LinuxQuestions.org
Linux - Networking
Old 08-07-2005, 04:23 PM   #1
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 61
Iptables help, block port to outside but open to inside.


I hope I can explain this correctly. I have a DMZ firewall setup with 3 NICs.

eth0 is WAN
eth1 is internal LAN
eth2 is DMZ

Now all is working the way I like it so far. Outside connection to httpd running on the DMZ network is fine. Masquerading is fine on both eth1 and eth2 as well. Now on the firewall I have enabled gkrellmd and it uses port 19150. Now the only way I can see it is to open the port so it is visible like port 80. Of course this allows anyone port scanning to see the port as well.

What I would like to do, if possible, is block anyone from seeing port 19150 from the outside but allow my internal LAN or DMZ to see the port.

Not sure if this is enough, but in /etc/gkrellm.conf I have only allowed two internal IPs that can connect to it. This may be all I need to do, since I have not gone outside to a remote Linux box and seen if I could mount the gkrellmd info stream.

Waiting for a friend to get back from work in about a week. But for now I am just looking for some input or opinions.

Also I may wish to do the same with sshd. Allow access to it from eth1 and eth2 but not have it seen from outside as an open port in a port scan.

Thanks for your help and time
Brian1

Last edited by Brian1; 08-07-2005 at 04:43 PM.
 
Old 08-08-2005, 01:40 AM   #2
angel_hva
LQ Newbie
 
Registered: Mar 2004
Location: Vietnam
Posts: 24

Rep: Reputation: 15
Anybody help?
http://www.linuxquestions.org/questi...hreadid=351032
 
Old 09-27-2005, 08:41 PM   #3
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Original Poster
Rep: Reputation: 61
Update: I got it to work the way I wanted.

I am still new to iptables but learning. I have a DMZ firewall setup with 3 NICs.
eth0 is the external WAN side
eth1 is the internal LAN side
eth2 is the DMZ side

I am using the script that can be found here. http://www.linuxguruz.com/iptables/s...rewall_005.txt
I have gkrellmd running on the DMZ firewall on TCP port 19150. I want to be able to access it from a LAN-side Linux box, but not allow anyone from the WAN side to know it is there. If I add it to this section of the script it allows me to see it from the LAN, but of course it is visible on the WAN side if a port scan is run on it. There is no need for me to access it from outside on the internet, so I want to block it from being visible on the WAN side but still allow the LAN side to access it.
Code:
###############################################################################
## Special Chain ALLOW_PORTS
## Rules to allow packets based on port number. This sort of thing is generally
## required only if you're running services on(!!!) the firewall or if you have a
## FORWARD policy of DROP(which we don't right now).

	$IPTABLES -N ALLOW_PORTS
	$IPTABLES -F ALLOW_PORTS

   ##------------------------------------------------------------------------##
   ## ACCEPT TCP traffic based on port number. (Examples)

#	TCP_PORTS="ssh domain"
	TCP_PORTS="22 53 19150"

	for PORT in $TCP_PORTS; do
		$IPTABLES -A ALLOW_PORTS -m state --state NEW -p tcp \
			--dport $PORT -j ACCEPT
	done
   ##------------------------------------------------------------------------##
   ## ACCEPT UDP traffic based on port number.

#	UDP_PORTS="domain"
	UDP_PORTS="53"

	for PORT in $UDP_PORTS; do
		$IPTABLES -A ALLOW_PORTS -m state --state NEW -p udp \
			--dport $PORT -j ACCEPT
	done

   ##------------------------------------------------------------------------##
   ## REJECT port 113 ident requests.
	$IPTABLES -A ALLOW_PORTS -p tcp --dport 113 -j REJECT \
		--reject-with tcp-reset
   ##------------------------------------------------------------------------##

###############################################################################
So after reading the book Linux Firewalls, 2nd edition, by Robert L. Ziegler, I found the key variable I needed to add. It was the ' -i eth1 ' option. So I added this to my script after the part that looks similar to this section. This actually allows me to add additional ports later on if needed without too much rewriting.
Code:
   ##------------------------------------------------------------------------##
   ## Special ACCEPT TCP traffic so eth1 can access it and it is blocked on
   ## eth0, based on port number. (Examples).
   ## This allows gkrellmd on 19150 to be seen from eth1 and not from eth0
#	TCP_PORTS="ssh domain"
	TCP_PORTS="19150"

	for PORT in $TCP_PORTS; do
		$IPTABLES -A ALLOW_PORTS -m state --state NEW -p tcp \
			-i eth1 --dport $PORT -j ACCEPT
	done
   ##------------------------------------------------------------------------##
Thanks for your time.
Brian1
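The interface-scoped ACCEPT in the post above only hides 19150 from the WAN if the port is also taken out of the unrestricted TCP_PORTS list earlier in the chain; the first matching rule wins, and a plain `--dport 19150 -j ACCEPT` with no `-i` still matches a SYN arriving on eth0. The script below is an added example, not code from the thread or from the linuxguruz firewall script it uses: it generates the ALLOW_PORTS chain with a public list and one per-interface list for eth1 and eth2, and checks the generated text so that no inside-only port is accepted without an `-i` match before anything is loaded. The interface roles (eth0 WAN, eth1 LAN, eth2 DMZ), the port lists, the `/sbin/iptables` path and the assumption that INPUT already jumps to ALLOW_PORTS and then drops are all choices made here for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linuxguruz script it
# uses: generate the ALLOW_PORTS chain so that services running on the
# firewall itself are accepted only on the interfaces you name, then check
# the generated rules as text before loading them.
#
# Assumptions (chosen to match the thread, adjust for your box):
#   eth0 = WAN, eth1 = LAN, eth2 = DMZ; the INPUT chain already jumps to
#   ALLOW_PORTS and falls through to DROP afterwards.
IPT=${IPT:-/sbin/iptables}

# Ports accepted on ANY interface, WAN included.  Everything listed here is
# visible to an outside port scan, so keep it short.
PUBLIC_TCP="53"
PUBLIC_UDP="53"

# Ports accepted only when the packet ARRIVED on the named interface.  The
# -i match is decided by the kernel from the ingress device, so a SYN from
# the WAN side cannot satisfy it whatever source address it carries.
ETH1_TCP="22 19150"     # LAN may reach sshd and gkrellmd
ETH2_TCP="22"           # DMZ hosts may reach sshd only

# Emit one iptables command per line instead of running it, so the rule set
# can be reviewed and checked first.
rule() { printf '%s\n' "$IPT $*"; }

allow_ports_rules() {
    rule -N ALLOW_PORTS
    rule -F ALLOW_PORTS
    for PORT in $PUBLIC_TCP; do
        rule -A ALLOW_PORTS -m state --state NEW -p tcp --dport "$PORT" -j ACCEPT
    done
    for PORT in $PUBLIC_UDP; do
        rule -A ALLOW_PORTS -m state --state NEW -p udp --dport "$PORT" -j ACCEPT
    done
    for PORT in $ETH1_TCP; do
        rule -A ALLOW_PORTS -m state --state NEW -p tcp -i eth1 --dport "$PORT" -j ACCEPT
    done
    for PORT in $ETH2_TCP; do
        rule -A ALLOW_PORTS -m state --state NEW -p tcp -i eth2 --dport "$PORT" -j ACCEPT
    done
    # Answer ident probes with a reset rather than a silent drop.
    rule -A ALLOW_PORTS -p tcp --dport 113 -j REJECT --reject-with tcp-reset
}

# check_no_wan_exposure RULES PORTS
#   Returns 0 when every ACCEPT for a port in PORTS carries an -i match,
#   1 when one of them would accept the port from any interface, which is
#   exactly the mistake of leaving 19150 in the unrestricted TCP_PORTS list.
check_no_wan_exposure() {
    rules=$1
    for PORT in $2; do
        if printf '%s\n' "$rules" | grep -- "--dport $PORT " \
                | grep -- "-j ACCEPT" | grep -qv -- " -i "; then
            echo "port $PORT is accepted without an -i restriction" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone run: print the rules and verify them.  To load them for real,
# only after the check passes:  allow_ports_rules | sh
RULES=$(allow_ports_rules)
printf '%s\n' "$RULES"
if check_no_wan_exposure "$RULES" "$ETH1_TCP $ETH2_TCP"; then
    echo "OK: no inside-only port is accepted from eth0"
fi
```

Matching on the ingress interface is a stronger check than matching on source address, since a host on the WAN side can forge a LAN source address but cannot make its packet arrive on eth1; the allowed-host list in /etc/gkrellm.conf is a second, application-level layer on top of it, not a replacement. After loading, confirm the result on the box with `iptables -L ALLOW_PORTS -v -n` (each 19150 and 22 rule should show eth1 or eth2 in the "in" column) and from a host on the WAN side with a port scan, which should no longer report 19150 or 22 as open.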