Old 04-15-2004, 05:44 AM   #1
tungaw2001
Member
 
Registered: Aug 2003
Posts: 45

Rep: Reputation: 15
iptables configuration


Hi All,
I'm having problems converting my Redhat Linux DSL 6.2 to Redhat Linux 9.0.

The RH 6.2 uses kernel 2.2 while RH 9.0 uses kernel 2.4.

This is my setup on Redhat 6.2 using ipchains, and I want to convert it into iptables.

#!/bin/sh
#
# rc.firewall
#
echo 1 > /proc/sys/net/ipv4/ip_forward

## Flush everything, start from scratch
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward


## Create your own chain
/sbin/ipchains -N good-bad
/sbin/ipchains -N bad-good
/sbin/ipchains -N icmp-acc

## Setup jumps from forward chains
/sbin/ipchains -A forward -s 10.0.5.0/24 -i ppp0 -j good-bad
/sbin/ipchains -A forward -i eth0 -j bad-good
/sbin/ipchains -A forward -j DENY -l

## Define the icmp-acc chain
/sbin/ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
/sbin/ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT

#############################################################################################
## Define good-to-bad chain allow POP3,DNS,PING,SENDMAIL to all, selective WWW ##
## ##
## General Rule for all users. DENY surfing. ##
## ##
## ##
#############################################################################################
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d 0/0 pop-3 -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d 0/0 smtp -j MASQ
/sbin/ipchains -A good-bad -p udp -s 0/0 -d 0/0 domain -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d 0/0 domain -j MASQ
/sbin/ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
/sbin/ipchains -A good-bad -p udp --dport 33434:33863 -j MASQ
/sbin/ipchains -A good-bad -p icmp -j icmp-acc

#############################################################################################
## ##
## Machine Specific Permissions ##
## ##
## ##
#############################################################################################
### Bay
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.53 -d 0/0 www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.53 -d 0/0 ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.53 -d 0/0 ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.53 -d 0/0 telnet -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.53 -d 0/0 443 -j MASQ
/sbin/ipchains -A good-bad -p udp -s 10.0.5.53 -d 0/0 443 -j MASQ

### Bay
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.23 -d 0/0 www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.23 -d 0/0 ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.23 -d 0/0 ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.23 -d 0/0 telnet -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.23 -d 0/0 443 -j MASQ
/sbin/ipchains -A good-bad -p udp -s 10.0.5.23 -d 0/0 443 -j MASQ

### Jeff
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.8 -d 0/0 www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.8 -d 0/0 ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.8 -d 0/0 ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.8 -d 0/0 telnet -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.8 -d 0/0 443 -j MASQ
/sbin/ipchains -A good-bad -p udp -s 10.0.5.8 -d 0/0 443 -j MASQ

### Randy
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.34 -d 0/0 www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.34 -d 0/0 ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.34 -d 0/0 ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.34 -d 0/0 telnet -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.34 -d 0/0 443 -j MASQ
/sbin/ipchains -A good-bad -p udp -s 10.0.5.34 -d 0/0 443 -j MASQ

### Ronald
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.35 -d 0/0 www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.35 -d 0/0 ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.35 -d 0/0 ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 10.0.5.35 -d 0/0 443 -j MASQ
/sbin/ipchains -A good-bad -p udp -s 10.0.5.35 -d 0/0 443 -j MASQ

## temporarily removed OCT 15, 2002
#/sbin/ipchains -A good-bad -p tcp -s 10.0.5.20 -d 0/0 www -j MASQ
#/sbin/ipchains -A good-bad -p tcp -s 10.0.5.20 -d 0/0 443 -j MASQ
#/sbin/ipchains -A good-bad -p udp -s 10.0.5.20 -d 0/0 443 -j MASQ
#/sbin/ipchains -A good-bad -p tcp -s 10.0.5.20 -d 0/0 ftp -j MASQ
#/sbin/ipchains -A good-bad -p tcp -s 10.0.5.20 -d 0/0 ftp-data -j MASQ


#############################################################################################
## ##
## Site Specific Rules ##
## ##
## ##
#############################################################################################

### adamas.com.ph
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d www.adamas.com.ph www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d cypress.he.net ftp -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d cypress.he.net ftp-data -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d cypress.he.net telnet -j MASQ

### r&d sites
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d java.sun.com www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d www.mysql.com www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d www.phpbuilder.com www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d developer.java.sun.com www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d www.pushlets.com www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d octopus.cdut.edu.cn www -j MASQ
/sbin/ipchains -A good-bad -p tcp -s 0/0 -d www.nscb.gov.ph www -j MASQ

### Filter other services
###########################################################################
### YAHOO MESSENGER ###
###########################################################################



###########################################################################
### END YAHOO MESSENGER ###
###########################################################################

#############################################################################################
## Anything else, REJECT it ##
#############################################################################################
/sbin/ipchains -A good-bad -j REJECT -l


#############################################################################################
## ##
## Rules for incoming Traffic. ##
## ##
## ##
#############################################################################################
## Define bad-to-good chain DO NOT ALLOW ANYTHING
/sbin/ipchains -A bad-good -j REJECT -l

## Deny everything else
# /sbin/ipchains -P bad-good input DENY

HELP PLEASE!!!!
 
Old 04-15-2004, 08:59 AM   #2
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

Rep: Reputation: 47
A good sed script would be useful here.

A few ideas for regexes:

s/ipchains/iptables/g
s/MASQ/MASQUERADE/g
s/ forward / FORWARD /g


That much would eliminate a lot of keystrokes.

From the looks of it, all you want that box to do is forward packets (router-like). If you don't want it to accept INPUT you would add the following to the top of the file somewhere:

/sbin/iptables -P INPUT DROP


And as a suggestion:

I'd use some variables in the script for easy editing:

IPTABLES="/sbin/iptables"

Then everywhere you have /sbin/iptables you can use sed to change it to $IPTABLES. That way, if by some chance you need to change the script or move it to a box that doesn't put iptables in /sbin (SuSE puts it in /usr/sbin/), then you'll only have to edit 1 line and not 50 lines.

The regex:

s/\/sbin\/iptables/\$IPTABLES/g

or on the original script:

s/\/sbin\/ipchains/\$IPTABLES/g

I can't really run any scripts right now because I'm at work on a Windows box and it seems all outgoing ssh isn't working here, so I'd have to write an actual sed script later if you don't know any sed.
 
Old 04-15-2004, 03:01 PM   #3
WeNdeL
Member
 
Registered: Oct 2002
Location: At my desk...
Distribution: RedHat, Fedora, Ubuntu
Posts: 344

Rep: Reputation: 30
Learn iptables...

Masquerading in iptables is different from what it was in ipchains.
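For readers arriving at this thread with the same problem, here is a complete iptables (kernel 2.4) rendering of the rc.firewall script from post #1. It is an added example, not the poster's own conversion and not anything from the later replies; the addresses, interfaces, ports and sites are taken from the posted script, while the DRYRUN switch and the helper function names (ipt, allow_tcp_out, firewall_rules) are assumptions of this example so the rule set can be printed and reviewed without root or a live firewall. It shows why the sed-only approach in post #2 falls short and what post #3 is getting at: the ipchains MASQ target splits into an ACCEPT in the filter table plus a MASQUERADE rule in the nat table, the "-l" logging flag becomes a separate LOG rule, the forward chain's "-i" (which named the output interface in ipchains) becomes "-o", and because masqueraded replies now pass back through FORWARD, the bad-good chain needs a stateful ESTABLISHED,RELATED accept or none of the outbound permissions will actually work.

```shell
#!/bin/sh
# rc.firewall for kernel 2.4 / iptables: an added translation of the ipchains
# script in post #1 (not the poster's own conversion). Addresses, interfaces,
# ports and sites are taken from that script; DRYRUN is an assumption of this
# example so the rule set can be reviewed without root or a live firewall.
IPTABLES=${IPTABLES:-/sbin/iptables}   # one place to edit, as Robert0380 suggests
LAN=10.0.5.0/24
LAN_IF=eth0            # inside interface
WAN_IF=ppp0            # DSL link
DRYRUN=${DRYRUN:-1}    # 1 = print the commands instead of running them

ipt() {
    if [ "$DRYRUN" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# ipchains "-s HOST -d 0/0 www -j MASQ" becomes a plain ACCEPT in the filter
# table; the masquerading itself moves to the nat table (see the last rule).
allow_tcp_out() {
    src=$1; shift
    for port in "$@"; do
        ipt -A good-bad -p tcp -s "$src" --dport "$port" -j ACCEPT
    done
}

firewall_rules() {
    ## Flush everything, start from scratch
    ipt -F; ipt -X; ipt -t nat -F

    ## Policies: "-A forward -j DENY -l" becomes a DROP policy plus a LOG rule
    ipt -P INPUT DROP        # the box only routes (Robert0380's suggestion)
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ipt -N good-bad; ipt -N bad-good; ipt -N icmp-acc

    ## Jumps from FORWARD. On the ipchains forward chain "-i" named the output
    ## interface; iptables FORWARD has -i (in) and -o (out), so give both.
    ipt -A FORWARD -s "$LAN" -i "$LAN_IF" -o "$WAN_IF" -j good-bad
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j bad-good
    ipt -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    ## icmp-acc: the same four control messages the ipchains chain accepted
    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        ipt -A icmp-acc -p icmp --icmp-type "$t" -j ACCEPT
    done

    ## good-bad: services every inside host may reach (port numbers instead of
    ## the /etc/services names ipchains accepted after -d)
    ipt -A good-bad -p tcp --dport 110 -j ACCEPT                # pop-3
    ipt -A good-bad -p tcp --dport 25 -j ACCEPT                 # smtp
    ipt -A good-bad -p udp --dport 53 -j ACCEPT                 # domain
    ipt -A good-bad -p tcp --dport 53 -j ACCEPT
    ipt -A good-bad -p icmp --icmp-type echo-request -j ACCEPT  # ipchains "ping"
    ipt -A good-bad -p udp --dport 33434:33863 -j ACCEPT        # traceroute
    ipt -A good-bad -p icmp -j icmp-acc

    ## Machine-specific permissions: www, ftp, telnet, https. Port 20 (ftp-data)
    ## is gone: with the FTP helper loaded, data connections match as RELATED
    ## below. The per-host udp/443 lines are dropped too (HTTPS is TCP).
    for host in 10.0.5.53 10.0.5.23 10.0.5.8 10.0.5.34; do
        allow_tcp_out "$host" 80 21 23 443
    done
    allow_tcp_out 10.0.5.35 80 21 443   # Ronald: no telnet in the original

    ## Site-specific rules. iptables resolves a hostname once, when the rule is
    ## added (one rule per address it resolves to), so reload if a site moves.
    for site in www.adamas.com.ph java.sun.com www.mysql.com www.phpbuilder.com \
                developer.java.sun.com www.pushlets.com octopus.cdut.edu.cn www.nscb.gov.ph; do
        ipt -A good-bad -p tcp -d "$site" --dport 80 -j ACCEPT
    done
    for port in 21 23; do
        ipt -A good-bad -p tcp -d cypress.he.net --dport "$port" -j ACCEPT
    done

    ## Anything else leaving the LAN: "-j REJECT -l" becomes LOG, then REJECT
    ipt -A good-bad -j LOG --log-prefix "OUT-REJECT: "
    ipt -A good-bad -j REJECT

    ## bad-good: ipchains delivered de-masqueraded replies without passing them
    ## through the forward chain, so rejecting everything here was safe. In
    ## iptables the replies do traverse FORWARD, so connection tracking must let
    ## them back in or nothing accepted above works. Only NEW inbound is refused.
    ipt -A bad-good -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A bad-good -j LOG --log-prefix "IN-REJECT: "
    ipt -A bad-good -j REJECT

    ## NAT: this is where the ipchains MASQ target ends up
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$WAN_IF" -j MASQUERADE
}

if [ "$DRYRUN" != 1 ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    modprobe ip_conntrack_ftp    # FTP helper on 2.4 (nf_conntrack_ftp on newer kernels)
fi
firewall_rules
```

Run it as-is to print the full rule set for review; run it as root with DRYRUN=0 to load the rules. Check the result with iptables -L -v -n and iptables -t nat -L -n: the LOG rules in each chain make rejected traffic show up in the kernel log with the FWD-DROP, OUT-REJECT and IN-REJECT prefixes, which is the quickest way to see which of the old per-host permissions a user is actually missing after the move.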