LeRoy Cressy on Tue, 11 Mar 2003 07:19:07 -0500
In your original post you stated that apache was listening on port 8888. If this is so then apache needs to be configured on port 80. Also, I think your line

    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

is not correct and you should specify the ports that get mangled as follows. This will add a layer of security with only certain ports allowed to get to the outside.

Before you can use nat you need to accept the packet like as follows:

    iptables -A block -m state --state NEW -p tcp -i eth0 --dport 80 -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Web Access Request "
    iptables -A block -m state --state NEW -p tcp -i eth0 --dport 80 -j ACCEPT

Then you need to accept packets from eth1 which I am assuming is your lan like:

    # for testing you can set up logging
    # iptables -A block -m state --state NEW -i eth1 -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Accepted Packets from eth1 "
    iptables -A block -m state --state NEW -i eth1 -j ACCEPT

As stated above I do not like masquerading so I use this:

    # Set up the ip forwarding for the local network to get to the outside:
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 20 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 21 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 22 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 25 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 465 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 53 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 80 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 443 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 110 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 113 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 119 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 389 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 873 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 1024 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --dport 53 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --dport 1024 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 192.168.1.0/16 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 43 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 37 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 9412 -j SNAT --to $RealIP
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 11371 -j SNAT --to $RealIP

Finally, I've attached some experimental code I used when first setting up a firewall.

Naresh wrote:
LeRoy,

-- 
Rev. LeRoy D. Cressy     mailto:leroy@lrcressy.com      /\_/\
                         http://lrcressy.com           ( o.o )
                         Phone: 215-535-4037            > ^ <
gpg fingerprint: 62DE 6CAB CEE1 B1B3 359A 81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me. (John 14:6)

Attachment: firewall-nat-experimental
Attachment: pgpy6dUDEp7Tv.pgp
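The rule set LeRoy describes, written out as one script. This is an added example, not the original post's commands nor the firewall-nat-experimental attachment: it builds the "block" chain that logs and accepts NEW connections, and then emits one SNAT rule per allowed destination port from a port list instead of a blanket MASQUERADE, so the long run of near-identical lines comes from a loop. The interface names, the LAN range (one consistent /24), the RealIP value (a constructed documentation-range address), the ESTABLISHED,RELATED rule, the closing DROP and the INPUT/FORWARD hooks are assumptions the post does not spell out. With DRY_RUN=1 (the default) the rules are printed rather than applied, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original post or its attachment.
# Builds a stateful "block" chain plus per-port SNAT on POSTROUTING.
# Interface names, LAN range, RealIP, the ESTABLISHED/RELATED rule, the
# final DROP and the chain hooks are assumptions.  DRY_RUN=1 prints rules.

EXTIF="${EXTIF:-eth0}"               # assumed external interface
INTIF="${INTIF:-eth1}"               # assumed LAN interface
LAN="${LAN:-192.168.1.0/24}"         # assumed LAN range
RealIP="${RealIP:-203.0.113.10}"     # constructed public address (documentation range)
DRY_RUN="${DRY_RUN:-1}"

# Destination ports the LAN may reach outside, taken from the post's SNAT lines.
TCP_PORTS="20 21 22 25 465 53 80 443 110 113 119 389 873 1024 43 37 9412 11371"
UDP_PORTS="53 1024"

# Wrapper: print the rule in dry-run mode, otherwise run iptables.
# (Dry-run output shows a space-containing argument such as a log prefix
# unquoted; when applied it is still passed as a single argument.)
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Filter side: the packet must be accepted here before the nat table matters.
filter_rules() {
    ipt -N block
    # Replies to connections already accepted (implied by the NEW-only rules below)
    ipt -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound web requests: at most one log line per hour, then accept
    ipt -A block -m state --state NEW -p tcp -i "$EXTIF" --dport 80 \
        -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Web Access Request "
    ipt -A block -m state --state NEW -p tcp -i "$EXTIF" --dport 80 -j ACCEPT
    # Anything new arriving from the LAN interface
    ipt -A block -m state --state NEW -i "$INTIF" -j ACCEPT
    # Everything else is dropped (assumed default; the post does not show it)
    ipt -A block -j DROP
    ipt -A INPUT -j block
    ipt -A FORWARD -j block
}

# NAT side: one SNAT rule per allowed port.  A port that is not listed is
# never translated, so LAN hosts cannot reach it through this box.
snat_rules() {
    for p in $TCP_PORTS; do
        ipt -t nat -A POSTROUTING -o "$EXTIF" -p tcp -s "$LAN" --dport "$p" -j SNAT --to "$RealIP"
    done
    for p in $UDP_PORTS; do
        ipt -t nat -A POSTROUTING -o "$EXTIF" -p udp -s "$LAN" --dport "$p" -j SNAT --to "$RealIP"
    done
    ipt -t nat -A POSTROUTING -o "$EXTIF" -p icmp -s "$LAN" -j SNAT --to "$RealIP"
}

# Number of SNAT rules the port lists produce (always evaluated in dry-run).
snat_rule_count() {
    (DRY_RUN=1; snat_rules) | grep -c -- '-j SNAT'
}

# Whether protocol $1 to destination port $2 would be translated (exit 0 = yes).
port_is_allowed() {
    (DRY_RUN=1; snat_rules) | grep -q -- "-p $1 .* --dport $2 -j SNAT"
}

main() {
    filter_rules
    snat_rules
}

main "$@"
```

Run it as `sh firewall.sh` to review the generated rules, and as root with `DRY_RUN=0` to apply them. The order of the two halves matters for the reason the post gives: the filter table decides whether the packet is accepted at all, and only then does the POSTROUTING SNAT rule rewrite its source address on the way out; a port missing from the list simply never gets translated.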