Red Hat Networking archive, January 2004
iptables / firewall question
please help I am trying to set up a firewall on my REDHAT 9 2.4.20-8
kernel box
I am trying to use iptables but am struggling with the basics! sorry.
my linux router has one ppp0 interface (adsl dialup) and eth1
192.168.0.10 (eth0 is disabled for the time being). all I'm trying to do
is disable all connections and then slowly add and test the ip
ports/settings as necessary and have fallen at the first hurdle.
I have two scripts which I am running manually.
my first script clears all default rules
================================================================
/sbin/iptables -F #flushes the filter table
/sbin/iptables -t nat -F #flushes nat table
/sbin/iptables -t mangle -F #flushes mangle table
/sbin/iptables --delete-chain #deletes all user-defined chains in the filter table
/sbin/iptables -t nat --delete-chain #deletes all user-defined chains in the nat table
/sbin/iptables -t mangle --delete-chain #deletes all user-defined chains in the mangle table
================================================================
my second is trying to allow me to ssh to my box from my local LAN and be
able to ping it from my internal network. Both actions need to be
disabled from the internet for obvious reasons.
================================================================
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
#first attempt allow ssh from internal network
/sbin/iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 22 -j ACCEPT
#allow previous connections
#/sbin/iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#second attempt to allow ssh
#/sbin/iptables -A INPUT -p tcp -i eth1 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
#/sbin/iptables -A INPUT -s 192.168.0.0/24 -p udp --sport 22 -j ACCEPT
#loopback
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#icmp
/sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT
================================================================
can someone please point me in the right direction, thank you in advance
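The second script above sets policy OUTPUT DROP with no ESTABLISHED,RELATED rule, so ssh and ping replies can never leave the box, and its ICMP rules point the wrong way for being pinged (INPUT must accept echo-request); the script below is an added, corrected version written for this page, not code from the thread or from either reply. It assumes the LAN is 192.168.0.0/24 on eth1 and ppp0 faces the Internet, and it prints the rules as a dry run unless run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: LAN 192.168.0.0/24 on
# eth1, Internet on ppp0, nothing forwarded (FORWARD stays DROP).
# Dry run by default; "apply" as root loads the rules. IPT=echo also dry-runs.
set -eu

IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# One iptables argument list per line, in load order. Policies go to DROP
# before the flush so the box is never open while the old rules are gone;
# an existing ssh session survives because conntrack entries are not flushed.
fw_rules() {
    cat <<EOF
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-F
-X
-t nat -F
-t nat -X
-t mangle -F
-t mangle -X
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
EOF
}
# Notes on the rules: the ESTABLISHED,RELATED pair lets ssh and echo replies
# out under OUTPUT DROP; matching on -i eth1 as well as -s means a packet on
# ppp0 with a faked LAN source address does not match; udp/22 is not needed.

# Feed every line of fw_rules to $IPT; splitting $line into words is intended.
fw_apply() {
    fw_rules | while read -r line; do
        # shellcheck disable=SC2086
        $IPT $line
    done
}

if [ "${1:-}" = "apply" ]; then
    fw_apply
else
    echo "dry run: rerun as root with the argument 'apply' to load the rules" >&2
    IPT=echo fw_apply
fi
```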
Dave Griffiths 2004-01-23, 7:47 pm
On Sat, 18 Oct 2003 14:47:03 +0100, Paul wrote:
> please help I am trying to set up a firewall on my REDHAT 9 2.4.20-8
> kernel box
>
> I am trying to use iptables but am struggling with the basics! sorry.
>
> my linux router has one ppp0 interface (adsl dialup) and eth1
> 192.168.0.10 (eth0 is disabled for the time being). all I'm trying to do
> is disable all connections and then slowly add and test the ip
> ports/settings as necessary and have fallen at the first hurdle.
>
> I have two scripts which I am running manually.
>
> my first script clears all default rules
> ================================================================
> /sbin/iptables -F #flushes the filter table
> /sbin/iptables -t nat -F #flushes nat table
> /sbin/iptables -t mangle -F #flushes mangle table
>
> /sbin/iptables --delete-chain #deletes all user-defined chains in the filter table
> /sbin/iptables -t nat --delete-chain #deletes all user-defined chains in the nat table
> /sbin/iptables -t mangle --delete-chain #deletes all user-defined chains in the mangle table
> ================================================================
>
> my second is trying to allow me to ssh to my box from my local LAN and be
> able to ping it from my internal network. Both actions need to be
> disabled from the internet for obvious reasons.
>
> ================================================================
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT DROP
> /sbin/iptables -P FORWARD DROP
>
> #first attempt allow ssh from internal network
> /sbin/iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
> /sbin/iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 22 -j ACCEPT
>
> #allow previous connections
> #/sbin/iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> #second attempt to allow ssh
> #/sbin/iptables -A INPUT -p tcp -i eth1 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
> #/sbin/iptables -A INPUT -s 192.168.0.0/24 -p udp --sport 22 -j ACCEPT
>
> #loopback
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
>
> #icmp
> /sbin/iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
> /sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
> /sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
> /sbin/iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT
> ================================================================
>
> can someone please point me in the right direction, thank you in advance
Have you edited /etc/sysconfig/network?
NETWORKING=yes
HOSTNAME=localhost.localdomain
#DOMAINNAME=
#GATEWAY=
GATEWAYDEV=ppp0
You also need to set net.ipv4.ip_forward = 1 in /etc/sysctl.conf (by
default it is set to 0).
see the thread "I succeeded in setting up a RH9 box" etcetera
frgr
Erik