LuckyPhoenix365 Posted February 18, 2013

Hi Guys

I'm having a go at setting up an internet gateway myself. My configuration seems to work fine, but I was just curious if I'd done anything obviously stupid or omitted something important? The main thing I was going for is that nothing should be incoming other than ftp, http and https to 10.0.0.24, and that the box should provide normal internet access for all the computers on my LAN. eth0 is my connection to the internet and eth1 is my LAN.

Thanks

# Generated by iptables-save v1.4.12 on Mon Feb 18 12:28:57 2013
*filter
:INPUT ACCEPT [986:236399]
:FORWARD ACCEPT [61:9702]
:OUTPUT ACCEPT [1446:199609]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A FORWARD -d 10.0.0.24/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 10.0.0.24/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 10.0.0.24/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
# Completed on Mon Feb 18 12:28:57 2013
# Generated by iptables-save v1.4.12 on Mon Feb 18 12:28:57 2013
*nat
:PREROUTING ACCEPT [7085:1080699]
:INPUT ACCEPT [215:56651]
:OUTPUT ACCEPT [1349:87741]
:POSTROUTING ACCEPT [53:3236]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.24:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.24:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.0.24:21
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Feb 18 12:28:57 2013
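An added example, not part of LuckyPhoenix365's post: a small Python script that parses iptables-save output in the format shown above and flags the things a reviewer would check in a gateway ruleset of this shape. It checks whether INPUT discards WAN traffic before any ESTABLISHED,RELATED accept (which would leave the gateway's own outbound connections without replies), whether the FORWARD policy is ACCEPT (which makes a trailing LOG rule log-and-forward rather than deny), whether every DNAT has a matching FORWARD accept, and notes that a port 21 forward needs the FTP conntrack helper, which a dump cannot show. It assumes eth0 is the WAN side and eth1 the LAN, as in the post, and embeds a constructed hardened counterpart of the posted rules (default-deny INPUT and FORWARD with stateful accepts first; LAN-side access to the gateway itself is an assumption of mine, not something the post asks for) to compare against.

```python
"""Offline review of an iptables-save dump for common gateway mistakes (added
example, not code from the post). Assumes eth0 is WAN and eth1 is LAN."""


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, [args])]}}."""
    tables, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                   # *filter / *nat
            cur = tables[line[1:]] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                 # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A "):               # -A CHAIN <matches> -j TARGET
            parts = line.split()
            cur["rules"].append((parts[1], parts[2:]))
    return tables


def opt(args, flag):
    """Value following a flag such as -i, -d, --dport or -j; None if absent."""
    return args[args.index(flag) + 1] if flag in args[:-1] else None


def accepts_established(args):
    state = opt(args, "--state") or opt(args, "--ctstate") or ""
    return opt(args, "-j") == "ACCEPT" and "ESTABLISHED" in state


def review(dump, wan="eth0"):
    """Return (severity, code, message) findings for one iptables-save dump."""
    t = parse_iptables_save(dump)
    empty = {"policy": {}, "rules": []}
    filt, nat = t.get("filter", empty), t.get("nat", empty)
    inp = [a for c, a in filt["rules"] if c == "INPUT"]
    fwd = [a for c, a in filt["rules"] if c == "FORWARD"]
    out = []
    # (1) If INPUT discards WAN traffic (a "-i wan -j DROP" rule or policy DROP), an
    #     ESTABLISHED,RELATED accept must precede it or the box's own sessions get no replies.
    est = next((i for i, a in enumerate(inp) if accepts_established(a)), None)
    drop = next((i for i, a in enumerate(inp)
                 if opt(a, "-i") == wan and opt(a, "-j") == "DROP"), None)
    if drop is None and filt["policy"].get("INPUT") == "DROP":
        drop = len(inp)                            # the policy is the final DROP
    if drop is not None and (est is None or est > drop):
        out.append(("high", "INPUT_NO_ESTABLISHED",
                    f"INPUT discards {wan} traffic before any ESTABLISHED,RELATED accept"))
    # (2) With FORWARD policy ACCEPT, a trailing LOG (non-terminating) logs and then forwards.
    if filt["policy"].get("FORWARD") == "ACCEPT":
        out.append(("high", "FORWARD_POLICY_ACCEPT",
                    "FORWARD policy is ACCEPT; unmatched traffic is forwarded, not denied"))
    # (3) Every DNAT needs a FORWARD accept for the rewritten destination;
    # (4) port 21 additionally needs the FTP conntrack helper, which no dump shows.
    for chain, a in nat["rules"]:
        if chain != "PREROUTING" or opt(a, "-j") != "DNAT":
            continue
        host, _, port = (opt(a, "--to-destination") or "").partition(":")
        port = port or opt(a, "--dport")
        if not any(opt(f, "-j") == "ACCEPT" and opt(f, "-d") in (host, host + "/32")
                   and opt(f, "--dport") == port for f in fwd):
            out.append(("high", "DNAT_NOT_FORWARDED",
                        f"DNAT to {host}:{port} has no matching FORWARD accept"))
        if port == "21":
            out.append(("info", "FTP_HELPER_NEEDED", "port 21 DNAT: FTP data connections "
                        "need nf_conntrack_ftp/nf_nat_ftp, which a dump cannot show"))
    return out


# Constructed hardened counterpart of the posted rules: default-deny INPUT and
# FORWARD, stateful accepts first, LAN-side access to the gateway assumed wanted.
HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.0.24/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.0.24/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.0.24/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.24:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.24:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.0.24:21
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
```

Save the posted dump to a file and call review(open(path).read()) on it: it reports that INPUT drops all eth0 traffic with no ESTABLISHED,RELATED accept ahead of it, that the FORWARD policy is ACCEPT so the trailing LOG rule logs without denying, and the port 21 helper note; the three DNATs all have matching FORWARD accepts. Run over HARDENED, only the FTP helper note remains. The checker only reads the rules, so it cannot see whether the FTP helper modules are loaded or whether IP forwarding is enabled; those are separate things to verify on the box.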