[sud.tech]

I have created a custom firewall script in RHEL 4 .Let me explain the steps which i followed .


etho -Internal lan
eth1 -External lan


During the installtion of RHEL 4 ,i enabled Firewall and after booting to x windows i selected enable firewall and defined the defined and customised ports .

When my client systems tried to access the internet ,they could'nt access ,but when i ran the custom firewall script(fw) they could access .

Now the problem is that when i run the command

iptables -L ----- It processes the fw as well as the ports defined in the gui firewall

even the command service iptables status --- throws the same result.

How do i make ,linux run my customised firewall ,since it seems to run the inbilt iptables script.

The problemm is that i have defined some customised ports ,but when i try to access the ports which are not defined ,it accepts the connection .

Even the PREROUTING iptables command does not run,since i need to access a webserver on private lan configured on port 8080.

Can anybody help

Sud



************************************************** ************************************************** **********************

#! /bin/sh
#
#
# Desc: FireWall Script for a Linux-Based Gateway System.
# This script considers the Host to be Gateway-With-FireWall,
# It takes a restrictive approach, thus allowing only the
# required ports & connections to pass thru.
#

#
# --- DECLARE ALLOWED PORTS --- #
#
# Allow Set-A:
TCP_ALLOW_A="20,21,22,80,81,110"
UDP_ALLOW_A="20,21,22,80,81,110"
#
#
# --- DECLARE VARIABLES ---
#
# Internal Interface/Internal LAN Adapter:
INTR=eth0
#
# External Interface/External (Public/Static-IP) Adapter:
EXTR=eth1
#
# Gateway/Firewall's Internal (LAN) IP:
IN_IP="192.168.3.111"
#
# Gateway/Firewall's External (Public/Static) IP:
OUT_IP="222.x.y.z"

#
# ISP's Gateway:
ISP_GT="222.x.y7.z"

#
# DNS/Nameserver-A:
DNS_A="205.x.y.z"

#
# DNS/Nameserver-A:
DNS_B="205.x.y1.z1"

#
# Trusted Host:
TRST_HOST="192.168.3.0/24"
#

TRST_EXT_HOST="222.x1.y1.z2"



#
# --- POLICY SETUP ---
#
# Flush Existing/Stale Rules (if any):
/sbin/iptables -F
/sbin/iptables -t filter -F
/sbin/iptables -t mangle -F
/sbin/iptables -t nat -F
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#

service iptables stop
service iptables start
#



# Setup Restrictive Policy:
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
#


# -- Anti IP-Spoofing --*-
for f in /proc/sys/net/ipv4/conf/*/rp_filter;do
/bin/echo "1" > $f
done
#


# -- SYN-Flood Protection:
sysctl -w net.ipv4.tcp_syncookies=1
#

# -- IP-Forward Enable:
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# -----*-----

# Allow local/loopback device traffic:
/sbin/iptables -A OUTPUT -s localhost -d localhost -j ACCEPT
/sbin/iptables -A INPUT -s localhost -d localhost -j ACCEPT
#

# Allow Ping/ICMP Packets:
/sbin/iptables -A INPUT -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT
#

#
# --- FireWall Rules ---
#
# INPUT Chain:-
# Accept SSH Connections from Trusted Host:
/sbin/iptables -t filter -A INPUT -i $INTR -s $TRST_HOST -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $INTR -s $TRST_HOST -p udp --dport 22 -j ACCEPT
#
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_HOST -p tcp --sport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_HOST -p udp --sport 22 -j ACCEPT

/sbin/iptables -t filter -A INPUT -i $EXTR -s $TRST_EXT_HOST -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $EXTR -s $TRST_EXT_HOST -p udp --dport 22 -j ACCEPT
#
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_EXT_HOST -p tcp --sport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_EXT_HOST -p udp --sport 22 -j ACCEPT
#

# Forward DNS Requests:


#not done yet

#
# FORWARD Chain:-


# Allow Connections from Valid (Allowed) Ports:


/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -p tcp -m state --state NEW -m multiport --dports $TCP_ALLOW_A -j ACCEPT

/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -p udp -m state --state NEW -m multiport --dports $UDP_ALLOW_A -j ACCEPT


# ---- -----------------------------------
# NOTE: DO NOT ADD/REMOVE ANYTHING AFTER THIS LINE:
# ---- -----------------------------------
#
# --- MASQUERADE All-CONNECTIONS ---
#
/sbin/iptables -t nat -A POSTROUTING -o $EXTR -j MASQUERADE
#
# --- --- --- END --- --- --- #
************************************************** ************************************************** ************************

[vigour]

1. Disable the Firewall

Enabling or disabling the Firewall is nothing but injecting or not certain iptables rules.

2. Start your stuff

3. You can save your rules by running:

Code:

services iptables save

This will apply your rules on boot time. Thus every time you change something, you can save it and it will be ran on the next boot.

[sud.tech]

U mean to say

i should first use the command

Service iptables stop

then run my firewall script and save changes
Correct me if i m wrong

[Lazydog]

Simple sets;

1. run service iptables stop
2. run your script
3. run iptable save

Iptables reads /ect/sysconfig/iptables to get it's rules. Step 2 over rights this file with the rules that are in memory (your new rules) when it is executed.

[vigour]

Exactly

[sud.tech]

Thks ,I will check the same and revert back in case of any queries