
Re: simple firewall



On Thu, 2003-04-03 at 17.03, Kevin Waterson wrote:
Hi,

> 
> I wish to have a simple firewall to forward http traffic to internal network
> This is what I have but it does not forward, any help much appreciated

...
> # External Interface
> EXT_IF=`route -n | awk '$1~/0.0.0.0/ {print $8}'`
...
> # IP of the web machine
> WWW_IP="192.168.0.3"
...
> # Default policies
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
...
> # Allow packets to return
> $IPTABLES -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Here you are only allowing packets through your machine coming from the
outside related to a connection. But you do not allow any packets going
out. Why are you not using your $EXT_IF?
> 
> # Allow packets out
> $IPTABLES -A FORWARD -i eth1 -s $INT_NET -j ACCEPT
Here you allow all packets from the inside using the correct IP address.
I would suggest the following rules instead:
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -s $INT_NET -m state --state NEW -j ACCEPT
Allow new packets only from the inside. Allow all established and
related in both directions!
> 
> # Forward http request to internal net
> $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to $WWW_IP
Correct.
> 
> # Allow port 80
> # $IPTABLES -A INPUT -i ppp0 -d 0/0 -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -i ppp0 -d 0/0 -p tcp --dport 80 -j ACCEPT
I would suggest here to allow only the packet initiating the connection.
All other packets are caught by the rules above:
$IPTABLES -A FORWARD -i ppp0 -d $WWW_IP -p tcp --dport 80 -m state \
--state NEW -j ACCEPT
PREROUTING happens before FORWARD, therefore the packet already has the
destination of $WWW_IP.

> 
> # Allow SSH
> $IPTABLES -A INPUT -i ppp0 -d 0/0 -p tcp --dport 22 -j ACCEPT
Again only allow new packets:
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 22 -m state --state NEW \
-j ACCEPT

And again the question: what about $EXT_IF and $INT_NET_IF?

Cheers,

Ralf
> 
> # Log to syslog
> # $IPTABLES -A INPUT -j LOG
> # 
> 
> 
> Kind regards
> Kevin
> 
> -- 
> Kevin Waterson
> Port Macquarie, Australia
> 
> 
> 
> -- 
> Psyche-list mailing list
> Psyche-list redhat com
> https://listman.redhat.com/mailman/listinfo/psyche-list
-- 
Ralf Spenneberg
RHCE, RHCX

IPsec/PPTP Kernels for Red Hat Linux:  
http://www.spenneberg.com/.net/.org/.de
Honeynet Project Mirror:                http://honeynet.spenneberg.org
Snort Mirror:                           http://snort.spenneberg.org
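To make the traversal order described in the reply concrete (nat PREROUTING rewriting the destination before filter FORWARD runs, and a single RELATED,ESTABLISHED rule covering every packet after the first), here is an added toy model of the suggested rule set in Python. It is not code from the thread; the interface names ppp0/eth1, INT_NET, and the public and client addresses are assumed.

```python
import ipaddress
# Assumed names from the thread; PUBLIC_IP stands in for the ppp0 address.
EXT_IF, INT_IF, WWW_IP = "ppp0", "eth1", "192.168.0.3"
INT_NET = ipaddress.ip_network("192.168.0.0/24")
PUBLIC_IP, CLIENT = "203.0.113.10", "198.51.100.7"

def prerouting(pkt):
    # nat PREROUTING: -i $EXT_IF -p tcp --dport 80 -j DNAT --to $WWW_IP
    if pkt["iif"] == EXT_IF and pkt["proto"] == "tcp" and pkt["dport"] == 80:
        return {**pkt, "dst": WWW_IP}
    return pkt

def conn_state(pkt, conntrack):
    # Crude conntrack: a flow already seen in either direction is ESTABLISHED.
    fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return "ESTABLISHED" if fwd in conntrack or rev in conntrack else "NEW"

def forward(pkt, conntrack):
    # filter FORWARD with the rules suggested in the reply; chain policy DROP.
    flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    # -m state --state RELATED,ESTABLISHED -j ACCEPT   (no -i: both directions)
    if conn_state(pkt, conntrack) == "ESTABLISHED":
        return "ACCEPT"
    # -s $INT_NET -m state --state NEW -j ACCEPT
    if ipaddress.ip_address(pkt["src"]) in INT_NET:
        conntrack.add(flow)
        return "ACCEPT"
    # -i ppp0 -d $WWW_IP -p tcp --dport 80 -m state --state NEW -j ACCEPT
    if (pkt["iif"] == EXT_IF and pkt["dst"] == WWW_IP
            and pkt["proto"] == "tcp" and pkt["dport"] == 80):
        conntrack.add(flow)
        return "ACCEPT"
    return "DROP"

def traverse(pkt, conntrack):
    # One routed packet: PREROUTING first, so FORWARD already sees the DNAT'd dst.
    pkt = prerouting(pkt)
    return forward(pkt, conntrack), pkt["dst"]

def demo():
    ct = set()
    mk = lambda i, s, sp, d, dp: dict(iif=i, proto="tcp", src=s, sport=sp, dst=d, dport=dp)
    return (
        traverse(mk(EXT_IF, CLIENT, 40000, PUBLIC_IP, 80), ct),       # web SYN: DNAT + NEW
        traverse(mk(INT_IF, WWW_IP, 80, CLIENT, 40000), ct),          # server reply: ESTABLISHED
        traverse(mk(EXT_IF, CLIENT, 40001, WWW_IP, 22), ct),          # unsolicited inbound: DROP
        traverse(mk(INT_IF, "192.168.0.10", 50000, CLIENT, 443), ct),  # LAN outbound: NEW
    )
```

The conntrack here is a bare set of tuples, so it models neither RELATED nor the reverse NAT of replies that the kernel performs after FORWARD; the point it shows is the chain order and the state matches.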