Mailing List Archive

requested help with iptables, NAT and port forwarding
Dear Linux Netfilter users:

I am trying to build a firewall on my brand new system. I have already
set up IP filtering from and to the ethernet adapters (eth0) and (eth1)
of the firewall.

Next, what I would like to do is to use NAT and iptables to make my
private systems available for other systems coming from the Internet.

An example:

 --------      ----------      ---------
| client | -- | firewall | -- | server1 |
 --------      ----------      ---------
                   |           ---------
                   ---------- | server2 |
                               ---------

IP client: 0.0.0.0/0 (The Internet)
IP firewall (eth1, Internet) 1.2.3.4
IP firewall (eth0, private) 172.16.1.1
IP server1 (private) 172.16.1.2
IP server2 (private) 172.16.1.3


I would like to do the following:

1. private server1
------------------
from client to firewall

source address: 0.0.0.0 (any port)
destination: 1.2.3.4 (port 2400)

from firewall to client

source address: 1.2.3.4 (port 2400)
destination: 0.0.0.0 (any)
(all packets except SYN requests
for a new TCP/IP session, i.e. the ! --syn
option in 'iptables')

The firewall translates the address from
1.2.3.4:2400 to 172.16.1.2:2400 and
lets the client make a connection to
my private server 'server1'.

Connections are not allowed from my private
server 'server1' over port 2400 to the Internet
clients.

All other IP traffic to 'server1' should be blocked


2. Same as private server1, but then
replace server1:2400 with server2:2500.


3. All other traffic (other tcp/udp ports)
from and to my private servers needs to
be blocked.

Does anybody have an idea how to configure this with iptables and NAT? I
have looked at several examples of port forwarding, but I cannot figure
out how to configure this in a good way. Like I wrote before, I would like
a connection built from the Internet to the private servers, but not
from the private servers to the Internet.

Please help me, I am a little bit confused about possibilities like PORT
forwarding, masquerading and NAT, combined with the 'iptables FORWARD
chain'.

Thanks in advance,
Joris Smits
email: Joris@TReeData.nl
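As an added example, not part of the post above, the following POSIX shell script expresses the three requirements as iptables rules: DNAT in the nat PREROUTING chain rewrites 1.2.3.4:2400 and 1.2.3.4:2500 to the private servers, and the FORWARD chain (default policy DROP) admits only connections opened from the Internet side plus their replies, which is the stateful form of the '! --syn' idea in the post. Interface names and addresses are taken from the post; `IPT` is an assumed variable that defaults to printing the commands so the rule set can be reviewed before it is applied with `IPT=iptables`.

```shell
#!/bin/sh
# Inbound-only port forwarding for the setup described in the post.
# Dry run by default; run as "IPT=iptables sh script.sh" to apply.
# Forwarding must also be enabled: sysctl -w net.ipv4.ip_forward=1
IPT="${IPT:-echo iptables}"
WAN_IF=eth1; WAN_IP=1.2.3.4          # Internet side of the firewall
LAN_IF=eth0                          # private side (172.16.1.1)
SERVER1=172.16.1.2; PORT1=2400
SERVER2=172.16.1.3; PORT2=2500

# Publish one private service on the firewall's public address.
# PREROUTING runs before the routing decision, so FORWARD already sees
# the translated destination ($srv). Only NEW connections arriving on
# the WAN interface are accepted; the LAN->WAN rule admits replies only
# (ESTABLISHED), so the server itself cannot open connections outward.
publish_service() {
    srv=$1; port=$2
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport "$port" \
        -j DNAT --to-destination "$srv:$port"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$srv" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$srv" --sport "$port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

apply_rules() {
    # Requirement 3: everything not explicitly published is dropped,
    # in both directions, including the private servers' own traffic.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    publish_service "$SERVER1" "$PORT1"   # requirement 1
    publish_service "$SERVER2" "$PORT2"   # requirement 2
}

apply_rules
```

Return traffic is un-translated automatically by conntrack in POSTROUTING, which is why the LAN->WAN rule matches on the private address and port rather than on 1.2.3.4.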