HowtoForge Forums > Linux Forums > Technical
  #1  
12th June 2008, 15:17
sud.tech
Junior Member
Join Date: Jun 2008
Posts: 3

Running customised firewall script - RHEL 4

I have created a custom firewall script in RHEL 4. Let me explain the steps which I followed.

eth0 - Internal LAN
eth1 - External LAN

During the installation of RHEL 4, I enabled the firewall, and after booting to X Windows I selected "enable firewall" and defined the customised ports.

When my client systems tried to access the internet, they couldn't, but when I ran the custom firewall script (fw) they could.

Now the problem is that when I run the command

iptables -L ----- it processes the fw as well as the ports defined in the GUI firewall

Even the command service iptables status --- throws the same result.

How do I make Linux run my customised firewall, since it seems to run the inbuilt iptables script?

The problem is that I have defined some customised ports, but when I try to access ports which are not defined, it accepts the connection.

Even the PREROUTING iptables command does not run, since I need to access a webserver on the private LAN configured on port 8080.

Can anybody help?

Sud



************************************************** ************************************************** **********************

#! /bin/sh
#
#
# Desc: FireWall Script for a Linux-Based Gateway System.
# This script considers the Host to be Gateway-With-FireWall,
# It takes a restrictive approach, thus allowing only the
# required ports & connections to pass thru.
#

#
# --- DECLARE ALLOWED PORTS --- #
#
# Allow Set-A:
TCP_ALLOW_A="20,21,22,80,81,110"
UDP_ALLOW_A="20,21,22,80,81,110"
#
#
# --- DECLARE VARIABLES ---
#
# Internal Interface/Internal LAN Adapter:
INTR=eth0
#
# External Interface/External (Public/Static-IP) Adapter:
EXTR=eth1
#
# Gateway/Firewall's Internal (LAN) IP:
IN_IP="192.168.3.111"
#
# Gateway/Firewall's External (Public/Static) IP:
OUT_IP="222.x.y.z"

#
# ISP's Gateway:
ISP_GT="222.x.y7.z"

#
# DNS/Nameserver-A:
DNS_A="205.x.y.z"

#
# DNS/Nameserver-B:
DNS_B="205.x.y1.z1"

#
# Trusted Host:
TRST_HOST="192.168.3.0/24"
#

TRST_EXT_HOST="222.x1.y1.z2"



#
# --- POLICY SETUP ---
#
# Flush Existing/Stale Rules (if any):
/sbin/iptables -F
/sbin/iptables -t filter -F
/sbin/iptables -t mangle -F
/sbin/iptables -t nat -F
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#

service iptables stop
service iptables start
#



# Setup Restrictive Policy:
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
#


# -- Anti IP-Spoofing --*-
for f in /proc/sys/net/ipv4/conf/*/rp_filter;do
/bin/echo "1" > $f
done
#


# -- SYN-Flood Protection:
sysctl -w net.ipv4.tcp_syncookies=1
#

# -- IP-Forward Enable:
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# -----*-----

# Allow local/loopback device traffic:
/sbin/iptables -A OUTPUT -s localhost -d localhost -j ACCEPT
/sbin/iptables -A INPUT -s localhost -d localhost -j ACCEPT
#

# Allow Ping/ICMP Packets:
/sbin/iptables -A INPUT -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT
#

#
# --- FireWall Rules ---
#
# INPUT Chain:-
# Accept SSH Connections from Trusted Host:
/sbin/iptables -t filter -A INPUT -i $INTR -s $TRST_HOST -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $INTR -s $TRST_HOST -p udp --dport 22 -j ACCEPT
#
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_HOST -p tcp --sport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_HOST -p udp --sport 22 -j ACCEPT

/sbin/iptables -t filter -A INPUT -i $EXTR -s $TRST_EXT_HOST -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $EXTR -s $TRST_EXT_HOST -p udp --dport 22 -j ACCEPT
#
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_EXT_HOST -p tcp --sport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_EXT_HOST -p udp --sport 22 -j ACCEPT
#

# Forward DNS Requests:


#not done yet

#
# FORWARD Chain:-


# Allow Connections from Valid (Allowed) Ports:


/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -p tcp -m state --state NEW -m multiport --dports $TCP_ALLOW_A -j ACCEPT

/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -p udp -m state --state NEW -m multiport --dports $UDP_ALLOW_A -j ACCEPT


# ---- -----------------------------------
# NOTE: DO NOT ADD/REMOVE ANYTHING AFTER THIS LINE:
# ---- -----------------------------------
#
# --- MASQUERADE All-CONNECTIONS ---
#
/sbin/iptables -t nat -A POSTROUTING -o $EXTR -j MASQUERADE
#
# --- --- --- END --- --- --- #
************************************************** ************************************************** ************************
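Added example for the thread above (it is not the poster's script and not RHEL's own): a default-deny gateway ruleset for an RHEL 4 style iptables host, written so that it can be read against the posted fw script. Two things in the posted script explain the symptoms described: "service iptables stop; service iptables start" restores the system-config-securitylevel ruleset from /etc/sysconfig/iptables after the script's flush, so "iptables -L" and "service iptables status" show both sets of rules; and the two rules under "Allow Ping/ICMP Packets" are "-A INPUT -j ACCEPT" and "-A OUTPUT -j ACCEPT", which accept every port regardless of the later rules. The example below never starts the stock service, has no catch-all accept, and includes the PREROUTING DNAT for the port-8080 web server. The internal web server address 192.168.3.10 is an assumption (the post does not give it), as is the file name fw.sh; interface names, LAN range and allowed port list are taken from the post.

```shell
#!/bin/sh
# Added example, not the poster's script: a default-deny gateway ruleset for an
# RHEL 4 style iptables host (eth0 = LAN, eth1 = Internet).
# It never calls "service iptables start"; on RHEL 4 that restores the GUI's
# ruleset from /etc/sysconfig/iptables on top of whatever the script added.
#   sh fw.sh           dry run: prints the iptables commands it would execute
#   sh fw.sh --apply   installs the rules (as root) and saves them, so the stock
#                      init script restores this ruleset, not the GUI's, at boot
# ASSUMED (not given in the post): the LAN web server is 192.168.3.10:8080.

INTR=eth0                     # internal LAN interface
EXTR=eth1                     # external (Internet) interface
LAN=192.168.3.0/24            # trusted LAN, as TRST_HOST in the post
WEB_INT=192.168.3.10          # ASSUMED address of the internal web server
WEB_PORT=8080                 # port the web server listens on and is published on
TCP_OUT=20,21,22,80,81,110    # TCP ports LAN clients may open to the Internet
UDP_OUT=53                    # UDP the LAN may send out (DNS); nothing else
case "${1:-}" in --apply) APPLY=1 ;; *) APPLY=0 ;; esac

# Every rule goes through ipt(): executed in --apply mode, printed otherwise.
ipt() {
    if [ "$APPLY" = 1 ]; then /sbin/iptables "$@"; else echo "iptables $*"; fi
}

flush_rules() {
    # -F empties the built-in chains; -X then removes user chains such as the
    # stock RH-Firewall-1-INPUT, so no GUI rule survives.
    for t in filter nat mangle; do
        ipt -t $t -F
        ipt -t $t -X
    done
}

set_policies() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}

input_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the gateway itself opened.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH to the gateway from the LAN side only; no catch-all "-A INPUT -j ACCEPT".
    ipt -A INPUT -i $INTR -s $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Ping, rate limited.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # Log (rate limited) what the DROP policy is about to discard.
    ipt -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "FW-INPUT-DROP: "
}

output_rules() {
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The gateway itself may resolve names and fetch updates; nothing else out.
    ipt -A OUTPUT -o $EXTR -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o $EXTR -p tcp -m multiport --dports 53,80,443 -j ACCEPT
    ipt -A OUTPUT -o $INTR -d $LAN -j ACCEPT
}

forward_rules() {
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN -> Internet on the listed ports only. Matching -i as well as -s stops
    # packets with a forged 192.168.3.x source that arrive on eth1.
    ipt -A FORWARD -i $INTR -o $EXTR -s $LAN -p tcp -m multiport --dports $TCP_OUT \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i $INTR -o $EXTR -s $LAN -p udp -m multiport --dports $UDP_OUT \
        -m state --state NEW -j ACCEPT
    # Internet -> published web server; must pair with the DNAT rule below.
    ipt -A FORWARD -i $EXTR -o $INTR -d $WEB_INT -p tcp --dport $WEB_PORT \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "FW-FWD-DROP: "
}

nat_rules() {
    # Port forward: external :8080 -> internal web server :8080.
    ipt -t nat -A PREROUTING -i $EXTR -p tcp --dport $WEB_PORT \
        -j DNAT --to-destination $WEB_INT:$WEB_PORT
    # Masquerade only LAN sources, so nothing else is rewritten behind eth1.
    ipt -t nat -A POSTROUTING -o $EXTR -s $LAN -j MASQUERADE
}

build_firewall() {
    flush_rules
    set_policies
    input_rules
    output_rules
    forward_rules
    nat_rules
}

if [ "$APPLY" = 1 ]; then
    for m in ip_tables ip_conntrack ip_conntrack_ftp ip_nat_ftp; do /sbin/modprobe $m; done
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
    build_firewall
    /sbin/service iptables save     # persist to /etc/sysconfig/iptables
else
    build_firewall
fi
```

After "sh fw.sh --apply", check what is actually loaded with "iptables -L -n -v --line-numbers" and "iptables -t nat -L -n -v": the filter chains should show the DROP policy with no RH-Firewall-1-INPUT chain, and the nat table should show the PREROUTING DNAT and the POSTROUTING MASQUERADE. Note that "service iptables save" persists only the rules; the sysctl settings (ip_forward, tcp_syncookies, rp_filter) are not saved by it and belong in /etc/sysctl.conf so that forwarding survives a reboot.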