Red Hat Firewall
The iptables script is as follows:
#!/bin/sh
# ****************** IPtables initial configuration file ******************
# Extern network card: eth0: 10.0.0.1
# Intern network card: eth1: 192.168.2.1
# Turn on routing between the two cards; without this the FORWARD chain is never consulted
echo 1 > /proc/sys/net/ipv4/ip_forward
# Load the FTP connection-tracking helper so that FTP data connections are tracked as
# RELATED (the module is ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on newer ones)
modprobe ip_conntrack_ftp
# Flush all chains
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -t nat -F POSTROUTING
# Set default policy of forward, input and output chain to DROP
# (reject everything). No INPUT/OUTPUT rules follow, so the firewall host
# itself accepts and sends nothing, not even on loopback.
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# Allow ftp, mail, HTTP, pop and SSL/TLS
# (the multiport match takes --sports/--dports; plain --sport/--dport belong to
# the tcp match and do not accept a comma-separated port list)
iptables -A FORWARD -p tcp -d 192.168.2.0/24 -m multiport \
--sports 21,25,80,110,443 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.2.0/24 -m multiport \
--dports 21,25,80,110,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# DNS
# (the reply rule matches on source port only, with no --state check, so any
# UDP packet with source port 53 is forwarded inside, not only actual replies)
iptables -A FORWARD -p udp -d 192.168.2.0/24 --sport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.2.0/24 --dport 53 -j ACCEPT
# Allow active FTP (the server connects back from port 20; RELATED relies on the helper above)
iptables -A FORWARD -p tcp -d 192.168.2.0/24 --sport 20 -m state \
--state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.2.0/24 --dport 20 -m state \
--state ESTABLISHED -j ACCEPT
# Allow passive FTP (the data port is chosen by the server, so match on state only)
iptables -A FORWARD -p tcp -s 192.168.2.0/24 -m state \
--state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.2.0/24 -m state \
--state ESTABLISHED -j ACCEPT
# Allow inside users to ping out but not vice versa
# (these two DROP rules must stay in front of the catch-all ICMP ACCEPT below)
iptables -A FORWARD -p icmp -d 192.168.2.0/24 \
--icmp-type echo-request -j DROP
iptables -A FORWARD -p icmp -s 192.168.2.0/24 \
--icmp-type echo-reply -j DROP
# Allow all other ICMP packets
iptables -A FORWARD -p icmp -j ACCEPT
# Set up NAT: rewrite the source address of everything leaving eth0 to 10.0.0.1
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.0.0.1
Last edited by Sigmund Gudvang; 05-05-2002 at 06:30 AM.
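To make the first-match behaviour of the posted FORWARD chain concrete, here is an added Python model of it (editor's example, not code from the post). It walks the rules in their posted order with the chain's DROP policy, and also carries a variant in which the DNS reply rule gets the same ESTABLISHED match the TCP rules already use. The hosts 10.0.0.9 and 192.168.2.5 used in the checks are constructed sample addresses.

```python
import ipaddress

INSIDE = ipaddress.ip_network("192.168.2.0/24")   # the eth1 side from the post
PORTS = {21, 25, 80, 110, 443}                     # ftp, mail, HTTP, pop, SSL/TLS

def rule(proto, target, src_in=None, dst_in=None, sports=None, dports=None,
         states=None, icmp=None):
    """One FORWARD rule. None means the field is not matched on (wildcard)."""
    return dict(proto=proto, target=target, src_in=src_in, dst_in=dst_in,
                sports=sports, dports=dports, states=states, icmp=icmp)

# The posted FORWARD chain in its original order; the chain policy is DROP.
FORWARD_AS_POSTED = [
    rule("tcp", "ACCEPT", dst_in=True, sports=PORTS, states={"ESTABLISHED"}),
    rule("tcp", "ACCEPT", src_in=True, dports=PORTS, states={"NEW", "ESTABLISHED"}),
    rule("udp", "ACCEPT", dst_in=True, sports={53}),   # DNS reply rule: no state match
    rule("udp", "ACCEPT", src_in=True, dports={53}),
    rule("tcp", "ACCEPT", dst_in=True, sports={20}, states={"RELATED", "ESTABLISHED"}),
    rule("tcp", "ACCEPT", src_in=True, dports={20}, states={"ESTABLISHED"}),
    rule("tcp", "ACCEPT", src_in=True, states={"RELATED", "ESTABLISHED"}),
    rule("tcp", "ACCEPT", dst_in=True, states={"ESTABLISHED"}),
    rule("icmp", "DROP", dst_in=True, icmp="echo-request"),   # no pings from outside
    rule("icmp", "DROP", src_in=True, icmp="echo-reply"),     # and no replies to them
    rule("icmp", "ACCEPT"),                                   # every other ICMP
]

# Same chain with the DNS reply rule made stateful, like the TCP rules above it.
FORWARD_STATEFUL_DNS = list(FORWARD_AS_POSTED)
FORWARD_STATEFUL_DNS[2] = rule("udp", "ACCEPT", dst_in=True, sports={53},
                               states={"ESTABLISHED"})

def matches(r, p):
    """True if packet dict p satisfies every field that rule r specifies."""
    if r["proto"] != p["proto"]:
        return False
    for side in ("src", "dst"):
        want = r[side + "_in"]
        if want is not None and (ipaddress.ip_address(p[side]) in INSIDE) != want:
            return False
    for field in ("sports", "dports"):
        if r[field] is not None and p.get(field[:-1]) not in r[field]:
            return False
    if r["states"] is not None and p["state"] not in r["states"]:
        return False
    return r["icmp"] is None or p.get("icmp") == r["icmp"]

def verdict(chain, p, policy="DROP"):
    """Walk the chain as iptables does: the first matching rule decides, else policy."""
    for r in chain:
        if matches(r, p):
            return r["target"]
    return policy
```

Running a NEW UDP packet with source port 53 from outside through both chains shows why the stateless reply rule is worth tightening: the posted chain forwards it, the stateful variant falls through to the DROP policy.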