From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: Ip Forwarding
Date: Thu, 28 Oct 2004 14:26:03 -0400
Message-ID: <20041028182603.GA5067@bender.817west.com>
In-Reply-To: <20041028172521.3B3CB672@mail.817west.com>

On Thu, Oct 28, 2004 at 12:23:50PM -0500, Joe Wright wrote:
> Hi, I'm new to iptables and am trying to set up a firewall for my hosting
> company. We have a block of 128 public ips starting at 207.145.24.128 with a
> mask of 255.255.255.192. I have a redhat 9 box set up with 2 nics. My goal
> is to have it between the router and my network.

is your current configuration that "my network" is 207.145.24.128/26 and
all hosts point to the inside interface of the router as their default
gateway?  and now you want to wedge a firewall between "my network" and
the router?

> It should allow connections
> to port 80 for all ips behind it

  iptables -A FORWARD -i $outsideIF -o $insideIF -p tcp --syn \
    --dport 80 -j ACCEPT

  (assumes you are using connection tracking)

> and I would also like to specify certain
> ports for certain ips for dns, ftp, remote desktop, etc.

mport/multiport is useful for this (i prefer mport, but most distros
ship with multiport):

  iptables -A FORWARD -i $outsideIF -o $insideIF -p tcp --syn \
    -d $server001 -m multiport --dports 21,3389 -j ACCEPT

> I've found tons of
> info on using iptables with nat but not much on just blocking ports for ips
> passing through it. I'm also not quite sure of how to configure the second
> nic that connects to my internal network. Any help would be greatly
> appreciated.

if my description of your scenario above was correct, you have a couple
of options:

(a) get an additional /30 public IP space to use between the outside of
the firewall and the inside of your router

(b) subnet your existing /26 and steal a /30 out of it from the beginning
or end of the range for the network between the firewall and router

(c) use an RFC 1918 network for the network between the firewall and
router

the "best" solution is A, but will cost some extra $$$.  C can cause
problems in certain situations.  B is a nice compromise, basically it
would involve:

  router:
	inside interface:  207.145.24.129/30
	static route:      207.145.24.128/26 via 207.145.24.130

  firewall:
	outside interface:  207.145.24.130/30
	inside interface:   207.145.24.190/26
	default gateway:    207.145.24.129

default gateway of hosts on the 207.145.24.128/26 network:
207.145.24.190

or some variant of the above, depending on how much readdressing you do
or do not want to do.

-j

-- 
Jason Opperisano <opie@817west.com>
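The pieces of this reply assembled into one script, added here as an illustrative example and not code from the thread or its author. It takes the firewall side of option (b) for addressing, adds the conntrack return-traffic rule the `--syn` rules rely on, and defaults the FORWARD chain to DROP so only the listed services pass. Assumptions: interface names eth0/eth1, 207.145.24.140 as the constructed address for `$server001`, and a dry-run default in which the iptables/ip/sysctl commands are echoed rather than executed (set `IPTABLES=iptables IP=ip SYSCTL=sysctl` as root to apply them).

```shell
#!/bin/sh
# Added example, not from the original thread.  Dry-run by default:
# the commands are printed, not executed.  Override IPTABLES, IP and
# SYSCTL with the real binaries (as root) to apply the configuration.
set -eu

IPTABLES="${IPTABLES:-echo iptables}"
IP="${IP:-echo ip}"
SYSCTL="${SYSCTL:-echo sysctl}"

outsideIF="${outsideIF:-eth0}"           # toward the router (assumed name)
insideIF="${insideIF:-eth1}"             # toward the hosted servers (assumed name)
publicNET="207.145.24.128/26"            # the hosting block from the thread
server001="${server001:-207.145.24.140}" # constructed address inside that block

# Firewall addressing for option (b): a /30 carved from the start of the
# /26 sits between router (.129) and firewall (.130); the firewall's inside
# interface (.190) becomes the default gateway of the hosted servers.
addressing() {
    $IP addr add 207.145.24.130/30 dev "$outsideIF"
    $IP addr add 207.145.24.190/26 dev "$insideIF"
    $IP route add default via 207.145.24.129
    # Nothing is forwarded between the two NICs until this is on.
    $SYSCTL -w net.ipv4.ip_forward=1
}

forward_policy() {
    # Anything not explicitly allowed through is dropped.
    $IPTABLES -P FORWARD DROP

    # Basic address sanity: outside traffic must be aimed at our block,
    # inside traffic must come from it.
    $IPTABLES -A FORWARD -i "$outsideIF" ! -d "$publicNET" -j DROP
    $IPTABLES -A FORWARD -i "$insideIF" ! -s "$publicNET" -j DROP

    # Replies and related flows for connections conntrack already knows.
    # The --syn rules below only admit the first packet of a connection,
    # so without this rule nothing would come back.  FTP data channels
    # additionally need the ftp conntrack helper (ip_conntrack_ftp on
    # 2.4-era kernels) loaded to be classified as RELATED.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Web to every host behind the firewall (the reply's first rule).
    $IPTABLES -A FORWARD -i "$outsideIF" -o "$insideIF" -p tcp --syn \
        -d "$publicNET" --dport 80 -j ACCEPT

    # Per-host service list via multiport (ftp control + remote desktop).
    $IPTABLES -A FORWARD -i "$outsideIF" -o "$insideIF" -p tcp --syn \
        -d "$server001" -m multiport --dports 21,3389 -j ACCEPT

    # DNS to the same host needs both UDP and TCP.
    $IPTABLES -A FORWARD -i "$outsideIF" -o "$insideIF" -p udp \
        -d "$server001" --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -i "$outsideIF" -o "$insideIF" -p tcp --syn \
        -d "$server001" --dport 53 -j ACCEPT

    # Hosted servers may open connections outward.
    $IPTABLES -A FORWARD -i "$insideIF" -o "$outsideIF" -s "$publicNET" -j ACCEPT

    # Rate-limited log of whatever falls through to the DROP policy.
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

addressing
forward_policy
```

Run it once without overrides to review the generated rule set; the order matters, since the ESTABLISHED,RELATED rule must precede the per-service rules and the LOG rule must be last.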

