Help an IPTABLES neophyte please

Rick Stevens ricks at nerd.com
Thu May 8 17:08:01 UTC 2008


Waldher, Travis R wrote:
> I’ve got a machine acting as a portal between a public network and a 
> private network.  Right now, all you can do is ssh in to the box from 
> the public side, and then do as you please on the private side.  You 
> cannot ssh or form any other connection that wasn’t initiated by a 
> client on the public side of the machine.  Think of it as a roach motel.
> 
> Well, I need to be able to pull information from an LDAP server that is 
> on the public network.
> 
> How do I set up my firewall so that it will first allow outbound traffic 
> on port 389 (any others?) and, second, forward any requests it receives 
> from other machines on the private network on.

Hey, Travis!  Long time, no speak!

If this were a normal machine (one not acting as a router), the way you
worded the above sounds like the only incoming connections allowed are
for ssh (TCP port 22), so you probably have a rule such as:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

in your ruleset.  Assuming that the OUTPUT chain has a default policy
of "ACCEPT", you should also have rules such as:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

before the final "-j REJECT" (or "-j DROP") in the input chain.  That
should allow ANY TCP traffic as long as it was INITIATED from the
local machine.

If the machine is a router, then we'd probably have to get into
specifying the different NICs in the rules (by use of the "-i"
parameter).

Could you post your current ruleset so we can get a grip on what you
have set up?  It may be a really simple fix or a simpler ruleset may work.

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                       rps2 at nerd.com -
- Hosting Consulting, Inc.                                           -
-                                                                    -
-   NEWS FLASH! Intelligence of mankind decreasing!  Details at...   -
-     uh, when, uh, the little hand is, uh, on the...  Aw, NUTS!     -
----------------------------------------------------------------------
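One way to write the ruleset the thread is discussing, as an added example rather than anything Rick or Travis posted: it keeps the "roach motel" behaviour (only new inbound ssh from the public side, OUTPUT accept-by-default as Rick assumes) and adds the FORWARD rules, selected by NIC with `-i`/`-o`, that let private hosts reach the LDAP server. The interface names, private subnet and LDAP server address are placeholders I chose; the port 636 entry covers LDAPS in case that is one of the "any others".

```shell
#!/bin/sh
# Added example, not from the list post. Dry run by default: with
# IPT="echo iptables" the rules are printed; run as root with
# IPT=iptables to apply them. All addresses/NICs below are assumptions.
IPT=${IPT:-"echo iptables"}
PUB_IF=${PUB_IF:-eth0}                  # assumption: NIC on the public network
PRIV_IF=${PRIV_IF:-eth1}                # assumption: NIC on the private network
PRIV_NET=${PRIV_NET:-192.168.10.0/24}   # assumption: private subnet
LDAP_SRV=${LDAP_SRV:-203.0.113.10}      # constructed placeholder (RFC 5737 range)

ldap_portal_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT   # the box's own outbound 389 works because of this
    # Loopback, plus replies to connections the portal itself initiated.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only new inbound connection allowed: ssh arriving on the public NIC.
    $IPT -A INPUT -i $PUB_IF -m state --state NEW -p tcp --dport 22 -j ACCEPT
    # Forwarding: private hosts may open LDAP (389) or LDAPS (636) to the
    # LDAP server only; the replies are matched by the state rule below.
    $IPT -A FORWARD -i $PRIV_IF -o $PUB_IF -s $PRIV_NET -d $LDAP_SRV \
        -p tcp -m multiport --dports 389,636 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Nothing new may cross from the public side into the private network.
    $IPT -A FORWARD -i $PUB_IF -o $PRIV_IF -m state --state NEW -j DROP
    # Private addresses are not routable on the public side, so the
    # forwarded LDAP traffic leaves with the portal's public address.
    $IPT -t nat -A POSTROUTING -o $PUB_IF -s $PRIV_NET -d $LDAP_SRV -j MASQUERADE
    # Routing between the two NICs (runtime only; persist it in sysctl.conf).
    if [ "$IPT" = iptables ]; then
        sysctl -w net.ipv4.ip_forward=1
    fi
}

ldap_portal_rules
```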