  1. #1
    Just Joined!
    Join Date
    Jun 2008
    Posts
    3

    Running customised firewall in RHEL 4


    I have created a custom firewall script in RHEL 4. Let me explain the steps which I followed.


    eth0 - Internal LAN
    eth1 - External LAN


    During the installation of RHEL 4, I enabled the firewall, and after booting to X Windows I selected enable firewall and defined the default and customised ports.

    When my client systems tried to access the internet, they couldn't access it, but when I ran the custom firewall script (fw) they could.

    Now the problem is that when I run the command

    iptables -L ----- it processes the fw rules as well as the ports defined in the GUI firewall

    even the command service iptables status --- throws the same result.

    How do I make Linux run my customised firewall, since it seems to run the inbuilt iptables script?

    The problem is that I have defined some customised ports, but when I try to access the ports which are not defined, it accepts the connection.

    Even the PREROUTING iptables command does not run, since I need to access a webserver on the private LAN configured on port 8080.

    Can anybody help?

    Sud



    ************************************************** ************************************************** **********************

    #! /bin/sh
    #
    #
    # Desc: FireWall Script for a Linux-Based Gateway System.
    # This script considers the Host to be Gateway-With-FireWall,
    # It takes a restrictive approach, thus allowing only the
    # required ports & connections to pass thru.
    #

    #
    # --- DECLARE ALLOWED PORTS --- #
    #
    # Allow Set-A:
    TCP_ALLOW_A="20,21,22,80,81,110"
    UDP_ALLOW_A="20,21,22,80,81,110"
    #
    #
    # --- DECLARE VARIABLES ---
    #
    # Internal Interface/Internal LAN Adapter:
    INTR=eth0
    #
    # External Interface/External (Public/Static-IP) Adapter:
    EXTR=eth1
    #
    # Gateway/Firewall's Internal (LAN) IP:
    IN_IP="192.168.3.111"
    #
    # Gateway/Firewall's External (Public/Static) IP:
    OUT_IP="222.x.y.z"

    #
    # ISP's Gateway:
    ISP_GT="222.x.y7.z"

    #
    # DNS/Nameserver-A:
    DNS_A="205.x.y.z"

    #
    # DNS/Nameserver-B:
    DNS_B="205.x.y1.z1"

    #
    # Trusted Host:
    TRST_HOST="192.168.3.0/24"
    #

    TRST_EXT_HOST="222.x1.y1.z2"



    #
    # --- POLICY SETUP ---
    #
    # Flush Existing/Stale Rules (if any):
    /sbin/iptables -F
    /sbin/iptables -t filter -F
    /sbin/iptables -t mangle -F
    /sbin/iptables -t nat -F
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    #

    # NOTE: the RHEL init script loads the saved ruleset from /etc/sysconfig/iptables
    # on "start", so the rules defined by the GUI firewall tool are reinstalled here,
    # after the flush above and before this script's own rules.
    service iptables stop
    service iptables start
    #



    # Setup Restrictive Policy:
    /sbin/iptables --policy INPUT DROP
    /sbin/iptables --policy OUTPUT DROP
    /sbin/iptables --policy FORWARD DROP
    #


    # -- Anti IP-Spoofing --*-
    for f in /proc/sys/net/ipv4/conf/*/rp_filter;do
    /bin/echo "1" > $f
    done
    #


    # -- SYN-Flood Protection:
    sysctl -w net.ipv4.tcp_syncookies=1
    #

    # -- IP-Forward Enable:
    echo "1" > /proc/sys/net/ipv4/ip_forward
    #
    # -----*-----

    # Allow local/loopback device traffic:
    /sbin/iptables -A OUTPUT -s localhost -d localhost -j ACCEPT
    /sbin/iptables -A INPUT -s localhost -d localhost -j ACCEPT
    #

    # Allow Ping/ICMP Packets:
    # NOTE: these two rules carry no "-p icmp" (or any other) match, so they
    # accept every packet on INPUT and OUTPUT, not only ICMP.
    /sbin/iptables -A INPUT -j ACCEPT
    /sbin/iptables -A OUTPUT -j ACCEPT
    #

    #
    # --- FireWall Rules ---
    #
    # INPUT Chain:-
    # Accept SSH Connections from Trusted Host:
    /sbin/iptables -t filter -A INPUT -i $INTR -s $TRST_HOST -p tcp --dport 22 -j ACCEPT
    /sbin/iptables -t filter -A INPUT -i $INTR -s $TRST_HOST -p udp --dport 22 -j ACCEPT
    #
    /sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_HOST -p tcp --sport 22 -j ACCEPT
    /sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_HOST -p udp --sport 22 -j ACCEPT

    /sbin/iptables -t filter -A INPUT -i $EXTR -s $TRST_EXT_HOST -p tcp --dport 22 -j ACCEPT
    /sbin/iptables -t filter -A INPUT -i $EXTR -s $TRST_EXT_HOST -p udp --dport 22 -j ACCEPT
    #
    /sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_EXT_HOST -p tcp --sport 22 -j ACCEPT
    /sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_EXT_HOST -p udp --sport 22 -j ACCEPT
    #

    # Forward DNS Requests:


    #not done yet

    #
    # FORWARD Chain:-


    # Allow Connections from Valid (Allowed) Ports:


    /sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -p tcp -m state --state NEW -m multiport --dports $TCP_ALLOW_A -j ACCEPT

    /sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -p udp -m state --state NEW -m multiport --dports $UDP_ALLOW_A -j ACCEPT


    # ---- -----------------------------------
    # NOTE: DO NOT ADD/REMOVE ANYTHING AFTER THIS LINE:
    # ---- -----------------------------------
    #
    # --- MASQUERADE All-CONNECTIONS ---
    #
    /sbin/iptables -t nat -A POSTROUTING -o $EXTR -j MASQUERADE
    #
    # --- --- --- END --- --- --- #
    ************************************************** ************************************************** ************************
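    Both symptoms Sud describes (the GUI ports showing up in iptables -L, and undefined ports being accepted) can be read off the script itself: service iptables start after the flush reloads the saved ruleset, and the two rules under "Allow Ping/ICMP Packets" carry no match options, so they accept everything. The following Python lint, an added example that is not from this thread, flags both patterns in a firewall script; its MATCH_OPTS set covers only the iptables options used in the posted script, and its sample input is constructed from the posted lines.

```python
import shlex

# Options that narrow a rule; an appended rule carrying none of them matches
# every packet on its chain (the set covers the options used in the script above).
MATCH_OPTS = {"-s", "--source", "-d", "--destination", "-p", "--protocol",
              "-i", "--in-interface", "-o", "--out-interface", "-m", "--match",
              "--dport", "--sport", "--dports", "--sports"}

def lint_iptables_script(text):
    """Return (line_no, message) findings for an iptables shell script."""
    findings, policies = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        prog = argv[0].rsplit("/", 1)[-1]
        # RHEL's init script loads /etc/sysconfig/iptables on start/restart,
        # so calling it mid-script layers the saved (GUI) rules onto yours.
        if prog == "service" and argv[1:3] in (["iptables", "start"], ["iptables", "restart"]):
            findings.append((no, "service iptables %s reloads /etc/sysconfig/iptables" % argv[2]))
            continue
        if prog != "iptables":
            continue
        for opt in ("-P", "--policy"):  # remember each chain's default policy
            if opt in argv:
                i = argv.index(opt)
                policies[argv[i + 1]] = argv[i + 2]
        if "-A" in argv and "-j" in argv:
            chain = argv[argv.index("-A") + 1]
            target = argv[argv.index("-j") + 1]
            if target == "ACCEPT" and not any(a in MATCH_OPTS for a in argv):
                findings.append((no, "unconditional ACCEPT on %s (policy %s) matches every packet"
                                 % (chain, policies.get(chain, "unset"))))
    return findings

# Constructed sample: the relevant lines of the posted script, in their original order.
SAMPLE = """\
service iptables stop
service iptables start
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
# Allow Ping/ICMP Packets:
/sbin/iptables -A INPUT -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
"""
```

    Running lint_iptables_script(SAMPLE) reports line 2 (the reload) and lines 6 and 7 (the catch-all ACCEPTs); adding -p icmp to those two rules clears the second finding.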

  2. #2
    Just Joined! vigour's Avatar
    Join Date
    Oct 2007
    Posts
    68
    1. Disable the Firewall

    Enabling or disabling the firewall is nothing but injecting, or not injecting, certain iptables rules.

    2. Start your stuff

    3. You can save your rules by running:

    Code:
    service iptables save
    This will apply your rules at boot time. Thus every time you change something, you can save it and it will be run on the next boot.

  3. #3
    Just Joined!
    Join Date
    Jun 2008
    Posts
    3
    You mean to say

    I should first use the command

    service iptables stop

    then run my firewall script and save changes?
    Correct me if I'm wrong.

  5. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Simple steps:

    1. run service iptables stop
    2. run your script
    3. run iptables save

    Iptables reads /etc/sysconfig/iptables to get its rules. Step 2 overwrites this file with the rules that are in memory (your new rules) when it is executed.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  6. #5
    Just Joined! vigour's Avatar
    Join Date
    Oct 2007
    Posts
    68
    Exactly

  7. #6
    Just Joined!
    Join Date
    Jun 2008
    Posts
    3
    Thanks, I will check the same and revert back in case of any queries.
