Hi,
Need help on something. Below are some iptables rules which I've written but
haven't tested yet because they're going to work on a critical part of the
LAN, so any failure would make the users very upset; so please tell me if
I'm missing something or if they'll work well for what I need to do.
The LAN is something like this, but larger:
[PC.1]=======|                  |
[PC.2]=======|===[NAT/Web.1]====|
[PC.3/Web]===|                  |
                                |
[PC.4]==|                       |
[PC.5]==|====[NAT/Mail/Web.2]===|===[Bridge/FW]==Internet
[PC.6]==|                       |
                                |
[DNS/Web.3]=====================|
[PC.1], [PC.2] and [PC.3] are terminals that use private IPs which NAT on
the [NAT/Web.1] server so that they can access the Internet.
[PC.3] NATs to a public IP and has a webserver which can be accessed by anyone
from the Internet.
[PC.2] also NATs to a public IP.
[PC.4], [PC.5] and [PC.6] are terminals that also use private IPs and also
access the Internet via NAT on the [NAT/Mail/Web.2] server.
[DNS/Web.3] is a DNS server that resolves for the local terminals and for a
domain from outside.
[NAT/Mail/Web.2] also acts as a mail server for [PC.4], [PC.5], [PC.6].
All 3 servers and PC.3 have webservers that must be open to outside
connections.
Bridge/FW is the one which will use these rules.
What I need to do:
- Block any connection from the Internet to the servers, but allow access to the
webservers on them, DNS requests to the DNS server and mail to the mail
server.
- Allow normal browsing from the terminals to the Internet, and the use of Web, FTP,
IRC, RealAudio, mail, P2P and any other service. There are no restrictions
on where or what they can browse.
- Allow all access from the Internet to PC.2
Here are the rules:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 0/0 -d 0/0 -m state --state INVALID -j DROP
iptables -A FORWARD -f -j DROP
#Block ping to servers and allow it to only one terminal
iptables -A FORWARD -p icmp -s 0/0 -d [NAT/Web.1] -j DROP
iptables -A FORWARD -p icmp -s 0/0 -d [NAT/Mail/Web.2] -j DROP
iptables -A FORWARD -p icmp -s 0/0 -d [DNS/Web.3] -j DROP
iptables -A FORWARD -p icmp -s 0/0 -d [PC.3] -j ACCEPT
#Allow mail to mail server
iptables -A FORWARD -p tcp -s 0/0 -d [NAT/Mail/Web.2] --destination-port 25 -j ACCEPT
#Allow DNS queries (iptables only accepts a port match after -p, so -p udp is needed here)
iptables -A FORWARD -p udp -s 0/0 --source-port 53 -d [DNS/Web.3] -j ACCEPT
iptables -A FORWARD -p udp -s 0/0 -d [DNS/Web.3] --destination-port 53 -j ACCEPT
#Allow everything from internet to PC.2
iptables -A FORWARD -s 0/0 -d [PC.2] -j ACCEPT
#Allow webserver traffic
iptables -A FORWARD -p tcp -s 0/0 -d [NAT/Web.1] --destination-port 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d [NAT/Mail/Web.2] --destination-port 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d [DNS/Web.3] --destination-port 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d [PC.3/Web] --destination-port 80 -j ACCEPT
#Allow POP3 access from outside to mail server
iptables -A FORWARD -p tcp -s 0/0 -d [NAT/Mail/Web.2] --destination-port 110 -j ACCEPT
#Allow everything out
iptables -A FORWARD -s [NAT/Web.1] -j ACCEPT
iptables -A FORWARD -s [NAT/Mail/Web.2] -j ACCEPT
iptables -A FORWARD -s [DNS/Web.3] -j ACCEPT
iptables -A FORWARD -s [PC.2] -j ACCEPT
iptables -A FORWARD -s [PC.3/Web] -j ACCEPT
#Deny everything else
iptables -A FORWARD -j DROP
Here are the questions:
1. For what I need to do, could these rules make everything work fine?
2. Could P2P work? I've read about some issues with Kazaa behind a firewall...
3. Could the terminals browse, FTP, IRC, RealAudio without problems? Should I
create ACCEPT rules for each of these ports or does the "everything
out/ESTABLISHED in" rule make it?
Thanks,
Eduardo
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
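As an added worked example (not part of Eduardo's message or of the list archive), the script below simulates the posted FORWARD chain the way iptables evaluates it, first matching rule wins, and runs a few constructed packets through it next to a variant whose DNS rules only accept queries to port 53. The addresses are made-up stand-ins for the bracketed hostnames, the `-f` fragment rule is not modelled, and the posted `--source-port 53` line is modelled as written (any protocol, any destination port), which is what it would do once it loads.

```python
"""First-match simulator for the FORWARD chain from the post above.

Added example, not the original poster's code. Hosts are made-up addresses
(assumption); the chain is transcribed from the post, fragment rule omitted.
"""
from dataclasses import dataclass
from typing import Optional

# Made-up addresses standing in for the hosts in the diagram (assumption).
WEB1, WEB2, DNS3 = "198.51.100.1", "198.51.100.2", "198.51.100.3"
PC2, PC3 = "198.51.100.12", "198.51.100.13"
INET = "203.0.113.7"  # an arbitrary host on the Internet


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass
class Rule:
    """One 'iptables -A FORWARD ...' line; a field of None means 'any'."""
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: Optional[set] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))


def verdict(chain, p: Packet) -> str:
    """iptables semantics: the first matching terminating rule decides."""
    for r in chain:
        if r.matches(p):
            return r.target
    return "ACCEPT"  # chain policy; the posted chain ends in -j DROP anyway


def common_head():
    """Rules before the DNS block, identical in both variants."""
    return [
        Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
        Rule("DROP", states={"INVALID"}),
        Rule("DROP", proto="icmp", dst=WEB1),
        Rule("DROP", proto="icmp", dst=WEB2),
        Rule("DROP", proto="icmp", dst=DNS3),
        Rule("ACCEPT", proto="icmp", dst=PC3),
        Rule("ACCEPT", proto="tcp", dst=WEB2, dport=25),
    ]


def common_tail():
    """Rules after the DNS block: PC.2, webservers, POP3, everything out, DROP."""
    return [
        Rule("ACCEPT", dst=PC2),
        *[Rule("ACCEPT", proto="tcp", dst=h, dport=80) for h in (WEB1, WEB2, DNS3, PC3)],
        Rule("ACCEPT", proto="tcp", dst=WEB2, dport=110),
        *[Rule("ACCEPT", src=h) for h in (WEB1, WEB2, DNS3, PC2, PC3)],
        Rule("DROP"),
    ]


# DNS rules as posted: anything whose *source* port is 53 is accepted.
POSTED = common_head() + [
    Rule("ACCEPT", sport=53, dst=DNS3),
    Rule("ACCEPT", dport=53, dst=DNS3),
] + common_tail()

# Variant: only queries *to* port 53 (UDP and TCP). Answers to the DNS
# server's own outbound queries already return through the ESTABLISHED rule.
FIXED = common_head() + [
    Rule("ACCEPT", proto="udp", dst=DNS3, dport=53),
    Rule("ACCEPT", proto="tcp", dst=DNS3, dport=53),
] + common_tail()

# Constructed test packets (not captured traffic).
CASES = {
    "smtp_in":      Packet(INET, WEB2, "tcp", 40000, 25),
    "dns_query_in": Packet(INET, DNS3, "udp", 40001, 53),
    "ssh_from_53":  Packet(INET, DNS3, "tcp", 53, 22),       # source port 53 to ssh
    "irc_out":      Packet(WEB1, INET, "tcp", 40002, 6667),  # terminal, NATed by Web.1
    "irc_reply":    Packet(INET, WEB1, "tcp", 6667, 40002, state="ESTABLISHED"),
    "ssh_in":       Packet(INET, WEB1, "tcp", 40003, 22),
    "ping_pc3":     Packet(INET, PC3, "icmp"),
    "ping_web1":    Packet(INET, WEB1, "icmp"),
}


def run(chain) -> dict:
    """Verdict per named test packet for the given chain."""
    return {name: verdict(chain, p) for name, p in CASES.items()}


if __name__ == "__main__":
    posted, fixed = run(POSTED), run(FIXED)
    for name in CASES:
        print(f"{name:14} posted={posted[name]:7} fixed={fixed[name]}")
```

The two chains agree on every case except `ssh_from_53`: with the posted rules a packet from the Internet with source port 53 reaches [DNS/Web.3] on any port, because that rule has no destination-port or state condition. The `irc_out`/`irc_reply` pair shows why question 3 needs no per-service rules: the outbound packet passes the "everything out" rule for the NAT server's address and the reply passes the ESTABLISHED rule, which is the same path FTP, IRC or RealAudio would take.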