  1. #1
    Just Joined!
    Join Date
    Apr 2007
    Posts
    2

    IPtables help


    Hi,

    I'm setting up an apache cluster using ipvsadm
    using a linux server as a router. My linux server
    has two NIC's and I have this script

    #!/bin/sh

    EXTIF="eth1"   # external (Internet-facing) interface
    INTIF="eth0"   # internal (LAN-facing) interface
    # Clearing any existing rules and setting default policy
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -t nat -F
    # FWD: Allow all connections OUT and only existing and related ones IN
    iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    # Enabling SNAT (MASQUERADE) functionality on $EXTIF
    iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    to make the linux server a linux router.

    I want to block all the ports on the external NIC ($EXTIF) except for ports 80,443,20,21.

    Can someone give me some info on how to modify this script so that I can
    block all the ports except for the ones I've mentioned.

    Thanks

  2. #2
    Linux User DOllaBillz217
    Join Date
    Mar 2007
    Location
    St. Louis, MO
    Posts
    263
    You can allow and deny in /etc/hosts.allow and /etc/hosts.deny files, but it's probably best to have an iptables script in place. Go to www.netfilter.org and it will explain everything you need to know in order to complete this.
    $Billz

    How much wood would a wood chuck chuck if a wood chuck could chuck wood? None they eat plants!

    Dell Optiplex GX260, LTSP Diskless Workstation, Fedora Core 6

  3. #3
    Linux Newbie framp
    Join Date
    Jul 2006
    Location
    Stuttgart, Germany
    Posts
    240
    Quote Originally Posted by suseman3
    I want to block all the ports on the external NIC ($EXTIF) except for ports 80,443,20,21.
    Hm ... actually all these ports are already blocked for connections not requested from your local net. Your default rule for forwarding is DROP which is fine. So your setup is secure.
    There is one issue: You accept all connections to your router
    Code:
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    which might be risky. But if you don't have any services running on your router that's OK. I suggest to remove the 4 lines if there is no strong reason for them. You should have all ports closed and open only the ports which have to be open.
    "Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds
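As an added example (not code from the thread or from any of its posters), here is the script from post #1 reworked along the lines framp suggests: the router's INPUT chain defaults to DROP, loopback, the LAN side and replies to the router's own traffic are allowed, and only the ports the question names (80, 443, 20, 21) accept new connections on $EXTIF. The forwarding and MASQUERADE rules are kept as posted. It assumes the interface names from the post; the ipt wrapper, the DRY_RUN switch and the count_external_accepts function are my own additions so the rule set can be previewed without root.

```sh
#!/bin/sh
# Added example, not from the thread: router firewall with INPUT default DROP
# and a short allow list on the external interface.
# Interface names are the ones from the post (assumption); adjust for your box.
EXTIF="${EXTIF:-eth1}"
INTIF="${INTIF:-eth0}"

# ipt: print the rule when DRY_RUN is set, otherwise run iptables for real.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

firewall_rules() {
    # Flush everything, then make DROP the default for traffic to and through
    # the router; outgoing traffic from the router itself stays open.
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -F FORWARD
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Router itself: loopback, replies to its own connections, and the LAN side.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$INTIF" -j ACCEPT

    # External interface: only the listed ports may open new TCP connections;
    # everything else on $EXTIF falls through to the DROP policy.
    for port in 80 443 20 21; do
        ipt -A INPUT -i "$EXTIF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Forwarding and SNAT exactly as in the original script.
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# count_external_accepts: how many INPUT ACCEPT rules the script emits for
# $EXTIF (one per allowed port), computed from a dry run.
count_external_accepts() {
    ( DRY_RUN=1; firewall_rules ) | grep -c -- "-A INPUT -i $EXTIF .* -j ACCEPT"
}

# "sh fw.sh apply" loads the rules (needs root); anything else just prints them.
case "${1:-}" in
    apply) firewall_rules ;;
    *)     ( DRY_RUN=1; firewall_rules ) ;;
esac
```

Run it without arguments first to review the generated rules, then with `apply` as root. One caveat on the FTP ports: port 21 is what clients connect to; the data connection on port 20 is opened outbound by the server in active mode, and passive-mode data connections use high ports that the ESTABLISHED,RELATED rule only matches when the FTP connection-tracking helper module is loaded.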
