WEB server



Hi all,

I am hosting a webservices to the public, the webserver got 2x interfaces;
one pointing to my network LAN (10.x.x.x)
and the other one connecting to the DMZ 192.168.10.x of the PIX.

Inside PIX I blocked every protocol except WWW and DNS.
From inside the LAN I did the following rules to allow outgoing ssh, Oracle
ports, www, ... from the private network.
I want to add more rules via iptableas to _protect_ my internal LAN from the
public packets. i.e
to block any forwarded packets to my internal lan.



Routing table of the web server:
------------------------------------------------
Destination Gateway Genmask Iface
10.5.0.0 0.0.0.0 255.255.0.0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 eth1
192.168.0.0 0.0.0.0 255.255.0.0 eth1
10.0.0.0 10.5.0.1 255.0.0.0 eth0
0.0.0.0 192.168.10.1 0.0.0.0 eth1

IPTABLES
----------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp
dpt:1521
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited


--
madunix
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list



Relevant Pages

  • Re: RH Fedora as my gateway
    ... > Turn off the FW till you get LAN connected properly. ... > RH gw or the gw listed in route table? ... >> Chain FORWARD (policy DROP) ...
    (comp.os.linux.networking)
  • Re: iptables and vpn...
    ... Don't you allow all the traffic to go out from your lan? ... global policy you set: if policy to drop all then setup to allow rule in ... prerouting chain and the also in forward chain for 1723 port and protocol 47 ... > I have a Linux machine which is connected to the internet. ...
    (comp.security.firewalls)
  • problem with dmz firewall script - cant connect to inet via plan
    ... Everything is fine but I can not access the internet from my private ... I have a dmz and seperate trusted private lan multihomed on the ... # Create chain for bad tcp packets ...
    (comp.os.linux.security)
  • Re: problem with dmz firewall script - cant connect to inet via plan
    ... > can anyone tell me why my firewall script is not working correctly. ... I have a dmz and seperate trusted private lan multihomed on the ... > # Create chain for bad tcp packets ...
    (comp.os.linux.security)
  • Netscreen policies using domain names - having problems
    ... This device is a bit of overkill for my needs, but the lan to lan VPN ... I create the policy that allows the kids' computer access to sites ...
    (comp.security.firewalls)