- In the router we have iptables:
- Check the default rules (filter table):
iptables -t filter -L
- For the nat table:
iptables -t nat -L -n
- To see the line number of each rule:
iptables -t nat -L -n --line-numbers
- We want to bring up a shell on one machine, hostA (10.9.0.5), using the command:
docker exec -it hostA-10.9.0.5 bash
- We will ping the router at 10.9.0.11
- Now use the telnet command to log in as user seed with password dees
- Copy the four rules from the website:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -P OUTPUT DROP
iptables -P INPUT DROP
- Restore the filter table to its original state with the following commands:
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
- To confirm that you are back to the starting state, run:
iptables -t filter -L -n --line-numbers
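A small added check, not part of the original lab notes: rather than reading the -L listing by eye, parse the output of iptables -S (one "-P CHAIN POLICY" line per built-in chain, then one "-A ..." line per rule) and report whether the filter table is really back to its fresh state, i.e. every policy ACCEPT and no rules left. The two sample outputs embedded below are constructed so the script can be exercised without root or a real router; pass --live on an actual router to check the running table.

```shell
#!/bin/sh
# Added example (not from the lab notes): verify that the filter table is
# "clean" (all policies ACCEPT, no rules) from the output of `iptables -S`.

# Return 0 when the given `iptables -S` text shows a clean table, 1 otherwise.
# Usage: iptables -S | filter_is_clean      or      filter_is_clean "$text"
filter_is_clean() {
    input="${1:-$(cat)}"
    printf '%s\n' "$input" | awk '
        /^-P / { if ($3 != "ACCEPT") bad = 1 }   # a DROP/REJECT policy remains
        /^-A / { bad = 1 }                       # a rule remains in some chain
        END { exit bad ? 1 : 0 }
    '
}

# Print the default policy of one chain from `iptables -S` text.
# Usage: chain_policy FORWARD "$text"
chain_policy() {
    printf '%s\n' "$2" | awk -v c="$1" '$1 == "-P" && $2 == c { print $3 }'
}

# Constructed sample outputs (what `iptables -S` would print). SAMPLE_LOCKED
# is the state after the four website rules; `iptables -S` shows icmp types
# numerically (8 = echo-request, 0 = echo-reply).
SAMPLE_CLEAN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

SAMPLE_LOCKED='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
    # Check the running firewall; needs root on the router.
    if iptables -S | filter_is_clean; then
        echo "filter table is clean"
    else
        echo "filter table still has rules or non-ACCEPT policies"
    fi
fi
```

Run it as `sh check.sh --live` on the router after the restore commands; the functions are also usable directly, e.g. `chain_policy FORWARD "$(iptables -S)"` to confirm the FORWARD policy before and after changing it.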
- Now set the default policy of the FORWARD chain to DROP:
iptables -P FORWARD DROP
- From the machine 10.9.0.5, ping the host 192.168.60.6:
ping 192.168.60.6
- You should not be able to reach it, since we drop everything in FORWARD.
- This is the router; check its interface addresses using the command ip a
- Then add these rules on the router (note that the OUTPUT chain takes -o, the outgoing interface, not -i):
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp --icmp-type echo-reply -j ACCEPT
- From host1 (192.168.60.5), use the command ping 192.168.60.11
- You should not be able to ping the router!
Add these two rules to the router:
iptables -A FORWARD -i eth1 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
- If you want to start fresh:
iptables -F
iptables -t filter -L -n --line-numbers
- TCP: telnet listens on port 23. Allow telnet coming from the external side, which enters the router on eth0:
iptables -A FORWARD -i eth0 -p tcp --dport 23 -j ACCEPT
- From the internal network, traffic enters the router on eth1:
iptables -A FORWARD -i eth1 -p tcp --dport 23 -j ACCEPT
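An added example, not from the lab notes or the SEED lab itself: the same router ruleset written as one iptables-restore file and loaded atomically, instead of typed as separate -A commands that leave the router half-configured between each one. Interface roles follow the notes (eth0 external, eth1 internal) and are parameters, so the script can be checked without a router. One line is my addition, labelled as such in the file: the notes' FORWARD rules only match the first packet in each direction, so the telnet replies (coming back from port 23 on an unrelated destination port) would hit the DROP policy and no session could complete; the conntrack ESTABLISHED,RELATED rule lets that return traffic through. The default is dry-run; set DRY_RUN=0 as root to actually load the rules.

```shell
#!/bin/sh
# Added example (not the lab's own code): build the router's filter ruleset
# as an iptables-restore file and apply it in one atomic step.

EXT_IF="${EXT_IF:-eth0}"   # external side of the router (10.9.0.0/24)
INT_IF="${INT_IF:-eth1}"   # internal side of the router (192.168.60.0/24)

# Print the ruleset in iptables-restore format.
# Arguments: external interface, internal interface.
build_ruleset() {
    ext="$1"; int_if="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# (added, not in the notes) return traffic of connections allowed below
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# internal hosts may ping outside: request enters on $int_if, reply enters on $ext
-A FORWARD -i $int_if -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $ext -p icmp --icmp-type echo-reply -j ACCEPT
# telnet (TCP/23) initiated from either side
-A FORWARD -i $ext -p tcp --dport 23 -j ACCEPT
-A FORWARD -i $int_if -p tcp --dport 23 -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set, for a quick sanity check.
rule_count() {
    build_ruleset "$1" "$2" | grep -c '^-A '
}

# Apply the ruleset. DRY_RUN=1 (default) only prints what would be loaded;
# DRY_RUN=0 pipes it into iptables-restore (needs root on the router).
apply_ruleset() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_ruleset "$EXT_IF" "$INT_IF"
    else
        build_ruleset "$EXT_IF" "$INT_IF" | iptables-restore
    fi
}

# Stand-alone run: prints the ruleset (or loads it when DRY_RUN=0).
apply_ruleset
```

After loading, `iptables -S FORWARD` should list exactly the five rules above in that order; the conntrack rule sits first so that an allowed session's later packets are matched before any per-interface rule is consulted.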