Deags Posted November 15, 2009
I have a Linux router. Now I'm adding a new NIC. I wanna join the networks the easiest way possible. I don't want to plug it into my main network so I can restrict the shit out of it.
uberprinnyakatux Posted November 15, 2009
Set up a VLAN? What router OS are you running?
Deags (Author) Posted November 16, 2009
It's just Ubuntu. Nothing fancy.
ansichild Posted November 16, 2009
Here are some iptables scripts from my super simple home cookbook to get you going...

#turn routing on
#echo "1" > /proc/sys/net/ipv4/ip_forward

Here's my rules file. It's a default deny policy with explicit statements to allow everything. Ironic, eh? But useful. :) eth0 is LAN, eth1 is Internet with static IP. If you just want to join the networks, you don't even really need to NAT.

#iptables-restore iptables.rules

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rewrite the source of everything leaving on the Internet side to the static IP
-A POSTROUTING -o eth1 -j SNAT --to-source 123.221.123.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# chain policies are DROP, but these three catch-all rules accept everything first
-A INPUT -j ACCEPT
-A OUTPUT -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT

Now getting fancier, this logs all traffic but doesn't drop anything (still a "default deny" policy)...

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 123.221.123.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# LOG is a non-terminating target: each packet is logged (check dmesg/syslog
# for the prefix) and then falls through to the ACCEPT rule below it
-A INPUT -j LOG --log-prefix "Bad input "
-A INPUT -j ACCEPT
-A OUTPUT -j LOG --log-prefix "Bad output "
-A OUTPUT -j ACCEPT
-A FORWARD -j LOG --log-prefix "Bad forward "
-A FORWARD -j ACCEPT
COMMIT

And here's an example of something really restrictive, forwards only web traffic from the LAN...

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j SNAT --to-source 123.221.123.1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# the router itself only talks on the LAN side; there is no rule for lo or for
# eth1 here, so the box has no Internet access of its own
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j LOG --log-prefix "Bad input "
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "Bad output "
# LAN hosts may open TCP 80/443 to anywhere; replies come back through the
# RELATED,ESTABLISHED rule. No rule for port 53, so DNS is not forwarded.
-A FORWARD -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# everything else that reaches the end of the chain is logged, then dropped by policy
-A FORWARD -j LOG --log-prefix "Bad forward "
COMMIT
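The rules above cover a two-interface router. Deags's setup has a third interface: the new NIC carrying a segment that must not reach the main LAN. The script below is an added example written for this thread, not ansichild's own cookbook, extending the same iptables-restore pattern to that case. It assumes eth0 is the main LAN (192.168.1.0/24), eth1 the Internet side with the placeholder static IP from the post, eth2 the new NIC on an assumed 192.168.2.0/24, and that the router itself serves DHCP and DNS to the restricted segment (those two INPUT rules can be dropped if it does not). gen_rules prints the rules file, check_isolation inspects it without touching the kernel, and apply_rules loads it (root required).

```shell
#!/bin/sh
# Added example for the three-NIC case in this thread. Interface names, the
# 192.168.2.0/24 subnet and the DHCP/DNS-on-router assumption are mine; the
# 123.221.123.1 address is the placeholder from ansichild's post.

WAN_IF=eth1
WAN_IP=123.221.123.1
LAN_IF=eth0
LAN_NET=192.168.1.0/24
ISO_IF=eth2                 # the new NIC
ISO_NET=192.168.2.0/24      # assumed subnet for the restricted segment

# Print a complete iptables-restore file. Lines starting with '#' are
# ignored by iptables-restore, so the comments can stay in the file.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# the router itself: loopback, replies to its own connections, and anything from the main LAN
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# the restricted segment may only ask the router for DHCP and DNS
-A INPUT -i $ISO_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $ISO_IF -s $ISO_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $ISO_IF -s $ISO_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -j LOG --log-prefix "Bad input "
-A OUTPUT -j ACCEPT
# forwarding: replies first, then main LAN anywhere, then restricted -> Internet web only
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $ISO_IF -o $LAN_IF -j LOG --log-prefix "ISO->LAN blocked "
-A FORWARD -i $ISO_IF -o $LAN_IF -j DROP
-A FORWARD -i $ISO_IF -s $ISO_NET -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -j LOG --log-prefix "Bad forward "
COMMIT
EOF
}

# Offline sanity check: every FORWARD ACCEPT that starts on the restricted NIC
# must leave via the Internet interface. Returns 1 if any other path exists.
check_isolation() {
    if gen_rules | grep -- "^-A FORWARD -i $ISO_IF" | grep -- "-j ACCEPT" \
            | grep -qv -- "-o $WAN_IF"; then
        echo "restricted segment can reach something other than $WAN_IF" >&2
        return 1
    fi
    return 0
}

# Load the rules atomically (iptables-restore replaces the whole table) and
# turn on forwarding. Needs root.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | iptables-restore
}

if [ "${1-}" = "apply" ]; then
    apply_rules
else
    check_isolation
fi
```

Run it with no arguments to print nothing and exit 0 only if the isolation check passes; run `sh script.sh apply` as root to load the rules. Putting the RELATED,ESTABLISHED rule first in FORWARD is what lets main-LAN hosts open connections into the restricted segment and get replies back while the DROP rule stops the restricted segment from initiating anything toward eth0.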