Deags Posted November 15, 2009
I have a Linux router. Now I'm adding a new NIC. I wanna join the networks the easiest way possible. I don't want to plug it into my main network so I can restrict the shit out of it.
uberprinnyakatux Posted November 15, 2009
Set up a VLAN? What router OS are you running?
Deags (Author) Posted November 16, 2009
It's just Ubuntu. Nothing fancy.
ansichild Posted November 16, 2009
Here are some iptables scripts from my super simple home cookbook to get you going...

# turn routing on
echo "1" > /proc/sys/net/ipv4/ip_forward

Here's my rules file. It's a default deny policy with explicit statements to allow everything. Ironic, eh? But useful. :) eth0 is LAN, eth1 is Internet with a static IP. If you just want to join the networks, you don't even really need to NAT.

# load the rules file
iptables-restore iptables.rules

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade LAN traffic leaving on the Internet interface
-A POSTROUTING -o eth1 -j SNAT --to-source 123.221.123.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -j ACCEPT
-A OUTPUT -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT

Now getting fancier, this logs all traffic but doesn't drop anything (still a "default deny" policy)...

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 123.221.123.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# LOG is a non-terminating target: every packet is logged, then accepted
-A INPUT -j LOG --log-prefix "Bad input "
-A INPUT -j ACCEPT
-A OUTPUT -j LOG --log-prefix "Bad output "
-A OUTPUT -j ACCEPT
-A FORWARD -j LOG --log-prefix "Bad forward "
-A FORWARD -j ACCEPT
COMMIT

And here's an example of something really restrictive, forwards only web traffic from the LAN...

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 123.221.123.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# the router itself only talks to the LAN side; everything else is logged and dropped by policy
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j LOG --log-prefix "Bad input "
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "Bad output "
# LAN may only initiate HTTP/HTTPS out; replies come back via the state match
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "Bad forward "
COMMIT
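Putting the thread together, here is an added example (not from ansichild or the original post) that generates an iptables-restore file for the three-NIC case the question describes: a trusted LAN on eth0, the Internet on eth1, and the new NIC (assumed eth2, subnet 192.168.2.0/24, both constructed) that may only reach the Internet on 80/443 and is logged and dropped if it tries to talk to the main LAN.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a router with three interfaces.
# Args: LAN_IF WAN_IF NEW_IF NEW_SUBNET WAN_IP  (all assumed/constructed values)
gen_rules() {
    lan="$1"; wan="$2"; new="$3"; newnet="$4"; wanip="$5"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# both inside segments leave through the static WAN address
-A POSTROUTING -o $wan -j SNAT --to-source $wanip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# router itself: loopback, replies, and anything from the trusted LAN
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
# the restricted segment may only ask the router for DNS
-A INPUT -i $new -s $newnet -p udp --dport 53 -j ACCEPT
-A INPUT -j LOG --log-prefix "Bad input "
# forwarding: replies first, then trusted LAN anywhere, then the restricted segment
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $lan -o $new -j ACCEPT
# new segment -> main LAN is logged and explicitly dropped
-A FORWARD -i $new -o $lan -j LOG --log-prefix "Isolated->LAN "
-A FORWARD -i $new -o $lan -j DROP
# new segment -> Internet only on HTTP/HTTPS
-A FORWARD -i $new -o $wan -s $newnet -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -j LOG --log-prefix "Bad forward "
COMMIT
EOF
}

# Example: gen_rules eth0 eth1 eth2 192.168.2.0/24 123.221.123.1 | iptables-restore
```

Pipe the output into iptables-restore as root after enabling ip_forward, and check the kernel log for the "Isolated->LAN " prefix to see what the new segment tries to reach.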