I think you can complete it with:

Change this:

$IPTABLES -t nat -A POSTROUTING -s 192.168.51.40 -p tcp --dport 80 -o $EXT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.80 -p tcp --dport 80 -o $EXT -j MASQUERADE

Add this:

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -d 192.168.51.0/24 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.51.20 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.51.40 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.51.80 -p tcp --dport 80 -j ACCEPT

Try this!

Att,
Sp0oKeR

On 8/9/05, Alexander Salmin <security.member@xxxxxxxxx> wrote:
> Hello friends,
>
> I'm trying to set up a secure NAT firewall in my home, and for that I need
> help with some rules.
>
> I've got a total of four computers, including the server.
>
> These are the ones that should be NAT'ed:
>
> #1 --- 192.168.51.20 --- Should be able to access all of the internet.
> #2 --- 192.168.51.40 --- Should be able to access only websites (ports 80, 443).
> #3 --- 192.168.51.80 --- Should be able to access only websites (ports 80, 443).
>
> This is what my non-working iptables script looks like right now:
> -------------------------------------------------------------------------------------
> INT="eth0"
> EXT="eth1"
> IPTABLES=/sbin/iptables
>
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F -t nat
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
> $IPTABLES -A INPUT -i $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
> $IPTABLES -A INPUT -p UDP --dport bootps -i $INT -j ACCEPT
> $IPTABLES -A INPUT -p UDP --dport domain -i $INT -j ACCEPT
>
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.20 -o $EXT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.40 -dport 80 -o $EXT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -s 192.168.51.80 -dport 80 -o $EXT -j MASQUERADE
>
> $IPTABLES -A INPUT -j DROP
> -------------------------------------------------------------------------------------
>
> Somehow, it doesn't work with -dport 80, and I believe that I have
> missed some allow-rules, because the -j DROP denies the computer at
> 192.168.51.20 too.
>
> Any help would be appreciated!
>
> Thanks,
> --Alexander.
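A complete version of the script for the setup in the quoted question, added here as an example and not the code of either poster. It keeps the interface names and addresses from the question, allows 443 as well as 80 for the two restricted hosts as originally asked, and assumes the standard iptables state and multiport match extensions are available; setting IPTABLES=echo previews the rules without applying them.

```shell
#!/bin/sh
# Constructed example: NAT firewall for the three LAN hosts in the question.
# Assumptions: eth0 is the LAN side, eth1 faces the internet, host .20 may
# reach anything, hosts .40 and .80 may only open TCP 80 and 443.
# Forwarding must also be switched on: sysctl -w net.ipv4.ip_forward=1
INT="eth0"
EXT="eth1"
LAN="192.168.51.0/24"
IPTABLES="${IPTABLES:-/sbin/iptables}"   # IPTABLES=echo prints the rules instead

apply_rules() {
    # Start from a clean, default-deny state in the filter and nat tables.
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Traffic to the firewall itself: replies, plus ICMP, DHCP and DNS from the LAN.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $INT -p icmp -j ACCEPT
    $IPTABLES -A INPUT -i $INT -p udp --dport bootps -j ACCEPT
    $IPTABLES -A INPUT -i $INT -p udp --dport domain -j ACCEPT
    # The firewall's own outbound traffic (DNS forwarding, updates) is trusted here.
    $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Per-host policy belongs in FORWARD: return traffic first, then what each
    # host may open. --dport takes two dashes and only works together with -p.
    $IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INT -o $EXT -s 192.168.51.20 -j ACCEPT
    for host in 192.168.51.40 192.168.51.80; do
        $IPTABLES -A FORWARD -i $INT -o $EXT -s $host \
            -p tcp -m multiport --dports 80,443 -j ACCEPT
    done
    # Anything else from the LAN (including other hosts) hits the DROP policy.

    # MASQUERADE only rewrites the source address on the way out; it is not
    # an access-control point, so it needs no per-host or per-port matching.
    $IPTABLES -t nat -A POSTROUTING -s $LAN -o $EXT -j MASQUERADE
}
```

Run it as root to apply, or with IPTABLES=echo first to review the generated rule set.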