Help an IPTABLES neophyte please
Waldher, Travis R
Travis.R.Waldher at boeing.com
Fri May 9 21:00:45 UTC 2008
> -----Original Message-----
> From: Rick Stevens [mailto:ricks at nerd.com]
> Sent: Friday, May 09, 2008 9:54 AM
> To: Getting started with Red Hat Linux
> Subject: Re: Help an IPTABLES neophyte please
<snip>
>
> You didn't say which NICs are on the external and which are on the
> internal (and I see 3 NICs in your ruleset). However, assuming eth0 is
> the external and eth1 and eth2 are the internal, then
>
> # Permit incoming and outgoing LDAP:// traffic on eth0...
> iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 389 -m state --state \
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --sport 389 -m state --state \
> NEW -j ACCEPT
> # Permit incoming and outgoing LDAPS:// traffic on eth0...
> iptables -A INPUT -i eth0 -s 0/0 -p tcp --sport 636 -m state --state \
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --sport 636 -m state --state \
> NEW -j ACCEPT
>
> Should be a good basis to start with.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer rps2 at nerd.com -
> - Hosting Consulting, Inc. -
> - -
> - Blech! ACKth! Ooop! -- Bill the Cat (Outland) -
> ----------------------------------------------------------------------
Okay, I finally got that working.
#Allow outbound LDAP
## Permit incoming and outgoing LDAP:// traffic on eth0...
iptables -A INPUT -i eth0 -s 0/0 -p tcp --sport 389 --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --sport 1024:65535 --dport 389 \
-m state --state NEW,ESTABLISHED -j ACCEPT
There was no talking on 636, so I was going to leave that closed off
unless there is a good reason to open it.
Next step, forwarding LDAP requests over eth1 or eth2 going out eth0.
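A small Python model of how the two rules above behave under connection tracking, added here as an illustration and not code from the thread; the Packet, verdict and walk names are hypothetical, and a DROP default policy is assumed since the post does not state one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    chain: str   # "INPUT" or "OUTPUT"
    iface: str   # the -i / -o interface
    proto: str
    sport: int
    dport: int
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED, INVALID

def port_match(port, spec):
    """Match an iptables port spec: a single port ("389") or a range ("1024:65535")."""
    if ":" in spec:
        lo, hi = (int(x) for x in spec.split(":"))
        return lo <= port <= hi
    return port == int(spec)

# The two rules from the post, as match dictionaries (default policy assumed DROP).
RULES = [
    {"chain": "INPUT", "iface": "eth0", "proto": "tcp", "sport": "389",
     "dport": "1024:65535", "states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"chain": "OUTPUT", "iface": "eth0", "proto": "tcp", "sport": "1024:65535",
     "dport": "389", "states": {"NEW", "ESTABLISHED"}, "target": "ACCEPT"},
]

def verdict(pkt, rules=RULES, policy="DROP"):
    """First matching rule wins, like iptables chain traversal; otherwise the policy."""
    for r in rules:
        if (r["chain"] == pkt.chain and r["iface"] == pkt.iface
                and r["proto"] == pkt.proto
                and port_match(pkt.sport, r["sport"])
                and port_match(pkt.dport, r["dport"])
                and pkt.state in r["states"]):
            return r["target"]
    return policy

def walk(packets, rules=RULES):
    """Run (chain, iface, proto, sport, dport) tuples through the rules in order,
    deriving each packet's conntrack state from earlier accepted packets of the
    same flow (simplified: a flow is keyed by (local port, remote port))."""
    flows, verdicts = set(), []
    for chain, iface, proto, sport, dport in packets:
        local, remote = (sport, dport) if chain == "OUTPUT" else (dport, sport)
        state = "ESTABLISHED" if (local, remote) in flows else "NEW"
        v = verdict(Packet(chain, iface, proto, sport, dport, state), rules)
        if v == "ACCEPT":
            flows.add((local, remote))
        verdicts.append(v)
    return verdicts
```

Walking a client-initiated connection through it shows why the INPUT rule only needs ESTABLISHED,RELATED: an inbound packet from port 389 that no earlier outbound packet set up is still NEW and falls through to the policy.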