Oleg Shushkovsky
Guest
Hello!
I'm new to Linux and need help configuring iptables for my home server
(sorry for my English, I'm from Ukraine).
I have a server at home with Proxmox 2 and 3 VMs:
xx.xx.xx.xx - incoming net on eth1
192.168.0.1 - local net on eth0 with bridge vmbr2, with 1 PC, 1 media player and a WiFi router connected
VM 1 - 192.168.0.150 - home web server
VM 2 - 192.168.0.200 - Win XP
VM 3 - 192.168.0.250 - FreeNAS
I need to configure iptables for:
internet access for all of my local network, including the VMs
SSH and Proxmox ports (default) for my server
redirect port 80 to 192.168.0.150 (home web server)
based on these rules I will create redirect rules for the mail server and the other VMs, PC and MP
basic firewall security to drop all hackers and log it
Can anybody write these rules for me? I really need help, I don't understand how to do it. The rules I have written do some of what I need, but my web server sees incoming connections with my public IP, while I need to see the real client IP, and my firewall is insecure. These are my rules from iptables.up.rules:
Code:
# Generated by iptables-save v1.4.8 on Wed Jun 27 09:13:27 2012
*nat
:PREROUTING ACCEPT [4288:345373]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [16:1118]
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 27016 -j DNAT --to-destination 192.168.0.200
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.200
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 9091 -j DNAT --to-destination 192.168.0.250
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.0.250
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 9090 -j DNAT --to-destination 192.168.0.250
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.150
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.150
-A POSTROUTING -d 192.168.0.150/32 -p tcp -m tcp --dport 143 -j SNAT --to-source xxx.xxx.xxx.xxx
-A POSTROUTING -d 192.168.0.150/32 -p tcp -m tcp --dport 80 -j SNAT --to-source xxx.xxx.xxx.xxx
-A POSTROUTING -d 192.168.0.200/32 -p udp -m udp --dport 27016 -j SNAT --to-source xxx.xxx.xxx.xxx
-A POSTROUTING -d 192.168.0.200/32 -p tcp -m tcp --dport 3389 -j SNAT --to-source xxx.xxx.xxx.xxx
-A POSTROUTING -d 192.168.0.250/32 -p tcp -m tcp --dport 9091 -j SNAT --to-source xxx.xxx.xxx.xxx
-A POSTROUTING -d 192.168.0.250/32 -p tcp -m tcp --dport 51413 -j SNAT --to-source xxx.xxx.xxx.xxx
-A POSTROUTING -d 192.168.0.250/32 -p tcp -m tcp --dport 9090 -j SNAT --to-source xxx.xxx.xxx.xxx
-A POSTROUTING -d 192.168.0.150/32 -p tcp -m tcp --dport 25 -j SNAT --to-source xxx.xxx.xxx.xxx
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -d 192.168.0.150/32 -p tcp -m tcp --dport 110 -j SNAT --to-source xxx.xxx.xxx.xxx
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.0.150
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.150
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 27016 -j DNAT --to-destination 192.168.0.200
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.200
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 9091 -j DNAT --to-destination 192.168.0.250
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.0.250
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 9090 -j DNAT --to-destination 192.168.0.250
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.150
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.150
COMMIT
# Completed on Wed Jun 27 09:13:27 2012
# Generated by iptables-save v1.4.8 on Wed Jun 27 09:13:27 2012
*mangle
:PREROUTING ACCEPT [26186:8926783]
:INPUT ACCEPT [479:42388]
:FORWARD ACCEPT [25707:8884395]
:OUTPUT ACCEPT [425:67758]
:POSTROUTING ACCEPT [26132:8952153]
COMMIT
# Completed on Wed Jun 27 09:13:27 2012
# Generated by iptables-save v1.4.8 on Wed Jun 27 09:13:27 2012
*filter
:INPUT ACCEPT [479:42388]
:FORWARD ACCEPT [4983:402489]
:OUTPUT ACCEPT [425:67758]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Wed Jun 27 09:13:27 2012
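The reason the web server sees the firewall's public address is visible in the posted nat table: every DNAT is paired with an unrestricted POSTROUTING SNAT, so the source of all forwarded connections (including those from the Internet) is rewritten to the public IP. SNAT is only needed for the hairpin case (LAN hosts reaching the public address), and limiting it to LAN sources keeps the real client IP for everyone else. The following script, an added example and not the poster's configuration, generates a corrected iptables-restore ruleset for the layout described above: DNAT without global SNAT for the web server, masquerading restricted to the WAN interface, default DROP on INPUT and FORWARD, and a rate-limited LOG before dropping. Assumed values (all overridable through environment variables): eth1 as WAN, vmbr2 as the LAN interface (on Proxmox the bridge, not the enslaved eth0, is normally the routed interface), 203.0.113.10 as a placeholder public IP, 8006 as the Proxmox GUI port, and the LAN addresses from the post.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for the post's layout.
# All values below are assumptions; override them via the environment.
WAN_IF="${WAN_IF:-eth1}"                 # internet-facing interface (post: eth1)
LAN_IF="${LAN_IF:-vmbr2}"                # LAN interface; the bridge, not eth0, on Proxmox
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # constructed placeholder (the post redacts the real one)
WEB_IP="${WEB_IP:-192.168.0.150}"        # home web server VM from the post
PVE_PORT="${PVE_PORT:-8006}"             # Proxmox web GUI default port

gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forward from the Internet: rewrite only the destination, so the VM
# logs the real client address.
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination $WEB_IP
# Hairpin: LAN hosts connecting to the public IP need the same DNAT ...
-A PREROUTING -i $LAN_IF -d $PUBLIC_IP/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination $WEB_IP
# ... plus SNAT so replies return via the firewall. Restricting SNAT to LAN
# sources is what stops Internet clients from appearing as the public IP.
-A POSTROUTING -s $LAN_NET -d $WEB_IP/32 -p tcp -m tcp --dport 80 -j SNAT --to-source $PUBLIC_IP
# Masquerade only traffic leaving through the WAN interface, never LAN-bound traffic.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Log at a bounded rate (so an attacker cannot flood the log), then drop.
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
# SSH from the Internet, rate-limited to slow down password guessing.
-A INPUT -i $WAN_IF -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 5 -j ACCEPT
# Proxmox GUI as requested in the post; restricting this to the LAN or a VPN is safer.
-A INPUT -i $WAN_IF -p tcp -m tcp --dport $PVE_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN (including the VMs on the bridge) out to the Internet.
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# Only the DNATed web port may enter from the WAN side.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_IP/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Hairpin path: LAN client to the web VM via the public IP.
-A FORWARD -i $LAN_IF -o $LAN_IF -d $WEB_IP/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# Sanity check: every SNAT rule must be limited to LAN sources; an unrestricted
# SNAT would reintroduce the problem from the post. Returns 0 when it passes.
check_no_global_snat() {
    ! gen_rules | grep -- '-j SNAT' | grep -qv -- "-s $LAN_NET"
}

gen_rules
```

Usage: review the output, then load it with `iptables-restore < file` (keep a console session open in case the INPUT policy locks you out) and make sure `net.ipv4.ip_forward=1` is set, otherwise nothing is forwarded regardless of the FORWARD rules. Further port forwards (mail, RDP, FreeNAS) follow the same pattern: one DNAT per port on the WAN side, one matching FORWARD accept, and SNAT only for the hairpin case.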