Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
01-14-2006, 07:35 AM, #1, LQ Newbie (Registered: Jan 2006, Posts: 11)
Iptables Firewall Config - http and https
Hi
I have to do the following on a LINUX firewall using iptables:
"Provide access through the firewall to the webserver from address on the internal network using http and https. I then need to block access through the firewall from all other sources and to all other ports."
Having investigated this, I am somewhat confused as to how to configure the firewall to do this. I have found two options, but am not sure which it is:
# Allow replies to connections already accepted (the state list is one token: no spaces, no trailing comma)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow HTTPS through the firewall
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
# Log, then drop, everything else being forwarded (target names are upper-case)
iptables -A FORWARD -j LOG
iptables -A FORWARD -j DROP
Or is it this:
# HTTP to this host, and the non-SYN replies back out
iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --dport 80 -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --sport 80 ! --syn -j ACCEPT
# SSH to this host from the internal network only, and the replies back
iptables -A INPUT -i $ETHERNET -p tcp -d $MYIP --dport 22 -s $MYNET -j ACCEPT
iptables -A OUTPUT -o $ETHERNET -p tcp -s $MYIP --sport 22 -d $MYNET ! --syn -j ACCEPT
Can someone help me? I am new to this and am confused about what the difference is, but I only want to enable internal traffic, not external.
I look forward to some replies
Dales79
01-14-2006, 08:21 AM, #2, LQ Newbie (Registered: Jan 2006, Location: Norway, Distribution: Debian, Posts: 18)
You need to set up the firewall so that users on the inside can reach a specific web-server on the outside?
Or are you trying to just allow your users to browse the web from the inside?
If you're trying to allow web-browsing from the inside just set up
iptables -A FORWARD -i eth<X> -s <internal netrange> -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth<X> -s <internal netrange> -p tcp --dport 443 -j ACCEPT
where <X> is the network interface pointing to your LAN and <internal netrange> is the network range of your LAN, for example 192.168.0.0/24.
That takes care of the connections from the inside to web servers on the outside. You also need
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This is to allow the answers from the web servers on the outside back in to the client that requested them.
Hope this helps
01-14-2006, 08:41 AM, #3, LQ Newbie, Original Poster (Registered: Jan 2006, Posts: 11)
Sorry if my post wasn't clear
The first thing I have to do is provide access through the firewall to a web-server (located on internal network) from addresses on internal network using http and https. Access should be blocked through firewall from all other sources and to all other ports.
The second thing I have to do (which I didn't mention) is to allow one machine (on internal network) to access web-servers on the internet through the firewall.
Does that make sense?
Thanks
01-14-2006, 05:24 PM, #4, LQ Newbie (Registered: Jan 2006, Location: Norway, Distribution: Debian, Posts: 18)
Just to clarify further:
Is the web-server in question inside the firewall in question or are we talking about the firewall on that web-server?
Are the web-server and the firewall the same machine?
If the web-server is inside the firewall the clients on the same net should be able to connect to it...
To answer the last question about allowing one client inside to reach http/https on the outside:
#Open for http-requests from one ip on the inside
iptables -A FORWARD -i <internal interface> -p tcp -m tcp --dport 80 -s <ip of client to allow> -j ACCEPT
#Open for https-requests from one ip on the inside
iptables -A FORWARD -i <internal interface> -p tcp -m tcp --dport 443 -s <ip of client to allow> -j ACCEPT
#Open for the replies to those requests
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Did that help at all?
Still not sure I understand what you need, if you could give me the layout of the firewall/server/inside I should be able to help more...
01-15-2006, 01:35 PM, #5, LQ Newbie, Original Poster (Registered: Jan 2006, Posts: 11)
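Pulling the two requirements from posts #3 and #4 together, here is an added example (not code from the thread) of a complete ruleset script for the layout the original poster describes. The topology is assumed, not given in the thread: eth0 faces the internet, eth1 is the LAN 192.168.0.0/24, the web server sits on a separate DMZ interface eth2 at 192.168.1.10, and 192.168.0.50 is the one LAN host allowed out to the internet. Because every flow in the requirement crosses the firewall, the rules live in FORWARD; INPUT and OUTPUT only see traffic to and from the firewall box itself, which is the distinction the two blocks in post #1 blur. The script prints the rules by default so they can be reviewed, and only loads them when run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed topology (not stated by the poster):
#   eth0 = internet, eth1 = LAN 192.168.0.0/24, eth2 = DMZ holding the web server,
#   192.168.1.10 = web server, 192.168.0.50 = the single LAN host allowed to browse.
WAN_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
LAN_NET=192.168.0.0/24
WEB_SRV=192.168.1.10
OUT_CLIENT=192.168.0.50

# Emit the commands in the order they must be loaded; rule order is what the firewall enforces.
build_rules() {
    # FORWARD sees nothing unless the kernel routes between interfaces.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Start clean and default-deny on every chain, so "block everything else" is the policy, not a rule.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # The firewall must still talk to itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies to connections accepted further down. The state list is a single token:
    # no spaces and no trailing comma (the first block in post #1 had both).
    for chain in INPUT FORWARD OUTPUT; do
        echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    # Management access to the firewall itself from the LAN (mirrors the SSH rule in post #1).
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # Requirement 1: LAN hosts reach the DMZ web server on 80 and 443 only. This traffic
    # crosses the firewall, so it is FORWARD, not INPUT.
    for port in 80 443; do
        echo "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $WEB_SRV -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Requirement 2: exactly one LAN host may browse the internet; NAT it on the way out.
    for port in 80 443; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $OUT_CLIENT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $OUT_CLIENT -j MASQUERADE"
    # Anything else trying to cross the firewall: log (rate-limited so a scan cannot fill the disk), then drop.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP: \""
    echo "iptables -A FORWARD -j DROP"
}

# Number of iptables commands the ruleset contains.
rule_count() {
    build_rules | grep -c '^iptables '
}

# 1-based line of the first emitted command matching a fixed pattern; 0 if none.
rule_line() {
    n=$(build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

case "${1:-show}" in
    apply) build_rules | sh -e ;;   # run as root; stops at the first command that fails
    *)     build_rules ;;           # default: print the rules for review
esac
```

Two things to check before typing `apply` over SSH: the INPUT policy is DROP, so the management rule for port 22 is what keeps your session alive, and with OUTPUT also DROP the firewall itself cannot resolve names or fetch updates until rules for that are added. Both are deliberate here, because the requirement was to block everything not listed.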
Thanks, that does. I think I can possibly sort the rest out myself.
Cheers