IPTABLES - Allow Internal HOST with Public IP through Firewall - Firewalls

  1. IPTABLES - Allow Internal HOST with Public IP through Firewall

    Hello:

    I am new to IPTABLES. I have set up an Ubuntu 8.04 Server running
    ebox. It is running DHCP (192.168.1.0-250), NAT, DNS, Squid
    Transparent Proxy. All of the firewall rules were configured using
    ebox's firewall module.

    Basic setup:
    Eth0 - external interface 12.32.12.2 (GW 12.32.12.1) - Internet

    Eth1 - internal Interface 192.168.1.254

    I have a host on the internal network that I need to assign a public
    IP to allow unrestricted access to the internet. 12.32.12.3...

    I have been told that ebox can not configure this for me and I have no
    idea what I'm doing in IPTABLES. From what I have read it looks like I
    should be able to set up something in PREROUTING and POSTROUTING to
    allow me to do this?

    Any help would be greatly appreciated!!!

    Thanks,

  2. Re: IPTABLES - Allow Internal HOST with Public IP through Firewall

    redmondmj@gmail.com wrote:
    > I am new to IPTABLES. I have set up an Ubuntu 8.04 Server running
    > ebox. It is running DHCP (192.168.1.0-250), NAT, DNS, Squid
    > Transparent Proxy. All of the firewall rules were configured using
    > ebox's firewall module.
    >
    > Basic setup:
    > Eth0 - external interface 12.32.12.2 (GW 12.32.12.1) - Internet
    >
    > Eth1 - internal Interface 192.168.1.254
    >
    > I have a host on the internal network that I need to assign a public
    > IP to allow unrestricted access to the internet. 12.32.12.3...


    You don't need a public IP address for unrestricted access to the
    Internet. Who told you such nonsense?

    Please describe what exactly you're trying to achieve, and also post
    your current ruleset.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  3. Re: IPTABLES - Allow Internal HOST with Public IP through Firewall

    On Jun 30, 3:19 pm, redmon...@gmail.com wrote:
    > Hello:
    >
    > I am new to IPTABLES. I have set up an Ubuntu 8.04 Server running
    > ebox. It is running DHCP (192.168.1.0-250), NAT, DNS, Squid
    > Transparent Proxy. All of the firewall rules were configured using
    > ebox's firewall module.
    >
    > Basic setup:
    > Eth0 - external interface 12.32.12.2 (GW 12.32.12.1) - Internet
    >
    > Eth1 - internal Interface 192.168.1.254
    >
    > I have a host on the internal network that I need to assign a public
    > IP to allow unrestricted access to the internet. 12.32.12.3...
    >
    > I have been told that ebox can not configure this for me and I have no
    > idea what I'm doing in IPTABLES. From what I have read it looks like I
    > should be able to set up something in PREROUTING and POSTROUTING to
    > allow me to do this?
    >
    > Any help would be greatly appreciated!!!
    >
    > Thanks,



    If you could post the output for a few commands and describe what you
    want to do, e.g. web client access, then someone can easily tell you rules.

    iptables -nv -L
    netstat -nr
    ifconfig

    Since you are using DHCP you will need to grab the IP address:
    EXT= whatever your DHCP card is
    DHCPIP=`/sbin/ifconfig ${EXT} | grep 'inet addr' | awk -F ':' '{print $2}' | awk '{print $1}'`

    Now you can make rules with eth? and ${DHCPIP}.

    Are you wanting this computer to route?

    Here are a few example rules.

    /sbin/iptables -A INPUT -p tcp -d 10.56.32.248 --destination-port 6000 -j DROP

    /sbin/iptables -A OUTPUT -p tcp -s 10.56.32.248 --source-port 1024:65535 \
        -d 10.78.109.150 --destination-port 110 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -d 10.56.32.248 --destination-port 1024:65535 \
        -s 10.78.109.150 --source-port 110 -j ACCEPT

    -----
    http://www.1150riverviewdr.com/

  4. Re: IPTABLES - Allow Internal HOST with Public IP through Firewall

    On Jul 14, 2:31 am, s...@gnostheos.org wrote:
    > On Jun 30, 3:19 pm, redmon...@gmail.com wrote:
    > > I have a host on the internal network that I need to assign a public
    > > IP to allow unrestricted access to the internet. 12.32.12.3...

    After reading the post more carefully I realized what you are trying
    to do is nonsensical and my brain was trying to make it sensible.

    You cannot have a public IP sitting on your internal network.
    I assume your ISP gave you 4 IP's and you want 1-3 hosts
    behind this box as a FW/router. This is not going to work, and
    you probably only need 1 IP. The hosts on your private LAN
    would get nonroutable IP's.

    http://tools.ietf.org/html/rfc1597

    It seems you have DHCP set up for this, which makes it more
    confusing. Your hosts on your LAN should be in the range for
    your DHCP server. I don't think I understand what you are
    doing.




  5. Re: IPTABLES - Allow Internal HOST with Public IP through Firewall

    spam@gnostheos.org wrote:
    > On Jul 14, 2:31 am, s...@gnostheos.org wrote:
    >> On Jun 30, 3:19 pm, redmon...@gmail.com wrote:
    >>> I have a host on the internal network that I need to assign a public
    >>> IP to allow unrestricted access to the internet. 12.32.12.3...

    >
    > After reading the post more carefully I realized what you are trying
    > to do is nonsensical and my brain was trying to make it sensible.
    >
    > You cannot have a public IP sitting on your internal network.


    Of course he can, if he's given one by his ISP.

    > I assume your ISP gave you 4 IP's and you want 1-3 hosts behind this
    > box as a FW/router. This is not going to work, and you probably only
    > need 1 IP.


    Nonsense. Of course that can be made to work. What gives you the idea
    you couldn't have public IP addresses on a private network?

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
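
Added example, not part of the thread or written by any of its posters: the PREROUTING/POSTROUTING approach the original question asks about, as a 1:1 NAT mapping of 12.32.12.3 onto the internal host. The host's LAN address (192.168.1.10) and the inbound port list are assumptions, and the script only prints the commands so they can be checked against the rules ebox already manages.

```shell
#!/bin/sh
# Added example: print (not apply) the commands for a 1:1 NAT mapping of one
# public address onto one internal host. Review the output, then run as root.

EXT_IF=eth0                # external interface, from the thread
PUBLIC_IP=12.32.12.3       # extra public address, from the thread
INTERNAL_IP=192.168.1.10   # ASSUMPTION: the thread never gives the host's LAN address
INBOUND_TCP="22 443"       # ASSUMPTION: services to expose; leave empty for none

# Accept only dotted-quad IPv4 literals with octets 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Emit one FORWARD rule at the next position so rule order is explicit.
fwd() { echo "iptables -I FORWARD $n $*"; n=$((n + 1)); }

# Usage: nat_1to1_rules EXT_IF PUBLIC_IP INTERNAL_IP "PORT PORT ..."
nat_1to1_rules() {
    ext_if=$1; public_ip=$2; internal_ip=$3; ports=$4; n=1
    case $ext_if in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    is_ipv4 "$public_ip" && is_ipv4 "$internal_ip" || return 1
    for port in $ports; do
        case $port in ''|*[!0-9]*) return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    done
    # The firewall must answer ARP for the extra address on the external side.
    echo "ip addr add $public_ip/32 dev $ext_if"
    # Inbound: rewrite the destination before routing (PREROUTING).
    echo "iptables -t nat -I PREROUTING 1 -i $ext_if -d $public_ip -j DNAT --to-destination $internal_ip"
    # Outbound: rewrite the source after routing (POSTROUTING); inserted first so
    # it wins over any masquerade rule that would use the firewall's own address.
    echo "iptables -t nat -I POSTROUTING 1 -o $ext_if -s $internal_ip -j SNAT --to-source $public_ip"
    # Filtering is separate from NAT: replies and host-initiated traffic pass,
    # new inbound connections only on the listed ports, everything else is dropped.
    fwd -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fwd -o "$ext_if" -s "$internal_ip" -j ACCEPT
    for port in $ports; do
        fwd -i "$ext_if" -d "$internal_ip" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    fwd -i "$ext_if" -d "$internal_ip" -j DROP
}

nat_1to1_rules "$EXT_IF" "$PUBLIC_IP" "$INTERNAL_IP" "$INBOUND_TCP"
```

Each rule is inserted at an explicit position so it is evaluated before the existing ebox rules; the final DROP keeps the public address from exposing every service on the host.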
