- In the router we have the iptables:
- check the default rules
iptables -t filter -L - for the nat table
iptables -t nat -L -n - To see line number in the rule
iptables -t nat -L -n--line-numbers
- We want to bring up one machine
hostA-10.9.0.5 bashusing the commanddocker exec -it hostA-10.9.0.5 bash - We will ping the router at
10.9.0.11 - Now use
telnetcommand to login into userseedwith passworddees - Copy the four rules from the website:
- Restore the filter table to its original state by the following commands:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
To confirm that you are back to the beginning do
iptables -t filter -L -n --line-numbers
iptables -P FORWARD DROP
Now from the machine 10.9.0.5:
ping the host 192.168.60.6
You should not be able to access that since we drop all the FORWARD.
This is the Router addresses interfaces using the command ip a:
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
From the host1-192.168.60.5 use the command ping 192.168.60.11
You should not be able to ping the router !!
Add these two rules to the router:
iptables -A FORWARD -i eth1 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
If you want to start fresh
iptables -F
iptables -t filter -L -n --line-numbers
TCP listen on the port 23
iptables -A FORWARD -i eth0 -p tcp --dport 23 -j ACCEPT
From internal network we will use eth1
iptables -A FORWARD -i eth1 -p tcp --dport 23 -j ACCEPT