LinuxQuestions.org

Linux - Networking: IPTables rules (https://www.linuxquestions.org/questions/linux-networking-3/iptables-rules-105001/)

dkny01 10-17-2003 01:31 AM

IPTables rules
 
Hi All,

I'm running IPTables MASQ as a gateway in my network running on RH7.3. It's my first experience with IPTables and I've a few questions:

1) How do I allow only certain IPs in my network to be able to use the gateway to access the Internet? I know the IPTables rule to deny a specific host, but that would be tedious since there are so many clients in my network.

2) I've enabled logging earlier to debug:

iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "

How do I disable this? It's clogging up my /var/log/messages...


3) When I try to ftp outside via the gateway, it is unable to retrieve the directory listing and gives a "425 Cant Build Data Connection: Connection Timed Out" error. Any ideas?

Thanks in advance!

Hangdog42 10-17-2003 07:43 AM

Here are a couple of guesses:

1) iptables -A INPUT -i ethX -p tcp -s ! 1.2.3.4 -j DROP

In this case ethX would be the LAN interface and the IP address would be the one you want to ALLOW access. Note the ! before the IP address; this reverses the logic (essentially a NOT statement). So this rule would drop all traffic NOT from IP address 1.2.3.4. Of course you're going to have to be careful with this rule and check into how to use IP ranges, because any IP address not included in this rule would be dropped, even if that IP address is allowed by a later rule. Remember, iptables rules are executed in order and the packet is processed according to the first rule that matches.

2) Just comment out those lines with a #

3) I'm not really sure about this one. Are you allowing NEW, ESTABLISHED and RELATED packet states through your firewall? I know FTP uses ports 20 and 21, but I think it may also try to use other ports as well. State matching may help here.
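
A point worth checking before copying the INPUT rule above: INPUT only sees packets addressed to the gateway itself, while the traffic a MASQ gateway routes for LAN clients passes through the FORWARD chain. The script below is an added example, not code from the thread or from any of the posters. It whitelists LAN hosts in FORWARD, uses state matching so replies and RELATED sessions (active-FTP data channels) are accepted, and loads the FTP connection-tracking and NAT helper modules that active FTP through MASQ needs. The interface names (eth0 LAN, eth1 Internet), the whitelist addresses and the IPT/MODPROBE variables are assumptions; set IPT="echo iptables" MODPROBE="echo modprobe" to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. A whitelist-based MASQ gateway ruleset.
# Assumed values: eth0 = LAN side, eth1 = Internet side, ALLOWED = LAN hosts
# permitted to reach the Internet. IPT/MODPROBE can be overridden for a dry run.
IPT="${IPT:-/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
ALLOWED="${ALLOWED:-192.168.1.10 192.168.1.11 192.168.1.20}"

# Active-mode FTP: the server opens the data connection back to the address in
# the client's PORT command, which is a private LAN address behind MASQ. These
# helpers parse PORT, rewrite it and mark the data channel RELATED to the
# control channel. Module names are the 2.4-kernel ones from the RH7.3 era;
# on current kernels they are nf_conntrack_ftp and nf_nat_ftp.
load_ftp_helpers() {
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
}

build_gateway_rules() {
    # A gateway routes LAN traffic through FORWARD; INPUT only sees packets
    # addressed to the gateway itself, so the whitelist must live here.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Keep the whitelist in its own chain so adding or removing a host does
    # not renumber the FORWARD chain.
    $IPT -N lan_allowed 2>/dev/null || $IPT -F lan_allowed
    for ip in $ALLOWED; do
        $IPT -A lan_allowed -s "$ip" -j ACCEPT
    done
    $IPT -A lan_allowed -j DROP              # not on the list: dropped
    # Replies to accepted sessions and RELATED ones (FTP data channels) are
    # matched first, so they never have to pass the whitelist again.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only NEW sessions from the LAN side towards the Internet side are
    # considered; unsolicited inbound forwards fall through to the DROP policy.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j lan_allowed
    # Rewrite outbound LAN source addresses to the gateway's public address.
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Usage: sh gateway.sh apply   (as root). Without an argument nothing is changed.
case "${1:-}" in
    apply)
        load_ftp_helpers
        echo 1 > /proc/sys/net/ipv4/ip_forward
        build_gateway_rules
        ;;
esac
```

The ESTABLISHED,RELATED rule sits before the whitelist on purpose: the FTP server's data connection arrives from the Internet side as a NEW-looking TCP SYN, and only the conntrack helper's RELATED classification lets it through without opening the firewall to arbitrary inbound connections.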

dkny01 10-19-2003 09:57 PM

>>"2) Just comment out those lines with a #"

Where does IPTables keep the file? I've looked under /etc/sysconfig/iptables but I can't find the rule there.

Hangdog42 10-20-2003 07:36 AM

At least in Slackware, it usually is in /etc/rc.d, however I'm not sure with RH. However, I was assuming you knew since you had modified the script for debugging.

So how are you modifying your firewall?

dkny01 10-23-2003 12:01 AM

I'm doing it by issuing iptables commands on the command line
...

Any ideas what the filename is so that I can do a search for it?

Or isn't there any command to delete that rule?
If it's any help.....

$ iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning prefix `INPUT_DROP: '
ACCEPT     all  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere             tcp dpt:nfs
DROP       udp  --  anywhere             anywhere             udp dpt:nfs
DROP       tcp  --  anywhere             anywhere             tcp dpts:x11:6009
DROP       tcp  --  anywhere             anywhere             tcp dpt:xfs
DROP       tcp  --  anywhere             anywhere             tcp dpt:printer
DROP       udp  --  anywhere             anywhere             udp dpt:printer
DROP       tcp  --  anywhere             anywhere             tcp dpt:sunrpc
DROP       udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP       all  --  demo.thgenet.com     anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning prefix `OUTPUT_DROP: '
ACCEPT     all  --  anywhere             anywhere

beolach 10-23-2003 12:33 AM

To remove chains from the active iptables, run:

iptables -L INPUT --line-numbers

This will give you the rules in the INPUT chain, with the number for each rule. Then run:

iptables -D INPUT <NUM>

where <NUM> is the line number for your log rule from above. Then repeat for the OUTPUT chain. This will delete the rules from the chains.

Also, you may want to consider creating a startup firewall script to automatically load your rulesets (this is what the previous comments were referring to). This HOWTO has excellent examples of such scripts (tarball of all examples).

Hope this helps,
Beolach
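
Deleting by number works, with one trap worth spelling out: the numbers are positions, and every deletion shifts the rules below it up by one, so when several rules are to be removed by number, delete the highest number first. The script below is an added example, not code from the thread or from any of the posters. It shows the simpler alternative of deleting by the exact rule specification, and a numbered deletion that reads the listing, collects the matching rule numbers and processes them highest first. The listing it parses is constructed (based on the INPUT chain posted above, with a second LOG rule added to show the ordering problem), and IPT is an assumed variable that can be set to "echo iptables" for a dry run.

```shell
#!/bin/sh
# Added example, not from the thread: remove LOG rules that were added on the
# command line, without touching the rest of the chain.
IPT="${IPT:-/sbin/iptables}"

# Simplest when you still know the exact rule: -D with the same specification
# that -A was given deletes the first matching rule; no line numbers involved.
delete_log_rule_by_spec() {   # $1 = chain, $2 = log prefix
    $IPT -D "$1" -j LOG --log-prefix "$2"
}

# When deleting by number, read a "--line-numbers" listing on stdin and emit
# the matching numbers highest first: every deletion renumbers the rules
# below it, so deleting 1 before 4 would make "-D INPUT 4" remove what used
# to be rule 5 (here a DROP rule, silently opening the firewall).
log_rule_numbers() {          # $1 = log prefix to look for
    awk -v pfx="$1" '$2 == "LOG" && index($0, pfx) { print $1 }' | sort -rn
}

# -n keeps iptables from resolving addresses (the posted listing shows
# demo.thgenet.com, i.e. a DNS lookup per rule) and keeps the columns stable.
delete_log_rules_by_number() { # $1 = chain, $2 = log prefix
    $IPT -L "$1" --line-numbers -n \
        | log_rule_numbers "$2" \
        | while read -r n; do $IPT -D "$1" "$n"; done
}

# Constructed listing in "iptables -L INPUT --line-numbers -n" format, based on
# the INPUT chain posted in the thread, with a second LOG rule added as rule 4.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "INPUT_DROP: "
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2049
4    LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "INPUT_DROP: "
5    DROP       all  --  10.0.0.5             0.0.0.0/0'

# Dry run on the constructed listing: prints 4, then 1.
printf '%s\n' "$SAMPLE_LISTING" | log_rule_numbers "INPUT_DROP: "
```

On a live box, run `IPT="echo iptables" delete_log_rules_by_number INPUT "INPUT_DROP: "` first to see which -D commands would be issued, then repeat without the override; for the single rule in the thread, `delete_log_rule_by_spec INPUT "INPUT_DROP: "` followed by the same for OUTPUT with "OUTPUT_DROP: " is enough.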

dkny01 10-23-2003 12:52 AM

Worked like a charm :)
Thanks!

