Need help with an iptables script
I have a small network within the organization. For simplicity, consider that I have 3 systems.

System 1: 192.168.1.10 - acting as webserver
System 2: 192.168.1.1 - acting as firewall
Webserver and firewall are connected through the eth1 interface.
System 3: 192.168.2.10 - any random system which is connected to the firewall through the eth0 interface. (The eth0 on the firewall machine (system 2) is configured with the IP 192.168.2.1.)

I have added the following command to let the traffic go through from eth0 to eth1:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

Now, I want to incorporate some firewall rules.
1: System 1 (webserver) can only access the firewall through SSH.
2: Ping to any machine is disabled.
3: Any traffic from eth0 to eth1 is allowed only when it is for ssh, pop3, http or https.

For these things I configured the following iptables script:
Code:
# Firewall configuration written by system-config-firewall
I'm no expert but I think you have it backwards. Put the last four lines (counting the comment) at the BEGINNING of the script, so that the first thing it does is drop all packets. Then follow with the rules that enable packets on specific ports to/from specific IP addresses.
I can try that tomorrow, but I will wait unless I get some comment from some iptables expert. Thanks anyway.
@alee: At a glance, I think you're missing some important rules:
Code:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

To allow all icmp traffic:
Code:
-A INPUT -p icmp -j ACCEPT

---

@Jim Bengtson: You may be thinking of a different packet filtering firewall (like PF). The iptables/netfilter processing is "first match wins".
Okay, I have made the following changes to my script, but I still can't achieve the desired result.
Code:
# Firewall configuration written by system-config-firewall
So you made those changes and then loaded the new rules?
I'm not sure how other folks manage their rulesets, but I think it would be best to not edit /etc/sysconfig/iptables directly. (Notice the commented text at the top to that effect.) As one example of how you might better manage your ruleset, you could keep a bash script that flushes / loads chains when run, a la: Code:
#!/bin/bash

Troubleshooting your borked ruleset (i.e. the topic of this thread) is another story. Are you familiar with tcpdump and/or do you have a cursory understanding of IP, TCP, and UDP? If so, I have a couple of suggestions. If not, I don't have an easy approach (short of hand holding).
I would be happy to read those suggestions.
Okay, this might be a silly question, but I just checked
Code:
vi /etc/init.d/iptables

I am not a pro in Linux either :$
Do not edit /etc/init.d/iptables in any way.
Here's a sample starting point for you. I whipped this together and it is completely untested. (i.e. Use at your own risk.) It relies on a couple of assumptions on my part, and on snippets from the ruleset you posted.
Code:
#!/bin/bash

Code:
# chmod 700 fw-rules.bash

Code:
# /etc/init.d/iptables save

-------

If you're still not getting the behavior you'd expect, in future posts include the output of iptables -nvL or iptables-save for others to review.
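A complete loader script for the three requirements in the first post, written for this page as an added example. It is not the untested script from the post above (whose body is not preserved here) and not the original poster's ruleset. It takes the interface names and addresses from the first post as assumptions (eth0/192.168.2.1 facing the random systems, eth1/192.168.1.1 facing the webserver at 192.168.1.10), uses the ESTABLISHED,RELATED rule from the earlier reply, and orders everything for the "first match wins" processing that reply describes. The `ipt` wrapper, the dry-run mode and the `rule_count`/`has_rule` helpers are my own additions so the ruleset can be inspected without root.

```shell
#!/bin/bash
# fw-rules.bash: flush and reload the netfilter ruleset for the three-host
# layout in the thread. Added example, not the thread's own script.
# Addresses and interface names below are assumptions taken from the first post.
#
#   ./fw-rules.bash        print the iptables commands (dry run, no root needed)
#   ./fw-rules.bash apply  load the rules (run as root), then "/etc/init.d/iptables save"

set -e

IPT=${IPT:-iptables}           # iptables binary (override with IPT=/sbin/iptables)
WAN_IF=eth0                    # side facing the "random" systems (192.168.2.0/24)
LAN_IF=eth1                    # side facing the webserver (192.168.1.0/24)
WEBSERVER=192.168.1.10         # System 1
FW_LAN_IP=192.168.1.1          # firewall's own address on eth1
FORWARD_PORTS="22 110 80 443"  # ssh, pop3, http, https

# ipt: run iptables, or print the command line instead when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# load_rules issues the whole ruleset in order. iptables is first match wins,
# so the specific ACCEPT/DROP rules come first and the DROP policy catches the rest.
load_rules() {
    # Clean slate: flush all chains, delete user-defined chains, zero counters.
    ipt -F
    ipt -X
    ipt -Z

    # Default deny: a packet that matches no rule hits the chain policy.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback is always allowed.
    ipt -A INPUT -i lo -j ACCEPT

    # Requirement 2: no ping. Echo requests are dropped before the state rule so
    # they never create a conntrack entry, in all three directions (to the
    # firewall, through it, and from it). Other ICMP, e.g. errors for flows we
    # already accepted, still passes as RELATED below.
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
    ipt -A FORWARD -p icmp --icmp-type echo-request -j DROP
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j DROP

    # Replies to connections we accepted. Without these two rules the return
    # traffic of every allowed flow would be dropped by the DROP policies.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Requirement 1: the webserver may reach the firewall only over SSH.
    # No other INPUT rule accepts traffic from eth1, so every other port is closed to it.
    ipt -A INPUT -i "$LAN_IF" -s "$WEBSERVER" -d "$FW_LAN_IP" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Requirement 3: forward eth0 -> eth1 only for ssh, pop3, http and https.
    # eth1 -> eth0 is never accepted as NEW, so the webserver cannot open connections outward.
    for port in $FORWARD_PORTS; do
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# rule_count prints how many iptables commands load_rules issues (dry run).
rule_count() {
    ( DRY_RUN=1; load_rules ) | wc -l | tr -d ' '
}

# has_rule succeeds if the dry-run output contains the given command fragment.
has_rule() {
    ( DRY_RUN=1; load_rules ) | grep -qF -- "$1"
}

case "${1:-show}" in
    apply)
        echo 1 > /proc/sys/net/ipv4/ip_forward   # route between eth0 and eth1
        load_rules
        ;;
    show)
        DRY_RUN=1
        load_rules
        ;;
    *)
        echo "usage: $0 [show|apply]" >&2
        exit 2
        ;;
esac
```

Two practical caveats before running it with `apply`. The ruleset accepts SSH to the firewall only from the webserver, so run it from the console or add an INPUT rule for your admin host on eth0 first, or you lock yourself out. And because echo requests are dropped, ping is useless for testing; check reachability with `tcpdump -ni eth1 port 80` on the firewall while connecting from 192.168.2.10, and watch the per-rule packet counters in `iptables -nvL` to see which rule a packet actually hit. Note that this follows the first post's "ping disabled" requirement rather than the earlier reply's "allow all icmp" suggestion; if you want the firewall to answer pings, replace the three echo-request DROP lines with that reply's `-A INPUT -p icmp -j ACCEPT`.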
With a little modification, it worked. Thanks :)