* iptables rule command help
From: CC commmunication @ 2005-08-30 10:00 UTC (permalink / raw)
To: netfilter
Hi,
What I want to do is just a simple setup. I will be very
thankful for the help.
firewall/Gateway
lan0---eth0-192.168.1.253/30--eth1-10.0.0.253/30-----Lan1
I want someone to write the iptables rule for forwarding
TCP traffic from Lan0 to Lan1 to the server
10.0.0.254/30, ports www, telnet, ssh, ftp (21, 22), during
the office timings 9 am to 5 pm with the SYN bit set or the
stateful options NEW, ESTABLISHED, RELATED, and log the
packet field information as well.
* Re: iptables rule command help
From: Jörg Harmuth @ 2005-08-30 10:37 UTC (permalink / raw)
To: netfilter
CC commmunication schrieb:
> Hi,
> What I want to do is just a simple setup. I will be very
> thankful for the help.
>
> firewall/Gateway
> lan0---eth0-192.168.1.253/30--eth1-10.0.0.253/30-----Lan1
>
> I want someone to write the iptables rule for forwarding
> TCP traffic from Lan0 to Lan1 to the server
> 10.0.0.254/30, ports www, telnet, ssh, ftp (21, 22), during
> the office timings 9 am to 5 pm with the SYN bit set or the
> stateful options NEW, ESTABLISHED, RELATED
Just basic, may need some tuning. Of course there are other ways to
achieve your goal.
# $LAN0/$LAN1 were not defined in the original mail; these values follow
# the poster's diagram (the /30 on each side of the gateway).
LAN0=192.168.1.252/30
LAN1=10.0.0.252/30

echo 1 > /proc/sys/net/ipv4/ip_forward   # let the box route at all
modprobe ip_conntrack_ftp                 # FTP helper, so data connections count as RELATED
                                          # (the module is named nf_conntrack_ftp on current kernels)
iptables -P INPUT DROP
iptables -P FORWARD DROP                  # default deny; only what is listed below passes
iptables -N ALLOWED_TIME                  # user-defined chain holding the office-hours rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies, both directions
iptables -A FORWARD -m time --timestart 09:00 --timestop 17:00 \
--days Mon,Tue,Wed,Thu,Fri -j ALLOWED_TIME   # current xt_time spells this option --weekdays
iptables -A ALLOWED_TIME -p tcp --dport 80 -s $LAN0 -d $LAN1 \
--syn -j ACCEPT                           # one rule per allowed port; --syn = new connections only
...
And so on.
> and log the packet field information as well.
Sorry, what exactly do you want to log?
HTH and have a nice time,
Joerg
* Re: iptables rule command help
From: Jörg Harmuth @ 2005-08-30 14:26 UTC (permalink / raw)
To: netfilter
CC commmunication schrieb:
> Thank you very much for your help.
> I have read a lot about iptables, but I cannot find
> any information about how many matches can be done in
> one statement.
> e.g.
> Can I match source subnet, destination subnet, source
> port range and destination port range with the --syn
> flag set, etc.?
Yes.
> If anyone can explain how options can be matched in
> one iptables statement.
Simply write one after the other as in my previous example. Combine as
you need it.
> I know it could be done by using a user-defined target,
> and then do further processing with that target.
You can do it in any chain (also user-defined ones), but depending on
the chain in question it's more or less useful. And also depending on
the target some matches are more or less useful. E.g. with the
layer7 patch, matching against ports is totally useless ;)
Have a nice time,
Joerg
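Putting the two answers together (the ruleset sketched in the first reply, and the point in the second that several matches simply go one after another in a single rule), here is a complete script for the poster's layout. It is an added example, not code from the thread or from the netfilter project. The addresses follow the poster's diagram; the interface names, the port list, the chain name, the log prefixes, the rate limits and the dry-run switch are assumptions. It uses the current option spellings (-m conntrack, --weekdays, nf_conntrack_ftp) and adds the CT --helper rule that current kernels need before FTP data connections are classified RELATED:

```shell
#!/bin/sh
# Added example for the netfilter thread above; not code from the thread.
# Addresses follow the poster's diagram; interface names, ports, chain name,
# log prefixes, rate limits and the dry-run switch are assumptions.
#
#   sh fw.sh dry-run    print the commands that would be run
#   sh fw.sh apply      load them (needs root and a conntrack-capable kernel)

LAN0_IF=eth0;  LAN0=192.168.1.252/30   # client side (poster's Lan0)
LAN1_IF=eth1;  LAN1=10.0.0.252/30      # server side (poster's Lan1)
SERVER=10.0.0.254                       # the only host in Lan1 that may be reached
PORTS=21,22,23,80                       # ftp, ssh, telnet, www
# xt_time compares against UTC unless --kerneltz is given; the 2005
# patch-o-matic version of this match spelled --weekdays as --days.
HOURS="-m time --timestart 09:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz"

# run CMD...: execute, or only print the command line when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

load_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run modprobe nf_conntrack_ftp       # was ip_conntrack_ftp on 2.4/2.6-era kernels

    # Default deny; the firewall itself only accepts loopback and replies.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Helpers are no longer auto-assigned (off by default since 4.7, the
    # nf_conntrack_helper sysctl removed in 6.0): tag the FTP control
    # connection explicitly so its data connections become RELATED below.
    run iptables -t raw -A PREROUTING -i "$LAN0_IF" -s "$LAN0" -d "$SERVER" \
        -p tcp --dport 21 -j CT --helper ftp

    # Replies and helper-tracked connections, whichever direction.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Several matches in one rule: interfaces, subnets, source port range,
    # SYN flag, conntrack state and the time window.  Only the first packet
    # of a Lan0 -> server connection gets here, and only in office hours.
    run iptables -N OFFICE_HOURS
    run iptables -A FORWARD -i "$LAN0_IF" -o "$LAN1_IF" -s "$LAN0" -d "$SERVER" \
        -p tcp --sport 1024:65535 --syn -m conntrack --ctstate NEW \
        $HOURS -j OFFICE_HOURS

    # Log the header fields of each permitted SYN (rate-limited so a scan
    # cannot fill the log), then accept the listed ports.  Other ports fall
    # back into FORWARD and are dropped there.
    run iptables -A OFFICE_HOURS -p tcp -m multiport --dports "$PORTS" \
        -m limit --limit 30/min --limit-burst 60 \
        -j LOG --log-prefix "FWD-NEW: " --log-level info \
        --log-ip-options --log-tcp-options
    run iptables -A OFFICE_HOURS -p tcp -m multiport --dports "$PORTS" -j ACCEPT

    # Whatever reaches the end of FORWARD is logged (rate-limited) and then
    # hits the DROP policy.
    run iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FWD-DROP: " --log-level info
}

case "${1:-}" in
    apply)   load_rules ;;
    dry-run) DRY_RUN=1; load_rules ;;
esac
```

Run `sh fw.sh dry-run` first to see the commands, then `sh fw.sh apply` as root. The FWD-NEW lines in the kernel log (dmesg or journald) carry the IP and TCP header fields, with --log-ip-options and --log-tcp-options adding the option bytes, which covers the packet field information the poster asked for. The INPUT policy is DROP, so add a rule for your own management access before applying this on a remote box, and keep the limit matches: an unlimited LOG rule on a SYN-matching path is an easy way for a scanner to fill the disk.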