* Script verification
@ 2005-06-22  4:11 Mohamed Nassih
  2005-06-22 10:40 ` Marius Mertens
  0 siblings, 1 reply; 2+ messages in thread
From: Mohamed Nassih @ 2005-06-22  4:11 UTC (permalink / raw)
  To: netfilter

I'm a newbie.
 
I want to configure a firewall between my local network and the internet, and I want to permit 123.45.67.2 to be seen as an HTTP web server.
I wrote this script; please correct me if there is some error. Is this enough?
 
Thanks
 
echo 1 > /proc/sys/net /ipv4/ip_forward
IPTABLES -F INPUT
IPTABLES -F OUTPUT
IPTABLES -F FORWARD
IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP
Iptables -A INPUT  -i lo -j ACCEPT
Iptables -A OUTPUT  -o lo -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 123.45.67.2 --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A FORWARD -p tcp -i eth0 -o eth0 --source-port 80 -m state --state ESTABLISHED -j ACCEPT




* Re: Script verification
  2005-06-22  4:11 Script verification Mohamed Nassih
@ 2005-06-22 10:40 ` Marius Mertens
  0 siblings, 0 replies; 2+ messages in thread
From: Marius Mertens @ 2005-06-22 10:40 UTC (permalink / raw)
  To: netfilter

Hi everybody,

On Wednesday, June 22, 2005 6:11 AM,
Mohamed Nassih wrote:

> [...]
> echo 1 > /proc/sys/net /ipv4/ip_forward

You still have the space in that line, which Guido already noticed. It 
should be
echo 1 > /proc/sys/net/ipv4/ip_forward
without the space between .../net and /ipv4...

> IPTABLES -F INPUT
> IPTABLES -F OUTPUT
> IPTABLES -F FORWARD
> IPTABLES -P INPUT DROP
> IPTABLES -P OUTPUT DROP
> IPTABLES -P FORWARD DROP
> Iptables -A INPUT  -i lo -j ACCEPT
> Iptables -A OUTPUT  -o lo -j ACCEPT

These rules seem to be good.

> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

This rewrites the source address of every packet originating from 
192.168.1.0/24 going out through eth0 to the public IP of your router 
(assuming eth0 is the interface connected to the internet side of your 
network) --> OK

> iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 123.45.67.2
> --destination-port 80
> -m state --state NEW,ESTABLISHED  -j ACCEPT

This allows traffic (including new connections) coming from eth1 and going 
out through eth0 to pass, if it is destined for 123.45.67.2:80. With the 
assumption that eth1 is connected to the LAN side of your network --> OK

> iptables -A FORWARD -p tcp -i eth0 -o eth0 --source-port 80 -m state
> --state ESTABLISHED -j ACCEPT

With above assumptions regarding your eth0 and eth1 this should be
iptables -A FORWARD -p tcp -i eth0 -o eth1 --source-port 80 -m state --state 
ESTABLISHED -j ACCEPT
Then it allows all returning packets from the internet originating from port 
80 to pass.

It should work then, but I think it should work equally well if you took 
Guido's rules (in 
http://lists.netfilter.org/pipermail/netfilter/2005-June/061098.html), since 
as he already said, that notation is more readable, and IMHO, also cleaner.

So with above changes the script should be sufficient to allow your LAN 
clients access to that single webserver 123.45.67.2. But depending on your 
configuration your clients might be unable to do DNS, so it might be 
necessary to type the IP address into the browser.

Good luck,

Marius 
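The script as it looks with Marius's two corrections applied (the sysctl path without the stray space, and the return-traffic rule entering on eth0 and leaving on eth1), written out as an added example; it is neither the original poster's script nor Marius's or Guido's code. The interface and address assignments are the thread's assumptions: eth0 faces the internet, eth1 faces the LAN 192.168.1.0/24, and 123.45.67.2 is the web server. IPT defaults to "echo iptables", so running the script only prints the rules it would load; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example: the thread's firewall script with Marius's corrections.
# Assumed topology (from the thread): eth0 = internet side, eth1 = LAN side,
# LAN = 192.168.1.0/24, web server = 123.45.67.2.
# IPT defaults to a dry-run that prints each rule instead of loading it.

IPT="${IPT:-echo iptables}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
WEB=123.45.67.2

# The sysctl path, without the space that broke the original line.
forward_sysctl() {
    echo /proc/sys/net/ipv4/ip_forward
}

# Emit (or apply) the complete rule set, one iptables invocation per line.
load_rules() {
    # Flush and default-deny all three filter chains.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -F "$chain"
        $IPT -P "$chain" DROP
    done
    # Loopback traffic on the router itself is always allowed.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Hide the LAN behind the router's public address on the WAN side.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    # LAN -> web server on TCP/80 only, new and established connections.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp -d "$WEB" --dport 80 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies: from the WAN side back into the LAN (the original post had
    # eth0 on both sides, which matches no packet a LAN client receives).
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp --sport 80 \
         -m state --state ESTABLISHED -j ACCEPT
}

# Sanity check on the emitted rules: no FORWARD rule may enter and leave on
# the same interface, and the corrected return rule must be present.
# Returns 0 when the rule set passes.
check_rules() {
    rules=$(IPT="echo iptables"; load_rules)
    echo "$rules" | grep -q -- "-i $WAN -o $WAN" && return 1
    echo "$rules" | grep -q -- "-i $WAN -o $LAN .*--state ESTABLISHED" || return 1
    return 0
}

# Only touch the kernel when actually applying (IPT=iptables, run as root).
if [ "$IPT" = "iptables" ]; then
    echo 1 > "$(forward_sysctl)"
fi
load_rules
```

The `-m state --state ESTABLISHED` match on the return rule is what keeps `--sport 80` from being an open door: a packet from port 80 only passes if conntrack already knows the connection that a LAN client started through the first FORWARD rule. Running the script without IPT set prints the rules, so the check and the printed output can be reviewed before anything is loaded.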


