Hi everyone, I'm kind of new to iptables but I have read a lot on the matter. I would like to know if my iptables rules are right. I will show you and explain how my network is organised.
NETWORK
Modem (ADSL) -- Dlink router -- Apache web server, with comp1 and comp2 also attached to the router.
Dlink router IP address: 192.168.0.1
Comp1 IP address: 192.168.0.15
Comp2 IP address: 192.168.0.16
Web server IP address (Debian): 192.168.0.130
CASE:
- My router forwards all requests made on ports 80 and 443 to the web server (192.168.0.130). I would like to accept on the web server only those 2 kinds of request coming from the router (even if the router only sends those).
- Only the 2 computers can connect to the web server via SSH (22).
- Another thing that would be nice is to use the mangle table to put a priority on all requests coming from ports 80 and 443. But I think this kind of rule should be made on the router...
SCRIPT
######################################################################
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT

echo 0 > /proc/sys/net/ipv4/ip_forward

####### LOCALHOST #######
iptables -t filter -A OUTPUT -o lo -p all -j ACCEPT
iptables -t filter -A INPUT -i lo -p all -j ACCEPT

####### LAN #######
# Network
iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.130 -d 192.168.0.15 -p all --sport 22 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.0.15 -d 192.168.0.130 -p all --sport 22 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.130 -d 192.168.0.16 -p all --sport 22 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.0.16 -d 192.168.0.130 -p all --sport 22 -j ACCEPT

# broadcast (maybe it's not a good idea)
#iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.130 -d 192.168.0.255 -p all -j ACCEPT
#iptables -t filter -A INPUT -i eth0 -s 192.168.0.255 -d 192.168.0.130 -p all -j ACCEPT

####### INTERNET #######
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

iptables -t filter -A OUTPUT -o eth0 -s 192.168.0.30 -d 192.168.0.1 -p all --sport 80, 443 -m state --state ! INVALID -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 192.168.0.30 -d 192.168.0.1 -p all --sport 80, 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
######################################################################
But when I use this script, my website is down. I'm new to this so maybe I made some huge mistake hehe.
Any help would be appreciated, ty.
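A corrected rule set for the setup described above, as an added example rather than the poster's script: it matches the destination port of incoming web and SSH connections instead of --sport (a client's source port is ephemeral, so the original --sport 80, 443 and --sport 22 rules never match), uses conntrack for return traffic, and limits SSH to the two workstations. It assumes the LAN interface is eth0 and legacy iptables; IPT is an assumed variable so the function can be dry-run with IPT=echo.

```shell
#!/bin/sh
# Added example for 192.168.0.130; not the original poster's script.
# Assumptions: LAN interface eth0, legacy iptables; IPT is an assumed
# variable so apply_rules can be dry-run with IPT=echo.
IPT="${IPT:-iptables}"
WEB=192.168.0.130
ADMINS="192.168.0.15 192.168.0.16"

apply_rules() {
    # Reset the filter table; default to DROP on every chain.
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Drop what conntrack cannot classify, then let replies through in
    # both directions; this replaces the per-port --sport rules, which
    # never matched because a client's source port is ephemeral.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # HTTP/HTTPS: match the destination port. Do not add -s 192.168.0.1:
    # a DNAT port forward keeps the remote client's source address.
    $IPT -A INPUT -i eth0 -d "$WEB" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # SSH: new connections only from the two workstations.
    for a in $ADMINS; do
        $IPT -A INPUT -i eth0 -s "$a" -d "$WEB" -p tcp --dport 22 \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # Log (rate-limited) what falls through to the DROP policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ipt-drop: "
}

# Run with --apply to load the rules; without it nothing is changed.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it once with IPT=echo to review the generated commands before applying them from a console session, so a mistake cannot lock you out of SSH.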