Posted

I have a Linux router. Now I'm adding a new NIC. I want to join the networks the easiest way possible. I don't want to plug it into my main network so I can restrict the shit out of it.

Posted

Here are some iptables scripts from my super simple home cookbook to get you going...

#turn routing on
#echo "1" > /proc/sys/net/ipv4/ip_forward

Here's my rules file; it's a default-deny policy with explicit statements to allow everything. Ironic, eh? But useful. :)

eth0 is the LAN, eth1 is the Internet with a static IP.

If you just want to join the networks, you don't even really need to NAT.

#iptables-restore iptables.rules

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 123.221.123.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -j ACCEPT
-A OUTPUT -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT

Now getting fancier: this logs all traffic but doesn't drop anything (still a "default deny" policy)...

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 123.221.123.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -j LOG --log-prefix "Bad input "
-A INPUT -j ACCEPT
-A OUTPUT -j LOG --log-prefix "Bad output "
-A OUTPUT -j ACCEPT
-A FORWARD -j LOG --log-prefix "Bad forward "
-A FORWARD -j ACCEPT
COMMIT

And here's an example of something really restrictive; it forwards only web traffic from the LAN...

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 123.221.123.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# The router itself only talks on the LAN side; anything else hits the DROP policy after being logged.
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j LOG --log-prefix "Bad input "
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "Bad output "
# LAN hosts may open HTTP/HTTPS connections outward; the replies come back through the state match on eth1.
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "Bad forward "
COMMIT
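As an added example (not from either post), here is a shell script that extends the restrictive ruleset above to the three-interface case the original question asked about: eth0 as the trusted LAN, eth1 as the Internet, and eth2 as the new NIC carrying an isolated segment. The interface name eth2, the 192.168.2.0/24 subnet, the DNS-to-router rule and the multiport match are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore rules file for
# the poster's setup. Assumed: eth0 = trusted LAN, eth1 = Internet with a
# static IP, eth2 = the new NIC carrying an isolated 192.168.2.0/24 segment.
set -eu
LAN_IF=eth0; WAN_IF=eth1; ISO_IF=eth2
ISO_NET=192.168.2.0/24
WAN_IP=123.221.123.1   # placeholder address, as used in the thread

gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Router itself: trust the LAN side; otherwise accept only replies to its own connections.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Isolated hosts may query a resolver on the router (assumed to exist); without it they cannot resolve names.
-A INPUT -i $ISO_IF -s $ISO_NET -p udp --dport 53 -j ACCEPT
-A INPUT -j LOG --log-prefix "Bad input "
-A OUTPUT -j ACCEPT
# The isolated segment never reaches the trusted LAN; log it so probes show up in the kernel log.
-A FORWARD -i $ISO_IF -o $LAN_IF -j LOG --log-prefix "Iso to LAN "
-A FORWARD -i $ISO_IF -o $LAN_IF -j DROP
# Isolated segment to the Internet on web ports only; the trusted LAN keeps full outbound access.
-A FORWARD -i $ISO_IF -o $WAN_IF -s $ISO_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "Bad forward "
COMMIT
EOF
}

# Offline check: the generated FORWARD chain must DROP iso->LAN and never ACCEPT it.
check_isolation() {
  gen_rules | awk -v pat="-i $ISO_IF -o $LAN_IF" '
    $1 == "-A" && $2 == "FORWARD" && index($0, pat) {
      if ($0 ~ /-j ACCEPT/) bad = 1
      if ($0 ~ /-j DROP/) seen = 1 }
    END { exit (seen && !bad) ? 0 : 1 }'
}
```

Load it as root with `gen_rules > iptables.rules && iptables-restore iptables.rules`; `check_isolation` only inspects the generated text, so it runs without iptables installed.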
