LinuxQuestions.org
Old 10-17-2003, 01:31 AM   #1
dkny01
LQ Newbie
 
Registered: Sep 2003
Posts: 14

Rep: Reputation: 0
IPTables rules


Hi All,

I'm running IPTables MASQ as a gateway in my network running on RH7.3. It's my first experience with IPTables and I've a few questions:

1) How do I allow only certain IPs in my network to be able to use the gateway to access the Internet? I know the IPTables rule to deny a specific host, but that would be tedious since there are so many clients in my network.

2) I've enabled logging earlier to debug:

iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "

How do I disable this? It's clogging up my /var/log/messages...


3) When I try to ftp outside via the gateway, it is unable to retrieve the directory listing and gives a "425 Cant Build Data Connection: Connection Timed Out" error. Any ideas?

Thanks in advance!
 
Old 10-17-2003, 07:43 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Rep: Reputation: 414
Here are a couple of guesses:

1) iptables -A INPUT -i ethX -p tcp -s !1.2.3.4 -j DROP

In this case ethX would be the LAN interface and the IP address would be the one you want to ALLOW access. Note the ! before the IP address; this reverses the logic (essentially a NOT statement). So this rule would drop all traffic NOT from IP address 1.2.3.4. Of course you're going to have to be careful with this rule and check into how to use IP ranges, because any IP address not included in this rule would be dropped, even if that IP address is allowed by a later rule. Remember, iptables rules are executed in order and the packet is processed according to the first rule that matches.

2) Just comment out those lines with a #

3) I'm not real sure about this one. Are you allowing NEW, ESTABLISHED and RELATED packet states through your firewall? I know FTP uses ports 20 and 21, but I think it may also try to use other ports as well. State matching may help here.
 
Old 10-19-2003, 09:57 PM   #3
dkny01
LQ Newbie
 
Registered: Sep 2003
Posts: 14

Original Poster
Rep: Reputation: 0
>>"2) Just comment out those lines with a #"

Where does IPTables keep the file? I've looked under /etc/sysconfig/iptables but I can't find the rule there.
 
Old 10-20-2003, 07:36 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Rep: Reputation: 414
At least in Slackware, it usually is in /etc/rc.d; however, I'm not sure with RH. I was assuming you knew, since you had modified the script for debugging.

So how are you modifying your firewall?
 
Old 10-23-2003, 12:01 AM   #5
dkny01
LQ Newbie
 
Registered: Sep 2003
Posts: 14

Original Poster
Rep: Reputation: 0
I'm doing it by issuing iptables commands on the command line
...

Any ideas what the filename is, so that I can do a search for it?

Or aren't there any commands to delete that rule?
If it's any help.....

$iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `INPUT_DROP: '
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:nfs
DROP udp -- anywhere anywhere udp dpt:nfs
DROP tcp -- anywhere anywhere tcp dpts:x11:6009
DROP tcp -- anywhere anywhere tcp dpt:xfs
DROP tcp -- anywhere anywhere tcp dpt:printer
DROP udp -- anywhere anywhere udp dpt:printer
DROP tcp -- anywhere anywhere tcp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP all -- demo.thgenet.com anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `OUTPUT_DROP: '
ACCEPT all -- anywhere anywhere
 
Old 10-23-2003, 12:33 AM   #6
beolach
LQ Newbie
 
Registered: Jul 2003
Distribution: Gentoo
Posts: 29

Rep: Reputation: 15
To remove chains from the active iptables, run:

iptables --line-numbers -L INPUT

This will give you the rules in the INPUT chain, with the number for each rule. Then run:

iptables -D INPUT <NUM>

where <NUM> is the line number for your log rule from above. Then repeat for the OUTPUT chain. This will delete the rules from the chains.

Also, you may want to consider creating a startup firewall script to automatically load your rulesets (this is what the previous comments were referring to). This HOWTO has excellent examples of such scripts (tarball of all examples).

Hope this helps,
Beolach
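As an added example (not from any poster in this thread), here is a small startup-style script of the kind Beolach suggests, built around the points Hangdog42 made in post #2: rules match in order, an allow-list of LAN hosts, and state matching so the FTP data connection gets through. It puts the allow-list on the FORWARD chain, which is the chain masqueraded LAN-to-Internet traffic actually traverses, and logs only what is about to be dropped, rate-limited, instead of logging every packet. The interface names and host addresses are assumptions; the script prints the iptables commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Constructed example for a RH7.3-era (2.4 kernel) MASQ gateway.
# Interface names and the allowed host list are assumptions, not from the thread.
LAN_IF=eth1
WAN_IF=eth0
ALLOWED_HOSTS="192.168.1.10 192.168.1.11 192.168.1.20"   # constructed sample list

# Emit the iptables commands one per line instead of running them, so the
# rule set can be read, diffed, or piped into sh on the gateway as root.
build_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    # Default to DROP: anything no earlier rule accepts is refused.
    echo "iptables -P FORWARD DROP"
    # Replies to connections already accepted, plus RELATED ones such as the
    # FTP data connection that ip_conntrack_ftp tracks, are always allowed.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the listed LAN hosts may open NEW connections towards the Internet;
    # rules are checked in order, so these must precede the LOG rule below.
    for h in $ALLOWED_HOSTS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $h -m state --state NEW -j ACCEPT"
    done
    # Log only what the DROP policy is about to refuse, and rate-limit it so
    # /var/log/messages does not fill up like it does with an unconditional LOG.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FORWARD_DROP: \""
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# How many LAN hosts the generated rule set lets out (one ACCEPT line each).
allowed_count() {
    build_rules | grep -c -- "--state NEW -j ACCEPT"
}

# Load the FTP connection-tracking helper so RELATED covers the data
# connection, enable forwarding, then apply the rules. Needs root.
apply_rules() {
    modprobe ip_conntrack_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | sh
}
```

Running the file as-is only defines the functions; `build_rules` prints the rule set for review and `apply_rules` loads it on the gateway.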
 
Old 10-23-2003, 12:52 AM   #7
dkny01
LQ Newbie
 
Registered: Sep 2003
Posts: 14

Original Poster
Rep: Reputation: 0
worked like a charm
thanks!
 
All times are GMT -5.