Firewall Rules
Rashkae
ubuntu at tigershaunt.com
Wed Aug 22 18:59:20 UTC 2007
Victor Padro wrote:
> Hello there!
>
> I am researching some NAT/firewall rules in order to implement an Ubuntu
> 6.06 LTS box as a firewall/router with only one public IP... the catch is that
> I want to use a couple of servers behind the firewall using web/ftp/mail
> services, using their own ports (80, 443, 21, 25, etc.). Can this be done? I
> read something about DNAT but I am confused if I have to change the servers'
> ports to something like 1050, 1053, 10023, etc. Any suggestions about that?
>
> thanks.
>
>
Yes, this can be done, and no, you don't have to change any of the
servers' ports.
The iptables rules would look something like this:
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.2
In this example, my internal webserver would be located at 10.0.0.2.
If your default FORWARD policy is to DROP (which it should be), you also
need to open up a path in the FORWARD chain:
/usr/sbin/iptables -A FORWARD -d 10.0.0.2 -p tcp --dport 80 -j ACCEPT
Here's a neat trick. If you want to completely isolate one of your
internal computers from the Internet, you can SNAT the incoming
connections, to re-write the source IP as well as the destination IP.
This way, as far as the Internal server is concerned, all incoming
requests are coming from the local network, and it need not even have a
valid gateway to work. A consequence of this, however, is the internal
server would not be able to log the IP addresses of incoming connections.
/usr/sbin/iptables -t nat -A POSTROUTING -d 10.0.0.2 -j SNAT --to 10.0.0.1
For any of this to work, you need to enable IP forwarding. Hopefully,
someone on the list can let us know what the correct Debian way of
doing this is. For the sake of completeness, my firewall script uses:
echo "1" > /proc/sys/net/ipv4/ip_forward
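The pieces of the reply above (DNAT in PREROUTING, the FORWARD opening, the optional SNAT isolation trick and IP forwarding) put together as one script. This is an added example, not the poster's own firewall script; the WAN interface eth0, the router LAN address 10.0.0.1 and the internal server 10.0.0.2 are assumed, and nothing is applied unless FW_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the list post): build the DNAT/FORWARD/SNAT rule set
# for a single-public-IP router, printing every command before running it.
# Assumed, hypothetical layout: WAN interface eth0, router LAN address
# 10.0.0.1, internal server 10.0.0.2.  Commands execute only with FW_APPLY=1.

WAN_IF="${WAN_IF:-eth0}"
LAN_IP="${LAN_IP:-10.0.0.1}"
IPT="${IPT:-/usr/sbin/iptables}"
# Print a command; execute it too when FW_APPLY=1 (needs root).
run() {
    echo "$*"
    [ "${FW_APPLY:-0}" = "1" ] && "$@"
    return 0
}

# forward_port PROTO PORT INTERNAL_IP [snat]
# DNAT the public port to the internal host and open the matching path in
# FORWARD.  With "snat" the source is rewritten to the router's LAN address
# too, so the server sees only local clients and needs no default gateway,
# at the cost of losing real client addresses in its logs.
forward_port() {
    proto=$1; port=$2; dest=$3; mode=${4:-}
    run "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$dest"
    run "$IPT" -A FORWARD -i "$WAN_IF" -d "$dest" -p "$proto" --dport "$port" \
        -m state --state NEW -j ACCEPT
    [ "$mode" = "snat" ] && run "$IPT" -t nat -A POSTROUTING -d "$dest" \
        -p "$proto" --dport "$port" -j SNAT --to-source "$LAN_IP"
    return 0
}

# Default-deny forwarding but always pass replies; sysctl is the persistent
# form of `echo 1 > /proc/sys/net/ipv4/ip_forward` (also /etc/sysctl.conf).
base_rules() {
    run "$IPT" -P FORWARD DROP
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
}

# Number of iptables commands one forward_port call emits: 2, or 3 with snat.
rule_count() { forward_port "$@" | grep -c "^$IPT "; }

# Plan for web, ftp control and mail.  FTP data channels additionally need the
# ip_conntrack_ftp/ip_nat_ftp modules loaded so RELATED matches them.
plan_all() {
    base_rules
    for p in 80 443 21 25; do forward_port tcp "$p" 10.0.0.2; done
}
plan_all
```

Run it once without FW_APPLY to review the printed rule set, then with FW_APPLY=1 as root to load it.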