[iptables] insert a linux box in a local network

Greetings !!

I’m trying to put a new computer equipped with two ethernet interfaces in place in order to set up a “linux box” in the local network.

This linux box aims to serve DHCP and DNS for the local network.

the first interface eth0 is network (with static ip
the second interface eth1 network (with static ip

there is an existing network for now and I want to bypass it… the existing “router” has the address but it is impossible to have a correct DHCP service.
so I want to put it in the basket and talk directly to the main school server located on

For now the DHCP server is running OK: all the reserved MAC addresses receive the correct IP address just as wanted.
Name resolution works on each client machine; nslookup delivers the correct IP address and the DNS server is the correct one.

Each client computer receives from the DHCP server the default route as and the DNS server as

Concerning the routing, I have tested from each client of the local network whether I could reach each interface of the linux box by ping (ICMP echo): it works, from each client I can ping and

The problem is, because of my lack of practice/understanding of iptables: when I try to reach a web site or simply ping a computer I get “destination protocol unreachable” from to the requesting interface.

I really don’t know how to be sure to route from network all packets from all ports and reversely from to…

Looking at Wireshark, it seems the forward feature is up, but when the packets come from (outside) they are not routed “inside” from to :{

All the packets from all ports must be routed (forwarded) to… I really don’t know how to set up things like this using iptables.

Is that a pre/post-routing rule, an output rule?

I got it very easily in fact, but I think the gateway will be exposed to every threat…

iptables -F
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

that was all I did to solve the issue…

I now need to strengthen the gateway… with “protecting rules”.

two little things :{

one error in the script for configuring iptables:

iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

…and there is a need to SNAT…

iptables -t nat -A POSTROUTING -s -o eth1 -j SNAT --to-source

From your description, you set up your new machine as a router between two networks.
When you do this, you can also set up that machine as the Default Gateway for your own private network which appears to be what you’ve done.

But, a “Default Gateway” is not the same as a simple “Gateway” to another network… In other words, “Default” only works in one direction.
You need to inform Hosts in the upstream network (closer to the Internet in most cases) how and where to access Hosts in the other direction, and this is where you set up a new entry in the routing table of each Host… In layman’s words, your routing table will more or less say “For all traffic destined for an IP address not in this routing table, send it to the Default Gateway where it’ll eventually find its way… But, if you want to send traffic to this specific private network, then don’t send to the Default Gateway, send it to this address (your new router) where the Host is on the other side”

Only after you’ve done this on any machine in the “old” network can it communicate with a Host in your network.

If your upstream DHCP is capable, like many other configurations this modification to local routing tables can be pushed to every Host in your network easily, otherwise you will have to manually modify each individually.


Thank you tsu2 ^^

The network is running OK but, doing so, I saw using iptraf (console) that our network is no longer protected from the UDP 137 flood coming from the Windows network outside.

I have not yet dug further but I tried something like: “drop all UDP and TCP packets whose source port is 137” in my INPUT chain before I accept the packets.


# do not allow DHCP server traffic (source ports 67:68) arriving on the eth1 interface toward the network
# log the requests matching the rule just below, then drop them
# (DHCP runs over UDP, not TCP, and the LOG rule must come before the DROP or it is never reached)
iptables -A INPUT -i eth1 -p udp --sport 67:68 --destination -j LOG --log-prefix "[dhcp to eth1]"
iptables -A INPUT -i eth1 -p udp --sport 67:68 --destination -j DROP

# do not let the eth1 interface pass NetBIOS packets coming from
iptables -A INPUT -i eth1 -p tcp --sport 137 --source -j DROP
iptables -A INPUT -i eth1 -p udp --sport 137 --source -j DROP

# allow at least one service to work
#ACCEPT     udp  --  anywhere             anywhere             udp dpt:xdmcp
iptables -A INPUT -p tcp -s --dport 177 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -i eth0 -j ACCEPT
iptables -A INPUT -p udp -s --dport 177 -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -s --dport 890 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -s --dport 6000 -i eth0 -j ACCEPT

# put my input rules
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT

I think I understood a little of the iptables chains: first INPUT then if packets accepted → FORWARD then if packets accepted → OUTPUT.
Each rule is a filter that drops the packets or lets them be filtered by the next rule in each chain…
If I don’t want the packets from to come through the eth1 interface, I have to drop them in the INPUT chain. But I’m not sure the rule translates the meaning of what I really want to do.

iptables -A INPUT -i eth1 -p tcp --sport 137 --source -j DROP
iptables -A INPUT -i eth1 -p udp --sport 137 --source -j DROP

it seems it won’t work :{


Maybe I missed something… I saw in the standard openSUSE firewall setup that it is possible to drop all broadcast packets at a point in a chain… is that correct? Should I copy/paste those rules in this case?
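A restrictive version of the two-interface gateway ruleset discussed in this thread (the corrected INPUT lines and the SNAT rule from the earlier reply, plus the DHCP/NetBIOS filtering attempted in the script above), added here as an example and not the poster's or tsu2's script. The LAN subnet, the gateway's eth1 address and the log prefix are placeholders, and IPT defaults to echo so the rules are printed for review instead of applied.

```shell
#!/bin/sh
# Added example: a default-deny ruleset for a gateway with eth0 = inside LAN
# (served DHCP/DNS) and eth1 = outside, as in the thread.
# INSIDE_NET and OUTSIDE_IP are placeholders: put the real LAN subnet and
# the gateway's own eth1 address here.
INSIDE_IF=eth0
OUTSIDE_IF=eth1
INSIDE_NET="192.0.2.0/24"
OUTSIDE_IP="198.51.100.10"
# IPT defaults to printing the commands so the ruleset can be reviewed first;
# run as root with IPT=iptables to apply it.
IPT="${IPT:-echo iptables}"

gateway_rules() {
    $IPT -F
    $IPT -t nat -F
    # default deny for traffic to and through the box; the box itself may talk out
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # loopback, replies to the box's own connections, and nothing malformed
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # services offered to the inside network only: DHCP, DNS, ping
    $IPT -A INPUT -i "$INSIDE_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$INSIDE_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$INSIDE_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$INSIDE_IF" -p icmp --icmp-type echo-request -j ACCEPT
    # NetBIOS noise arriving on eth1: log a rate-limited sample, then drop it
    # explicitly (the INPUT policy would drop it anyway; the LOG rule gives visibility)
    $IPT -A INPUT -i "$OUTSIDE_IF" -p udp --dport 137:139 -m limit --limit 6/min \
        -j LOG --log-prefix "[netbios eth1] "
    $IPT -A INPUT -i "$OUTSIDE_IF" -p udp --dport 137:139 -j DROP
    # forwarding: the LAN may open connections outward, the outside only gets
    # replies to them (no rule accepts NEW connections from eth1 into the LAN)
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -s "$INSIDE_NET" -j ACCEPT
    # SNAT so the upstream network sees only the gateway's eth1 address and
    # needs no return route to the LAN
    $IPT -t nat -A POSTROUTING -s "$INSIDE_NET" -o "$OUTSIDE_IF" \
        -j SNAT --to-source "$OUTSIDE_IP"
}

gateway_rules
```

With the default-deny policies, everything not listed (including the UDP 137 broadcasts from the outside network) is dropped in INPUT, and the eth1 side can only reach the LAN as a reply to a connection the LAN opened.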

It works… I didn’t take the time to check the cables… the cable that links to the other networks was plugged into a slot of the hub… I put it in the eth1 card and, of course, it worked!!

In general, port 137 (Windows NBT) is generally ignored; I don’t know that blocking it will have much effect on your overall network performance.
If I were in charge of the network generating those packets though, I’d question whether it’s set up properly… Windows hasn’t required that traffic even in Workgroups since… NT4 days (pre-2007?). You’d likely have to find very old Windows (e.g. XP) and/or NetBIOS Nameservers (WINS), which today is rather archaic since everyone, including Windows OS since even XP, supports Hosts name resolution, which is also the method used by the Internet.