  1. #1
    Just Joined!
    Join Date
    Nov 2004
    Posts
    1

    Urgent! need to configure port forwarding in firewall


    My university has 2 computer labs, CSI and Networking...and it's required that a firewall be set up between them on the Linux machine (IP: 192.168.0.1) in the Networking lab. This machine has 2 NICs: eth0 (for traffic from the networking lab) and eth1 (IP: 10.0.0.40, for traffic from the CSI lab). The firewall is not the server; a computer in the CSI lab (IP: 10.0.0.2) offers ftp, ssh and http services. I need the computers in the networking lab to be able to access these services through the firewall as if the firewall was the server (I think this requires port forwarding), but block computers in the CSI lab from accessing any service on the firewall machine. I wrote a firewall program but it doesn't allow any of the services. Can you please check to see where my error could be?...Thanks in advance!

    Code:
    # Generated by iptables-save v1.2.10 on Tue Nov 23 18:03:24 2004
    *nat
    :PREROUTING ACCEPT [1439:195200]
    :POSTROUTING ACCEPT [132:10642]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -d 192.168.0.1 -p tcp -m tcp --dport 20 -j DNAT --to-destination 10.0.0.2:20 
    -A PREROUTING -d 192.168.0.1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.0.2:21 
    -A PREROUTING -d 192.168.0.1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.2:22 
    -A PREROUTING -d 192.168.0.1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80 
     
    COMMIT
    # Completed on Tue Nov 23 18:03:24 2004
    # Generated by iptables-save v1.2.10 on Tue Nov 23 18:03:24 2004
    *filter
    :INPUT DROP [423:64498]
    :FORWARD DROP [193:13909]
    :OUTPUT DROP [74:5008]
    -A INPUT -d 192.168.0.1 -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT 
    -A INPUT -d 192.168.0.1 -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT 
    -A INPUT -d 192.168.0.1 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
    -A INPUT -d 192.168.0.1 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
    -A INPUT -d 192.168.0.1 -i eth1 -p tcp -m tcp --sport 80 -j ACCEPT 
    -A INPUT -d 192.168.0.1 -i eth1 -p tcp -m tcp --sport 22 -j ACCEPT 
    -A INPUT -d 192.168.0.1 -i eth1 -p tcp -m tcp --sport 21 -j ACCEPT 
    -A INPUT -d 192.168.0.1 -i eth1 -p tcp -m tcp --sport 20 -j ACCEPT 
    -A INPUT -d 127.0.0.1 -i lo -j ACCEPT 
    -A INPUT -d 192.168.0.1 -i eth0 -p icmp -j ACCEPT 
    -A INPUT -i eth1 -j LOG 
    -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
    -A INPUT -d 10.0.0.40 -i eth1 -p icmp -j ACCEPT 
    -A INPUT -d 10.0.0.40 -i eth0 -p icmp -j ACCEPT 
    -A FORWARD -d 10.0.0.2 -i eth0 -p tcp -m tcp --dport 20 -j REJECT --reject-with icmp-port-unreachable 
    -A FORWARD -d 10.0.0.2 -i eth0 -p tcp -m tcp --dport 21 -j REJECT --reject-with icmp-port-unreachable 
    -A FORWARD -d 10.0.0.2 -i eth0 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable 
    -A FORWARD -d 10.0.0.2 -i eth0 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable 
    -A FORWARD -i eth1 -o eht0 -m state --state RELATED,ESTABLISHED -j REJECT --reject-with icmp-port-unreachable 
    -A FORWARD -s 10.0.0.40 -i eth0 -j DROP 
    -A FORWARD -s 10.0.0.40 -i eth1 -j DROP 
    -A FORWARD -i eth1 -p icmp -j REJECT --reject-with icmp-port-unreachable 
    -A FORWARD -f -j REJECT --reject-with icmp-port-unreachable 
    -A FORWARD -i eth0 -j LOG 
    -A FORWARD -i eth1 -j LOG 
    -A FORWARD -i eth0 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable 
    -A OUTPUT -o eth1 -p icmp -j ACCEPT 
    -A OUTPUT -o eth0 -p icmp -j ACCEPT 
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -j ACCEPT 
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -j ACCEPT 
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
    -A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
    -A OUTPUT -o eth1 -p tcp -m tcp --sport 20 -j ACCEPT 
    -A OUTPUT -o eth1 -p tcp -m tcp --sport 21 -j ACCEPT 
    -A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -j ACCEPT 
    -A OUTPUT -o eth1 -p tcp -m tcp --sport 80 -j ACCEPT 
    -A OUTPUT -o lo -j ACCEPT 
    -A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
    COMMIT
    # Completed on Tue Nov 23 18:03:24 2004

  2. #2
    Just Joined!
    Join Date
    Oct 2004
    Posts
    49
    You always need two lines in the rules:

    /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d nnn.nnn.nnn.nnn --dport nn -j DNAT --to xxx.xxx.xxx.xxx:port

    /sbin/iptables -A FORWARD -p tcp -i ethX -d xxx.xxx.xxx.xxx --dport port -j ACCEPT
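A complete ruleset for the layout in the question, built around the DNAT + FORWARD ACCEPT pair the reply above describes, with conntrack state for the return traffic and the CSI side shut out of the firewall's own INPUT chain. This is an added example, not code from either post; it assumes eth0 faces the Networking lab (192.168.0.1), eth1 faces the CSI lab (10.0.0.40) and the server is 10.0.0.2, as stated in the question.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's or replier's code).
# Assumed layout: eth0 = Networking lab side (192.168.0.1),
#                 eth1 = CSI lab side (10.0.0.40), server = 10.0.0.2.
IPT="${IPT:-/sbin/iptables}"   # IPT=echo prints the rules instead of applying them
FW_NET=192.168.0.1
SERVER=10.0.0.2
PORTS="20 21 22 80"

flush_all() {
    $IPT -t nat -F
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

forward_port() {
    port=$1
    # 1) nat/PREROUTING: rewrite the destination of packets that arrive from
    #    the Networking lab addressed to the firewall
    $IPT -t nat -A PREROUTING -i eth0 -p tcp -d "$FW_NET" --dport "$port" \
        -j DNAT --to-destination "$SERVER:$port"
    # 2) filter/FORWARD: the rewritten packet must also be allowed through
    #    toward the server; without this line the DNAT rule alone does nothing
    $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d "$SERVER" --dport "$port" -j ACCEPT
}

build_rules() {
    flush_all
    # replies from the server (and FTP data connections) are matched by state,
    # so no per-port --sport rules are needed in the reverse direction
    $IPT -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    for p in $PORTS; do forward_port "$p"; done
    # the firewall host itself: loopback, replies to its own traffic, pings from eth0
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
    # CSI lab machines get no service on the firewall: log, then the DROP policy applies
    $IPT -A INPUT -i eth1 -m state --state NEW -j LOG --log-prefix "csi-to-fw: "
}

# apply only when explicitly asked; the FORWARD chain is never consulted
# unless IP forwarding is switched on
if [ "${1:-}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules
fi
```

Run as root with `sh fw.sh apply`; FTP data connections additionally need the kernel's FTP conntrack/NAT helper loaded (ip_nat_ftp on kernels of that era, nf_nat_ftp today) for the RELATED state match to cover them.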
