I am running Redhat 8.0 for a router/firewall for my home office (this is a continuation of a post I made to the network forum entitled no connection on redhat 8.0 at
http://www.linuxquestions.org/questi...threadid=39319
Three components of office network are:
A. FIREWALL /DNS server with three NIC's
eth0 IP Address: 10.1.1.1 (connection to local network)
eth1 IP Address: xxx.xxx.xxx.xxx (connection to the internet)
eth2 IP Address: 10.1.10.1 (connection to Apache server only)
B. APACHE SERVER
eth0 IP Address: 10.1.10.2
C. WORKSTATION
eth0 IP Address: 10.1.1.2
now that i have a connection, i'm running into trouble with my firewall rules. i adapted a firewall rules set from the bastille.org site. see
http://www.bastille-linux.org/jay/soho-iptables-nat.txt
and
http://www.bastille-linux.org/jay/bu...-firewall.html
i have made some modifications to the original script in response to error messages from running the shell script. For example, I deleted the $ from the variables that were in the orginal script pursuant to the suggestion of another user. this change and the other changes have greatly reduced the number of error messages. The other changes were made based on the Linux IP Masquerade HOWTO at
http://www.e-infomax.com/ipmasq/
when running the script, i now get the following errors.
quote:iptables: Bad policy name
iptables: Bad policy name
iptables v1.2.6a: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
The current script follows:
#!/bin/bash
# Model SOHO firewall adaped from SP article
# by Jay Beale (jay@bastille-linux.org)
#
# Warning: you're going to have to hack this for your own purposes.
#assumptions:
#Kernel IP routing table
# Destination Gateway Genmask Flags Metric Ref Use Iface
# 10.1.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
# $INTERNET 0.0.0.0 255.255.255.0 U 0 0 0 eth1
# 10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
# 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
# 0.0.0.0 external ISP gw 0.0.0.0 UG 0 0 0 eth1
#
# ie, internal network is 10.1.1.0/24 on eth0
# our gateway's IP address is 10.1.1.1
#
# Additionally:
# we have another internal network, a DMZ: 10.1.10.0/24 on eth2
#
INTERNAL_IP=10.1.1.1
INTERNAL_NET=10.1.1.0/24
# a routable IP address assigned by ISP
INTERNET=xxx.xxx.xxx.xxx
DMZ=10.1.10.0/24
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# EXTIF="ppp0"
#
# if you are a modem user.
#
EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
# The location of the iptables and kernel module programs
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP
#
echo " clearing any existing rules and setting default policy.."
# Set default policies for packets going through this firewall box
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP
# Set default policies for packet entering this box
iptables -P OUTPUT ALLOW
iptables -P INPUT ALLOW
# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Anything coming from our internal network should have only our addresses!
iptables -A FORWARD -i eth0 -s ! $INTERNAL_NET -j DROP
# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -j DROP
# Note: There are more reserved networks, but these are the classical ones.
# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN
# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP
# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth1 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 512 -j DROP
###
# Transparently proxy all web-surfing through Squid box (commented out)
#$SQUID = 192.168.1.2:8080
#$SQUIDSSL = 192.168.1.2:443
#iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to $SQUID
#iptables -t nat -A PREROUTING -i eth1 -tcp --dport 443 -j DNAT --to $SQUIDSSL
# Transparently forward all outgoing mail to a relay host (commented out)
#$SMTP = 192.168.1.3
#iptables -t nat -A PREROUTING -i eth1 -tcp --dport 25 -j DNAT --to $SMTP
# Transparently redirect web connections from outside to the DMZ web
# server
DMZ_WEB=10.1.10.2
iptables -t nat -A PREROUTING -i eth1 -d xxx.xxx.xxx.xxx -dport 80 -j DNAT --to $DMZ_WEB eth2
# Source NAT to get Internet traffic through
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to $INTERNET
# STATEFUL PART!
# Allow all remaining packets out of our network
iptables -A FORWARD -m state --state NEW -i eth1 -s $INTERNAL_NET -j ACCEPT
# Optionally, only allow remaining packets out of network if they're from
# known MAC addresses:
#
# iptables -A FORWARD -m state --state NEW -m mac --mac-source 00:60:08:91:CC:B7 -j ACCEPT
#
# Allow the associated packets with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -s ! $INTERNAL_NET -j ACCEPT
# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward
# End