Additional Help! - Rule in IPTables
menonrr at jmu.edu
Tue Sep 28 20:20:40 UTC 2004
Hello,
Thank you, Mr. Kindermann, for the big help. I have included the
rules I tried to implement below. I would need some more help
to succeed.
Problem:
1) I cannot access internet from the internal network
192.168.1.0/24, once the rules are implemented on the GW along
with the MASQUERADING rule. I could access the internet only
with the Masquerade rule.
2) The GW can access internet.
3) I would like to enable NEW/ESTABLISHED/RELATED connection
for outgoing/incoming traffic from internal network
172.16.4.0/24 also.
IPTABLE RULES
---------------
# Allow loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
-------------------------------------------------
# Allow access between home network and firewall
# eth0 is internal interface, 192.168.1.10
# allow ingress through eth0
$IPTABLES -A INPUT -p all -s 0/0 -i eth0 -j ACCEPT
#allow egress through eth0
iptables -A OUTPUT -p all -d 0/0 -o eth0 -j ACCEPT
-----------------------------------------------------
# Allow forwarding rules,eth1 is external interface
#Allow gateway to access internet
#OUT
iptables -A OUTPUT -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#IN
#$IPTABLES -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
----------------------------------------------------------
#Internal Network 192.168.1.0/24
#egress to internet from 192.168.1.0 network
iptables -A FORWARD -o eth1 -s 192.168.1.0/24 -m state --state NEW,ESTABLISHED,RELATED
#ingress from internet to 192.168.1.0 network
iptables -A FORWARD -i eth1 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED
----------------------------------------------------------
# Turn on NAT {IP Forwarding}
$IPTABLES -A POSTROUTING -t nat -o eth1 -j MASQUERADE
----------------------------------------------------
----------------------------------------------------
Additionally: if total access has to be given to the 172.16.4.0
network (IN/OUT), would these rules work?
#egress to internet from 172.16.4.0 network
iptables -A FORWARD -o eth1 -s 172.16.4.0/24 -m state --state NEW,ESTABLISHED,RELATED
#ingress from internet to 172.16.4.0 network
iptables -A FORWARD -i eth1 -d 172.16.4.0/24 -m state --state NEW,ESTABLISHED,RELATED
Thank you for the fast response and help.
Menon
---- Original message ----
>Date: Tue, 28 Sep 2004 20:01:53 +0200
>From: Volker Kindermann <ml at ps102.de>
>Subject: Re: Pls Help - Rule in IPTables
>To: General Red Hat Linux discussion list <redhat-list at redhat.com>
>Cc: menonrr at jmu.edu
>
>Hello Menon,
>
>
>> I would like to configure the IPTables so that no new
>> connection can be established from outside to the Gateway.
>>
>> Network set up: Internet ---- ||eth1 |134.public-IP "Gateway"
>> 192.168.1.10 |eth0 ||----- inside
>
>I would suggest that you block all by default and then open
>the firewall with the rules you need.
>
>Something like (only fragments shown):
>
>$IPTABLES -P OUTPUT DROP
>$IPTABLES -P INPUT DROP
>$IPTABLES -P FORWARD DROP
>
>$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>And then add the rules for allowed traffic. This way everything not
>explicitly allowed is forbidden by default.
>
> -volker
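Editor's added example, not code from either mail in this thread: a complete default-deny ruleset for the topology described above (eth0 inside, 192.168.1.0/24; eth1 outside with the public address), extended to the second inside network 172.16.4.0/24, together with a small lint for the defect that is easy to miss in the posted rules. The four FORWARD rules posted above end at `--state ...` with no `-j ACCEPT`; a rule without a target matches and then does nothing, so the packet falls through to the chain policy, and with Volker's `-P FORWARD DROP` that means the inside network is cut off while the gateway itself (covered by its own OUTPUT rule) still works. The function names, the `IPT` variable and the choice to put 172.16.4.0/24 behind eth0 as well are assumptions of this example; the mail does not say which interface that network is on.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Assumptions: eth0 carries both
# inside networks, eth1 is the public interface, IPT/emit_ruleset/lint_rules
# are names chosen here. Set IPT=iptables (default) to apply as root, or pass
# 'echo iptables' as the first argument to print the rules instead.
IPT=${IPT:-iptables}

emit_ruleset() {
    ipt=${1:-$IPT}
    # Clean slate, then deny everything that is not explicitly allowed.
    $ipt -F
    $ipt -t nat -F
    $ipt -P INPUT DROP
    $ipt -P OUTPUT DROP
    $ipt -P FORWARD DROP

    # Loopback.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to connections already accepted, in every chain. After this,
    # the remaining rules only have to decide who may open NEW connections.
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The gateway itself: inside hosts may reach it, it may go out anywhere.
    # Nothing accepts NEW on eth1 in INPUT, so the outside cannot open a
    # connection to the gateway; those packets hit the DROP policy.
    $ipt -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    $ipt -A INPUT -i eth0 -s 172.16.4.0/24 -m state --state NEW -j ACCEPT
    $ipt -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
    $ipt -A OUTPUT -o eth1 -m state --state NEW -j ACCEPT

    # Forwarding: each inside network may open connections to the internet.
    # Matching -i eth0 together with -s keeps a packet that arrives on eth1
    # with a forged inside source address from being forwarded.
    for net in 192.168.1.0/24 172.16.4.0/24; do
        $ipt -A FORWARD -i eth0 -o eth1 -s "$net" -m state --state NEW -j ACCEPT
    done
    # No rule accepts NEW in FORWARD from eth1: inbound is reply traffic only.

    # Hide both inside networks behind the public address on eth1.
    # Forwarding itself is a sysctl, not a rule: net.ipv4.ip_forward=1.
    $ipt -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
    $ipt -t nat -A POSTROUTING -o eth1 -s 172.16.4.0/24 -j MASQUERADE
}

# Lint: print every -A/-I rule that carries no -j target. Such a rule matches
# and does nothing, so the packet falls through to the chain policy.
# Reads rule lines on stdin; exit status is always 0.
lint_rules() {
    awk '/^([$]IPTABLES|iptables) / && / -(A|I) / && !/ -j /'
}

# The four forwarding rules from the mail above, unwrapped onto one line each
# (constructed input for the linter; the rules are quoted, not re-typed).
MAIL_FORWARD_RULES='iptables -A FORWARD -o eth1 -s 192.168.1.0/24 -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -i eth1 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -o eth1 -s 172.16.4.0/24 -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -i eth1 -d 172.16.4.0/24 -m state --state NEW,ESTABLISHED,RELATED'

# Dry run: print the corrected ruleset, then show which posted rules lack a target.
emit_ruleset 'echo iptables'
echo "posted forwarding rules without a -j target:"
printf '%s\n' "$MAIL_FORWARD_RULES" | lint_rules
```

Two things the example deliberately does not do: it does not accept NEW connections from eth1 into either inside network, because behind MASQUERADE those hosts have no public address to be reached at anyway (that needs a DNAT rule in PREROUTING plus a matching FORWARD accept for the one service exposed), and it does not open the gateway to the outside at all, which is what the original question asked for.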