From: James
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] iptables example on Gentoo
Date: Tue, 6 Sep 2005 17:22:19 +0000 (UTC)

Hello,

I've been trying to build a simple firewall with a DMZ for a web server.

x.x.x.x is the local single static IP.
y.y.y.y is the gateway IP.
z.z.z.z is the broadcast.

Outward access is working (ip and dns). Currently the dns servers I use
are the cable modem company's, and they work just fine, for now. I can
download packages and ebuilds just fine. Access to the mail servers
outside the network works just fine.

Note: I have an openbsd firewall with a dmz & web server, and all works
just fine. It's disconnected while I try to get this gentoo firewall
working with the same web server and other lan components.

Following this simple example:
http://www.gentoo.org/doc/en/home-router-howto.xml

Here's what I did to add a DMZ based web server:

A. (3) ethernet interfaces are set up via ifconfig and are working.

B. /etc/conf.d/net: I added these lines:

iface_eth0="192.168.2.20 broadcast 192.168.2.255 netmask 255.255.255.0"
iface_eth1="192.168.3.11 broadcast 192.168.3.255 netmask 255.255.255.0"
iface_eth2="x.x.x.x broadcast z.z.z.z netmask 255.255.255.252"
routes_eth2=( "default gw y.y.y.y" )

C. And here's the iptables portion. Start with 'iptables -F' and
'iptables -t nat -F':

export LAN=eth0
export DMZ=eth1
export WAN=eth2
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.3.11

D. Next:

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

E. And finishing with:

/etc/init.d/iptables save
rc-update add iptables default
vi /etc/sysctl.conf

Add/Uncomment the following lines:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

Questions

Step C:

Question 1: The rule I added:

iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.3.11

does not give access to the web server, either from the outside internet
or from the internal lan. Can somebody fix the rule or tell me what I've
done wrong or what is additionally needed? Here are the error messages:

Warning: wierd character in interface `-j' (No aliases, :, ! or *).
Bad argument `DNAT'

Question 2: Where are the config files built by iptables (filter, nat,
mangle, raw), and is it OK to just edit these manually, trying various
rules and testing the results? Any other files to edit directly?

I've read about shorewall, but I prefer to directly edit these files (and
any others I have missed) while I learn/test the features of
iptables/netfilter. Shorewall or any other gui is for later, when I've
developed a certain confidence via understanding how iptables/netfilter
works.

This is only a simple network I'm setting up, mostly to learn about
iptables/netfilter. Any help or comments are appreciated. I intend to
slowly add features and rules and to test along the way, so as to satisfy
my curiosity while learning firewalling on linux based systems.

James

--
gentoo-user@gentoo.org mailing list
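As an added example, not the rules from the post above: a stateful ruleset for the same three-interface layout (LAN eth0, DMZ eth1, WAN eth2) with default-deny INPUT and FORWARD policies, so the DMZ can reach the Internet but cannot initiate connections into the LAN. The web server address 192.168.3.10 is assumed (a DMZ host distinct from the firewall's own 192.168.3.11 taken from the post), and the function refuses to run if any interface variable is empty, because an empty -i argument makes iptables read the following word as the interface name.

```shell
#!/bin/sh
# Added example, not the post's rules: a stateful three-interface DMZ ruleset.
# Interfaces and the firewall's DMZ address (192.168.3.11) follow the post;
# the web server address 192.168.3.10 is an assumed, separate DMZ host.
LAN=eth0; DMZ=eth1; WAN=eth2
LAN_NET=192.168.2.0/24; DMZ_NET=192.168.3.0/24
WEB=192.168.3.10
# Set IPT=echo to print the rules instead of loading them (dry run, no root).
IPT="${IPT:-iptables}"

dmz_rules() {
    # An empty -i/-o argument makes iptables read the next word as the
    # interface name, so refuse to run with unset interface variables.
    [ -n "$LAN" ] && [ -n "$DMZ" ] && [ -n "$WAN" ] || {
        echo "LAN, DMZ and WAN must all be set" >&2; return 1; }
    $IPT -F; $IPT -t nat -F
    # Default deny for traffic to and through the firewall; its own outbound is allowed.
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    # Firewall host itself: loopback, replies, and management from the LAN only.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # Forwarding: replies to anything already allowed, LAN to anywhere,
    # DMZ to the Internet only (a compromised DMZ host cannot reach the LAN).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT
    # Internet to DMZ: only new TCP/80 connections to the web server. FORWARD
    # sees the post-DNAT destination, so match on the private address.
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$WEB" --dport 80 \
         -m state --state NEW -j ACCEPT
    # NAT: hide LAN and DMZ behind the WAN address; publish port 80.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
         -j DNAT --to-destination "$WEB"
}
```

Run with IPT=echo first and compare the printed rules against iptables -L -v -n and iptables -t nat -L -n after loading for real.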