Restricting Internal Users Ports

Discussion in 'Linux Networking' started by teknoe, Oct 29, 2005.

  1. teknoe

    teknoe Guest

    I am attempting to setup an internal network on my Ubuntu machine. I
    have taken a look at the various iptables rules and believe I have a
    rather complex setup. I need to use IP Masquerading for the internal
    network, but I only want the internal users to be able to use SSH (port
    22). Once the users are connected, I want them to be able to access
    any established port so that I can use SSH tunneling for web/mail
    access to the external network. The main reason behind this is I will
    be using a wireless network and wish to use SSH in addition to the
    standard WAP protection, because I have "snoopers" in my neighborhood.
    For the IP Masquerading, I have used:
    iptables --table nat --append POSTROUTING --jump MASQUERADE --source

    I am thinking that before this line I need to use:
    iptables -A INPUT -i eth1 -s --dport 22 -j ACCEPT

    My external device is eth0, and my internal device is eth1. Any help
    would be appreciated. Thank you.
    teknoe, Oct 29, 2005
    1. Advertisements

  2. teknoe

    Eric Guest

    If you want to use an encrypted internal network, you need a VPN. You
    cannot just use port 22 for any traffic such as web, mail aso except you
    first connect to your router with ssh, but i don't think it is what you

    To forward traffic from inside to outside you need the following rules:

    iptables -A POSTROUTING -s -o eth0 -j MASQUERADE
    iptables -A FORWARD -i eth1 -s -j ACCEPT
    iptables -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT

    Eric, Oct 29, 2005
    1. Advertisements

  3. teknoe

    teknoe Guest

    What I was going to do was allow anyone on the internal network
    (wireless router) to only be able to connect to port 22. That way the
    user can login remotely via SSH and setup tunneling from there. I
    suppose it would be like a VPN. I would need the firewall to restrict
    incoming ports to port 22, but allow any established outgoing ports so
    say for instance POP could be tunnelled over SSH. This way a user
    would only be able to connect to port 22, but could still get to other
    services once they were connected. As I understand it, with the
    masquerading rules above, it's forward all or nothing. No choice on
    what traffic passes through the internal interface.

    teknoe, Oct 29, 2005
  4. teknoe

    Eric Guest

    Do you have a tunnel server running on your router? If so you don't need
    any postrouting or forwarding rules, because your tunnel server should
    handle the traffic. In this case yhou only need input/output rules set up.
    If not, there is another way to do it, use a VPN, then you can postroute
    and forward your internal traffic using the vpn network devices (i.E.
    vpn0 instead of eth1) in your firewalll configuration.

    If your clients just connect to the ssh2 deamon, it wont work as you
    wish. The ssh deamon does not know how to handle your traffic such as
    POP or WWW aso.

    Eric, Oct 30, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.