* problem with ip tables help required
From: purushotham.krishnappa @ 2003-02-07 5:56 UTC
To: netfilter
Hi

The requirement is like this:

WebServer ------------ Router/Firewall ------------ client
10.60.90.7/8           eth1: 10.60.90.5/8          192.168.10.15
                       eth0: 192.168.10.5/24

Router/Firewall -----> RH Linux 8 using iptables

The client should be able to access the webserver.
Without the firewall rules I am able to access the webserver from the client (IP forwarding is working fine).
I have already set the iptables rules, please see the attached file.
After the FW rules are enabled I am not able to connect to the webserver from 192.168.10.5 to 10.60.90.7, BUT I can ping 10.60.90.5.
I need clients from 192.168.10.0/24 to be able to connect only to port 80 on 10.161.90.7.8.
(See attached file: firescript.txt)
Rgds
Puru
[-- Attachment #2: firescript.txt --]
# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) User-defined chain for ACCEPTED TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# (3) INPUT chain rules
# Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth1 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 10.60.90.5 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.10.5 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 10.0.0.255 -j ACCEPT

# Rules for incoming packets from the internet

# Packets for established connections
iptables -A INPUT -p ALL -d 192.168.10.5 -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay

# ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# (4) FORWARD chain rules
# Accept the packets we want to forward
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# (5) OUTPUT chain rules
# Only output packets with local address (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 10.60.90.5 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.10.5 -j ACCEPT

# (6) dynamic NAT to do port forwarding
iptables -t nat -A PREROUTING -p tcp -d 192.168.10.5 --dport 80 -j DNAT --to-destination 10.60.90.7

* Re: problem with ip tables help required
From: uniplex @ 2003-02-08 7:41 UTC
To: purushotham.krishnappa; +Cc: netfilter
purushotham.krishnappa@philips.com wrote:
> Hi
Hi
> The requirement is like this
>
> WebServer ------------ Router/Firewall ------------ client
> 10.60.90.7/8           eth1: 10.60.90.5/8          192.168.10.15
>                        eth0: 192.168.10.5/24
>
After looking at your script it looks like you're missing a forward
rule to allow the client to access the web server.

iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT

It also looks like you might want to masquerade your internal clients.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Also, unless the connection is actually to the Router/Firewall an INPUT
rule does nothing. If it's a connection between the client and the
webserver then only forward rules on the firewall will apply.

* Re: problem with ip tables help required
From: Joel Newkirk @ 2003-02-08 16:38 UTC
To: purushotham.krishnappa, netfilter

On Friday 07 February 2003 12:56 am, purushotham.krishnappa@philips.com wrote:
> Hi
>
> The requirement is like this
>
> WebServer ------------ Router/Firewall ------------ client
> 10.60.90.7/8           eth1: 10.60.90.5/8          192.168.10.15
>                        eth0: 192.168.10.5/24
>
> I am not able to connect to the webserver from 192.168.10.5 to 10.60.90.7,
> BUT I can ping 10.60.90.5. I need clients from 192.168.10.0/24 to be able
> to connect only to port 80 on 10.161.90.7.8
>
> # (4) FORWARD chain rules
> # Accept the packets we want to forward
> iptables -A FORWARD -i eth1 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Unless I read your situation wrong, the connections from 192.168.10.x
will be coming in eth0, not eth1. These rules allow any traffic from
10.60.x.y coming in eth1 through, and any EST/REL traffic through either
way. You also need:

iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 10.60.90.5 -j ACCEPT

to allow the DNATted connections through.

j
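To make both replies concrete, here is a small Python model of the packet path through Puru's ruleset, added as an illustration and not code from the thread: it pushes the client's web SYN and its ping through nat PREROUTING, the routing decision and then INPUT or FORWARD, reproducing why the web connection dies (after DNAT the packet is forwarded, so only FORWARD rules see it and none of them matches a NEW connection arriving on eth0) while the ping to 10.60.90.5 is accepted by INPUT. The `fixed` switch appends uniplex's FORWARD rule; all helper names and the sample packets are assumptions.

```python
import ipaddress

# Constructed model of Puru's router: eth1 = 10.60.90.5/8 faces the web server,
# eth0 = 192.168.10.5/24 faces the clients. All helper names are assumed.
LOCAL_ADDRS = {"127.0.0.1", "10.60.90.5", "192.168.10.5"}

def route(dst):
    """Output interface for dst, from the two directly connected networks."""
    return "eth1" if ipaddress.ip_address(dst) in ipaddress.ip_network("10.0.0.0/8") else "eth0"

def prerouting_dnat(pkt):
    """Rule (6): DNAT tcp/80 aimed at the router's eth0 address to the web server."""
    if pkt["proto"] == "tcp" and pkt["dst"] == "192.168.10.5" and pkt.get("dport") == 80:
        return dict(pkt, dst="10.60.90.7")
    return pkt

def input_chain(pkt):
    """Rules (3) that a packet arriving on eth0 can match; policy DROP."""
    if pkt["state"] in ("ESTABLISHED", "RELATED") and pkt["dst"] == "192.168.10.5":
        return "ACCEPT"
    if pkt["proto"] == "tcp" and pkt["in"] == "eth0" and pkt.get("dport") == 80:
        return "ACCEPT"  # chain "okay" accepts the SYN
    if pkt["proto"] == "icmp" and pkt["in"] == "eth0" and pkt.get("icmp_type") in (8, 11):
        return "ACCEPT"  # echo-request / time-exceeded
    return "DROP"

def forward_chain(pkt, fixed):
    """Rules (4); policy DROP. fixed=True appends uniplex's missing rule."""
    # FORWARD sees the post-DNAT destination 10.60.90.7, not 192.168.10.5.
    if pkt["in"] == "eth1":
        return "ACCEPT"
    if pkt["state"] in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if (fixed and pkt["in"] == "eth0" and pkt["out"] == "eth1"
            and pkt["proto"] == "tcp" and pkt.get("dport") == 80):
        return "ACCEPT"
    return "DROP"

def verdict(pkt, fixed=False):
    """Netfilter order: nat PREROUTING -> routing decision -> INPUT or FORWARD."""
    pkt = prerouting_dnat(pkt)
    if pkt["dst"] in LOCAL_ADDRS:
        return "INPUT", input_chain(pkt)
    return "FORWARD", forward_chain(dict(pkt, out=route(pkt["dst"])), fixed)

# Constructed sample packets: the client's web SYN and its ping to the router.
WEB_SYN = {"in": "eth0", "src": "192.168.10.15", "dst": "192.168.10.5",
           "proto": "tcp", "dport": 80, "state": "NEW"}
PING = {"in": "eth0", "src": "192.168.10.15", "dst": "10.60.90.5",
        "proto": "icmp", "icmp_type": 8, "state": "NEW"}
```

`verdict(WEB_SYN)` returns `("FORWARD", "DROP")` under the posted rules and `("FORWARD", "ACCEPT")` with `fixed=True`, while `verdict(PING)` returns `("INPUT", "ACCEPT")`, matching the symptoms in the original post.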