doc:appunti:linux:sa:iptables
Differences
doc:appunti:linux:sa:iptables [2014/04/16 15:35] – [Use iptables to mitigate or block a DNS Amplification Attack] niccolo | doc:appunti:linux:sa:iptables [2020/11/23 14:27] – [Shorewall and DNAT onto a local host] niccolo
Line 40: | Line 40: | ||
A web server is reachable from the internet onto a local host (**192.168.1.5**) via a DNAT rule, local hosts want to use the public address (**130.151.100.69**) to reach the d-natted server. Traffic will be masqueraded by the firewall with its address (**192.168.1.254**) on the local LAN (**eth0**, **192.168.1.0/ | A web server is reachable from the internet onto a local host (**192.168.1.5**) via a DNAT rule, local hosts want to use the public address (**130.151.100.69**) to reach the d-natted server. Traffic will be masqueraded by the firewall with its address (**192.168.1.254**) on the local LAN (**eth0**, **192.168.1.0/ | ||
- | In '' | + | In **/ |
< | < | ||
Line 47: | Line 47: | ||
</ | </ | ||
- | In '' | + | For Shorewall 5 we nedd a line in **/ |
+ | |||
+ | < | ||
+ | # | ||
+ | SNAT(192.168.1.254) | ||
+ | </ | ||
+ | |||
+ | Shorewall 4 instead requires a line in **/ | ||
< | < | ||
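Review bot: typo in the added Shorewall 5 sentence, "we nedd a line" should read "we need a line". Since this hunk now gives one snippet for Shorewall 5 (the SNAT(192.168.1.254) action) and a different one for Shorewall 4, it would help to state plainly that only the variant matching the installed version is to be added, so a reader does not configure both.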
Line 54: | Line 61: | ||
</ | </ | ||
- | In '' | + | In **/ |
< | < | ||
Line 60: | Line 67: | ||
# | # | ||
DNAT | DNAT | ||
+ | DNAT | ||
</ | </ | ||
+ | |||
+ | Port translating from outside to inside is handled only in **/ | ||
+ | ===== Shorewall with router in local LAN ===== | ||
+ | |||
+ | Hosts in LAN#1 may access hosts in LAN#2 by just adding a static route to the **192.168.2.0/ | ||
+ | |||
+ | {{shorewall-router-in-lan.png? | ||
+ | |||
+ | You can instead make **two configurations** on the Shorewall firewall. First of all you add the static route into **/ | ||
+ | |||
+ | < | ||
+ | auto eth1 | ||
+ | iface eth1 inet static | ||
+ | address 192.168.1.1 | ||
+ | netmask 255.255.255.0 | ||
+ | up / | ||
+ | down /sbin/route del -net 192.168.2.0/ | ||
+ | </ | ||
+ | |||
+ | then you have to add the **routeback** option for the **eth1** interfaces in the **/ | ||
+ | |||
+ | < | ||
+ | loc eth1 routeback | ||
+ | </ | ||
===== Iptables schema ===== | ===== Iptables schema ===== | ||
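Review bot: in the eth1 stanza the "up" line must add exactly the route that "down /sbin/route del -net 192.168.2.0/..." later removes (same network, mask and gateway), otherwise ifdown leaves a stale route behind; please double-check that the two lines agree. Also, as the page now covers both Shorewall 4 and 5, say which interfaces-file layout "loc eth1 routeback" assumes: in Shorewall 4's default layout there is a BROADCAST column between INTERFACE and OPTIONS, so the three-column form only reads correctly when that column is absent ("?FORMAT 2"); with the older layout the word routeback would be taken as the broadcast field.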
Line 137: | Line 169: | ||
< | < | ||
- | iptables -I INPUT -p udp -m string --hex-string ' | + | /sbin/iptables -I INPUT -p udp -m string --hex-string ' |
- | --algo bm --from 40 --to 56 -j DROP | + | --algo bm --from 40 --to 56 -j DROP -m comment --comment "DROP DNS Q zing.zong.co.ua" |
</ | </ | ||
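Review bot: the "--from 40 --to 56" window deserves a sentence of explanation next to the rule: offset 40 is 20 bytes of IPv4 header plus 8 of UDP plus 12 of DNS header, i.e. the start of the question name, which holds only for IPv4 packets without IP options; packets that carry options shift the name and are not matched. It is also worth noting that "-I INPUT" inserts the rule at position 1, ahead of any existing ACCEPT rules, which is intended here but should be stated. The added "-m comment" is a good addition, since it makes the rule identifiable in iptables -L output.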
Line 157: | Line 189: | ||
start) | start) | ||
iptables -I INPUT $options -j DROP | iptables -I INPUT $options -j DROP | ||
- | iptables -I INPUT $options -j LOG --log-level debug | + | |
;; | ;; | ||
stop) | stop) | ||
iptables -D INPUT $options -j DROP | iptables -D INPUT $options -j DROP | ||
- | iptables -D INPUT $options -j LOG --log-level debug | + | |
;; | ;; | ||
*) | *) |
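Review bot: removing the "-j LOG --log-level debug" rule from both the start) and stop) branches makes the DROP silent, so there is no longer any record of how many queries the mitigation is hitting while it is active; if log volume was the motivation, a rate-limited LOG (for example with "-m limit") kept in front of the DROP would preserve that evidence at low cost. Note also that with two "-I INPUT" rules the one inserted last ends up first, which is what placed LOG ahead of DROP in the old version; any replacement logging rule needs the same ordering.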
doc/appunti/linux/sa/iptables.txt · Last modified: 2020/11/23 14:28 by niccolo