Corey, that is exactly why it is a bridge and precisely my setup, except that I have an 8M/1M cable modem with 5 static IPs instead of a T1. But, effectively, it is the same. If people could proof/suggest/comment on the script, I would appreciate it. This is my first time using iptables. In the past, I had a T1 line and I used the Cisco router as my firewall.

Below is my script:

--------------------------
#!/bin/sh
# Do some initialization:
# Clear out the current settings:
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain

#---------------------------------------------------------------
# If a packet doesn't match one of the built in chains, then
# the policy should be to drop it
#---------------------------------------------------------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

# Loopback accepts all:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Replies to connections that were already accepted. Without these the
# firewall's own lookups and the answers from the public servers below
# never make it back through the DROP policies.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Define some global variables:
# First define the interfaces.
# Note: if eth0 and eth1 are enslaved to a bridge, -i/-o in the rules
# below see the bridge device, not the port; match ports with -m physdev.
EXTERNAL_INT="eth0"
INTERNAL_INT="eth1"

# Now the machines on the inside.
BRIDGE_IP="70.89.224.61"
TESTBOX_IP="70.89.224.60"
WIN2K_IP="70.89.224.59"
MEATNOG_IP="70.89.224.58"
ICI_IP="70.89.224.57"
INTERNAL_NET="192.168.10.0/24"

# AEGIS's Firewall, going to accept all from this one.
AEGIS_IP="12.39.123.5"

# NAT: masquerade the private LAN behind the external interface. New
# connections out of the LAN and replies back to it are the only
# forwarded traffic that touches $INTERNAL_NET; the routable servers
# are handled by the per-host rules further down.
iptables -t nat -A POSTROUTING -o $EXTERNAL_INT -s $INTERNAL_NET -j MASQUERADE
iptables -A FORWARD -i $INTERNAL_INT -o $EXTERNAL_INT -s $INTERNAL_NET -j ACCEPT
iptables -A FORWARD -d $INTERNAL_NET -j ACCEPT
sysctl -w net.ipv4.ip_forward=1   # same as: echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow all outgoing packets. May want to filter this later.
iptables -A OUTPUT -o $EXTERNAL_INT -j ACCEPT

# All internal IPs are assumed to be trusted.
iptables -A INPUT -i $INTERNAL_INT -s $INTERNAL_NET -j ACCEPT
iptables -A OUTPUT -o $INTERNAL_INT -d $INTERNAL_NET -j ACCEPT

# Let AEGIS reach the Win2k box.
iptables -A FORWARD -i $EXTERNAL_INT -s $AEGIS_IP -d $WIN2K_IP -j ACCEPT

# SSH Access:
# SSH is on port 22, TCP
iptables -A FORWARD -i $EXTERNAL_INT -d $MEATNOG_IP -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INT -d $ICI_IP -p tcp --dport 22 -j ACCEPT

# SMTP Access:
# SMTP is on port 25, TCP
iptables -A FORWARD -i $EXTERNAL_INT -d $MEATNOG_IP -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INT -d $ICI_IP -p tcp --dport 25 -j ACCEPT

# DNS Access:
# DNS is on port 53, TCP/UDP
iptables -A FORWARD -i $EXTERNAL_INT -d $MEATNOG_IP -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INT -d $MEATNOG_IP -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INT -d $ICI_IP -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INT -d $ICI_IP -p udp --dport 53 -j ACCEPT

# HTTP Access:
# HTTP is on port 80
iptables -A FORWARD -i $EXTERNAL_INT -d $MEATNOG_IP -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INT -d $ICI_IP -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INT -d $WIN2K_IP -p tcp --dport 80 -j ACCEPT

# POP3 Access:
# POP3 is on port 110
iptables -A FORWARD -i $EXTERNAL_INT -d $MEATNOG_IP -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INT -d $ICI_IP -p tcp --dport 110 -j ACCEPT

# AUTH Access:
# AUTH is on port 113.
iptables -A FORWARD -i $EXTERNAL_INT -d $MEATNOG_IP -p tcp --dport 113 -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INT -d $ICI_IP -p tcp --dport 113 -j ACCEPT

# MUD Access:
# The Mud is on port 6250
iptables -A FORWARD -i $EXTERNAL_INT -d $MEATNOG_IP -p tcp --dport 6250 -j ACCEPT

-----Original Message-----
From: lartc-bounces@xxxxxxxxxxxxxxx [mailto:lartc-bounces@xxxxxxxxxxxxxxx] On Behalf Of Corey Hickey
Sent: Wednesday, September 21, 2005 1:27 PM
To: lartc@xxxxxxxxxxxxxxx
Subject: Re: IP Tables on a bridge

ICI Support wrote:
> Now, the problem I have is that my LAN is mixed NAT'd addresses and routable
> IPs. I have a host of FORWARD rules to determine which packets get sent
> onto which servers (routable IPs). My worry is that if I put in the
> "iptables -A FORWARD -j ACCEPT" it'll defeat the whole purpose of those
> entries.
>
> My question is: How do I set up a FORWARD for JUST the NATed packets
> without touching the non-NATed packets? Would a -d to my internal network
> ($INTERNAL_NET is set to 192.168.10.0/24) do it?
>
> I.e., would this work:
>
> iptables -A POSTROUTING -t nat -s $INTERNAL_NET -j MASQUERADE
>
> iptables -A FORWARD -d $INTERNAL_NET -j ACCEPT

If I tested this properly, it does seem to work. You could follow the
command above with whatever rules jumping to ACCEPT you want, ending with
a REJECT for whatever you don't want (or set the policy for FORWARD to
REJECT). There are some other ways to do it.

May I ask why this machine is a bridge? My guess is that you have
something like this:

[Internet] ----> T1 router ----> Linux bridge ----> LAN

...wherein the T1 router handles the routing to/from your public IPs and
your bridge handles the routing (with NAT) from your private IPs.

> Also, if I post up my iptables entries/script, can someone help me proof
> them for problems?

Sure; it couldn't hurt, unless someone nasty sees a flaw and tries to
attack one of your systems through it. :)

I'm going to be gone for several days, but I'll look at it when I get
back. Somebody else might look, too.

-Corey
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
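One of the "other ways to do it" that Corey alludes to, written out here as an added example (this is not ICI Support's script and not something Corey posted): put the NAT'd LAN and the routable servers into two user-defined chains, so that a broad ACCEPT for the private side can never match a packet headed for one of the public hosts, and end each chain with the REJECT Corey suggests. The interface names, addresses and service ports are taken from the thread; the chain names nat_fwd and pub_fwd, the ipt() wrapper and the APPLY switch are assumptions of this example. It assumes the flush, --delete-chain and policy lines at the top of the poster's script have already run (the chains must not exist yet). By default it only prints the rules; run it with APPLY=1 as root to load them.

```shell
#!/bin/sh
# Added example, not the poster's script. Splits FORWARD into two chains:
# nat_fwd for the private LAN, pub_fwd for the routable servers.
set -eu

EXTERNAL_INT="eth0"                 # from the thread
INTERNAL_INT="eth1"
INTERNAL_NET="192.168.10.0/24"
MEATNOG_IP="70.89.224.58"
ICI_IP="70.89.224.57"

# Dry-run wrapper (assumption of this example): print the command unless
# APPLY=1, so the rule set can be reviewed before it touches the box.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

forward_rules() {
    # Replies to already-accepted connections, whichever side opened them.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Steer new traffic by where it came in: the LAN port goes to nat_fwd,
    # the outside world goes to pub_fwd. A rule in one chain cannot match
    # a packet that was sent down the other.
    ipt -N nat_fwd
    ipt -N pub_fwd
    ipt -A FORWARD -i "$INTERNAL_INT" -s "$INTERNAL_NET" -j nat_fwd
    ipt -A FORWARD -i "$EXTERNAL_INT" -j pub_fwd

    # nat_fwd: the LAN may open anything toward the Internet. The address
    # rewrite itself happens in nat/POSTROUTING, which runs after FORWARD.
    ipt -t nat -A POSTROUTING -o "$EXTERNAL_INT" -s "$INTERNAL_NET" -j MASQUERADE
    ipt -A nat_fwd -o "$EXTERNAL_INT" -m state --state NEW -j ACCEPT
    ipt -A nat_fwd -j REJECT

    # pub_fwd: only the listed services on the routable servers; the final
    # REJECT means nothing falls through to the FORWARD policy by accident.
    for port in 22 25 53 80 110 113; do
        ipt -A pub_fwd -d "$MEATNOG_IP" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        ipt -A pub_fwd -d "$ICI_IP" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -A pub_fwd -d "$MEATNOG_IP" -p udp --dport 53 -j ACCEPT
    ipt -A pub_fwd -d "$ICI_IP" -p udp --dport 53 -j ACCEPT
    ipt -A pub_fwd -j REJECT
}

forward_rules
```

Two things to check after loading: iptables -L FORWARD -n -v --line-numbers should show the ESTABLISHED,RELATED rule first and the two jumps after it, and the byte counters on pub_fwd's REJECT tell you what the outside is probing for. If eth0 and eth1 are really ports of a Linux bridge rather than routed interfaces, the -i/-o matches above have to become -m physdev --physdev-in/--physdev-out, because the filter table then sees the bridge device as the interface.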