From: Sp0oKeR <spooker@gmail.com>
To: Alexander Salmin <security.member@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Secure Firewall
Date: Thu, 11 Aug 2005 10:29:44 -0300
Message-ID: <9255886c05081106294b57b9d2@mail.gmail.com>
In-Reply-To: <393114f90508090624278c8414@mail.gmail.com>
I think you can complete it with the following.
Change this:
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.40 -p tcp --dport 80 -o $EXT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.80 -p tcp --dport 80 -o $EXT -j MASQUERADE
Add this:
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.51.0/24 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.51.20 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.51.40 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.51.80 -p tcp --dport 80 -j ACCEPT
Try this!
Regards,
Sp0oKeR
On 8/9/05, Alexander Salmin <security.member@gmail.com> wrote:
> Hello friends,
>
> I'm trying to set up a secure NAT firewall in my home, for that I need
> help with some rules.
>
> I've got a total of four computers, including the server.
>
> These are the ones that should be NAT'ed:
>
> #1 --- 192.168.51.20 --- Should be able to access all internet.
> #2 --- 192.168.51.40 --- Should be able to access only websites (port 80,443).
> #3 --- 192.168.51.80 --- Should be able to access only websites (port 80,443).
>
> This is what my non-working iptables script looks like right now:
> -------------------------------------------------------------------------------------
> INT="eth0"
> EXT="eth1"
> IPTABLES=/sbin/iptables
>
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F -t nat
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
> $IPTABLES -A INPUT -i $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
> $IPTABLES -A INPUT -p UDP --dport bootps -i $INT -j ACCEPT
> $IPTABLES -A INPUT -p UDP --dport domain -i $INT -j ACCEPT
>
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.20 -o $EXT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.40 -dport 80 -o $EXT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.80 -dport 80 -o $EXT -j MASQUERADE
>
> $IPTABLES -A INPUT -j DROP
> -------------------------------------------------------------------------------------
>
> Somehow, it doesn't work with -dport 80, and I believe that I have
> missed some allow-rules because the -j DROP denies the computer from
> 192.168.51.20 too.
>
> Any help would be appreciated!
>
>
> Thanks,
> --Alexander.
>
>
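A complete version of the firewall the question asks for, with the reply's fixes folded in, as an added example that is not part of the thread (it is neither poster's script). It assumes the LAN is 192.168.51.0/24 on eth0, the uplink is eth1, and the firewall itself serves DHCP and DNS to the LAN (the bootps/domain INPUT rules in the question suggest it does; the web-only hosts have to get name resolution from somewhere). It also adds two things the original script lacks and the reply does not mention: OUTPUT rules for the firewall's own traffic (the OUTPUT policy is DROP) and enabling IP forwarding. The `ipt` wrapper and `DRY_RUN` knob are mine, so the rule set can be printed and reviewed without root.

```shell
#!/bin/sh
# Added example, not the thread's code. Assumptions (mine): LAN on eth0,
# uplink on eth1, firewall answers DHCP and DNS for the LAN.
INT="eth0"
EXT="eth1"
LAN="192.168.51.0/24"
WEB_PORTS="80,443"

# DRY_RUN=1 prints each rule instead of loading it, so the set can be
# reviewed or tested on a box without root or iptables.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        /sbin/iptables "$@"
    fi
}

build_rules() {
    # Start clean, then default-deny in every filter chain.
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -F FORWARD
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Traffic to the firewall itself: loopback, replies to its own
    # connections, LAN-side ping, DHCP (udp/67) and DNS (udp+tcp/53)
    # from the LAN interface only. Nothing new is accepted from $EXT.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$INT" -p icmp -j ACCEPT
    ipt -A INPUT -i "$INT" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$INT" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INT" -p tcp --dport 53 -j ACCEPT

    # With OUTPUT policy DROP the firewall cannot resolve names or
    # forward DNS for the LAN unless its own outbound traffic is allowed.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Forwarding: replies first, then one rule per host for new flows.
    # Pinning -i/-o makes each rule one-directional, so the per-host
    # exceptions cannot be matched by packets arriving from the uplink.
    ipt -A FORWARD -i "$EXT" -o "$INT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INT" -o "$EXT" -s 192.168.51.20 -j ACCEPT
    ipt -A FORWARD -i "$INT" -o "$EXT" -s 192.168.51.40 -p tcp -m multiport --dports "$WEB_PORTS" -j ACCEPT
    ipt -A FORWARD -i "$INT" -o "$EXT" -s 192.168.51.80 -p tcp -m multiport --dports "$WEB_PORTS" -j ACCEPT

    # nat/POSTROUTING only rewrites packets that FORWARD already accepted,
    # so the port filtering belongs above; one MASQUERADE covers the LAN.
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXT" -j MASQUERADE
}

# Usage (as root): ./firewall.sh apply     Review first: DRY_RUN=1 ./firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    build_rules
    # Forwarded packets are dropped by the kernel regardless of the rules
    # until forwarding is switched on.
    [ -n "${DRY_RUN:-}" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

The per-host restriction is a FORWARD decision, not a NAT one: the POSTROUTING rule never sees a packet the filter table has already dropped, which is why the question's `-dport` in the nat table could not have worked even with the syntax fixed. On a current kernel `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; the rules are otherwise unchanged.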
Thread overview: 3+ messages
2005-08-09 13:24 Secure Firewall Alexander Salmin
2005-08-11 13:29 ` Sp0oKeR [this message]
2005-08-12 19:09 ` curby .