06-07-2004, 08:26 PM   #1
deuce868 (LQ Newbie)
help with firewall rules please


I am using ClarkConnect to set up a firewall box on an old 233 machine. I have it up and running, but I need to modify the IPTables rules.

I have two servers in my network to forward to. Both are Terminal Servers, one is a win2k and one is win2k3. I had it set up (on an old SonicWall Firewall box) so that if an offsite location (IP xxx.xxx.xxx.xxx) came in it would forward to the new Win2k3 box. Otherwise it would forward to the production Win2k box.

ClarkConnect has a rc.firewall.local I can add new rules to. If anyone can help me get this going I would appreciate it.

The rules I am trying to use are:
Quote:
-A FORWARD -s 207.xxx.xxx.2 -d xxx.xxx.xxx.177 -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -s 68.xxx.xxx.146 -d xxx.xxx.xxx.177 -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.251 -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
This is a mess, but this is the current output of iptables -nvL

Quote:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 110.10.117.115 0.0.0.0/0
0 0 DROP all -- eth0 * 43.247.232.68 0.0.0.0/0
0 0 DROP all -- eth0 * 24.19.55.110 0.0.0.0/0
41 2548 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1763 240K ACCEPT all -- !eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 drop-reserved all -- eth0 * 127.0.0.0/8 0.0.0.0/0
0 0 drop-reserved all -- eth0 * 2.0.0.0/8 0.0.0.0/0
0 0 drop-reserved all -- eth0 * 96.0.0.0/3 0.0.0.0/0
0 0 drop-reserved all -- eth0 * 169.254.0.0/16 0.0.0.0/0
0 0 drop-reserved all -- eth0 * 223.0.0.0/8 0.0.0.0/0
0 0 drop-reserved all -- eth0 * 224.0.0.0/4 0.0.0.0/0
0 0 drop-reserved all -- eth0 * 240.0.0.0/4 0.0.0.0/0
237 6636 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 207.74.128.3 udp spt:67 dpt:68
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 207.74.128.3 tcp spt:67 dpt:68
0 0 ACCEPT udp -- eth2 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
0 0 ACCEPT tcp -- eth2 * 192.168.0.0/24 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- eth2 * 192.168.0.0/24 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 207.74.128.3 tcp dpt:1875
0 0 ACCEPT 47 -- eth0 * 0.0.0.0/0 207.74.128.3
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 207.74.128.3 tcp dpt:1723
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 207.74.128.3 udp spt:500 dpt:500
0 0 ACCEPT esp -- eth0 * 0.0.0.0/0 207.74.128.3
0 0 ACCEPT ah -- eth0 * 0.0.0.0/0 207.74.128.3
5 180 ACCEPT udp -- eth0 * 0.0.0.0/0 207.74.128.3 udp dpts:1024:65535
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 207.74.128.3 tcp dpts:1024:65535 state RELATED,ESTABLISHED
1765 92276 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 4 packets, 296 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 * 110.10.117.115 0.0.0.0/0
1 52 DROP all -- eth0 * 43.247.232.68 0.0.0.0/0
0 0 DROP all -- eth0 * 24.19.55.110 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 eth1 207.73.170.2 207.74.128.177 tcp dpt:3389
0 0 ACCEPT tcp -- eth0 eth1 68.61.15.146 207.74.128.177 tcp dpt:3389
135 13015 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 207.74.128.199 tcp dpt:22
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 207.74.128.199 tcp dpt:53
184 29287 ACCEPT udp -- eth0 eth1 0.0.0.0/0 207.74.128.199 udp dpt:53
3131 511K ACCEPT tcp -- eth0 eth1 0.0.0.0/0 207.74.128.199 tcp dpt:80
1588 412K ACCEPT tcp -- eth0 eth1 0.0.0.0/0 207.74.128.250 tcp dpt:8080
0 0 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 207.74.128.251 tcp dpt:1494
1516 210K ACCEPT tcp -- eth0 eth1 0.0.0.0/0 207.74.128.251 tcp dpt:3389
0 0 drop-lan tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
0 0 drop-lan udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:111
0 0 drop-lan tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
0 0 drop-lan udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 drop-lan tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:635
0 0 drop-lan udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:635
0 0 ACCEPT icmp -- * * 192.168.0.0/24 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.0.0/24 icmp type 0
0 0 ACCEPT icmp -- * * 192.168.0.0/24 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.0.0/24 icmp type 3
0 0 ACCEPT icmp -- * * 192.168.0.0/24 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.0.0/24 icmp type 11
0 0 ACCEPT icmp -- * * 192.168.0.0/24 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.0.0/24 icmp type 8
0 0 ACCEPT all -- * * 192.168.0.0/24 207.74.128.128/25 state RELATED,ESTABLISHED
0 0 DROP all -- * * 192.168.0.0/24 207.74.128.128/25
0 0 ACCEPT all -- * * 207.74.128.128/25 192.168.0.0/24
30240 10M ACCEPT all -- !eth0 * 0.0.0.0/0 0.0.0.0/0
25228 17M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
717 43338 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `Stray FORWARD packet: '
6681 396K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 1 packets, 1500 bytes)
pkts bytes target prot opt in out source destination
41 2548 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
792 68307 ACCEPT all -- * !eth0 0.0.0.0/0 0.0.0.0/0
242 6956 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * eth0 207.74.128.3 0.0.0.0/0 tcp spt:68 dpt:67
0 0 ACCEPT udp -- * eth0 207.74.128.3 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
0 0 ACCEPT udp -- * eth2 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * eth2 0.0.0.0/0 192.168.0.0/24 tcp spt:53
0 0 ACCEPT udp -- * eth2 0.0.0.0/0 192.168.0.0/24 udp spt:53
0 0 ACCEPT tcp -- * eth0 207.74.128.3 0.0.0.0/0 tcp spt:1875
0 0 ACCEPT 47 -- * eth0 207.74.128.3 0.0.0.0/0
0 0 ACCEPT tcp -- * eth0 207.74.128.3 0.0.0.0/0 tcp spt:1723
0 0 ACCEPT udp -- * eth0 207.74.128.3 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT esp -- * eth0 207.74.128.3 0.0.0.0/0
0 0 ACCEPT ah -- * eth0 207.74.128.3 0.0.0.0/0
0 0 ACCEPT tcp -- * eth0 207.74.128.3 0.0.0.0/0 tcp spts:1024:65535
0 0 ACCEPT udp -- * eth0 207.74.128.3 0.0.0.0/0 udp spts:1024:65535
0 0 DROP all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain accept-log (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `Accept with log: '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain drop-lan (6 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain drop-log (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `Drop with log: '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain drop-reserved (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
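The source-conditional RDP forward the first post describes, written as an added example fragment for rc.firewall.local; it is not ClarkConnect's or the poster's code. It assumes clients reach both terminal servers through one public address on the firewall (DNAT), and every address in it (FW_IP, NEW_TS, PROD_TS, the OFFSITE list) is an assumed placeholder, not the thread's masked values.

```shell
#!/bin/sh
# Added example (not ClarkConnect's or the poster's code): source-conditional
# forwarding of RDP (TCP 3389) to two terminal servers, for rc.firewall.local.
# All addresses are ASSUMED placeholders from the RFC 5737 documentation ranges.
EXT_IF=eth0                 # Internet-facing interface, as in the poster's output
LAN_IF=eth1                 # interface toward the terminal servers
FW_IP=203.0.113.3           # ASSUMED public address that RDP clients connect to
NEW_TS=192.0.2.177          # ASSUMED Win2k3 box (offsite users land here)
PROD_TS=192.0.2.251         # ASSUMED Win2k production box (everyone else)
OFFSITE="203.0.113.200 198.51.100.146"   # ASSUMED offsite source addresses

# Prints one rule per line so the ordering can be reviewed before applying.
preview() { printf '%s\n' "$*"; }

# $1 is the command run for each rule: "preview" prints it, "iptables" applies it.
rdp_rules() {
    ipt=$1
    # Rules are inserted (-I) at the top of each chain rather than appended (-A):
    # if rc.firewall.local runs after the main rule set, -A would land these below
    # the trailing "DROP all" in FORWARD and they would never match.  Because -I
    # pushes each new rule above the previous one, the catch-all goes in FIRST so
    # that the per-source rules finish above it and win the top-down match.
    "$ipt" -t nat -I PREROUTING -i "$EXT_IF" -d "$FW_IP" -p tcp --dport 3389 \
        -j DNAT --to-destination "$PROD_TS"
    "$ipt" -I FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$PROD_TS" -p tcp --dport 3389 \
        -m state --state NEW -j ACCEPT
    for src in $OFFSITE; do
        "$ipt" -t nat -I PREROUTING -i "$EXT_IF" -s "$src" -d "$FW_IP" -p tcp --dport 3389 \
            -j DNAT --to-destination "$NEW_TS"
        # FORWARD sees the post-DNAT destination, so match on the server address.
        "$ipt" -I FORWARD -i "$EXT_IF" -o "$LAN_IF" -s "$src" -d "$NEW_TS" -p tcp --dport 3389 \
            -m state --state NEW -j ACCEPT
    done
    # Reply packets are already accepted by the existing RELATED,ESTABLISHED rule.
}

# Review the generated rules first; then, as root, run: rdp_rules iptables
rdp_rules preview
```

If the servers instead hold their own routed public addresses behind eth1, as the poster's existing FORWARD rules (-d 207.74.128.177 / .251) suggest, the PREROUTING DNAT lines are unnecessary and the address a client connects to already decides which server it reaches; only the FORWARD lines then matter.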
 
06-14-2004, 04:18 PM   #2
Capt_Caveman (Senior Member)
Quote:
that if an offsite location (IP xxx.xxx.xxx.xxx) came in it would forward to the new Win2k3 box. Otherwise it would forward to the production Win2k box.

Could you try to be more clear on what you would like the firewall to do?