
Re: The PREROUTING or the INPUT (iptables)



Thanks Steven for the reply.

On Sun, 13 Feb 2011, Steven wrote:

Hi

On Sat, 2011-02-12 at 22:39 +0000, Bhasker C V wrote:
Hi all,

  I am asking 2 questions in this and apologies if this is a bit too much
in a single mail.

Q1)
  I came to understand that the first rule to take the hit is the
PREROUTING nat table (after the mangle). So in case I want to do a DNAT of
input packets to one of the interfaces in another machine on the same
network as the router, then, I can apply a DNAT rule in the PREROUTING.
But if I want to also select that the packet must be DNAT'ed only if
the input is from a specific ip address, then applying the DROP rule for
'anything other-than' type of packets is not effective in the INPUT chain
since the packet traverses the routing decision and goes into the FORWARD
chain and goes outgress...

So out of many experts here, I just wanted to take an advice on where to
keep the DROP/REJECT firewall rules? Is it in the PREROUTING or the
INPUT? If I keep it at INPUT then the packets which need to be DNAT'ed
will traverse bypassing the INPUT rule.

What I do is use the PREROUTING table to set up the general forwarding,
and use the FORWARDING and INPUT tables to actually allow or block
traffic. A rule for PREROUTING could be this:
iptables -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP -m multiport --destination-port 20,21,22,80 -j DNAT --to-destination $WEBSERVER

So if I am blocking an IP from entering, I have to do it both in the INPUT chain and also in the FORWARD chain so that wherever it gets hit, it will be dropped. Thanks, I will do the same.

In this case forwarding ftp, ssh and http ports.
The forwarding and input tables should be used to block unwanted traffic
(or allow wanted traffic).

iptables -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
allows everything from outside to be forwarded to the internal lan in
this case.

An advice is to limit the rules to the smallest possible match, not
allowing anything to slip by that was unintended.
Yes, I usually allow the needed IPs and block all others in a plain DROP rule. Thanks again.


also,

Q2)
  I was guessing from the man pages of iptables that I can give multiple
source ip addresses in a single stretch by separating them with a ','. I
couldn't apparently do it, and below is the command line I used. Could
someone point me on what is the mistake I am doing please?

iptables -A INPUT ! -s 1.1.1.1,1.1.1.2 -j ACCEPT

This command is trying to resolve 1.1.1.1,1.1.1.2 ignoring the ',' in the
ip addresses taking this as a complete name.

Perhaps you are looking for the iprange module?
iptables -m iprange --src-range 192.168.1.1-192.168.1.254 -j ACCEPT
That allows you to specify a range of ip's.

Using the -s argument for source ip's, you can only give a single
address, however, it is possible to define a complete subnet like this:
iptables -s 192.168.1.0/24 -j ACCEPT
In other cases you'd need 2 separate rules.


-----------------------------------
root@mac1:/# iptables -A INPUT ! -s 1.1.1.1,1.1.1.2 -j ACCEPT
iptables v1.4.2: host/network `1.1.1.1,1.1.1.2' not found
Try `iptables -h' or 'iptables --help' for more information.
-----------------------------------



Kind regards,
Steven
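As an added example (not from the thread, and not Steven's or Bhasker's own rules), a small POSIX sh rule generator that does what the exchange above describes: the DNAT lives in nat/PREROUTING, the source block is installed in both INPUT and FORWARD because a DNAT'ed packet is routed into FORWARD and never reaches INPUT, and the comma-separated source list from Q2 is expanded into one rule per address, which is what iptables 1.4.2 needs (newer iptables releases accept such a list and expand it themselves). Interface names and addresses are assumed placeholders; by default the script only prints the commands, set IPT=iptables to actually load them.

```shell
#!/bin/sh
# Added example: generate the DNAT + filtering rule set discussed in the
# thread. IPT defaults to a dry run that prints each command.
IPT=${IPT:-"echo iptables"}
EXTIF=${EXTIF:-eth0}                 # assumed external interface
INTIF=${INTIF:-eth1}                 # assumed internal interface
EXTIP=${EXTIP:-203.0.113.10}         # assumed public address of the router
WEBSERVER=${WEBSERVER:-192.168.1.10} # assumed DNAT target on the LAN
ALLOWED=${ALLOWED:-192.0.2.1,192.0.2.2}  # constructed sources allowed in
BLOCKED=${BLOCKED:-198.51.100.7}         # constructed source to drop

# per_source CHAIN "a,b,c" RULE-ARGS...
# Emits one "-A CHAIN -s ADDR RULE-ARGS" rule per comma-separated address,
# which is the workaround when -s refuses a comma list (Q2).
per_source() {
    ch=$1; srcs=$2; shift 2
    old_ifs=$IFS; IFS=,
    for src in $srcs; do
        IFS=$old_ifs
        $IPT -A "$ch" -s "$src" "$@"
    done
    IFS=$old_ifs
}

install_rules() {
    # Q1: the DNAT happens before routing, in nat/PREROUTING.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" \
        -m multiport --dports 22,80 -j DNAT --to-destination "$WEBSERVER"
    # A blocked source must be dropped in both filter chains: traffic that
    # was DNAT'ed goes to FORWARD, traffic for the router itself to INPUT.
    for chain in INPUT FORWARD; do
        per_source "$chain" "$BLOCKED" -i "$EXTIF" -j DROP
    done
    # Replies to already-accepted connections.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Smallest possible match: only the allowed sources, only to the
    # DNAT target, only the forwarded ports.
    per_source FORWARD "$ALLOWED" -i "$EXTIF" -o "$INTIF" -p tcp \
        -d "$WEBSERVER" -m multiport --dports 22,80 -j ACCEPT
    # Everything else arriving from outside is dropped.
    $IPT -A FORWARD -i "$EXTIF" -j DROP
}

install_rules
```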


