Re: iptables problem with two diffrent subnet

To: debian-user@lists.debian.org
Subject: Re: iptables problem with two diffrent subnet
From: Alex Samad <alex@samad.com.au>
Date: Fri, 2 Jan 2009 10:40:13 +1100
Message-id: <[🔎] 20090101234013.GA32718@samad.com.au>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] UFb7l.30378$J84.3391@tornado.fastwebnet.it>
References: <[🔎] UFb7l.30378$J84.3391@tornado.fastwebnet.it>

On Thu, Jan 01, 2009 at 11:42:58PM +0100, itom wrote:
> hi all, with iptables I've create
> this script(see below or here http://pastebin.com/m416d8f6d)
> for this specific situation:
> http://img33.picoodle.com/img/img33/3/1/1/f_lanm_1233f0a.jpg
>
> In the eth2 lan work as I wish because pc can access to internet only  
> with proxy at port 8080; the problem also in the eth1 and here I want to  
> access directly using Nat and grant some services to specific ports  
> (21,22,110,etc..)

Just so I understand what you are asking, 

you have blocked all access from eth1 to the internet (eth0), currently
you have http/https via port 8080. But you would also like ftp/ssh/imap
and maybe others

comment inline below

>
> thanks in advance
>
> .... iptables script ....
> #!/bin/bash
>
> # delete all existing rules.
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
>
> # DEFAULT policies
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
>
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> #iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  
> # alternativa
> iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED  
> -j ACCEPT

I would open this up to 

 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


This will not allow any new connection through, but would not allow
connections from eth1 to eth0 (presuming this was the only line and drop
was the default)

then I would add

iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

or

iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT
(depending on how pedantic you want to be, I usually use the first)

so this will allow tcp protocol on port 22 to be established
you probably only want this on the way out and not on the way in :) so


iptables -A FORWARD -p tcp -o eth0 --dport 22 -j ACCEPT

remember packets which are being forwarded ie from eth1 to the internet
do not hit the input chain (nor the output chain) just the forward
chain.

You can do the same for the other ports/protocals that you want.

also maybe a good idea to finish each chain with 

-j LOG (or -j ULOG)
-j DROP (or what ever default you want for each chain).

I prefer explicit rules at the end of each chain instead of using the
built in one, mainly for documentation



[snip]

>

-- 
"I understand there's a suspicion that we�we're too security-conscience."

	- George W. Bush
04/14/2005
Washington, DC

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- iptables problem with two diffrent subnet
  - From: itom <itom_bo@yahoo.it>

Prev by Date: Re: hard crash on leap second
Next by Date: host name/name mismatch of samba
Previous by thread: iptables problem with two diffrent subnet
Next by thread: host name/name mismatch of samba
Index(es):
- Date
- Thread