Restricting Internal Users Ports

I am attempting to setup an internal network on my Ubuntu machine. I
have taken a look at the various iptables rules and believe I have a
rather complex setup. I need to use IP Masquerading for the internal
network, but I only want the internal users to be able to use SSH (port
22). Once the users are connected, I want them to be able to access
any established port so that I can use SSH tunneling for web/mail
access to the external network. The main reason behind this is I will
be using a wireless network and wish to use SSH in addition to the
standard WAP protection, because I have "snoopers" in my neighborhood.
For the IP Masquerading, I have used:
iptables --table nat --append POSTROUTING --jump MASQUERADE --source
192.168.0.0/24

I am thinking that before this line I need to use:
iptables -A INPUT -i eth1 -s 192.168.0.0/24 --dport 22 -j ACCEPT

My external device is eth0, and my internal device is eth1. Any help
would be appreciated. Thank you.

 

If you want to use an encrypted internal network, you need a VPN. You
cannot just use port 22 for any traffic such as web, mail aso except you
first connect to your router with ssh, but i don't think it is what you
want.

To forward traffic from inside to outside you need the following rules:

iptables -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT

Eric

 

What I was going to do was allow anyone on the internal network
(wireless router) to only be able to connect to port 22. That way the
user can login remotely via SSH and setup tunneling from there. I
suppose it would be like a VPN. I would need the firewall to restrict
incoming ports to port 22, but allow any established outgoing ports so
say for instance POP could be tunnelled over SSH. This way a user
would only be able to connect to port 22, but could still get to other
services once they were connected. As I understand it, with the
masquerading rules above, it's forward all or nothing. No choice on
what traffic passes through the internal interface.

Thanks.

 

Do you have a tunnel server running on your router? If so you don't need
any postrouting or forwarding rules, because your tunnel server should
handle the traffic. In this case yhou only need input/output rules set up.
If not, there is another way to do it, use a VPN, then you can postroute
and forward your internal traffic using the vpn network devices (i.E.
vpn0 instead of eth1) in your firewalll configuration.

If your clients just connect to the ssh2 deamon, it wont work as you
wish. The ssh deamon does not know how to handle your traffic such as
POP or WWW aso.

Eric