First off, you'll want to set up the system to block everything and masquerade outbound connections:
#Time to clean house
#Clear out any existing firewall rules, and any chains that might have
#been created
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

#Setup our policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

#Our actual rules
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p all -m state --state NEW -s xxx.xxx.xxx.xxx/yy -j ACCEPT

#Our NAT stuff
#Source NAT everything heading out the eth0 (external) interface to be the
#given IP. If you have a dynamic ip or a DHCP ip that changes
#semi-regularly, comment this and uncomment the second line
#
#Remember to change the ip address to your static ip
#
# Source NAT'ing our outbound connections
#
# Outbound SNAT for the server, itself, assuming you've allocated a
# separate IP for the server.
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -s aaa.aaa.aaa.aaa -j SNAT --to bbb.bbb.bbb.bbb
#
# Everything else is masqueraded as the firewall's IP
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Replace "$IPTABLES" with "iptables"...my script uses a variable...no biggie.

Now, for DNAT to the server:

#
# HTTP to the server
#
$IPTABLES -t nat -A PREROUTING -i eth0 -d bbb.bbb.bbb.bbb -p tcp --dport 80 -j DNAT --to aaa.aaa.aaa.aaa
$IPTABLES -A FORWARD -p tcp --dport 80 -m state --state NEW -d aaa.aaa.aaa.aaa -j ACCEPT

In the above examples, xxx.xxx.xxx.xxx is your internal network number and yy is the CIDR net mask. aaa.aaa.aaa.aaa is the internal IP address of your server, and bbb.bbb.bbb.bbb is the internet address assigned to it, for which the firewall answers. The example also assumes that your firewall's external NIC is labelled as eth0...if it's something else, just make that change, as necessary.
The thing is that, in my example, I'm assuming that the firewall has one external internet address, and that you can, and will, assign a different external address for the web server.

Hope this helps.

On Fri, 6 Sep 2002, daniel wrote:

> ha!
> it's all good
> i found out what was wrong and i thought i'd share.
> i didn't know i had to do this as well:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> now all i have to do is figure out DNAT and actually implement security. :)
> thanks for your help!
>
> ----- Original Message -----
> Sent: Friday, September 06, 2002 1:57 AM
> Subject: Re: networking not working
>
> > wonderful!
> > it works!
> > ...sort of
> >
> > now my gateway can see the world
> > and my webserver can see the gateway
> > but my webserver CAN'T see the world
> > and the world CAN'T see my webserver
> >
> > iptables does this right?
> > ...how?
> >
> > i set the following:
> >
> > iptables --policy INPUT ACCEPT
> > iptables --policy OUTPUT ACCEPT
> > iptables --policy FORWARD ACCEPT
> >
> > iptables -t nat --policy PREROUTING ACCEPT
> > iptables -t nat --policy OUTPUT ACCEPT
> > iptables -t nat --policy POSTROUTING ACCEPT
> >
> > ----- Original Message -----
> > Sent: Saturday, September 07, 2002 1:29 AM
> > Subject: Re: networking not working
> >
> > > > now i'm not even concerned with actual software yet... at the moment, i
> > > > can't even get the lights on my hub to light up for the connection from my
> > > > gateway to the hub. where are the cables supposed to plug into the hub?
> > > > right now i have the cable from the gateway going into the "uplink" plug...
> > > > do i need a crossover cable for this?
> > >
> > > I think the cable from the gateway should just go into any normal plug, not
> > > the uplink plug. I am not exactly sure what the uplink plug is for. And also
> > > use a straight cable.
> > >
> > > HTH,
> > > David

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
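The ruleset from the mail above, rendered as an added parameterised sh script (this is not the poster's script). It adds the ip_forward step daniel found missing and keeps the DNAT rule and its matching FORWARD ACCEPT together in one function, since with a DROP policy on FORWARD the DNAT rule alone is not enough. The interface name and addresses are constructed placeholders, and DRY_RUN (the default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's script. All addresses are constructed
# placeholders from documentation ranges; replace them with your own.
EXT_IF=${EXT_IF:-eth0}                  # firewall's external NIC
INT_NET=${INT_NET:-192.168.1.0/24}      # xxx.xxx.xxx.xxx/yy in the mail
SERVER_INT=${SERVER_INT:-192.168.1.10}  # aaa.aaa.aaa.aaa: server's internal address
SERVER_EXT=${SERVER_EXT:-203.0.113.10}  # bbb.bbb.bbb.bbb: public address answered by the firewall

# With DRY_RUN=1 (the default) every command is printed instead of run,
# so the ruleset can be reviewed before it is applied as root.
if [ "${DRY_RUN:-1}" = 1 ]; then IPTABLES="echo iptables"; SYSCTL="echo sysctl"
else IPTABLES=iptables; SYSCTL=sysctl; fi

# The step daniel found missing: without it the kernel forwards nothing.
# Equivalent to: echo 1 > /proc/sys/net/ipv4/ip_forward
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Flush all tables and user chains, then set the default policies:
# drop inbound and forwarded traffic, allow the firewall's own outbound.
reset_tables() {
    $IPTABLES -F
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP
}

# Stateful forwarding for the LAN plus the two outbound NAT rules.
outbound_nat() {
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state NEW -s "$INT_NET" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$SERVER_INT" -j SNAT --to "$SERVER_EXT"
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Publish one service. DNAT only rewrites the destination address; because
# FORWARD's policy is DROP, the rewritten packet still needs a FORWARD ACCEPT.
dnat_service() {  # usage: dnat_service <proto> <port>
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -d "$SERVER_EXT" -p "$1" --dport "$2" -j DNAT --to "$SERVER_INT"
    $IPTABLES -A FORWARD -p "$1" --dport "$2" -m state --state NEW -d "$SERVER_INT" -j ACCEPT
}

apply_all() {
    enable_forwarding
    reset_tables
    outbound_nat
    dnat_service tcp 80
}

apply_all
```

Run it as root with DRY_RUN=0 to apply the rules; a second published service is one more dnat_service call.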