Update: I got it the way I wanted it to work.
I am still new to iptables but learning. I have a DMZ firewall setup with 3 nics.
eth0 is external wan side
eth1 is internal lan side
eth2 is dmz side
I am using the script that can be found here.
http://www.linuxguruz.com/iptables/s...rewall_005.txt
I have gkrellmd running on the DMZ firewall on TCP port 19150. I want to be able to access it from a LAN-side Linux box, but not allow anyone from the WAN side to know it is there. If I add it to this section of the script it allows me to see it from the LAN, but of course it is visible on the WAN side if a port scan is run on it. There is no need for me to access it from outside on the Internet, so I want to block it from being visible on the WAN side but still allow the LAN side to access it.
Code:
###############################################################################
## Special Chain ALLOW_PORTS
## Rules to allow packets based on port number. This sort of thing is generally
## required only if you're running services on(!!!) the firewall or if you have a
## FORWARD policy of DROP(which we don't right now).
$IPTABLES -N ALLOW_PORTS
$IPTABLES -F ALLOW_PORTS
##------------------------------------------------------------------------##
## ACCEPT TCP traffic based on port number. (Examples)
# TCP_PORTS="ssh domain"
TCP_PORTS="22 53 19150"
for PORT in $TCP_PORTS; do
$IPTABLES -A ALLOW_PORTS -m state --state NEW -p tcp \
--dport $PORT -j ACCEPT
done
##------------------------------------------------------------------------##
## ACCEPT UDP traffic based on port number.
# UDP_PORTS="domain"
UDP_PORTS="53"
for PORT in $UDP_PORTS; do
$IPTABLES -A ALLOW_PORTS -m state --state NEW -p udp \
--dport $PORT -j ACCEPT
done
##------------------------------------------------------------------------##
## REJECT port 113 ident requests.
$IPTABLES -A ALLOW_PORTS -p tcp --dport 113 -j REJECT \
--reject-with tcp-reset
##------------------------------------------------------------------------##
###############################################################################
So after reading the book Linux Firewalls, 2nd edition, by Robert L. Ziegler, I found the key option I needed to add. It was the ' -i eth1 ' option. So I added this to my script after the part that looks similar to the section above. This actually allows me later on to add additional ports if needed without too much rewriting.
Code:
##------------------------------------------------------------------------##
## Special ACCEPT for TCP traffic so it is reachable on eth1 only and blocked
## on eth0, based on port number. (Examples)
## This allows gkrellmd on 19150 to be seen from eth1 and not from eth0
# TCP_PORTS="ssh domain"
TCP_PORTS="19150"
for PORT in $TCP_PORTS; do
    # "-i eth1" binds the rule to the LAN interface; packets arriving on eth0
    # never match it and fall through to the chain's default handling.
    $IPTABLES -A ALLOW_PORTS -m state --state NEW -p tcp \
        -i eth1 --dport $PORT -j ACCEPT
done
##------------------------------------------------------------------------##
Thanks for your time.
Brian1
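As an added example (not the post's code and not the linuxguruz script), the following POSIX shell script generates the ALLOW_PORTS rules with per-interface scoping and then audits the generated ruleset for the exact mistake described above: a NEW/ACCEPT rule for a LAN-only port that carries no -i restriction and is therefore also reachable from eth0. The service table and the dry-run default (echo instead of the real iptables binary) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. IPTABLES defaults to a dry run
# that prints the rules; set IPTABLES=/sbin/iptables (as root) to load them.
IPTABLES="${IPTABLES:-echo iptables}"

# Constructed service table, one entry per service: interface:proto:port
# "any" means the rule is not bound to an ingress interface (visible on eth0 too).
SERVICES="any:tcp:22 any:tcp:53 any:udp:53 eth1:tcp:19150"

# Emit the ALLOW_PORTS chain; interface-scoped services get "-i <iface>".
emit_allow_ports() {
    $IPTABLES -N ALLOW_PORTS
    $IPTABLES -F ALLOW_PORTS
    for svc in $SERVICES; do
        iface=${svc%%:*}; rest=${svc#*:}
        proto=${rest%%:*}; port=${rest#*:}
        if [ "$iface" = any ]; then
            $IPTABLES -A ALLOW_PORTS -m state --state NEW -p "$proto" \
                --dport "$port" -j ACCEPT
        else
            $IPTABLES -A ALLOW_PORTS -m state --state NEW -p "$proto" \
                -i "$iface" --dport "$port" -j ACCEPT
        fi
    done
}

# audit_lan_only "PORTS" "RULES": returns 0 when every listed port is only
# ACCEPTed by rules that carry an "-i" interface match, 1 otherwise.
audit_lan_only() {
    lan_ports=$1; rules=$2; rc=0
    for p in $lan_ports; do
        # An ACCEPT for this port with no "-i" is reachable from the WAN side.
        if printf '%s\n' "$rules" | grep -- "--dport $p -j ACCEPT" | grep -qv -- ' -i '; then
            echo "port $p is accepted without an interface restriction" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: print the dry-run rules and check the LAN-only port.
rules=$(emit_allow_ports)
printf '%s\n' "$rules"
audit_lan_only "19150" "$rules" && echo "audit ok: 19150 is bound to eth1"
```

Pipe the real ruleset through the same audit (iptables -S ALLOW_PORTS) to catch a port that was later added to the unscoped list by mistake.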