Re: Help with Iptables on with RH linux

[James Marcinek <jmarc1@xxxxxxxxxxxxxx>]

Stuart,

Thanks again.

I was thinking along the lines of the following but wanted to hear back  
before implementing... Here's what I've been up too
I will add the FORWARD rules too! It looks like I'm getting closer:

iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 443 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 22 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 25 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 993 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT 
--to-dest 192.168.0.2

And the following forwarding rule:

iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT

... with the other rules following accordingly.  This is what I've come 
up with to implement. Can you let me know what you think about this one?

# First drop everything (lets you open what you want)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# PREROUTING chain rules
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 80 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 443 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 21 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 22 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 25 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 953 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p tcp --dport 993 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT 
--to-dest 192.168.0.2
iptables -t nat -A PREROUTING -d 172.10.10.2 -p udp --dport 53 -j DNAT 
--to-dest 192.168.0.2

# User-defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# INPUT chain rules
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 172.10.10.2 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d 192.168.0.255 -j ACCEPT

# Rules for incoming packets from the Internet

# Packets for established connections
iptables -A INPUT -p ALL -d 172.10.10.1 -m state --state 
ESTABLISHED,RELATED -j ACCEPT

# NOT SURE IF I NEED THIS AS IT'S AN INPUT???
# iptables -A INPUT -p ALL -d 172.10.10.2 -m state --state 
ESTABLISHED,RELATED -j ACCEPT

# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 443 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 953 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 993 -j okay

# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 953 -j ACCEPT

# ICMP rules

# FORWARD chain rules
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# - FORWARDS to server
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 953-j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i etho -d 192.168.0.2 -p udp --dport 953-j ACCEPT

# iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT

# OUTPUT chain rules
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 172.10.10.1 -j ACCEPT

# NOT SURE IF THIS IS CORRECT OR NEEDED???
iptables -A OUTPUT -p ALL -s 172.10.10.2 -j ACCEPT

# POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.2 -j SNAT --to-source 
172.10.10.2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.10.10.1


Thanks again for the feedback. I really appreciate it.

Thanks,

James

P.S. let me know if the width is still a problem I think I fixed it.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> James Marcinek wrote:
> [other stuff snipped]
> /me wrote this:
> > iptables -A FORWARD -i eth0 -d 192.168.0.2 -j ACCEPT does it suddenly
> > start working?
> James wrote this:
> > > Ok, now this is where I'm losing you a little. My server has
> > > several ports that it listens... Any internal established
> > > connections from my traffic from my internal NIC (eth1), as well as
> > > any established connections are OK. The IP address eth0:0 is what
> > > is listening to the IP address. Shouldn't it be from that? Also
> > > when I tried using the eth0:0 I recieved an error indicating that
> > > 'aliases' could not be used so I have to specify -d versus the -i
> > > (eth0:0). then how would this work. I'm trying to interpret the
> > > command... Will this substitute the IP address of 172.x.x.2 for the
> > > IP or will it use the IP address assigned to 172.x.x.1 (eth0).
>
> okay, let's see if I can make this clearer. Apologies if I am telling
> you stuff you already know.
>
> The -i  and -d switches refer to physical NICs. Not IP addresses.
> eth0:0 is merely a way of adding a second IP to the same physical
> interface and being able to bring that 2nd IP up/down at will.
> So packets hitting the virtual IP on eth0:0 really pass through the
> physical interface eth0, which is what netfilter will see.
> You can see a similar view of this using 'ip addr show'.
> which will have no reference to eth0:X at all. Just 2 IPs on eth0.
>
> - -i and -d are used for _directional_ filtering/natting.
>
> If you are dropping packets in the FORWARD chain, there are two rules
> needed to ensure that permitted traffic flows through your firewall:
>
> 1. The DNAT rule in PREROUTING.
>    without this in place the packets you wish to redirect to 192.168.0.2
>    will *never* end up in the FORWARD chain.
>
> 2. A rule in FORWARD that allows specific traffic through your system if
>    it is destined for 192.168.0.2.
>
> *  The eth0 bit was just to ensure that the rule I wrote only applies to
>    packets flowing from out to in. -o eth1 would also do this. In fact
>    you can use both.
> *  You can adjust these rules to allow only certain protocols and ports.
>    I would. In fact, I would do this in the NAT rule as well.
>
> does this make more sense?
>
> #### contrived example #####
> assume I am running a webserver on 192.168.0.2:80
> one of my external IPs (on eth0:X) is 172.16.32.64
> so:
>
> 1) redirect *only* http traffic aimed at eth0:X to 192.168.0.2:
>
> iptables -t nat -A PREROUTING -d 172.16.32.64
>  -p tcp --dport 80 -i eth0 -j DNAT --to-dest 192.168.0.2
>
> 2) permit http traffic to 192.168.0.2 to pass through from out to in:
>
> iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
>
> ############################
>
>
> > > I originally wrote the script to build my initial rules and use it
> > > when I want to implement changes... I flush the tables, execute the
> > > firewall script then save the rules.
> good. Just checking. I come across *far* too many people who set their
> rules using a shell script called from rc.local, *after* their network
> has already come up. doh.
>
> Regards
>
> Stuart
>
> ps would you mind setting your MUA (thundervird, I believe) to wrap
> lines at a fixed length? your diagram in the original mail was way over
> to the right and the long lines are sometimes very hard to read...
> thx. :)
>
> - --
> Stuart Sears RHCA RHCX
> Quit worrying about your health.  It'll go away.
> 		-- Robert Orben
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFEwff3amPtx1brPQ4RAgwVAJwMuHFEaO/gdeSXiKP9AhF1JO+bwgCfVeYC
> ulNJCCE2RETwUes4c/aHV4c=
> =NEYW
> -----END PGP SIGNATURE-----

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list