Iptables help, block port to outside but open to inside.

Brian1 · 08-07-2005, 04:23 PM

I hope I can explain this correct. I have a DMZ firewall setup with 3 Nics.

eth0 is wan
eth1 is internal lan
eth2 is dmz

Now all is working the way I like it so far. Outside connection to httpd running on dmz network is fine. Masquerading fine on both eth1 and eth2 as well. Now on the firewall I have enabled gkrellmd and it uses the port 19150. Now the only way I can see it is open the port to be visable like port 80. Of couarse this allows anyone port scanning to see the port as well.

What I would like to do is if possiable is block anyone from seeing the port 19150 from the outside but allow my internal lan or dmz see the port.

Not sure if this enough but in the /etc/gkrellm.conf I have only allowed two internal ip that can connect to it. This maybe all I need to do since I have not gone outside to a remote linux box and see if I could mount the gkrellmd info stream.

Waiting for a friend to get back from work in about a week. But for now just looking for some input or opions

Also may wish to do the same with sshd. Allow it access to eth1 and eth2 but not seen from outside from a port scan as open port.

Thanks for from help and time
Brian1

angel_hva · 08-08-2005, 01:40 AM

Any body help?
http://www.linuxquestions.org/questi...hreadid=351032

Brian1 · 09-27-2005, 08:41 PM

Update : I got it the way I wanted it to work.

I am still new to iptables but learning. I have a DMZ firewall setup with 3 nics.
eth0 is external wan side
eth1 is internal lan side
eth2 is dmz side

I am using the script that can be found here. http://www.linuxguruz.com/iptables/s...rewall_005.txt
I have gkrellmd running on the dmz firewall on tcp port 19150. I want to be able to access from a lan side linux box, but not allow anyone from the wan side to know it is there. If I add it this section of the script it allows me to see it from the lan but of course it is visible on the wan side if a port scan is run on it. There is no need for me to access outside on the internet so I want to block it from being visible on the wan side but still allow the lan side to access it.

Code:

###############################################################################
## Special Chain ALLOW_PORTS
## Rules to allow packets based on port number. This sort of thing is generally
## required only if you're running services on(!!!) the firewall or if you have a
## FORWARD policy of DROP(which we don't right now).

	$IPTABLES -N ALLOW_PORTS
	$IPTABLES -F ALLOW_PORTS

   ##------------------------------------------------------------------------##
   ## ACCEPT TCP traffic based on port number. (Examples)

#	TCP_PORTS="ssh domain"
	TCP_PORTS="22 53 19150"

	for PORT in $TCP_PORTS; do
		$IPTABLES -A ALLOW_PORTS -m state --state NEW -p tcp \
			--dport $PORT -j ACCEPT
	done
   ##------------------------------------------------------------------------##
   ## ACCEPT UDP traffic based on port number.

#	UDP_PORTS="domain"
	UDP_PORTS="53"

	for PORT in $UDP_PORTS; do
		$IPTABLES -A ALLOW_PORTS -m state --state NEW -p udp \
			--dport $PORT -j ACCEPT
	done

   ##------------------------------------------------------------------------##
   ## REJECT port 113 ident requests.
	$IPTABLES -A ALLOW_PORTS -p tcp --dport 113 -j REJECT \
		--reject-with tcp-reset
   ##------------------------------------------------------------------------##

###############################################################################

So after reading the book Linux Firewalls 2nd edition from Robert L. Ziegler, I found the key variable I needed to add. It was the ' -i eth1 ' variable. So I added this to my script after the part that looks similiar to this section. This actually allows me to later on to add addition ports if needed with not to much rewriting.

Code:

   ##------------------------------------------------------------------------##
   ## Special ACCEPT TCP traffic so eth1access and block it on eth0 based on 
   ## port number. (Examples).
   ## This allows gkrellmd on 19150 to be seen from eth1 and not from eth0
	TCP_PORTS="ssh domain"
	TCP_PORTS="19150"

	for PORT in $TCP_PORTS; do
		$IPTABLES -A ALLOW_PORTS -m state --state NEW -p tcp \
			-i eth1 --dport $PORT -j ACCEPT
	done
   ##------------------------------------------------------------------------##

Thanks for your time.
Brian1