  1. #11 phpcs (Just Joined!, Join Date Sep 2007, Posts 16)

    Quote, originally posted by coopstah13:
        he wants you to post your current iptables rules so he can look at them
    I did, in my past posts. Didn't I?

  2. #12 Lazydog (Linux Guru, Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    Quote, originally posted by phpcs:
        I did, in my past posts. Didn't I?
    I really hope not! That single rule does nothing to protect your system from the evils of the internet.

    Then again without knowing your network setup I cannot say for sure.

    Please answer my last request.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #13 phpcs (Just Joined!, Join Date Sep 2007, Posts 16)
    Quote, originally posted by Lazydog:
        I really hope not! That single rule does nothing to protect your system from the evils of the internet.

        Then again without knowing your network setup I cannot say for sure.

        Please answer my last request.
    Believe me, it's the only rule.

    And I have 4 IPs on my eth0 (the only network card that I have).

  4. #14 Lazydog (Linux Guru, Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    OK, what does your network look like?

    [Internet] <-> <your box>?

    [Internet] <-> <firewall> <-> <your box>?

    [Internet] <-> ?

    Regards
    Robert


  5. #15 phpcs (Just Joined!, Join Date Sep 2007, Posts 16)
    [Internet (VPN server)] <-> [Internet (VPN client)]

    I'm on a trip and connected to the internet, and my server is in a DC in LA.

  6. #16 Lazydog (Linux Guru, Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    OK, public IPs (4) on a system that is directly connected to the internet.

    First thing I would do is set up a firewall to protect my server. Some thought has to go into how and what you want to connect.
    Also you have to think about what you want to leave the server (new connections).

    What you want to be able to connect (not sure what all this server is used for so I'll stay with what I already know):
    1. VPN
    2. SSH

    You want SSH for safety reasons, in case something goes wrong with the VPN connection.

    Do the following:
    Code:
    cd /etc/sysconfig
    mv iptables iptables.org   # (safe copy)
    vi iptables
    Place the following code into this file
    Code:
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT  -i lo -j ACCEPT
    -A INPUT  -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT  -i eth0 -p tcp --dport <VPN PORT> -m state --state NEW -j ACCEPT
    -A INPUT  -i eth0 -p tcp --dport 22 -m state --state NEW -m limit --limit 3/hour -j ACCEPT
    # (not really needed but I like to do this as a sort of security blanket)
    -A INPUT  -j DROP
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # (same reason as above)
    -A OUTPUT -j DROP
    COMMIT
    You will notice that I did not set up any MASQ rules. This is because you told me that all your IP addresses are public, so MASQ is not needed.

    Replace <VPN PORT> with the port you are using for VPN.
    Remove everything, including the (), from the above text when placing it into the file.

    What does this allow?
    VPN connections from the internet in.
    It also allows 3 connections an hour from SSH in.

    Next you want to set up ssh to allow key logins only. This will stop the password guessing game from hackers. I'll allow you to figure this one out as it really isn't hard at all and there are enough web pages that tell you how to do this. I would suggest you not invoke this firewall setup until you have set up and tested ssh. This is your back door in when VPN fails, but if this is not set up correctly you will not have access to your box.

    All of this you can expand on with a little reading. I would look at this page for firewall setup:
    Iptables Tutorial 1.2.1

    Search google for setting up ssh keys.

    Regards
    Robert

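The ruleset from the post above, as an added example that is not code from the original post or from Lazydog: a shell script that generates the iptables-restore file with the VPN port validated and the chain-policy syntax iptables-restore actually accepts, and loads it with a timed rollback so that the lockout the post warns about cannot happen on a box in a remote DC. Assumptions not stated on the page: the WAN interface is eth0, the VPN listens on TCP unless you pass udp, and iptables-save and iptables-restore are installed.

```shell
#!/bin/sh
# Added example (not code from the original post): generates the
# iptables-restore file described above and loads it with a timed
# rollback so a typo cannot lock you out of a box in a remote DC.
# Assumptions not stated on the page: the WAN interface is eth0, the
# VPN listens on TCP unless you pass "udp", and iptables-save and
# iptables-restore are installed.

# gen_rules PORT [PROTO]  -> writes an iptables-restore file to stdout
gen_rules() {
    port=$1
    proto=${2:-tcp}
    # refuse anything that is not a port number in 1..65535
    case "$port" in
        ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "gen_rules: port $port out of range" >&2; return 1
    fi
    case "$proto" in
        tcp|udp) ;;
        *) echo "gen_rules: proto must be tcp or udp" >&2; return 1 ;;
    esac
    # lines starting with # are ignored by iptables-restore; because only
    # *filter appears in the file, only the filter table is replaced and
    # an existing nat table is left untouched
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections already in the state table
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# new VPN sessions from anywhere
-A INPUT -i eth0 -p $proto --dport $port -m state --state NEW -j ACCEPT
# new SSH sessions, rate limited; --limit-burst defaults to 5, so the
# first five SYNs pass at once and the bucket then refills at 3/hour
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m limit --limit 3/hour -j ACCEPT
COMMIT
EOF
}

# apply_with_rollback PORT [PROTO] [SECONDS]
# Saves the live ruleset, loads the new one and restores the old one
# after SECONDS unless you cancel it. Once you have confirmed you can
# still log in:  kill "$(cat /var/run/fw-rollback.pid)"
apply_with_rollback() {
    port=$1; proto=${2:-tcp}; secs=${3:-120}
    backup=$(mktemp /tmp/iptables.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    if ! gen_rules "$port" "$proto" | iptables-restore; then
        echo "load failed, keeping old rules" >&2
        return 1
    fi
    ( sleep "$secs"; iptables-restore < "$backup" ) &
    echo $! > /var/run/fw-rollback.pid
    echo "new rules loaded; old rules come back in ${secs}s unless you kill $(cat /var/run/fw-rollback.pid)"
}
```

Run `gen_rules 1194 udp > /etc/sysconfig/iptables` to produce the file, or `apply_with_rollback 1194 udp 180` as root to load it live; open a second SSH session within the window and kill the rollback only once the new session works. Note that the ruleset still has OUTPUT DROP for new connections, so the server itself cannot open DNS, NTP or package-update connections until you add rules for those.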

  7. #17 phpcs (Just Joined!, Join Date Sep 2007, Posts 16)
    Lazydog, you are very kind, thank you so much.
    But is it the solution for my problem? (Look at my first post.)

    The crux is:
    I have a VPN server (please don't go into security issues) with 4 IPs on eth0, eth0:0, eth0:1, eth0:2.
    I can connect to the VPN server with each of these IPs. No problem yet.
    And I have an iptables rule to do the NAT (to forward all of my packets with the VPN server's IP).
    This is the rule:

    iptables --table nat --append POSTROUTING \
    --out-interface eth0 --jump MASQUERADE

    As you can see, this rule forwards all of my packets from eth0, but I want that if I'm connected to the VPN via eth0:0, all of my packets are forwarded via eth0:0.
    I think it can be done by some iptables rules.

    So please help me with the NAT rules.

    Thank you all.
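The NAT side of the question above, as an added example that is not from the thread: MASQUERADE rewrites the source to whatever address routing selects for the outgoing interface (in practice the primary one), so it cannot prefer eth0:0 over eth0; SNAT --to-source names the address explicitly. This script generates one SNAT rule per VPN client pool. Assumptions not stated on the page: each public address runs its own VPN instance handing out its own client subnet, the subnets are 10.8.x.0/24, and 203.0.113.x are RFC 5737 documentation addresses standing in for the four real ones.

```shell
#!/bin/sh
# Added example (not code from the thread). MASQUERADE rewrites the
# source to whatever address routing picks for the outgoing interface,
# in practice the primary one, so it cannot prefer eth0:0 over eth0.
# SNAT --to-source names the address explicitly. This generates one SNAT
# rule per VPN client pool.
# Assumptions not stated on the page: each public IP runs its own VPN
# instance with its own client subnet; 203.0.113.x are RFC 5737
# documentation addresses standing in for the real four.

# constructed mapping: "client_subnet public_address", one per line
POOLS='
10.8.0.0/24 203.0.113.10
10.8.1.0/24 203.0.113.11
10.8.2.0/24 203.0.113.12
10.8.3.0/24 203.0.113.13
'

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with octets 0..255
valid_ipv4() {
    ip=$1
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_cidr NET -> 0 if NET is ADDR/PREFIX with PREFIX 0..32
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    valid_ipv4 "$addr" || return 1
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ]
}

# gen_snat_rules WAN_IF -> writes an iptables-restore nat table to stdout
gen_snat_rules() {
    wan=$1
    rules=''
    # build the rules first, so nothing is emitted if the table is bad
    while read -r net pub; do
        [ -n "$net" ] || continue
        valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
        valid_ipv4 "$pub" || { echo "bad address: $pub" >&2; return 1; }
        # packets from this client pool leaving via the WAN interface get
        # exactly this source address; conntrack un-NATs the replies
        rules="$rules-A POSTROUTING -s $net -o $wan -j SNAT --to-source $pub
"
    done <<EOF
$POOLS
EOF
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n%sCOMMIT\n' "$rules"
}
```

Load the output with `gen_snat_rules eth0 | iptables-restore` after removing the MASQUERADE rule; because the file only names the nat table, the filter table is left alone. SNAT by itself does not pass client traffic: the default-DROP filter from the earlier post also needs FORWARD rules accepting packets from the VPN interface out to eth0 (plus the ESTABLISHED,RELATED return path) and net.ipv4.ip_forward=1.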

  8. #18 Lazydog (Linux Guru, Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    If you have been reading what I have been posting all along about public IPs and NAT, you would know that you do not need to use NAT for public IPs if you want to use them all.

    Here is what I am understanding;

    You have a server with 4 ip addresses. You want to be able to connect to all 4 ip addresses when you are on the road. Am I missing something?

    Why are you using NAT? Just because the interfaces are eth0, eth0:0, eth0:1 and eth0:2 doesn't mean that you need to use NAT.
    They are all equally connected to the network on that one interface.

    I think you are trying to make this harder than it really needs to be.

    Regards
    Robert


  9. #19 phpcs (Just Joined!, Join Date Sep 2007, Posts 16)
    Quote, originally posted by Lazydog:
        You have a server with 4 ip addresses. You want to be able to connect to all 4 ip addresses when you are on the road. Am I missing something?
    No, you know what I want.

    If not NAT, how do I change the IP?

  10. #20 Lazydog (Linux Guru, Join Date Jun 2004, Location The Keystone State, Posts 2,677)
    OK, I have re-read your posts again. I'm still not understanding what you are trying to do.

    Please explain in DETAIL what it is you are trying to do.
    Give examples!!

    Regards
    Robert

