Re: Help with Iptables on with RH linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James Marcinek wrote:
Stuart,

Thanks again.
you're welcome.
comments interspersed below.

I was thinking along the lines of the following but wanted to hear back
before implementing... Here's what I've been up too
I will add the FORWARD rules too! It looks like I'm getting closer:

iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT
--to-dest 192.168.0.2
FTP? this is commmand-channel only. You may need to do interesting
things with ip_conntrack_ftp modules to permit the data transfers
through as well.

iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT
--to-dest 192.168.0.2
External access to rndc? Are you sure you wish to allow that? Normally
rndc is restricted to localhost.

iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
--to-dest 192.168.0.2

I assume one of these was meant to be tcp? Or did you just past a line
twice by mistake?
If it was supposed to be tcp, I have reservations about that too. tcp is
used for zone transfers. Unless you have backup nameservers on external
nets it is not required. If you do, you should only allow connections
from those specific hosts.

And the following forwarding rule:
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
... with the other rules following accordingly. This is what I've come
up with to implement. Can you let me know what you think about this one?

looks about right.

# INPUT chain rules
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
- -p ALL is probably redundant, but will do no harm.

[snip]
# Rules for incoming packets from the Internet
# Packets for established connections
iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state
ESTABLISHED,RELATED -j ACCEPT
looks fine.

# NOT SURE IF I NEED THIS AS IT'S AN INPUT???
# iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state
ESTABLISHED,RELATED -j ACCEPT
If all traffic into that IP address is to be either forwarded or dropped
I don't think that is needed either.


# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay

# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT

once again I have (admittedly personal) concerns about port 953.
Which is tcp-only anyway.
are you running a nameserver and smtp server on the firewall as well as
on the internal network? If not, why open 25/tcp, 53/udp, 953/tcp?

# ICMP rules

# FORWARD chain rules
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

fair enough

# - FORWARDS to server
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 953-j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i etho -d 192.168.0.2 -p udp --dport 953-j ACCEPT

# iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT
if you are going to do this, why bother with the specific ports above?
(or is this just a safety net for testing purposes?)

# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT

# NOT SURE IF THIS IS CORRECT OR NEEDED???
iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT
OUTPUT is the first chain that packets originating on your firewall will
traverse. Are you going to be creating packets that have that source
address?

# POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source
172.10.10.2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
SNAT rules look okay.

[snipped fullquoted text. please trim your posts a bit... ]

Kind Regards

Stuart
- --
Stuart Sears RHCA RHCX
Quit worrying about your health. It'll go away.
-- Robert Orben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEwkLnamPtx1brPQ4RAv7oAJwKijoDHxppSCK0kXNTr4/qfsKhTgCfaQST
9XyxCuyrSo/bJifrp0hNF1o=
=ThGW
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

Relevant Pages

  • Re: UPD better than TCP in streaming video/audio ?
    ... > UDP gains speed over TCP because it carries no information that would ... it doesn't even know that packets were lost. ... which is perfect for UDP. ... > Finally, there's the possibility of multicast data - for instance, a live ...
    (microsoft.public.win32.programmer.networks)
  • Re: Simulating smaller MTU? ie sending small packets.
    ... This is due to the fact that TCP ... If you want smaller packets, ... >> set there as the MSS is announced by the receiver during the ... Yes, per connection. ...
    (comp.lang.perl.misc)
  • Re: NTP and Firewall help needed.
    ... >port 123 for udp and tcp. ... Also the idea of combining rules for packets arriving at the local machine ... ACCEPT any and all traffic coming from the localhost interface ...
    (comp.os.linux.setup)
  • Re: Help with Iptables on with RH linux
    ... iptables -P OUTPUT DROP ... # PREROUTING chain rules ... # Rules for incoming packets from the Internet ... Just 2 IPs on eth0. ...
    (RedHat)
  • Re: 6.x, 4.x ipfw/dummynet pf/altq - network performance issues
    ... I'll be able to run some more basic tests tomorrow to see some results, but want to wrap my head around what's actually logically meant to be happening based on adjustments, etc. [I suspect this'll do nothing for the UDP issue, but at least I might be able to pipe some TCP traffic] ... Little packets with ip lengths of 28-29 bytes seem to do the most damage. ... UDP floods are much better handled - an ipfw block rule for the packet type and the machine responds as if there were no flood at all (until total bandwidth saturation or PPS limits of the hardware, which in this case was around 950Mbps). ...
    (freebsd-performance)