03-31-2003 05:56 PM
firewall script
04-01-2003 07:13 AM
Re: firewall script
I'm not sure, but I think you have to NAT also the output of your inet services....
i.e.:
iptables -A POSTROUTING -t nat -p tcp -s 10.0.0.141 --source-port 80 -j SNAT --to-source 204.91.104.141:80
This is for http, the same for the other services....
With the other card (eth2),
iptables -A FORWARD --in-interface eth2 -j ACCEPT
should be enough...
I noticed that you stop ICMP packets, which is a security option, but you don't check for proper TCP packets, which is better..
i.e.:
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
bad_tcp_packets is a new chain you have to define....
and apply this chain on your INPUT, OUTPUT chains (first rule).
ex:
iptables -A INPUT -p tcp -j bad_tcp_packets
and the best way is to try !!! + tcpdump to diagnose...
hth
Benoit
04-01-2003 02:40 PM
Re: firewall script
This is what I have for each ip/port that I will be using:
***********
iptables -A PREROUTING -t nat -p tcp -d 204.91.104.94 --dport 25 -j DNAT --to 10.0.0.94:25
iptables -A FORWARD -p tcp -d 204.91.104.94 --dport 25 -o eth1 -j ACCEPT
***********
Is the FORWARD rule even applicable? From what I have read, the forward rules are implemented after the PREROUTING rules. So by the time the packet gets to FORWARD, the packet doesn't read 204.91.104.94... It reads 10.0.0.94:25. So can I just get rid of the forward rule altogether and keep only the PREROUTING rule?
***********
iptables -A PREROUTING -t nat -p tcp -d 204.91.104.94 --dport 25 -j DNAT --to 10.0.0.94:25
***********
04-02-2003 12:02 AM
Re: firewall script
This means the forward rule looks like:
iptables -A FORWARD -p tcp -d 10.0.0.94 --dport 25 -o eth1 -j ACCEPT
because the default policy is DROP for the forward chain....
but the best way is to experiment !!!!
hth
Benoit
Love, love, when you hold us, we may well say: "Farewell, prudence!" Jean De La Fontaine
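Added example, not from the thread and not Benoit's or the original poster's script: a dry-run shell script that ties the two points above together. It creates the bad_tcp_packets chain before anything is appended to it, hooks it in as the first rule, and writes the FORWARD rule for the DNATed mail service against the post-DNAT address 10.0.0.94 rather than the public one. The interface names eth0 (Internet) and eth1 (DMZ), the public address 204.91.104.94 and the host 10.0.0.94 come from the thread; the -i/-o restrictions, the conntrack states and the IPT dry-run variable are my assumptions. By default it only prints the iptables commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not the thread's script). Addressing taken from the posts:
#   eth0 = Internet side, public address 204.91.104.94
#   eth1 = DMZ, mail host 10.0.0.94
# Dry run by default: prints the iptables commands. IPT=iptables ./fw.sh applies them as root.
IPT="${IPT:-echo iptables}"

INET_IF=eth0
DMZ_IF=eth1
PUBLIC_IP=204.91.104.94
DMZ_HOST=10.0.0.94

setup_bad_tcp_chain() {
    # The user chain must exist before -A can append to it, otherwise iptables
    # fails with "No chain/target/match by that name".
    $IPT -N bad_tcp_packets
    # A TCP segment that opens a NEW connection must be a SYN; anything else is a
    # stray or crafted segment (e.g. an ACK scan) and is dropped.
    $IPT -A bad_tcp_packets -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    $IPT -A bad_tcp_packets -j RETURN
    # Insert at position 1 so the check runs before any ACCEPT already in the chain.
    $IPT -I INPUT 1 -p tcp -j bad_tcp_packets
    $IPT -I FORWARD 1 -p tcp -j bad_tcp_packets
}

publish_service() {
    # $1 = TCP port published on PUBLIC_IP and forwarded to DMZ_HOST.
    port="$1"
    # DNAT in PREROUTING rewrites the destination before the routing decision, so by the
    # time the packet reaches FORWARD it is addressed to DMZ_HOST. The FORWARD rule
    # therefore matches DMZ_HOST, not PUBLIC_IP.
    $IPT -t nat -A PREROUTING -i "$INET_IF" -p tcp -d "$PUBLIC_IP" --dport "$port" -j DNAT --to-destination "$DMZ_HOST:$port"
    $IPT -A FORWARD -i "$INET_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_HOST" --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Replies: conntrack reverses the DNAT on the way back, so only the state match is
    # needed; no separate SNAT rule is required for the server's replies.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INET_IF" -p tcp -s "$DMZ_HOST" --sport "$port" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Emit the rule set (dry run unless IPT=iptables).
setup_bad_tcp_chain
publish_service 25
```

`-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread; both work with legacy iptables. After applying, `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n --line-numbers` show per-rule packet counters, which is the quickest way to see which rule a test connection actually hit.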
04-02-2003 08:57 PM
Re: firewall script
I am providing you mine as a reference.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
04-04-2003 02:38 PM
Re: firewall script
So far the script is working with only:
*****
iptables -A PREROUTING -t nat -p tcp -d 204.91.104.94 --dport 25 -j DNAT --to 10.0.0.94:25
*****
I don't need the forward...
How will packets from the internal net (eth2) reach the DMZ? Will the router automatically do this?
Example: I am in the internal and want to go to a web server on my DMZ (204.91.104.5). What are the steps in which the packet will go based on the script I have attached?
***
into eth2 then out eth0 then back into eth0 then to eth1?
***
or
***
into eth2 forwarded to eth1
***
04-07-2003 12:07 AM
Re: firewall script
Your packets will go from eth2 to eth1, and then back from eth1 to eth2.. That's all, in fact it's a kind of router.
And if you need to go to the internet (eth0) from your LAN, it'll go from eth2 to eth0 and back. Don't forget to masquerade your LAN addresses...
hth
Benoit
___________
A good "here you go" is worth more than two "you'll have it"
04-18-2003 06:25 PM
Re: firewall script
#eth0 (Internet) has the IP 204.91.104.5 and 204.91.104.6
#eth1 (DMZ) has the IP 10.0.0.1, gateway for the 10.0.0.0/24 network
#eth2 (Local LAN) has the IP 10.0.1.1, gateway for the 10.0.1.0/24 network

Everything seems to work except the connection between the LAN and the DMZ. I am trying to stop any NEW packets going from the DMZ to the LAN, only ESTABLISHED,RELATED.. I am, however, trying to have all connections accepted (NEW,ESTABLISHED,RELATED) going to the DMZ from the LAN.

When I ping 10.0.0.5 from the LAN network (10.0.1.0), I get a reply. When I ping 204.91.104.5 from the LAN network (10.0.1.0) I get a time out. I can FTP (passive only) to 204.91.104.5 and 10.0.0.5 from the LAN network (10.0.1.0). When I try to connect to the SQL server.

The reason why I am testing the ping to 204.91.104.5 from inside the LAN network is to see how the packet gets from the LAN to the DMZ. Does it go into eth2, out eth0, back into eth0 as 204.91.104.6, then out eth1, then to 10.0.0.5, or does it go from eth2 straight to eth1 directly using the 10.0.0/ network address?
04-18-2003 06:27 PM
Re: firewall script
When I try to connect to the SQL server on 10.0.0.5 I get a time out.
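Added example, not the poster's attached script (which is not on the page): the three-zone policy described in the post above, written as a dry-run shell script, together with comments on the path a LAN packet takes. The interfaces and addresses (eth0 Internet 204.91.104.5/.6, eth1 DMZ 10.0.0.1 for 10.0.0.0/24, eth2 LAN 10.0.1.1 for 10.0.1.0/24, web host 10.0.0.5) are from the post; that 204.91.104.5:80 is published to 10.0.0.5 is an assumption, as are the LOG rule, the hairpin SNAT and the IPT dry-run variable. By default it prints the commands; IPT=iptables applies them as root.

```shell
#!/bin/sh
# Added example (not the poster's script). Topology as stated in the post:
#   eth0 Internet 204.91.104.5 / 204.91.104.6
#   eth1 DMZ      10.0.0.1, gateway for 10.0.0.0/24 (web host 10.0.0.5)
#   eth2 LAN      10.0.1.1, gateway for 10.0.1.0/24
# Dry run by default; IPT=iptables ./zones.sh applies the rules as root.
IPT="${IPT:-echo iptables}"

INET_IF=eth0; DMZ_IF=eth1; LAN_IF=eth2
DMZ_NET=10.0.0.0/24; LAN_NET=10.0.1.0/24
DMZ_GW=10.0.0.1
PUBLIC_IP=204.91.104.5   # assumed: public address published for the web host
WEB_HOST=10.0.0.5

zone_policy() {
    $IPT -P FORWARD DROP
    # One rule handles every reply and related packet in any direction; it must come
    # before the NEW rules so DMZ replies to LAN clients are not caught by the DROP below.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN -> DMZ: new connections allowed.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -m conntrack --ctstate NEW -j ACCEPT
    # DMZ -> LAN: nothing NEW. Log first so a compromised DMZ host probing inward is visible in syslog.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m conntrack --ctstate NEW -j LOG --log-prefix "dmz-to-lan: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    # LAN -> Internet, with source NAT on the way out (10.0.1.0/24 is not routable).
    $IPT -A FORWARD -i "$LAN_IF" -o "$INET_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_NET" -j MASQUERADE
}

publish_web() {
    # PREROUTING runs on every inbound interface, before the routing decision. A LAN client
    # that connects to 204.91.104.5:80 is rewritten to 10.0.0.5:80 here and then routed
    # eth2 -> eth1 directly: the packet never leaves via eth0 and comes back in.
    # A ping to 204.91.104.5 does not match this TCP-only rule, so it is delivered to the
    # firewall's own INPUT chain, not forwarded to the DMZ.
    $IPT -t nat -A PREROUTING -p tcp -d "$PUBLIC_IP" --dport 80 -j DNAT --to-destination "$WEB_HOST:80"
    # Internet -> DMZ web host (LAN -> DMZ is already covered by zone_policy).
    $IPT -A FORWARD -i "$INET_IF" -o "$DMZ_IF" -p tcp -d "$WEB_HOST" --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Hairpin from the LAN: rewrite the source to the firewall's DMZ address so the web host
    # always answers through this box and conntrack can undo the DNAT on the reply.
    $IPT -t nat -A POSTROUTING -o "$DMZ_IF" -s "$LAN_NET" -d "$WEB_HOST" -p tcp --dport 80 -j SNAT --to-source "$DMZ_GW"
}

# Emit the whole rule set (dry run unless IPT=iptables).
zone_policy
publish_web
```

To see which rule a LAN-to-DMZ attempt actually hit, apply the rules and watch the counters with `iptables -L FORWARD -v -n --line-numbers` while repeating the connection; `tcpdump -ni eth1` on the DMZ side shows whether the packet left the firewall at all and with which source address.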