Thanks to Stephen earlier, I solved one problem, now I have another. The following rules work in that they block everything incoming to the server except for those services opened, and they allow traffic back and forth to and from the internal network. However, from the internal network, I cannot get onto the server itself. What do I have to change or add so that folks on the private network (192.168.1.0/24) are able to get onto the server itself?
Basically I want only those 4 opened ports from the outside to reach the server, but anything from the internal network should be able to reach the server as well (and right now nothing does) and be able to go out to the net. Also, if anyone sees some blatant problem with these rules, please let me know since I'm still learning about iptables.

My requirements are simple:

From the outside:
- Drop everything incoming to the server except for ports 21, 22, 25 and 80.

From the inside (private) network:
- Forward traffic from the inside network to the outside world
- Allow everything in and out of the server itself

From the server itself:
- Allow everything/anything to go out to the world.

What'd I forget? Here is the current set of rules:

# Generated by iptables-save v1.2.5 on Sat Jul 6 21:18:47 2002
*nat
:PREROUTING ACCEPT [148:20680]
:POSTROUTING ACCEPT [10:774]
:OUTPUT ACCEPT [10:774]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -j SNAT --to-source 12.253.88.33
COMMIT
# Completed on Sat Jul 6 21:18:47 2002
# Generated by iptables-save v1.2.5 on Sat Jul 6 21:18:47 2002
*filter
:INPUT DROP [129:18877]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10881:581839]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sat Jul 6 21:18:47 2002

-- 
 H | "Life is the art of drawing without an eraser."
                                                    - John Gardner
+--------------------------------------------------------------------
 Ashley M. Kirchner <mailto:[EMAIL PROTECTED]>   .   303.442.6410 x130
 Director of Internet Operations / SysAdmin     .   800.441.3873 x130
 Photo Craft Laboratories, Inc.                 .   3550 Arapahoe Ave, #6
 http://www.pcraft.com ..... .  .  .                Boulder, CO 80303, U.S.A.

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
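Added example, not part of the post or of any reply on the list: the posted INPUT chain only ever accepts on lo and eth0, so packets arriving from the LAN interface fall through to the INPUT DROP policy, which is the symptom described. The script below generates an iptables-restore ruleset for the requirements listed in the post and includes a small audit helper that reports whether a saved ruleset has an unconditional INPUT ACCEPT for a given interface. It assumes eth0 is the public interface and eth1 the LAN interface (the post does not name the internal interface); the public address 12.253.88.33 and the LAN 192.168.1.0/24 are taken from the post. The sample of the posted INPUT rules fed to the audit helper is constructed from the post.

```shell
#!/bin/sh
# Added example for the post above; not the poster's own rules.
# Assumptions (not stated in the post): eth0 is the internet-facing
# interface, eth1 is the LAN interface. Override via the environment.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_IP=${WAN_IP:-12.253.88.33}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Print an iptables-restore ruleset that meets the stated requirements.
# Lines starting with '#' are ignored by iptables-restore.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite LAN sources only on traffic that actually leaves via the public interface
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: a LAN source address must never arrive on the public interface
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
# The rule the posted set lacks: the LAN interface reaches the server freely
-A INPUT -i $LAN_IF -j ACCEPT
# Replies to connections the server itself opened towards the internet
-A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# The four published services (all TCP, so no udp rules are needed)
-A INPUT -i $WAN_IF -p tcp --dport 21 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 25 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
# Forward LAN -> internet, and let only replies come back the other way
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Audit helper: read a saved ruleset on stdin and succeed only if it
# contains an unconditional "-A INPUT -i <iface> -j ACCEPT" rule.
input_accepts_iface() {
    grep -q -- "^-A INPUT -i $1 -j ACCEPT\$"
}

# Constructed sample of the INPUT rules from the post (the lines that decide
# the LAN case): every ACCEPT is tied to lo or eth0, nothing covers the LAN side.
POSTED_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'

if ! printf '%s\n' "$POSTED_RULES" | input_accepts_iface "$LAN_IF"; then
    echo "posted rules: no INPUT ACCEPT for $LAN_IF, LAN hosts cannot reach the server" >&2
fi

# Only touch the live firewall when explicitly asked: ./fw.sh apply
case "${1:-}" in
    apply) build_ruleset | iptables-restore ;;
    show)  build_ruleset ;;
esac
```

Run `sh fw.sh show` to inspect the generated rules and `sh fw.sh apply` (as root) to load them. Two caveats a practitioner would check before relying on this: passive FTP on port 21 only works with the FTP connection-tracking helper loaded (the ip_conntrack_ftp module on kernels of that era), since the data connections are then matched by the RELATED state; and because the FORWARD policy here is DROP rather than ACCEPT as in the post, anything beyond LAN-to-internet and its replies has to be added explicitly.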