LinuxQuestions.org

Linux - Newbie: config firewall for internal http and https (https://www.linuxquestions.org/questions/linux-newbie-8/config-firewall-for-internal-http-and-httos-403263/)

dales79 01-14-2006 08:07 AM

config firewall for internal http and https
 
Hi

I have to do the following on a LINUX firewall using iptables:

"Provide access through the firewall to the webserver from address on the internal network using http and https. I then need to block access through the firewall from all other sources and to all other ports."

Having investigated this, I am somewhat confused as to how to configure the firewall to do this. I have found two options, but am not sure which it is:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP

OR it is this:

iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --dport 80 -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --sport 80 ! --syn -j ACCEPT

iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --dport 22 -s $MYNET -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --sport 22 -d $MYNET ! --syn -j ACCEPT

Can someone help me? I am new to this and am confused about what the difference is, but I only want to enable internal traffic, not external.

I look forward to some replies

Dales79

Brian1 01-15-2006 11:22 AM

To allow external traffic through the firewall to an internal LAN machine you would use a command like this for a TCP port. Replace xxx.xxx.xxx.xxx with your external WAN IP and yyy.yyy.yyy.yyy with the internal LAN server IP:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to-destination yyy.yyy.yyy.yyy:80

The first section you have opens the 443 port on the external NIC of the firewall. Not needed unless you are providing the service on the firewall. The second would work with a few other lines.

You can learn a lot of iptables stuff here, as well as by looking at many prewritten scripts. Many have good remarks throughout for ease of understanding.
http://www.linuxguruz.com/iptables/
http://www.netfilter.org/
http://iptables-tutorial.frozentux.n...-tutorial.html

Hope this helps.
Brian1
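Putting the thread together, here is an added example (not code from either post) of a complete FORWARD chain for the scenario in the question: clients on the internal network may reach one web server behind the firewall on 80 and 443, and everything else forwarded through the box is logged and dropped. It assumes a LAN-facing interface eth1, an interface eth2 toward the web server's segment, and the placeholder addresses 192.168.1.0/24 and 192.168.2.10, all of which must be replaced for a real network; it keeps the thread's `-m state` matching. Brian1's DNAT rule is only needed for external clients, which the assignment excludes, so it is left out. Run with no arguments the script only prints the rules it would load; run as root with `apply` it loads them.

```shell
#!/bin/sh
# Added example (not from either post): FORWARD-chain ruleset for the
# scenario in the question. Interface names and addresses are assumptions.
LAN_IF=eth1                 # assumed: interface facing the internal LAN
WEB_IF=eth2                 # assumed: interface facing the web server segment
LAN_NET=192.168.1.0/24      # constructed: internal network allowed to connect
WEB_IP=192.168.2.10         # constructed: the web server's address

# Print what would be run instead of running it (used for the dry run).
dry_run() {
    printf 'iptables %s\n' "$*"
}

# $1 is the command each rule is executed with: "iptables" or "dry_run".
# Rule order matters: replies to already-accepted connections first, then
# the one allowed service, then log-and-drop for everything else. The thread
# uses -m state; on a current kernel -m conntrack --ctstate is the equivalent.
build_forward_rules() {
    ipt=$1
    "$ipt" -P FORWARD DROP        # default policy, so an emptied chain still blocks
    "$ipt" -F FORWARD             # start from a clean chain
    "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A FORWARD -i "$LAN_IF" -o "$WEB_IF" -s "$LAN_NET" -d "$WEB_IP" \
        -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    "$ipt" -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FW-FORWARD-DROP: "
    "$ipt" -A FORWARD -j DROP
}

# The kernel must also be forwarding for the FORWARD chain to see anything:
# sysctl -w net.ipv4.ip_forward=1 (as root, when applying for real).
if [ "${1:-}" = "apply" ]; then
    build_forward_rules iptables
else
    echo "# dry run; run '$0 apply' as root to load the rules" >&2
    build_forward_rules dry_run
fi
```

The DROP at the end of the chain is what satisfies "block access from all other sources and to all other ports"; the LOG rule just before it is rate-limited so a scan cannot flood the syslog. Note the rules say nothing about INPUT, so traffic addressed to the firewall itself is unaffected.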

