How would I set up port forwarding on my firewall below? For example, if I wanted to forward port 8080 to 192.168.0.5. Below is my firewall script. I have eth0 as my outside internet connection, and eth1 as the LAN. Any suggestions on how to improve this script in general would also be appreciated!
I'm also using Red Hat 9.0 if this helps.
Thanks!
Code:
#!/bin/sh
# set a few variables
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
# adjust /proc
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
# setup nat
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocked hosts
#$iptables -I INPUT -s 212.5.86.163 -j DROP
#$iptables -I FORWARD -s 212.5.86.163 -j DROP
# icmp
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
# apply icmp type match blocking
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# open ports to the firewall
$iptables -A INPUT -p udp --dport 27960 -j ACCEPT #Q3 Games / Wolf
$iptables -A INPUT -p udp --dport 14567 -j ACCEPT #BF1942
$iptables -A INPUT -p udp --dport 20100 -j ACCEPT #SOF2
$iptables -A INPUT -p udp --dport 12300 -j ACCEPT #GameSpy
$iptables -A INPUT -p udp --dport 27900 -j ACCEPT #GameSpy
$iptables -A INPUT -p tcp --dport 28900 -j ACCEPT #GameSpy
$iptables -A INPUT -p udp --dport 23000:23009 -j ACCEPT #GameSpy
$iptables -A INPUT -p tcp --dport 22 -j ACCEPT #SSH
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT #HTTP
$iptables -A INPUT -p tcp --dport 27666 -j ACCEPT #DOOM3
$iptables -A INPUT -p udp --dport 27666 -j ACCEPT #DOOM3
$iptables -A INPUT -p tcp --dport 27650 -j ACCEPT #DOOM3
$iptables -A INPUT -p udp --dport 27650 -j ACCEPT #DOOM3
$iptables -A INPUT -p udp --dport 8767 -j ACCEPT #TEAMSPEAK
$iptables -A INPUT -p tcp --dport 14534 -j ACCEPT #TS WEB ADMIN
# drop all other packets
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
You'll want to add at least the following lines. I'm assuming you want to forward external port 8080 to internal 192.168.0.5 on port 80. I'm also assuming your eth1 is your external interface.
You'll have to forgive me, I'm a bit of a noob when it comes to IPTABLES. That script of yours is pretty shmick looking, scrag. If I wanted to use a script based off of yours on my own system, where would I put it? Thanks heaps in advance!
I have this script saved as a file under /etc/rc.firewall. To load this automatically on boot-up you need to add the line "cd /etc[ENTER] ./rc.firewall" to your startup file "/etc/rc.d/rc.local". rc.local is your "load this on boot" file. Hope this helps, as I am typing while drunk. If not, let me know and I'll get back to you tomorrow when I am sober.
Can I place the port forwarding section anywhere in the script?
I have created the following rules to forward BitTorrent, are they correct? Thanks heaps in advance!
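The forwarding this thread asks about, written out as an added example that is not code from any of the posts: a small sh function that emits the DNAT rule and the matching FORWARD rule needed on top of the firewall script above. It follows the first post in treating eth0 as the Internet side and 192.168.0.5 as the LAN host; the 8080-to-80 mapping and the 6881:6889 range are assumed values, and the names port_forward and show are chosen here. With IPT unset the rules are only printed for review; run as root with IPT=/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example (not the thread's own rules): print or apply the two iptables
# rules that forward a port from the external interface to a LAN host.
# Assumes eth0 is the Internet side, as the first post states.

# Default "executor" just prints the rule on one line so it can be reviewed.
show() { printf '%s\n' "$*"; }
IPT=${IPT:-show}

# port_forward PROTO EXT_IF EXT_PORT LAN_IP [LAN_PORT]
# EXT_PORT may be a single port or an iptables range such as 6881:6889.
# If LAN_PORT is omitted the destination port is left unchanged, which is
# what you want when forwarding a range.
port_forward() {
    [ $# -ge 4 ] || { echo "usage: port_forward PROTO EXT_IF EXT_PORT LAN_IP [LAN_PORT]" >&2; return 1; }
    proto=$1 ext_if=$2 ext_port=$3 lan_ip=$4 lan_port=$5

    # 1. Rewrite the destination before routing (nat table, PREROUTING).
    #    Matching on -i "$ext_if" means only packets that really arrive from
    #    outside are redirected; LAN clients talking to the router are untouched.
    $IPT -t nat -A PREROUTING -i "$ext_if" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$lan_ip${lan_port:+:$lan_port}"

    # 2. The script's FORWARD policy is DROP and only ESTABLISHED,RELATED is
    #    accepted, so the first packet of each new connection needs its own
    #    ACCEPT. FORWARD sees the packet after DNAT, so match the LAN address
    #    and the LAN port (or the original port/range when it was not changed).
    $IPT -A FORWARD -i "$ext_if" -p "$proto" -d "$lan_ip" --dport "${lan_port:-$ext_port}" \
        -m state --state NEW -j ACCEPT
}

# The thread's case: external tcp/8080 to the web server on 192.168.0.5:80.
port_forward tcp eth0 8080 192.168.0.5 80
# A BitTorrent-style range with ports preserved (constructed example values).
port_forward tcp eth0 6881:6889 192.168.0.5
```

On placement: both rules must come after the `-F FORWARD` and `-F -t nat` flushes in the "# setup nat" block, or they are wiped as the script starts; beyond that, appending is safe because the script's FORWARD chain contains only ACCEPT rules and relies on its DROP policy. Return traffic is already covered by the existing ESTABLISHED,RELATED rule. After loading, `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n --line-numbers` show where the rules landed.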