 Linux Firewall settings
How can I give access to a client (having IP address 192.168.12.62) to a server (IP: 192.168.2.0) through a Linux firewall PC (IP: 192.168.110.219)? The Linux PC is connected to a LAN having IPs 192.168.110.1-250. Please note that the client (IP: 192.168.12.62) is in another LAN.

ASKED: April 1, 2009  8:55 AM
UPDATED: April 10, 2009  4:31 PM

Answer Wiki:
Well, it appears that you have a situation I wrote about: masquerading is a variant of Network Address Translation (NAT), which can rearrange your IPs in any imaginable (and in a lot of unimaginable) ways... So I really wouldn't suggest manipulating your firewall following some advice from a discussion board; somebody skillful enough has to inspect the firewall configuration in detail and modify it accordingly. Any modifications suggested here will be just speculative and will not help, in the best case, or will ruin your connection (not just your security) in the worst. BR and good luck with a consultant, Petko

Dear Friend, As I could not load the sketch, please refer to this:

    Server IP: 192.168.0.2
        |
    Linux Firewall PC IP: 192.168.11.120
        |
    ==================================== LAN1
        |                      |
    PC1 IP: 192.168.111.118    PC2 IP: 192.168.111.2    (Access from PC1 & PC2 is OK)
        |
    ==================================== LAN2
        |
    PC3 IP: 192.168.2.41    (How to give access for this?)
        |
    ==================================== LAN3
        |
    PC4 IP: 192.168.3.10    (How to give access for this?)

And so on. Now I hope you understand my question. Please reply. Regards, ABDAREVA

Dear Friend, The IPs are as follows.

    SERVER IP = 192.168.0.2
    Linux Firewall IP = 192.168.111.120
    PC#1 IP = 192.168.111.118

Access to the server is possible by putting the IP in Masquerading in the YaST window, adding as follows:

    Source Network = 192.168.111.118
    Protocol = TCP
    Requested IP = 192.168.111.120
    Requested Port = 80
    Redirection: Redirected to Masqueraded IP = 192.168.2.0, Requested Port = 80

But please explain how to give access to view the web pages of the server whose IP = 192.168.0.2 to the clients whose IP addresses are 192.168.2.41 or 192.168.3.10 or 192.168.4.39 or 192.168.12.87. Will be very obliged if you reply in detail. Thanks, ABDAREVA

Well, I surely was not able to read the diagram which resides on your hard disk, so the answer will be quite general...

First, if you don't feel confident in firewall manipulation, better pick a consultant in your location and invite him to do the job. If you don't like the idea of a consultant, make sure you have inspected your current firewall configuration well, at least the FORWARD chain of the filter table (as root, of course):

    root@firewall# iptables -t filter --line-numbers -nvL FORWARD

Probably you'll have a chain policy DROP and a top (or close to the top) rule allowing packets with states "established" and "related":

    Chain FORWARD (policy DROP xxx packets, xxxK bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1    1593K 1703M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    .....

Let the line number of this rule be 1; then your rule will be:

    root@firewall# iptables --table filter --insert FORWARD 2 --source 192.168.2.41 --destination 192.168.2.0 --jump ACCEPT

and so on, for all source addresses of your clients. If you have no related,established rule, just omit the line number:

    root@firewall# iptables --table filter --insert FORWARD --source 192.168.2.41 --destination 192.168.2.0 --jump ACCEPT

This will work if the server IP is really 192.168.2.0; it's unusual to have 0 as the last number of a host IP, but as I already mentioned, you can do almost anything with private IPs. This will work if you have no NAT (network address translation) on the firewall host; if you have, better call somebody familiar with firewalls. This will work if you have no user-defined chains; if you have, follow the advice about a consultant... So, good luck with your firewall. BR, Petko

Dear Petko, Please find herewith the sketch. [image "Typical Network": linked to a local file, not available]

Access to the server is possible from 192.168.110.4.
How to give access to the PC having IP 192.168.2.41?
How to give access to the PC having IP 192.168.3.10?
How to give access to the PC having IP 192.168.4.99?
Please reply. Regards, Abdareva

Hi, I'd rather ask some questions than give an answer... In fact, I can't imagine the network topography from the question; since you can do almost everything with the private range IPs in your LAN, please draw some diagram showing the situation. BR, Petko

=====================

Hmmm. I guess my question here is how you're routing between the subnets on this diagram. Unless you're using netmasks wider than /24 (255.255.255.0) and treating all of the LANs as one bigger subnet, you'd need some sort of routing for any of these LANs to talk to each other. Disable the firewall on both machines (service iptables stop) and confirm that you can communicate. If you can't communicate, fix the routing issue first. Once you can communicate with both firewalls disabled, add rules to iptables to allow the desired traffic.
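The procedure Petko describes (find the RELATED,ESTABLISHED rule's number in the FORWARD listing, then insert one ACCEPT per client directly below it) can be scripted so the insert position is read from the live listing instead of guessed. The script below is an added example, not code from the thread or from the YaST firewall module. It assumes the server is 192.168.0.2 and that the clients only need TCP port 80 (the web pages ABDAREVA mentions); the FORWARD listing it parses is a constructed sample in the same format iptables prints, and the script only prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the thread: generate the per-client FORWARD rules
# Petko's answer describes, placing them right after the RELATED,ESTABLISHED
# rule found in the live listing. Assumptions (not stated on the page):
# the server is 192.168.0.2 and the clients need only TCP port 80.
# This only prints the iptables commands; review them and run them as root.

# Constructed sample of `iptables -t filter --line-numbers -nvL FORWARD`
# output (counters made up), used as the input for the functions below.
SAMPLE_LISTING='Chain FORWARD (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    1593K 1703M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2       10   600 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0'

# Print the rule number of the first ACCEPT rule matching RELATED,ESTABLISHED
# in a FORWARD listing (argument 1); print nothing if there is none.
# Fields: num pkts bytes target ..., so the target is $4.
established_rule_num() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && /RELATED,ESTABLISHED/ { print $1; exit }'
}

# Emit one FORWARD ACCEPT per client, inserted directly after the
# established rule (or at position 1 if the listing has none) so the
# new rules land above any DROP rules that follow.
# Usage: gen_forward_rules "$listing" SERVER_IP CLIENT_IP...
gen_forward_rules() {
    listing=$1
    server=$2
    shift 2
    pos=$(established_rule_num "$listing")
    if [ -n "$pos" ]; then
        pos=$((pos + 1))
    else
        pos=1
    fi
    for client in "$@"; do
        printf 'iptables -t filter -I FORWARD %d -p tcp -s %s -d %s --dport 80 -j ACCEPT\n' \
            "$pos" "$client" "$server"
        pos=$((pos + 1))   # keep the clients in the order given
    done
}

# Stand-alone run on the sample. In real use replace SAMPLE_LISTING with
#   "$(iptables -t filter --line-numbers -nvL FORWARD)"
gen_forward_rules "$SAMPLE_LISTING" 192.168.0.2 192.168.2.41 192.168.3.10 192.168.4.99
```

Two caveats that follow from the thread. If the YaST redirection ABDAREVA describes is in place, that is a DNAT in the nat table's PREROUTING chain, which runs before the filter table's FORWARD chain, so the FORWARD rule has to match the translated destination (the server's real address), not the firewall's address the client connected to. And, as Sds9985 points out, none of these rules matter until the firewall host actually routes between the LANs; check that first, then re-run the listing and watch the pkts counter on the new rule climb while a client loads a page.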
Last Wiki Answer Submitted:  April 10, 2009  4:31 pm  by  Sds9985   400 pts.
All Answer Wiki Contributors:  Sds9985   400 pts. , ABDAREVA   115 pts. , petkoa   3,120 pts.


Discuss This Question:
Moderator Note: Hello ABDAREVA and welcome to IT Knowledge Exchange. I noticed you used all capital letters for your question title, question and even your username. For future questions you may ask, please use normal case – as all capitals makes it difficult to read your question. You want to make it as easy as possible for other members to answer your question. Take care and thanks for your cooperation.
