    #1 (Just Joined! - Join Date: May 2006 - Posts: 3)

    iptables firewall urgent - port block not working


    Hi,

    I have given my full setup info below step by step

    Note: when any of the links goes down I need to use the other link for both HTTP and mail. By default mail goes through the 1.5 firewall and HTTP goes through the 1.6 firewall.

    ---------------ftp & http
    ---------------(1.129)-------(1.6 & 0.5)---(0.1)
    Client ----->TrendMicro---=firewall-1 ----dsl-2
    (8080) | Proxy
    Browser|
    Setting |
    --------------------->firewall-2----dsl-2
    -------->smtp & pop3-------->(1.5& 0.5) (0.1)

    1. #Default POLICIES

    iptables -P INPUT DROP

    iptables -P OUTPUT ACCEPT

    iptables -P FORWARD DROP


    2. I need to allow port 80 only through the Trend Micro proxy, and it is successful:
    iptables -A FORWARD -s 192.168.1.129 -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -s 192.168.1.129 -p udp --dport 80 -j ACCEPT
    iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 80 -j DROP

    Using the above rules, the internal client machines are only allowed through
    the proxy server 192.168.1.129. But for mail they use another DSL line (refer to the diagram above). One of my client IPs is 192.168.1.5,
    mask 255.255.255.0,
    gateway 192.168.1.5.
    The gateway may change at any time depending on link status. Suppose the 192.168.1.5 link goes down: I just interchange the IPs on both servers instead of going to each PC and changing the gateway. Second, I will change the proxy (1.129) gateway also to
    1.5. Till the link comes up I will use that. In case the other DSL (1.6) goes down I will just change the proxy gateway to 1.5.

    Now I want to allow only SMTP, POP3 and DNS for all of 192.168.1.0/24, and I added the below rules in both firewalls (1.5 & 1.6):
    iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 25 -j ACCEPT
    iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 25 -j ACCEPT
    iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 110 -j ACCEPT
    iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 110 -j ACCEPT

    To block all the other ports I have added the below entry. But it completely disables all ports. ($privports = 0:1023)
    iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport $privports -j REJECT

    How will I disable the 0:1023 ports except for the below two conditions?
    1. HTTP traffic accepted only through 192.168.1.129 (proxy)
    2. SMTP and POP3 should be allowed from both networks.

    Please advise.

    Thanks
    Krishnan

    #2 (Just Joined! - Join Date: Mar 2006 - Location: Lawrence KS USA - Posts: 11)

    I think what you want to do is set the default policy of REJECT for the FORWARD chain then apply your specific allow rules.

    iptables -P FORWARD DROP   # REJECT is only valid as a rule target; a chain policy must be ACCEPT or DROP

    This sets the chain policy to reject. All other rules applied after that will be allowed, and anything not specified will be rejected.

    HTH

    Jason
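One way to order the FORWARD chain so that both of the asker's conditions hold, as an added example that is neither the poster's nor the answerer's own rules. It assumes the LAN is 192.168.1.0/24 with the proxy at 192.168.1.129 as in the question, adds a conntrack rule for reply packets and DNS rules that the question mentions but does not show, and defaults to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Same script is meant to run on both
# firewalls (1.5 and 1.6) so gateway swapping for failover keeps working.
# IPT defaults to a dry run; run with IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

LAN=192.168.1.0/24        # assumption: internal network from the question
PROXY=192.168.1.129       # assumption: Trend Micro proxy address from the question
PRIVPORTS=0:1023          # the asker's $privports range

forward_rules() {
    # Deny by default. REJECT is a rule target, not a chain policy.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Replies for already-accepted connections must be forwarded back, or every
    # "allowed" port still looks blocked from the LAN side.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Condition 1: HTTP only from the proxy (browsers point at 1.129:8080).
    $IPT -A FORWARD -s "$PROXY" -p tcp --dport 80 -j ACCEPT

    # Condition 2: SMTP and POP3 from the whole LAN, plus DNS (udp and tcp).
    for port in 25 110; do
        $IPT -A FORWARD -s "$LAN" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A FORWARD -s "$LAN" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -s "$LAN" -p tcp --dport 53 -j ACCEPT

    # Catch-all for the rest of the privileged range. iptables stops at the
    # first matching rule, so this MUST come after the ACCEPT rules; putting
    # it earlier is what "disables all ports".
    $IPT -A FORWARD -s "$LAN" -p tcp --dport "$PRIVPORTS" -j REJECT --reject-with tcp-reset
    $IPT -A FORWARD -s "$LAN" -p udp --dport "$PRIVPORTS" -j REJECT
}

forward_rules
```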
