Hello,
Finally I was able to code the firewall exactly as it is intended to operate. It was tough and I even tried to cheat by using Firestarter on a live session and copy the resulting codes, but they turned out to be even more complex than what I wanted. Even tried Shorewall but it did not suit my purpose. I was almost giving up but finally got the wall up. Now I have understood the main concepts and what goes to which table/chain.
In this setup, there are 15 machines in a LAN and except 4 senior users, no one had internet access. However the company decided to get a remote office setup at their website and everyone would pass on memos, to-dos, jobs etc through it. Therefore net access had to be enabled but only to that website. The 4 main users would still have to be allowed to go anywhere on the net.
Rony wrote:
> Finally I was able to code the firewall exactly as it is intended to operate. It was tough and I even tried to cheat by using Firestarter on a live session and copy the resulting codes, but they turned out to be even more complex than what I wanted. Even tried Shorewall but it did not suit my purpose. I was almost giving up but finally got the wall up. Now I have understood the main concepts and what goes to which table/chain.
Congratulations rony :-)
If you can, please put up detailed instructions/guidelines for other people. Maybe you can provide them with just your example.
> In this setup, there are 15 machines in a LAN and except 4 senior users, no one had internet access. However the company decided to get a remote office setup at their website and everyone would pass on memos, to-dos, jobs etc through it. Therefore net access had to be enabled but only to that website. The 4 main users would still have to be allowed to go anywhere on the net.
Just a thought: If that was the only requirement could it have been solved by proxy (e.g. squid) ?
Thanks and Regards, Ranjeet Walunj
Ranjeet Walunj wrote:
> Rony wrote:
> > Finally I was able to code the firewall exactly as it is intended to operate. It was tough and I even tried to cheat by using Firestarter on a live session and copy the resulting codes, but they turned out to be even more complex than what I wanted. Even tried Shorewall but it did not suit my purpose. I was almost giving up but finally got the wall up. Now I have understood the main concepts and what goes to which table/chain.
> Congratulations rony :-)
> If you can, please put up detailed instructions/guidelines for other people. Maybe you can provide them with just your example.
For iptables there are many factors and combinations to consider so explaining it won't be easy. There are many websites explaining it much better and in detail. However there is one thing I want to share with those who have always wondered how internet connection sharing is done in Linux. In doze, we simply right click on the internet interface and enable sharing. Then it asks which interface will be connected to the local network. In Linux too it is the same thing but in command line in 3 simple steps.
We assume 2 devices eth0 connected to the internet router and eth1 connected to the local LAN. The local LAN interface forwards all packets to the internet interface and the internet interface masquerades them to NAT them to the internet.
1.) The interface connected to the internet device is given instructions to masquerade all outgoing local ip address requests going out to the internet, in order to enable NAT. This is done because packets from private IP addresses cannot be directly routed to Public IP addresses. The command to do this is
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Here iptables is told to add/append a rule in the POSTROUTING chain of the nat table to MASQUERADE all outgoing requests from the interface connected to the net (eth0). The same as right clicking on the interface in doze to enable sharing.
2.) The interface connected to the local LAN is now instructed to forward all packets it receives from the LAN, via input device eth1. The same as doze asking which is the interface connected to the LAN.
iptables -A FORWARD -i eth1 -j ACCEPT
That's it, except that there is a local 'havaldaar' between the 2 interfaces, who will not allow forwarding without a permit. To get this permit, one has to enable ip_forwarding in the system. This is done by editing the /etc/sysctl.conf file to enable (un-comment) the relevant entry in the script.
According to your distro, save your iptables rules and enable them to start every time the system boots.
> In this setup, there are 15 machines in a LAN and except 4 senior users, no one had internet access. However the company decided to get a remote office setup at their website and everyone would pass on memos, to-dos, jobs etc through it. Therefore net access had to be enabled but only to that website. The 4 main users would still have to be allowed to go anywhere on the net.
> Just a thought: If that was the only requirement could it have been solved by proxy (e.g. squid) ?
Proxy servers only work on web surfing. I wanted pop3, smtp and other such services too. I went through write ups on squid etc but they did not have proper pop3, smtp support. BTW, those who want to setup a transparent proxy where the LAN machines do not use any special proxy settings, have to simply use port forwarding in iptables to forward requests from the regular ports in the LAN to the proxy ports in the server. Squid is happy and clients are happy too.
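The three steps Rony describes, written out as one script, as an added example that is not Rony's own firewall script and not code from the thread: it generates the plain sharing rules (MASQUERADE on the internet side, FORWARD from the LAN side, ip_forward turned on), and then the variant the thread's scenario asks for, where every LAN host may reach only the company site and a short list of hosts may reach anything. Interface names, the 192.168.1.x hosts, the resolver address and the site IP 203.0.113.10 are constructed placeholders. The RELATED,ESTABLISHED rule and the FORWARD DROP policy are additions beyond the post, so that replies still come back once the default policy is no longer ACCEPT. Rules are only applied when the script is run with --apply as root; otherwise it prints them.

```shell
#!/bin/sh
# Added example, not Rony's script. Builds the iptables rule lists for Linux
# internet connection sharing and for the thread's "one site for most, all
# sites for a few" policy. All addresses and interface names are constructed.

# Steps 1 and 2 of the post: masquerade on the WAN side, forward from the LAN.
# The RELATED,ESTABLISHED rule is an addition so the return path survives a
# FORWARD policy of DROP; the post relies on the default policy being ACCEPT.
sharing_rules() {
    wan="$1"; lan="$2"
    printf '%s\n' \
        "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE" \
        "iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "iptables -A FORWARD -i $lan -o $wan -j ACCEPT"
}

# Scenario rules. $3 is the IP of the company site, $4 the resolver the LAN
# may query (hosts must still resolve the site's name), remaining arguments
# are the unrestricted hosts. A FORWARD policy of DROP makes "that site only"
# the default for everyone not listed.
restricted_rules() {
    wan="$1"; lan="$2"; site="$3"; dns="$4"; shift 4
    printf '%s\n' \
        "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE" \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    for host in "$@"; do
        printf '%s\n' "iptables -A FORWARD -i $lan -o $wan -s $host -j ACCEPT"
    done
    printf '%s\n' \
        "iptables -A FORWARD -i $lan -o $wan -p udp --dport 53 -d $dns -j ACCEPT" \
        "iptables -A FORWARD -i $lan -o $wan -d $site -j ACCEPT"
}

# Step 3, the 'havaldaar' permit: true when the kernel already forwards.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Run a rule list (one command per line on stdin) and switch forwarding on.
# The persistent form of the last line is net.ipv4.ip_forward = 1 in sysctl.conf.
apply_rules() {
    while IFS= read -r line; do
        [ -n "$line" ] && eval "$line"
    done
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Number of iptables commands a generator emits; a sanity check before applying.
rule_count() { "$@" | grep -c '^iptables'; }

# Usage: print both rule sets with constructed addresses, apply only on request.
if [ "${1:-}" = "--apply" ]; then
    restricted_rules eth0 eth1 203.0.113.10 192.168.1.1 192.168.1.11 192.168.1.12 | apply_rules
else
    sharing_rules eth0 eth1
    echo
    restricted_rules eth0 eth1 203.0.113.10 192.168.1.1 192.168.1.11 192.168.1.12
fi
```

The generators only print, so the output can be reviewed or diffed before anything touches the running firewall; the site is given as an IP rather than a hostname because a `-d` hostname is resolved once when the rule is inserted, and a site whose address changes would silently stop matching.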