# IPTABLES - Allow Internal HOST with Public IP through Firewall



## redmondmj (Jun 30, 2008)

Hello:

I am new to IPTABLES. I have set up an Ubuntu 8.04 Server running
ebox. It is running DHCP (192.168.1.0-250), NAT, DNS, and a Squid
Transparent Proxy. All of the firewall rules were configured using
ebox's firewall module.

Basic setup:
Eth0 - external interface 12.32.12.2 (GW 12.32.12.1) - Internet

Eth1 - internal Interface 192.168.1.254

I have a host on the internal network that I need to assign a public
IP to allow unrestricted access to the internet. 12.32.12.3...

I have been told that ebox cannot configure this for me, and I have no
idea what I'm doing in IPTABLES. From what I have read, it looks like I
should be able to set up something in PREROUTING and POSTROUTING to
allow me to do this?

Any help would be greatly appreciated!!!

Thanks,


----------



## wmorri (May 29, 2008)

Welcome to TSF!! Sorry that it took me so long to get to this post; I have been trying to come up with the best answer for you. Since I haven't done a whole lot with the server itself, it looks like your best bet is to look at these two pages: eBox, Iptables. They will have the most information for you as to how to set up your firewall.

If you have any other problems with setting it up just let us know and we will try to figure them out quicker.

Cheers!


----------



## lensman3 (Oct 19, 2007)

The NAT will be similar to the following. This statement allows all my internal machines to NAT to the Internet.

```sh
## Static IP address ##
# Everything from the internal network that leaves the external interface
# is rewritten to the firewall's single public address (source NAT).
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -s $INTERNAL_NET1 -j SNAT --to-source $EXT_IP
```

The other part is the following, which is for SKYPE, but your internal box will be similar:
SKYPE uses port 10971. Note that both UDP and TCP packets have to be permitted.

```sh
SKYPE="10971"

# Only install the port forward when a port is configured.
if [ "$SKYPE" != "" ] ; then
    # Packets arriving on the external interface for the public IP on the
    # Skype port get their destination rewritten to the internal machine
    # before the routing decision (DNAT), once for TCP and once for UDP.
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp --sport 1024:65535 -d $EXT_IP --dport $SKYPE -j DNAT --to-destination 192.168.xxx.yy:$SKYPE
    $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p udp --sport 1024:65535 -d $EXT_IP --dport $SKYPE -j DNAT --to-destination 192.168.xx.yy:$SKYPE
fi
```

I also have a permit rule for Skype to allow "new" connections, and it is below.

For me this requires rules in two places: 1) allow "new" connections from the internet to be forwarded to the internal machine, AND 2) the rule that tells iptables what to do with the connections, i.e. send them to the internal machine.

```sh
if [ "$SKYPE" != "" ] ; then
    # OK-Pass is a user-defined chain that the FORWARD chain jumps to.
    # Filtering happens after the DNAT above, so the rule matches the
    # internal (post-NAT) address, not the public one.
    ${IPTABLES} -A OK-Pass -i ${EXTERNAL} -o ${INTERNAL} -p tcp --sport 1024:65535 -d 192.168.200.10 --dport $SKYPE -m state --state NEW -j ACCEPT
    ${IPTABLES} -A OK-Pass -i ${EXTERNAL} -o ${INTERNAL} -p udp --sport 1024:65535 -d 192.168.200.10 --dport $SKYPE -m state --state NEW -j ACCEPT
fi
```


The rule that actually takes care of most "established" connections is:

```sh
## ACCEPT packets which are related to an established connection.
# INETIN is a user-defined chain for traffic coming in from the external
# interface; connection tracking lets replies through without per-port rules.
${IPTABLES} -A INETIN -i $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
```

This rule is very early in my iptables, since any connection that has already been "blessed" and OKed is quickly passed in to my network. It is only the "new" connections that get heavily scrutinised.

(My firewall is 918 lines long. I block most of South America, Eastern Europe, Asia and most of Africa. I block access both into and out of my network.) If you are interested I'll email you my script if you contact me via my profile.
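The question asks for a 1:1 (static) NAT rather than a single port forward: everything sent to 12.32.12.3 should reach the internal host, and the host's own traffic should leave as 12.32.12.3 instead of the shared 12.32.12.2. The script below is an added example written for this thread; it is not lensman3's script and not something ebox generates. It uses the interfaces and addresses from the question and assumes the internal host is 192.168.1.10 (a placeholder) and that ebox's own SNAT/MASQUERADE and Squid REDIRECT rules are already in the nat table. It prints the commands rather than executing them, so the rule set can be reviewed before it is piped to a root shell on the firewall.

```sh
#!/bin/sh
# Added example for this thread (not lensman3's or ebox's script): 1:1 NAT
# for one internal host. Addresses from the question; 192.168.1.10 is an
# assumed address for the internal host.

EXTERNAL=eth0              # internet-facing interface, 12.32.12.2
INTERNAL=eth1              # LAN interface, 192.168.1.254
PUBLIC_IP=12.32.12.3       # spare public address dedicated to the host
HOST_IP=192.168.1.10       # assumed LAN address of that host

# one_to_one_nat_rules [port ...]
# Prints the iptables commands. With no ports, every inbound connection to
# 12.32.12.3 is allowed (the "unrestricted" case); with a port list, only
# NEW connections to those TCP/UDP ports are forwarded in.
one_to_one_nat_rules() {
    # The firewall must own 12.32.12.3 on eth0 so it answers ARP for it;
    # otherwise the upstream router (12.32.12.1) has nowhere to send packets.
    echo "ip addr add $PUBLIC_IP/32 dev $EXTERNAL"

    # Inbound half (PREROUTING): rewrite the destination before routing.
    # No -p/--dport, so every protocol and port is mapped, not one service.
    echo "iptables -t nat -I PREROUTING 1 -i $EXTERNAL -d $PUBLIC_IP -j DNAT --to-destination $HOST_IP"

    # ACCEPT in the nat table ends nat processing for this connection, so
    # ebox's transparent-proxy REDIRECT on eth1 no longer captures the
    # host's port-80 traffic. Drop this line if the proxy should still apply.
    echo "iptables -t nat -I PREROUTING 1 -i $INTERNAL -s $HOST_IP -j ACCEPT"

    # Outbound half (POSTROUTING): the host leaves as 12.32.12.3. Position 1
    # puts it ahead of ebox's catch-all SNAT for 192.168.1.0/24, which would
    # otherwise rewrite it to 12.32.12.2.
    echo "iptables -t nat -I POSTROUTING 1 -o $EXTERNAL -s $HOST_IP -j SNAT --to-source $PUBLIC_IP"

    # NAT only rewrites addresses; FORWARD must still let the packets pass.
    # Replies to tracked connections first, then the host's own new ones.
    echo "iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -I FORWARD 2 -i $INTERNAL -o $EXTERNAL -s $HOST_IP -m state --state NEW -j ACCEPT"

    # Inbound NEW connections. FORWARD sees the post-DNAT address, so match
    # on 192.168.1.10, not on 12.32.12.3 (same as lensman3's OK-Pass rules).
    if [ $# -eq 0 ]; then
        # Whole host exposed: every listening service becomes reachable.
        echo "iptables -I FORWARD 3 -i $EXTERNAL -o $INTERNAL -d $HOST_IP -m state --state NEW -j ACCEPT"
    else
        pos=3
        for port in "$@"; do
            for proto in tcp udp; do
                echo "iptables -I FORWARD $pos -i $EXTERNAL -o $INTERNAL -d $HOST_IP -p $proto --dport $port -m state --state NEW -j ACCEPT"
                pos=$((pos + 1))
            done
        done
    fi
}

# Quick sanity check on the generated set: number of nat-table rules.
count_nat_rules() {
    one_to_one_nat_rules | grep -c 'iptables -t nat'
}

# Usage:  sh onetoone.sh            | sudo sh     (everything in)
#         sh onetoone.sh 22 443     | sudo sh     (only SSH and HTTPS in)
one_to_one_nat_rules "$@"
```

After loading the rules, confirm the order with `iptables -t nat -L -n -v --line-numbers` and `iptables -L FORWARD -n -v --line-numbers`: the host-specific SNAT must sit above ebox's general SNAT or the host will still appear as 12.32.12.2. Because ebox rewrites its rule set from its own configuration, rules added by hand are lost when it reloads, so keep this script somewhere it runs after ebox, for example from a `post-up` line on eth0 in /etc/network/interfaces. With no port list the internal host is as exposed as if it were plugged straight into the Internet, so it needs its own host firewall and patching discipline.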


----------

