Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Just installed Fedora 2 for use as firewall/email server/web server at home. Set up default firewall w/iptables. The firewall can talk to machines in the house (eth0) and to the internet (eth2). But internal machines can't seem to forward to the internet. Here is the iptables file I currently have - I've marked the 2 rules I added (using webmin, which also added the 2 sections at the bottom of the file to the original provided by the Fedora installation). Can someone tell me what I need to do to get forwarding working? I have modified the /proc/sys/net/ipv4/ip_forward file too...
Thanks,
nbc
====== IPTables file ====
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
# **** I added the following line to try to get pkts forwarded...
-A RH-Firewall-1-INPUT -m state -d 192.168.130.0/24 -i eth2 -o eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# **** I added the following line to try to get pkts forwarded...
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
I'm guessing based on the rule you added that the internal machines all have private (non-routable) IP addresses (like 192.168.X.X). In that case you'll need to do some form of SNAT/IP Masquerading to allow the internal machines out to the internet. Which one you need depends on whether the firewall/router has a fixed IP address or is dynamically assigned (DSL/Cable/Dialup usually are).
Correct - the internal machines have fixed addresses (although I may start using dhcp inside as well and let the firewall be a dhcp server someday). The firewall uses DHCP but the address it gets has not changed in 3 years - I suppose it could change any day though...
I managed to get it to work this afternoon by adding a MASQUERADE line to the NAT section of the iptables. The command is:
-A POSTROUTING -o eth2 -j MASQUERADE
And this seems to work. I think I need to spend some time with the filter stuff and make sure my machine is really locked down the way I want it to be... But this is a start.
If the firewall's IP is assigned through DHCP, then use masquerading (your rule looks fine).
In terms of locking down the firewall, I would absolutely recommend changing the default INPUT and FORWARD policies to DROP. Also, I'd recommend ditching Redhat's lokkit firewall and putting together your own firewall script. You can use the rules you have currently as a guide. You're on the right track with the RELATED,ESTABLISHED rules, although those don't have anything to do with forwarding.
If you need some HOWTOs, take a look at the netfilter website documentation section. If you have any questions about putting together a script, feel free to post a new thread, but you look like you're doing pretty well on your own so far.
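As an added example (not code from the thread or from either poster), here is the kind of stand-alone script the reply above suggests: it generates an iptables-restore file in the same format as the posted one, with INPUT and FORWARD defaulting to DROP, stateful forwarding only from the LAN out to the internet, and the MASQUERADE rule the original poster found was needed. The interface names eth0/eth2 and the 192.168.130.0/24 subnet come from the post; the LAN_IF/WAN_IF/LAN_NET variables and function names are this example's own.

```shell
#!/bin/sh
# Example firewall generator (added here, not from the thread): default-DROP
# INPUT/FORWARD, stateful LAN->WAN forwarding, MASQUERADE on the WAN side.
LAN_IF="${LAN_IF:-eth0}"                 # inside interface (from the post)
WAN_IF="${WAN_IF:-eth2}"                 # internet-facing interface (from the post)
LAN_NET="${LAN_NET:-192.168.130.0/24}"   # LAN subnet used in the poster's rule

# Print the rule set in iptables-restore format (same format as the posted file).
gen_rules() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the firewall itself: loopback, LAN, replies, the services the post opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $wan_if -p tcp -m multiport --dports 22,25,80,443 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forwarded traffic: replies back in, new connections only from LAN to WAN.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The poster's working fix: rewrite the source address of LAN traffic leaving via WAN.
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# Number of generated lines matching a pattern; used to self-check the rule set.
count_rules() { gen_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" | grep -c -- "$1"; }

# Apply only when explicitly asked (needs root): ./firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" | iptables-restore
fi
```

Run it without arguments (or call `gen_rules eth0 eth2 192.168.130.0/24`) to review the generated file before applying it.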