message]
2003-12-17 22:48             ` Antony Stone
2003-12-11  5:30       ` Access to Internal server via public address Harald Welte
