7th November 2007, 16:36
fbifido
Junior Member
Join Date: Dec 2006
Posts: 15

RedHat AS 4 firewall iptables question.

Hi,
I am new to Linux firewalls, so I don't know how to ask my questions, so I will try my best to let you see what's in my head.

Look at the picture I attached.

eth1: static 65.183.x.x
eth0: static 192.168.0.1

workstations: static 192.168.0.x

I was trying to protect my server with a firewall, and did it using iptables.

Can someone look at my iptables below and help me out?

My requests:
1. I need to block all ports that can be accessed from eth1 (outside the firewall).
2. The same for eth0.
I want to be able to open a port at any time for eth1 or eth0 or both.
I also want to forward a port or two to any workstation of my choice.

3. I need all the common ports like 25, 22, 21, 53, 80, 110, 143, 443, 995 to be set up, but not running for eth1. The only port that will be running on eth1 is 80, so that I can access my webmail when I am away from the office.
I want to be able to enable a port or disable a port as I need them.

4. If I disable, say, port 22 on eth1, that means no one can ssh into my system from the internet; I want to be able to enable it on eth0, so that any or one workstation can still ssh out to the internet or within the LAN.

5. Question: if my mail server POP3s my mail from the internet, do I need to enable port 25 on eth1? What if I relay all the outgoing mail to my POP3 provider?

6. This is what I know about INPUT: if you set a rule for INPUT, then it only applies to traffic coming from the internet (eth1), and if you set a rule for OUTPUT it only applies to packets coming from the workstations (eth0).
Where does FORWARD fall in this now? Is it when INPUT is done processing the packets from the internet, then it passes them on to FORWARD?

7. I am not too sure about my iptables file below; I was reading, and the parts that made sense I just copied and pasted.

8. I have more questions, but........


The info in this iptables file is patched together from reading these forums.

#!/bin/bash
#
# This script file will make a firewall that will be in memory.

IPTABLES="/sbin/iptables"

# Remove any existing rules from all chains
$IPTABLES --flush
$IPTABLES --delete-chain

# Allow packet forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set the default policy to DROP
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# Rules to allow ALTEROO to come into our system.
$IPTABLES -A INPUT -s 224.0.0.251 -d 192.168.0.1 -p udp -m udp --dport 5353 -j ACCEPT

# Enable all pipes to communicate with the firewall.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# Allow DNS zone transfers
$IPTABLES -A INPUT -i eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

# BAD GUYS, Block source IP Address.
$IPTABLES -A INPUT -s 192.168.0.39 -j DROP
$IPTABLES -A INPUT -s 192.168.0.57 -j DROP

# Block Port number
$IPTABLES -A INPUT -i eth1 -p tcp --dport 25 -j REJECT
$IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j REJECT
$IPTABLES -A INPUT -i eth1 -p tcp --dport 8080 -j REJECT
$IPTABLES -A INPUT -i eth1 -p tcp --dport 3128 -j REJECT

# Open ports for Server
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT # SSH
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT # HTTP
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 443 -j ACCEPT # HTTPs

$IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp --dport 110 -j ACCEPT # POP3
$IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp --dport 995 -j ACCEPT # POP3s
$IPTABLES -A INPUT -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT # SMTP


# Allow ICMP (ping) to the firewall itself
$IPTABLES -A INPUT -p icmp -j ACCEPT # ICMP/Ping
# Masquerade LAN traffic leaving for the internet ("-d !" is the old negation form; newer iptables use "! -d")
$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j MASQUERADE

# Global Rejects must come Last
$IPTABLES -A INPUT -j REJECT
$IPTABLES -A FORWARD -j REJECT
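The post asks how to open or close a port per interface, how to forward a port to a chosen workstation, and where FORWARD fits among INPUT and OUTPUT. The script below is an added example, not part of the original post or of any distribution's own firewall tooling. It uses the interface names and LAN network from the post (eth1 = internet, eth0 = LAN 192.168.0.0/24); the port list in build() and the workstation 192.168.0.10 used for the port forward are constructed for illustration. By default it only prints the iptables commands it would run, so the rule set can be reviewed without root; setting APPLY=1 executes them. The key points it shows: INPUT handles packets addressed to the firewall itself, OUTPUT handles packets the firewall originates, and routed traffic between eth0 and eth1 (including DNAT'd port forwards) goes through FORWARD only, so FORWARD needs its own ACCEPT rules.

```shell
#!/bin/sh
# Added example: per-interface port control and port forwarding for a
# two-interface gateway. Dry run by default; APPLY=1 runs iptables for real.
# Interface names and LAN network are from the post; the ports opened in
# build() and the host 192.168.0.10 are constructed for illustration.

WAN=eth1                 # internet side (static 65.183.x.x in the post)
LAN=eth0                 # LAN side (192.168.0.1)
LAN_NET=192.168.0.0/24

# Either execute a rule or print it, depending on APPLY.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        /sbin/iptables "$@"
    else
        echo "iptables $*"
    fi
}

# open_port IFACE PROTO PORT
# Accept NEW connections to the firewall itself arriving on IFACE. With a
# DROP policy on INPUT, "closing" a port is simply not emitting this rule,
# so ports can be enabled per interface (eth1, eth0 or both) by adding
# or removing a single line in build().
open_port() {
    ipt -A INPUT -i "$1" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

# forward_port PROTO PORT HOST
# Send a port arriving on the internet interface to a LAN workstation.
# Forwarded packets never traverse INPUT: they are rewritten in the nat
# PREROUTING chain and then pass through FORWARD, which must accept them.
forward_port() {
    ipt -t nat -A PREROUTING -i "$WAN" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$2"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p "$1" -d "$3" --dport "$2" \
        -m state --state NEW -j ACCEPT
}

# Baseline: flush, default-deny on INPUT and FORWARD, allow replies,
# let the LAN out to the internet, and masquerade it behind eth1.
base_rules() {
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT          # traffic the firewall itself originates
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # Workstation traffic is routed, so it is a FORWARD matter, not OUTPUT.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# The policy from the post: only 80 reachable from the internet; mail and
# SSH reachable from the LAN only. Fetching mail by POP3 and relaying
# through a provider are outbound connections and need no inbound port 25;
# inbound 25 is only needed if this host receives mail directly.
build() {
    base_rules
    open_port "$WAN" tcp 80        # webmail from outside the office
    open_port "$LAN" tcp 22        # SSH from workstations only
    open_port "$LAN" tcp 25        # SMTP submission from the LAN
    open_port "$LAN" tcp 110       # POP3 from the LAN
    open_port "$LAN" tcp 143       # IMAP from the LAN
    forward_port tcp 3389 192.168.0.10   # constructed example workstation
}

build
```

Running the script with no arguments prints the 19 iptables commands for review; APPLY=1 ./fw.sh installs them. The dry-run mode exists so that a rule set can be diffed and checked before it is loaded on a remote host, where a mistaken default DROP would lock the administrator out.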