iptables help on Linux

  1. #1 Junior Member (Join Date Jan 2002, Posts 7)

    iptables help on Linux

    Hi,

    I have a cable modem, dedicated linux server and a home LAN. I want to use NAT and I need to have a firewall on the server. I want FTP and HTTP servers on the server.

    I know I need to use iptables, but I don't know how to write the script. Any resources I could look at? Would a kind soul send me theirs so I can try and create my own?

    Thanks,
    Keymoo

    --
    anti@markallison.c0.uk
    replace 0 with o

  2. #2 PHP/PostgreSQL guy (Join Date Dec 2001, Posts 1,164)

    Right on! Dedicated linux server, woo!

    Anyways, to make life easier, it might be better for you to get a DSL/Cable router (4 port) so that you'll have the hardware firewall and it does internal NAT for you. IPChains is great, but you really have to know the internals of how it works, and if your linux box is doing all the work, including the server side (web/ftp/mail/etc), then you might have more problems on your hands in configuring everything, and you also have to have two NIC cards in it, one for the cable modem and one for the link to the hub where all your other traffic goes.

    I can give you the setup for the Dlink/Linksys router (4 port) which might be the best way to go:

    1: connect your cable modem to the WAN port of the 4 port router.
    2: connect all PCs and your linux servers to the individual ports on the router (you can daisy-chain hubs off a port btw)
    3: on a windows PC, set your TCP/IP to obtain automatically, with the gateway set for 192.168.1.1 (default for the router) and reboot.
    4: still on this PC, open your browser to http://192.168.1.1 and log in (they supply the user/pass). From there, put in all your information for your ISP on the main page (there's plenty of onscreen help) and have your router set for static IP handouts. When this is done, it'll say to reboot the router. When you do, go ahead and reset your TCP/IP to an individual IP like 192.168.1.100 (101, 102, etc.) and assign each machine internally an IP address like that, with the gateway on each machine pointing to 192.168.1.1 and all DNS information entered in the DNS page (enable DNS for windows).

    That should take care of your windows machines.

    Now, for your linux machine, whatever distro you're using, make sure the gateway is listed as the router, and all dns information is put in resolv.conf. If you need more help on this, pm me with your hardware/linux setup and I can help out more.

    Now, to configure all services on linux to be accessible outside, (with example IP of 192.168.1.102 for the linux server), go back into the web page for the router (mentioned above) and in the advanced page, you'll find something that allows port forwarding. Ports 21 for ftp, 22 for ssh (I don't recommend leaving 23 open), and 80 for web traffic should be put in the boxes with it pointing to your linux server IP.

    With these being allowed, you'll be able to run services behind a hardware firewall without too much worry of DDoS or other things.

    Hope this helps and if I missed something, I apologize, as I'm in a hurry right now.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  3. #3 Junior Member (Join Date Jan 2002, Posts 7)

    Thanks for the help - but that's not what I really want. I need the routing/firewall done on the linux box - I don't want to buy a hardware router.

    I know it's gonna take me a while to get it all set up - perhaps months, but I don't mind cos it's all a learning experience for me. I currently have a Win2000 server box which is doing this stuff for me at the mo and it does it very well, but I want to move it all over to Linux and perhaps use a linux workstation too instead of WinXP.
    If anyone else could help, that would be appreciated.

    Thanks,
    Keymoo

  4. #4 Junior Member (Join Date Dec 2001, Posts 24)

    It took me about an hour to set this up last night, and that is with little linux administration experience. I followed the steps in this article:

    http://www.unixgeeks.org/security/ne...sc/ipmasq.html

    In addition, it is also beneficial to consult the NET3-HOWTO, the IP-MASQUERADING-HOWTO and the IPCHAINS-HOWTO, which can all be obtained at

    http://www.linux.org

    good luck PAL

  5. #5 Senior Member (Join Date Nov 2001, Posts 1,255)

    Originally posted by autumn regret
    It took me about an hour to set this up last night, and that is with little linux administration experience. I followed the steps in this article:

    http://www.unixgeeks.org/security/ne...sc/ipmasq.html

    In addition, it is also beneficial to consult the NET3-HOWTO, the IP-MASQUERADING-HOWTO and the IPCHAINS-HOWTO, which can all be obtained at

    http://www.linux.org

    good luck PAL
    Autumn Regret,
    The link you provided above shows you only how to do IP MASQUERADING, not NAT (Network Address Translation). There is a very fundamental difference in that with NAT, you can forward say, HTTP requests coming into your IP to another computer on your lan, and then back again.

    As for the original query by keymoo, check out the following url:
    http://netfilter.samba.org/unreliabl....linuxdoc.html
    It's the NAT-HOWTO directly from the netfilter team, so it should be pretty accurate. This sounds more along the lines of what you're looking for.

    Keymoo, I would also be interested in how everything turns out, as I'm about to do this myself. If you could email me some tips/tricks/things to watch for at chris_shepherd@hotmail.com, I would greatly appreciate it.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  6. #6 Junior Member (Join Date Dec 2001, Posts 24)

    directly from the http://www.unixgeeks.org site:

    4.5.1 What Is A Masquerading Firewall Anyway?

    A masquerading firewall is simply an application/kernel modification that acts as a go-between for the masqueraded machines (the winbox in our case) and the internet. It receives requests from the masqueraded client(s) and forwards those requests on to the internet address of the target machine. In this way, a masquerading firewall is a packet filter - it filters network traffic based on information contained in the headers of network packets.
    and:

    'ipchains' is initialized with just three rules or 'chains', input, output and forward. When a packet arrives at a network interface its fate is determined by the input chain; if the packet is accepted by the input chain, the kernel forwards the packet according to the destination address.
    As you can see, ipchains has the ability to forward packets to and from various network interfaces. Coupled with the IP masquerading, would you not say that this is a NAT solution?

  7. #7 Senior Member (Join Date Nov 2001, Posts 742)

    Maybe this tutorial can be of any help?


  8. #8 PHP/PostgreSQL guy (Join Date Dec 2001, Posts 1,164)

    As VictorKaum would say, get BBIagent (www.bbiagent.com). It's a floppy disk oriented program that does it all for you. And it's great for that machine sitting in the corner collecting dust. That is, if you have another machine to run in front.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  9. #9 Senior since the 3 dot era (Join Date Nov 2001, Posts 1,540)

    Yep, thx Vorlin,

    If you don't want to spend time (more or less, depending on your Linux and protocols knowledge) configuring iptables, IP masquerading, ... use that BBIagent on a cheap box.
    After installation you can even remove the keyboard and the monitor from the box without a prob... so the only thing you need is a computer case, an old motherboard, RAM, an FDD, 2 NICs and 1 floppy...

  10. #10 Senior Member (Join Date Nov 2001, Posts 1,255)

    Originally posted by autumn regret
    directly from the http://www.unixgeeks.org site:
    As you can see, ipchains has the ability to forward packets to and from various network interfaces. Coupled with the IP masquerading, would you not say that this is a NAT solution?
    I did not say that ipchains wasn't a NAT solution. IP Masquerading is different from NAT in that IP Masquerading takes one public IP address and allows several PCs on the same LAN to share it and access the internet at once, while NAT is a straight translation of public IP's port into a LAN IP's port and vice versa.

    NAT is far more complicated than Masquerading.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
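The setup asked for in the opening post, together with the masquerade-versus-NAT distinction drawn in the last two replies, as an added shell example (not posted by anyone in this thread): a two-NIC Linux gateway that masquerades the LAN, accepts FTP and HTTP on the box itself, and DNATs one inbound port to a LAN host. The interface names eth0/eth1, the 192.168.1.0/24 subnet and the 192.168.1.102 target are assumptions; run it with IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: two-NIC Linux NAT gateway with a
# default-deny filter. Assumed names: WAN eth0, LAN eth1, LAN 192.168.1.0/24.
# Run with IPT=echo to print the iptables commands instead of applying them.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
apply_rules() {
    # Clean slate; drop anything not explicitly allowed into, or across, the box.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections this box already opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services on the gateway itself: FTP and HTTP from anywhere, SSH only from
    # the LAN. Passive FTP data connections count as RELATED only when the
    # ip_conntrack_ftp (nf_conntrack_ftp on newer kernels) module is loaded.
    $IPT -A INPUT -p tcp --dport 21 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT

    # Masquerading: LAN hosts share the cable modem's single, dynamic address.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# DNAT, the "NAT" the thread argues about: rewrite one inbound TCP port to a LAN
# host. Matching on -i "$WAN" instead of an address survives a dynamic public IP;
# the translated packet still needs a FORWARD rule because that policy is DROP.
forward_port() {
    port="$1"; target="$2"
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
        -j DNAT --to-destination "$target:$port"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$target" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then                # as root: sh nat-gw.sh apply
    echo 1 > /proc/sys/net/ipv4/ip_forward     # let the kernel route between NICs
    apply_rules
    forward_port 80 192.168.1.102              # constructed: web server on a LAN host
fi
```

Without the `apply` argument the script only defines the functions, so it can be sourced and the rule set inspected before anything is changed on a live box.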
