Secure Firewall

Alexander Salmin security.member at gmail.com
Tue Aug 9 15:24:47 CEST 2005


Hello friends,

I'm trying to set up a secure NAT firewall at home, and for that I need
help with some rules.

I've got a total of four computers, including the server. 

These are the ones that should be NAT'ed:

#1 --- 192.168.51.20 --- Should be able to access all internet.
#2 --- 192.168.51.40 --- Should be able to access only websites (port 80,443).
#3 --- 192.168.51.80 --- Should be able to access only websites (port 80,443).

This is what my non-working iptables script looks like right now:
-------------------------------------------------------------------------------------
INT="eth0"
EXT="eth1"
IPTABLES=/sbin/iptables

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -i $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport bootps -i $INT -j ACCEPT
$IPTABLES -A INPUT -p UDP --dport domain -i $INT -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -s 192.168.51.20 -o $EXT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.40 -dport 80 -o $EXT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.51.80 -dport 80 -o $EXT -j MASQUERADE

$IPTABLES -A INPUT -j DROP
-------------------------------------------------------------------------------------

Somehow, it doesn't work with -dport 80, and I believe that I have
missed some allow rules, because the -j DROP denies the computer at
192.168.51.20 too.

Any help would be appreciated!


Thanks,
--Alexander.
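An added example of how the policy described in the post is usually expressed with iptables; this is not the poster's script and not a reply from the list. It assumes eth0 is the LAN side, eth1 the Internet side and 192.168.51.0/24 the LAN, as in the post: per-host port restrictions are placed in the FORWARD chain, MASQUERADE only rewrites the source address, --dport (two dashes) is paired with -p tcp, and IP forwarding is switched on. Run it as root with the argument apply, or point IPTABLES at a small function that prints its arguments to preview the rules without loading them.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes eth0 = LAN, eth1 = Internet.
set -eu

INT="eth0"
EXT="eth1"
IPTABLES="${IPTABLES:-/sbin/iptables}"   # point this at a printing command to preview
# Wrapper so every rule goes through one variable (real binary or a dry-run stand-in).
ipt() { "$IPTABLES" "$@"; }

firewall_rules() {
    # Clean slate, default-deny in every chain.
    ipt -F INPUT; ipt -F OUTPUT; ipt -F FORWARD; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP

    # Loopback, plus replies to connections already allowed in either direction.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services the firewall itself provides to the LAN (ping, DHCP, DNS).
    ipt -A INPUT -i "$INT" -p icmp -j ACCEPT
    ipt -A INPUT -i "$INT" -p udp --dport bootps -j ACCEPT
    ipt -A INPUT -i "$INT" -p udp --dport domain -j ACCEPT
    # The box may talk freely to the LAN and open its own connections upstream
    # (DNS forwarding, updates); narrow the second rule if the box needs less.
    ipt -A OUTPUT -o "$INT" -j ACCEPT
    ipt -A OUTPUT -o "$EXT" -m state --state NEW -j ACCEPT

    # Per-host policy belongs in FORWARD. The nat table sees only the first
    # packet of a connection and is not where access control should live.
    ipt -A FORWARD -i "$INT" -o "$EXT" -s 192.168.51.20 -j ACCEPT
    for host in 192.168.51.40 192.168.51.80; do
        # --dport (two dashes) is only valid together with -p tcp or -p udp.
        ipt -A FORWARD -i "$INT" -o "$EXT" -s "$host" \
            -p tcp -m multiport --dports 80,443 -j ACCEPT
    done

    # Masquerade whatever FORWARD has already permitted.
    ipt -t nat -A POSTROUTING -s 192.168.51.0/24 -o "$EXT" -j MASQUERADE
}

# Forwarding is off by default; enabling it is part of the setup. Only touch the
# kernel when explicitly asked, so the file can be sourced for a dry run.
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    firewall_rules
fi
```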


