Linux Netfilter discussions
* iptables port forwarding to tun0 device
@ 2007-06-06 13:45 Yaniv Fine
  2007-06-10 14:25 ` Jorge Davila
  0 siblings, 1 reply; 3+ messages in thread
From: Yaniv Fine @ 2007-06-06 13:45 UTC (permalink / raw)
  To: netfilter


Hi experts,

I have the following configuration:
eth0 = 10.90.20.3/24
tun0 = 172.16.10.x/24

eth0 is configured as the WAN interface.
eth1/tun0 are the LAN interfaces.
tun0 network: 172.16.10.200 => web server
Inside my tun0 network there is a web server I need to manage from the outside
world (eth0; it can also be restricted to a specific IP address).
I am trying to find a way to enable this using port forwarding.
Can someone please help me modify my current iptables rules?




#!/bin/sh
# Firewall script as posted: host firewall (INPUT chain), masquerading on the
# WAN interface and a FORWARD block on eth1. It contains no nat/PREROUTING
# DNAT rule, which is what port forwarding to the web server requires.
IPTABLES="/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

#Flush all rules
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

#Set default behaviour
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow related, established and ssh on $EXTIF. Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 --syn -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j REJECT

#Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

#Allow http and https on other interfaces (input).
#This is only needed if authentication server is on same server as chilli
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT

#Allow 3990 on other interfaces (input).
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

#Allow ICMP echo on other interfaces (input).
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
# This means that access points can only be managed from ChilliSpot
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

#Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE


thank you !




* Re: iptables port forwarding to tun0 device
  2007-06-06 13:45 iptables port forwarding to tun0 device Yaniv Fine
@ 2007-06-10 14:25 ` Jorge Davila
  2007-06-10 14:29   ` Yaniv Fine
  0 siblings, 1 reply; 3+ messages in thread
From: Jorge Davila @ 2007-06-10 14:25 UTC (permalink / raw)
  To: Yaniv Fine, netfilter

Yaniv:

Since the tun device is created, you can reference it as just another network
interface and configure the iptables rules as normal.

Hope this helps,

Jorge Davila.

Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com



* Re: iptables port forwarding to tun0 device
  2007-06-10 14:25 ` Jorge Davila
@ 2007-06-10 14:29   ` Yaniv Fine
  0 siblings, 0 replies; 3+ messages in thread
From: Yaniv Fine @ 2007-06-10 14:29 UTC (permalink / raw)
  To: Jorge Davila; +Cc: netfilter




My tun0 device is configured with eth1,
so in my iptables rules do I need to point the forward rules to eth1 instead
of tun0?





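The DNAT rules the thread is asking for, covering both the original question (forward port 80 from eth0 to the web server on tun0, restricted to chosen sources) and the follow-up about whether the rules should name eth1 or tun0. This is an added example, not code from the thread or from ChilliSpot. It assumes the WAN address 10.90.20.3 and the web server 172.16.10.200 from the first message, port 80, and two constructed allowed-source addresses (203.0.113.0/24 and 198.51.100.7); all can be overridden through the environment. The script prints the iptables commands instead of running them, so the rule set can be reviewed (and tested) without root.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT port forward from the WAN side to
# a web server reached over tun0, restricted to an allowed-source list.
# Assumed values: eth0 = 10.90.20.3 (from the thread), web server
# 172.16.10.200:80 on tun0 (from the thread), and allowed sources
# 203.0.113.0/24 and 198.51.100.7 (documentation ranges, constructed here).

IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="${EXTIF:-eth0}"          # WAN interface, where connections arrive
TUNIF="${TUNIF:-tun0}"          # netdev the kernel routes 172.16.10.0/24 through
WAN_IP="${WAN_IP:-10.90.20.3}"
WEB_IP="${WEB_IP:-172.16.10.200}"
WEB_PORT="${WEB_PORT:-80}"
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.0/24 198.51.100.7}"   # space separated

# Emit the commands instead of executing them: review first, then apply with
# "gen_port_forward | sh -e" (or "sh this_script.sh apply") as root.
gen_port_forward() {
    # Without forwarding enabled the DNATed packet is discarded after routing.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Packets of connections already accepted (both directions, including the
    # replies from the web server) ride on their conntrack entry.
    echo "$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in $ALLOWED_SRC; do
        # 1. nat/PREROUTING: rewrite the destination before the routing
        #    decision. Matching -s here means unlisted sources are never
        #    DNATed; they reach the host's own INPUT chain and are rejected
        #    there by the posted script's "-i eth0 -j REJECT" rule.
        echo "$IPTABLES -t nat -A PREROUTING -i $EXTIF -s $src -p tcp -d $WAN_IP --dport $WEB_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT"
        # 2. filter/FORWARD runs after DNAT, so match the rewritten destination
        #    and the device the packet leaves on. That is tun0, not eth1, even
        #    when the tunnel is carried over eth1: netfilter matches the netdev
        #    the forwarded packet is queued to, and the encapsulated copy that
        #    later leaves eth1 is a separate, locally generated packet.
        echo "$IPTABLES -A FORWARD -i $EXTIF -o $TUNIF -s $src -p tcp -d $WEB_IP --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    # 3. Everything else from the WAN towards the tunnel is dropped explicitly,
    #    so the outcome does not depend on the FORWARD chain's policy.
    echo "$IPTABLES -A FORWARD -i $EXTIF -o $TUNIF -j DROP"
}

# Number of DNAT rules generated: one per allowed source.
count_dnat_rules() {
    gen_port_forward | grep -c -- '-j DNAT'
}

if [ "${1:-}" = "apply" ]; then
    gen_port_forward | sh -e        # needs root
else
    gen_port_forward                # dry run: print the rules
fi
```

Run it after the posted script (which flushes all tables), then change the posted `-P FORWARD ACCEPT` to `DROP` so that the explicit ACCEPT rules above are the only thing permitting forwarded traffic. Check the result with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v`: the packet counters on the DNAT and `-o tun0` rules should advance for a connection from an allowed address and stay at zero for one from anywhere else. Naming eth1 instead of tun0 in these rules would leave them unmatched, for the same reason that the posted `-A FORWARD -o eth1 -j DROP` does not affect traffic forwarded into the tunnel.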
