Gentoo Archives: gentoo-user

From: James <wireless@×××××××××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] iptables example on Gentoo
Date: Tue, 06 Sep 2005 17:31:28
Message-Id: loom.20050906T182657-904@post.gmane.org
Hello,

I've been trying to build a simple firewall with a DMZ for a
web server.
x.x.x.x is the local single static IP, y.y.y.y is the gateway IP,
z.z.z.z is the broadcast.
Outward access is working (IP and DNS). Currently the DNS servers
I use are the cable modem company's, and they work just fine,
for now. I can download packages and ebuilds just fine. Access
to the mail servers outside the network works just fine.

Note: I have an OpenBSD firewall with a DMZ & web server, and all
works just fine. It's disconnected while I try to get this Gentoo
firewall working with the same web server and other LAN components.

Following this simple example:
http://www.gentoo.org/doc/en/home-router-howto.xml

Here's what I did to add a DMZ-based web server:

A. (3) ethernet interfaces are set up via ifconfig and are working.

B. /etc/conf.d/net
I added these lines:
iface_eth0="192.168.2.20 broadcast 192.168.2.255 netmask 255.255.255.0"
iface_eth1="192.168.3.11 broadcast 192.168.3.255 netmask 255.255.255.0"
iface_eth2="x.x.x.x broadcast z.z.z.z netmask 255.255.255.252"
routes_eth2=( "default gw y.y.y.y" )

C. And here's the iptables portion:
Start with 'iptables -F' and 'iptables -t nat -F'

export LAN=eth0
export DMZ=eth1
export WAN=eth2
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.3.11

D. Next:
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

E. And finishing with:
/etc/init.d/iptables save
rc-update add iptables default
vi /etc/sysctl.conf
Add/uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

Questions
Step C, Question 1:

The rule I added:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.3.11

does not give access to the web server, either from the outside
internet or from the internal LAN. Can somebody fix the rule
or tell me what I've done wrong or what is additionally needed?

Here are the error messages:
Warning: wierd character in interface `-j' (No aliases, :, ! or *).
Bad argument `DNAT'

Question 2:
Where are the config files built by iptables (filter, nat, mangle, raw)
and is it OK to just edit these manually, trying various rules
and testing the results? Any other files to edit directly?

I've read about Shorewall, but I prefer to
edit these files (and any others I have missed) directly
while I learn/test the features of iptables/netfilter. Shorewall
or any other GUI is for later, when I've developed a
certain confidence via understanding how iptables/netfilter works.

This is only a simple network I'm setting up, mostly to
learn about iptables/netfilter. Any help or comments are appreciated. I intend
to slowly add features and rules and to test along the way, so as
to satisfy my curiosity while learning firewalling on Linux-based systems.

James

--
gentoo-user@g.o mailing list

Replies

Subject Author
RE: [gentoo-user] iptables example on Gentoo Dave Nebinger <dnebinger@××××.com>