On Sun, Oct 19, 2003 at 02:52:23PM +0800, smart penguin wrote:
> Guys thanks for the response, this is my present network setting:
>
> Server: (RH9, internal eth0 192.168.0.5, external eth0
> 203.204.202.11); the reason for having an external one is because I have a
> DSL connection.
> Services: Samba, DNS, Squid, SSHd, Apache (for local, and
> planning to implement outside web).
>
Much better. :)

So let's get this straight. You're running your Linux box as a router,
right? So definitely you'll want:

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

and turn on IP forwarding in your sysctl.conf.

> > My ideal firewall would be:
> (First, I need to know how to execute the command, and what files or
> directory, where to put the command)

Read man iptables for more details. iptables-save can save your results
in a file that may be used by the iptables initscript.

> 1. to be able to connect the RH9 server to the internet safely without
> the hassle of being paranoid.

Start with this:

    iptables -t filter -A INPUT -p tcp --syn -j REJECT
    iptables -t filter -A INPUT -p udp -j REJECT

This denies all incoming connections. The further rules we add below
will relax this default policy as they get processed before these rules
(they should appear at the bottom when you do iptables -t filter -L -n).

You'll certainly want to allow DNS, so you have to add:

    iptables -t filter -I INPUT -p udp --sport 53 --dport 1024:65535 -j \
        ACCEPT
    iptables -t filter -I INPUT -p udp --sport 1024:65535 --dport 53 -j \
        ACCEPT

> 2. to be able for all workstations to browse the internet through SQUID
> without being DENIED by the firewall.

    iptables -t filter -I INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.5 \
        --dport 3128 --syn -j ACCEPT

assuming, of course, you use the default port 3128 for Squid.

> 3. to be able to use mIRC, AudioGalaxy and Chikka from the
> workstations, without jeopardizing the server and all the workstations

This is a problem. I don't know what ports to open for AudioGalaxy and
Chikka, but this ought to allow IRC through:

    iptables -t filter -I INPUT -p tcp -s 192.168.0.0/24 --dport 6661:6669 \
        --syn -j ACCEPT

> 4. to be able to connect to the RH9 server from the workstations using
> SAMBA

    iptables -t filter -I INPUT -p udp -s 192.168.0.0/24 -d 192.168.0.5 \
        --dport 137 -j ACCEPT
    iptables -t filter -I INPUT -p udp -s 192.168.0.0/24 -d 192.168.0.5 \
        --dport 138 -j ACCEPT
    iptables -t filter -I INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.5 \
        --dport 139 --syn -j ACCEPT

> 5. to be able to have a working Apache locally with a secure server.

    iptables -t filter -I INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.5 \
        --dport 80 --syn -j ACCEPT
    iptables -t filter -I INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.5 \
        --dport 443 --syn -j ACCEPT

> 6. and should I be able to buy a domain name and implement Apache
> from outside, I would be confident that the RH9 server is AT LEAST
> safe enough.

When you're ready to do this add:

    iptables -t filter -I INPUT -p tcp -s 0/0 -d 203.204.202.11 --dport 80 \
        --syn -j ACCEPT
    iptables -t filter -I INPUT -p tcp -s 0/0 -d 203.204.202.11 --dport 443 \
        --syn -j ACCEPT

This will allow connections originating anywhere to connect to your
203.204.202.11 IP's http and https ports. But be forewarned that if you
happen to run insecure content, e.g. broken or badly written CGI
scripts, this won't help at all.

> 7. to be able to connect through SSH from a PARTICULAR workstation
> with the IP address 192.168.0.3

    iptables -t filter -I INPUT -p tcp -s 192.168.0.3 -d 192.168.0.5 \
        --dport 22 --syn -j ACCEPT

> From the above mentioned requests, I really appreciate the
> help. Thank you all.

No problem. :)

So you can understand what all these rules mean, I suggest you look at
the copious documentation for netfilter, some of which can be found here:

    http://www.netfilter.org/documentation/index.html

Start with the networking concepts howto there, then read the Andreasson
tutorial.

> jeremy
>
> P.S.
>
> And also I need to know how I can reset the iptables/firewall
> settings, in case I accidentally type the wrong or execute the
> wrong command.

    iptables -t filter -F

This will remove all iptables rules and leave your server open to all
connections.

    iptables -t nat -F

removes all NAT rules.

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
. To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
. Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
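The following is an added example and not part of the reply above: the rules from the thread collected into one firewall script for the same topology (RH9 box with Squid, Samba, Apache, DNS and SSH, routing 192.168.0.0/24 out over DSL). Everything in it that the thread does not state is an assumption: the LAN side is taken to be eth0 and the DSL side eth1 (the original post lists both as eth0), workstation traffic is handled in the FORWARD chain, where routed packets actually go, rather than in INPUT, and replies are matched with connection-tracking state instead of the --sport 53 and --syn matches used in the reply. The DRY_RUN, run, flush_rules and build_rules names and the PUBLIC_WEB switch are mine.

```sh
#!/bin/sh
# Added example (not from the post): a complete firewall script for the
# topology in the thread, written as functions so it can be dry-run
# without root. Assumed: LAN on eth0, DSL on eth1, and state matching
# for replies instead of the --sport/--syn matches in the reply.

DRY_RUN=${DRY_RUN:-yes}
if [ "${1:-}" = apply ]; then DRY_RUN=no; fi

LAN_IF=${LAN_IF:-eth0}          # assumed internal interface
WAN_IF=${WAN_IF:-eth1}          # assumed DSL-facing interface
LAN_NET=192.168.0.0/24
SERVER=192.168.0.5
WAN_IP=203.204.202.11
ADMIN_WS=192.168.0.3            # the one workstation allowed to SSH in
PUBLIC_WEB=${PUBLIC_WEB:-no}    # set to yes once a domain points at WAN_IP

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = yes ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Flush everything. Chain policies are left alone, so with ACCEPT policies
# this is the "open to all connections" reset described in the post; set
# the policies to DROP first if you want the box to fail closed instead.
flush_rules() {
    run iptables -t filter -F
    run iptables -t nat -F
}

build_rules() {
    flush_rules
    run sysctl -w net.ipv4.ip_forward=1

    # Default deny for traffic to and through the box. Rules are appended
    # in order, so nothing has to be -I'd in front of a final REJECT.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    # Replies to connections the server itself opened (its own DNS lookups,
    # Squid fetching pages). This replaces the --sport 53 rule, which would
    # also accept any packet an attacker chose to send from source port 53.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services offered to the LAN only, bound to the internal interface so a
    # packet with a spoofed 192.168.0.x source arriving on DSL is still dropped.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -d "$SERVER" -p udp --dport 53 -j ACCEPT        # DNS
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -d "$SERVER" -p tcp --dport 53 -j ACCEPT        # DNS
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -d "$SERVER" -p tcp --dport 3128 -j ACCEPT      # Squid
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -d "$SERVER" -p udp --dport 137:138 -j ACCEPT   # Samba
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -d "$SERVER" -p tcp --dport 139 -j ACCEPT       # Samba
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -d "$SERVER" -p tcp -m multiport --dports 80,443 -j ACCEPT  # Apache
    run iptables -A INPUT -i "$LAN_IF" -s "$ADMIN_WS" -d "$SERVER" -p tcp --dport 22 -j ACCEPT       # SSH

    # Public web server, only once it is deliberately switched on.
    if [ "$PUBLIC_WEB" = yes ]; then
        run iptables -A INPUT -i "$WAN_IF" -d "$WAN_IP" -p tcp -m multiport --dports 80,443 -j ACCEPT
    fi

    # Everything else inbound: a clean reset for TCP, silent drop for the rest.
    run iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    run iptables -A INPUT -j DROP

    # Workstation traffic (mIRC and friends) is routed, so it passes through
    # FORWARD, not INPUT. The LAN may open anything outbound; only replies
    # come back, so nothing on the DSL side can reach a workstation.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

build_rules
```

Run it with no arguments to print the commands it would issue, and as root with `apply` to load them; `PUBLIC_WEB=yes sh fw.sh apply` adds the two public web rules once a domain points at the DSL address. Because every rule names the interface it is expected on, a LAN-only service cannot be reached by a packet from the DSL side carrying a forged 192.168.0.x source, which the address-only rules in the reply do not prevent. Once the loaded rules look right, iptables-save (on Red Hat, `service iptables save`) records them for the initscript.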
