On Thu, Jan 01, 2009 at 11:42:58PM +0100, itom wrote:
> hi all, with iptables I've created
> this script (see below or here http://pastebin.com/m416d8f6d)
> for this specific situation:
> http://img33.picoodle.com/img/img33/3/1/1/f_lanm_1233f0a.jpg
>
> In the eth2 LAN it works as I wish, because the PCs can access the internet only
> with the proxy at port 8080; the problem is in eth1, where I want to
> access directly using NAT and grant some services to specific ports
> (21, 22, 110, etc.)

Just so I understand what you are asking: you have blocked all access from eth1 to the internet (eth0); currently you have http/https via port 8080, but you would also like ftp/ssh/imap and maybe others.

Comments inline below.

>
> thanks in advance
>
> .... iptables script ....
> #!/bin/bash
>
> # delete all existing rules.
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
>
> # DEFAULT policies
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> # Always accept loopback traffic
> iptables -A INPUT -i lo -j ACCEPT
>
> # Allow established connections, and those not coming from the outside
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> #iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> # alternative
> iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

I would open this up to

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This will not allow any new connection through, but would not allow connections from eth1 to eth0 (presuming this was the only line and DROP was the default).

Then I would add

iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

or

iptables -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT

(depending on how pedantic you want to be; I usually use the first).

So this will allow the TCP protocol on port 22 to be established. You probably only want this on the way out and not on the way in :) so

iptables -A FORWARD -p tcp -o eth0 --dport 22 -j ACCEPT

Remember packets which are being forwarded, i.e. from eth1 to the internet, do not hit the INPUT chain (nor the OUTPUT chain), just the FORWARD chain.

You can do the same for the other ports/protocols that you want.

Also maybe a good idea to finish each chain with

-j LOG (or -j ULOG)
-j DROP (or whatever default you want for each chain).

I prefer explicit rules at the end of each chain instead of using the built-in one, mainly for documentation.

[snip]

> --

"I understand there's a suspicion that we -- we're too security-conscience." - George W. Bush 04/14/2005 Washington, DC
Attachment:
signature.asc
Description: Digital signature
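The rule set the reply sketches, assembled into one script as an added example (this is not the poster's script nor the replier's verbatim rules). It opens ESTABLISHED,RELATED in both directions on FORWARD, allows NEW TCP connections only from eth1, only out through eth0 and only to a chosen port list, then ends the chain with an explicit LOG and DROP as suggested. The interface names come from the thread; the port list (21, 22, 110) is a constructed stand-in for the poster's "21, 22, 110, etc."; the MASQUERADE rule is an assumption about how the NAT for eth1 is meant to be done. By default it only prints the commands (a dry run); run it as root with APPLY=1 to apply them.

```shell
#!/bin/sh
# Added example: FORWARD rules following the reply's advice. Interface names
# are taken from the thread; the port list and the MASQUERADE rule are
# assumptions (see the lead-in). Without APPLY=1 nothing is changed on the box.

WAN_IF="${WAN_IF:-eth0}"                        # internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                        # LAN that should reach the internet directly
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-21 22 110}" # constructed list: ftp, ssh, pop3

# Print one iptables command per line; nothing is executed here.
build_forward_rules() {
    # Traffic belonging to connections conntrack already knows, whichever side opened them
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # NEW connections: only from the LAN, only leaving via the WAN interface, only to these ports
    for p in $ALLOW_TCP_PORTS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Explicit end of chain: log what is about to be dropped, then drop it
    echo "iptables -A FORWARD -j LOG --log-prefix 'FORWARD-DROP: '"
    echo "iptables -A FORWARD -j DROP"
}

# Source NAT so forwarded LAN traffic leaves with the router's WAN address (assumption)
build_nat_rules() {
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Number of FORWARD rules generated: 1 (established) + one per port + 2 (log, drop)
forward_rule_count() {
    build_forward_rules | wc -l | tr -d ' '
}

# Execute the generated commands; needs root and a kernel with the state/LOG modules.
apply_rules() {
    { build_forward_rules; build_nat_rules; } | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    build_forward_rules
    build_nat_rules
fi
```

The ESTABLISHED,RELATED rule is placed first so that reply packets are accepted before the per-port rules are consulted, and the LOG rule sits immediately before the DROP so that every dropped forward shows up in the kernel log with the FORWARD-DROP prefix, which is what makes the explicit end-of-chain rules useful as documentation.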