- 07-25-2009 #1 (Just Joined! - Join Date: Jul 2009 - Posts: 9)
iptables help - 1 wan - 2 lan
Dear All,
Our question is regarding iptables and networking with Firewall.
Please kindly help me with this problem, or forward me to the previous posts with the similar solutions, thanking you all
We have a Linux box doing firewall and proxy; it has 3 NICs:
eth0 - WAN IP - static IP provided by the ISP
eth1 - LAN 1 IP - 10.0.0.200 - this is the gateway for the LAN clients (10.0.0.0)
eth2 - LAN 2 IP - 192.168.0.200 - this connects the 2nd LAN, where internet is not allowed
We are comfortable with NAT, port forwarding from the Internet,
i.e.
1.) Internet is accessible from eth1 connected terminals
2.) From WAN, clients are connecting to port 21, and 5900 to the terminals connected with eth1 connection.
Now the requirement is that we would like to connect a single terminal, 10.0.0.211 on eth1, with a terminal 192.168.0.211 on eth2 through port 21 for some FTP access:
(eth1) 10.0.0.211 ----> (eth2) 192.168.0.211:21
Please help us in creating IPTables rules for this requirement
Currently, from the Linux firewall box:
1.) we are able to ping 192.168.0.211 (through eth2 - 192.168.0.200)
2.) we are also able to ping 10.0.0.211 (through eth1 - 10.0.0.200)
3.) But we cannot telnet to port 21 on 192.168.0.211 from the eth1-connected 10.0.0.211
Kindly help us to solve this problem,
Thanks / S Ganesh
- 07-26-2009 #2
Is forwarding turned on from eth1 to eth2?
A simple rule:
Code:
iptables -A FORWARD -s 10.0.0.211 -d 192.168.0.211 -p tcp --dport 21 -j ACCEPT
I don't know your rules, so I do not know how you have your firewall set up to give you an exact rule.
Check out this TUTORIAL for more information.
- 07-26-2009 #3 (Just Joined! - Join Date: Jul 2009 - Posts: 9)
Thanks for your reply.
Given here are my existing rules:
sudo iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j DROP
sudo iptables -A FORWARD -i eth0 -o eth0 -j DROP
sudo iptables -A FORWARD -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-dest 10.0.0.151:3389
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-dest 10.0.0.151:22
But when I issue the rule given by you,
iptables -A FORWARD -s 10.0.0.211 -d 192.168.0.211 -p tcp --dport 21 -j ACCEPT
I still could not telnet from 10.0.0.211 using
telnet 10.0.0.200 21
I AM NOOB TO BOTH LINUX AS WELL AS IPTABLES, PLEASE CORRECT ME WHERE I AM GOING WRONG
thanking you,
S Ganesh
- 07-27-2009 #4
Change the following
Code:
iptables -A FORWARD -s 10.0.0.211 -d 192.168.0.211 -p tcp --dport 21 -j ACCEPT
to
Code:
iptables -I FORWARD -s 10.0.0.211 -d 192.168.0.211 -p tcp --dport 21 -j ACCEPT
- 07-31-2009 #5 (Just Joined! - Join Date: Jul 2009 - Posts: 9)
Thanks,
things are working now; I am able to use the FTP server.
The problem was that I had not configured the clients' gateway entries.
Thanks for your guidance.
Now, another request:
we have a multicast service running on IP 192.168.111.1 on eth2,
but the other system, with its IP on eth, cannot join the multicast group,
so we could not use the software based on this multicast data.
The multicast server details are as given below:
Windows 2003 Server hosting the multicasting server
ip - 19
udp - 7789
udp 7790
udp 9602
multicast server ip -233.1.2.5
My Firewall Box details
Ubuntu - 8.10 server edition - 2.6.27 kernel
I am using ufw for the firewall (but it is currently disabled)
wan - 192.168.1.200
eth1 - 192.168.0.200
eth2 - 192.168.111.200
My other PC, which is supposed to receive the multicast data:
Windows 2000 Professional
ip - 192.168.0.203 on eth1
Kindly guide me on how to receive multicast data through the Ubuntu router from eth2 to eth1.
thanks / S Ganesh
- 08-01-2009 #6
I think it's about time you read the TUTORIAL for iptables.
Read up on allowing from/to ip addresses.
- 08-03-2009 #7 (Just Joined! - Join Date: Jul 2009 - Posts: 9)
Thanks for your reply.
I have installed mrouted in Ubuntu, and that solved the problem.
But I do not know if I am going in the right direction.
thanks / S Ganesh
- 08-05-2009 #8 (Just Joined! - Join Date: Jul 2009 - Posts: 9)
Dear All,
Help Again,
We need your help again to achieve the following.
Now both our networks are able to communicate, i.e.
from eth0 - 192.168.0.0/24
to eth1 - 192.168.111.0/24 (both directions).
Now the requirement is to use only the FTP service at the computer @ 192.168.111.1 on eth1;
only computers from eth0 - 192.168.0.0/24 will be using this FTP service.
Kindly help us on this.
I am using Ubuntu 8.10 with iptables.
Now I am only masquerading from ppp0 to eth0,
and this is my iptables -L -n output
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.1.0/24       0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24       state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
and this is my iptables -L -t nat
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:5900 to:192.168.0.203:5900
DNAT       tcp  --  anywhere             anywhere             tcp dpt:www to:192.168.0.204:5938

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ALSO PLEASE NOTE IP - 192.168.111.1 IS ALSO A MULTICASTING SERVER
Thanking you,
S Ganesh.
- 08-06-2009 #9 (Just Joined! - Join Date: Jul 2009 - Posts: 9)
Let me put things more clearly.
As said in my previous message regarding the iptables rules,
currently
we are able to use the FTP services,
but we are also able to use other services like Windows file sharing, accessing the Java application server at port 8080, etc.
I.e., we have a few Windows systems on both networks, eth0 and eth1:
eth0 - 192.168.0.0/24
eth1 - 192.168.111.0/24
so these few Windows terminals are able to establish Windows file sharing, access the Java server, etc.
We would like to BLOCK all the traffic from eth0 to eth1 and vice versa (except port 21),
but allow the eth0 network (192.168.0.0/24) computers to access the FTP service at the eth1-connected computer with IP 192.168.111.1 on port 21.
So we need iptables rules to block all traffic on both sides of eth0 and eth1 BUT allow 192.168.0.0/24 to access 192.168.111.1 on port 21.
additional info
ours is a Linux box
eth0 - 192.168.0.200 - connecting the 192.168.0.0/24 network
eth1- 192.168.111.200 - connecting 192.168.111.0/24 network
eth2 - 192.168.1.200 - for wan traffic
Thanking you,
S Ganesh.
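The following is an added example, not code from anyone in this thread, of a rule set that meets the requirement stated in post #9 (drop everything forwarded between eth0 and eth1 except 192.168.0.0/24 reaching 192.168.111.1 on tcp/21) while keeping the existing FORWARD rules from post #3 intact. It also illustrates the `-A` versus `-I` point from post #4: the jumps into the new chain are inserted at the top of FORWARD so they are evaluated before anything already there. Interface names and addresses are the ones given in post #9; the chain name `LAN_FTP` and the use of the `nf_conntrack_ftp` helper (so that FTP data connections are classified RELATED) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): FORWARD rules for the requirement in
# post #9. Interface names and addresses are from post #9; the chain name
# LAN_FTP is an assumption made here.
LAN_IF=eth0
LAN_NET=192.168.0.0/24
SRV_IF=eth1
FTP_SRV=192.168.111.1
CHAIN=LAN_FTP

# Print the iptables commands in the order they must be applied. iptables is
# first-match-wins: the ACCEPTs come before the catch-all DROPs, and the jumps
# into the new chain are inserted (-I) at the top of FORWARD, not appended (-A),
# so they run before the rules already present in FORWARD (post #4's point).
build_rules() {
    cat <<EOF
# FTP conntrack helper: lets the data connection match RELATED below (assumption)
modprobe nf_conntrack_ftp
iptables -N $CHAIN
iptables -A $CHAIN -i $LAN_IF -o $SRV_IF -s $LAN_NET -d $FTP_SRV -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -i $LAN_IF -o $SRV_IF -j DROP
iptables -A $CHAIN -i $SRV_IF -o $LAN_IF -j DROP
iptables -I FORWARD 1 -i $LAN_IF -o $SRV_IF -j $CHAIN
iptables -I FORWARD 2 -i $SRV_IF -o $LAN_IF -j $CHAIN
EOF
}

# Number of rules that would be added to the new chain; a quick sanity check.
rule_count() {
    build_rules | grep -c '^iptables -A'
}

# Load the rules only when running as root with iptables available; otherwise
# just print them so they can be reviewed first.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        build_rules | sh -e
    else
        echo "not root or iptables missing; printing rules instead:" >&2
        build_rules
    fi
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it without arguments to review the generated commands, and with `apply` as root to load them. Only traffic crossing eth0 and eth1 enters `LAN_FTP`; the WAN-side rules from post #3 stay in FORWARD below the two jumps and keep working unchanged.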
- 08-06-2009 #10
Post the rules you have now and I'll see what you can do.