From: "Marius Mertens" <marius.mertens@gmx.de>
To: netfilter@lists.netfilter.org
Subject: Re: Script verification
Date: Wed, 22 Jun 2005 12:40:17 +0200
Message-ID: <004d01c57716$cbfda230$4206a8c0@loki>
In-Reply-To: 20050622041115.96034.qmail@web30615.mail.mud.yahoo.com
Hi everybody,
On Wednesday, June 22, 2005 6:11 AM, Mohamed Nassih wrote:
> [...]
> echo 1 > /proc/sys/net /ipv4/ip_forward
You still have the space in that line, which Guido already noticed. It
should be
echo 1 > /proc/sys/net/ipv4/ip_forward
without the space between .../net and /ipv4...
> IPTABLES -F INPUT
> IPTABLES -F OUTPUT
> IPTABLES -F FORWARD
> IPTABLES -P INPUT DROP
> IPTABLES -P OUTPUT DROP
> IPTABLES -P FORWARD DROP
> Iptables -A INPUT -i lo -j ACCEPT
> Iptables -A OUTPUT -o lo -j ACCEPT
These rules seem to be good.
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
This rewrites the source address of every packet originating from
192.168.1.0/24 going out through eth0 to the public IP of your router
(assuming eth0 is the interface connected to the internet side of your
network) --> OK
> iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 123.45.67.2
> --destination-port 80
> -m state --state NEW,ESTABLISHED -j ACCEPT
This allows traffic (including new connections) coming from eth1 and going
out through eth0 to pass, if it is destined for 123.45.67.2:80. With the
assumption that eth1 is connected to the LAN side of your network --> OK
> iptables -A FORWARD -p tcp -i eth0 -o eth0 --source-port 80 -m state
> --state ESTABLISHED -j ACCEPT
With the above assumptions regarding your eth0 and eth1 this should be
iptables -A FORWARD -p tcp -i eth0 -o eth1 --source-port 80 -m state --state
ESTABLISHED -j ACCEPT
Then it allows all returning packets from the internet originating from port
80 to pass.
It should work then, but I think it should work equally well if you took
Guido's rules (in
http://lists.netfilter.org/pipermail/netfilter/2005-June/061098.html), since
as he already said, that notation is more readable, and IMHO, also cleaner.
So with the above changes the script should be sufficient to allow your LAN
clients access to that single webserver 123.45.67.2. But depending on your
configuration your clients might be unable to do DNS, so it might be
necessary to type the IP address into the browser.
Good luck,
Marius
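The corrected script as discussed in this reply, assembled here into a stand-alone form (an added example, not Mohamed's original script or Marius's text). It assumes eth0 is the internet side and eth1 the LAN side, as the reply does; by default it only prints the commands, and "apply" as the first argument loads them.

```shell
#!/bin/sh
# Corrected rule set from this thread. Values (interfaces, LAN range, web
# server) are the ones quoted in the thread; adjust them for your network.
# "sh fw.sh apply" (as root) loads the rules; anything else only prints them.
MODE="${1:-dry-run}"
WAN_IF="eth0"
LAN_IF="eth1"
LAN_NET="192.168.1.0/24"
WEB_SERVER="123.45.67.2"

# Wrapper: run iptables, or just print the command line, depending on MODE.
ipt() {
    if [ "$MODE" = "apply" ]; then iptables "$@"; else echo "iptables $*"; fi
}

enable_forwarding() {
    # Path written without the stray space pointed out in the thread.
    if [ "$MODE" = "apply" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

apply_rules() {
    # Flush the built-in chains and default to DROP, as in the original script.
    for chain in INPUT OUTPUT FORWARD; do
        ipt -F "$chain"
        ipt -P "$chain" DROP
    done
    # Loopback traffic on the router itself.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Hide LAN clients behind the router's public address on the WAN interface.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # LAN -> web server on port 80, new and established connections.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -d "$WEB_SERVER" \
        --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies: in on the WAN side, out to the LAN side (the thread's fix: -o eth1,
    # not -o eth0). Matching -s on the web server is an added tightening.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -s "$WEB_SERVER" \
        --source-port 80 -m state --state ESTABLISHED -j ACCEPT
    # Nothing here forwards DNS, so clients must use the IP address directly.
}

enable_forwarding
apply_rules
```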
Thread overview: 2+ messages
2005-06-22 4:11 Script verification Mohamed Nassih
2005-06-22 10:40 ` Marius Mertens [this message]