Help with iptables on RH Linux

James Marcinek jmarc1 at jemconsult.biz
Sat Jul 22 16:06:42 UTC 2006


You're the man, Stuart. I reply next to your posts...

Stuart Sears wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> James Marcinek wrote:
>> Stuart,
>>
>> Thanks again.
> you're welcome.
> comments interspersed below.
>
>> I was thinking along the lines of the following but wanted to hear back 
>> before implementing... Here's what I've been up to.
>> I will add the FORWARD rules too! It looks like I'm getting closer:
>
>> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT
>> --to-dest 192.168.0.2
> FTP? this is command-channel only. You may need to do interesting
> things with ip_conntrack_ftp modules to permit the data transfers
> through as well.
I can actually live without the FTP forwarding (prefer it to the 
secure). I had copied and pasted a couple of items from my original 
rules and changed them to fit. I actually needed to get rid of my smtp 
forwarding too upon further review.

>
>> iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT
>> --to-dest 192.168.0.2
> External access to rndc? Are you sure you wish to allow that? Normally
> rndc is restricted to localhost.
Well my one server wears many 'hats'. I already have the DNS rules 
(acl's) to handle external requests but I must have 2 DNS servers to 
take over the hosting of my domain. My other system is really doing a 
big load. Not sure what has to be open (off the top of my head) to 
handle this. It was another 'cut and paste' error to add the tcp ports. 
My previous rules did not have the tcp port open for it (for the below 
excerpts). In reality I only really need 22, 443, 80 and 53 open for now...

As a side note, I am interested in knowing if (and what I need to do to) 
have a server set up to get NTP traffic...
>
>> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
>> --to-dest 192.168.0.2
>> iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT
>> --to-dest 192.168.0.2
>
> I assume one of these was meant to be tcp? Or did you just paste a line
> twice by mistake?
> If it was supposed to be tcp, I have reservations about that too. tcp is
> used for zone transfers. Unless you have backup nameservers on external
> nets it is not required. If you do, you should only allow connections
> from those specific hosts.
>
>> And the following forwarding rule:
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
>> ... with the other rules following accordingly.  This is what I've come
>> up with to implement. Can you let me know what you think about this one?
>
> looks about right.
>
>> # INPUT chain rules
>> iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
> - -p ALL is probably redundant, but will do no harm.
>
> [snip]
>> # Rules for incoming packets from the Internet
>> # Packets for established connections
>> iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state
>> ESTABLISHED,RELATED -j ACCEPT
> looks fine.
>
>> # NOT SURE IF I NEED THIS AS IT'S AN INPUT???
>> # iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state
>> ESTABLISHED,RELATED -j ACCEPT
> If all traffic into that IP address is to be either forwarded or dropped
> I don't think that is needed either.
>
>
>> # TCP rules
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
>> iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay
>
>> # UDP rules
>> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
>> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
>> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
>> iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT
>
> once again I have (admittedly personal) concerns about port 953.
> Which is tcp-only anyway.
If I don't need to keep this open I will certainly leave it out. However 
my /etc/services does show a udp port for it. If and what it does is 
another story I don't know off the top of my head. I think I had some 
problems with the server itself at one point and opened some ports 
(among the other things I did) to get it working with rndc.
> are you running a nameserver and smtp server on the firewall as well as
> on the internal network? If not, why open 25/tcp, 53/udp, 953/tcp?

You are correct. Again some cut and paste quickies. As mentioned before, 
I would like to set this up as my DNS server for my domain. If I only 
need UDP port 53 opened to accomplish this, that would be great.
>
>> # ICMP rules
>>
>> # FORWARD chain rules
>> iptables -A FORWARD -i eth1 -j ACCEPT
>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> fair enough
>
>> # - FORWARDS to server
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 443 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 21 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 22 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 953 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 993 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p udp --dport 53 -j ACCEPT
>> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p udp --dport 953 -j ACCEPT
>
>> # iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT
> if you are going to do this, why bother with the specific ports above?
> (or is this just a safety net for testing purposes?)
I think this was a cut from your email post that I had forgotten to 
comment out.
>
>> # OUTPUT chain rules
>> iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
>> iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
>> iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT
>
>> # NOT SURE IF THIS IS CORRECT OR NEEDED???
>> iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT
> OUTPUT is the first chain that packets originating on your firewall will
> traverse. Are you going to be creating packets that have that source
> address?
My goal is that any outbound traffic from my internal system (192.168.0.2) 
will go out with the real IP 172.10.10.2.
>
>> # POSTROUTING
>> iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source
>> 172.10.10.2
>> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1
> SNAT rules look okay.
>
> [snipped fullquoted text. please trim your posts a bit... ]
>
> Kind Regards
>
> Stuart
> - --
> Stuart Sears RHCA RHCX
> Quit worrying about your health.  It'll go away.
> 		-- Robert Orben
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFEwkLnamPtx1brPQ4RAv7oAJwKijoDHxppSCK0kXNTr4/qfsKhTgCfaQST
> 9XyxCuyrSo/bJifrp0hNF1o=
> =ThGW
> -----END PGP SIGNATURE-----
>
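The ruleset the thread converges on, written out as an added example (this is not code from either poster): a dry-run generator that emits the trimmed set of rules (22, 80, 443 tcp and 53 udp to the inner server; no 21, 25 or 953 from the outside; rndc left on localhost), emitting each DNAT rule together with its FORWARD rule so the two cannot drift apart, plus a check that reads the emitted rules back and flags any DNAT port that has no matching FORWARD ACCEPT, which is exactly the failure mode where PREROUTING rewrites the packet and the FORWARD policy then drops it. Addresses, interfaces and ports are the thread's; the variable names, the defaults, the check itself and the host:port remap handling are assumptions of this example. By default it prints the commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run generator for the
# port-forwarding ruleset under discussion plus a consistency check.
# Addresses, interfaces and ports are the thread's; variable names, the
# defaults and the check are assumptions of this example.
# Prints "iptables ..." commands by default; run as root with IPT=iptables
# to apply them.

IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"            # Internet-facing interface
INT_IF="${INT_IF:-eth1}"            # LAN interface
FW_EXT="${FW_EXT:-172.10.10.1}"     # firewall's own public address
SRV_EXT="${SRV_EXT:-172.10.10.2}"   # public address mapped to the inner server
SRV_INT="${SRV_INT:-192.168.0.2}"   # inner server
LAN="${LAN:-192.168.0.0/24}"
TCP_FWD="${TCP_FWD:-22 80 443}"     # only what is needed: no 21, 25 or 953
UDP_FWD="${UDP_FWD:-53}"

fw_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # INPUT: loopback, LAN, replies to the firewall's own connections, ssh.
    # Nothing for 953/tcp: rndc stays bound to localhost.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -d "$FW_EXT" -p tcp --dport 22 -j ACCEPT

    # FORWARD: state rule first, so each published port needs one NEW rule.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT

    # DNAT runs in PREROUTING before FORWARD, so the FORWARD rule matches the
    # internal address. Emit both rules together so they cannot drift apart.
    for p in $TCP_FWD; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$SRV_EXT" -p tcp --dport "$p" \
            -j DNAT --to-destination "$SRV_INT"
        $IPT -A FORWARD -i "$EXT_IF" -d "$SRV_INT" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    for p in $UDP_FWD; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$SRV_EXT" -p udp --dport "$p" \
            -j DNAT --to-destination "$SRV_INT"
        $IPT -A FORWARD -i "$EXT_IF" -d "$SRV_INT" -p udp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    # FTP deliberately not published: its data channel would also need the
    # ip_conntrack_ftp and ip_nat_ftp helpers loaded.

    # SNAT: the inner server leaves as its own public address, the rest of
    # the LAN as the firewall's. The more specific rule must come first.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$SRV_INT" -j SNAT --to-source "$SRV_EXT"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$FW_EXT"
}

# Reads "iptables ..." lines on stdin and reports every DNAT rule that has no
# FORWARD ACCEPT for the same proto/port/destination, honouring a port remap
# given as --to-destination host:port. Exit status 1 if anything is uncovered.
check_dnat_coverage() {
    awk '
    {
        chain = proto = port = dest = target = todest = ""
        for (i = 1; i <= NF; i++) {
            if      ($i == "-A")               chain  = $(i + 1)
            else if ($i == "-p")               proto  = $(i + 1)
            else if ($i == "--dport")          port   = $(i + 1)
            else if ($i == "-d")               dest   = $(i + 1)
            else if ($i == "-j")               target = $(i + 1)
            else if ($i == "--to-destination") todest = $(i + 1)
        }
        if (chain == "FORWARD" && target == "ACCEPT" && port != "")
            fwd[proto "/" port "->" dest] = 1
        if (target == "DNAT") {
            n = split(todest, a, ":")
            dnat[proto "/" (n > 1 ? a[2] : port) "->" a[1]] = 1
        }
    }
    END {
        bad = 0
        for (k in dnat) if (!(k in fwd)) { print "uncovered DNAT: " k; bad++ }
        exit (bad > 0)
    }'
}

# Refuse to apply anything the check does not like; always check the dry run.
(IPT="echo iptables"; fw_rules) | check_dnat_coverage || exit 1
fw_rules
```

Feeding the generator's own output through the check is the point: with the rules generated in pairs it passes, and a hand-edited set with a stray DNAT (the thread's 21 or 953 lines, say) is reported before anything is loaded into the kernel.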