IPTABLES - Allow Internal HOST with Public IP through Firewall

Hello:

I am new to IPTABLES. I have set up an Ubuntu 8.04 Server running ebox. It is running DHCP (192.168.1.0-250), NAT, DNS, Squid Transparent Proxy. All of the firewall rules were configured using ebox's firewall module.

Basic setup: Eth0 - external interface 12.32.12.2 (GW 12.32.12.1) - Internet

Eth1 - internal Interface 192.168.1.254

I have a host on the internal network that I need to assign a public IP to, to allow unrestricted access to the internet: 12.32.12.3...

I have been told that ebox cannot configure this for me and I have no idea what I'm doing in IPTABLES. From what I have read it looks like I should be able to set up something in PREROUTING and POSTROUTING to allow me to do this?

Any help would be greatly appreciated!!!

Thanks,

redmondmj
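The PREROUTING/POSTROUTING setup the question is asking about is a 1:1 NAT, shown here as an added example that is not part of the thread and is not ebox's own configuration. It uses the interfaces and addresses given in the post (eth0/12.32.12.2 external, eth1/192.168.1.254 internal, spare public address 12.32.12.3); the internal host address 192.168.1.10, the dry-run `run` helper and the rule positions are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: give one internal host a dedicated
# public address with 1:1 NAT (DNAT in PREROUTING, SNAT in POSTROUTING).
# Values from the post: eth0/12.32.12.2 external, eth1/192.168.1.254 internal,
# spare public address 12.32.12.3. The internal host address 192.168.1.10
# is an assumption; the post does not name it.

EXT_IF=eth0
PUB_IP=12.32.12.3        # spare public address dedicated to the host
INT_IF=eth1
HOST_IP=192.168.1.10     # assumed; reserve it in the DHCP server or set it statically

# Dry-run by default: print each command so the rules can be reviewed first.
# APPLY=1 executes them (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

one_to_one_nat() {
    # 1. The firewall must own 12.32.12.3 on the external segment (answer ARP
    #    for it), so add it as a secondary address on eth0.
    run ip addr add "${PUB_IP}/32" dev "${EXT_IF}"

    # 2. Skip the transparent-proxy REDIRECT for this host. ACCEPT in the nat
    #    table ends nat processing for that packet, so it is routed as-is
    #    instead of being handed to Squid. Inserted first to precede the REDIRECT.
    run iptables -t nat -I PREROUTING 1 -i "${INT_IF}" -s "${HOST_IP}" -j ACCEPT

    # 3. Inbound: new connections to the public address are rewritten to the
    #    host before the routing decision. Conntrack reverses this on replies.
    run iptables -t nat -I PREROUTING -i "${EXT_IF}" -d "${PUB_IP}" -j DNAT --to-destination "${HOST_IP}"

    # 4. Outbound: the host's packets leave with 12.32.12.3 as source. Inserted
    #    at position 1 so it wins over the general MASQUERADE/SNAT rule that
    #    covers the rest of 192.168.1.0/24.
    run iptables -t nat -I POSTROUTING 1 -o "${EXT_IF}" -s "${HOST_IP}" -j SNAT --to-source "${PUB_IP}"

    # 5. NAT alone permits nothing; the filter table must let the traffic
    #    through FORWARD. Outbound is unrestricted. Inbound is limited to
    #    replies: a 1:1 NAT host is otherwise reachable on every port from the
    #    Internet, so open individual ports deliberately, e.g.
    #      iptables -I FORWARD -i eth0 -o eth1 -d 192.168.1.10 -p tcp --dport 22 -j ACCEPT
    run iptables -I FORWARD -i "${INT_IF}" -o "${EXT_IF}" -s "${HOST_IP}" -j ACCEPT
    run iptables -I FORWARD -i "${EXT_IF}" -o "${INT_IF}" -d "${HOST_IP}" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

one_to_one_nat
```

Run it once without APPLY to read the six commands it would issue, then `APPLY=1 sh nat.sh` as root and check the result with `iptables -t nat -nvL` and `iptables -nvL FORWARD`. If ebox rewrites its ruleset when its firewall module restarts, these hand-added rules will need to be re-applied afterwards.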

You don't need a public IP address for unrestricted access to the Internet. Who told you such nonsense?

Please describe what exactly you're trying to achieve, and also post your current ruleset.

cu

59cobalt
Ansgar -59cobalt- Wiechers

If you could post the output of a few commands and describe what you want to do, e.g. web client access, then someone can easily tell you the rules.

iptables -nv -L
netstat -nr
ifconfig

Since you are using DHCP you will need to grab the IP address:

EXT=eth0   # whatever your DHCP card is
DHCPIP=`/sbin/ifconfig ${EXT} | grep 'inet addr' | awk -F ':' '{print $2}' | awk '{print $1}'`

Now you can make rules with eth? and ${DHCPIP}.

Are you wanting this computer to route?

Here are a few example rules.

/sbin/iptables -A INPUT -p tcp -d 10.56.32.248 --destination-port 6000 -j DROP

/sbin/iptables -A OUTPUT -p tcp -s 10.56.32.248 --source-port 1024:65535 -d 10.78.109.150 --destination-port 110 -j ACCEPT

/sbin/iptables -A INPUT -p tcp -d 10.56.32.248 --destination-port 1024:65535 -s 10.78.109.150 --source-port 110 -j ACCEPT

spam

After reading the post more carefully I realized what you are trying to do is nonsensical and my brain was trying to make it sensible.

You cannot have a public IP sitting on your internal network. I assume your ISP gave you 4 IPs and you want 1-3 hosts behind this box as a FW/router. This is not going to work, and you probably only need 1 IP. The hosts on your private LAN would get non-routable IPs.

It seems you have DHCP setup for this, which makes it more confusing. Your hosts on your LAN should be in the range for your DHCP server. I don't think I understand what you are doing.

spam

Of course he can, if he's given one by his ISP.

Nonsense. Of course that can be made to work. What gives you the idea you couldn't have public IP addresses on a private network?

cu

59cobalt
Ansgar -59cobalt- Wiechers

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.