* Firewall problem
@ 2005-06-15 3:14 Mohamed Nassih
From: Mohamed Nassih @ 2005-06-15 3:14 UTC (permalink / raw)
To: netfilter
Hi,
I have this firewall script, the problem is that I can not connect to the webserver (123.45.67.2) from the local network (192.168.1.0).
Please help.
echo 1 > /proc/sys/net /ipv4/ip_forward
IPTABLES -F INPUT
IPTABLES -F OUTPUT
IPTABLES -F FORWARD
IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP
Iptables -A INPUT -i lo -j ACCEPT
Iptables -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -p tcp -d 123.45.67.2 --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --source-port 80 -m state --state ESTABLISHED -j ACCEPT
* Re: Firewall problem
@ 2005-06-15 3:48 ` Guido Lorenzutti
From: Guido Lorenzutti @ 2005-06-15 3:48 UTC (permalink / raw)
To: Mohamed Nassih, netfilter
Mohamed Nassih wrote:
> Hi,
>
> I have this firewall script, the problem is that I can not connect to the webserver (123.45.67.2) from the local network (192.168.1.0).
>
> Please help.
maybe if you...
echo 1 > /proc/sys/net/ipv4/ip_forward
and not
echo 1 > /proc/sys/net(((( ))))/ipv4/ip_forward
>
> echo 1 > /proc/sys/net /ipv4/ip_forward
> IPTABLES -F INPUT
> IPTABLES -F OUTPUT
> IPTABLES -F FORWARD
you could...
iptables -F instead of the three rules from above...
> IPTABLES -P INPUT DROP
> IPTABLES -P OUTPUT DROP
> IPTABLES -P FORWARD DROP
> Iptables -A INPUT -i lo -j ACCEPT
> Iptables -A OUTPUT -o lo -j ACCEPT
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
> iptables -A FORWARD -i eth1 -p tcp -d 123.45.67.2 --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -p tcp -i eth0 --source-port 80 -m state --state ESTABLISHED -j ACCEPT
>
It would be more readable if you....
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -d 123.45.67.2 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s 123.45.67.2 -m state --state ESTABLISHED -j ACCEPT
Check if eth0 = wan and eth1 = lan.
PS: sorry for my English, I never studied.
* Re: Firewall problem
@ 2005-06-15 13:01 ` Mohamed Nassih
From: Mohamed Nassih @ 2005-06-15 13:01 UTC (permalink / raw)
To: netfilter
it does not work,
please help
* Re: Firewall problem
@ 2005-06-15 14:10 ` /dev/rob0
From: /dev/rob0 @ 2005-06-15 14:10 UTC (permalink / raw)
To: netfilter
On Wednesday 15 June 2005 08:01, Mohamed Nassih wrote:
> it does not work,
>
> please help
Sorry, no, but I will tell you why.
OUTPUT restrictions are hard to do. I don't mess with them myself, and
it's possible I have a much greater understanding of firewalling than
you do. Of course OUTPUT only affects locally-generated packets, not
the MASQUERADE ones from your local network, so that may not be your
issue.
What you want to do is probably covered in the simple examples in the
Packet Filtering and NAT HOWTOs. Read them. If you have done so you can
come up with a more specific statement of problem and question than "it
does not work, please help." Then if I have time and know the answer I
might help.
Guido pointed out a definite show-stopping typo in your script, BTW.
There will be no packet forwarding with a typo like that (unless it was
turned on in some other way, such as the distro's sysctl interface.)
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
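As an added illustration (not code from this thread or from netfilter), here is a small Python model of how the FORWARD chain sees the LAN client's request and the web server's reply under the poster's two rules and under Guido's rewrite, together with rob0's two points: a forwarded packet never passes OUTPUT, and nothing is forwarded at all while ip_forward is still 0. It assumes eth0 is the WAN side and eth1 the LAN side, as Guido asked the poster to check, and all packets are constructed samples.

```python
from dataclasses import dataclass
@dataclass
class Packet:
    in_if: str
    out_if: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    state: str  # conntrack state as the -m state match would see it
# Rules as (match-dict, target); a set value means "any of these".
ORIGINAL_FORWARD = [  # the poster's two rules: no -o, and no -s on the reply rule
    ({"in_if": "eth1", "proto": "tcp", "dst": "123.45.67.2", "dport": 80,
      "state": {"NEW", "ESTABLISHED"}}, "ACCEPT"),
    ({"in_if": "eth0", "proto": "tcp", "sport": 80,
      "state": {"ESTABLISHED"}}, "ACCEPT"),
]
GUIDO_FORWARD = [  # Guido's rewrite: both interfaces and the server address pinned
    ({"in_if": "eth1", "out_if": "eth0", "proto": "tcp", "dst": "123.45.67.2",
      "dport": 80, "state": {"NEW", "ESTABLISHED"}}, "ACCEPT"),
    ({"in_if": "eth0", "out_if": "eth1", "proto": "tcp", "src": "123.45.67.2",
      "sport": 80, "state": {"ESTABLISHED"}}, "ACCEPT"),
]

def matches(rule, pkt):
    for field, want in rule.items():
        have = getattr(pkt, field)
        if not (have in want if isinstance(want, set) else have == want):
            return False
    return True

def forward_verdict(chain, pkt, ip_forward=True, policy="DROP"):
    """Verdict for a packet that merely transits the router. Such a packet hits
    FORWARD, never OUTPUT (rob0's point), and with ip_forward still 0 (what the
    typo'd sysctl path leaves behind) it is dropped before FORWARD is consulted."""
    if not ip_forward:
        return "DROP"
    for rule, target in chain:  # first match wins, else the chain policy
        if matches(rule, pkt):
            return target
    return policy

# Constructed sample traffic: LAN host on eth1, web server reached via eth0.
REQUEST = Packet("eth1", "eth0", "tcp", "192.168.1.10", "123.45.67.2", 40000, 80, "NEW")
REPLY = Packet("eth0", "eth1", "tcp", "123.45.67.2", "192.168.1.10", 80, 40000, "ESTABLISHED")
# Reply-shaped packet from an unrelated host using source port 80: the poster's
# second rule takes it, Guido's pinned -s 123.45.67.2 does not.
STRAY = Packet("eth0", "eth1", "tcp", "198.51.100.7", "192.168.1.10", 80, 40000, "ESTABLISHED")
```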