Old 01-01-2009, 10:40 PM
Alex Samad
 
iptables problem with two different subnets

On Thu, Jan 01, 2009 at 11:42:58PM +0100, itom wrote:
> Hi all, with iptables I've created
> this script (see below or here http://pastebin.com/m416d8f6d)
> for this specific situation:
> http://img33.picoodle.com/img/img33/3/1/1/f_lanm_1233f0a.jpg
>
> In the eth2 LAN it works as I wish, because PCs can access the internet only
> through the proxy at port 8080; the problem is in eth1, where I want to
> access it directly using NAT and grant some services on specific ports
> (21, 22, 110, etc.)

Just so I understand what you are asking:

you have blocked all access from eth1 to the internet (eth0); currently
you have http/https via port 8080, but you would also like ftp/ssh/imap
and maybe others.

Comments inline below.

>
> thanks in advance
>
> .... iptables script ....
> #!/bin/bash
>
> # delete all existing rules.
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
>
> # DEFAULT policies
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
>
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> #iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> # alternative
> iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

I would open this up to

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


This will not allow any new connection through, but would not allow
connections from eth1 to eth0 (presuming this was the only line and drop
was the default)

then I would add

iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

or

iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT
(depending on how pedantic you want to be, I usually use the first)

So this will allow the tcp protocol on port 22 to be established.
You probably only want this on the way out and not on the way in, so


iptables -A FORWARD -p tcp -o eth0 --dport 22 -j ACCEPT

Remember that packets which are being forwarded, i.e. from eth1 to the internet,
do not hit the INPUT chain (nor the OUTPUT chain), just the FORWARD
chain.

You can do the same for the other ports/protocols that you want.

Also, it may be a good idea to finish each chain with

-j LOG (or -j ULOG)
-j DROP (or what ever default you want for each chain).

I prefer explicit rules at the end of each chain instead of using the
built-in one, mainly for documentation.



[snip]

>

--
"I understand there's a suspicion that we -- we're too security-conscience."

- George W. Bush
04/14/2005
Washington, DC
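An added example (not from the original thread) of a FORWARD-chain script following the advice above: accept ESTABLISHED,RELATED, allow new connections only out of eth1 towards eth0 on the wanted TCP ports, then LOG and DROP explicitly at the end of the chain. The interface names and the port list are assumptions taken from the thread; by default the script only prints the rules it would add.

```shell
#!/bin/sh
# Added example, not from the original thread: the FORWARD-chain rules for the
# eth1 LAN -> eth0 (internet) path, following the reply above. Interface names
# and the port list (21, 22, 110) are assumptions taken from the thread.
LAN_IF=eth1
WAN_IF=eth0
ALLOWED_TCP_PORTS="21 22 110"

# Command used to apply each rule; "echo" turns the script into a dry run.
IPT="${IPT:-iptables}"

forward_rules() {
    # Replies to already-accepted connections, in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections only from the LAN side towards the internet, and only
    # to the listed TCP ports (outbound only, as the reply suggests).
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport "$port" -j ACCEPT
    done
    # Explicit end-of-chain rules rather than relying on the built-in policy:
    # rate-limited LOG so a flood of drops cannot fill the logs, then DROP.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -j DROP
}

# Dry run: returns the rules as text without touching the kernel.
render_rules() {
    ( IPT=echo; forward_rules )
}

# Apply only when APPLY=1 (needs root); otherwise show what would be added.
if [ "${APPLY:-0}" = 1 ]; then forward_rules; else render_rules; fi
```

Run it as `APPLY=1 sh forward.sh` once the printed rules look right; the script deliberately does not flush the chain, so combine it with the reset lines from the original script.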