IPTABLES Time Limits

Alexey Fadyushin fab at s-tunnel.com
Sun Sep 26 17:11:07 UTC 2004


I think that the easiest way to use time dependent iptables 
configuration is to prepare several configuration files and restart 
iptables from a cron job placing the configuration file which should be 
used at that time in /etc/sysconfig/iptables.

To redirect packets sent to/from specific ports on the server in your 
internal network you should use PREROUTING and POSTROUTING chains in the 
NAT table. For example:

# nat table: rewrite the destination of inbound connections to port 1234
-A PREROUTING -d 172.20.20.20 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 10.0.0.1

# nat table: rewrite the source of the replies so they appear to come from the router
-A POSTROUTING -s 10.0.0.1 -p tcp -m tcp --sport 1234 -j SNAT --to-source 172.20.20.20

should redirect any packets sent to the TCP port 1234 at the address 
172.20.20.20 (the external address of your router, Cisco should redirect 
packets to this address) to the same port on the computer 10.0.0.1 (in 
the internal network). The second line processes the packets flowing on 
that connection in reverse direction.

Alexey Fadyushin
Brainbench MVP for Linux.
http://www.brainbench.com
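As an added illustration of the cron-driven approach above (this is example code, not part of the original post), a small POSIX shell script that picks one of several prepared rule files by weekday and hour and installs it as /etc/sysconfig/iptables; the file names, the access window and the restart command are assumptions.

```shell
#!/bin/sh
# Added example: select a prepared iptables rule set by time of day and
# install it when it differs from the one in place.  Assumed layout:
#   /etc/sysconfig/iptables.open    rules that allow outbound access
#   /etc/sysconfig/iptables.closed  rules that block it
# Suggested (hypothetical) crontab lines, run at each window boundary:
#   0 8  * * 1-6  /usr/local/sbin/iptables-timeswitch --apply
#   0 13 * * 6    /usr/local/sbin/iptables-timeswitch --apply
#   0 18 * * 1-5  /usr/local/sbin/iptables-timeswitch --apply
RULES_DIR=${RULES_DIR:-/etc/sysconfig}
TARGET=${TARGET:-/etc/sysconfig/iptables}

# Print "open" if access is allowed at weekday $1 (0=Sunday..6=Saturday)
# and hour $2 (0-23, leading zero allowed), otherwise "closed".
# Assumed policy: Mon-Fri 08:00-17:59 and Sat 08:00-12:59 are open.
pick_ruleset() {
    day=$1
    hour=${2#0}                 # "08" -> "8", "00" -> "0"
    [ -n "$hour" ] || hour=0    # "0" -> "" -> 0
    case "$day" in
        1|2|3|4|5)
            [ "$hour" -ge 8 ] && [ "$hour" -lt 18 ] && { echo open; return 0; } ;;
        6)
            [ "$hour" -ge 8 ] && [ "$hour" -lt 13 ] && { echo open; return 0; } ;;
    esac
    echo closed
}

# Copy the chosen file over $TARGET and restart the service, but only when
# the content actually changes, so cron does not flush connection tracking
# state every time it fires.  "service iptables restart" is the Red Hat
# init script of the era; adjust for your distribution.
apply_ruleset() {
    src="$RULES_DIR/iptables.$1"
    [ -r "$src" ] || { echo "missing rule set: $src" >&2; return 1; }
    if cmp -s "$src" "$TARGET"; then
        return 0
    fi
    cp "$src" "$TARGET" && /sbin/service iptables restart
}

if [ "${1-}" = "--apply" ]; then
    apply_ruleset "$(pick_ruleset "$(date +%w)" "$(date +%H)")"
fi
```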



karlp at ourldsfamily.com wrote:
> I spent much of Friday night and today setting up my network preparatory
> to filtering.
> 
> I installed a second NIC in my server, changed its IP address to
> 10.0.0.1, which was my Cisco router's IP before the change. The Cisco is
> now 172.20.20.1 and the second NIC on my server is 172.20.20.2.
> 
> I've looked at Squid and am overwhelmed, but have an iptables script that
> works just fine for IP traffic forwarding, so the network is functioning
> as it did before the change. I had to set up DHCP for an XP Pro PC that
> wasn't working.
> 
> 2 questions:
> 
> 1. I want to be able to give access to the internet during certain hours
> of the day for some PCs on the network and close down outbound access
> during after-hours and part of the weekend. Can I do these time
> restrictions?
> 
> 2. What would the best method be of using NAT on the server? The Cisco
> already does NAT, but the parts of it that translate to the 10.0.0.0
> network now fail. All the services that are translated to the server work
> fine. That's because it's on the same subnet as the Cisco (172.20.20.0).
> 
> Topology of NAT looks like this:
> 
> 172.20.20.2 25 198.60.114.90 25 tcp    < still works
> 172.20.20.2 80 198.60.114.90 80 tcp    < still works
> 
> 10.0.0.2 10001 198.60.114.90 10000 tcp < Webmin to another 'server' fails
> 10.0.0.20 5900 198.60.114.90 5900 tcp  < VNC to a laptop fails
> 
> I'm thinking that I would need to set up the Cisco to direct those ports to
> the server and then some iptables rules that redirect those ports to the
> internal IP addresses.
> 
> Help?
> 
> --
> Karl Pearson
> karlp at ourldsfamily.com
> http://consulting.ourldsfamily.com
> http://emailgroups.ourldsfamily.com
>  If you don't think the dead come back to life, Be here at quitting time
>  --
>  My Thoughts on Terrorism In America: http://www.ourldsfamily.com/wtc.shtml
>  --
>  A right is not what someone gives you; it's what no one can take from you.
>  -- Ramsey Clark
> 
> 
> 
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list