#21
ynotssor wrote:
> In news:g90u5e$1vuu$1@biggoron.nerim.net, Pascal Hambourg wrote:
>> The owner of such a host just has to set a route to your private subnet
>> using your public address as gateway:
>>
>> ip route add 10.0.0.0/8 via a.b.c.126
>>
>> and that's it !
>
> And one solves this ... how? Please reply in a positive manner.

For example set FORWARD policy from ACCEPT to DROP - and add rules like these as last rules:

-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -p udp -j REJECT

Policies are set in the lines starting with a colon:

:FORWARD ACCEPT

This sets the general policy for forwarded packets to accept.

Hope it helps.

Felix
#22
ynotssor wrote:
> Pascal Hambourg wrote:
>> The owner of such a host just has to set a route to your private subnet
>> using your public address as gateway:
>>
>> ip route add 10.0.0.0/8 via a.b.c.126
>>
>> and that's it !
>
> And one solves this ... how?

As Tauno Voipio wrote, by adding the necessary filtering in the FORWARD chain, just as you did in the INPUT table. For example:

# set default policy DROP
iptables -P FORWARD DROP

# allow outgoing packets from LAN to outside
iptables -A FORWARD -i eth0 -j ACCEPT

# allow packets belonging or related to existing connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow incoming packets from outside which have been DNAT'ed
# as suggested by Harry Potter and Eric
iptables -A FORWARD -i eth1 -s w.x.0.0/16 -d 10.0.0.9/32 \
    -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT

# deal with the rest in whatever way you like (DROP, REJECT, LOG...)

> Please reply in a positive manner.

Is this positive enough?
#23
"Pascal Hambourg" wrote in news:g91s9o$28g6$1@biggoron.nerim.net...
> For example:
>
> # set default policy DROP
> iptables -P FORWARD DROP
>
> # allow outgoing packets from LAN to outside
> iptables -A FORWARD -i eth0 -j ACCEPT
>
> # allow packets belonging or related to existing connections
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # allow incoming packets from outside which have been DNAT'ed
> # as suggested by Harry Potter and Eric
> iptables -A FORWARD -i eth1 -s w.x.0.0/16 -d 10.0.0.9/32 \
>     -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
>
> # deal with the rest in whatever way you like (DROP, REJECT, LOG...)
>
>> Please reply in a positive manner.
>
> Is this positive enough?

Most excellent, thanks so much to all of you.
#24
On Thu, 21 Aug 2008 12:47:23 -0700, ynotssor wrote:
> What syntax is required to allow a machine w.x.0.0/16 to connect to our
> external iptables eth1 = a.b.c.126:8317 (e.g. "security by obscurity") and
> be forwarded to 10.0.0.9:443 where other AUTH security checks exist, please?

Well, the firewall you have listed below blocks nothing from your internal network. FORWARD ACCEPT forwards everything without question.

> The iptables firewall currently drops all but RELATED, ESTABLISHED on
> external eth1 and logs all unsolicited packets (we have that under control,
> thanks):

This only applies to the box where this firewall resides. INPUT and OUTPUT are rules that apply to the box only. FORWARD applies to all traffic that passes through the box. Presently your network is not protected.

> # Generated by iptables-save v1.3.5 on Sun Mar 2 18:01:01 2008
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [eth1:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
> COMMIT
> *mangle
> :PREROUTING ACCEPT [1471:303908]
> :INPUT ACCEPT [636:240607]
> :FORWARD ACCEPT [832:63181]
> :OUTPUT ACCEPT [437:39285]
> :POSTROUTING ACCEPT [1269:102466]
> COMMIT
> *nat
> :PREROUTING ACCEPT [203:14045]
> :POSTROUTING ACCEPT [192:12653]
> :OUTPUT ACCEPT [20:1217]
> -A POSTROUTING -o eth1 -j MASQUERADE
> COMMIT

--
Regards
Robert

It is not just an adventure. It is my job!!
Linux User #296285 http://counter.li.org
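The pieces of this thread put together in one loadable ruleset, as an added example that is not any poster's code: the DNAT that #24's question asks for (a.b.c.126:8317 to 10.0.0.9:443, limited to w.x.0.0/16), the INPUT rules from the dump in #24, and the FORWARD filtering from #22 with the policy switched from ACCEPT to DROP. It assumes, as #22 does, that eth0 faces the LAN and eth1 faces the Internet; a.b.c.126 and w.x.0.0/16 are kept as the thread's placeholders and must be replaced with real addresses before the output is fed to iptables-restore. The forward_policy helper is a quick check for the exact exposure Pascal describes: an ACCEPT policy on FORWARD means the router will carry packets for anyone who routes 10.0.0.0/8 via its public address.

```shell
#!/bin/sh
# Added example for this thread, not any poster's code. The thread's
# placeholders are kept: a.b.c.126 (public address on eth1) and w.x.0.0/16
# (the remote network). Replace them with real addresses before loading.
set -eu

LAN_IF=eth0              # assumption: eth0 faces the LAN, as in post #22
WAN_IF=eth1              # assumption: eth1 faces the Internet
PUBLIC_IP=a.b.c.126      # placeholder from the thread
LAN_NET=10.0.0.0/8
REMOTE_NET=w.x.0.0/16    # placeholder from the thread
TARGET=10.0.0.9
PUBLIC_PORT=8317
TARGET_PORT=443

# The filter table from #24 reduced to the one line that matters: with the
# FORWARD policy at ACCEPT the router forwards whatever is routed at it.
weak_filter_table() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Hardened ruleset in iptables-restore format. The DNAT in nat/PREROUTING
# runs before routing, so the packet reaches FORWARD with its destination
# already rewritten to 10.0.0.9:443; that is why the FORWARD rule matches
# on the private address and port, not on a.b.c.126:8317.
hardened_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -s $REMOTE_NET -d $PUBLIC_IP -p tcp --dport $PUBLIC_PORT -j DNAT --to-destination $TARGET:$TARGET_PORT
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN_IF -m state --state NEW -j LOG --log-level 7 --log-prefix "UNSOLICITED: "
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -s $REMOTE_NET -d $TARGET -p tcp --dport $TARGET_PORT --syn -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN_IF -m state --state NEW -j LOG --log-level 7 --log-prefix "FWD-UNSOLICITED: "
COMMIT
EOF
}

# Reads an iptables-save dump on stdin and prints the FORWARD policy.
# "iptables-save | forward_policy" printing ACCEPT on a NAT router means
# "ip route add 10.0.0.0/8 via <public address>" on any outside host works.
forward_policy() {
    sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p'
}

case "${1:-}" in
    --print) hardened_ruleset ;;
    --check) weak_filter_table | forward_policy; hardened_ruleset | forward_policy ;;
esac
```

Run it with --print, substitute the placeholders, review the result, and load it with iptables-restore. The last FORWARD rule only logs; anything not matched falls through to the DROP policy, which is the same effect as the REJECT rules Felix suggests in #21 except that the sender gets no reset. Note that the LAN-to-outside rule also insists on a 10.0.0.0/8 source, so a LAN host cannot push packets with a foreign source address through the masquerade.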