#!/bin/sh echo "Stopping firewall and allowing everyone..." iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT
If you want to redirect the web service for example, from the public IP address to a Private ones (located in your lan with private IP range) you use:
# iptables -t nat -A PREROUTING -p TCP --dport 80 -j DNAT --to-destination 10.10.0.15 (replace with yours)
In this case I’m mapping the Web service from my Public Server to a Private ones.
Note: The Public server can have the port 80 closed in its firewall rules
Network Address Translation, very useful for me.
You should have at leat two network interfaces.
This is an example using MASQUERADE (SNAT) dump type.
The kernel IP forwarding should be enabled before begins to setup NAT rules.
To enable on debian’s based system
# echo 1 > /proc/sys/net/ipv4/ip_forward ;(temporarily)
or add to the /etc/sysctl.conf file :
net.ipv4.ip_forward = 1 ;(for permanent)
Accepting connections through FORWARD table:
# iptables -P FORWARD ACCEPT
so the rule:
# iptables -t nat -A POSTROUTING -o (interface that has the internet connection) -j MASQUERADE
Note: is very important to have two different network ranges like and know what would be the gateway on the clients.
eth0 > dhcp from ISP
eth1 > 172.20.0.0 (NAT range)
For permanent effect:
add to /etc/rc.local script this line:
/sbin/iptables -t nat -A POSTROUTING -o (interface with internet) -j MASQUERADE
MANUAL CLIENTS CONFIGURATION
note: you can set up a DHCP server and make the job easier.
ip > 172.20.0.10 (into NAT range) ; this address could be different
Subnet Mask > 255.255.255.0 ; this address could be different
Gateway > 172.20.0.1 ; Linux nat interface (in this case eth1 address)
DNS servers > you can set public DNS address like openDNS or internal ones. On the Linux system machine with NAT rules type:
# cat /etc/resolv.conf
and put the Linux’s system DNS. (may be a router with another NAT range with a DNS server configured)
Tip! You can make restrinctions to any service on the network introducing INPUT rules like into FORWARD table with the prefix:
# iptables -A FORWARD ... DOne.
Nowadays, It’s very important to get a fully working/firewall on your computer or in which you put your hands. I used to use Firestarter in my Debian’s Based System, But although is very functional, I didn’t like the way to apply the rules and manage the FORWARD and OUPUT rules as well. To manage your firewall directly with iptables you can read this and find it out in a simple way.
I supose you already have iptables installed in your system.
Previously to set up rules:
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# iptables -P INPUT DROP # iptables -P FORWARD DROP # iptables -P OUTPUT ACCEPT
Examples of rules:
# iptables -A INPUT -d (server address) -p FTP --dport 22 -j ACCEPT # iptables -A INPUT -s 18.104.22.168 -d (server address) -p ICMP -j ACCEPT # iptables -A INPUT -d (server address) -p ICMP -j DROP