Old 10-17-2006, 12:52 AM   #1
winxandlinx
Member
 
Registered: May 2006
Posts: 141

Rep: Reputation: 15
Iptables rules for basic firewall


Hi Everyone,

I am using Red Hat 9, and in that I have iptables. I want to block everything in it first, meaning packets coming from outside to iptables and packets going from the local network to the internet through iptables. Tell me the rule for this process so that I can understand it; later on let me enable the other rules here. Help with this issue and with making me understand iptables is really appreciated and really helpful for me.

Thanks & Regards
winxandlinx

Last edited by winxandlinx; 10-17-2006 at 12:55 AM.
 
Old 10-17-2006, 02:00 AM   #2
Samotnik
Member
 
Registered: Jun 2006
Location: Belarus
Distribution: Debian GNU/Linux testing/unstable
Posts: 471

Rep: Reputation: 40
Well,
Code:
# -P sets a chain's default policy; the policy must be ACCEPT or DROP
# (DENY is an old ipchains target and is not accepted by iptables)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
 
Old 10-17-2006, 02:22 AM   #3
winxandlinx
Member
 
Registered: May 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Thanks.

Just tell me whether INPUT denotes traffic from the LAN to the internet, and OUTPUT denotes packets coming from the internet to the LAN?

Last edited by winxandlinx; 10-17-2006 at 02:29 AM.
 
Old 10-17-2006, 02:53 PM   #4
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Quote:
Originally Posted by winxandlinx
Just tell me whether INPUT denotes traffic from the LAN to the internet, and OUTPUT denotes packets coming from the internet to the LAN?
No, INPUT denotes a chain (a path, way, stack or queue) that all packets destined for your host traverse (on any interface). Any packet meant for your box (on any interface) will come into INPUT, and hence to apply any rule to these packets we use the INPUT chain.
Similarly, OUTPUT denotes any packet that has originated from your host (box, computer).

Hope this clears your doubt.
 
Old 10-18-2006, 01:17 AM   #5
winxandlinx
Member
 
Registered: May 2006
Posts: 141

Original Poster
Rep: Reputation: 15
Thanks for it, now it is clarified.

Now initially I enable these rules in my firewall:

Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Now I want to enable web browsing for my LAN. The thing is, they want to access the internet only in Internet Explorer or Mozilla.

What rule should I put? It will be very much appreciated.

Thanks & Regards
winxandlinx

Last edited by winxandlinx; 10-18-2006 at 02:40 AM.
 
Old 10-18-2006, 09:17 AM   #6
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Quote:
Originally Posted by winxandlinx
Now I want to enable web browsing for my LAN. The thing is, they want to access the internet only in Internet Explorer or Mozilla.
Do you have any proxy server set up at your box? (Or if not, what are your plans / how do you provide browsing access to your LAN users?)
Probably, if you have a proxy server set up, you have to run:

Code:
# let LAN clients reach the proxy port on this box
iptables -A INPUT -p tcp -i <lan-eth-interface> -s <lan-ip>/<netmask> --dport <proxy-port> -j ACCEPT
# let the proxy's replies go back out to the LAN
iptables -A OUTPUT -o <lan-eth-interface> -m state --state ESTABLISHED,RELATED -j ACCEPT

or
you could use masquerading for all your users.
Run:

Code:
# rewrite LAN source addresses to the address of the internet interface
iptables -t nat -A POSTROUTING -o <internet-ethernet> -s <lan-ip-series>/<netmask> -j MASQUERADE
PRIOR to this, all your clients should have you as their default gateway and have your DNS server IP in their DNS entries.

___________________
With best regards,
Amit..
--
Quote:
Originally Posted by Albert Einstein
Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world.
--
RSYNC tutorial : http://www.amitsharma.linuxbloggers.com/how_to_rsync.htm
FIND command tutorial : http://amitsharma.linuxbloggers.com/how_to_find.htm
Samba tutorial : http://www.amitsharma.linuxbloggers.com/how_to_samba.htm
Port forwarding tutorial: http://amitsharma.linuxbloggers.com/portforwarding.htm
 
Old 10-27-2006, 06:08 AM   #7
winxandlinx
Member
 
Registered: May 2006
Posts: 141

Original Poster
Rep: Reputation: 15
In my situation, I am not using any proxy server.

My local LAN users are getting internet access via a gateway; the gateway machine is iptables.

So tell me how I can enable only browsing for my local LAN.

Thanks & Regards
winxandlinx
 
Old 10-27-2006, 07:12 AM   #8
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Quote:
Originally Posted by winxandlinx
In my situation, I am not using any proxy server.

My local LAN users are getting internet access via a gateway; the gateway machine is iptables.

So tell me how I can enable only browsing for my local LAN.

Thanks & Regards
winxandlinx
Then you can use masquerading as suggested in my previous post, or, if you have a static IP address at your internet interface, you should opt for SNATing.
Code:
# DNS lookups from the LAN leave with the gateway's internet address
iptables -t nat -A POSTROUTING -d <dns-server-ip> -j SNAT --to <your-internet-eth-ip>
# web traffic (multiport needs -p tcp and takes --dports)
iptables -t nat -A POSTROUTING -p tcp -m multiport --dports 80,443 -j SNAT --to <your-internet-eth-ip>
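As an added example (not code from the thread), here is the complete "browsing only" gateway ruleset the thread builds up put together in one script: DROP as the default policy in all three chains, state rules for replies, LAN-to-internet HTTP/HTTPS and DNS only, and masquerading. The interface names (eth0/eth1) and the LAN range are assumptions; change them for your box.

```shell
#!/bin/sh
# Added example, not code from the thread: a complete "browsing only" gateway
# ruleset. Interface names and the LAN range below are assumptions.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"               # interface facing the internet (assumed)
LAN_IF="${LAN_IF:-eth1}"               # interface facing the LAN (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed LAN address range

# Every rule goes through this wrapper so the binary can be swapped (e.g. for a dry run).
rule() { "$IPT" "$@"; }

gateway_rules() {
    # Start clean and make DROP the default in all three chains. On a gateway
    # the LAN-to-internet traffic crosses FORWARD; INPUT/OUTPUT only cover
    # packets to and from the gateway itself.
    rule -F
    rule -t nat -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP

    # Local processes talk to each other over loopback.
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT

    # Replies to connections that were already accepted are let through.
    rule -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections from the LAN to the internet: HTTP/HTTPS and DNS only.
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
         -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

    # Hide the LAN behind the gateway's internet address (use SNAT --to <ip> if it is static).
    rule -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

apply_gateway() {
    echo 1 > /proc/sys/net/ipv4/ip_forward   # the kernel must route between the interfaces
    gateway_rules
}

# "sh firewall.sh apply" (as root) loads the rules; without an argument only the functions are defined.
case "${1:-}" in apply) apply_gateway ;; esac
```

Run it with `IPT=echo sh firewall.sh apply` first to see the exact iptables commands it would issue before loading them for real.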