Re: Help with Iptables on with RH linux
- From: James Marcinek <jmarc1@xxxxxxxxxxxxxx>
- Date: Sat, 22 Jul 2006 12:06:42 -0400
You're the man Stuart. I reply next to your posts...

Thanks again.

Stuart Sears wrote:
> James Marcinek wrote:
>> Stuart,
> you're welcome.
> comments interspersed below.
>
>> I was thinking along the lines of the following but wanted to hear back
>> before implementing... Here's what I've been up to. I will add the
>> FORWARD rules too! It looks like I'm getting closer:
>>
>> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT
>> --to-dest 192.168.0.2
> FTP? this is command-channel only. You may need to do interesting
> things with ip_conntrack_ftp modules to permit the data transfers
> through as well.

I can actually live without the FTP forwarding (prefer it to the secure). I had copied and pasted a couple of items from my original rules and changed them to fit. I actually needed to get rid of my smtp forwarding too upon further review.

>> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT
>> --to-dest 192.168.0.2
> External access to rndc? Are you sure you wish to allow that? Normally
> rndc is restricted to localhost.

As a side note I am interested in knowing if (and what I need to do to have a server set up to get ntp traffic)...

If I don't need to keep this open I will certainly leave it out. However my /etc/services does show a udp port for it. If and what it does is another story I don't know off the top of my head. I think I had some problems with the server itself at one point and opened some ports (among the other things I did) to get it working with rndc.

>> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
>> --to-dest 192.168.0.2
>> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
>> --to-dest 192.168.0.2
> I assume one of these was meant to be tcp? Or did you just paste a line
> twice by mistake?
> If it was supposed to be tcp, I have reservations about that too. tcp is
> used for zone transfers. Unless you have backup nameservers on external
> nets it is not required. If you do, you should only allow connections
> from those specific hosts.

Well my one server wears many 'hats'. I already have the DNS rules (acl's) to handle external requests but I must have 2 DNS servers to take over the hosting of my domain. My other system is really doing a big load. Not sure what has to be open (off the top of my head) to handle this. It was another 'cut and paste' error to add the tcp ports. My previous rules did not have the tcp port open for it (for below excerpts). In reality I only really need 22, 443, 80 and 53 open for now...

>> And the following forwarding rule:
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
>> ... with the other rules following accordingly. This is what I've come
>> up with to implement. Can you let me know what you think about this one?
> looks about right.
>
>> # INPUT chain rules
>> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
> -p ALL is probably redundant, but will do no harm.
> [snip]
>> # Rules for incoming packets from the Internet
> looks fine.
>> # Packets for established connections
>> iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state ESTABLISHED,RELATED -j ACCEPT
>> # NOT SURE IF I NEED THIS AS IT'S AN INPUT???
>> # iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
> If all traffic into that IP address is to be either forwarded or dropped
> I don't think that is needed either.
>> # TCP rules
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j ACCEPT
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j ACCEPT
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j ACCEPT
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j ACCEPT
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j ACCEPT
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j ACCEPT
>> # UDP rules
>> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
>> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
>> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
>> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
> once again I have (admittedly personal) concerns about port 953.
> Which is tcp-only anyway.
> are you running a nameserver and smtp server on the firewall as well as
> on the internal network? If not, why open 25/tcp, 53/udp, 953/tcp?

You are correct. Again some cut and paste quickies. As mentioned before I would like to set this up as my DNS server for my domain. If I only need udp port 53 opened to accomplish this, that would be great.

I think this was a cut from your email post that I had forgotten to comment out.

>> # ICMP rules
>> # FORWARD chain rules
>> iptables -A FORWARD -i eth1 -j ACCEPT
>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> fair enough
>> # - FORWARDS to server
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 443 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 21 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 22 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 953 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 993 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p udp --dport 53 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p udp --dport 953 -j ACCEPT
>> # iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT
> if you are going to do this, why bother with the specific ports above?
> (or is this just a safety net for testing purposes?)
>> # OUTPUT chain rules
>> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
>> iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
>> iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
>> # NOT SURE IF THIS IS CORRECT OR NEEDED???
>> iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT
> OUTPUT is the first chain that packets originating on your firewall will
> traverse. Are you going to be creating packets that have that source
> address?

My goal is any outbound traffic from my internal system (192.168.0.2) will go out with the real IP 172.10.10.2

>> # POSTROUTING
>> iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 172.10.10.2
>> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
> SNAT rules look okay.
>
> [snipped fullquoted text. please trim your posts a bit... ]
>
> Kind Regards
> Stuart
> --
> Stuart Sears RHCA RHCX
> Quit worrying about your health. It'll go away.
> -- Robert Orben
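A small lint that runs over a posted ruleset and reports the kinds of problems Stuart points out above: a pasted line repeated, the rndc port reachable from the outside, a DNAT with no matching FORWARD accept, and mistyped targets or interface names. This is an added example, not code from either poster; the sample rules are a constructed subset of the thread's ruleset with its typos kept, and the interface, target and local-only port sets are assumptions.

```python
from collections import Counter

# Constructed sample: a subset of the ruleset posted in the thread, with its
# typos left in so the checks below have something to find.
RULES = """\
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT --to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT --to-dest 192.168.0.2
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i etho -d 192.168.0.2 -p udp --dport 953 -j ACCEPT
"""
TARGETS = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "LOG", "RETURN"}
IFACES = {"eth0", "eth1", "lo"}   # assumed: interfaces present on the firewall
EXTERNAL = "eth0"                 # assumed: the Internet-facing interface
LOCAL_ONLY = {"953"}              # rndc is normally restricted to localhost
ALIAS = {"--destination-port": "--dport", "--to-dest": "--to-destination"}

def parse(line):
    """Turn one iptables command line into a dict of option -> value."""
    toks = [ALIAS.get(t, t) for t in line.split()[1:]]
    opts = {}
    for i, t in enumerate(toks):
        if t.startswith("-"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            opts[t] = nxt if nxt and not nxt.startswith("-") else True
    opts["-p"] = str(opts.get("-p", "")).lower()   # "TCP" and "tcp" are the same
    return opts

def lint(text):
    """Return a list of findings for the issues raised in the thread."""
    lines = [l for l in text.splitlines() if l.strip()]
    findings = [f"duplicate rule: {l}" for l, n in Counter(lines).items() if n > 1]
    rules = [parse(l) for l in dict.fromkeys(lines)]   # unique, order kept
    fwd = [r for r in rules if r.get("-A") == "FORWARD"]
    for r in rules:
        port = r.get("--dport")   # PREROUTING or external-interface rules face the Internet
        if r.get("-j") not in TARGETS:
            findings.append(f"unknown target {r.get('-j')!r}")
        if r.get("-i") not in (None, *IFACES):
            findings.append(f"unknown interface {r['-i']!r}")
        if port in LOCAL_ONLY and (r.get("-i") == EXTERNAL or r.get("-A") == "PREROUTING"):
            findings.append(f"port {port}/{r['-p']} exposed in {r['-A']}")
        if r.get("-j") == "DNAT" and not any(   # DNAT needs a FORWARD accept to the mapped host
                f["-p"] == r["-p"] and f.get("--dport") == port
                and f.get("-d") == r.get("--to-destination") and f.get("-i") in IFACES
                for f in fwd):
            findings.append(f"DNAT {port}/{r['-p']} has no matching FORWARD accept")
    return findings
```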