  1. #1
    Just Joined! (Join Date: Jan 2011, Posts: 87)

    iptables help

    In the act of full-disclosure, this is in regards to something I am doing at my job.

    I have been given the task of creating a new Linux lab environment. It consists of 3 workstations (Windows 7, Windows XP and Ubuntu) that are all on a 192.168.x.y network. I have an internal Red Hat server that is on the 192.168.x.y network. Finally, I have a Red Hat router/firewall server that has two NICs: one on the 192.168.x.y (eth0) network and one on the 172.16.x.y (eth1) network that gets me out to the internet.

    I am trying to set up iptables rules so that people on the LAN can access Web and FTP without getting outside, and people on the WAN can access Web and FTP without getting inside.

    Here is what I have so far:
    Code:
    #!/bin/bash
    
    # flush existing rules (the options need a leading '-', which was missing)
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -F -t nat
    
    # enable ip forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # enable masquerading on the internet-facing NIC (eth1 in the setup above; -o eth0 would NAT traffic going into the LAN)
    iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
    
    # ICMP packets
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT
    
    # DNS for the router itself: queries leave on eth1 toward port 53, replies come back from port 53
    iptables -A INPUT -i eth1 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth1 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    
    # DNS (forwarded; the second udp line in each block below was a duplicated --sport and is now --dport)
    iptables -A FORWARD -p tcp --sport 53 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
    iptables -A FORWARD -p udp --sport 53 -j ACCEPT
    iptables -A FORWARD -p udp --dport 53 -j ACCEPT
    
    # HTTP
    iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -p udp --sport 80 -j ACCEPT
    iptables -A FORWARD -p udp --dport 80 -j ACCEPT
    
    # HTTPS
    iptables -A FORWARD -p tcp --sport 443 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
    iptables -A FORWARD -p udp --sport 443 -j ACCEPT
    iptables -A FORWARD -p udp --dport 443 -j ACCEPT
    
    # telnet
    iptables -A FORWARD -p tcp --sport 23 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 23 -j ACCEPT
    iptables -A FORWARD -p udp --sport 23 -j ACCEPT
    iptables -A FORWARD -p udp --dport 23 -j ACCEPT
    
    # SSH
    iptables -A FORWARD -p tcp --sport 22 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
    iptables -A FORWARD -p udp --sport 22 -j ACCEPT
    iptables -A FORWARD -p udp --dport 22 -j ACCEPT
    
    # FTP
    iptables -A FORWARD -p tcp --sport 21 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
    iptables -A FORWARD -p udp --sport 21 -j ACCEPT
    iptables -A FORWARD -p udp --dport 21 -j ACCEPT
    Any ideas/suggestions? All help is greatly appreciated.

  2. #2
    Linux User (Join Date: Dec 2009, Posts: 264)
    Suggestion:
    Code:
    #!/bin/bash
    
    # eth0 is the 192.168.x.y LAN and eth1 the 172.16.x.y uplink, as described in the first post
    Net192="eth0"
    Net172="eth1"
    
    # flush chains and set default policies (REJECT is not a valid chain policy, so DROP is used)
    iptables -F INPUT
    iptables -P INPUT DROP
    iptables -F OUTPUT
    iptables -P OUTPUT ACCEPT
    iptables -F FORWARD
    iptables -P FORWARD DROP
    
    # user-defined chain for traffic forwarded from the LAN
    iptables -N forward_lan
    iptables -F forward_lan
    
    # enable ip forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # enable masquerading (left disabled, see the note about NAT below)
    #iptables -A POSTROUTING -t nat -o $Net172 -j MASQUERADE
    # ICMP packets
    
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT
    
    # allow incoming DNS requests from the LAN
    iptables -A INPUT -i $Net192 -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -i $Net192 -p udp --dport 53 -j ACCEPT
    # allow incoming SSH from the LAN
    iptables -A INPUT -i $Net192 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i $Net192 -p udp --dport 22 -j ACCEPT
    
    # set FORWARD policy: replies to accepted connections first, then LAN-originated traffic via forward_lan
    # (--state is an option of the state match, so -m state is required)
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $Net192 -j forward_lan
    
    # DNS
    iptables -A forward_lan -p tcp --dport 53 -j ACCEPT
    iptables -A forward_lan -p udp --dport 53 -j ACCEPT
    
    # HTTP
    iptables -A forward_lan -p tcp --dport 80 -j ACCEPT
    iptables -A forward_lan -p udp --dport 80 -j ACCEPT
    
    # HTTPS
    iptables -A forward_lan -p tcp --dport 443 -j ACCEPT
    iptables -A forward_lan -p udp --dport 443 -j ACCEPT
    
    # telnet
    iptables -A forward_lan -p tcp --dport 23 -j ACCEPT
    iptables -A forward_lan -p udp --dport 23 -j ACCEPT
    
    # SSH
    iptables -A forward_lan -p tcp --dport 22 -j ACCEPT
    iptables -A forward_lan -p udp --dport 22 -j ACCEPT
    
    # FTP
    iptables -A forward_lan -p tcp --dport 21 -j ACCEPT
    iptables -A forward_lan -p udp --dport 21 -j ACCEPT
    You don't need NAT if the destination servers are allowed to know who is connecting.
    You will need to set the route to your Red Hat router in your internet router.

  3. #3
    Linux Guru Lazydog (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    A lot more information is required in order to set up the firewall properly. IP addresses need to be known for the web and FTP servers. Also, what are you talking about:

    Quote:
    I am trying to set up iptables rules so that people on the LAN can access Web and FTP without getting outside, and people on the WAN to access Web and FTP without getting inside.
    Are the services inside or outside? If they are on the outside then the inside has already gotten out, and if the servers are on the inside then the outside has already gotten in.

    Are you looking to allow the LAN to access the web and ftp servers on the internet and if not where are the servers located that you want to give them access to.

    Where are the servers located that you want to allow the WAN connection to get to?

    Another thing you do not want to do is mix STATEFUL with STATELESS firewall rules. Either make the firewall a STATEFUL firewall or a STATELESS one, not mixed.

    Regards
    Robert

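    The stateful/stateless mix Robert warns about is easy to check mechanically from iptables-save output: a ruleset that has an ESTABLISHED,RELATED rule and also ACCEPTs traffic purely by source port is doing both at once, and the source-port rules admit anything that sets its source port to the "trusted" value. The script below is an added example, not code posted in this thread; the ruleset it inspects is constructed for the example and reproduces the pattern of the first post.

```shell
#!/bin/sh
# Added example: audit iptables-save text for rules that mix stateful and
# stateless styles. SAMPLE_RULES is constructed for this example, not taken
# from a real firewall.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp --sport 80 -j ACCEPT
-A FORWARD -p udp --sport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
COMMIT'

# Number of rules that rely on connection tracking (state or conntrack match).
count_stateful() {
    printf '%s\n' "$1" | grep -c -e '--state ' -e '--ctstate ' || true
}

# ACCEPT rules keyed on a source port with no state match at all. In a
# stateful ruleset these are redundant for replies and a hole for everything
# else, because the source port is chosen by the sender.
find_sport_holes() {
    printf '%s\n' "$1" | grep -e '-j ACCEPT' | grep -e '--sport ' \
        | grep -v -e '--state ' -e '--ctstate ' || true
}

# Verdict for a whole ruleset: mixed, stateful, stateless or none.
classify() {
    stateful=$(count_stateful "$1")
    holes=$(find_sport_holes "$1" | grep -c . || true)
    if [ "$stateful" -gt 0 ] && [ "$holes" -gt 0 ]; then
        echo mixed
    elif [ "$stateful" -gt 0 ]; then
        echo stateful
    elif [ "$holes" -gt 0 ]; then
        echo stateless
    else
        echo none
    fi
}

# Report on the constructed sample.
classify "$SAMPLE_RULES"          # prints: mixed
find_sport_holes "$SAMPLE_RULES"  # the two FORWARD rules keyed on --sport
```

    On the router itself the same check runs against the live tables with `classify "$(iptables-save)"`; the lines `find_sport_holes` lists are the ones to replace with a single ESTABLISHED,RELATED rule plus --dport rules for NEW connections.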

  4. #4
    Linux Enthusiast scathefire (Join Date: Jan 2010, Location: Western Kentucky, Posts: 626)
    If you are using passive FTP (i.e. not Windows FTP service) you may also need to add RELATED to your inbound state since the server will tell the client which port to connect on. If you go stateless though, and you are using vsftpd, or any other I would imagine, you can limit the data port range to something more specific, say 60000-65000.

  5. #5
    Just Joined! (Join Date: Jan 2011, Posts: 87)
    Quote:
    Are the services inside or outside? If they are on the outside then the inside has already gotten out, and if the servers are on the inside then the outside has already gotten in.
    All of my equipment is internal except for the RHEL server that is doing the routing.

    Quote:
    Are you looking to allow the LAN to access the web and ftp servers on the internet, and if not, where are the servers located that you want to give them access to?
    This is exactly what I'd like to do.

    Quote:
    Where are the servers located that you want to allow the WAN connection to get to?
    I was thinking, servers that are on our production network.

  6. #6
    Linux Guru Lazydog (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    Quote Originally Posted by pauhn
    Are the services inside or outside? If they are on the outside then the inside has already gotten out, and if the servers are on the inside then the outside has already gotten in.
    All of my equipment is internal except for the RHEL server that is doing the routing.
    So you are not setting up a lab that is internal to the LAN, but a LAN that you want to give internet access to.

    Quote Originally Posted by pauhn
    Are you looking to allow the LAN to access the web and ftp servers on the internet, and if not, where are the servers located that you want to give them access to?
    This is exactly what I'd like to do.
    OK, this is not that hard to do.

    Quote Originally Posted by pauhn
    Where are the servers located that you want to allow the WAN connection to get to?
    I was thinking, servers that are on our production network.
    I would think twice about this. If you must give internet access to servers then I would place those servers in a DMZ for security reasons. What are your options?

    Regards
    Robert

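    The three pieces of advice in this thread (make the ruleset fully stateful as in post #3, let RELATED carry the passive-FTP data connection as in post #4, and put anything the WAN may reach in a DMZ as in post #6) fit in one short script. The following is an added example, not a script from any of the posters. It assumes eth0 is the 192.168.x.y LAN side and eth1 the 172.16.x.y internet side as in the first post, and invents a third NIC eth2 with a 10.10.10.0/24 DMZ and two constructed server addresses. The IPT variable lets the whole thing be dry-run: `sh fw.sh` prints the rules, `sh fw.sh apply` loads them as root.

```shell
#!/bin/sh
# Added example, not from the thread: stateful ruleset for a LAN / DMZ / WAN
# router. eth0 = LAN and eth1 = internet follow post #1; eth2 and the
# 10.10.10.0/24 DMZ addresses are constructed assumptions.

IPT=${IPT:-iptables}
LAN_IF=eth0
WAN_IF=eth1
DMZ_IF=eth2                 # hypothetical third NIC for public-facing servers
LAN_NET=192.168.0.0/16      # the 192.168.x.y network from post #1
DMZ_WEB=10.10.10.80         # constructed: public web server in the DMZ
DMZ_FTP=10.10.10.21         # constructed: public FTP server in the DMZ

load_ftp_helper() {
    # Passive FTP: the server announces a data port on the control channel; the
    # conntrack helper reads it so the data connection matches RELATED below.
    modprobe nf_conntrack_ftp 2>/dev/null || true
}

apply_rules() {
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT
    $IPT -t nat -F
    # REJECT cannot be a chain policy; DROP is the valid default-deny.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Stateful core: replies and helper-tracked connections are admitted first,
    # so no rule below needs to (or does) match on --sport.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Router administration only from the LAN side.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # LAN -> internet: NEW connections to the named services only.
    for port in 80 443 21; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

    # WAN -> DMZ: only the published services, only on the hosts that offer them.
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_WEB" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_FTP" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    # WAN -> LAN has no rule at all and falls through to the DROP policy.

    # DMZ -> LAN is never allowed; log it so a compromised DMZ host that tries
    # to reach inward shows up in the kernel log before the policy drops it.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ->LAN blocked: "

    # Only the private LAN range is masqueraded on the internet-facing NIC.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# "sh fw.sh apply" loads the helper and the rules; anything else is a dry run.
if [ "${1:-}" = apply ]; then
    load_ftp_helper
    apply_rules
else
    IPT=echo
    apply_rules
fi
```

    Because every ACCEPT for new traffic is keyed on the inbound and outbound interface, destination and --dport, the rule order reads like the policy: replies, then LAN out, then WAN into the DMZ, then nothing else. The DMZ hosts are assumed to be reachable from the 172.16 side without NAT, which is the case post #2 describes; if they were on private addresses they would need DNAT rules in addition.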
