Urgently ! need help about iptable and internet gateway/firewall - Security



  1. Urgently ! need help about iptable and internet gateway/firewall

    Hi,

    I need your help with an internet gateway (firewall: iptables).
    Now, I key in the commands below, but I can't use my computer on the local
    network to access the internet
    (web browser + MSN).

    My objectives:
    1. Only the computer with IP 192.168.0.111 may use the web + MSN
    (no other connections allowed, such as FlashGet/GetRight/BitTorrent).
    2. No other computers are permitted to use the internet at all.

    Can anyone help me?
    Thank you very much
    Pratchaya


    ######################

    My Network Diagram.

    ADSL Router <===> { eth1::: My Server :::: eth0 <===> Local network (192.168.0.xx)

    ################## My command line ############################
    /sbin/service iptables stop

    # NAT: hide the LAN behind eth1, send LAN web traffic to the local squid (3128)
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

    # FORWARD: default deny, then allow only 192.168.0.111 to web/MSN/HTTPS/squid
    iptables -P FORWARD DROP
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.111 -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.111 -p tcp --dport 1863 -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.111 -p tcp --dport 443 -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.111 -p tcp --dport 3128 -j ACCEPT

    service iptables save
    ################## End My command line ############################



    ################## Result 1 ############################
    [root@firewall ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- 192.168.0.111 anywhere tcp dpt:http
    ACCEPT tcp -- 192.168.0.111 anywhere tcp dpt:1863
    ACCEPT tcp -- 192.168.0.111 anywhere tcp dpt:https
    ACCEPT tcp -- 192.168.0.111 anywhere tcp dpt:squid

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    [root@firewall ~]#

    ################## Result 2 ############################
    [root@firewall ~]# iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    [root@firewall ~]#


  2. Re: Urgently ! need help about iptable and internet gateway/firewall

    "Pratchaya" (06-01-24 14:02:30):

    > I need your help with an internet gateway (firewall: iptables).
    > Now, I key in the commands below, but I can't use my computer on the local
    > network to access the internet
    > (web browser + MSN).
    >
    > My objectives:
    > 1. Only the computer with IP 192.168.0.111 may use the web + MSN
    > (no other connections allowed, such as FlashGet/GetRight/BitTorrent).
    > 2. No other computers are permitted to use the internet at all.



    Have you activated IP forwarding?

    echo 1 > /proc/sys/net/ipv4/ip_forward

    Regards.

  3. Re: Urgently ! need help about iptable and internet gateway/firewall

    Yes, I've already run
    echo 1 > /proc/sys/net/ipv4/ip_forward

    But I still have the problem.


  4. Re: Urgently ! need help about iptable and internet gateway/firewall

    Pratchaya wrote:
    > Yes, I've already run
    > echo 1 > /proc/sys/net/ipv4/ip_forward
    >
    > But I still have the problem.
    >


    Where's the rule to handle DNS traffic?

  5. Re: Urgently ! need help about iptable and internet gateway/firewall

    ?

    I don't understand.
    Please post again.

    Thank you very much
    Pratchaya


  6. Re: Urgently ! need help about iptable and internet gateway/firewall

    "Pratchaya" (06-01-25 03:35:30):

    > I don't understand.
    > Please post again.


    What lorenzodes means is that you need to forward DNS traffic as well or
    set up a DNS cache on your server. Otherwise DNS resolution won't work.
    The latter approach is better, so you might want to have a look at the
    BIND package or something similar.

    Regards.

  7. Re: Urgently ! need help about iptable and internet gateway/firewall

    Can you give me a sample and tell me the steps to success?

    Thank you very much
    Pratchaya


  8. Re: Urgently ! need help about iptable and internet gateway/firewall

    Pratchaya wrote:
    > Can you give me a sample and tell me the steps to success?
    >
    > Thank you very much
    > Pratchaya
    >


    Ok, let's keep it simple. Add the following:

    iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT

  9. Re: Urgently ! need help about iptable and internet gateway/firewall

    Now I succeed.

    My Command line
    ===============

    service iptables stop
    # NAT: masquerade the LAN behind eth1, redirect LAN web traffic to squid (3128)
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    # FORWARD: default deny, allow replies, then the listed TCP/UDP ports for the LAN
    iptables -P FORWARD DROP
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -m multiport -p tcp --dport 53,80,110,143,443,993,995,3128 -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -m multiport -p udp --dport 53,110,143,993,995,1863 -j ACCEPT
    service iptables save


    ===============
    My Iptable List
    ===============

    [root@firewall ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- 192.168.0.0/24 anywhere multiport dports domain,http,pop3,imap,https,imaps,pop3s,squid
    ACCEPT udp -- 192.168.0.0/24 anywhere multiport dports domain,pop3,imap,imaps,pop3s,1863

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    [root@firewall ~]#

    ===============


  10. Re: Urgently ! need help about iptable and internet gateway/firewall

    Ok,
    Thank you very much
    Pratchaya

    Now I succeed with these:


    My Network Diagram.
    ===============

    ADSL Router <===> { eth1::: My Server :::: eth0 <===> Local network (192.168.0.xx)

    ===============
    My Command line
    ===============

    service iptables stop
    # NAT: masquerade the LAN behind eth1, redirect LAN web traffic to squid (3128)
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    # FORWARD: default deny, allow replies, then the listed TCP/UDP ports for the LAN
    iptables -P FORWARD DROP
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -m multiport -p tcp --dport 53,80,110,143,443,993,995,3128 -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -m multiport -p udp --dport 53,110,143,993,995,1863 -j ACCEPT
    service iptables save


    ===============
    My Iptable List
    ===============

    [root@firewall ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- 192.168.0.0/24 anywhere multiport dports domain,http,pop3,imap,https,imaps,pop3s,squid
    ACCEPT udp -- 192.168.0.0/24 anywhere multiport dports domain,pop3,imap,imaps,pop3s,1863

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    [root@firewall ~]#

    ===============
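
Replies 9 and 10 open forwarding to the whole 192.168.0.0/24 subnet, which gives up objective 1 from the first post. The script below is an added example, not the poster's script or anything from the replies: it keeps reply 8's DNS rule but ties it to the single allowed host, uses TCP for MSN's port 1863, and adds the INPUT rule the squid redirect needs. Assumed from the thread: eth0 is the LAN side, eth1 the ADSL side, squid listens on 3128; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): the poster's gateway with reply 8's DNS
# rule, kept to the single allowed host from the first post.
# Assumed: eth0 = LAN, eth1 = ADSL side (per the diagram), squid on 3128.
# IPT defaults to iptables; IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF=eth0
WAN_IF=eth1
ALLOWED=192.168.0.111
SQUID_PORT=3128

gateway_rules() {
    # Start from empty filter and nat tables.
    $IPT -F
    $IPT -t nat -F
    # Default deny for anything routed through the box (objective 2).
    $IPT -P FORWARD DROP
    # Transparent proxy: the allowed host's port-80 traffic goes to the local squid.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$ALLOWED" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    # Hide LAN addresses behind the ADSL side.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Replies to connections that were already accepted.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # DNS (reply 8's rule) with a source restriction, so other hosts get nothing.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ALLOWED" -p udp --dport 53 -j ACCEPT
    # HTTPS and MSN Messenger (port 1863 is TCP) for the allowed host only.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$ALLOWED" -p tcp -m multiport --dports 443,1863 -j ACCEPT
    # Redirected port-80 traffic is delivered to squid on this box: INPUT, not FORWARD.
    $IPT -A INPUT -i "$LAN_IF" -s "$ALLOWED" -p tcp --dport "$SQUID_PORT" -j ACCEPT
}

# Dry-run helpers: print the rule set and check it without touching the kernel.
show_rules() { ( IPT=echo; gateway_rules ); }
count_rules() { show_rules | grep -c -- '-j '; }
has_dns_rule() { show_rules | grep -q -- "-s $ALLOWED -p udp --dport 53 -j ACCEPT"; }

case "${1:-}" in
    apply) echo 1 > /proc/sys/net/ipv4/ip_forward; gateway_rules ;;  # run as root (reply 2 + rules)
    show)  show_rules ;;
esac
```

`sh gateway.sh show` lists the rules that `sh gateway.sh apply` would load; the filter policy for INPUT is left as the distribution set it, so check it before exposing eth1.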


  11. Re: Urgently ! need help about iptable and internet gateway/firewall

    lorenzodes (06-01-25 15:10:57):

    > > Can you give me a sample and tell me the steps to success?

    >
    > Ok, let's keep it simple. Add the following:
    >
    > iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT


    It's simple, but also not really a good solution. Again, go for BIND.
    You'll save the DNS server and yourself a lot of traffic, and thus
    improve the performance of your network considerably.

    Regards.

  12. Re: Urgently ! need help about iptable and internet gateway/firewall

    Hi, All

    Oh, I got many ideas from you.
    Next I'll educate myself more on DNS/BIND.

    Thank you very much
    Pratchaya


  13. Re: Urgently ! need help about iptable and internet gateway/firewall

    Ertugrul Soeylemez wrote:

    > It's simple, but also not really a good solution. Again, go for BIND.
    > You'll save the DNS server and yourself a lot of traffic, and thus
    > improve the performance of your network considerably.



    I would never go for BIND; in fact, I am using MaraDNS as a DNS cache.

    Furthermore, if you have a small LAN with just a couple of PCs,
    installing and configuring BIND is not worth the hassle.

  14. Re: Urgently ! need help about iptable and internet gateway/firewall

    Can you show me a sample how-to for DNS BIND
    (a DNS cache?)
    Maybe a sample link URL...


    Thank you very much
    Pratchaya


  15. Re: Urgently ! need help about iptable and internet gateway/firewall

    On Thu, 26 Jan 2006 02:14:28 -0800, Pratchaya wrote:

    > Can you show me a sample how-to for DNS BIND
    > (a DNS cache?)
    > Maybe a sample link URL...


    http://www.netadmintools.com/part27.html

    --
    -Menno.


  16. Re: Urgently ! need help about iptable and internet gateway/firewall

    lorenzodes (06-01-26 09:56:21):

    > I would never go for BIND; in fact, I am using MaraDNS as a DNS cache.
    >
    > Furthermore, if you have a small LAN with just a couple of PCs,
    > installing and configuring BIND is not worth the hassle.


    That's a matter of choice. You can run any DNS server, as long as it
    caches.

    Regards.

  17. Re: Urgently ! need help about iptable and internet gateway/firewall

    Ertugrul Soeylemez wrote:

    > That's a matter of choice. You can run any DNS server, as long as it
    > caches.


    MaraDNS and pdnsd are particularly good choices for that role. See
    also: "DNS Servers" on http://linuxmafia.com/kb/Network_Other/


  18. Re: Urgently ! need help about iptable and internet gateway/firewall

    Hi, All

    Thank you very much
    Pratchaya

