[GRLUG] iptables

Rick Vargo rick at vargo.org
Mon Feb 12 15:49:04 EST 2007


What does the routing table on Linux2 look like?

Rick


Kaminski, Dennis J wrote:
>
> I've been using iptables for years for security on each individual 
> box. I thought I understood it, but I'm having some trouble with 
> address translation.
>
> The 3 boxes involved used to all be on the same network.
> Linux1,  eth0 172.16.0.10/255.255.255.0
> Linux2,  eth0 172.16.0.20/255.255.255.0
> Other3,  eth0 172.16.0.30/255.255.255.0
>
> There are some security issues on Other3 (non-linux). I'm trying to 
> move it to a different network, but still have it be accessible on its 
> original address and restrict access using iptables on Linux2. I 
> thought the following would work, but it doesn't.
>
> Linux1,  eth0 172.16.0.10/255.255.255.0 (same)
>
> Linux2,  eth0 172.16.0.20/255.255.255.0 (same)
>          eth1 192.168.0.20/255.255.255.0 (new)
>
> Other3,  eth0 192.168.0.30/255.255.255.0 (changed)
>
> The default route on Other3 is Linux2 (192.168.0.20).
>
> On Linux2, ip forwarding is turned on (/proc/sys/net/ipv4/ip_forward 
> is set to 1) and the iptables contains
>
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -t filter -F
>
> #       set policies
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> iptables -t nat -A PREROUTING  -d 172.16.0.30  -i eth0 -j DNAT --to-destination 192.168.0.30
> iptables -t nat -A POSTROUTING -s 192.168.0.30 -o eth0 -j SNAT --to-source 172.16.0.30
> iptables -A FORWARD -d 172.16.0.30  -j ACCEPT
> iptables -A FORWARD -d 192.168.0.30 -j ACCEPT
> iptables -A FORWARD -s 172.16.0.30  -j ACCEPT
> iptables -A FORWARD -s 192.168.0.30 -j ACCEPT
>
> iptables -A INPUT -s 172.16.0.0/255.255.255.0 -j ACCEPT
> iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
>
> I can ssh from Linux2 to Other3 and from Other3 to Linux2, BUT there 
> is a long pause (about 40 seconds) before it asks for the password.
>
> From Other3 I can ping both ip addresses of Linux2 (172.16.0.20 and 
> 192.168.0.20), but I cannot ping Linux1 (172.16.0.10)
>
> Does anyone have any words of advice?
>
> Thanks.
>
> *Dennis Kaminski*
>
>
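As an added illustration (not from the thread or from either poster), here is a small Python model of the order in which Linux2's ruleset is evaluated for a forwarded packet: PREROUTING nat, then routing, then the FORWARD chain, then POSTROUTING nat. It assumes, as the post describes, that eth0 carries 172.16.0.0/24 and eth1 carries 192.168.0.0/24. Running sample packets through it shows that the two FORWARD rules naming 172.16.0.30 can never match (the destination has already been rewritten by DNAT, and the source is not rewritten by SNAT until after FORWARD), so Other3's traffic is passing solely on the two rules that accept everything to or from 192.168.0.30.

```python
# Added example, not code from the thread: a minimal model of the netfilter path
# Linux2's rules traverse, to show which FORWARD rules can actually match.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

OTHER3_OLD, OTHER3_NEW = "172.16.0.30", "192.168.0.30"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str   # interface the packet arrived on

def prerouting_nat(p: Packet) -> Packet:
    """-t nat -A PREROUTING -d 172.16.0.30 -i eth0 -j DNAT --to-destination 192.168.0.30"""
    if p.dst == OTHER3_OLD and p.in_if == "eth0":
        return replace(p, dst=OTHER3_NEW)
    return p

def route(p: Packet) -> str:
    """Assumed routes: 192.168.0.0/24 via eth1, everything else via eth0."""
    return "eth1" if p.dst.startswith("192.168.0.") else "eth0"

# The four FORWARD rules from the post, in the order they were appended.
FORWARD_RULES = [("dst", OTHER3_OLD), ("dst", OTHER3_NEW),
                 ("src", OTHER3_OLD), ("src", OTHER3_NEW)]

def forward_chain(p: Packet) -> Optional[int]:
    """Index of the first FORWARD rule that matches, or None (policy DROP)."""
    for i, (field, value) in enumerate(FORWARD_RULES):
        if getattr(p, field) == value:
            return i
    return None

def postrouting_nat(p: Packet, out_if: str) -> Packet:
    """-t nat -A POSTROUTING -s 192.168.0.30 -o eth0 -j SNAT --to-source 172.16.0.30"""
    if p.src == OTHER3_NEW and out_if == "eth0":
        return replace(p, src=OTHER3_OLD)
    return p

def traverse(p: Packet) -> Tuple[Optional[int], Optional[Packet]]:
    """PREROUTING(nat) -> routing -> FORWARD -> POSTROUTING(nat); (rule hit, packet as sent)."""
    p = prerouting_nat(p)
    out_if = route(p)
    rule = forward_chain(p)
    if rule is None:
        return None, None          # FORWARD policy DROP
    return rule, postrouting_nat(p, out_if)

def matched_rules(packets) -> set:
    """Set of FORWARD rule indices that fire for a batch of packets."""
    return {traverse(p)[0] for p in packets} - {None}
```

Rules 0 and 2 are dead because the FORWARD chain only ever sees the post-DNAT, pre-SNAT addresses; any restriction of what may reach Other3 has to be expressed against 192.168.0.30 (or against the interfaces and connection state) to take effect.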

