Iptables configuration

  • Thread starter Oleg Shushkovsky

Oleg Shushkovsky (Guest)
Hello!
I'm new to Linux and need help configuring iptables for my home server
(sorry for my English, I'm from Ukraine).
I have a server at home with Proxmox 2 and 3 VMs:
xx.xx.xx.xx - incoming net on eth1
192.168.0.1 - local net on eth0 with bridge vmbr2, with 1 PC, 1 media player and a wifi router connected
1 VM - 192.168.0.150 - home web server
2 VM - 192.168.0.200 - Win XP
3 VM - 192.168.0.250 - FreeNAS
I need to configure iptables for:
internet access for my whole local network, including the VMs
ssh and Proxmox ports (default) for my server
redirect port 80 to 192.168.0.150 - home web server
based on these rules I will create redirect rules for the mail server and the other VMs, PC and MP
basic firewall security to drop all hackers and log them
Can anybody write these rules for me? I really need help, I don't understand how to do it. The rules I have written do some of what I need, but my web server sees incoming connections coming from my public IP, and I need to see the real client IP, and my firewall is insecure. These are my rules from iptables.up.rules:
Code:
# Generated by iptables-save v1.4.8 on Wed Jun 27 09:13:27 2012
*nat
:PREROUTING ACCEPT [4288:345373]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [16:1118]
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.0.150 
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.150 
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 27016 -j DNAT --to-destination 192.168.0.200 
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.200 
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 9091 -j DNAT --to-destination 192.168.0.250 
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.0.250 
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 9090 -j DNAT --to-destination 192.168.0.250 
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.150 
-A PREROUTING -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.150 
-A POSTROUTING -d 192.168.0.150/32 -p tcp -m tcp --dport 143 -j SNAT --to-source xxx.xxx.xxx.xxx 
-A POSTROUTING -d 192.168.0.150/32 -p tcp -m tcp --dport 80 -j SNAT --to-source xxx.xxx.xxx.xxx 
-A POSTROUTING -d 192.168.0.200/32 -p udp -m udp --dport 27016 -j SNAT --to-source xxx.xxx.xxx.xxx 
-A POSTROUTING -d 192.168.0.200/32 -p tcp -m tcp --dport 3389 -j SNAT --to-source xxx.xxx.xxx.xxx 
-A POSTROUTING -d 192.168.0.250/32 -p tcp -m tcp --dport 9091 -j SNAT --to-source xxx.xxx.xxx.xxx 
-A POSTROUTING -d 192.168.0.250/32 -p tcp -m tcp --dport 51413 -j SNAT --to-source xxx.xxx.xxx.xxx 
-A POSTROUTING -d 192.168.0.250/32 -p tcp -m tcp --dport 9090 -j SNAT --to-source xxx.xxx.xxx.xxx 
-A POSTROUTING -d 192.168.0.150/32 -p tcp -m tcp --dport 25 -j SNAT --to-source xxx.xxx.xxx.xxx 
-A POSTROUTING -j MASQUERADE 
-A POSTROUTING -d 192.168.0.150/32 -p tcp -m tcp --dport 110 -j SNAT --to-source xxx.xxx.xxx.xxx 
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.0.150 
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.150 
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 27016 -j DNAT --to-destination 192.168.0.200 
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.200 
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 9091 -j DNAT --to-destination 192.168.0.250 
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 51413 -j DNAT --to-destination 192.168.0.250 
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 9090 -j DNAT --to-destination 192.168.0.250 
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.150 
-A OUTPUT -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.150 
COMMIT
# Completed on Wed Jun 27 09:13:27 2012
# Generated by iptables-save v1.4.8 on Wed Jun 27 09:13:27 2012
*mangle
:PREROUTING ACCEPT [26186:8926783]
:INPUT ACCEPT [479:42388]
:FORWARD ACCEPT [25707:8884395]
:OUTPUT ACCEPT [425:67758]
:POSTROUTING ACCEPT [26132:8952153]
COMMIT
# Completed on Wed Jun 27 09:13:27 2012
# Generated by iptables-save v1.4.8 on Wed Jun 27 09:13:27 2012
*filter
:INPUT ACCEPT [479:42388]
:FORWARD ACCEPT [4983:402489]
:OUTPUT ACCEPT [425:67758]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.0.0/24 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT 
COMMIT
# Completed on Wed Jun 27 09:13:27 2012
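A corrected ruleset for the setup described in the post, as an added example that is not part of the original thread and not Proxmox's own code. It assumes the names given above (eth1 toward the internet, the LAN bridge vmbr2 that carries eth0, the three VM addresses) and uses the placeholder public address 203.0.113.10, which has to be replaced. Two things in the posted rules explain why the web server sees the gateway's address rather than the client's: the per-port SNAT rules in POSTROUTING rewrite the source of every forwarded connection, and the bare `-A POSTROUTING -j MASQUERADE` has no `-o eth1`, so it also masquerades the DNAT'd packets on their way into the LAN. The generator below restricts source rewriting to LAN-to-internet traffic and to the hairpin case (LAN clients connecting to the public address), so internet clients keep their real address. It also sets DROP policies on INPUT and FORWARD with rate-limited logging, which the posted filter table lacks, and matches on the bridge rather than eth0: on a Proxmox host the routed LAN packets enter on vmbr2, so the posted `-i eth0` FORWARD rule never matches. The Proxmox VE 2 web interface port is 8006; exposing it to the internet is left in as the post asked for it, with a note that a VPN or SSH tunnel is the safer choice.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): generates an iptables-restore
# file for the gateway in the post. Names are assumptions taken from the post; the
# public address is a placeholder that must be replaced.
WAN_IF="eth1"              # interface holding the public address
LAN_IF="vmbr2"             # the bridge, not eth0: routed LAN packets enter on the bridge
LAN_NET="192.168.0.0/24"
PUBLIC_IP="203.0.113.10"   # placeholder (TEST-NET-3)
WEB="192.168.0.150"
WINXP="192.168.0.200"
NAS="192.168.0.250"

# Port forwards from the post as "proto port target", one per line.
FORWARDS="tcp 80 $WEB
tcp 25 $WEB
tcp 110 $WEB
tcp 143 $WEB
udp 27016 $WINXP
tcp 3389 $WINXP
tcp 9090 $NAS
tcp 9091 $NAS
tcp 51413 $NAS"

# nat table: one DNAT per forward.
nat_forwards() {
    echo "$FORWARDS" | while read -r proto port target; do
        echo "-A PREROUTING -d $PUBLIC_IP/32 -p $proto --dport $port -j DNAT --to-destination $target"
    done
}

# filter table: accept only the forwarded ports, only from the internet side.
filter_forwards() {
    echo "$FORWARDS" | while read -r proto port target; do
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $target -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Print the complete iptables-restore file to stdout.
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    nat_forwards
    cat <<EOF
# Rewrite the source only where the reply would otherwise bypass the NAT: hairpin
# (LAN client -> public address -> VM), and LAN/VM traffic leaving to the internet.
# The -o $WAN_IF restriction keeps the real client address on DNAT'd packets.
-A POSTROUTING -s $LAN_NET -d $LAN_NET -j MASQUERADE
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 4/minute --limit-burst 8 -j ACCEPT
# Proxmox VE 2 web interface; safer to drop this line and reach 8006 over an SSH tunnel or VPN.
-A INPUT -i $WAN_IF -p tcp --dport 8006 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-INPUT-DROP: "
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# hairpin, and bridged PC<->VM traffic if bridge-nf-call-iptables is enabled
-A FORWARD -i $LAN_IF -o $LAN_IF -j ACCEPT
EOF
    filter_forwards
    cat <<EOF
-A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FW-FORWARD-DROP: "
COMMIT
EOF
}

# Checks run before applying: the posted ruleset lost the client address through
# per-port SNAT plus an unrestricted MASQUERADE, so neither may appear here.
count_source_rewrites() {
    build_rules | grep -cE -- '-j SNAT|^-A POSTROUTING -j MASQUERADE' || true
}
count_dnat() {
    build_rules | grep -cE -- '^-A PREROUTING .*-j DNAT' || true
}

# Load atomically (iptables-restore commits every table or nothing) and save it
# to the file the post already loads at boot.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules | iptables-restore
    build_rules > /etc/iptables.up.rules
}

case "${1:-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
esac
```

`sh fw.sh show` prints the generated file for review; `sh fw.sh apply` as root loads it. Because iptables-restore commits all tables or nothing, a typo leaves the old rules in place rather than a half-loaded set. To confirm the client-address fix, connect from outside and watch the web server's access log; dropped packets show up in `dmesg` with the `FW-INPUT-DROP` and `FW-FORWARD-DROP` prefixes. Keep an out-of-band way in (console, or a cron job that flushes the rules after a few minutes until the set is confirmed) before applying a DROP policy on a remote host.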
 
Thanks mmenaz. But I need help to configure iptables. I cannot learn another firewall...
 
That's what mmenaz tried to tell you. Shorewall helps to configure iptables.
 