Re: [SLUG] Linux Networking with IPTABLES

From: Paul Aitken (paitken1@tampabay.rr.com)
Date: Fri Apr 18 2003 - 12:31:56 EDT


Hey,

I was a little tired when I typed that. Let me rephrase it a little.
This is what I want to happen:
I want my computer (192.168.1.2) to have internet using the router. I don't
want any other computers on the internal network to have internet, except
for the linux router.

I am wanting to block all connections, outgoing and incoming.

Paul
----- Original Message -----
From: "Backward Thinker" <backwardthinker@juno.com>
To: <slug@nks.net>
Sent: Friday, April 18, 2003 7:41 AM
Subject: Re: [SLUG] Linux Networking with IPTABLES

>
> Your post was a little confusing. Are you trying to block incoming
> connections from the internet to computers on your internal lan? If so,
> you're already done. Unless you've set up PREROUTING, people can reach your
> router, and that's it (though your router can reach your lan, so make sure
> it's up on patches and unnecessary services are disabled).
>
> But it sounds like you want 192.168.1.2 to be able to receive incoming
> traffic from outside your linux router with a public ip address? If so,
> here's the best way. First realize that 192.168.1.2 is an internal ip
> address, not publicly routable, meaning that although people on your lan
> can reach 192.168.1.2, when anybody outside your LAN tries to send packets
> to 192.168.1.2 it isn't gonna reach you. But, the ip address of your rr
> address is publicly routable. So instead of people connecting to
> 192.168.1.2, people will be connecting to your linux router, and the linux
> router will do the magic of routing it correctly through your lan, a la
> iptables and PREROUTING. So, for example, if you had an http server on a
> box in your internal lan, you would have the linux router preroute anything
> on port 80 (or whatever) to that http server on the internal lan.
>
> Anyway, long story short, what you want is something like:
>
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.2
>
> Since the external computers will only see one ip address, you can't
> really double up on ports. Like, if you wanted to run two different
> web-servers on different boxes, both on port 80... external computers will
> actually have to go through a different port on the router to get forwarded
> to the other host, unless you got more specific than -i eth0. So a second
> rule would look like:
>
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to 192.168.1.3:80
>
> So with the two above PREROUTING rules, those who connect to
> IP-ADDRESS-OF-ROUTER:80 will get to 192.168.1.2:80, and those who connect to
> IP-ADDRESS-OF-ROUTER:8080 will get to 192.168.1.3:80. Make sense?
>
> There's a lot more detail in the (unfortunately very long) Linux IP
> Masquerade HOWTO. http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/
>
> Good luck,
> ~ Daniel
>
>
> --- "Paul Aitken" <paitken1@tampabay.rr.com> wrote:
>
> Hello,
> I am quite the linux newbie, and have tried to get assistance in
> networking with linux. I am successfully routed through a linux machine,
> but am trying to block internet to another computer.
>
> My main internet connection comes from eth0, which is directly connected
> to my cable modem.
>
> I then have a LAN cord run from eth1 to a hub.
> The hub then has two more cords plugged into it.
>
> I only want the computer with the ip address 192.168.1.2 to receive
> internet...can you tell me how to do this please?
>
> Thank you
> Paul
>
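The two halves of this thread (Paul's "only 192.168.1.2 gets out" and Daniel's DNAT rule) fit together in one rule set on the router, shown below as an added example that is not code from either poster. It assumes eth0 faces the cable modem, eth1 faces the hub, 192.168.1.2 is the only LAN host allowed out, and iptables is at /sbin/iptables (all of these are overridable through environment variables). The one thing Daniel's reply leaves out is that once the FORWARD policy is DROP, a PREROUTING DNAT rule on its own does nothing: the redirected packet still has to be accepted in FORWARD, which the last rule does. Denied attempts from the other LAN hosts are rate-limited to the kernel log so you can see who is trying.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumptions: eth0 faces
# the cable modem, eth1 faces the hub, 192.168.1.2 is the only LAN host that
# may use the internet, and iptables lives at /sbin/iptables. The router's own
# traffic is untouched because only the FORWARD chain and the nat table change.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
ALLOWED_HOST="${ALLOWED_HOST:-192.168.1.2}"
IPT="${IPT:-/sbin/iptables}"

# Emit the rule set as text, one iptables command per line, so it can be
# reviewed (or checked by a script) before anything is applied. Lines
# starting with '#' are explanatory and are skipped when applying.
generate_rules() {
    cat <<EOF
# start clean, then default-deny everything that would be forwarded
$IPT -t nat -F
$IPT -F FORWARD
$IPT -P FORWARD DROP
# the one permitted LAN host may open connections to the internet
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $ALLOWED_HOST -j ACCEPT
# replies to those connections may come back in
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -d $ALLOWED_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT
# every other LAN host falls through to the DROP policy; log it (rate-limited)
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix FWD-DENIED:
# hide the permitted host behind the router's public address
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $ALLOWED_HOST -j MASQUERADE
# Daniel's port forward, plus the FORWARD accept it needs under a DROP policy
$IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $ALLOWED_HOST:80
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -d $ALLOWED_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
EOF
}

# Number of iptables commands in the generated set (comment lines excluded).
rule_count() {
    generate_rules | grep -c "^$IPT "
}

# Apply the rules only when IPT_APPLY=1 (run as root on the router); otherwise
# just print them. eval is acceptable here because the text comes from the
# heredoc above, not from user input.
apply_rules() {
    if [ "${IPT_APPLY:-0}" != "1" ]; then
        generate_rules
        return 0
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    generate_rules | while IFS= read -r rule; do
        case "$rule" in
            \#*) ;;            # skip explanatory lines
            *) eval "$rule" ;;
        esac
    done
}

apply_rules
```

Run it once without arguments to print the rules, then `IPT_APPLY=1 sh firewall.sh` as root to install them. Rule order matters: the ACCEPT for the allowed host sits before the LOG rule so only the blocked hosts are logged. If you add Daniel's second DNAT (port 8080 to 192.168.1.3:80) you need a matching FORWARD ACCEPT for that host too, which of course gives 192.168.1.3 inbound exposure while still keeping it from initiating connections out. The rules are not persistent; save them with `iptables-save` or re-run the script at boot.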



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:10:25 EDT