  #1 ganesh_1975 (Just Joined!)

    iptables help - 1 wan - 2 lan


    Dear All,

    Our question is regarding iptables and networking with Firewall.

    Please kindly help me with this problem, or point me to previous posts with similar solutions. Thank you all.

    We have a Linux box acting as firewall and proxy; it has 3 NICs:

    eth0 - WAN IP - static IP provided by the ISP

    eth1 - LAN 1 IP - 10.0.0.200 - this is the gateway for the LAN clients (10.0.0.0)

    eth2 - LAN 2 IP - 192.168.0.200 - this connects the 2nd LAN, where Internet access is not allowed


    We are comfortable with NAT and port forwarding from the Internet,

    i.e.
    1.) The Internet is accessible from terminals connected to eth1

    2.) From the WAN, clients connect to ports 21 and 5900 on the terminals connected to eth1.


    Now, the requirement is that we would like to connect a single terminal, 10.0.0.211 on eth1, with a terminal 192.168.0.211 on eth2 through port 21 for some FTP access:


    (eth1) 10.0.0.211 ----> (eth2) 192.168.0.211:21


    Please help us in creating iptables rules for this requirement.

    Currently, from the Linux firewall box:

    1.) we are able to ping 192.168.0.211 (through eth2 - 192.168.0.200)
    2.) we are also able to ping 10.0.0.211 (through eth1 - 10.0.0.200)

    3.) But we cannot telnet to port 21 on 192.168.0.211 from 10.0.0.211 (connected to eth1)

    Kindly help us to solve this problem,

    Thanks / S Ganesh

  #2 Lazydog (Linux Guru)
    Is forwarding turned on from eth1 to eth2?

    A simple rule:
    Code:
    # --dport is an option of the tcp/udp match, so -p tcp must come before it
    iptables -A FORWARD -s 10.0.0.211 -d 192.168.0.211 -p tcp --dport 21 -j ACCEPT
    I don't know your rules, so I do not know how your firewall is set up well enough to give you an exact rule.

    Check out this TUTORIAL for more information.

    Regards
    Robert

    Linux - The adventure of a life time.
    Linux User #296285

  #3 ganesh_1975 (Just Joined!)
    Thanks for your reply.

    Here are my existing rules:

    sudo iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j DROP
    sudo iptables -A FORWARD -i eth0 -o eth0 -j DROP

    sudo iptables -A FORWARD -d 10.0.0.0/24 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    sudo iptables -t nat -A POSTROUTING -j ACCEPT

    sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-dest 10.0.0.151:3389
    sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-dest 10.0.0.151:22

    But when I issue the rule given by you,

    Code:
    iptables -A FORWARD -s 10.0.0.211 -d 192.168.0.211 -p tcp --dport 21 -j ACCEPT

    I still could not telnet from 10.0.0.211 using:

    telnet 10.0.0.200 21

    I am a noob to both Linux and iptables, please correct me where I am going wrong.

    Thanking you,

    S Ganesh

  #4 Lazydog (Linux Guru)
    Change the following
    Code:
    iptables -A FORWARD -s 10.0.0.211 -d 192.168.0.211 -p tcp --dport 21 -j ACCEPT
    to

    Code:
    # -I inserts at the top of the chain instead of appending after the existing rules
    iptables -I FORWARD -s 10.0.0.211 -d 192.168.0.211 -p tcp --dport 21 -j ACCEPT

    Regards
    Robert


  #5 ganesh_1975 (Just Joined!)
    Thanks,

    Things are working now; I am able to use the FTP server.

    The problem was that I had not configured the clients' gateway entries.

    Thanks for your guidance.

    Now, another request.

    We have a multicast service running on IP 192.168.111.1 on eth2,


    but the other system, with its IP on eth, cannot join the multicast group,

    so we could not use the software based on this multicast data.

    the multicast server details are as given below,

    windows 2003 server hosting Multicasting server
    ip - 19
    udp - 7789
    udp 7790
    udp 9602

    multicast server IP - 233.1.2.5

    My Firewall Box details

    Ubuntu - 8.10 server edition - 2.6.27 kernel
    i am using ufw for firewall (but currently disabled)

    wan - 192.168.1.200
    eth1 - 192.168.0.200
    eth2 - 192.168.111.200


    my other pc which is supposed to receive multicast data

    windows 2000 professional
    ip - 192.168.0.203 on eth1


    Kindly guide me on how to receive multicast data through the Ubuntu router from eth2 to eth1.

    thanks / S Ganesh

  #6 Lazydog (Linux Guru)
    Quote, originally posted by ganesh_1975:
        Kindly guide me on how to receive multicast data through the Ubuntu router from eth2 to eth1.

        thanks / S Ganesh
    I think it's about time you read the TUTORIAL for iptables.
    Read up on allowing traffic from/to IP addresses.

    Regards
    Robert


  #7 ganesh_1975 (Just Joined!)
    Thanks for your reply

    I installed mrouted on Ubuntu, and that solved the problem.

    But I do not know if I am going in the right direction.

    thanks / S Ganesh

  #8 ganesh_1975 (Just Joined!)
    Dear All,

    Help Again,

    We need your help again to achieve the following.

    Now both of our networks are able to communicate, i.e.

    from eth0 - 192.168.0.0/24

    to eth1 - 192.168.111.0/24 (both directions).

    Now the requirement is to allow only the FTP service on the computer at 192.168.111.1 on eth1;

    only computers from eth0 (192.168.0.0/24) will be using this FTP service.

    Kindly help us with this.

    I am using Ubuntu 8.10 with iptables.

    Currently I only masquerade from ppp0 to eth0,

    and this is my iptables -L -n output:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  192.168.1.0/24       0.0.0.0/0
    DROP       all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24      state RELATED,ESTABLISHED
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    and this is my iptables -L -t nat

    Code:
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             anywhere            tcp dpt:5900 to:192.168.0.203:5900
    DNAT       tcp  --  anywhere             anywhere            tcp dpt:www to:192.168.0.204:5938
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    Also please note that IP 192.168.111.1 is also a multicasting server.

    Thanking you,

    S Ganesh.

  #9 ganesh_1975 (Just Joined!)
    Let me put things more clearly.

    As of now, as said in my previous message regarding the iptables rules,

    currently,

    we are able to use the FTP service,

    but we are also able to use the other services, like Windows file sharing, accessing the Java Application Server at port 8080, etc.

    i.e., we have a few Windows systems on both networks, eth0 and eth1:

    eth0 - 192.168.0.0/24
    eth1 - 192.168.111.0/24

    so these few Windows terminals are able to establish Windows file sharing, access the Java server, etc.

    We would like to BLOCK all the traffic from eth0 to eth1 and vice versa (except port 21),

    but allow the eth0 network (192.168.0.0/24) computers to access the FTP service on the eth1-connected computer with IP 192.168.111.1 on port 21.

    So we need iptables rules to block all traffic both ways between eth0 and eth1 BUT allow 192.168.0.0/24 to access 192.168.111.1 on port 21.

    additional info

    Ours is a Linux box:

    eth0 - 192.168.0.200 - connecting the 192.168.0.0/24 network
    eth1 - 192.168.111.200 - connecting the 192.168.111.0/24 network

    eth2 - 192.168.1.200 - for wan traffic

    Thanking you,
    S Ganesh.

  #10 Lazydog (Linux Guru)
    Post the rules you have now and I'll see what you can do.

    Regards
    Robert

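Added example, not posted by anyone in this thread: one script that pulls together the points raised across it. It answers post #2's first question (is the kernel forwarding at all), uses the `-p tcp --dport 21` form that the rule in posts #2 and #4 needs, and implements the post #9 requirement of dropping everything between the two LANs except 192.168.0.0/24 to the FTP control port on 192.168.111.1. It uses the addressing from post #9 (eth0 = 192.168.0.200/24 clients, eth1 = 192.168.111.200/24 holding the FTP and multicast server 192.168.111.1, eth2 = WAN). The interface variables, log prefixes, script name and the `nf_conntrack_ftp` module name are assumptions for the poster's 2.6.27 kernel, not taken from the thread. The FTP helper matters because FTP opens a second TCP connection for data; without the helper a default-deny FORWARD chain will let the login succeed and then break every directory listing and transfer.

```sh
#!/bin/sh
# Added example for this thread, not any poster's code. Default-deny forwarding
# between the two LANs with a single FTP exception, using post #9's addressing.
# Assumptions: interface names, log prefixes, nf_conntrack_ftp module name.
# Usage: "./lanfw.sh show" prints the rules, "./lanfw.sh apply" loads them.
IPT="${IPT:-iptables}"           # set IPT="echo iptables" for a dry run
MODPROBE="${MODPROBE:-modprobe}"

CLIENT_NET=192.168.0.0/24
CLIENT_IF=eth0
SERVER_IF=eth1
FTP_SERVER=192.168.111.1
MCAST_GROUP=233.1.2.5
MCAST_PORTS=7789,7790,9602

# Post #2's first question: unless the kernel forwards, the FORWARD chain is
# never consulted. Returns 0 if enabled, 1 if disabled, 2 if it cannot be read.
check_forwarding() {
    [ -r /proc/sys/net/ipv4/ip_forward ] || return 2
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# FTP opens a second TCP connection for data (server port 20 -> client in
# active mode, client -> random high port on the server in passive mode). The
# conntrack FTP helper parses the PORT/PASV exchange on the control channel and
# marks that data connection RELATED, so the state rules below accept it without
# opening the high ports to everything.
load_ftp_helper() {
    $MODPROBE nf_conntrack_ftp
}

# Inter-LAN policy. Rules are appended in order: accepts first, catch-all drops
# last. Flush any earlier FORWARD rules that could match inter-LAN traffic before
# applying, and verify the order with "iptables -L FORWARD -v -n".
lan_policy_rules() {
    # Replies and RELATED FTP data connections for sessions already accepted.
    $IPT -A FORWARD -i $CLIENT_IF -o $SERVER_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $SERVER_IF -o $CLIENT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The single permitted new connection: client network -> FTP control port.
    # "-p tcp" must precede "--dport", otherwise iptables rejects the rule.
    $IPT -A FORWARD -i $CLIENT_IF -o $SERVER_IF -s $CLIENT_NET -d $FTP_SERVER -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Everything else between the two LANs, both directions: rate-limited log, then drop.
    $IPT -A FORWARD -i $CLIENT_IF -o $SERVER_IF -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP-0to1:"
    $IPT -A FORWARD -i $CLIENT_IF -o $SERVER_IF -j DROP
    $IPT -A FORWARD -i $SERVER_IF -o $CLIENT_IF -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP-1to0:"
    $IPT -A FORWARD -i $SERVER_IF -o $CLIENT_IF -j DROP
}

# Optional, for post #8's note that 192.168.111.1 is also the multicast server.
# mrouted (post #7) does the multicast routing, but the forwarded datagrams
# still pass the FORWARD chain, so once the drops above exist they must be
# allowed explicitly. Inserted with -I so it sits ahead of the catch-all drops.
# Receivers' IGMP joins are addressed to the router (INPUT chain), not forwarded.
multicast_rules() {
    $IPT -I FORWARD -i $SERVER_IF -o $CLIENT_IF -s $FTP_SERVER -d $MCAST_GROUP -p udp -m multiport --dports $MCAST_PORTS -j ACCEPT
}

case "${1:-}" in
    show)
        IPT="echo iptables"; MODPROBE="echo modprobe"
        load_ftp_helper; lan_policy_rules; multicast_rules ;;
    apply)
        if ! check_forwarding; then
            echo "net.ipv4.ip_forward is not 1; run: sysctl -w net.ipv4.ip_forward=1" >&2
            exit 1
        fi
        load_ftp_helper; lan_policy_rules; multicast_rules ;;
    *)
        echo "usage: $0 show|apply" >&2 ;;
esac
```

Run `./lanfw.sh show` first and read the generated rules top to bottom; the order is the policy. The NEW rule is deliberately narrow (one source network, one destination host, one port, one interface pair) and the two state rules carry everything else, which is what makes the FTP helper the linchpin: if `nf_conntrack_ftp` is not loaded, passive-mode data connections arrive as NEW and hit the DROP rules, and the resulting log lines with the `FWD-DROP-0to1:` prefix are the first thing to look for.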
