[gentoo-user] iptables question

[gentoo-user] iptables question

[Dmitry S. Makovey]

[-- Attachment #1: Type: text/plain, Size: 535 bytes --]


somewhat offtopic, but since I need any help I can get:

how do I redirect trafic from outward facing interface 
(192.168.1.114:80) to loopback device (127.0.0.1:80) ?

my most obvious trick:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
	-j DNAT --to 127.0.0.1:80
and 
echo 1 > /proc/sys/net/ipv4/ip_forward
didn't help. Machine which is opening connection is hanging there 
indefinitely...

what did I miss?

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

[gentoo-user] Re: iptables question

[James]

Dmitry S. Makovey <dmitry <at> athabascau.ca> writes:

> somewhat offtopic, but since I need any help I can get:

> how do I redirect trafic from outward facing interface 
> (192.168.1.114:80) to loopback device (127.0.0.1:80) ?

> my most obvious trick:
> iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
> 	-j DNAT --to 127.0.0.1:80
> and 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> didn't help. Machine which is opening connection is hanging there 
> indefinitely...

> what did I miss?


Well, let me start off by saying that I'm still learning the
details of iptables.....

An excellent book has been recommended and I can confirm it is wonderful:
"Linux Firewalls Third Edition" 2005. by Steve Suehring and Robert L. Ziegler.
Novell press.

There are many examples covering forwarding, port redirection, dmz's and
proxies. It's hard to tell exactly what you are doing, or what you want to do.

>From the book: Enabling the loopback Interface page 111
"
Local services rely on the loop back network interface. After the system boots,
the systems's default policy is to accept all packets. Flushing any pre existing
chains has no effect. However, if the firewall is being reinitialized and had
previously used a deny-by-default policy, the drop policy would still be in
effect. Without any acceptance firewall rules, the loopback interface would
still be inaccessible. Because the loopback interface is a local, internal
interface, the firewall can allow loopback traffic immediately:

#for unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
"

Granted this is related to an example in the book, but hopefully it helps.
If you get frustrated, send me private email, maybe I can help. I will try.
Some folks on the list do not believe that direct control of iptables is
wise. I desent. Knowledge of iptables is of extreme value, but difficult 
to master. I'd like to see many example of iptable for 2.6 kernels published.
Updated material on iptables + 2.6 kernels, is scarcely available on the net.

hth,
James




-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Re: iptables question

[Dmitry S. Makovey]

[-- Attachment #1: Type: text/plain, Size: 1035 bytes --]

On Friday 20 January 2006 13:41, James wrote:
> #for unlimited traffic on the loopback interface
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT

since I've done my "flushing" all my rules are nice and permissive ;)

dimon2 ~ # iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
dimon2 ~ # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So I doubt I need specific rules for "lo" or any other device except 
for NAT rules to redirect my traffic.

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] iptables question

[Trenton Adams]

Under the *nat rule,

-A PREROUTING -i eth0 -p tcp -m tcp --dport 58443 -j DNAT --to 192.168.7.1:443

Under the *filter rules.

-A ADAMS-FW-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport
443 -j ACCEPT


On 1/20/06, Dmitry S. Makovey <dmitry@athabascau.ca> wrote:
>
> somewhat offtopic, but since I need any help I can get:
>
> how do I redirect trafic from outward facing interface
> (192.168.1.114:80) to loopback device (127.0.0.1:80) ?
>
> my most obvious trick:
> iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
>         -j DNAT --to 127.0.0.1:80
> and
> echo 1 > /proc/sys/net/ipv4/ip_forward
> didn't help. Machine which is opening connection is hanging there
> indefinitely...
>
> what did I miss?
>
> --
> Dmitry Makovey
> Web Systems Administrator
> Athabasca University
> (780) 675-6245
>
>
>

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] iptables question

[Dmitry S. Makovey]

[-- Attachment #1: Type: text/plain, Size: 433 bytes --]

On Friday 20 January 2006 13:49, Trenton Adams wrote:
> Under the *nat rule,
>
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 58443 -j DNAT --to
> 192.168.7.1:443
>
> Under the *filter rules.
>
> -A ADAMS-FW-INPUT -i eth0 -m state --state NEW -m tcp -p tcp
> --dport 443 -j ACCEPT

I tried similar combination as well to no avail. :(

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

[gentoo-user] iptables question

[Hiren Dave]

[-- Attachment #1: Type: text/plain, Size: 506 bytes --]

Hi,

I want to configure firewall such that network 192.168.1.0/24 can
only access http server from server1(192.168.0.2/24) and
network 192.168.0.0/24 can not access http server. So I tried this:

#service iptables stop
#iptables -P INPUT DROP
#iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT

But this command sends error that "Unknown arg: --dport"
HOW CAN I ACHIEVE THIS?

ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF
IPTABLES?

TnR
Hiren

[-- Attachment #2: Type: text/html, Size: 746 bytes --]

[gentoo-user] Re: iptables question

[James]

Hiren Dave <hiren2k4 <at> gmail.com> writes:


> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY 
LEARNING OF IPTABLES?


The only current book I could find, that is centric around the 2.6 linux kernel,
and contains relevant, current examples is:

"Linux Firewalls" Third Edition

authors: Steve Suehring and Rober Ziegler


hth,

James





-- 
gentoo-user@gentoo.org mailing list