Linux Firewall settings

Tags:
Firewall management
Firewalls
Linux security
How can I give access to a client (having IP address 192.168.12.62) to a server (IP: 192.168.2.0) through a Linux firewall PC (IP: 192.168.110.219)? The Linux PC is connected to a LAN having IPs 192.168.110.1-250. Please note that the client (IP: 192.168.12.62) is in another LAN.


Well, it appears that you have a situation I wrote about – masquerading is a variant of Network Address Translation (NAT), which can rearrange your IPs in any imaginable (and in a lot of unimaginable) ways…

So I really wouldn’t suggest manipulating your firewall based on some advice from a discussion board – somebody skillful enough has to inspect the firewall configuration in detail and modify it accordingly. Any modifications suggested here will be just speculative and will not help, in the best case – or will ruin your connection (not just your security) in the worst.

BR and good luck with a consultant,

Petko

Dear Friend,
As I could not load the sketch, please refer to this:

Server IP:192.168.0.2
|
|
Linux Firewall PC IP:192.168.11.120
|
|
====================================================LAN1 /
| | |
| | |
PC 1 IP:192.168.111.118 | PC2 IP:192.168.111.2 (Access from PC1 & PC2 is OK)
|
|
=====================================================LAN2
| |
| |
PC 3 IP:192.168.2.41 |
(How to give access for this ?) |
====================================================LAN3
|
|
PC4 IP:192.168.3.10
(How to give access for this ?)

And so on.

Now I hope you understand my question.

Please reply.

Regards.
ABDAREVA

Dear Friend,
The IPs are as follows.
SERVER IP=192.168.0.2
Linux Firewall IP=192.168.111.120
PC#1 IP =192.168.111.118
Access is possible to the server by putting the IP in Masquerading in the YaST window, adding as follows.
Source Network=192.168.111.118
Protocol=TCP
Requested IP=192.168.111.120 Requested Port=80
Redirection Redirected to Masqueraded IP=192.168.2.0 Requested Port=80

But please explain how to give access to view the web pages of the server whose IP=192.168.0.2
by the client whose IP address is
192.168.2.41
OR
192.168.3.10
OR
192.168.4.39
OR
192.168.12.87

Will be very obliged if you reply in details.

Thanks.
ABDAREVA
Well, I surely was not able to read the diagram which resides on your hard disk, so the answer will be quite general…
First, if you don’t feel confident in firewall manipulation, better pick a consultant in your location and invite him to do the job.
If you don’t like the idea of a consultant, make sure you have inspected your current firewall configuration well, at least the FORWARD chain of the filter table (as root, of course):

root@firewall# iptables -t filter --line-numbers -nvL FORWARD

Probably you’ll have a chain policy of DROP and a top (or close to the top) rule allowing packets with states “established” and “related”:

Chain FORWARD (policy DROP xxx packets, xxxK bytes)
num pkts bytes target prot opt in out source destination
1 1593K 1703M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
...

Let the line-number of this rule be 1, then your rule will be:

root@firewall# iptables --table filter --insert FORWARD 2 --source 192.168.2.41 --destination 192.168.2.0 --jump ACCEPT

and so on, for all source addresses of your clients. If you have no RELATED,ESTABLISHED rule, just omit the line number:

root@firewall# iptables --table filter --insert FORWARD --source 192.168.2.41 --destination 192.168.2.0 --jump ACCEPT

This will work if the server IP is really 192.168.2.0 – it’s unusual to have 0 as the last number of a host IP, but as I already mentioned, you can do almost anything with private IPs. This will work if you have no NAT (network address translation) on the firewall host – if you have, better call somebody familiar with firewalls. This will work if you have no user-defined chains – if you have, follow the advice about a consultant…

So, good luck with your firewall.

BR,

Petko
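The FORWARD-chain procedure Petko describes, as an added example that is not code from the thread: it parses the rule listing, finds the slot just below the RELATED,ESTABLISHED rule, and prints one ACCEPT rule per client for review. It assumes the server is 192.168.0.2 (the asker's later posts) and narrows each rule to TCP port 80, since only the server's web pages need to be reachable; Petko's caveats about NAT and user-defined chains still apply.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the output of
#   iptables -t filter --line-numbers -nvL FORWARD
# on stdin and prints the position right after the RELATED,ESTABLISHED
# rule (or 1 when no such rule exists), which is where the per-client
# ACCEPT rules should be inserted.
forward_insert_pos() {
    awk '
        $1 ~ /^[0-9]+$/ && /RELATED,ESTABLISHED/ { print $1 + 1; found = 1; exit }
        END { if (!found) print 1 }
    '
}

# Print one iptables command per client, narrowed to TCP port 80 because
# the asker only needs the server's web pages (assumption: HTTP on 80).
# Usage: gen_forward_rules POS SERVER_IP CLIENT_IP...
# The commands are printed, not run, so they can be reviewed first.
gen_forward_rules() {
    pos=$1
    server=$2
    shift 2
    for client in "$@"; do
        printf 'iptables --table filter --insert FORWARD %s --protocol tcp --source %s --destination %s --dport 80 --jump ACCEPT\n' \
            "$pos" "$client" "$server"
        pos=$((pos + 1))   # later clients go below earlier ones
    done
}

# Constructed sample listing, modelled on the output quoted in the answer.
SAMPLE_LISTING='Chain FORWARD (policy DROP 412 packets, 31K bytes)
num   pkts bytes target prot opt in  out source     destination
1     1593K 1703M ACCEPT all  --  *   *   0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
2        0     0 DROP   all  --  *   *   10.0.0.0/8 0.0.0.0/0'

# Server 192.168.0.2 and client addresses taken from the asker's posts.
main() {
    pos=$(printf '%s\n' "$SAMPLE_LISTING" | forward_insert_pos)
    gen_forward_rules "$pos" 192.168.0.2 192.168.2.41 192.168.3.10 192.168.4.99
}
main
```

Pipe the real `iptables --line-numbers -nvL FORWARD` output into `forward_insert_pos` instead of the sample to get the position for your own chain.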

Dear Petko,
Please find herewith the sketch.
<img src="C:\Documents and Settings\ajalil\Desktop\TYPICAL NETWORK.htm" alt="Typical Network" />

Access to the server is possible from 192.168.110.4.
How to give access to the PC having IP: 192.168.2.41?
How to give access to the PC having IP: 192.168.3.10?
How to give access to the PC having IP: 192.168.4.99?

Please Reply.
Regards.
Abdareva

Hi,

I’d rather ask some questions than give an answer… In fact, I can’t imagine the network topography from the question – since you can do almost everything with the private range IPs in your LAN, please draw some diagram showing the situation.

BR,

Petko

=====================
Hmmm. I guess my question here is how you’re routing between the subnets on this diagram. Unless you’re using netmasks wider than /24 (255.255.255.0) and treating all of the LANs as one bigger subnet, you’d need some sort of routing for any of these LANs to talk to each other. Disable the firewall on both machines (service iptables stop) and confirm that you can communicate. If you can’t communicate, fix the routing issue first. Once you can communicate with both firewalls disabled, add rules to iptables to allow the desired traffic.

  • BrentSheets
    Moderator Note: Hello ABDAREVA and welcome to IT Knowledge Exchange. I noticed you used all capital letters for your question title, question and even your username. For future questions you may ask, please use normal case - as all capitals makes it difficult to read your question. You want to make it as easy as possible for other members to answer your question. Take care and thanks for your cooperation.