HowtoForge Forums > Linux Forums > Installation/Configuration

7th November 2007, 16:36
fbifido, Junior Member (Join Date: Dec 2006, Posts: 15)

RedHat AS 4 firewall iptables question.

Hi,
I am new to Linux firewalls, so I don't know how to ask my questions, so I will try my best to let you see what's in my head.

Look at the picture I attached.

eth1: static 65.183.x.x
eth0: static 192.168.0.1

workstations: static 192.168.0.x

I was trying to protect my server with a firewall, and did it using iptables.

Can someone look at my iptables below and help me out?

My requests:
1. I need to block all ports that can be accessed from eth1 (outside the firewall).
2. The same for eth0.
I want to be able to open a port at any time for eth1 or eth0 or both.
I also want to forward a port or two to any workstation of my choice.

3. I need all the common ports like 25, 22, 21, 53, 80, 110, 143, 443, 995 to be set up, but not running for eth1. The only port that will be running on eth1 is 80, so that I can access my webmail when I am away from the office.
I want to be able to enable a port or disable a port as I need them.

4. If I disable, say, port 22 on eth1, meaning no one can ssh into my system from the internet, I want to be able to enable it on eth0, so that any or one workstation can still ssh out to the internet or within the LAN.

5. Question: if my mail server POP3s my mail from the internet, do I need to enable port 25 on eth1? What if I relay all the outgoing mail to my POP3 provider?

6. This is what I know about INPUT: if you set a rule for INPUT, then it only applies to any traffic coming from the internet (eth1), and if you set a rule for OUTPUT it only applies to packets coming from the workstations (eth0).
Where does FORWARD fit in this now? Is it when INPUT is done processing the packets from the internet, then it passes them on to FORWARD?

7. I am not too sure about my iptables file below; I was reading, and the parts that made sense I just copied and pasted.

8. I have more questions, but........


The info in this iptables file is patched together from reading on these forums.

#!/bin/bash
#
# This script file will make a firewall that will be in memory.

IPTABLES="/sbin/iptables"

# Remove any existing rules from all chains, in the filter AND the nat table
# (a plain --flush only touches the filter table, so re-running the script
# would otherwise stack a second MASQUERADE rule in nat/POSTROUTING)
$IPTABLES --flush
$IPTABLES --delete-chain
$IPTABLES -t nat --flush
$IPTABLES -t nat --delete-chain

# Allow packet forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set the default policy to DROP
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# Rules to allow ALTEROO to come into our system.
# 224.0.0.251:5353 is the mDNS multicast group; it appears as a packet's
# destination, never its source, so the match has to be -d (the original
# "-s 224.0.0.251" could never match anything)
$IPTABLES -A INPUT -i eth0 -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT

# Enable all pipes to communicate with the firewall.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Replies to connections the workstations opened come back in on eth1, so the
# FORWARD state rule must not be limited to -i eth0; the NEW rule is what lets
# the LAN out to the internet in the first place (it is masqueraded below)
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# Allow DNS zone transfers
# Note: with --sport 53 these only match peers that send from port 53 (older
# BIND behaviour); resolvers and newer servers use random source ports. The two
# OUTPUT rules are already covered by the OUTPUT NEW,RELATED,ESTABLISHED rule.
$IPTABLES -A INPUT -i eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

# BAD GUYS, Block source IP Address.
$IPTABLES -A INPUT -s 192.168.0.39 -j DROP
$IPTABLES -A INPUT -s 192.168.0.57 -j DROP

# Block Port number (these sit before the ACCEPT rules below, so port 22 ends
# up reachable from eth0 only, while 80 and 443 stay open on both sides)
$IPTABLES -A INPUT -i eth1 -p tcp --dport 25 -j REJECT
$IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j REJECT
$IPTABLES -A INPUT -i eth1 -p tcp --dport 8080 -j REJECT
$IPTABLES -A INPUT -i eth1 -p tcp --dport 3128 -j REJECT   # was "-J", which iptables rejects

# Open ports for Server
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT # SSH
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 80 -j ACCEPT # HTTP
$IPTABLES -A INPUT -s 0/0 -p tcp --dport 443 -j ACCEPT # HTTPs

# LAN-only services: match the interface as well as the source, so a packet
# arriving on eth1 with a forged 192.168.0.x source address does not qualify
$IPTABLES -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 110 -j ACCEPT # POP3
$IPTABLES -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 995 -j ACCEPT # POP3s
$IPTABLES -A INPUT -i eth0 -s 192.168.0.0/24 -p tcp --dport 25 -j ACCEPT # SMTP


# ICMP to the firewall itself, and masquerading for the LAN behind it
$IPTABLES -A INPUT -p icmp -j ACCEPT # ICMP/Ping
# ("-d ! net" is the old negation syntax; newer iptables spell it "! -d net")
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -d ! 192.168.0.0/24 -j MASQUERADE

# Global Rejects must come Last
$IPTABLES -A INPUT -j REJECT
$IPTABLES -A FORWARD -j REJECT
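The gateway layout the post describes (eth1 facing the internet, eth0 facing a 192.168.0.0/24 LAN), written as a re-runnable rule set with helpers for the three things the post asks for: open or close a service on one interface at any time, forward a port to a chosen workstation, and let the LAN out through masquerading. This is an added example, not code from the original post or from HowtoForge; the interface names and the LAN range are taken from the post, while the workstation address 192.168.0.20, the RDP port 3389 and the chain names `services` and `published` are assumptions made up for the illustration. The header comment also spells out which chain each kind of packet actually traverses, which is where question 6 in the post goes wrong.

```shell
#!/bin/bash
# Added example (not from the original post): a re-runnable rule set for a
# two-interface gateway. eth1 = internet, eth0 = LAN (names from the post);
# 192.168.0.20 and the "services"/"published" chains are assumptions.
#
# Which chain sees which packet:
#   INPUT   - packets addressed TO the firewall host, on any interface
#   OUTPUT  - packets generated BY the firewall host, on any interface
#   FORWARD - packets ROUTED THROUGH the host (LAN <-> internet); these never
#             pass INPUT or OUTPUT. nat/PREROUTING (DNAT) runs before the
#             routing decision, nat/POSTROUTING (MASQUERADE) after it.
#
# Services are accepted from user chains that INPUT/FORWARD consult before the
# final REJECT, so open_port/forward_port work at any time after loading.

WAN=eth1
LAN=eth0
LAN_NET=192.168.0.0/24
IPTABLES=${IPTABLES:-/sbin/iptables}   # set IPTABLES="echo iptables" to dry-run

# Reset the filter AND nat tables (a plain -F leaves nat alone, and a re-run
# would then append a second MASQUERADE rule).
reset_tables() {
    $IPTABLES -F;        $IPTABLES -X
    $IPTABLES -t nat -F; $IPTABLES -t nat -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
}

# Loopback, connection tracking, spoof drop, LAN -> internet with masquerade.
baseline() {
    $IPTABLES -N services
    $IPTABLES -N published
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT  -m state --state INVALID -j DROP
    $IPTABLES -A INPUT  -i "$WAN" -s "$LAN_NET" -j DROP
    $IPTABLES -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    # Replies to LAN-initiated connections arrive on $WAN, so this rule must
    # not be restricted to -i $LAN.
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $IPTABLES -A INPUT   -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -A INPUT   -j services
    $IPTABLES -A FORWARD -j published
    $IPTABLES -A INPUT   -j REJECT
    $IPTABLES -A FORWARD -j REJECT
}

# open_port IFACE PROTO PORT [SOURCE]: accept NEW connections to a service on
# the firewall itself, on one interface only; call once per interface for "both".
open_port() {
    $IPTABLES -A services -i "$1" -s "${4:-0.0.0.0/0}" -p "$2" --dport "$3" \
        -m state --state NEW -j ACCEPT
}

# close_port IFACE PROTO PORT [SOURCE]: delete exactly the rule open_port added.
close_port() {
    $IPTABLES -D services -i "$1" -s "${4:-0.0.0.0/0}" -p "$2" --dport "$3" \
        -m state --state NEW -j ACCEPT
}

# forward_port PROTO PORT DEST_IP [DEST_PORT]: publish a workstation's service on
# the internet side. DNAT rewrites the destination before routing; the packet
# then crosses FORWARD (not INPUT), so FORWARD needs a matching ACCEPT too.
forward_port() {
    $IPTABLES -t nat -A PREROUTING -i "$WAN" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:${4:-$2}"
    $IPTABLES -A published -i "$WAN" -o "$LAN" -d "$3" -p "$1" --dport "${4:-$2}" \
        -m state --state NEW -j ACCEPT
}

load_firewall() {
    reset_tables
    baseline
    open_port "$WAN" tcp 80                 # webmail from outside
    open_port "$LAN" tcp 22  "$LAN_NET"     # ssh from the LAN only
    open_port "$LAN" tcp 25  "$LAN_NET"     # LAN clients hand mail to the server
    open_port "$LAN" tcp 110 "$LAN_NET"
    open_port "$LAN" tcp 143 "$LAN_NET"
    forward_port tcp 3389 192.168.0.20      # RDP to one (made-up) workstation
}

# No argument: only define the functions, so the file can also be sourced.
case "${1:-}" in
    apply) load_firewall ;;
    show)  IPTABLES="echo iptables"; load_firewall ;;   # print, do not load
esac
```

`bash fw.sh show` prints every rule that `bash fw.sh apply` would load, which is the quickest way to check ordering before touching a remote box. After loading, `. fw.sh; open_port eth1 tcp 443` or `close_port eth1 tcp 443` changes one service without a reload, because the `services` chain is consulted before the final REJECT (a rule appended directly to INPUT at that point would land behind the REJECT and never match).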