Nat Masquerading and Firewall: Difference between revisions

From ITCwiki
Jump to navigation Jump to search
(Created page with '==Nat Masquerading and Firewall== This page will guide you through creating a simple firewall that includes NAT. *Prep work - Creating or viewing your interfaces sudo nano /…')
 
No edit summary
Line 25: Line 25:
*Allow established connections
*Allow established connections
     iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
     iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp
    iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
*Incoming Connections
*Incoming Connections
This for SSH you can change the --dport to whatever port you need for other protocols for example 80 for http. Check if your protocol is udp and if so change tcp to udp.
This for SSH you can change the --dport to whatever port you need for other protocols for example 80 for http. Check if your protocol is udp and if so change tcp to udp.
     iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
     iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
or like this for DNS requests
    iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
*Outgoing Connections
This for HTTP and HTTPS and is for multiple ports so all tcp can be added to this and create another for udp and put all your udp ports on that one.
    iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dports 80,443
or single entries like this for DNS:
    iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT

Revision as of 09:59, 10 May 2010

Nat Masquerading and Firewall

This page will guide you through creating a simple firewall that includes NAT.

  • Prep work - Creating or viewing your interfaces
    sudo nano /etc/network/interfaces 

Edit this file to fit your need for this guide eth0 will be outside or private interface of the network and eth1 will be the inside or private part of your network.

Interfaces.png

Now restart the network

    sudo /etc/init.d/networking restart

Setting up NAT Masquerading

This is pretty easy to setup as it is only three steps. First part is to start the NAT.

    modprobe iptable_nat

Second part is to tell your iptables to masquerade things going out of your public interface

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Third part is to allow packet forwarding

    nano /etc/sysctl.conf

Find #net.ipv4.ip_forward=1, uncomment this line and make sure it is equal to 1. You now have Nat configured and should be working if your firewall chains are defaulted to accept all packets.


Firewall Rules

This section will show you examples for rule statements and can be cloned for all ports and protocols.

  • Allow established connections
    iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp
    iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  • Incoming Connections

This for SSH you can change the --dport to whatever port you need for other protocols for example 80 for http. Check if your protocol is udp and if so change tcp to udp.

    iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT

or like this for DNS requests

    iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
  • Outgoing Connections

This for HTTP and HTTPS and is for multiple ports so all tcp can be added to this and create another for udp and put all your udp ports on that one.

    iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m multiport --dports 80,443

or single entries like this for DNS:

    iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT