1- My iptables rules are the following:

iptables -t filter -F
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

###########
# FORWARD #
###########

###############
# LAN --> DMZ #
###############
iptables -t filter -A FORWARD -i eth0 -o eth1 -s 172.16.0.0/16 -d 192.168.2.150/32 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -s 192.168.2.150/32 -d 172.16.0.0/16 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

###############
# LAN --> WAN #
###############

###################################
# IDENT PROTOCOL: TCP and UDP 113 #
###################################
iptables -t filter -A FORWARD -p tcp --dport 113 -j ACCEPT
iptables -t filter -A FORWARD -p tcp --sport 113 -j ACCEPT
iptables -t filter -A FORWARD -p udp --dport 113 -j ACCEPT
iptables -t filter -A FORWARD -p udp --sport 113 -j ACCEPT

###################################
# HTTP, HTTPS: TCP 80 and TCP 443 #
###################################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p udp --dport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p udp --sport 443 -j ACCEPT

#################
# POP3 protocol #
#################
iptables -t filter -A FORWARD -i eth0 -o eth2 -s 172.16.0.0/16 -d 0/0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

################
# FTP protocol #
################
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.0.0/16 -d 0/0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -t filter -A INPUT -j DROP
iptables -t filter -A OUTPUT -j DROP
iptables -t filter -A FORWARD -j DROP

2- My default route is the IP of the LAN interface of my router, which is a public IP (62.160.X.X/255.255.255.248).

3- eth0: 172.16.2.1/255.255.0.0
   eth1: 192.168.2.1/255.255.255.0
   eth2: 62.160.X.Y/255.255.255.248

Regards,
Frederic

> On Monday 02 August 2004 3:12 pm, Frédéric Gonzatti wrote:
> > Sorry, my external interface is eth2 (it's just an error when I wrote the
> > mail).
> > Some pages take lots of time to appear when I'm using the first line in
> > my script. When I'm using the second one they appear immediately.
> > My DNS server is on my LAN with a private IP address 172.16.2.200.
>
> Please show us:
>
> 1. The exact rules you are referring to (no typos, no hidden addresses, the
> exact rules as they appear in the scripts).
>
> 2. The routing table (output of "route -n") of the firewall.
>
> 3. The interface configuration (output of "ifconfig") from the firewall.
>
> Regards,
>
> Antony.
>
> > > On Monday 02 August 2004 1:07 pm, Frédéric Gonzatti wrote:
> > > > If I replace in my iptables script:
> > > >
> > > > iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to my_public_IP
> > > >
> > > > by
> > > >
> > > > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> > > >
> > > > ...I can access the internet faster!
> > > >
> > > > Have you got any idea?
> > >
> > > Which is your external interface? eth1 or eth2?
> > >
> > > How are you measuring "faster"?
> > >
> > > Where are your DNS servers?
> > >
> > > Regards,
> > >
> > > Antony.
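As an added example that is not part of this thread, the small Python checker below runs over a constructed excerpt of the posted script and flags three things a reviewer would raise: a command with no chain operation (the posted MASQUERADE line lacks -A, so iptables rejects it), ACCEPT rules that match only on --sport without connection state (the remote peer chooses its own source port), and FORWARD rules bound to no interface pair. The excerpt is taken from the rules above; the parser and checks are mine, not netfilter tooling.

```python
import shlex

# Constructed excerpt of the rules posted above; the first line reproduces
# the missing "-A" exactly as it appeared in the script.
RULES = """\
iptables -t nat POSTROUTING -o eth2 -j MASQUERADE
iptables -t filter -A FORWARD -p tcp --sport 113 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 443 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -o eth0 -s 0/0 -d 172.16.0.0/16 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.0.0/16 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

CHAIN_OPS = ("-A", "-I", "-D", "-R", "-P", "-F", "-N", "-X")

def parse_rule(line):
    """Map each iptables option to its value (or True for a bare flag)."""
    toks = shlex.split(line)
    opts, i = {}, 1  # skip the "iptables" word itself
    while i < len(toks):
        if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = True
            i += 1
    return opts

def audit(script):
    """Return (line number, finding) pairs for the three weaknesses above."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        if not line.strip().startswith("iptables"):
            continue
        o = parse_rule(line)
        chain = next((o[k] for k in ("-A", "-I") if k in o), None)
        if not any(k in o for k in CHAIN_OPS):
            findings.append((n, "no chain operation (-A/-I/...): iptables rejects this command"))
        states = str(o.get("--state", "")).split(",")
        if o.get("-j") == "ACCEPT" and "--sport" in o and (states == [""] or "NEW" in states):
            findings.append((n, "stateless --sport match: the remote peer picks its own source "
                                "port, so this also accepts new inbound connections"))
        if chain == "FORWARD" and ("-i" not in o or "-o" not in o):
            findings.append((n, "FORWARD rule without both -i and -o: matches in every direction"))
    return findings

if __name__ == "__main__":
    for n, msg in audit(RULES):
        print(f"line {n}: {msg}")
```

Lines carrying `-m state --state ESTABLISHED` or `ESTABLISHED,RELATED` on the `--sport` side pass the second check, which is why the HTTP and FTP-data reply rules are not flagged for it.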