LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-12-2005, 12:50 AM   #1
jkmartha
Member
 
Registered: Apr 2005
Location: india
Distribution: Redhat 9
Posts: 66

Rep: Reputation: 15
nat & firewall thru iptables


Fedora Core 2.

I have 2 NICs on my system. Suppose
eth0 is 60.61.62.63 (public IP) and
eth1 is 192.168.239.20 (for internal users).
I want to configure NAT as well as a firewall. Following are the commands which I am planning to run. Will it be OK?

FLUSH

iptables -t filter -F INPUT
iptables -t filter -F OUTPUT
iptables -t filter -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT

DEFAULT policies
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

Set up the firewall rules
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A INPUT -i eth0 state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 state --state RELATED,ESTABLISHED -j ACCEPT

Set up ip masquerading
iptables -t nat -A POSTROUTING -s 192.168.239.0/255.255.255.0 -o eth0 -j MASQUERADE


I understand this is a lengthy post, but I have been trying this for 2 days. Is this OK? Please help....
 
Old 05-12-2005, 02:16 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Looks like it should work. Might want to add iptables -X to the FLUSH rules, but that is rather nit-picky. If you're having problems, try doing:

echo "1" > /proc/sys/net/ipv4/ip_forward

Beyond that, try describing your problem in more detail (i.e. can you ping hosts inside the network, outside the network, by hostname, etc.).
 
Old 05-12-2005, 05:15 AM   #3
RomanG
Member
 
Registered: Jan 2005
Location: Russia, Kazan
Distribution: Mandrake 10.2, RedHat sometimes..
Posts: 110

Rep: Reputation: 15
Hello.
It's OK. Your post is not a lengthy one.
1) You forgot to flush the 'mangle' table and set up its default policy.
2) Think about adding some policies for packets with wrong flag combinations etc.
 
Old 05-12-2005, 10:35 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I missed this the first time I looked over your rules, but there appears to be a typo in your state matching rules. You need to prefix the state match with the -m option, so your rules for state matching should be:

iptables -t filter -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 
Old 05-13-2005, 02:44 AM   #5
jkmartha
Member
 
Registered: Apr 2005
Location: india
Distribution: Redhat 9
Posts: 66

Original Poster
Rep: Reputation: 15
Hi Capt_Caveman & RomanG,
Thanks.
I used the same commands and it's working fine now. But are the commands which I have used sufficient for a good firewall?
What exactly does "iptables -X" do?
Flushing the 'mangle' table and setting up its default policy... is it mandatory?
Think about adding some policies for packets with wrong flag combinations etc... what does this mean?
Yeah, I used the -m state --state option.
 
Old 05-13-2005, 08:47 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I used the same commands and it's working fine now. But are the commands which I have used sufficient for a good firewall?
It's a very minimal firewall that could use some additional features. However, it is reasonably secure.

What exactly does "iptables -X" do?
Removes any user-defined chains (see the iptables man page under the -N option for more info).

Flushing the 'mangle' table and setting up its default policy... is it mandatory?
Technically no, because if no default policy is defined then it will automatically be set to ACCEPT. However, you set policies for all the other tables and it's a good idea in case you've inadvertently set the policy to something else or have rules listed for mangle.

Think about adding some policies for packets with wrong flag combinations etc... what does this mean?
This would be a good feature to add to your firewall. It DROPs/LOGs packets that contain impossible TCP flag combinations. These are almost always associated with malicious traffic like port scanning. Another good feature to add would be spoofing protection (rules to prevent forging of IP addresses on packets). This post has a basic example of both spoofing and bad flags protection.
 
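A hardened version of the ruleset from this thread, as an added example that is not the poster's or any reply's own script: it carries the -m state fix from post #4, the -X and mangle-table flush from posts #2 and #3, and the bad-flags and anti-spoofing rules that post #6 describes. The interface names and the LAN range are taken from the question; the BAD_FLAGS chain name, the DRY_RUN switch and the use of sysctl instead of writing /proc directly are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's script: the thread's ruleset with the fixes the
# replies suggest. Assumes eth0 = public NIC, eth1 = LAN NIC, LAN 192.168.239.0/24.
# DRY_RUN=1 prints the rules instead of applying them (review before running as root).
WAN=eth0; LAN=eth1; LAN_NET=192.168.239.0/24
DRY_RUN=${DRY_RUN:-0}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

flush_tables() {
    # Flush rules and delete user-defined chains (-X) in every table, mangle included
    for t in filter nat mangle; do
        run iptables -t $t -F
        run iptables -t $t -X
    done
    for c in INPUT FORWARD; do run iptables -P $c DROP; done
    run iptables -P OUTPUT ACCEPT
}

bad_flags_chain() {
    # Log and drop impossible TCP flag combinations, which are typical of port scans
    run iptables -N BAD_FLAGS
    for f in "ALL NONE" "ALL ALL" "SYN,FIN SYN,FIN" "SYN,RST SYN,RST"; do
        run iptables -A BAD_FLAGS -p tcp --tcp-flags $f -j LOG --log-prefix "BAD_FLAGS: "
        run iptables -A BAD_FLAGS -p tcp --tcp-flags $f -j DROP
    done
}

anti_spoof() {
    # Private sources never legitimately arrive on the public NIC; only LAN sources on the LAN NIC
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        run iptables -A INPUT -i $WAN -s $net -j DROP
        run iptables -A FORWARD -i $WAN -s $net -j DROP
    done
    run iptables -A INPUT -i $LAN ! -s $LAN_NET -j DROP
    run iptables -A FORWARD -i $LAN ! -s $LAN_NET -j DROP
}

apply_firewall() {
    run sysctl -w net.ipv4.ip_forward=1   # needed so packets can be routed between the NICs
    flush_tables; bad_flags_chain; anti_spoof
    run iptables -A INPUT -p tcp -j BAD_FLAGS
    run iptables -A FORWARD -p tcp -j BAD_FLAGS
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -i $LAN -j ACCEPT
    run iptables -A INPUT -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
    run iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
}
if [ "${1:-}" = apply ]; then apply_firewall; fi
```

Run `DRY_RUN=1 sh fw.sh apply` to print the rules for review, then `sh fw.sh apply` as root to load them.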
All times are GMT -5. The time now is 11:12 PM.