Firewall Rules

Victor Padro vpadro at gmail.com
Wed Aug 22 21:59:10 UTC 2007


OK, thank you for the info. Now, would this be fine just to implement three
servers using ftp, web and mail services behind a Ubuntu box firewall?

/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.2
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.3
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.4
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.0.0.2
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.0.0.3
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 10.0.0.4
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 10.0.0.2
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 10.0.0.3
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 10.0.0.4

And do I have to implement a DNS server just to resolve internal and
external requests on my network, using NAT?
I ask this because I have a dynamic public address and it's pointing at
myserverdomain.com, myserverdomain.net and myserverdomain.org.
In that case, can I do this?

/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 54 -j DNAT --to 10.0.0.5

Thank you in advance...

Victor.

On 22/08/07, Rashkae <ubuntu at tigershaunt.com> wrote:
>
> Victor Padro wrote:
> > Hello there!
> >
> > I am researching some NAT/firewall rules in order to implement a Ubuntu
> > 6.06 LTS box as a firewall/router with only one public IP... the catch is
> > that I want to use a couple of servers behind the firewall using
> > web/ftp/mail services, using their own ports (80, 443, 21, 25, etc.). Can
> > this be done? I read something about DNAT but I am confused whether I
> > have to change the servers' ports to something like 1050, 1053, 10023,
> > etc. Any suggestions about it?
> >
> > thanks.
> >
> >
>
> Yes, this can be done, and no, you don't have to change any of the
> servers' ports.
>
> The iptables rules would look something like this:
>
> /usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.2
>
>
> In this example, my Internal Webserver would be located at 10.0.0.2
>
> If your default FORWARD Policy is to DROP (which it should), you also
> need to open up a path in FORWARD chain:
>
> /usr/sbin/iptables -A FORWARD -d 10.0.0.2 -p tcp --dport 80 -j ACCEPT
>
> Here's a neat trick.  If you want to completely isolate one of your
> internal computers from the Internet, you can SNAT the incoming
> connections, to re-write the source IP as well as the destination IP.
> This way, as far as the Internal server is concerned, all incoming
> requests are coming from the local network, and it need not even have a
> valid gateway to work.  A consequence of this, however, is the internal
> server would not be able to log the IP addresses of incoming connections.
>
> /usr/sbin/iptables -t nat -A POSTROUTING -d 10.0.0.2 -j SNAT --to 10.0.0.1
>
> For any of this to work, you need to enable IP forwarding.  Hopefully,
> someone on the list can let us know what is the correct Debian way of
> doing this. For the sake of completeness, my firewall script uses:
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
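The pieces Rashkae lists (DNAT in PREROUTING, an ACCEPT in FORWARD, the optional SNAT isolation trick, and ip_forward) fit together into one small script. The following is an added example, not code from either poster; it assumes a constructed topology (WAN interface eth0, LAN interface eth1, firewall LAN address 10.0.0.1, web server 10.0.0.2, ftp server 10.0.0.3, mail server 10.0.0.4) and adds two things a defender would want beyond the thread's one-liners: `-i eth0` on the DNAT and FORWARD rules so only traffic arriving from the outside is forwarded, and conntrack state matching so replies are accepted without opening the FORWARD chain wide. It also shows why the three-rules-per-port list in the question above cannot work as written: with a single public address, the first matching PREROUTING rule wins, so each public port goes to exactly one internal host.

```shell
#!/bin/sh
# Added example (not from the thread): a small port-forwarding firewall
# script built from the rules Rashkae describes. Constructed topology:
#   WAN interface eth0, LAN interface eth1, firewall LAN address 10.0.0.1,
#   web server 10.0.0.2, ftp server 10.0.0.3, mail server 10.0.0.4.
# Usage:  sh fw.sh show   -> print the commands that would be run
#         sh fw.sh apply  -> apply them (needs root)
set -eu

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
FW_LAN_IP=${FW_LAN_IP:-10.0.0.1}
IPT=${IPT:-/usr/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# forward_port PROTO PORT INTERNAL_IP
# DNAT one public port to one internal host and open the matching FORWARD
# path. Only the first matching PREROUTING rule fires, so a given public
# port can reach exactly one internal host per public address.
forward_port() {
  proto=$1; port=$2; dest=$3
  run "$IPT" -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$port" \
      -j DNAT --to-destination "$dest"
  run "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -d "$dest" -p "$proto" --dport "$port" \
      -m conntrack --ctstate NEW -j ACCEPT
}

# isolate_host INTERNAL_IP
# Rashkae's trick: rewrite the source of forwarded connections to the
# firewall's LAN address so the host needs no default gateway. Its own logs
# will then show 10.0.0.1 for every client, so log client addresses on the
# firewall instead.
isolate_host() {
  dest=$1
  run "$IPT" -t nat -A POSTROUTING -o "$LAN" -d "$dest" -j SNAT --to-source "$FW_LAN_IP"
}

apply_firewall() {
  # Runtime equivalent of echo 1 > /proc/sys/net/ipv4/ip_forward.
  run sysctl -w net.ipv4.ip_forward=1

  # Start clean and default-deny on INPUT and FORWARD.
  run "$IPT" -F
  run "$IPT" -t nat -F
  run "$IPT" -P INPUT DROP
  run "$IPT" -P FORWARD DROP
  run "$IPT" -P OUTPUT ACCEPT

  # Loopback, and replies to connections the firewall or the LAN opened.
  run "$IPT" -A INPUT -i lo -j ACCEPT
  run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP

  # LAN hosts reach the Internet through the single public address.
  run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
  run "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

  # One internal host per published port.
  forward_port tcp 80  10.0.0.2
  forward_port tcp 443 10.0.0.2
  forward_port tcp 21  10.0.0.3
  forward_port tcp 25  10.0.0.4
  isolate_host 10.0.0.4
}

case "${1:-}" in
  apply) apply_firewall ;;
  show)  DRY_RUN=1; apply_firewall ;;
esac
```

Run `sh fw.sh show` first to review the generated rule set before applying it. To make forwarding survive a reboot on Debian and Ubuntu, set `net.ipv4.ip_forward=1` in /etc/sysctl.conf rather than relying on the echo at boot. Note that the FTP forward only covers the control port (21); active-mode data connections need the conntrack FTP helper, which this script does not load.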