iptables nat/masquerade - how to act as a basic firewall?
edit: SOLVED - see below for solution
Hi there,
I've inherited a gob of Linux hosts and so am learning linux from the bottom of the deep end of the pool (gotta say I'm warming up to Linux though - it's not half bad)
Right now iptables is confusing me and I could use some pointers as to how I can take a host using MASQEURADE rules between two NICs and have it only allow outbound connections, blocking inbound ones.
Current state:
iptables running on a reverse proxy host with two nics, one nic on a public IP in the DMZ, one on a private IP on a private LAN.
This box takes web requests from the DMZ and fires them at a cluster of webservers on the private net.
My predecessor has figured out that adding an iptables rule:
Code:
-A POSTROUTING -o eth1 -j MASQUERADE
Will allow hosts on the private net to get to the internet (rather handy)
The problem is, this also allows someone that owns any DMZ host to set up a route on it and connect directly to any port on any host on the private net *from the DMZ*
The Question:
How do I have the proxy host (the one with the MASQ rule) only do this from eth0 and going out eth1?
---------- Post updated at 09:24 AM ---------- Previous update was at 08:52 AM ---------- The Solution
Ah, I figured it out - but would still appreciate peer review if anyone has feedback on this.
Writing the question down must have helped my brain straighten the problem out as the solution popped into my head suddenly.
I need a FORWARD rule in the FILTER table because I'm trying to filter a forwarded packet.
I added these rules to the filter table and changed it's default policy to DROP:
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 45 11573 ACCEPT all -- any eth0 anywhere anywhere state RELATED,ESTABLISHED
2 414 36553 ACCEPT all -- eth0 any anywhere anywhere
I guess I could have had a DROP or REJECT rule that looked for a state of NEW on eth1 but I slightly prefer the paranoid approach of "drop it if I can't think of a reason not accept it" vs "accept it if I can't think of a reason to drop it"
So far, all seems to work.
Last edited by Smiling Dragon; 08-06-2013 at 06:24 PM..
Reason: Figured it out myself :)
My Device is connected to eth1 interface of the host and eth0 is connected to network.
Now when I am pinging google.com from device after executing below commands on host
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I am... (0 Replies)
Hi everyone,
I have a LAN with :
1 internet box (192.168.1.1)
1 Debian host (192.168.1.224)
3 Windows hosts (192.168.1.32/33/34)
The internet box is set to route all incoming traffic to the Debian host (DMZ).
Then the Debian host is set to accept certain packets and forward others... (0 Replies)
Hi, I am learning IPTables have this question.
My server is behind a firewall that does a PAT & NAT to the LAN address.
Internet IP: 68.1.1.23
Port: 10022
Server LAN IP: 10.1.1.23
port: 22
Allowed Internet IPs: 131.1.1.23, 132.1.1.23
I want to allow a set of IPs are to be able to... (1 Reply)
Hello, please can you help and explain me.
I have two servers. Both are RHEL6.
I use the first one like router and the second one for apache.
Router forwards 80 port on the second server and I can open that from the internet (mysite.com, for example). But I can not open mysite.com if i try to... (0 Replies)
Hello!
I have the following problem with iptables in Debian 6:
My server works as a router and it needs to log server external IP+port for all outgoing connections.
But after command SNAT or MASQUERADE traffic is "lost".
I mean no following rules can catch those traffic.
Everything looks... (0 Replies)
I've experienced this same issue with both the Endian Firewall Appliance and a Vyatta Firewall Appliance. Conversely, it works with a Draytek Firewall/Router.
I am trying to forward port 80 traffic to my internal web server which is located on the /24 subnet. I have an external static IP which... (0 Replies)
Hi,
I'm trying to use launchd to detect whether certain ports are opened
and if they are then to take some appropriate action, e.g. close the
port or, worst case scenario, down the whole net connection. Apparently,
force closing a port is not possible without killing the offending binary so... (3 Replies)
I have a script problem that I am not able to solve due my very limited understanding of unix/awk.
This is the contents of test.sh
awk '{print $1}'
From the prompt if I enter:
./test.sh Hello World
I would expect to see "Hello" but all I get is a blank line. Only then if I enter "Hello... (2 Replies)
Greetings to all.
My new firewall is giving me one hell of a problem.
I'm running iptables and masquerading my intranet
thru NAT. But here is the problem. Whenever I try
to FTP to a server outside of my lan I get a 500
illegal port error.
I've come to the conclusion that NAT is... (2 Replies)
08-06-2013
iptables nat/masquerade - how to act as a basic firewall?
