Hi Rudik Amirjanyan,

Try the 3 steps below:

step 1) Modify /etc/sysctl.conf: net.ipv4.ip_forward = 1
step 2) Run "myiptable", which I have used successfully for my LAN.
step 3) Run "service network restart".

Good luck.

Thach.

Rudik Amirjanyan wrote:
Hello,

In my small office we have a local LAN, 192.168.1.0, and we have put an RH9 box in as a router and want to masquerade the local IP addresses of the network. The server has 2 interfaces: eth0 with a global IP address, and eth1 with 192.168.1.1. We want to open only the ssh, ftp, www and mail ports from outside, and everything from the local LAN. We have set up iptables, but do not know how to make it work. The question is: what entries must be in the /etc/sysconfig/iptables file for the firewall to work properly? Any help is appreciated.
Thanks.
#!/bin/sh
# myiptable: NAT router / firewall for a box with one public and one LAN interface.
# Set these to match the machine (in the question: eth0 public, eth1 = 192.168.1.1)
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
# TCP services that may be reached from the Internet: ssh, ftp, www, smtp
WAN_TCP_PORTS="22 21 80 25"

# Connection-tracking helpers so ftp data connections are seen as RELATED (2.4 kernels)
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Flush the rule chains
/sbin/iptables -F
/sbin/iptables -t nat -F      # ignore if you get an error here
/sbin/iptables -t mangle -F
# delete every non-builtin chain in the table
/sbin/iptables -X
# Zero counts
/sbin/iptables -Z

# Set the default policy to DROP before adding rules, so nothing slips
# through while the rest of the script is still running
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

############################
# Define LOGGER For Analyzer
/sbin/iptables -N LOG_DROP
/sbin/iptables -A LOG_DROP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP] : '
/sbin/iptables -A LOG_DROP -j DROP
# Define LOGGER For Analyzer (rate limited: unsolicited traffic from outside can flood the log)
/sbin/iptables -N LOG_INPUT_DROP
/sbin/iptables -A LOG_INPUT_DROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES INPUT_DROP] : '
/sbin/iptables -A LOG_INPUT_DROP -j DROP
# FORWARD, ACCEPT
/sbin/iptables -N LOG_ACCEPT
/sbin/iptables -A LOG_ACCEPT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FORWARD_ACCEPT]'
/sbin/iptables -A LOG_ACCEPT -j ACCEPT
###########################

#### Secure the connection: replies to connections we already know about
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
## Allow all incoming connections from Internal (only with a LAN source address)
/sbin/iptables -A INPUT -m state --state NEW -i $LAN_IF -s $LAN_NET -j ACCEPT
/sbin/iptables -A OUTPUT -o $LAN_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
## Accept only the listed services from external ($WAN_IF); any other new
## connection from outside falls through to the DROP policy
for port in $WAN_TCP_PORTS; do
    /sbin/iptables -A INPUT -p tcp -m tcp --dport $port -m state --state NEW -i $WAN_IF -j LOG_ACCEPT
done
# The router itself may open connections to the Internet (logged)
/sbin/iptables -A OUTPUT -m state --state NEW -o $WAN_IF -j LOG_ACCEPT
# DHCP (bootp) client traffic on the external interface; needed for a dynamic IP
/sbin/iptables -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -i $WAN_IF -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m udp --sport 67:68 --dport 67:68 -o $WAN_IF -j ACCEPT
# Accept UDP replies from the ISP DNS servers (replace with your ISP's resolvers)
/sbin/iptables -A INPUT -p udp -m udp -s 203.162.4.1 --sport 53 -j LOG_ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -s 203.162.0.11 --sport 53 -j LOG_ACCEPT
/sbin/iptables -A INPUT -p udp -m udp -s 10.0.0.138 --sport 53 -j LOG_ACCEPT
# DROP all other new UDP from external, e.g. broadcast messages
/sbin/iptables -A INPUT -p udp -m udp -m state --state NEW -i $WAN_IF -j LOG_INPUT_DROP
# Whatever else arrives from outside is logged, then dropped
/sbin/iptables -A INPUT -i $WAN_IF -j LOG_INPUT_DROP

#### NAT for the LAN
# use this line if you have a static IP address from your ISP
# (replace 192.168.3.13 with your static IP)
#/sbin/iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to 192.168.3.13
# use this line only if you have a dynamic IP address from your ISP
/sbin/iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
# Replies to LAN connections may come back in
/sbin/iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# LOG outgoing connections from the LAN (all protocols, so UDP DNS and ICMP get through as well)
/sbin/iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j LOG_ACCEPT
# Never forward a packet back out of the external interface it came in on
/sbin/iptables -A FORWARD -i $WAN_IF -o $WAN_IF -j REJECT
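Rudik asked for the entries in /etc/sysconfig/iptables rather than a script. That file is in iptables-save format, and on RH9 "service iptables start" loads it with iptables-restore, so the rules survive a reboot without running anything by hand. The generator below is an added example, not Thach's script and not part of the original thread. The interface names and the 192.168.1.0/24 range come from the question; the exact port list (https, pop3 and imap added alongside ssh, ftp, www and smtp) and the function names rules_file / install_rules are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): write /etc/sysconfig/iptables in the
# iptables-save format that RH9's "service iptables start" restores.
# eth0/eth1 and 192.168.1.0/24 come from the question; the port list and
# the function names are assumptions.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
# ssh, ftp, www (http, https), mail (smtp; pop3 and imap are an assumption about "mail")
OPEN_TCP="22 21 80 443 25 110 143"

# rules_file WAN_IF LAN_IF LAN_NET "ports": print the ruleset to stdout
rules_file() {
    wan=$1; lan=$2; net=$3; ports=$4
    # nat table: masquerade LAN hosts behind the public address of $wan
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo "-A POSTROUTING -s $net -o $wan -j MASQUERADE"
    echo 'COMMIT'
    # filter table: default DROP for INPUT and FORWARD, explicit accepts only
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # everything from the LAN side, but only with a LAN source address
    echo "-A INPUT -i $lan -s $net -j ACCEPT"
    # the requested services from the Internet, one rule per port
    for p in $ports; do
        echo "-A INPUT -i $wan -p tcp -m tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # log what the DROP policy is about to discard, rate limited
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT INPUT DROP: "'
    # LAN may go anywhere; replies come back via conntrack
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A FORWARD -i $lan -o $wan -s $net -j ACCEPT"
    echo '-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "IPT FORWARD DROP: "'
    echo 'COMMIT'
}

# install_rules: write the file, load it, enable forwarding (run as root)
install_rules() {
    rules_file "$WAN_IF" "$LAN_IF" "$LAN_NET" "$OPEN_TCP" > /etc/sysconfig/iptables
    /sbin/iptables-restore < /etc/sysconfig/iptables
    # ftp data connections need the conntrack/NAT helpers on 2.4 kernels
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

if [ "${1:-}" = install ]; then
    install_rules
else
    # default: just show the file that would be written
    rules_file "$WAN_IF" "$LAN_IF" "$LAN_NET" "$OPEN_TCP"
fi
```

Run it without arguments to review the file, then "sh script install" as root. Unlike Thach's script this leaves OUTPUT at ACCEPT, since the question only asked to restrict what comes in; ip_forward still has to be made persistent in /etc/sysctl.conf as in step 1 above, and a pop3/imap rule should be removed if the box does not serve them.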