
Re: iptables problem with two diffrent subnet

On Thu, Jan 01, 2009 at 11:42:58PM +0100, itom wrote:
> hi all, with iptables I've created
> this script(see below or here http://pastebin.com/m416d8f6d)
> for this specific situation:
> http://img33.picoodle.com/img/img33/3/1/1/f_lanm_1233f0a.jpg
> In the eth2 LAN it works as I wish because PCs can access the internet only
> with the proxy at port 8080; the problem is in the eth1 LAN, where I want to
> access directly using NAT and grant some services to specific ports
> (21,22,110,etc..)

Just so I understand what you are asking, 

you have blocked all access from eth1 to the internet (eth0), currently
you have http/https via port 8080. But you would also like ftp/ssh/imap
and maybe others

comment inline below

> thanks in advance
> .... iptables script ....
> #!/bin/bash
> # delete all existing rules.
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
> # DEFAULT policies
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> #iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  
> # alternative
> iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED  

I would open this up to 

 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This will not allow any new connection through, but would not allow
connections from eth1 to eth0 (presuming this was the only line and drop
was the default)

then I would add

iptables -A FORWARD -p tcp --dport 22 -j ACCEPT


iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT
(depending on how pedantic you want to be, I usually use the first)

so this will allow tcp protocol on port 22 to be established
you probably only want this on the way out and not on the way in :) so

iptables -A FORWARD -p tcp -o eth0 --dport 22 -j ACCEPT

remember packets which are being forwarded, i.e. from eth1 to the internet,
do not hit the INPUT chain (nor the OUTPUT chain), just FORWARD

You can do the same for the other ports/protocols that you want.

also maybe a good idea to finish each chain with 

-j LOG (or -j ULOG)
-j DROP (or what ever default you want for each chain).

I prefer explicit rules at the end of each chain instead of using the
built in one, mainly for documentation



"I understand there's a suspicion that we -- we're too security-conscience."

	- George W. Bush
Washington, DC
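As an added example that is not part of the original reply or the poster's pastebin script, the POSIX sh script below generates the FORWARD chain the reply recommends: ESTABLISHED,RELATED accepted first so replies (and related ftp data connections) get back, then one NEW rule per allowed TCP port restricted to the eth1-to-eth0 direction, then an explicit LOG and DROP at the end of the chain. The interface names (eth0 internet, eth1 LAN) and the port list 21/22/110 are taken from the thread; the `-m limit` rate limiting on the LOG rule and the MASQUERADE rule in the nat table (needed if the eth1 LAN uses private addresses) are assumptions added here. By default the script only prints the rules; it executes them only when called with `apply` as root.

```shell
#!/bin/sh
# Added example, not the script from the original thread: builds the FORWARD
# chain described in the reply. Interface names and the port list are taken
# from the thread and can be overridden through the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
# TCP services the LAN may open towards the internet (ftp, ssh, pop3 from the question)
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-21 22 110}"

# One rule that lets a NEW connection out on the given TCP port, limited to the
# LAN -> internet direction so the same port is not opened towards the LAN.
outbound_rule() {
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $1 -m state --state NEW -j ACCEPT"
}

gen_forward_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies and related traffic for already accepted connections, both directions.
    # This must come before the per-port rules so return packets are not dropped.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $ALLOWED_TCP_PORTS; do
        outbound_rule "$port"
    done
    # Explicit end of chain, as the reply suggests: log, then drop. The limit
    # match (assumption, not in the thread) keeps a port scan from filling the log.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FORWARD DROP: \""
    echo "iptables -A FORWARD -j DROP"
}

# Assumption: the eth1 LAN uses private addresses and therefore needs source NAT.
gen_nat_rules() {
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Print the rules by default; pass "apply" to execute them (needs root).
if [ "${1:-}" = "apply" ]; then
    { gen_forward_rules; gen_nat_rules; } | sh -e
else
    gen_forward_rules
    gen_nat_rules
fi
```

Run it without arguments first and read the output; the INPUT chain from the poster's script is left untouched, since forwarded packets never traverse INPUT or OUTPUT.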
