iptables port forwarding for specific source addresses - Networking


Thread: iptables port forwarding for specific source addresses

  1. Re: iptables port forwarding for specific source addresses

    ynotssor wrote:

    > In news:g90u5e$1vuu$1@biggoron.nerim.net,
    > Pascal Hambourg typed:
    >
    >> The owner of such a host just has
    >> to set a route to your private subnet using your public address as
    >> gateway :
    >>
    >> ip route add 10.0.0.0/8 via a.b.c.126
    >> and that's it!

    >
    > And one solves this ... how? Please reply in a positive manner.


    For example, set the FORWARD policy from ACCEPT to DROP, and add rules like
    these as the last rules.
    -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
    -A FORWARD -p udp -j REJECT

    Policies are set in the lines starting with a colon:
    :FORWARD ACCEPT
    This sets the general policy for forwarded packets to accept.

    Hope it helps.

    Felix

  2. Re: iptables port forwarding for specific source addresses

    ynotssor wrote:
    > Pascal Hambourg typed:
    >
    >>The owner of such a host just has
    >>to set a route to your private subnet using your public address as
    >>gateway :
    >>
    >>ip route add 10.0.0.0/8 via a.b.c.126
    >>and that's it!

    >
    > And one solves this ... how?


    As Tauno Voipio wrote, by adding the necessary filtering in the FORWARD
    chain, just as you did in the INPUT table.

    For example:

    # set default policy DROP
    iptables -P FORWARD DROP

    # allow outgoing packets from LAN to outside
    iptables -A FORWARD -i eth0 -j ACCEPT

    # allow packets belonging or related to existing connections
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow incoming packets from outside which have been DNAT'ed
    # as suggested by Harry Potter and Eric
    iptables -A FORWARD -i eth1 -s w.x.0.0/16 -d 10.0.0.9/32 \
    -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT

    # deal with the rest in whatever way you like (DROP, REJECT, LOG...)

    > Please reply in a positive manner.


    Is this positive enough?

  3. Re: iptables port forwarding for specific source addresses

    "Pascal Hambourg" wrote in message
    news:g91s9o$28g6$1@biggoron.nerim.net...

    > For example :
    >
    > # set default policy DROP
    > iptables -P FORWARD DROP
    >
    > # allow outgoing packets from LAN to outside
    > iptables -A FORWARD -i eth0 -j ACCEPT
    >
    > # allow packets belonging or related to existing connections
    > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    >
    > # allow incoming packets from outside which have been DNAT'ed
    > # as suggested by Harry Potter and Eric
    > iptables -A FORWARD -i eth1 -s w.x.0.0/16 -d 10.0.0.9/32 \
    > -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
    >
    > # deal with the rest in whatever way you like (DROP, REJECT, LOG...)
    >
    > > Please reply in a positive manner.

    >
    > Is this positive enough?


    Most excellent, thanks so much to all of you.



  4. Re: iptables port forwarding for specific source addresses

    On Thu, 21 Aug 2008 12:47:23 -0700, ynotssor wrote:

    > What syntax is required to allow a machine w.x.0.0/16 to connect to our
    > external iptables eth1 = a.b.c.126:8317 (e.g. "security by obscurity") and
    > be forwarded to 10.0.0.9:443 where other AUTH security checks exist, please?


    Well, the firewall you have listed below blocks nothing from your internal
    network. FORWARD ACCEPT forwards everything without question.

    > The iptables firewall currently drops all but RELATED, ESTABLISHED on
    > external eth1 and logs all unsolicited packets (we have that under control,
    > thanks):


    This only applies to the box where this firewall resides.

    INPUT and OUTPUT are rules that apply to the box only.
    FORWARD applies to all traffic that passes through the box.

    Presently your network is not protected.

    > # Generated by iptables-save v1.3.5 on Sun Mar 2 18:01:01 2008
    > *filter
    > :FORWARD ACCEPT [0:0]
    > :INPUT DROP [eth1:0]
    > :OUTPUT ACCEPT [0:0]
    > -A INPUT -i lo -j ACCEPT
    > -A INPUT -i eth0 -j ACCEPT
    > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    > -A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
    > COMMIT
    > *mangle
    > :PREROUTING ACCEPT [1471:303908]
    > :INPUT ACCEPT [636:240607]
    > :FORWARD ACCEPT [832:63181]
    > :OUTPUT ACCEPT [437:39285]
    > :POSTROUTING ACCEPT [1269:102466]
    > COMMIT
    > *nat
    > :PREROUTING ACCEPT [203:14045]
    > :POSTROUTING ACCEPT [192:12653]
    > :OUTPUT ACCEPT [20:1217]
    > -A POSTROUTING -o eth1 -j MASQUERADE
    > COMMIT



    --

    Regards
    Robert

    It is not just an adventure.
    It is my job!!

    Linux User #296285
    http://counter.li.org
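    To make the difference between ':FORWARD ACCEPT' with no rules and Pascal's DROP-policy chain concrete, here is an added example (not code from the thread): a small Python model of the FORWARD chain that evaluates both against constructed packets. Interface names follow the thread (eth0 = LAN, eth1 = Internet); 203.0.113.0/24 and 198.51.100.7 are constructed stand-ins for w.x.0.0/16 and an arbitrary remote host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    in_iface: str   # arrival interface (eth0 = LAN, eth1 = Internet)
    src: str
    dst: str
    proto: str
    dport: int
    state: str      # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:  # a None option matches anything, like an omitted iptables option
    target: str
    in_iface: str = None   # -i
    src: str = None        # -s (CIDR)
    dst: str = None        # -d (CIDR)
    proto: str = None      # -p
    dport: int = None      # --dport
    states: tuple = None   # -m state --state
    def matches(self, p):
        return ((self.in_iface is None or p.in_iface == self.in_iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.states is None or p.state in self.states))

def forward_verdict(policy, rules, pkt):  # first matching rule wins, else chain policy
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy

# Pascal's hardened chain; 203.0.113.0/24 is a constructed stand-in for w.x.0.0/16
HARDENED = [
    Rule("ACCEPT", in_iface="eth0"),
    Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
    Rule("ACCEPT", in_iface="eth1", src="203.0.113.0/24", dst="10.0.0.9/32",
         proto="tcp", dport=443, states=("NEW",)),
]
# Constructed packets: the intended DNAT'ed HTTPS session, and a remote host that
# routed 10.0.0.0/8 via the firewall's public address to reach another LAN box
DNATED_HTTPS = Packet("eth1", "203.0.113.5", "10.0.0.9", "tcp", 443, "NEW")
ROUTED_IN = Packet("eth1", "198.51.100.7", "10.0.0.5", "tcp", 22, "NEW")

def original_verdict(pkt): return forward_verdict("ACCEPT", [], pkt)  # ':FORWARD ACCEPT', no rules
def hardened_verdict(pkt): return forward_verdict("DROP", HARDENED, pkt)
```

The original chain forwards ROUTED_IN just as readily as DNATED_HTTPS; the hardened chain only forwards the latter, plus replies to existing connections and LAN-originated traffic.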
