Help with Iptables on with RH linux

James Marcinek jmarc1 at jemconsult.biz
Sat Jul 22 14:33:34 UTC 2006


Stuart,

Thanks again.

I was thinking along the lines of the following but wanted to hear back
before implementing... Here's what I've been up to.
I will add the FORWARD rules too! It looks like I'm getting closer:

iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 443 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 22 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 25 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 993 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT --to-dest 192.168.0.2

And the following forwarding rule:

iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT

... with the other rules following accordingly.  This is what I've come 
up with to implement. Can you let me know what you think about this one?

# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
 
# PREROUTING chain rules
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 443 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 22 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 25 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 993 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT --to-dest 192.168.0.2
 
# User-defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
 
# INPUT chain rules
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.2 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT
 
# Rules for incoming packets from the Internet
 
# Packets for established connections
iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# NOT SURE IF I NEED THIS AS IT'S AN INPUT???
# iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
 
# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
 
# ICMP rules
 
# FORWARD chain rules
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# - FORWARDS to server
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 953 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p udp --dport 953 -j ACCEPT
 
# iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT
 
# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
 
# NOT SURE IF THIS IS CORRECT OR NEEDED???
iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT
 
# POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 172.10.10.2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1


Thanks again for the feedback. I really appreciate it.

Thanks,

James

P.S. Let me know if the width is still a problem; I think I fixed it.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> James Marcinek wrote:
> [other stuff snipped]
> /me wrote this:
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT does it suddenly
>> start working?
> James wrote this:
>>> Ok, now this is where I'm losing you a little. My server has
>>> several ports that it listens... Any internal established
>>> connections from my traffic from my internal NIC (eth1), as well as
>>> any established connections are OK. The IP address eth0:0 is what
>>> is listening to the IP address. Shouldn't it be from that? Also
>>> when I tried using the eth0:0 I received an error indicating that
>>> 'aliases' could not be used so I have to specify -d versus the -i
>>> (eth0:0). then how would this work. I'm trying to interpret the
>>> command... Will this substitute the IP address of 172.x.x.2 for the
>>> IP or will it use the IP address assigned to 172.x.x.1 (eth0).
>
> okay, let's see if I can make this clearer. Apologies if I am telling
> you stuff you already know.
>
> The -i  and -d switches refer to physical NICs. Not IP addresses.
> eth0:0 is merely a way of adding a second IP to the same physical
> interface and being able to bring that 2nd IP up/down at will.
> So packets hitting the virtual IP on eth0:0 really pass through the
> physical interface eth0, which is what netfilter will see.
> You can see a similar view of this using 'ip addr show'.
> which will have no reference to eth0:X at all. Just 2 IPs on eth0.
>
> - -i and -d are used for _directional_ filtering/natting.
>
> If you are dropping packets in the FORWARD chain, there are two rules
> needed to ensure that permitted traffic flows through your firewall:
>
> 1. The DNAT rule in PREROUTING.
>    without this in place the packets you wish to redirect to 192.168.0.2
>    will *never* end up in the FORWARD chain.
>
> 2. A rule in FORWARD that allows specific traffic through your system if
>    it is destined for 192.168.0.2.
>
> *  The eth0 bit was just to ensure that the rule I wrote only applies to
>    packets flowing from out to in. -o eth1 would also do this. In fact
>    you can use both.
> *  You can adjust these rules to allow only certain protocols and ports.
>    I would. In fact, I would do this in the NAT rule as well.
>
> does this make more sense?
>
> #### contrived example #####
> assume I am running a webserver on 192.168.0.2:80
> one of my external IPs (on eth0:X) is 172.16.32.64
> so:
>
> 1) redirect *only* http traffic aimed at eth0:X to 192.168.0.2:
>
> iptables -t nat -A PREROUTING -d 172.16.32.64
>  -p tcp --dport 80 -i eth0 -j DNAT --to-dest 192.168.0.2
>
> 2) permit http traffic to 192.168.0.2 to pass through from out to in:
>
> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
>
> ############################
>
>
>>> I originally wrote the script to build my initial rules and use it
>>> when I want to implement changes... I flush the tables, execute the
>>> firewall script then save the rules.
> good. Just checking. I come across *far* too many people who set their
> rules using a shell script called from rc.local, *after* their network
> has already come up. doh.
>
> Regards
>
> Stuart
>
> ps would you mind setting your MUA (Thunderbird, I believe) to wrap
> lines at a fixed length? your diagram in the original mail was way over
> to the right and the long lines are sometimes very hard to read...
> thx. :)
>
> - --
> Stuart Sears RHCA RHCX
> Quit worrying about your health.  It'll go away.
> 		-- Robert Orben
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFEwff3amPtx1brPQ4RAgwVAJwMuHFEaO/gdeSXiKP9AhF1JO+bwgCfVeYC
> ulNJCCE2RETwUes4c/aHV4c=
> =NEYW
> -----END PGP SIGNATURE-----
>
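The thread's point is that every forwarded service needs two matching rules: a DNAT in nat/PREROUTING (so the packet's destination becomes 192.168.0.2 and the routing decision sends it to FORWARD rather than INPUT) and an ACCEPT in FORWARD restricted to the same protocol and port. Hand-copying nine such pairs is where the posted script picked up a missing space, an `etho` typo and a duplicated UDP rule. The script below is an added example, not code from either poster: it emits both rules per service from one list, restricts the DNAT to the external interface as Stuart suggested, skips duplicate entries, and only prints the commands unless `IPTABLES=iptables` is set. The function names, the `proto/port` list format and the dry-run default are my own choices; the addresses and interfaces are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates matched
# PREROUTING DNAT + FORWARD ACCEPT rules for a list of services so a
# port cannot be redirected in one chain and forgotten in the other.
# Assumptions (mine, not the thread's): function names, the "proto/port"
# list syntax, and the dry-run default. Run as root with IPTABLES=iptables
# to actually apply the rules; by default the commands are only printed.

: "${IPTABLES:=echo iptables}"

# gen_port_forward EXT_IF EXT_IP INT_IP "proto/port proto/port ..."
# For each unique service, emit:
#   1. nat/PREROUTING: DNAT packets arriving on EXT_IF for EXT_IP to INT_IP
#   2. filter/FORWARD: accept NEW connections to INT_IP on that exact port
# Replies are expected to be covered by a separate
# "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule in FORWARD.
gen_port_forward() {
    ext_if=$1; ext_ip=$2; int_ip=$3; services=$4
    seen=""
    for svc in $services; do
        # skip a service listed twice (e.g. udp/53 pasted in two rules)
        case " $seen " in *" $svc "*) continue ;; esac
        seen="$seen $svc"
        proto=${svc%/*}
        port=${svc#*/}
        $IPTABLES -t nat -A PREROUTING -i "$ext_if" -d "$ext_ip" \
            -p "$proto" --dport "$port" -j DNAT --to-destination "$int_ip"
        $IPTABLES -A FORWARD -i "$ext_if" -d "$int_ip" \
            -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# count_rules "proto/port ..." -> number of rules that would be emitted
# for the thread's addresses (always printed, never applied).
count_rules() {
    ( IPTABLES="echo iptables"
      gen_port_forward eth0 172.10.10.2 192.168.0.2 "$1" ) | wc -l | tr -d ' '
}

# Demonstration with the services from the posted script.
gen_port_forward eth0 172.10.10.2 192.168.0.2 \
    "tcp/80 tcp/443 tcp/21 tcp/22 tcp/25 tcp/953 tcp/993 udp/53 udp/953"
```

Running it without `IPTABLES` set prints the 18 commands for review; diffing that output against `iptables-save` after applying is a quick way to confirm that each PREROUTING redirect has its FORWARD counterpart.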




More information about the redhat-list mailing list