
Solved

iptables

Posted on 2003-02-23
Last Modified: 2008-03-10
Hi all,

I have a machine with 2 NICs: one (eth1) connected to a server and the other (eth0) to the intranet. Just for testing purposes. My iptables file looks like this. I am actually redirecting the HTTP traffic to my machine, but it isn't working properly. Kindly give me a better script.

# Generated by iptables-save v1.2.5 on Mon Feb 24 01:19:45 2003
*nat
:PREROUTING ACCEPT [6:1112]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.4
COMMIT
# Completed on Mon Feb 24 01:19:45 2003
# Generated by iptables-save v1.2.5 on Mon Feb 24 01:19:45 2003
*mangle
:PREROUTING ACCEPT [6:1112]
:INPUT ACCEPT [3184:911445]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [701:97013]
COMMIT
# Completed on Mon Feb 24 01:19:45 2003
# Generated by iptables-save v1.2.5 on Mon Feb 24 01:19:45 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1 -j DROP
-A INPUT -d 10.255.255.255 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP " 
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP " 
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 10.255.240.100 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP " 
-A bad_packets -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP " 
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP " 
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 53 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Mon Feb 24 01:19:45 2003


Thank you.
Uma.
Question by:umamaheswari
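A way to find out which chain is dropping the redirected requests, added here as an example rather than anything posted in the thread: the ruleset above logs every drop with a prefix of the form "fp=<chain>:<n> a=DROP", and the netfilter LOG target appends IN=, PROTO= and DPT= fields after that prefix. The script below parses such lines and counts drops per chain and destination port. The four log lines are constructed for the example (host name, MAC addresses, IDs and source ports are made up); the 192.168.2.80 server address is an assumption.

```shell
#!/bin/sh
# Added example, not from the original question: triage the kernel log lines
# written by the LOG rules in the ruleset ("fp=<chain>:<n> a=DROP ...").
# SAMPLE_LOG is constructed in the format of the netfilter LOG target.
SAMPLE_LOG='Feb 24 01:20:01 fw kernel: fp=INPUT:99 a=DROP IN=eth1 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=192.168.2.10 DST=192.168.2.68 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=34567 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 24 01:20:04 fw kernel: fp=INPUT:99 a=DROP IN=eth1 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=192.168.2.10 DST=192.168.2.68 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=34567 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 24 01:20:09 fw kernel: fp=FORWARD:99 a=DROP IN=eth1 OUT=eth0 SRC=192.168.2.10 DST=192.168.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=34570 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 24 01:20:11 fw kernel: fp=bad_tcp_packets:1 a=DROP IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:77:88:99:08:00 SRC=192.168.2.5 DST=192.168.2.68 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4714 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0'

# Read LOG lines on stdin and print "chain proto in_iface dst_port" for
# every packet that was dropped. Lines without an fp= prefix are ignored.
drop_tuples() {
    awk '
        / fp=[A-Za-z_]+:[0-9]+ a=DROP / {
            chain = "?"; proto = "?"; in_if = "?"; dpt = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^fp=/)         { split(substr($i, 4), p, ":"); chain = p[1] }
                else if ($i ~ /^IN=/)    in_if = substr($i, 4)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            print chain, proto, in_if, dpt
        }'
}

# Count packets that chain $1 dropped with destination port $2 (stdin = log).
# The REDIRECT in nat/PREROUTING rewrites dport 80 to 8080 before the filter
# INPUT chain runs, so redirected requests appear here as INPUT drops with
# DPT=8080, and an INPUT rule that only accepts --dport 80 never matches them.
count_drops() {
    drop_tuples | awk -v c="$1" -v p="$2" '$1 == c && $4 == p { n++ } END { print n + 0 }'
}

# Helpers bound to the constructed sample so the functions can be exercised
# without a live log; on a real box feed /var/log/messages (or dmesg) instead.
sample_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_drops "$1" "$2"
}

sample_summary() {
    printf '%s\n' "$SAMPLE_LOG" | drop_tuples | sort | uniq -c | sort -rn
}
```

Running sample_summary lists the drops grouped by chain, protocol, inbound interface and port; sample_count INPUT 8080 isolates the redirected HTTP connections, which is the figure to watch after changing the INPUT rules.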
11 Comments
 
LVL 4

Expert Comment

by:Jivko
ID: 8006956
For port forwarding you need only two lines:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $INTERNAL_MACHINE_IP:80

Regards
 
LVL 4

Expert Comment

by:Jivko
ID: 8006972
Or, if this is too complicated for you, try using a tool for easily generating iptables firewall scripts.

This is a very good tool written in Tcl for manipulating iptables rules:
http://freshmeat.net/projects/easytables/?topic_id=43%2C151

Regards
 
LVL 9

Expert Comment

by:majorwoo
ID: 8013090
Good script -> http://majorwoo.dynup.net:1024/pub/rc.firewall

Modify the IPs to fit your network and change the commented-out section about Diablo to forward port 80 for HTTP instead of 4000.

If you get stuck, let me know.
 
LVL 4

Accepted Solution

by: Jivko (earned 100 total points)
ID: 8014618
So..?
 

Author Comment

by:umamaheswari
ID: 8022849
Hi all,

I am just learning the basics. I accept your comments. My problem is this: I have one card (eth0) connected to the server, and the other to another machine. There is no other way to reach the server but through my machine. All are in the same network. eth0 IP 192.168.2.68 and eth1 192.168.2.69. I want all the traffic to the server redirected to an application running in my machine. A testing purpose.

Thank you,
Uma.
 
LVL 4

Expert Comment

by:Jivko
ID: 8023633
What type of traffic? HTTP?
 

Author Comment

by:umamaheswari
ID: 8024068
Yes, HTTP traffic only.
 
LVL 9

Assisted Solution

by: majorwoo (earned 100 total points)
ID: 8025227
As this person already said (well, almost):

Enter the IP of the machine you want HTTP sent to, like I show below, and it will send all HTTP from your server that comes in on eth0 to the internal machine (you need to enter the machine's IP, not the IP of the server on eth1).

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <machine to redirect to here>:80
/sbin/iptables -A FORWARD -p tcp --dport 80 -i eth0 -j ACCEPT
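The two approaches in this thread do different things: the question's dump uses REDIRECT, which delivers the HTTP request to an application on the firewall itself, while Jivko's and majorwoo's answers use DNAT, which hands it to another host and therefore goes through FORWARD instead of INPUT. The script below is an added example, not a script posted by anyone in the thread; it builds both rulesets with the interfaces and addresses from the question (eth1 = 192.168.2.69 toward the client machine, eth0 = 192.168.2.68 toward the server, local application on port 8080). The DNAT target address passed to port_forward is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not a script posted in the thread. Builds the REDIRECT
# ruleset the question wants and the DNAT ruleset the answers describe.
# Set IPT=echo and SYSCTL=echo to print the commands instead of applying them.

IPT="${IPT:-/sbin/iptables}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"
CLIENT_IF="${CLIENT_IF:-eth1}"     # interface the HTTP requests arrive on
SERVER_IF="${SERVER_IF:-eth0}"     # interface toward the real web server
LOCAL_PORT="${LOCAL_PORT:-8080}"   # port the local test application listens on

# Case 1, the question's goal: answer HTTP that was addressed to the server
# with an application on this box. REDIRECT in nat/PREROUTING rewrites the
# destination to the box's own address on LOCAL_PORT before routing, so the
# packet is delivered locally and traverses filter/INPUT with dport
# LOCAL_PORT, not 80. An INPUT rule accepting --dport 80 never sees it;
# INPUT must accept LOCAL_PORT on the client-facing interface.
transparent_redirect() {
    $IPT -t nat -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$LOCAL_PORT"
    $IPT -A INPUT -i "$CLIENT_IF" -p tcp --dport "$LOCAL_PORT" \
        -m state --state NEW -j ACCEPT
    # later segments of the redirected connection
    $IPT -A INPUT -i "$CLIENT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Case 2, what the answers describe: hand HTTP to another host ($1) behind
# SERVER_IF. DNAT changes the destination, routing sends the packet out
# SERVER_IF, so it traverses FORWARD (policy DROP in the question's dump) and
# FORWARD must accept it in both directions; IP forwarding must be enabled.
port_forward() {
    target="$1"
    $IPT -t nat -A PREROUTING -i "$CLIENT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$target:80"
    $IPT -A FORWARD -i "$CLIENT_IF" -o "$SERVER_IF" -p tcp -d "$target" --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$SERVER_IF" -o "$CLIENT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $SYSCTL -w net.ipv4.ip_forward=1
}

# After applying, the packet counters of these rules should move when a
# client fetches http://<server>/; a zero counter on the INPUT or FORWARD
# rule while the PREROUTING counter grows means the filter rule is wrong.
show_counters() {
    $IPT -t nat -L PREROUTING -v -n
    $IPT -L INPUT -v -n
    $IPT -L FORWARD -v -n
}

case "${1:-}" in
    redirect) transparent_redirect ;;
    forward)  port_forward "${2:?usage: $0 forward <target-ip>}" ;;
    show)     show_counters ;;
esac
```

Compared with the question's dump, the REDIRECT is limited to the client-facing interface with -i, so HTTP arriving from the server side is not caught, and INPUT accepts the post-redirect port rather than port 80. The nat PREROUTING rule is always evaluated before the filter INPUT rule, which is why the dump's tcp_inbound --dport 80 rule does not cover the redirected connections. The dump's unconditional SNAT of everything leaving eth0 to 192.168.2.4 is not needed for either case and is left out.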
 

Expert Comment

by:CleanupPing
ID: 9077792
umamaheswari:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
