Iptables Firewall Config - http and https
Hi
I have to do the following on a LINUX firewall using iptables: "Provide access through the firewall to the webserver from addresses on the internal network using http and https. I then need to block access through the firewall from all other sources and to all other ports." Having investigated this, I am somewhat confused as to how to configure the firewall to do this. I have found two options, but am not sure which it is:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP

OR it is this:

iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --dport 80 -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --sport 80 ! --syn -j ACCEPT
iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --dport 22 -s $MYNET -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --sport 22 -d $MYNET ! --syn -j ACCEPT

Can someone help me? I am new to this and am confused what the difference is - but I only want to enable internal traffic, not external. I look forward to some replies. Dales79 |
You need to set up the firewall so that users on the inside can reach a specific web-server on the outside?
Or are you trying to just allow your users to browse the web from the inside? If you're trying to allow web-browsing from the inside just set up

iptables -A FORWARD -i eth<X> -s <internal netrange> -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth<X> -s <internal netrange> -p tcp --dport 443 -j ACCEPT

where <X> is the network interface pointing to your LAN and <internal netrange> is the network range of your LAN, for example 192.168.0.0/24. That takes care of the connections from the inside to web-servers on the outside; you also need

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This is to allow the answers from the web-servers on the outside back in to the client requesting it. Hope this helps |
Sorry if my post wasn't clear
The first thing I have to do is provide access through the firewall to a web-server (located on internal network) from addresses on internal network using http and https. Access should be blocked through firewall from all other sources and to all other ports. The second thing I have to do (which I didn't mention) is to allow one machine (on internal network) to access web-servers on the internet through the firewall. Does that make sense? Thanks |
Just to clarify further:
Is the web-server in question inside the firewall in question or are we talking about the firewall on that web-server? Are the web-server and the firewall the same machine? If the web-server is inside the firewall the clients on the same net should be able to connect to it... To answer the last question about allowing one client inside to reach http/https on the outside:

#Open for http-requests from one ip on the inside
iptables -A FORWARD -i <internal interface> -p tcp -m tcp --dport 80 -s <ip of client to allow> -j ACCEPT
#Open for https-requests from one ip on the inside
iptables -A FORWARD -i <internal interface> -p tcp -m tcp --dport 443 -s <ip of client to allow> -j ACCEPT
#Open for the replies to those requests
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Did that help at all? Still not sure I understand what you need, if you could give me the layout of the firewall/server/inside I should be able to help more... |
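The two replies above give the FORWARD rules piecemeal (browsing from the LAN, one client to the outside, the ESTABLISHED,RELATED rule for the replies). The script below is an added example, not code from either poster, that puts both of the original requirements into one complete FORWARD chain with a default-DROP policy and the LOG/DROP tail from the first option. Because the thread never settled the layout, the script assumes one: the firewall is a separate box with three interfaces, eth0 to the LAN (192.168.0.0/24), eth1 to a DMZ holding the web server at 192.168.1.10, and eth2 to the internet, with 192.168.0.50 as the one LAN client allowed to browse. All interface names and addresses are assumptions; change the variables at the top. The FORWARD chain only sees traffic passing through the firewall, which is why the web server has to sit on a different interface than the clients for the rules to do anything; the INPUT/OUTPUT rules in the second option from the first post apply only when the web server is the firewall machine itself.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or the reply's rules).
# Assumed layout: the firewall is a separate box with three interfaces,
#   eth0 = LAN (192.168.0.0/24), eth1 = DMZ holding the web server
#   (192.168.1.10), eth2 = internet. 192.168.0.50 is the one LAN client
#   allowed to browse the web. All names and addresses are assumptions.
LAN_IF=${LAN_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
WAN_IF=${WAN_IF:-eth2}
LAN_NET=${LAN_NET:-192.168.0.0/24}
WEB_IP=${WEB_IP:-192.168.1.10}
CLIENT_IP=${CLIENT_IP:-192.168.0.50}

# Dry run by default: the iptables commands are printed, not applied.
# Run as root with IPT=iptables in the environment to load them.
IPT=${IPT:-echo iptables}

apply_rules() {
    # Start from an empty FORWARD chain with a default-DROP policy, so
    # anything the explicit rules below do not match is dropped even if
    # the LOG/DROP tail is ever removed.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # Replies and related traffic for connections accepted below.
    # ("-m state --state ESTABLISHED,RELATED" in the thread is the older
    # spelling of the same conntrack match.)
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Requirement 1: LAN addresses may reach the web server on http/https.
    # Only NEW connections in the LAN->DMZ direction match; pinning the
    # interface pair stops a packet with a forged 192.168.0.x source
    # arriving from the internet from matching this rule.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$WEB_IP" \
        -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Requirement 2: one LAN client may reach http/https on the internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$CLIENT_IP" \
        -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Everything else through the firewall: log (rate-limited so a port
    # scan cannot fill the log) and drop.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -j DROP

    # Assumed: the LAN uses private addresses, so the client's outbound
    # web traffic needs source NAT on the internet-facing interface.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$CLIENT_IP" -j MASQUERADE
}

apply_rules
```

Run it once as-is to read the generated commands, then with IPT=iptables as root to apply them. Order matters in iptables: the ESTABLISHED,RELATED rule sits first so reply packets are accepted without re-evaluating the port rules, and the LOG/DROP pair sits last so only connections no earlier rule accepted are logged. The default-DROP policy on the chain is the safety net for the case where the tail is flushed or never loaded.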
Thanks, that does. I think I can possibly sort the rest out myself.
Cheers |