Urgent and fast

Status
Not open for further replies.

Adeyinka

Posts: 13   +0
Hi

I need to set a f/w between a host and a w/s
The rules are set as follows

iptables -A INPUT -s ............. -j ACCEPT
iptables -A OUTPUT -o eth+ -d /////////// -p tcp -j ACCEPT

The originator is the W/S with ............... source address, and the packet should be accepted on the f/w.
The same packet, originating from the f/w, should be sent on any eth+ to the dest address, which is the Host IP.

My problem is that the formerly flushed rule came back after rebooting the machine.
iptables-save seems not to save anything to /etc/sysconfig/iptables for its initialisation at reboot.
A buddy told me I can re-install without recompiling the kernel, since netfilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering. I want to be sure I would not run into more problems, since all that is left now is to set the rules.

I just need a just-in-time response. I have 24 hrs to perform.
Thanks

:cool:
 
What flavor are you running?

To get the FW to start up on boot up it needs to be in the rc.d folder, or in your xinitd stuff.

Those 2 rules there are merely accepting INPUT to your machine (the firewall box).

OUTPUT is what is coming OUT of the box.

If you want to control a WS that uses the FW as a gateway... you'll need to use the FORWARD chain, and the nat chains.

Let me know exactly what you want to do and I'll try and help ya out the best I can.
 
Thanks MattG

What I want to achieve is this:
I want to be using my firewall (as router, running Linux Red Hat 8, iptables v1.2.6a) to accept packets from a specific IP address, say "10.10.0.35", ELSE drop the packet.

If accepted, route the same packet to a specific IP address (a host), say with IP address 199.200.5.1.
Take (I mean the firewall in the reverse direction) packets from the Host (199.200.5.1) and route them to the specific IP address (10.10.0.35).
Every other -s packet should not be allowed.

And One other thing

If I reinstall a Linux box, I understand iptables comes bundled with the package and that you don't need to recompile the kernel again? Because I have not mastered the kernel stuff and don't want to mess up the one already installed.

Kindly give me a step by step rule to achieving what I want. I have hrs left to get this thing DONE for good.

If you can spare a chat period I am available on Yahoo Messenger for possible chat assistance. You can't believe I have not rested for the past 36 hrs trying to figure this out.

Thanks
 
ok... then you're going to want to turn masquerading on.


iptables -t nat -A POSTROUTING -j MASQUERADE

That will set it up for your computer to be a "gateway"; however, make sure that the router itself has a gateway that can access the outside world.

In order to accept from a certain box you'll need the port you want them to be accepted on... let's say HTTP:

iptables -A FORWARD -s 10.10.0.35 -d <destination here> -p tcp --dport 80 -j ACCEPT

If you're looking to just drop "ping packets"

you'll do an iptables -A INPUT -p icmp -j DROP

That will cause no ping packets to be accepted, and therefore are dropped.

It almost sounds like you're wanting to forward a web server address to another box, which might be located on an internal network?

To do that you have to use DNAT

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 199.200.5.1

Just remember that ORDER DOES COUNT.

Set up your logs after your masquerading line... so you can see what is going on.

Then put your accept lines, and then your drop lines.


Put this all into a script... don't type it in the console line by line.

And at the top, flush all your chains:

iptables -F
iptables -t nat -F

That will flush all chains giving you a fresh start.

Hope that helps you out a bunch.
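As an added example (not a script posted by anyone in this thread), here is MattG's advice assembled into one rc.firewall script for the two addresses the asker gave. The rule list is emitted as text first so it can be reviewed, and the live tables are only touched when FW_APPLY=1 is set as root; the ESTABLISHED,RELATED rule, the FORWARD policy and the log prefix are my additions, not from the thread.

```shell
#!/bin/sh
# rc.firewall, added example (not a poster's script). Gateway that only
# forwards traffic between the workstation and host named in the thread.
# Run with no arguments to print the rules; FW_APPLY=1 (as root) applies them.
WS=10.10.0.35        # workstation that may originate traffic
HOST=199.200.5.1     # host it is allowed to reach
LOG_PREFIX="FW-DROP: "

# Emit the rule set, one command per line, in the order MattG gives:
# flush first, then accepts, then the drop. LOG does not stop processing,
# so placing it right before the DROP logs only the rejected packets.
# If $HOST cannot route replies back to $WS, add MattG's MASQUERADE line
# (iptables -t nat -A POSTROUTING -s $WS -d $HOST -j MASQUERADE) after the flush.
build_rules() {
  cat <<EOF
iptables -F
iptables -t nat -F
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $WS -d $HOST -j ACCEPT
iptables -A FORWARD -s $HOST -d $WS -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "$LOG_PREFIX"
iptables -A FORWARD -j DROP
EOF
}

# "ORDER DOES COUNT": every ACCEPT must precede the final FORWARD DROP,
# or the drop shadows it. Exit status 0 means the ordering is correct.
check_order() {
  build_rules | awk '
    /^iptables -A FORWARD -j DROP$/ { seen_drop = 1 }
    /-j ACCEPT$/ && seen_drop       { bad = 1 }
    END                             { exit bad }'
}

# Feed the commands to a shell so quoting (the log prefix) survives; stop on
# the first failing rule. Also turn on routing, which a gateway needs.
apply_rules() {
  check_order || { echo "rule ordering error" >&2; return 1; }
  echo 1 > /proc/sys/net/ipv4/ip_forward
  build_rules | sh -e
}

case "${FW_APPLY:-0}" in
  1) apply_rules ;;
  *) build_rules ;;   # dry run: review the rules, then verify with iptables -L
esac
```

Drop it in /etc/rc.d as rc.firewall, chmod 755 it, and run it once by hand before relying on it at boot.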
 
Hi

Based on suggestions. It's like I am not sure if the /etc/init.d/rc.d/iptables script is what should be updated.
I am currently using the PICO editor.
I have changed the file access to chmod 755 for it to execute.
But in most of the docs I read, reference is always made to appending the following line (my saved script in /etc/firewall) to the /etc/rc.d/rc.mu script:
I have even gone ahead to search if such a directory exists but found none.


I think I can find a way of even testing my script before appending it to the said file in case there are errors to be corrected.
Expecting all ya reply in a jiffy.
 
What Version of Linux are you using?

In your rc.d folder you should see a bunch of files named rc.whatever; rename your script rc.firewall and chmod 755 and it will execute that on startup.

To just test your script do a:

./rc.firewall

and it will run it.

Then do an iptables -L and see if your rules are there.
 
Hi

running Linux 8

I want to know if I have to run the ./rc.firewall from the # prompt or from the PICO editor.
I have tried to run it from the # but nothing seems to be working.

I just need to test the script before appending it to the script.
 
In order for you to execute the script it needs to be executable.

So:

chmod 755 rc.firewall
./rc.firewall
 