Re: iptables filtering ports under nat

[Julian Esteban Perconti <vh1988@yahoo.com.ar>]

Diego Lilioso escribió:
> Luis,
>
> You'd be use FORWARD chain in the table filter.
>
> POSTROUTING and PREROUTING is in the nat table.
>
> # The first rule allow traffic in port tcp/80
> /sbin/iptables -A FORWARD -s 12.16.2.5 <http://12.16.2.5> -p tcp --dport 
> 80 -j ACCEPT
>
> # The second rule allow the trafic inbound to 12.16.2.5 
> <http://12.16.2.5> source from port tcp/80.
> /sbin/iptables -A FORWARD -d 12.16.2.5 <http://12.16.2.5> -p tcp --sport 
> 80 -j ACCEPT
>
> # The third rule drop all trafics in all ports and protocols.
> /sbin/iptables -A FORWARD -s 12.16.2.5 <http://12.16.2.5>  -j DROP
>
> Best Regards,
> Diego Lilioso
>
>
>
>
>
> 2008/10/16 James Shupe <shupej@hermetek.com <mailto:shupej@hermetek.com>>
>
>     Correction:
>
>     [QUOTE]
>     You'd be better off with a DROP policy where you could just use:
>
>     /sbin/iptables .... -d $EXTERNAL_HOST -p 80 -j ACCEPT
>
>     With your ACCEPT policy, just use inverse:
>
>     /sbin/iptables .... -d ! $EXTERNAL_HOST -p 80 -j DROP
>     [/QUOTE]
>
>     "-p 80" needs to be "-p tcp --dport 80". Not sure how I overlooked it.
>
>     -
>     James Maurice Shupe       | HermeTek Network Solutions
>     shupej@hermetek.com <mailto:shupej@hermetek.com>       | *NIX
>     Consulting and Hosting
>     GPG signed mail preferred | http://www.hermetek.com
>     Plain text mail preferred | 1.866.325.6207
>
>     Key fingerprint: D484 EACC 9D0F A2A5 5277 C4A8 5704 1987 A938 DF3A
>
>     ------------------------------------------------------------------------
>     This Email is covered by the Electronic Communications Privacy Act,
>     18 U.S.C. 2510-2521 and is legally privileged. The information
>     contained in this Email is intended only for use of the individual
>     or entity named above. If the reader of this message is not the intended
>     recipient, or the employee or agent responsible to deliver it to the
>     intended recipient, you are hereby notified that any dissemination,
>     distribution or copying of this communication is strictly prohibited.
>     If you have received this communication in error, please immediately
>     notify us by telephone 1.866.325.6207 and destroy the original message.
>
>
>     On Thu, 2008-10-16 at 15:27 -0400, Luis Rondon Paz wrote:
>      > hello everyone i have a question
>      > i have this in my iptables
>      >
>      > EXT_IF=eth1
>      >
>      > #############
>      > /sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5
>     <http://12.16.2.5> -o $EXT_IF -j MASQUERADE
>      >
>      >
>      > now
>      > how can i DROP ALL TRAFIC FROM IP 12.16.2.5 <http://12.16.2.5>
>     ??? exept port 80 to one
>      > external ip ?
>      >
>      > example
>      >
>      > i neeed to drop all traffic
>      > and  i need to allow the traffic to one address only
>      >
>      > how can i do that Ç????
>      >
>      >
>      > /sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5
>     <http://12.16.2.5> -d EXTERNALONEHOSTONLY
>      > -o $EXT_IF -j  ACCEPT
>      >
>      > /sbin/iptables -t nat -A POSTROUTING -s 12.16.2.5
>     <http://12.16.2.5> -d 0.0.0.0/0 <http://0.0.0.0/0> -o $EXT_IF
>      > -j  DROP ???
>      >
>      >
>      > OR SHOULD I NEED TO USE TO FORWARD ??
>      >
>      > thanks for reading me .
>      >
>      >
>      >
>      >
>      >
>      >
>      >
>      >
>      >
Hi, I am new on this list.
I'm from argentina.
I think that if he only can use the 80/tcp port for surf, the rule

/sbin/iptables -A FORWARD -d 12.16.2.5 -p tcp --sport 80 -j ACCEPT

isn't necesary, with rule

iptables -t filter -A FORWARD -s 192.16.2.5 -d 0/0 -p tcp --sport 
1024:65535 --dport 80 -j ACCEPT

it gonna work fine, if the FORWARD policy is DROP.


regards.