Help an IPTABLES neophyte please
Rick Stevens
ricks at nerd.com
Thu May 8 17:08:01 UTC 2008
Waldher, Travis R wrote:
> I’ve got a machine acting as a portal between a public network and a
> private network. Right now, all you can do is ssh in to the box from
> the public side, and then do as you please on the private side. You
> cannot ssh or form any other connection that wasn’t initiated by a
> client on the public side of the machine. Think of it as a roach motel.
>
> Well, I need to be able to pull information from an LDAP server that is
> on the public network.
>
> How do I setup my firewall so that it will first allow outbound traffic
> on port 389 (any others?) and second forward any requests it receives
> from other machines on the private network on.
Hey, Travis! Long time, no speak!
If this were a normal machine (one not acting as a router), the way you
worded the above sounds like the only incoming connections allowed are
for ssh (TCP port 22), so you probably have a rule such as:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
in your ruleset. Assuming that the OUTPUT chain has a default policy
of "ACCEPT", you should also have rules such as:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
before the final "-j REJECT" (or "-j DROP") in the input chain. That
should allow ANY TCP traffic as long as it was INITIATED from the
local machine.
If the machine is a router, then we'd probably have to get into
specifying the different NICs in the rules (by use of the "-i"
parameter).
Could you post your current ruleset so we can get a grip on what you
have set up? It may be a really simple fix or a simpler ruleset may work.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer rps2 at nerd.com -
- Hosting Consulting, Inc. -
- -
- NEWS FLASH! Intelligence of mankind decreasing! Details at... -
- uh, when, uh, the little hand is, uh, on the... Aw, NUTS! -
----------------------------------------------------------------------
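The router case Rick mentions, as an added example that is not from the thread: a script that generates an iptables-restore ruleset keeping the box ssh-only from the public side while letting private hosts reach one public LDAP server on tcp/389 through the FORWARD chain. The interface names, the private range and the LDAP server address are assumptions; nothing is applied unless run with --apply.

```shell
#!/bin/sh
# Added example: "roach motel" router with one permitted outbound service.
PUB_IF="${PUB_IF:-eth0}"              # NIC on the public network (assumption)
PRIV_IF="${PRIV_IF:-eth1}"            # NIC on the private network (assumption)
PRIV_NET="${PRIV_NET:-10.0.0.0/24}"   # private address range (constructed)
LDAP_SRV="${LDAP_SRV:-192.0.2.10}"    # public LDAP server (constructed, RFC 5737 test address)

# Print the ruleset in iptables-restore format; '#' lines are comments to iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to anything the router itself started (covers its own LDAP lookups, since OUTPUT is ACCEPT)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only new inbound connection allowed from the public side: ssh
-A INPUT -i $PUB_IF -m state --state NEW -p tcp --dport 22 -j ACCEPT
# Private hosts may open LDAP (tcp/389; add 636 the same way if they use LDAPS) to the one LDAP server
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PRIV_IF -o $PUB_IF -s $PRIV_NET -d $LDAP_SRV -p tcp --dport 389 -m state --state NEW -j ACCEPT
# Everything else crossing the router, including new public -> private connections, hits the DROP policy
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Assumption: the private range is not routable on the public side, so hide it behind the public address
-A POSTROUTING -o $PUB_IF -s $PRIV_NET -d $LDAP_SRV -p tcp --dport 389 -j MASQUERADE
COMMIT
EOF
}

# Sanity check before applying: exactly one FORWARD rule admits NEW connections, and it is the 389 rule.
forward_only_ldap() {
    n=$(gen_rules | grep -c -- '-A FORWARD .*--state NEW')
    n389=$(gen_rules | grep -c -- '-A FORWARD .*--dport 389 .*--state NEW')
    [ "$n" -eq 1 ] && [ "$n389" -eq 1 ]
}

case "${1:-}" in
    --show)  gen_rules ;;
    --apply) forward_only_ldap && sysctl -w net.ipv4.ip_forward=1 && gen_rules | iptables-restore ;;
esac
```

Run with --show to review the generated rules, then --apply (as root) to load them atomically with iptables-restore.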