To run a fully functional 7.3 firewall, these are the only modules I ever load:
/sbin/insmod ip_conntrack
/sbin/insmod ip_conntrack_ftp
/sbin/insmod ip_nat_ftp
And of those, I think I only really need the last one to make FTP work more smoothly.
My script (/etc/rc.d/rc.firewall) looks like this, with the comments that came with it... You'll notice some forwarding and some accepting in there. This is for a DHCP cable-modem setup with internal DHCP as well.
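#!/bin/sh
# /etc/rc.d/rc.firewall
#
# Builds the packet-filter and NAT rule set for a two-interface gateway:
#   $EXT_IF  - external (upstream) interface; outbound traffic is masqueraded
#   $INT_IF  - internal LAN interface; treated as fully trusted
#
# Every table is flushed and rebuilt on each run, so the script can be
# re-run after editing.  It must run as root (iptables and /proc writes).
#
# Interface names may be overridden from the environment, e.g.
#   EXT_IF=ppp0 /etc/rc.d/rc.firewall
# The defaults keep the original eth0 (external) / eth1 (internal) layout.
IPTABLES="/sbin/iptables"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"

# Internal hosts that receive port-forwarded traffic.
VPN_ADDRESS="10.0.0.5"   # not referenced by any active rule; kept for reference
WIN_ADDRESS="10.0.0.5"   # Windows box: VNC on 5800/5900
VNC_ADDRESS="10.0.0.100" # Linux box: VNC displays 5801-5810 / 5901-5910
LOCAL_IP="10.0.0.1"      # this gateway's LAN address (only used in commented examples)
FTP_IP="10.0.0.100"
WEB_IP="10.0.0.100"

# Refuse to continue without iptables.  Otherwise the script would still
# enable ip_forward below and the box would route with no filtering at all.
if [ ! -x "$IPTABLES" ]; then
  echo "rc.firewall: $IPTABLES not found or not executable" >&2
  exit 1
fi

#Time to clean house
#Clear out any existing firewall rules, and any chains that might have
#been created
"$IPTABLES" -F
"$IPTABLES" -F INPUT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -F FORWARD
"$IPTABLES" -F -t mangle
"$IPTABLES" -F -t nat
"$IPTABLES" -X

#Setup our policies
#INPUT is default-deny; everything the gateway itself accepts is listed
#explicitly further down.
#NOTE: FORWARD is ACCEPT, so every DNAT rule in the nat table below is
#reachable with no further filtering, and so is anything else the upstream
#delivers with an internal destination address.  Tighten this chain if the
#LAN must be restricted to the forwarded ports only.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward

#Our actual rules
#Our NAT stuff
#Source NAT everything heading out the external interface to be the
#given IP. If you have a dynamic ip or a DHCP ip that changes
#semi-regularly, comment this and uncomment the second line
#
#Remember to change the ip address to your static ip
#
#"$IPTABLES" -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to 1.2.3.4
"$IPTABLES" -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

#These are port-forwarding examples for several different cases.
#These map the specified ports to the specified ip address.
#
#Anything arriving on the external interface for port 80 (and 8000/8001)
#is redirected invisibly to the same port on $WEB_IP; 20/21 go to $FTP_IP.
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to "$WEB_IP"
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 8000 -j DNAT --to "$WEB_IP"
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 8001 -j DNAT --to "$WEB_IP"
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 20 -j DNAT --to "$FTP_IP"
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 21 -j DNAT --to "$FTP_IP"

#These two redirect a block of ports, in both udp and tcp.
#"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 2300:2400 -j DNAT --to 192.168.1.1
#"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 2300:2400 -j DNAT --to 192.168.1.1

# Dynamic VPN stuff - pg
# Masquerade outbound GRE (IP protocol 47) separately from the TCP/UDP rule above.
"$IPTABLES" -t nat -A POSTROUTING -o "$EXT_IF" -p 47 -j MASQUERADE

# VNC stuff - pg
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 5800 -j DNAT --to "$WIN_ADDRESS"
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 5800 -j DNAT --to "$WIN_ADDRESS"
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 5900 -j DNAT --to "$WIN_ADDRESS"
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 5900 -j DNAT --to "$WIN_ADDRESS"

# linux VNC - pg
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 5801:5810 -j DNAT --to "$VNC_ADDRESS"
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 5801:5810 -j DNAT --to "$VNC_ADDRESS"
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 5901:5910 -j DNAT --to "$VNC_ADDRESS"
"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 5901:5910 -j DNAT --to "$VNC_ADDRESS"
#"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 5801 -j DNAT --to "$LOCAL_IP"
#"$IPTABLES" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 5901 -j DNAT --to "$LOCAL_IP"

#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
"$IPTABLES" -N firewall
"$IPTABLES" -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
"$IPTABLES" -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
"$IPTABLES" -N dropwall
"$IPTABLES" -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
"$IPTABLES" -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
"$IPTABLES" -N badflags
"$IPTABLES" -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
"$IPTABLES" -A badflags -j DROP

#And our silent chain: drops without logging
"$IPTABLES" -N silent
"$IPTABLES" -A silent -j DROP

#Accept ourselves (loopback interface), 'cause we're all warm and friendly
"$IPTABLES" -A INPUT -i lo -j ACCEPT

#Allow anything from inside the firewall to do anything to anyone else
#inside... better the devil you know....
#NOTE: this trusts every host on the LAN interface unconditionally.
"$IPTABLES" -A INPUT -p all -i "$INT_IF" -j ACCEPT

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through:
#echo-reply (0), destination-unreachable (3) and time-exceeded (11) are
#accepted; echo-request (8) is accepted at most once per second; anything
#else is logged and dropped by the firewall chain.
"$IPTABLES" -A INPUT -p icmp --icmp-type 0 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 3 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 11 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
"$IPTABLES" -A INPUT -p icmp -j firewall

#Accept SSH connections from everywhere.
#This rule is active: port 22 on the gateway is reachable from the
#outside world. Comment it out if you don't run SSH or don't want that.
#
"$IPTABLES" -A INPUT -i "$EXT_IF" -d 0/0 -p tcp --dport 22 -j ACCEPT

# web server - pg
#"$IPTABLES" -A INPUT -i "$EXT_IF" -d 0/0 -p tcp --dport 80 -j ACCEPT
# ftp - pg
#"$IPTABLES" -A INPUT -i "$EXT_IF" -d 0/0 -p tcp --dport 20 -j ACCEPT
#"$IPTABLES" -A INPUT -i "$EXT_IF" -d 0/0 -p tcp --dport 21 -j ACCEPT
# VNC - pg
#"$IPTABLES" -A INPUT -i "$EXT_IF" -d 0/0 -p tcp --dport 5801:5810 -j ACCEPT
#"$IPTABLES" -A INPUT -i "$EXT_IF" -d 0/0 -p tcp --dport 5901:5910 -j ACCEPT
#"$IPTABLES" -A INPUT -i "$EXT_IF" -d 0/0 -p udp --dport 5801:5810 -j ACCEPT
#"$IPTABLES" -A INPUT -i "$EXT_IF" -d 0/0 -p udp --dport 5901:5910 -j ACCEPT

#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
"$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Drop port 137 netbios packets silently (this rule is active). We don't
#like that netbios stuff, and it's way too spammy with windows machines
#on the network.
# This should be ok, most windows sharing is done over port 139 (i think) - pg
"$IPTABLES" -A INPUT -p udp --sport 137 --dport 137 -j silent

#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
"$IPTABLES" -A INPUT -j dropwall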