* To REDIRECT, DNAT or something else
From: Joel Linuxdude @ 2002-11-25 23:43 UTC
To: netfilter
I just had a small question (maybe dumb, I don't care).
My firewall PC is also my DNS server (caching), gateway to
the internet via cable modem, web server, ftp server and
later my proxy server.
Do I need to REDIRECT packets coming into eth0 (from the
cable modem) to the firewall itself? I know the packets
are supposed to go right to the INPUT chain, but people over
the internet can no longer access my WWW, FTP or TELNET
daemon. I fear A) the cable modem company are blocking
the use of servers or B) I screwed up somewhere in my
firewall script.
How can I make sure all TCP/UDP ports 20, 21, 22, 23, 80 and 443
go from the cable modem on eth0 to my firewall and do not get
forwarded over eth1 to my LAN?
Thank you!
* Re: To REDIRECT, DNAT or something else
From: Ben Russo @ 2002-11-26 14:31 UTC
To: Joel Linuxdude; +Cc: netfilter
On Mon, 2002-11-25 at 18:43, Joel Linuxdude wrote:
> I just had a small question (maybe dumb, I don't care).
>
> My firewall PC is also my DNS server (caching), gateway to
> the internet via cable modem, web server, ftp server and
> later my proxy server.
>
> Do I need to REDIRECT packets coming into eth0 (from the
> cable modem) to the firewall itself? I know the packets
> are supposed to go right to the INPUT chain, but people over
> the internet can no longer access my WWW, FTP or TELNET
> daemon. I fear A) the cable modem company are blocking
> the use of servers or B) I screwed up somewhere in my
> firewall script.
>
> How can I make sure all TCP/UDP ports 20, 21, 22, 23, 80 and 443
> go from the cable modem on eth0 to my firewall and do not get
> forwarded over eth1 to my LAN?
Assuming you have only two interfaces on your firewall
and the internal interface has only one subnet:
In the POSTROUTING rules set your MASQUERADE rule
for source $INTERNAL_SUBNET where -o $EXTERNAL_INTERFACE
Set your FORWARD policy to DROP
Allow only ESTABLISHED,RELATED in your FORWARD rule set
for -d $INTERNAL_SUBNET
Allow NEW,RELATED,ESTABLISHED in your FORWARD rule set
where source is $INTERNAL_SUBNET and -i $INTERNAL_INTERFACE
Set your INPUT policy to DROP
Allow INPUT of RELATED,ESTABLISHED
In the INPUT rules allow NEW to come
into tcp ports 20,21,22,23,80,443 for -i eth0
Allow -i eth0 -p udp --sport 67:68 --dport 67:68
in INPUT for the DHCP traffic from your cable modem,
and you also might want *some* ICMP:
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 5 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p icmp -j DROP
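The ruleset Ben describes, written out as one script. This is an added
example, not code posted in the thread. It keeps eth0 as the cable-modem
side and eth1 as the LAN side as in the question; the LAN address range
192.168.1.0/24 and the "dry run unless IPT=iptables" switch are my own
assumptions, not anything stated on the list. The point it demonstrates is
the answer to the original question: a packet addressed to one of the
firewall's own addresses is delivered to INPUT after the routing decision
and never enters FORWARD, so the services on the firewall are opened in
INPUT and no REDIRECT or DNAT rule is needed.

```shell
#!/bin/sh
# Added example, not code from the thread: Ben Russo's ruleset as a script.
# Assumed (not stated in the thread): eth0 faces the cable modem, eth1 the
# LAN, and the LAN is 192.168.1.0/24; change the three variables to fit.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"
# Dry run by default: the iptables commands are printed, not executed.
# Run as root with IPT=iptables to load them for real.
IPT="${IPT:-echo iptables}"

gen_rules() {
    # Start clean; deny by default on INPUT and FORWARD.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # NAT only for LAN sources leaving the external interface.
    $IPT -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE

    # FORWARD sees transit traffic only: the LAN may open connections
    # outward, and only replies to those connections are let back in.
    $IPT -A FORWARD -i "$INT_IF" -s "$INT_NET" \
        -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -d "$INT_NET" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT

    # A packet addressed to one of the firewall's own IPs is routed to
    # INPUT, never to FORWARD, so the services running on the firewall
    # itself are opened here; no REDIRECT or DNAT rule is involved.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in 20 21 22 23 80 443; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # DHCP lease traffic from the cable provider.
    $IPT -A INPUT -i "$EXT_IF" -p udp --sport 67:68 --dport 67:68 -j ACCEPT
    # Some ICMP (echo reply, unreachable, source quench, redirect, time
    # exceeded), then drop the rest arriving from the outside.
    for t in 0 3 4 5 11; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done
    $IPT -A INPUT -i "$EXT_IF" -p icmp -j DROP
    # LAN hosts may use the firewall's own services (caching DNS, later
    # the proxy).
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -j ACCEPT
}

# Count generated rules matching a pattern, so a dry run can be checked
# before anything is loaded (for example, that no DNAT/REDIRECT rule and
# no FORWARD rule for the service ports exists).
count_rules_matching() {
    gen_rules | grep -c -- "$1" || true
}

gen_rules
```

Running the script as-is prints the rules; `IPT=iptables sh firewall.sh` as
root loads them. Two things a practitioner should add on top of Ben's list:
load the FTP connection-tracking helper (ip_conntrack_ftp on 2.4 kernels of
the period, nf_conntrack_ftp on current ones) or the RELATED data channel of
active-mode FTP will not be accepted, and make sure
net.ipv4.conf.all.accept_redirects is 0, since the rule above lets ICMP
type 5 through to the host. Note also that telnet and FTP send credentials
in cleartext; if SSH on port 22 is available, the other two are better left
closed to the outside. On current iptables the `-m state --state` match
still works but is an alias for `-m conntrack --ctstate`.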
* Re: To REDIRECT, DNAT or something else
From: cbaker @ 2002-11-26 14:40 UTC
To: netfilter
I know that this doesn't really answer the question. But the best
strategy is to have a firewall all by itself. If you have an old 486
around, you could try Coyote Linux <coyotelinux.com>. It boots and
runs off a floppy.
On 25 Nov 2002 at 18:43, Joel Linuxdude wrote:
> I just had a small question (maybe dumb, I don't care).
>
> My firewall PC is also my DNS server (caching), gateway to
> the internet via cable modem, web server, ftp server and
> later my proxy server.
>
> Do I need to REDIRECT packets coming into eth0 (from the
> cable modem) to the firewall itself? I know the packets
> are supposed to go right to the INPUT chain, but people over
> the internet can no longer access my WWW, FTP or TELNET
> daemon. I fear A) the cable modem company are blocking
> the use of servers or B) I screwed up somewhere in my
> firewall script.
>
> How can I make sure all TCP/UDP ports 20, 21, 22, 23, 80 and 443
> go from the cable modem on eth0 to my firewall and do not get
> forwarded over eth1 to my LAN?
>
> Thank you!
Chris Baker -- technical specialist
614-839-2447x108
cbaker@bbbscolumbus.org
Big Brothers Big Sisters of Central Ohio
www.bbbscolumbus.org