iptables, combined with the IP forwarding feature of the Linux kernel, can be configured to do static NAT: a fixed one-to-one mapping between an internal address and a public one. This post gives an example configuration for static NAT on a Linux machine, followed by the Debian network setup and a way to keep a firewall rule set across reboots.
1. Load the nat module.
Execute this command, and add it to /etc/rc.local so that it runs on every reboot (current kernels load the module automatically the first time iptables touches the nat table, so this step is harmless insurance rather than a hard requirement):
modprobe iptable_nat
2. Enable IP forwarding. Without it the kernel drops packets that are not addressed to the machine itself, and no NAT rule ever sees them. This command enables forwarding immediately, until the next reboot:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it permanent, edit /etc/sysctl.conf and uncomment this line,
#net.ipv4.ip_forward=1
so that it reads
net.ipv4.ip_forward=1
i.e. the value is 1, meaning IP forwarding is enabled. Running sysctl -p applies the file without a reboot.
3. Create the iptables rules.
There are two kinds of NAT: source NAT for the address of your home server, done in the POSTROUTING chain of the nat table (SNAT), and destination NAT for the address the internet server sees, done in the PREROUTING chain (DNAT). A static NAT needs both halves: SNAT so that the server's outbound connections leave with the public address, and DNAT so that inbound connections to the public address reach the server.
For example, to NAT your local server 192.168.1.1 to the public address 201.1.1.1, configure POSTROUTING for the outbound half.
Configure static NAT from the local server to the public IP:
iptables -t nat -A POSTROUTING -s 192.168.1.1 -o eth0 -j SNAT --to-source 201.1.1.1
The public address must actually be reachable on eth0 (assigned to it as an alias, or routed to this machine by the upstream router); otherwise replies to 201.1.1.1 never arrive. Then allow forwarding of the SNATed connections from the local server:
iptables -t filter -A FORWARD -s 192.168.1.1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
With the default FORWARD policy of ACCEPT this rule changes nothing. It matters once you set a default deny on FORWARD, and then you also need a rule that accepts ESTABLISHED,RELATED traffic coming back in on eth0 towards the server, since this one only matches packets leaving on eth0.
Rules entered at the command line are lost at reboot, so save them in your iptables script (see "Storing iptables rules in a file" below).
Linux Home Networking (http://www.linuxhomenetworking.com/) is a good source for Linux networking in general.
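Here is the whole of step 3 as one script, added as an example and not code from the original post. It generates the nat and filter rules for a static NAT of one host in the iptables-restore format used later on this page, including the inbound PREROUTING/DNAT half that the text above only mentions. The addresses and interface are the post's; the function name, the "apply" mode and the default-deny FORWARD chain are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits the complete rule
# set for a static (one-to-one) NAT of a single internal host, in the
# iptables-restore format used later on this page. 192.168.1.1, 201.1.1.1
# and eth0 are the post's values; the function name, the "apply" mode and
# the default-deny FORWARD chain are this example's own assumptions.
set -eu

# static_nat_rules LOCAL_IP PUBLIC_IP WAN_IF
# nat table:    PREROUTING DNAT  - packets arriving on WAN_IF for PUBLIC_IP
#                                  are redirected to LOCAL_IP (inbound half)
#               POSTROUTING SNAT - packets from LOCAL_IP leaving on WAN_IF
#                                  get PUBLIC_IP as source (outbound half)
# filter table: FORWARD defaults to DROP and accepts only this host's new
#               connections in either direction plus the replies conntrack
#               ties to them, so the mapping is explicit rather than a side
#               effect of the ACCEPT policy the post relies on.
#               "-m conntrack --ctstate" is the current spelling of the
#               post's "-m state --state".
static_nat_rules() {
  [ $# -eq 3 ] || { echo "usage: static_nat_rules LOCAL_IP PUBLIC_IP WAN_IF" >&2; return 1; }
  local_ip=$1 public_ip=$2 wan_if=$3
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan_if -d $public_ip -j DNAT --to-destination $local_ip
-A POSTROUTING -o $wan_if -s $local_ip -j SNAT --to-source $public_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $local_ip -o $wan_if -m conntrack --ctstate NEW -j ACCEPT
# The inbound rule below publishes every port of LOCAL_IP to the internet;
# add e.g. "-p tcp --dport 443" to it to expose one service only.
-A FORWARD -i $wan_if -d $local_ip -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage (as root):  sh static-nat.sh apply 192.168.1.1 201.1.1.1 eth0
# Without "apply" the script only defines the function, so it can be sourced.
if [ "${1:-}" = "apply" ]; then
  shift
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  static_nat_rules "$@" | iptables-restore --test   # parse and build only; nothing committed
  static_nat_rules "$@" | iptables-restore          # replaces the nat and filter tables
fi
```

The --test pass makes iptables-restore parse and build the rule set without committing it, so a typo is caught before the live tables are touched. Because the generated file names both tables, loading it replaces whatever is currently in nat and filter; tables it does not name are left alone.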
Put the interface, IP address and gateway configuration in a file so that it survives a reboot. On Debian this lives in the file "interfaces" in the directory "/etc/network/". The file looks like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.10.10.10
netmask 255.255.255.0
network 10.10.10.0
broadcast 10.10.10.255
gateway 10.10.10.1
Fill in address, netmask, network, broadcast and gateway for your network (the gateway is the router this machine sends internet-bound traffic to). To resolve host names, which browsing needs, list your DNS servers in the file "/etc/resolv.conf", like this:
nameserver 10.10.10.2
nameserver 10.10.10.5
Viewing the current configuration
Listing the rules with no options shows only the filter table, with addresses resolved to names (slow, and it hangs when DNS is unreachable) and without counters; add -n to skip name lookups, -v for packet and byte counters, and -t nat to see the NAT rules from step 3. A machine with no rules yet shows:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Storing iptables rules in a file
nano /etc/iptables.test.rules
*filter
# Allows all loopback (lo) traffic and rejects all traffic to 127/8 that doesn't use lo
# (the negation goes before the option; the old "-i ! lo" form is deprecated)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
# THE --dport NUMBER IS THE SAME ONE YOU SET AS Port IN sshd_config (30000 here; the default is 22)
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Load the test file into the kernel (each table named in the file is flushed and replaced; tables it does not name, such as nat, are left alone) and check the result:
iptables-restore < /etc/iptables.test.rules
iptables -L
When it looks right, save the complete running rule set, nat table included, to the file that will be loaded at boot:
iptables-save > /etc/iptables.up.rules
Then make ifupdown load it before any interface comes up:
nano /etc/network/if-pre-up.d/iptables
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
chmod +x /etc/network/if-pre-up.d/iptables
The script must be executable and its name must contain no dots, otherwise run-parts skips it. On current Debian the iptables-persistent package does the same job with /etc/iptables/rules.v4.
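The procedure above loads a hand-edited file straight into the live firewall, and a mistake in the INPUT chain of a remote machine ends the SSH session you are typing in. The following script is an added example, not code from the original post: it sanity-checks a rules file for the problems this page's own template is prone to, then loads it with an automatic rollback if you do not confirm within a timeout. The file names are the post's; the function names, the checks and the 60-second window are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not code from the original post: sanity-check a rules file in
# iptables-restore format before loading it, and load it with an automatic
# rollback so a mistake cannot lock you out of an SSH session. The file names
# are the post's; the function names, the checks and the 60-second
# confirmation window are this example's own.
set -eu

# check_rules_file FILE
# Static checks that iptables-restore itself does not make:
#   - every "*table" header is closed by a COMMIT line
#   - no intrapositioned negation ("-i ! lo"); current iptables wants "! -i lo"
#   - the last INPUT rule is an unconditional REJECT/DROP, or the INPUT policy
#     is DROP, so the file really is default-deny
# Prints each finding to stderr; returns 0 only when all checks pass.
check_rules_file() {
  file=$1 rc=0
  [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
  tables=$(grep -c '^\*' "$file" || true)
  commits=$(grep -c '^COMMIT$' "$file" || true)
  if [ "$tables" -ne "$commits" ]; then
    echo "$file: $tables table header(s) but $commits COMMIT line(s)" >&2; rc=1
  fi
  if grep -nE -- '(^| )-[a-z-]+ ! ' "$file" >&2; then
    echo "$file: intrapositioned negation above; write it as '! -i lo'" >&2; rc=1
  fi
  last_input=$(grep -- '^-A INPUT ' "$file" | tail -n 1 || true)
  if ! printf '%s\n' "$last_input" | grep -qE -- '^-A INPUT -j (REJECT|DROP)( |$)' \
     && ! grep -q '^:INPUT DROP' "$file"; then
    echo "$file: INPUT is not default-deny (no final REJECT/DROP rule, no DROP policy)" >&2; rc=1
  fi
  return $rc
}

# write_sample_rules
# Writes a constructed rules file (the post's template cut down, in the old
# "-i ! lo" syntax and missing its COMMIT) to a temp file and prints the path,
# so the checker can be tried without touching the live firewall.
write_sample_rules() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 30000 -j ACCEPT
-A INPUT -j REJECT
EOF
  echo "$f"
}

# apply_with_rollback FILE [SECONDS]
# Checks FILE, loads it, then waits for Enter. If nothing arrives within
# SECONDS (default 60), e.g. because the new rules cut this SSH session, the
# previous rule set is put back. Needs root; "read -t" is a bash feature.
apply_with_rollback() {
  file=$1 wait=${2:-60}
  check_rules_file "$file"
  iptables-restore --test < "$file"        # parse and build only, nothing committed
  backup=$(mktemp)
  iptables-save > "$backup"
  iptables-restore < "$file"
  echo "New rules loaded. Press Enter within ${wait}s to keep them."
  if read -r -t "$wait" _; then
    rm -f "$backup"
    echo "Kept. Persist them with: iptables-save > /etc/iptables.up.rules"
  else
    iptables-restore < "$backup"
    rm -f "$backup"
    echo "No confirmation; previous rules restored." >&2
    return 1
  fi
}

# Usage (as root):  bash safe-apply.sh /etc/iptables.test.rules
# With no argument the script only defines the functions.
if [ $# -ge 1 ]; then
  apply_with_rollback "$@"
fi
```

Run it against /etc/iptables.test.rules instead of calling iptables-restore by hand; only after you have pressed Enter should the rule set be saved to /etc/iptables.up.rules for loading at boot. The default-deny check is deliberately strict: a file whose INPUT chain ends in an ACCEPT for some port, with no catch-all REJECT and an ACCEPT policy, passes iptables-restore but is not a firewall.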
See also
- Documentation about netfilter/iptables:
  . http://www.netfilter.org/documentation/ - Gentle Introductions/Overviews
- Firewall and Advanced Routing Under Linux:
  . http://ornellas.apanela.com/dokuwiki/pub:firewall_and_adv_routing
- Iptables Basics:
  . http://www.justlinux.com/nhf/Security/IPtables_Basics.html
- Securing Debian: Adding firewall capabilities:
  . http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup