05-06-2004 #1 (Just Joined!; Join Date: May 2004; Posts: 2)
Routing between two Nics Internally
Hello another newbie to iptables here.
I have a RH9 router (2 NICs) set up internally with one NIC (one subnet) regarded as unsafe.
I do not wish to use NAT if I can help it, or maybe I do?
I would like to have the safe side "eth0" able to access the other subnet with basically no rules at all. For the unsafe eth1 subnet I would like to lock it down to only accept, say, FTP file transfers from a specific PC.
I have -P set to DROP for FORWARD, INPUT and OUTPUT, with an ICMP chain in FORWARD that allows pinging between the two PCs on either side, but I only want traffic to basically go one way.
I have RTFM but cannot find anything that talks about routing internally.
Thanks in advance, and hope this makes sense to someone.
Dave
05-06-2004 #2 (Linux User; Join Date: Jan 2003; Location: Cardiff, Wales; Posts: 478)
stuff
TCP/IP connections require data to be transmittable both ways, as TCP is connection orientated. So there has to be some handshaking as the PCs establish a communication tunnel. This means that data must be able to travel both ways across your router, although you only want the conversation to be initiated from the internal side.
I would look at "firestarter", as it provides a nice wizard GUI for this kind of thing.
I don't know if it will do everything you want out of the box; you will probably still need to set up some extra rules after the basic setup.
good luck
Kris
No trees were harmed during the creation of this message. It's made from a blend of elephant tusk and dolphin meat.
- 05-06-2004 #3
You have to use NAT to do this if you want to go through the router (which I'm assuming you do). Basically, it can be done with a few simple rules:
Code:
#!/bin/bash
IPTABLES="/sbin/iptables"
# set eth1_IP (the router's eth1 address) and safe_box_IP (the box on the safe side) before running
#makes everything leaving via eth1 seem to come from the router
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $eth1_IP
#add ports to this for diff services (traffic passing through the router hits FORWARD, not INPUT;
#--dport needs -p tcp)
$IPTABLES -A FORWARD -i eth1 -d $safe_box_IP -p tcp --dport 21 -m state --state NEW -j ACCEPT
#accept all related/established connections
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Edit that to your liking and add it to your script, and you should be good to go (although it IS 5am and I might've forgotten something).
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy
05-06-2004 #4 (Just Joined!; Join Date: May 2004; Posts: 2)
Thank you both very much for your replies.
Kpzani: I had an inkling that may be the case, but......
Somehow I got telnet to work in one direction with these rules.
-P default DROP on all
iptables -A FORWARD -p tcp --dport telnet -i eth0 -j ACCEPT
iptables -A FORWARD -p tcp --sport telnet -o eth0 -j ACCEPT
Unfortunately I'm not really sure how I stumbled on this! Do these seem right to you guys?
I will have a look at firestarter when I get the man off my back. Oh, the pressure of it all!
Sarumont: I also thought that NAT may have to be used, as I was bumbling around for a day and a half. I just thought it would be quicker for a newbie to do it without it. I needed to get this built for the Co. quickly... I am flying blind really.
Kpzani and Sarumont:
Are there any really good books out there on iptables? I am OK with Linux but this is my first venture into using iptables... started to sink pretty quickly!
Just a quickie:
To throw files over to a share, what ports do I need? 137 and 139? I'm not sure of the NT authentication port.
Thanks Guys
I owe you one.
Dave
- 05-06-2004 #5
Those rules are right, though they don't allow for any restrictions. Here's a tutorial on iptables that is pretty comprehensive:
IPTABLES tut
That should teach you all the basics of iptables.
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy
05-11-2004 #6 (Just Joined!; Join Date: May 2004; Location: Dordrecht, the Netherlands; Posts: 4)
To do routing, you do not need NAT. You only need NAT if you have one routable IP address and need to have all traffic appear to come from that one IP.
There's a couple of things to consider:
* clients need to know the route to the (untrusted) subnet. If the router is not the default gw of the subnet, additional routing has to be defined. Often, it's easiest to do this on the default gw. Additionally, reverse ARP can be used to advertise the hosts on the untrusted (eth0) subnet to the eth1 subnet.
* for routing, iptables is not the way to go. It mostly operates on another layer. Instead, use iproute2.
Please read the lartc howto: http://lartc.org/. It will enlighten you about how routing tables work internally and can be manipulated. As a primer into TCP/IP, I recommend TCP/IP Illustrated, Volume 1, by the late Richard Stevens.
05-17-2004 #7 (Linux Newbie; Join Date: Apr 2004; Posts: 158)
Hello,
All you need to do is to enable forwarding in your box...
echo 1 > /proc/sys/net/ipv4/ip_forward
or set it in /etc/sysctl.conf and run sysctl -p
//jonas
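As an added example, not code from anyone in this thread: a complete ruleset for the setup Dave describes, done the way post #6 suggests, with plain routing and no NAT. Everything in it is an assumption for illustration: eth0 is the trusted subnet 192.168.1.0/24, eth1 the untrusted subnet 192.168.2.0/24, the FTP server sits at 192.168.1.10 on the trusted side and 192.168.2.50 is the one untrusted host allowed to reach it; change the variables at the top. The FORWARD chain is stateful, so return packets for a connection the trusted side opened are accepted without opening the reverse port by hand (the point Kris makes about TCP needing both directions), and the untrusted side gets exactly one NEW-connection exception instead of an open telnet or FTP port.

```shell
#!/bin/sh
# Added example (not from the thread): stateful two-NIC policy in
# iptables-restore format. All addresses and interface names below are
# assumptions; override them from the environment.
TRUSTED_IF=${TRUSTED_IF:-eth0}
UNTRUSTED_IF=${UNTRUSTED_IF:-eth1}
TRUSTED_NET=${TRUSTED_NET:-192.168.1.0/24}
UNTRUSTED_NET=${UNTRUSTED_NET:-192.168.2.0/24}
FTP_SERVER=${FTP_SERVER:-192.168.1.10}
FTP_CLIENT=${FTP_CLIENT:-192.168.2.50}

# Emit the ruleset on stdout so it can be reviewed and diffed before it
# is loaded atomically with:  ruleset | iptables-restore
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# The router itself: loopback, and replies to connections it started.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: each interface may only carry its own subnet's sources.
-A FORWARD -i $TRUSTED_IF ! -s $TRUSTED_NET -j DROP
-A FORWARD -i $UNTRUSTED_IF ! -s $UNTRUSTED_NET -j DROP
# Return traffic for any connection already allowed (this is what lets TCP
# work without opening the reverse direction by port).
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Trusted side may open anything toward the untrusted side.
-A FORWARD -i $TRUSTED_IF -o $UNTRUSTED_IF -m state --state NEW -j ACCEPT
# Ping in both directions (echo replies are matched as ESTABLISHED above).
-A FORWARD -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
# Untrusted side: only one host may open FTP control to one server.
-A FORWARD -i $UNTRUSTED_IF -o $TRUSTED_IF -s $FTP_CLIENT -d $FTP_SERVER -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Record what the untrusted side tried before the DROP policy eats it.
-A FORWARD -i $UNTRUSTED_IF -m limit --limit 5/min -j LOG --log-prefix "FWD-DENY: "
COMMIT
EOF
}

# Self-check: how many FORWARD rules let the untrusted side open NEW
# connections toward the trusted side?  The policy above should have one.
untrusted_new_rules() {
    ruleset | grep -c -- "-i $UNTRUSTED_IF -o $TRUSTED_IF .*--state NEW"
}

# Print the ruleset for review; pipe into iptables-restore to apply it.
ruleset
```

Apply it only after forwarding is on (`sysctl -w net.ipv4.ip_forward=1`, or the sysctl.conf line from post #7), and remember that hosts on each subnet still need a route to the other subnet via this router, as post #6 says. One caveat for the FTP exception: the data connection is only recognised as RELATED if the FTP connection-tracking helper is loaded (`ip_conntrack_ftp` on a 2.4 kernel such as RH9's, `nf_conntrack_ftp` on current kernels); without it, file transfers will hang after the login succeeds.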


