WEB server



Hi all,

I am hosting web services to the public; the web server has two interfaces:
one pointing to my network LAN (10.x.x.x)
and the other one connecting to the DMZ 192.168.10.x of the PIX.

Inside the PIX I blocked every protocol except WWW and DNS.
From inside the LAN I set the following rules to allow outgoing ssh, Oracle
ports, www, ... from the private network.
I want to add more rules via iptables to _protect_ my internal LAN from the
public packets, i.e.
to block any forwarded packets to my internal LAN.



Routing table of the web server:
------------------------------------------------
Destination   Gateway       Genmask         Iface
10.5.0.0      0.0.0.0       255.255.0.0     eth0
169.254.0.0   0.0.0.0       255.255.0.0     eth1
192.168.0.0   0.0.0.0       255.255.0.0     eth1
10.0.0.0      10.5.0.1      255.0.0.0       eth0
0.0.0.0       192.168.10.1  0.0.0.0         eth1

IPTABLES
----------------
Chain INPUT (policy ACCEPT)
target               prot        opt  source     destination
RH-Firewall-1-INPUT  all         --   anywhere   anywhere

Chain FORWARD (policy ACCEPT)
target               prot        opt  source     destination
RH-Firewall-1-INPUT  all         --   anywhere   anywhere

Chain OUTPUT (policy ACCEPT)
target               prot        opt  source     destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot        opt  source     destination
ACCEPT               all         --   anywhere   anywhere
ACCEPT               all         --   anywhere   anywhere
ACCEPT               icmp        --   anywhere   anywhere      icmp any
ACCEPT               ipv6-crypt  --   anywhere   anywhere
ACCEPT               ipv6-auth   --   anywhere   anywhere
ACCEPT               udp         --   anywhere   224.0.0.251   udp dpt:5353
ACCEPT               udp         --   anywhere   anywhere      udp dpt:ipp
ACCEPT               all         --   anywhere   anywhere      state RELATED,ESTABLISHED
ACCEPT               tcp         --   anywhere   anywhere      state NEW tcp dpt:http
ACCEPT               tcp         --   anywhere   anywhere      state NEW tcp dpt:https
ACCEPT               tcp         --   anywhere   anywhere      state NEW tcp dpt:ftp
ACCEPT               tcp         --   anywhere   anywhere      state NEW tcp dpt:ssh
ACCEPT               tcp         --   anywhere   anywhere      state NEW tcp dpt:smtp
ACCEPT               tcp         --   anywhere   anywhere      state NEW tcp dpt:1521
REJECT               all         --   anywhere   anywhere      reject-with icmp-host-prohibited


--
madunix
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
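A worked rule set for the setup above, added here as an example; it is not part of madunix's post. The listing shows why the LAN is exposed: FORWARD has policy ACCEPT and jumps to the same RH-Firewall-1-INPUT chain as INPUT, so if IP forwarding is enabled on this box, a packet arriving on the DMZ leg for a LAN host on ssh, 1521 or any other port that chain accepts would be routed into 10.0.0.0/8. The script below turns forwarding off, gives FORWARD a DROP policy with an explicit, logged drop for DMZ-to-LAN traffic, and (a caveat the post does not cover) also refuses ftp, ssh, smtp and 1521 on the DMZ interface of the host itself, because a compromised web server has a direct leg into the LAN that no FORWARD rule can protect; the PIX already limits what reaches the DMZ, so this is defence in depth rather than the primary control. The interface names eth0/eth1 and the 10.0.0.0/8 prefix are read from the routing table above; everything else (the script, its function names, the rp_filter setting) is an assumption. Run it without arguments to print the rules, or with `apply` as root to install them.

```shell
#!/bin/sh
# Added example (not from the original post): lock down the forwarding path of a
# dual-homed web server so that nothing arriving on the DMZ leg is routed into the LAN.
# Assumptions taken from the post's routing table: eth0 faces the LAN (10.0.0.0/8 via
# 10.5.0.1) and eth1 faces the PIX DMZ (192.168.0.0/16). Override via the environment.
LAN_IF=${LAN_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/8}

# Kernel side: the host is a web server, not a router, so refuse to forward at all and
# discard packets whose source address does not belong on the interface they arrived on.
sysctl_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.rp_filter=1
EOF
}

# Netfilter side: set the policy to DROP before flushing so there is no window with
# policy ACCEPT and an empty chain; the flush removes the jump to RH-Firewall-1-INPUT,
# whose per-service ACCEPTs would otherwise also apply to forwarded packets.
# DMZ->LAN attempts are logged and dropped explicitly so the rule survives a later
# policy change back to ACCEPT.
forward_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i $DMZ_IF -d $LAN_NET -j LOG --log-prefix "FWD-DMZ-TO-LAN: "
iptables -A FORWARD -i $DMZ_IF -d $LAN_NET -j DROP
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
EOF
}

# Host side: management and database ports must only be reachable over the LAN leg.
# Inserted at the top of the existing chain so they take precedence over its ACCEPTs.
input_rules() {
    for port in 21 22 25 1521; do
        echo "iptables -I RH-Firewall-1-INPUT -i $DMZ_IF -p tcp --dport $port -j DROP"
    done
}

# Print the full rule set in the order it should be applied (review before applying).
show_rules() {
    sysctl_rules
    forward_rules
    input_rules
}

# Apply the rule set; each command is executed by sh -e, so the first failure aborts.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    show_rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     show_rules ;;
esac
```

The rules are emitted as text and only executed by `apply_rules`, so the set can be diffed against the live tables (`iptables -L FORWARD -v -n`) before anything changes, and the LOG rule gives a kernel-log line to watch for on the DMZ leg after the change.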