[TriLUG] a quick firewall
John Jones
john at networkveterans.com
Thu Aug 14 14:53:18 EDT 2003
> I want to build an internal firewall that will sit between an Internet
> connected device and my core switch.
I did this exact thing. I used iptables. You don't need any kind of
script generator; it is better to learn what is happening on your own.
In my case, the eth1 is the outside nic, and eth0 is the outside nic
(10.10.10.4)
Here is some of the code I used:
# Clear the iptables first, just in case
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
# Don't forget to turn on forwarding, however you do it on your *nix
echo "1" > /proc/sys/net/ipv4/ip_forward
# Short and sweet, and it works for multiple nic cards!!! JMJ
# Add the port forwarding to go to 10.10.10.2 (internal machine)
iptables -t nat -A PREROUTING -p tcp -d 64.xxx.xxx.xxx --dport 80 -i eth1 -j DNAT --to 10.10.10.2:80
# Masquerade it so that the ip gets "mangled" to an internal IP (10.10.10.x) so the packet gets routed back correctly
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Add rule so I can get to the server from behind the FW...
iptables -t nat -A OUTPUT -p tcp -d 64.xxx.xxx.xxx --dport 80 -j DNAT --to 10.10.10.2:80
And if you are really in a bind, put these three lines after the echo
statement:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
But you should only do that for testing purposes; you do not want an
ACCEPT policy for everything.
That should do it. Just change the outside and inside IP numbers (and
the ethx numbers in case your internal and external do not match my
system) and you are in business.
Good luck and let me know if it works.
John Jones
Network Veterans
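The post warns against leaving ACCEPT policies in place but does not show the alternative. The script below is an added example, not John's own script: the same DNAT port forward and masquerade, with DROP default policies and stateful rules so that only the forwarded port can be opened into the LAN. The interface names, the placeholder public address 203.0.113.10 and the internal web host are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Added example, not from the original post: the same DNAT/MASQUERADE port
# forward, but with DROP default policies and stateful FORWARD rules instead
# of the ACCEPT-everything policies. Interface names, the public address and
# the internal host are assumptions; adjust them to your own system.
EXT_IF="eth1"                      # outside NIC
INT_IF="eth0"                      # inside NIC (10.10.10.4)
PUB_IP="${PUB_IP:-203.0.113.10}"   # placeholder for the real 64.xxx.xxx.xxx
WEB_HOST="10.10.10.2"              # internal server that receives port 80

# run: execute iptables, or only print the command when FW_DRY_RUN=1
run() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

fw_rules() {
    # Flush everything first, as in the original script
    run -F; run -F -t nat; run -F -t mangle; run -X
    [ "${FW_DRY_RUN:-0}" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    # Default-deny: nothing enters or is forwarded unless a rule allows it
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    # Stateful: replies and established flows pass, new inbound ones do not
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open outbound connections; they leave as the public IP
    run -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    run -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # Port forward: DNAT on the outside NIC, as in the original...
    run -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUB_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_HOST:80"
    # ...but only that forwarded port may be opened into the LAN
    run -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_HOST" --dport 80 \
        -m state --state NEW -j ACCEPT
    # The original's inside-NIC MASQUERADE, narrowed to the forwarded flow; only
    # needed if the server's default gateway is not this firewall (clients then
    # appear as 10.10.10.4 in the web server's logs)
    run -t nat -A POSTROUTING -o "$INT_IF" -p tcp -d "$WEB_HOST" --dport 80 \
        -j MASQUERADE
    # Hairpin: reach the server by its public address from behind the firewall
    run -t nat -A OUTPUT -p tcp -d "$PUB_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_HOST:80"
}

if [ "${1:-}" = "apply" ]; then fw_rules; fi
```

Run it as root with `apply` to load the rules; with `FW_DRY_RUN=1` it prints the iptables commands instead so you can review them first.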