From: "Frédéric Gonzatti" <fred99@qualiflow.com>
To: netfilter@lists.netfilter.org
Subject: Firewall IP change
Date: Fri, 23 Jul 2004 14:57:30 +0200
Message-ID: <200407231457.30104.fred99@qualiflow.com>
In-Reply-To: <1090450600.2112.3.camel@localhost>
Hi all,
I've got a big problem with my firewall, which has three ethernet cards.
eth0: 172.16.2.1/255.255.255.0 ----> LAN
eth1: 192.168.2.1/255.255.255.0 ----> DMZ
eth2: 192.168.3.1/255.255.255.0 ----> WAN
This firewall is connected to a router which has WAN IP 192.168.3.254 and a
public IP for WAN: 62.160.X.X/255.255.255.255
This configuration is working !!!
I have tried to replace the WAN IP of my firewall by a public IP: 62.160.X.Y
# ifconfig eth2 62.160.X.Y netmask 255.255.255.248
# route add default gw 62.160.X.Z (which is the new IP of the router; the WAN
and LAN interfaces of the router are the same)
I can access the internet from my firewall but unfortunately not from my
LAN.
So now I have come back to my old configuration until I find out why it was not working.
Have you got any idea please?
My iptables script is:
iptables -t filter -F
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
###########
# FORWARD #
###########
##############
# LAN -->DMZ #
##############
iptables -t nat -A PREROUTING -d 172.16.2.1 -p tcp --dport 110 -j DNAT --to-destination 192.168.2.150:110
iptables -t filter -A FORWARD -i eth0 -o eth1 -s 172.16.0.0/16 -d 192.168.2.150/32 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.2.150/32 -d 172.16.0.0/16 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
###############
# LAN --> WAN #
###############
####################################
# PROTOCOLE IDENT : TCP et UDP 113 #
####################################
iptables -t filter -A FORWARD -p tcp --dport 113 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --sport 113 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 113 -j ACCEPT
iptables -t filter -A FORWARD -p udp --sport 113 -j ACCEPT
###################################
# HTTP, HTTPS : TCP 80 et TCP 443 #
###################################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p udp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p udp --sport 443 -j ACCEPT
##################
# Protocole POP3 #
##################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
#################
# Protocole FTP #
#################
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -j DROP
iptables -t filter -A OUTPUT -j DROP
iptables -t filter -A FORWARD -j DROP
Thanks
Fred99
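Added example, not part of the original post or a reply in the thread. One thing that stands out in the posted script is that the nat table holds only the PREROUTING DNAT rule for the DMZ POP3 server: there is no POSTROUTING rule rewriting the source address of LAN traffic (172.16.0.0/16) as it leaves eth2. The assumption here (the post does not say so, but it is the usual setup) is that while eth2 sat on 192.168.3.0/24 the router translated everything for it; once eth2 carries the public address the firewall itself is the last private-to-public hop, so the LAN source addresses must be translated on the firewall. The script below rebuilds the LAN -> WAN part of the ruleset with that POSTROUTING SNAT rule included, and carries a small check that reports whether a given ruleset has any source-NAT rule for the WAN interface. It runs in dry-run mode by default (rules are printed, not applied), so it can be reviewed before being run on the firewall. The public address 62.160.X.Y is kept as the placeholder written in the post.

```shell
#!/bin/sh
# Added example (not from the original post): LAN -> WAN rules for the
# topology described above, including the POSTROUTING source-NAT rule that
# the posted script lacks.
# Assumptions (not stated in the post): the router used to NAT 192.168.3.0/24;
# the new public address on eth2 is the post's placeholder 62.160.X.Y.
#
# DRY_RUN=1 (default) prints the rules instead of applying them.
DRY_RUN="${DRY_RUN:-1}"
LAN_IF=eth0
WAN_IF=eth2
LAN_NET=172.16.0.0/16
WAN_IP="${WAN_IP:-62.160.X.Y}"   # placeholder public address from the post

# Wrapper: print the rule in dry-run mode, otherwise hand it to iptables.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Source NAT for LAN hosts leaving the WAN interface (the missing piece).
lan_to_wan_snat() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# Stateful LAN -> WAN forwarding for one TCP port, plus the return path,
# in the same style as the posted HTTP and POP3 rules.
lan_to_wan_tcp() {
    port="$1"
    ipt -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" -p tcp --sport "$port" -m state --state ESTABLISHED -j ACCEPT
}

# Check: does a ruleset (one rule per line) contain a source-NAT rule
# (SNAT or MASQUERADE) in POSTROUTING for the WAN interface?
has_snat_for_wan() {
    printf '%s\n' "$1" | grep -qE -- "-t nat -A POSTROUTING -o $WAN_IF .* -j (SNAT|MASQUERADE)"
}

# Build the complete LAN -> WAN ruleset: SNAT first, then the forwards for
# the TCP services the post allows (HTTP, HTTPS, POP3, FTP control).
build_rules() {
    lan_to_wan_snat
    for p in 80 443 110 21; do
        lan_to_wan_tcp "$p"
    done
}

# The only nat-table rule in the posted script, copied verbatim as sample
# input for the check: it is a DNAT in PREROUTING, not a source NAT.
POSTED_NAT='iptables -t nat -A PREROUTING -d 172.16.2.1 -p tcp --dport 110 -j DNAT --to-destination 192.168.2.150:110'

RULES="$(build_rules)"
printf '%s\n' "$RULES"
if has_snat_for_wan "$POSTED_NAT"; then
    echo "posted nat rules: source NAT for $WAN_IF present"
else
    echo "posted nat rules: no source NAT for $WAN_IF"
fi
```

Running the script as-is prints the generated rules and reports that the posted nat rule does not provide source NAT for eth2; `DRY_RUN=0 WAN_IP=<public address>` applies the generated rules. The check is a plain grep over the rule text, so it can also be pointed at the output of `iptables-save` to confirm the same thing on the live firewall.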