  1. #1

    iptables firewall urgent - port block not working


    I have given my full setup info below, step by step.

    Note: when any of the links goes down I need to use the other link for both HTTP and mail. By default mail goes through the 1.5 firewall and HTTP goes through the 1.6 firewall.

    ---------------ftp & http
    ---------------(1.129)-------(1.6 & 0.5)---(0.1)
    Client ----->TrendMicro---=firewall-1 ----dsl-2
    (8080) | Proxy
    Setting |
    -------->smtp & pop3-------->(1.5& 0.5) (0.1)

    1. #Default POLICIES

    iptables -P INPUT DROP

    iptables -P OUTPUT ACCEPT

    iptables -P FORWARD DROP

    2. I need to allow port 80 only through the Trend Micro proxy, and it is successful:
    iptables -A FORWARD -s -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -s -p udp --dport 80 -j ACCEPT
    iptables -A FORWARD -s -p udp --dport 80 -j DROP

    Using the above rules, traffic from the internal client machines is only allowed through the
    proxy server. But for mail it uses another DSL line (refer to the diagram above). One of my client IPs is
    gateway may change anytime depending on link status. Suppose a link goes down: I just interchange the IPs on both servers instead of going to each PC and changing the gateway. Second, I will change the proxy (1.129) gateway also to
    1.5. Till the link comes up I will use that. In case the other DSL (1.6) goes down I will just change the proxy gateway to 1.5.

    Now I want to allow only SMTP, POP3 and DNS for all ( and I added the below rules in both firewalls (1.5 & 1.6):
    iptables -A FORWARD -s -p tcp --dport 25 -j ACCEPT
    iptables -A FORWARD -s -p udp --dport 25 -j ACCEPT
    iptables -A FORWARD -s -p tcp --dport 110 -j ACCEPT
    iptables -A FORWARD -s -p udp --dport 110 -j ACCEPT

    To block all the other ports I have added the below entry. But it completely disables all ports. ($privports = 0:1023)
    iptables -A FORWARD -s -p tcp --dport $privports -j REJECT

    How will I disable the 0:1023 ports except for the below two conditions?
    1. HTTP traffic accepted only through
    2. SMTP and POP3 should be allowed from both networks.

    Please advise.


  2. #2
    Just Joined! | Join Date: Mar 2006 | Lawrence KS USA
    I think what you want to do is set the default policy of REJECT for the FORWARD chain, then apply your specific allow rules.

    iptables -P FORWARD REJECT

    This sets the chain policy to reject. All other rules applied after that will be allowed, and anything not specified will be rejected.
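The rule set the original poster is after, as an added example that is not code from either post in this thread. It keeps the poster's `FORWARD DROP` policy rather than the reply's `-P FORWARD REJECT`, because a built-in chain policy only accepts ACCEPT or DROP; the "reject everything else in 0:1023" behaviour comes instead from a REJECT rule placed after the ACCEPT rules, which is also why the poster's REJECT line must come last. The source addresses that are missing from the posted rules are assumed placeholders here (LAN_NET, PROXY_IP); the `forward_verdict` function is a small dry-run of the generated chain, so the ordering can be checked without root or a live firewall:

```shell
#!/bin/sh
# Added example, not code from the thread. Generates and dry-runs the FORWARD
# chain described by the poster: HTTP only from the proxy, SMTP/POP3/DNS from
# the whole LAN, every other privileged port rejected, everything else dropped
# by the chain policy. The network and addresses are ASSUMED placeholders.
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed internal network
PROXY_IP="${PROXY_IP:-192.168.1.129}"     # assumed Trend Micro proxy (the thread's ".129")

# Print the rule set rather than applying it, so it can be reviewed first and
# then loaded with:  sh this_script.sh --print | sudo sh
gen_forward_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $PROXY_IP -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s $LAN_NET -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s $LAN_NET -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s $LAN_NET -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s $LAN_NET -p tcp --dport 0:1023 -j REJECT --reject-with tcp-reset
iptables -A FORWARD -s $LAN_NET -p udp --dport 0:1023 -j REJECT
EOF
}

# Does host $1 match rule source $2?  Empty means "any"; only exact hosts
# and /24 networks are understood (enough for the placeholders above).
src_matches() {
  [ -z "$2" ] && return 0
  case "$2" in
    */24) [ "${1%.*}" = "${2%.*}" ] ;;
    *)    [ "$1" = "$2" ] ;;
  esac
}

# Dry-run a NEW connection through the generated chain the way netfilter
# does: the first matching rule wins, otherwise the chain policy (DROP) applies.
# usage: forward_verdict SRC_IP PROTO DPORT   -> prints ACCEPT, REJECT or DROP
forward_verdict() {
  src=$1; proto=$2; dport=$3
  verdict=$(gen_forward_rules | while read -r cmd; do
    case "$cmd" in "iptables -A FORWARD "*) ;; *) continue ;; esac
    set -- $cmd
    r_src=""; r_proto=""; r_lo=""; r_hi=""; r_tgt=""; r_state=""
    while [ $# -gt 0 ]; do
      case "$1" in
        -s)      r_src=$2; shift ;;
        -p)      r_proto=$2; shift ;;
        --dport) r_lo=${2%%:*}; r_hi=${2##*:}; shift ;;
        --state) r_state=$2; shift ;;
        -j)      r_tgt=$2; shift ;;
      esac
      shift
    done
    # a state-only rule never matches a brand-new connection
    [ -n "$r_state" ] && continue
    [ -n "$r_proto" ] && [ "$r_proto" != "$proto" ] && continue
    if [ -n "$r_lo" ] && { [ "$dport" -lt "$r_lo" ] || [ "$dport" -gt "$r_hi" ]; }; then
      continue
    fi
    src_matches "$src" "$r_src" || continue
    echo "$r_tgt"; exit 0
  done)
  echo "${verdict:-DROP}"
}

if [ "${1:-}" = "--print" ]; then
  gen_forward_rules
fi
```

Two points the dry-run makes visible. First, the ESTABLISHED,RELATED rule has to sit at the top: with a DROP policy and only `--dport` ACCEPT rules, the reply packets coming back from the mail or web server would otherwise be dropped in FORWARD. Second, the REJECT rules for 0:1023 only reject what the ACCEPT rules above them did not already take, so a LAN host still reaches port 25 while its direct port 80 attempt (bypassing the proxy) is refused; anything outside the privileged range falls through to the DROP policy.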


