iptables firewall and routing

Posted on February 9, 2020

Hi, I am studying the functions of iptables for routing and firewalling. I would like to have a Linux box with 3 eth interfaces: eth0 outside, eth1 inside 1, eth2 inside 2. eth0 192.168.5.1; eth1 192.168.6.0/24 - in this LAN there is a web server and SSH server on 192.168.6.100; eth2 192.168.7.0/24 - in this LAN there are hosts for developers and debuggers (IPs via DHCP). Calls to the web server on 443 will be forwarded to 5656 (I will change the port on HTTPS). Only internally, the developers and debuggers can chat with a piece of software that works on port 3136. All LAN segments can go outside.

Can someone help me with a script so I can understand it and do some tests? Another question: to work like a router, should I also edit the routes on the Linux PC that will be the router? Because I think the different eths don't know where to send packets if the routing is not configured. Thanks for your patience, but I used iptables many years ago and now I have forgotten everything.




Hi there,

I can try and help you outline a simple iptables configuration that should achieve what you’re looking to do.

  1. Firstly, you’ll need to enable IP forwarding on your Linux router.

    echo 1 > /proc/sys/net/ipv4/ip_forward
    

    To make this change permanent, edit the file /etc/sysctl.conf and set net.ipv4.ip_forward=1.

  2. Set up iptables rules: Here are the iptables commands you would use:

    First, flush (delete) all existing rules:

    sudo iptables -F
    

    Then, set the default policy to ACCEPT for all chains:

    sudo iptables -P INPUT ACCEPT
    sudo iptables -P OUTPUT ACCEPT
    sudo iptables -P FORWARD ACCEPT
    

    Now, to enable NAT (Network Address Translation) so that your internal networks can share the external IP address, you’d use a rule like this:

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    

    To forward incoming web traffic on port 443 to port 5656:

    sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.6.100:5656
    

    To allow internal communication on port 3136:

    # Traffic between the two internal segments passes through the router, so it is
    # matched in the FORWARD chain (INPUT only sees packets addressed to the router itself).
    sudo iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 3136 -j ACCEPT
    sudo iptables -A FORWARD -i eth2 -o eth1 -p tcp --dport 3136 -j ACCEPT
    

    Note that this is a very basic setup, and in a real-world scenario, you’d probably want to tighten up the security settings considerably. You should limit which IPs can connect to certain ports, drop invalid packets, etc.

  3. Configure routing: If your Linux box doesn’t know how to route packets between your networks, you may need to add static routes. You can add routes with the route command. However, in your case, since all the subnets are directly connected to your Linux box, routing should not be required.

Best,

Bobby
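A tightened version of the same setup for the three-interface topology in the question, added here as an example and not Bobby's script: default-deny policies, connection tracking, the 443 to 5656 DNAT paired with the FORWARD rule it needs, and port 3136 restricted to the two internal segments. Interface names, addresses and ports are taken from the question; `DRY_RUN=1` and the `ipt` wrapper are assumed conveniences that print the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original thread). Topology taken from the question:
# eth0 = outside (192.168.5.1), eth1 = 192.168.6.0/24 (web/SSH host 192.168.6.100),
# eth2 = 192.168.7.0/24 (developer hosts). Ports 5656 and 3136 are also from the question.
WAN=eth0
LAN1=eth1
LAN2=eth2
WEB=192.168.6.100

# Assumed helper: with DRY_RUN=1 the rules are printed instead of applied.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}
apply_firewall() {
    # Start clean, then default-deny: only explicitly allowed traffic passes.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Router itself: loopback and replies only; add your management rule (e.g. SSH from eth2) here.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Forwarded traffic: drop malformed packets, let replies to tracked flows through.
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Both internal segments may reach the outside, NATed behind eth0.
    ipt -A FORWARD -i "$LAN1" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$LAN2" -o "$WAN" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Published web server: rewrite 443 -> 5656, then allow only that rewritten flow.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 443 -j DNAT --to-destination "$WEB:5656"
    ipt -A FORWARD -i "$WAN" -o "$LAN1" -p tcp -d "$WEB" --dport 5656 -m conntrack --ctstate NEW -j ACCEPT

    # Port 3136 only between the two internal segments; nothing arriving on eth0 matches these.
    ipt -A FORWARD -i "$LAN2" -o "$LAN1" -p tcp --dport 3136 -j ACCEPT
    ipt -A FORWARD -i "$LAN1" -o "$LAN2" -p tcp --dport 3136 -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Run it as `DRY_RUN=1 sh firewall.sh apply` first to review the generated rule list, then without `DRY_RUN` as root to apply it.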
