How to set up a secure gateway on Linux Ubuntu?
Hello everyone,
I'm taking my first steps in learning Linux.
The task is to configure a gateway on Linux Ubuntu 14.04.1 LTS.
I want to build the network protection on the principle "whatever is not explicitly allowed is forbidden".
The server acts as gateway + NAT + firewall for the local network.
eth0 faces the Internet, eth1 faces the local network (192.168.0.0/24).
IP address of eth0: 192.168.136.129
IP address of eth1: 192.168.0.1
pc1 (192.168.0.2) - must be blocked from accessing the Internet.
pc2 (192.168.0.3) - port 3389 must be forwarded to it.
pc3 (192.168.0.4) - port 3390 must be forwarded to it.
System settings
1. Network (/etc/network/interfaces)
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp
# eth1 - local
auto eth1
iface eth1 inet static
address 192.168.0.1
netmask 255.255.255.0
# load the saved ruleset before eth1 is brought up
pre-up iptables-restore < /etc/firewall.conf
2. Forwarding (sysctl, e.g. /etc/sysctl.conf)
net.ipv4.ip_forward = 1
3. Firewall (/etc/firewall.conf, iptables-save format)
*filter
# default policy: everything not explicitly allowed is dropped
:INPUT DROP [608:26735]
:FORWARD DROP [0:0]
:OUTPUT DROP [261:35404]
# traffic to the gateway itself: SSH from the Internet, loopback, anything from the LAN
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -i eth1 -m state --state NEW,ESTABLISHED -j ACCEPT
# pc1: no forwarding (the second rule only matches if a packet with pc1's address arrives on eth0)
-A FORWARD -s 192.168.0.2/32 -i eth1 -j DROP
-A FORWARD -s 192.168.0.2/32 -i eth0 -j DROP
# LAN -> Internet, and the replies coming back
-A FORWARD -s 192.168.0.0/24 -i eth1 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -i eth0 -m state --state ESTABLISHED -j ACCEPT
# traffic from the gateway itself: only SSH replies and loopback
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [905:67641]
:INPUT ACCEPT [1:52]
:OUTPUT ACCEPT [110:25072]
:POSTROUTING ACCEPT [8:480]
# hide the LAN behind the eth0 address
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
4. Port forwarding (commands run by hand; they are not part of /etc/firewall.conf)
iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to 192.168.0.3:3389
iptables -I FORWARD -p tcp --dport 3389 --destination 192.168.0.3 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 3390 -j DNAT --to 192.168.0.4:3390
iptables -I FORWARD -p tcp --dport 3390 --destination 192.168.0.4 -j ACCEPT
Read the iptables tutorial, in particular the order and the place where rules/chains are applied. It's not difficult; you'll understand the process right away)
I like this one: www.amazon.com/Linux-iptables-Pocket-Reference-Gre...
Well, start with something simpler: play around, open/close ports, get a feel for the nat table.
A default DROP policy is good, but you can accidentally lock yourself out) It's better to put a drop-all rule at the end of the chains.
And to forward a port you need not only to change the destination address (-j DNAT) but also to allow forwarding of the necessary packets.
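To put the two points of the answer together (rule order with an explicit final drop, and DNAT paired with a matching FORWARD rule) against the requirements in the question, here is an added example script. It is not code from the question or from the answer. The interface names, LAN subnet, blocked host, forwarded ports and the /etc/firewall.conf path come from the question; the OUTPUT policy of ACCEPT, the conntrack match, the source-restricted MASQUERADE, the rollback timer and the print/test/apply modes are my own assumptions and design choices.

```shell
#!/bin/sh
# Added example (not the asker's or the answerer's code): generate, test and
# safely apply an iptables ruleset for the gateway described in the question.
# Usage:  sh gateway-fw.sh          # print the ruleset (iptables-restore format)
#         sh gateway-fw.sh test     # parse it with iptables-restore --test (root)
#         sh gateway-fw.sh apply    # load it with an automatic rollback (root)
set -eu

# Values from the question; override with environment variables if needed.
WAN_IF=${WAN_IF:-eth0}                       # faces the Internet
LAN_IF=${LAN_IF:-eth1}                       # faces the LAN
LAN_NET=${LAN_NET:-192.168.0.0/24}
BLOCKED_HOSTS=${BLOCKED_HOSTS:-192.168.0.2}  # pc1: no Internet at all
# "wan_port:lan_host:lan_port" triples, space separated (pc2 and pc3)
FORWARDS=${FORWARDS:-"3389:192.168.0.3:3389 3390:192.168.0.4:3390"}
# Path the question loads with "pre-up iptables-restore < ..."
CONF=${CONF:-/etc/firewall.conf}

# Emit one rule line; printf '%s' keeps a leading "-A" from being read as an option.
rule() { printf '%s\n' "$*"; }

generate_firewall_conf() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'   # assumption: the gateway's own outbound traffic is trusted
    # INPUT: traffic addressed to the gateway itself.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP
    rule -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT  # SSH from outside, as in the question
    rule -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # FORWARD: traffic routed between the LAN and the Internet. Order matters:
    # replies first, then the per-host block, then the general LAN -> Internet
    # allow, then the forwarded ports (matched on the post-DNAT destination).
    rule -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate INVALID -j DROP
    for h in $BLOCKED_HOSTS; do
        rule -A FORWARD -i "$LAN_IF" -s "$h" -j DROP
    done
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    for f in $FORWARDS; do
        wport=${f%%:*}; rest=${f#*:}; host=${rest%%:*}; lport=${rest#*:}
        rule -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$host" --dport "$lport" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Explicit final drops, as the answer suggests: the outcome no longer depends
    # on someone later resetting the chain policy to ACCEPT.
    rule -A INPUT -j DROP
    rule -A FORWARD -j DROP
    rule COMMIT
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':INPUT ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    for f in $FORWARDS; do
        wport=${f%%:*}; rest=${f#*:}; host=${rest%%:*}; lport=${rest#*:}
        rule -A PREROUTING -i "$WAN_IF" -p tcp --dport "$wport" -j DNAT --to-destination "$host:$lport"
    done
    # Only masquerade traffic that really originates in the LAN.
    rule -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    rule COMMIT
}

case "${1:-print}" in
    print) generate_firewall_conf ;;
    test)  generate_firewall_conf | iptables-restore --test && echo "ruleset parses OK" ;;
    apply)
        backup=$(mktemp)
        iptables-save > "$backup"
        generate_firewall_conf | iptables-restore --test
        generate_firewall_conf > "$CONF"
        sysctl -w net.ipv4.ip_forward=1
        iptables-restore < "$CONF"
        # Lock-out guard: the previous rules come back after 120 s unless this
        # timer is killed from a session that still works.
        ( sleep 120 && iptables-restore < "$backup" ) &
        echo "new ruleset loaded; to keep it, run: kill $!"
        ;;
    *) echo "usage: $0 [print|test|apply]" >&2; exit 2 ;;
esac
```

Without arguments the script only prints the ruleset, so it can be reviewed (or diffed against the current /etc/firewall.conf) before anything is loaded; the test and apply modes need root and a real iptables. Each forwarded port gets both a PREROUTING DNAT and a FORWARD rule that accepts the NEW connection to the translated address, which is exactly the pairing the answer describes, and the blocked host's DROP sits above the general LAN allow so it is reached first. The rollback timer is the practical form of the answer's warning about locking yourself out: if the new rules cut off your SSH session, the old ones return by themselves.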