Help an IPTABLES neophyte please

Waldher, Travis R Travis.R.Waldher at boeing.com
Fri May 9 21:00:45 UTC 2008


> -----Original Message-----
> From: Rick Stevens [mailto:ricks at nerd.com]
> Sent: Friday, May 09, 2008 9:54 AM
> To: Getting started with Red Hat Linux
> Subject: Re: Help an IPTABLES neophyte please

<snip>

> 
> You didn't say which NICs are on the external and which are on the
> internal (and I see 3 NICS in your ruleset).  However, assuming eth0 is
> the external and eth1 and eth2 are the internal, then
> 
> # Permit incoming and outgoing LDAP:// traffic on eth0...
> iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 389 -m state --state \
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --sport 389 -m state --state \
> NEW -j ACCEPT
> # Permit incoming and outgoing LDAPS:// traffic on eth0...
> iptables -A INPUT -i eth0 -s 0/0 -p tcp --sport 636 -m state --state \
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --sport 636 -m state --state \
> NEW -j ACCEPT
> 
> Should be a good basis to start with.  
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                       rps2 at nerd.com -
> - Hosting Consulting, Inc.                                           -
> -                                                                    -
> -           Blech!  ACKth!  Ooop!  -- Bill the Cat (Outland)         -
> ----------------------------------------------------------------------

Okay, I finally got that working.

# Allow outbound LDAP
## Permit incoming and outgoing LDAP:// traffic on eth0...
iptables -A INPUT -i eth0 -s 0/0 -p tcp --sport 389 --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --sport 1024:65535 --dport 389 \
    -m state --state NEW,ESTABLISHED -j ACCEPT

There was no talking on 636, so I was going to leave that closed off
unless there is a good reason to open it.

Next step, forwarding LDAP requests over eth1 or eth2 going out eth0.
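An added example, not code from either post in this thread, showing the two halves the thread gets at: the host's own outbound LDAP/LDAPS client rules on the external NIC, and the FORWARD rules that let hosts behind eth1 or eth2 reach an LDAP server out eth0. The interface names, the internal subnets and the choice to masquerade are assumptions. IPT defaults to `echo iptables`, so running the script only prints the rules; set IPT=iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the rule set by default;
# IPT=iptables ./ldap-rules.sh applies it. eth0/eth1/eth2 and the
# subnets below are assumptions, not anything the original poster stated.
IPT="${IPT:-echo iptables}"
EXT="${EXT:-eth0}"          # assumed external NIC
LDAP_PORTS="389 636"        # LDAP and LDAPS

ldap_client_rules() {
    # This host talking to an LDAP server out $EXT (what the thread ended
    # with). The INPUT rule only admits packets conntrack already knows
    # about, so a remote host cannot get in merely by using source port 389.
    for p in $LDAP_PORTS; do
        $IPT -A OUTPUT -o "$EXT" -p tcp --dport "$p" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A INPUT -i "$EXT" -p tcp --sport "$p" \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

ldap_forward_rules() {
    # Hosts on internal NIC $1 (subnet $2, assumed) reaching LDAP servers
    # through $EXT. New connections are accepted only from the inside;
    # replies from outside must match an existing conntrack entry.
    int="$1"; net="${2:-0.0.0.0/0}"
    for p in $LDAP_PORTS; do
        $IPT -A FORWARD -i "$int" -o "$EXT" -s "$net" -p tcp --dport "$p" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    $IPT -A FORWARD -i "$EXT" -o "$int" -d "$net" -p tcp \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

nat_rules() {
    # Only needed if the internal subnets are private addresses that the
    # LDAP server cannot route back to (assumption).
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
}

ldap_client_rules
ldap_forward_rules eth1 192.168.1.0/24
ldap_forward_rules eth2 192.168.2.0/24
nat_rules
```

Two checks before relying on this: FORWARD rules do nothing until routing is switched on (`sysctl -w net.ipv4.ip_forward=1`), and they assume the FORWARD chain's policy is DROP, otherwise the ACCEPTs are redundant. Note also that the INPUT rules only restrict by state, so the `--dport 1024:65535` clause from the post above is not required for safety, though it does no harm. On current kernels `-m conntrack --ctstate` is the equivalent of the `-m state --state` syntax used here.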

More information about the Redhat-install-list mailing list