#1 2005-03-20

Iptables firewall help please!!


I am doing some testing with iptables, but I can't get it to work!

If anyone would be willing to help me, I will be very grateful.

This is my setup and my wishes.

Eth0 is connected dynamically to the internet
Eth1 is connected locally on

1. I want to use NAT/Masquerade to give access to all computers in the network
2. I want to block all outgoing traffic on port 25 on eth0 for all computers in the network.

3. I want to block incoming ICMP packets on eth0, (but it should still be possible to ping other computers)

4. I want to open the ports for SMTP, FTP, POP, WWW, SSH and ports 5000-6000 for incoming traffic. Every other port should be closed.

5. Port 21 on eth0 shall be forwarded to in the local net

6. I wanna forward port 9999 on eth0 to port 25 on eth0

7. I want to block specific homepages (like for everyone on the local net.

Is this possible? And how do I do it? Is there an Iptables guru who can help me? I would really, really appreciate it.

This is the code so far... (I have no experience with this before) (sorry for the language, it is Swedish)


# eth0 outside
# eth1 inside

# If masquerading is compiled as a module,
# enable the line below (by removing the # at the start of the line)
modprobe iptable_nat

# Turn on routing
echo "1" > /proc/sys/net/ipv4/ip_forward

# Firewall rules
# My own IP address on eth0 (outer interface)
MEeth0=`/sbin/ifconfig eth0 |sed -n '/inet/s/^[ ]*inet addr:\([0-9.]*\).*/\1/p'`
# My broadcast address on eth0
MYBROADCASTeth0=`/sbin/ifconfig eth0 |sed -n '/inet/s/^.*Bcast:\([0-9.]*\).*/\1/p'`

# My own IP address on eth1 (inner interface)
MEeth1=`/sbin/ifconfig eth1 |sed -n '/inet/s/^[ ]*inet addr:\([0-9.]*\).*/\1/p'`
# My broadcast address on eth1
MYBROADCASTeth1=`/sbin/ifconfig eth1 |sed -n '/inet/s/^.*Bcast:\([0-9.]*\).*/\1/p'`

# Create the chain logdrop, which logs and then drops the traffic
/sbin/iptables -N logdrop
/sbin/iptables -A logdrop -j LOG
/sbin/iptables -A logdrop -j DROP

# Log and drop new TCP packets that are not SYN packets
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN  "
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

/sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN  "
/sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Block traffic that is addressed to the broadcast address
/sbin/iptables -A FORWARD --in-interface eth1 --destination $MYBROADCASTeth0/32 -j logdrop
/sbin/iptables -A FORWARD --in-interface eth0 --destination $MYBROADCASTeth1/32 -j logdrop

# Let new traffic out from the internal net (arriving on eth1), and only let
# reply traffic back in from the Internet (arriving on eth0)
/sbin/iptables -A FORWARD --in-interface eth1 -j ACCEPT
/sbin/iptables -A FORWARD --in-interface eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade outgoing traffic that is headed for the Internet so that
# it looks as if the firewall's outside address is doing the surfing
#/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $MEeth0
# If you get the address on the outer interface, eth0, dynamically via
# e.g. DHCP, use the following line instead of the SNAT rule above:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Note that MASQUERADE uses a little more CPU than SNAT.
# If you get your address dynamically on eth0, also add the following line:
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Block and allow PING: accept the replies to our own pings and ICMP error
# messages, but drop echo requests that arrive from the outside
/sbin/iptables -A INPUT  -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT  -p icmp --icmp-type 8 -j DROP
/sbin/iptables -A INPUT  -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A INPUT  -p icmp --icmp-type 11 -j ACCEPT

# Let traffic in to our own server services
# Let traffic in to server services on low ports
# Service     protocol      client ports     server port
#  ssh         tcp         1-65535          22
/sbin/iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --destination-port 22 -j ACCEPT
#  smtp        tcp         1-65535          25
/sbin/iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 25 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --destination-port 25 -j ACCEPT
#  www         tcp         1-65535          80
/sbin/iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 80 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --destination-port 80 -j ACCEPT

#  pop         tcp         1-65535          110
/sbin/iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 110 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --destination-port 110 -j ACCEPT

#  ftp         tcp         1-65535          21
/sbin/iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 21 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --destination-port 21 -j ACCEPT

#  5000-6000   tcp         1-65535          5000:6000
/sbin/iptables -A INPUT -m state --state NEW -p tcp --syn --destination-port 5000:6000 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --destination-port 5000:6000 -j ACCEPT

# Log and block the rest
/sbin/iptables -A INPUT -j logdrop
/sbin/iptables -A FORWARD -j logdrop

Dell Inspiron 8500
Kernel 2.6.14-archck1  (selfcompiled)
Enlightenment 17
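The posted script covers wishes 1, 3 and 4 but not 2, 5, 6 or 7, and it never lets the firewall's own return traffic (DNS answers, the DHCP lease on eth0) past the final logdrop. The function below, an added example and not code from the thread, emits the missing rules as text so they can be reviewed before being loaded. The LAN range, the internal FTP host and the blocked site are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): the rules the posted script
# does not yet have, emitted as text so they can be reviewed before loading.
# Constructed assumptions: LAN is 192.168.1.0/24, the internal FTP server is
# 192.168.1.10 and the site to block is www.example.com (all placeholders).
IPT=${IPT:-/sbin/iptables}
LAN_NET=${LAN_NET:-192.168.1.0/24}
FTP_HOST=${FTP_HOST:-192.168.1.10}
BLOCKED_SITE=${BLOCKED_SITE:-www.example.com}

# Prints one command per line; apply as root with: extra_rules | sh
extra_rules() {
    # Return traffic for the firewall's own connections (DNS answers, the DHCP
    # lease on eth0, package downloads); without this the final logdrop eats it.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Wish 2: LAN hosts may not talk SMTP to the Internet directly, so an
    # infected PC cannot relay spam past the firewall; log first, then drop.
    echo "$IPT -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j LOG --log-prefix \"LAN SMTP OUT \""
    echo "$IPT -A FORWARD -i eth1 -o eth0 -p tcp --dport 25 -j DROP"

    # Wish 5: port 21 arriving on eth0 goes to the internal FTP server.
    # DNAT rewrites the destination in PREROUTING; FORWARD then sees the LAN
    # address, so it needs its own ACCEPT. The ftp helper modules mark the
    # data connections RELATED so the existing state rule lets them through.
    echo "modprobe ip_conntrack_ftp"
    echo "modprobe ip_nat_ftp"
    echo "$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination $FTP_HOST:21"
    echo "$IPT -A FORWARD -i eth0 -o eth1 -d $FTP_HOST -p tcp --dport 21 -m state --state NEW -j ACCEPT"

    # Wish 6: port 9999 on eth0 is an alias for the firewall's own SMTP port.
    # REDIRECT sends it to the local address of the incoming interface; the
    # existing INPUT rule for port 25 then decides (it is ACCEPT).
    echo "$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 9999 -j REDIRECT --to-ports 25"

    # Wish 7: block a web site for the whole LAN. iptables resolves the name
    # once, at load time, so this only covers the addresses it had then.
    echo "$IPT -A FORWARD -i eth1 -s $LAN_NET -d $BLOCKED_SITE -j logdrop"
}
```

The FORWARD and INPUT lines must sit before the script's final "Log and block the rest" rules, since iptables stops at the first match and appending them after the logdrop would make them dead rules.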


#2 2005-03-20

Re: Iptables firewall help please!!


I know you can do those things, but I don't have the time nor the ability to generate the script for you right now.  Here are a few links that might help... … pic_id=151


