Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I've only been using RedHat for about 6 months. I have read a lot about iptables but I'm not confident that I can say "I know iptables". I've tried gShield, Firestarter, Guarddog... other independently made scripts... and I can't get this to work. Stop traffic, yes! But what I want is to forward my incoming port 80 requests to another machine. I have a dual-homed system with static IPs running Redhat 9 or Fedora Core 1... take your pick! I really need to get this up and I really appreciate any definite help. Again, I have no problem blocking services or allowing telnet to that machine or using it as a gateway. The only problem is using it to forward port requests. Thanks again for your help!
I thought I'd done the echo 1 /proc/.../ip_forward thing but I discovered that when I do a "service network restart" it resets that to a 0. And it didn't work without restarting it either. I replaced the 7th line with the one you suggested Dewar but still no luck. Could this be a network settings problem? Do I need to add a route somewhere maybe?
Still no... Not with -A or -I. I'm not running Apache on the firewall. It is running on 1.12 though and I can access it with lynx to the local IP of the web server. My dg on the ext. nic is correct. On the internal nic I don't have one specified but I have a route for 192.168.1.0 to the other (windows) gateway.
Take a look at the script... it should serve you... change it as you need...
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <blueflux@koffein.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#
###########################################################################
#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
# The variable definitions below are not in the copy of the script posted
# above, but the rules further down reference them; the values are assumed
# (LAN 192.168.1.0/24 as described in the thread, external NIC eth0) and
# must be changed to match your setup.
#
LAN_IP_RANGE="192.168.1.0/24"
INET_IFACE="eth0"
IPTABLES="/sbin/iptables"
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
###########################################################################
#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IP's (RFC 1918 source addresses
# arriving on the Internet-facing interface)
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#
# Hook the chain into INPUT and FORWARD; a user-defined chain is never
# consulted unless something jumps to it (these two jumps are not in the
# copy posted above and are added so the chain actually takes effect).
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Enable simple IP Forwarding and Network Address Translation
#
I build a file to port my machines (ie prtfwd), then chmod 775, install it in my rc.local
(ie /usr/sbin/prtfwd). This way you can tinker with it and make changes without having to disturb the main rule and restart it all the time. It looks like this.
Of course the 0.0.0.0 is your outside IP; notice the ports that look like 27650:27970, a range of ports or single. Works well for me. Great if you have a LAN party and want to host several games on different ports or machines. Hope this helps.
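What a prtfwd-style file can look like, as an added example written for this thread (it is not the poster's file, which does not appear on the page, and not part of Oskar Andreasson's rc.firewall). The external interface eth0, internal interface eth1, public address 203.0.113.10, web server 192.168.1.12 and the game host 192.168.1.50 are assumptions; run it with no argument to print the rules it would add, and with `apply` as root to install them.

```shell
#!/bin/sh
# prtfwd.sh - forward inbound ports on a dual-homed Linux 2.4/iptables box to
# hosts on the LAN. Added example for this thread, not the poster's file.
# All addresses and interface names below are assumptions; change them.

IPT=${IPT:-/sbin/iptables}
EXT_IF=${EXT_IF:-eth0}             # NIC with the public address
INT_IF=${INT_IF:-eth1}             # NIC on the LAN
EXT_IP=${EXT_IP:-203.0.113.10}     # assumed public IP ("your outside IP")
WEB_HOST=${WEB_HOST:-192.168.1.12} # assumed internal web server

# run CMD...: with DRY_RUN=1 (the default) print the command instead of
# running it, so the rules can be reviewed before touching the live firewall.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

rule() { run "$IPT" "$@"; }

# Kernel forwarding is off by default; this is the runtime half, the
# persistent half is net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Replies from the LAN host back to the outside client, once per script run.
allow_replies() {
    rule -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# forward_port PROTO PORTSPEC DEST [DESTPORT]
# PORTSPEC is a single port (80) or a range (27650:27970). With DESTPORT the
# traffic is also redirected to a different port on DEST.
forward_port() {
    proto=$1; ports=$2; dest=$3; dport=${4:-}
    to=$dest
    if [ -n "$dport" ]; then to="$dest:$dport"; fi
    # nat/PREROUTING rewrites the destination before the routing decision...
    rule -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p "$proto" --dport "$ports" -j DNAT --to-destination "$to"
    # ...and the rewritten packet must then be accepted by FORWARD, whose
    # default policy is DROP in the firewall script posted earlier.
    rule -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$dest" -p "$proto" --dport "${dport:-$ports}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# "sh prtfwd.sh" prints the rules; "sh prtfwd.sh apply" installs them (root).
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
enable_forwarding
allow_replies
forward_port tcp 80 "$WEB_HOST"            # web server, same port
forward_port udp 27650:27970 192.168.1.50  # game server port range (assumed host)
```

The DNAT rule in nat/PREROUTING by itself is not enough on a box whose FORWARD policy is DROP, as in the script posted earlier: the rewritten packet still has to be accepted in FORWARD, and the internal host's replies need the ESTABLISHED,RELATED rule in the other direction. Putting net.ipv4.ip_forward = 1 in /etc/sysctl.conf keeps forwarding on across a "service network restart", because the Red Hat network init script re-applies sysctl.conf on start and would otherwise set it back to 0.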
I also did the same thing... I modified the script and now I only execute the file. No restart. It depends on your need and practice... do some editing in the script. Use a service iptables save and then service iptables restart at the bottom of the script... that's what I used to do...
Yeah, that's why I 775 it. So now I just /usr/sbin/prtfwd when I make a change. But it's a good idea to put it in the rc.local; that way if ya reboot it's there.