[H-GEN] IPTABLES
Conor Cunningham
cunningtek at optusnet.com.au
Tue Nov 8 23:52:01 EST 2005
Rick,
I find your description a bit ambiguous, but I can guide you in the
right direction (hopefully).
What I think you will need are some stateful packet filter rules using
iptables.
Correct me if I am wrong, but you have the following setup:
                          B
                         /
                        / eth0
    A ----- ethx ----- NAT BOX
                        \ eth1
                         \
                          C
Firstly, on your rules above, you have used the -d flag and not
specified a destination. You can be very specific with iptables, and it
is a good idea to do so. (imho)
On the NAT box I would use the following basic rules.
iptables -F # flush all chains
iptables -P INPUT DROP # set policies to drop everything
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# I am assuming that your NAT box is acting as a router and is forwarding packets, so in turn we will ignore for now (you will need to do more research by looking at the HOWTOs and IPTABLES docs. They are very bloody useful - ok, let's crack on.) the INPUT and OUTPUT chains and concentrate on the FORWARD chain.
iptables -A FORWARD -p tcp -s B -d A -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s C -d A -m state --state NEW,ESTABLISHED -j ACCEPT
These two rules will allow any TCP data coming from B or C with a destination of A to be forwarded through the NAT box.
The following rules will allow A to send communications to B and C if and only if they have been requested from B or C and are TCP:
iptables -A FORWARD -p tcp -s A -d B -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s A -d C -m state --state ESTABLISHED -j ACCEPT
These are the basics you will need to get going. You can get quite a bit more specific with iptables by using source ports and destination ports. Remember that servers listen on low ports 1 - 1024 and generally send data back to the high ports >= 1025. You can also keep track of ports so your rules are dynamic (I think).
One last example. Below is a rule for HTTP comms from B to A.
iptables -A FORWARD -i eth0 -o ethx -p tcp -s B -d A --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ethx -o eth0 -p tcp -s A -d B --dport 1024:65535 --sport 80 -m state --state ESTABLISHED -j ACCEPT
Note that I have also included the interfaces in these rules - this makes things a little more specific/secure. -o is the interface on which the data is leaving and -i is the interface on which the data is entering.
There is quite a bit more to iptables than seen in your previous E-Mail,
and indeed mine. Practice is the best bet. I did four or so months of
this stuff at uni during pracs and in assignments. It was a great way to
learn and become reasonably confident with iptables. Saying that, I have
now finished uni and I am not working in the industry as I am moving to
Germany soon so I may have made a mistake above. So in other words,
have a good read and check my rules.
hope this helps mate,
ciao,
...conor
rickp at suntech.net.au wrote:
>[ Humbug *General* list - semi-serious discussions about Humbug and ]
>[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
>
>I am hopeless at iptables and need a rule which will block attempts to
>communicate with other servers on a net via multiple ethernet connections.
>In other words Server A is on the internet behind NAT and is connected to
>network B via eth0 and network C via eth1. I need to prevent access from
>server A to B and C but allow B & C to connect to A.
>
>I can't afford to get this wrong and need some help. Would -
>
>IPTABLES -A OUTPUT -d -o eth0 -j DROP
>IPTABLES -A OUTPUT -d -o eth1 -j DROP
>
>do the trick?
>
>I need to put these in a script which runs at startup to reload them do I
>not?
>
>Thanks in advance,
>
>Rick Phillips
>
>_______________________________________________
>General mailing list
>General at lists.humbug.org.au
>http://lists.humbug.org.au/cgi-bin/mailman/listinfo/general
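Added example, not from either message in the thread: the stateful FORWARD policy Conor describes (default DROP everywhere, new TCP connections only from B or C towards A, replies allowed back), written as an iptables-restore ruleset so it can be reviewed as text, saved to a file, and reloaded at boot, which answers Rick's startup question. It generalizes the per-host ESTABLISHED rules in the reply into one ESTABLISHED,RELATED rule that covers both directions. All addresses and interface names are placeholders I made up; the thread never gives real ones.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders only; override via the environment.
A_HOST="${A_HOST:-192.0.2.10}"        # server A behind the NAT box (placeholder)
B_NET="${B_NET:-198.51.100.0/24}"     # network B (placeholder)
C_NET="${C_NET:-203.0.113.0/24}"      # network C (placeholder)
IF_A="${IF_A:-ethx}"                  # interface towards A (placeholder)
IF_B="${IF_B:-eth0}"                  # interface towards B (placeholder)
IF_C="${IF_C:-eth1}"                  # interface towards C (placeholder)

# Emit the filter table in iptables-restore format. Every chain defaults to DROP;
# only the FORWARD chain is opened, and only for connections B or C start towards A.
forward_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Packets of a connection already accepted below, in either direction.
# No space after the comma: "NEW, ESTABLISHED" is two shell words and iptables rejects it.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New TCP connections are accepted only when they enter from B or C and leave towards A.
-A FORWARD -i $IF_B -o $IF_A -p tcp -s $B_NET -d $A_HOST -m state --state NEW -j ACCEPT
-A FORWARD -i $IF_C -o $IF_A -p tcp -s $C_NET -d $A_HOST -m state --state NEW -j ACCEPT
# Anything A initiates towards B or C matches no rule and falls through to the DROP policy.
COMMIT
EOF
}

# Returns 0 when no rule line uses the broken "STATE, STATE" form seen in the thread.
rules_well_formed() {
    if forward_rules | grep -q -- '--state [A-Z]*, '; then
        return 1
    fi
    return 0
}

# Number of rules that open a NEW connection; for this layout it must be exactly two.
count_new_rules() {
    forward_rules | grep -c -- '--state NEW '
}

# Dry run by default; APPLY=1 loads the table atomically with iptables-restore (needs root).
# For reload at boot, save the output to a file and run "iptables-restore < that-file"
# from your distribution's startup script.
load_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        forward_rules | iptables-restore
    else
        forward_rules
    fi
}

if [ "${1:-}" = "show" ]; then
    load_rules
fi
```

Run it as "sh rules.sh show" to see the table without touching the kernel; the two check functions are there so a typo in the state list or a missing rule is caught before anything is loaded. The NAT box also needs IP forwarding enabled for the FORWARD chain to see any traffic at all.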