umamaheswari
asked on
iptables
Hi all,
I have a machine with 2 NICs: one (eth1) connected to a server and the other (eth0) to the intranet, just for testing purposes. My iptables file looks like this. I am actually redirecting the HTTP traffic to my machine,
but it isn't working properly. Kindly give me a better script.
# Generated by iptables-save v1.2.5 on Mon Feb 24 01:19:45 2003
*nat
:PREROUTING ACCEPT [6:1112]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.4
COMMIT
# Completed on Mon Feb 24 01:19:45 2003
# Generated by iptables-save v1.2.5 on Mon Feb 24 01:19:45 2003
*mangle
:PREROUTING ACCEPT [6:1112]
:INPUT ACCEPT [3184:911445]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [701:97013]
COMMIT
# Completed on Mon Feb 24 01:19:45 2003
# Generated by iptables-save v1.2.5 on Mon Feb 24 01:19:45 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1 -j DROP
-A INPUT -d 10.255.255.255 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 10.255.240.100 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
-A bad_packets -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 53 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Mon Feb 24 01:19:45 2003
Thank you.
Uma.
Or, if you find this too complicated, try using a tool for easily generating iptables firewall scripts:
This is a very good tool written in Tcl for manipulating iptables rules
http://freshmeat.net/projects/easytables/?topic_id=43%2C151
Regards
Good script -> http://majorwoo.dynup.net:1024/pub/rc.firewall
Modify the IPs to fit your network and change the commented-out section about Diablo to forward port 80 for HTTP instead of 4000.
If you get stuck, let me know.
ASKER
Hi all,
I am just learning the basics. I accept your comments. My problem is this: I have one card (eth0) connected to the server, and the other to another machine. There is no other way to reach the server but through my machine. All are in the same network. eth0 IP 192.168.2.68 and eth1
192.168.2.69. I want all the traffic to the server redirected to an application running on my machine, for testing purposes.
Thank you,
Uma.
What type of traffic? HTTP?
ASKER
Yes, HTTP traffic only.
umamaheswari:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $INTERNAL_MACHINE_IP:80
Regards
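Added example, not part of this thread: a small Python tracer that runs a client's HTTP SYN through an excerpt of Uma's iptables-save dump in the order the kernel applies it (nat PREROUTING, then the routing decision, then the filter chains) to show why the REDIRECT rule on its own is not enough. It assumes the interface roles from the follow-up (eth0 192.168.2.68 towards the server, eth1 192.168.2.69 towards the client), constructed client and server addresses (192.168.2.50 and 192.168.2.10), a hypothetical FIX_RULE, and only the subset of iptables options that appear in the dump; the trailing no-op RETURN rules of the user chains are left out of the excerpt.

```python
"""Trace a client's HTTP SYN through an iptables-save ruleset (a subset of options)."""
import shlex

LOCAL_IPS = {"eth0": "192.168.2.68", "eth1": "192.168.2.69"}   # from Uma's follow-up

# Excerpt of the asker's dump: the chains a port-80 SYN arriving on eth1 can reach
# (trailing no-op RETURN rules omitted).
ASKER_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:tcp_inbound - [0:0]
-A INPUT -j bad_packets
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""
# Hypothetical fix: after REDIRECT the filter sees dport 8080 arriving on the client side.
FIX_RULE = "-A INPUT -i eth1 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT"
FIXED_DUMP = ASKER_DUMP.replace("-A INPUT -j LOG", FIX_RULE + "\n-A INPUT -j LOG")

def parse_rule(tokens):
    """'-A chain ...' tokens -> {chain, target, match: {opt: (value, negated)}, opts}."""
    rule, neg, i = {"match": {}, "opts": {}}, False, 0
    while i < len(tokens):
        tok, n = tokens[i], 2
        if tok == "!":                             # negates the criterion that follows
            neg, n = True, 1
        elif tok in ("-A", "-j"):
            rule["chain" if tok == "-A" else "target"] = tokens[i + 1]
        elif tok == "--tcp-flags":                 # two arguments: MASK COMPARE
            rule["match"][tok], neg, n = ((tokens[i + 1], tokens[i + 2]), neg), False, 3
        elif tok in ("-i", "-p", "-d", "--dport", "--state"):
            rule["match"][tok], neg = (tokens[i + 1], neg), False
        elif tok in ("--to-ports", "--log-prefix"):
            rule["opts"][tok] = tokens[i + 1]
        elif tok != "-m":                          # -m only loads a match module
            raise ValueError(f"unsupported option {tok!r}")
        i += n
    return rule

def parse(dump):
    """iptables-save text -> {table: {"policy": {chain: policy}, "rules": {chain: [rule]}}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            table["policy"][name], table["rules"][name] = policy, []
        elif line.startswith("-A"):
            rule = parse_rule(shlex.split(line))
            table["rules"][rule["chain"]].append(rule)
    return tables

def matches(rule, pkt):
    """True when every criterion on the rule, honouring '!', fits the packet."""
    for opt, (val, neg) in rule["match"].items():
        if opt == "--tcp-flags":                   # compare only the bits named in MASK
            mask, comp = (set(x.split(",")) for x in val)
            hit = pkt["proto"] == "tcp" and (pkt["flags"] & mask) == comp
        elif opt == "--state":
            hit = pkt["state"] in val.split(",")
        else:
            field = {"-i": "in", "-p": "proto", "-d": "dst", "--dport": "dport"}[opt]
            hit = str(pkt[field]) == val
        if hit == neg:
            return False
    return True

def walk(table, chain, pkt, trace):
    """Walk one chain; return a terminating target, or None when the chain falls through."""
    for rule in table["rules"][chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append(f"{chain}:{target}")
        if target == "REDIRECT":      # dst becomes the arrival interface's primary address
            pkt["dst"], pkt["dport"] = LOCAL_IPS[pkt["in"]], int(rule["opts"]["--to-ports"])
        if target in table["rules"]:               # user-defined chain
            target = walk(table, target, pkt, trace)
        if target == "RETURN":
            return None
        if target not in (None, "LOG"):            # ACCEPT / DROP / REDIRECT terminate
            return target
    return None

def trace_syn(dump, pkt):
    """Return (verdict, trace) for a SYN; NAT works on a copy of the packet."""
    tables, trace, pkt = parse(dump), [], dict(pkt)
    walk(tables["nat"], "PREROUTING", pkt, trace)
    chain = "INPUT" if pkt["dst"] in LOCAL_IPS.values() else "FORWARD"
    trace.append(f"route:{pkt['dst']}:{pkt['dport']}->{chain}")
    verdict = walk(tables["filter"], chain, pkt, trace) or tables["filter"]["policy"][chain]
    return verdict, trace

# Constructed: a client behind eth1 opening a connection to the server's port 80.
CLIENT_SYN = {"in": "eth1", "src": "192.168.2.50", "dst": "192.168.2.10",
              "proto": "tcp", "dport": 80, "flags": {"SYN"}, "state": "NEW"}

if __name__ == "__main__":
    for dump in (ASKER_DUMP, FIXED_DUMP):
        print(*trace_syn(dump, CLIENT_SYN))
```

What the trace shows: REDIRECT rewrites the destination to 192.168.2.69:8080 before the filter table runs, so INPUT sees port 8080 arriving on eth1, which none of Uma's rules accept (tcp_inbound only accepts port 80, and only for eth0), and the INPUT policy DROP wins; one rule accepting 8080 on the client-side interface (FIX_RULE) turns the verdict into ACCEPT. Two things the tracer does not model: the box only sees the client's SYN at all if it is really on the path, which with both NICs in the same /24 means IP forwarding plus proxy ARP (or a bridge) for the non-HTTP traffic, and the POSTROUTING SNAT to 192.168.2.4 rewrites forwarded traffic to an address that belongs to neither NIC, so replies would not return to the box; use the eth0 address or drop that rule.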