Re: 2 nic setup for firewall machine
Benedict Verheyen wrote:
> Hello,
>
> I have included the changes suggested by Jason and Sven.
> The end result is below. It might be interesting for other people
> who have a similar setup.
>
> It's basically the same script with these changes:
> * I changed the internal_in rules to include imap and smtp
> * added an internal_out rule to OUTPUT to allow imap, dhcp and
> smtp from the firewall to the lan
> * removed 4 forward rules and added port 443
>
> One thing that I'm not sure about is the internal_out rule. I've changed
> the ports on the rule like this:
> $IPT -A internal_out -p udp --sport 68 --dport 67 -j ACCEPT
> I'm not sure if this is correct. The in rule had --sport 67 --dport 68
> so i figured it's the other way round for the outgoing connection.
> Is this correct?
I think each of the three dhcp rules should have the ports reversed
(inet_out, internal_in, internal_out). /etc/services says 68 is the
client and 67 the server.
> Anyway, thanks to the people who have helped me on this.
> It's very much appreciated. Only a few more weeks and this script is
> going to see some action :)
Cool.
[snip]
> ### allow forwarding to the lan from the net for established or related connections
> $IPT -A FORWARD -o $EXTIF -i $INTIF -s $LAN -d ! $LAN \
> -m state --state ESTABLISHED,RELATED -j ACCEPT
You should change this rule to:
$IPT -A FORWARD -i $EXTIF -o $INTIF -d $LAN -s ! $LAN \
-m state --state ESTABLISHED,RELATED -j ACCEPT
(swap -i/-o and -s/-d) so the rule does what the comment says it
does ;)
Other than that, I think you're good to go :)
HTH,
Jason
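For readers with the same setup, here is an added example that puts the two points of this thread together (the DHCP port pairs per chain, and the FORWARD rule whose -i/-o and -s/-d must agree with the direction it is meant to cover). It is not Benedict's script; the interface names eth0/eth1, the LAN 192.168.1.0/24 and the chain names are assumed, and the script only contains the rules discussed here (no loopback, DNS or ssh rules, so do not load it as-is on a box you can only reach remotely). IPT defaults to "echo iptables", so it runs as a dry run without root; the forward_rule_matches check is what would have flagged the swapped rule before it was loaded.

```shell
#!/bin/sh
# Added example for the thread above, not the original poster's script.
# Assumptions: eth0 is the external interface (the firewall is a DHCP *client*
# there), eth1 the internal one (the firewall is the LAN's DHCP *server* there),
# and 192.168.1.0/24 is the LAN. IPT defaults to "echo iptables" so the script
# is a dry run; run it as IPT=iptables to apply the rules for real. Only the
# rules discussed in the thread are included: a real ruleset needs more.

EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
LAN=${LAN:-192.168.1.0/24}
IPT=${IPT:-"echo iptables"}

setup_chains() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    for c in inet_in inet_out internal_in internal_out; do
        $IPT -N $c
    done
    $IPT -A INPUT  -i $EXTIF -j inet_in
    $IPT -A OUTPUT -o $EXTIF -j inet_out
    $IPT -A INPUT  -i $INTIF -j internal_in
    $IPT -A OUTPUT -o $INTIF -j internal_out
}

dhcp_rules() {
    # /etc/services: bootps 67/udp is the server side, bootpc 68/udp the client
    # side. The same two ports appear in opposite order depending on which role
    # the firewall plays on the interface the chain belongs to.
    # inet_out (OUTPUT via $EXTIF): our client's request to the ISP's server
    $IPT -A inet_out -p udp --sport 68 --dport 67 -j ACCEPT
    # inet_in (INPUT via $EXTIF): the ISP server's offer/ack back to our client
    $IPT -A inet_in -p udp --sport 67 --dport 68 -j ACCEPT
    # internal_in (INPUT via $INTIF): LAN clients' discover/request to our server
    $IPT -A internal_in -p udp --sport 68 --dport 67 -j ACCEPT
    # internal_out (OUTPUT via $INTIF): our server's offer/ack to the LAN clients
    $IPT -A internal_out -p udp --sport 67 --dport 68 -j ACCEPT
}

# The two FORWARD rules, kept as strings so they can be checked before they are
# loaded. "-m conntrack --ctstate" is the current spelling of "-m state --state"
# and "! -d" the current spelling of "-d !".
FWD_LAN_TO_NET="-A FORWARD -i $INTIF -o $EXTIF -s $LAN ! -d $LAN -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
FWD_NET_TO_LAN="-A FORWARD -i $EXTIF -o $INTIF ! -s $LAN -d $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

# forward_rule_matches DIRECTION RULE: succeeds when RULE's interfaces and
# addresses agree with DIRECTION (lan-to-net or net-to-lan). A packet arriving
# on the external interface must be headed for the LAN and must not claim a LAN
# source; a packet arriving on the internal interface is the other way round.
forward_rule_matches() {
    want=$1
    in_if= out_if= src= dst= neg=
    set -- $2
    while [ $# -gt 0 ]; do
        case "$1" in
            '!') neg='!' ;;
            -i) in_if=$2; shift ;;
            -o) out_if=$2; shift ;;
            -s|-d)
                opt=$1
                if [ "$2" = '!' ]; then neg='!'; shift; fi   # old "-d ! addr" spelling
                if [ "$opt" = -s ]; then src="$neg$2"; else dst="$neg$2"; fi
                neg=; shift ;;
        esac
        shift
    done
    case "$want" in
        lan-to-net) [ "$in_if" = "$INTIF" ] && [ "$out_if" = "$EXTIF" ] &&
                    [ "$src" = "$LAN" ] && [ "$dst" = "!$LAN" ] ;;
        net-to-lan) [ "$in_if" = "$EXTIF" ] && [ "$out_if" = "$INTIF" ] &&
                    [ "$src" = "!$LAN" ] && [ "$dst" = "$LAN" ] ;;
        *) false ;;
    esac
}

forward_rules() {
    forward_rule_matches lan-to-net "$FWD_LAN_TO_NET" || { echo "bad lan-to-net rule" >&2; return 1; }
    forward_rule_matches net-to-lan "$FWD_NET_TO_LAN" || { echo "bad net-to-lan rule" >&2; return 1; }
    $IPT $FWD_LAN_TO_NET
    $IPT $FWD_NET_TO_LAN
}

main() {
    setup_chains
    dhcp_rules
    forward_rules
}

main
```

Running it as-is prints the rules it would load; the posted rule from the thread ("-o $EXTIF -i $INTIF -s $LAN -d ! $LAN") passes the lan-to-net check and fails the net-to-lan one, which is exactly Jason's point: it was a valid LAN-to-net rule sitting under a net-to-LAN comment. The lan-to-net rule here deliberately lets the LAN open anything (NEW); the original script restricts that per port, which is the tighter choice. One caveat on testing DHCP rules: on Linux the ISC dhclient and dhcpd send and receive broadcast DHCP through packet sockets, which do not pass through these INPUT/OUTPUT chains, so a wrong port pair may only show up later, for example on a unicast renewal, rather than when the first lease is obtained.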