TechSpot

urgent and fast

By Adeyinka
Oct 10, 2003
  1. Hi

    I need to set up a f/w between a host and a w/s.
    The rules are set as follows:

    iptables -A INPUT -s ............. -j ACCEPT
    iptables -A OUTPUT -o eth+ -d /////////// -p tcp -j ACCEPT

    The originator is the w/s with ............... as source address, and the packet should be accepted on the f/w.
    The same packet, originating from the f/w, should be sent out on any eth+ to the destination address, which is the host IP.

    My problem is that the formerly flushed rule came back after rebooting the machine.
    iptables-save seems not to save anything to /etc/sysconfig/iptables for its initialisation at reboot.
    A buddy told me I can reinstall without recompiling the kernel, since netfilter and iptables are the framework inside the Linux 2.4.x kernel which enables packet filtering. I want to be sure I would not run into more problems, since all that is left now is to set the rules.

    I just need a just-in-time response. I have 24 hours to perform.
    Thanks

    :cool:
     
  2. MattG

    MattG TS Rookie Posts: 147

    What flavor are you running?

    To get the FW to start up on boot-up, it needs to be in the rc.d folder or in your xinetd stuff.

    Those 2 rules there are merely accepting INPUT to your machine (the firewall box).

    OUTPUT is what is coming OUT of the box.

    If you want to control a WS that uses the FW as a gateway, you'll need to use the FORWARD chain and the nat chains.

    Let me know exactly what you want to do and I'll try and help ya out the best I can.
     
  3. Adeyinka

    Adeyinka TS Rookie Topic Starter Posts: 16

    Thanks MattG

    What I want to achieve is this:
    I want my firewall (as router, running Red Hat Linux 8, iptables v1.2.6a) to accept packets from a specific IP address, say "10.10.0.35", ELSE drop the packet.

    If accepted, route the same packet to a specific IP address (a host), say with IP address 199.200.5.1.
    Take (I mean the firewall, in the reverse direction) the packet from the host (199.200.5.1) and route it to the specific IP address (10.10.0.35).
    Every other -s packet should not be allowed.

    And one other thing:

    If I reinstall a Linux box, I understand iptables comes bundled with the package and that you don't need to recompile the kernel again? Because I have not mastered the kernel stuff and don't want to mess up the one already installed.

    Kindly give me step-by-step rules for achieving what I want. I have hours left to get this thing DONE for good.

    If you can spare a chat period, I am available on Yahoo Messenger for possible chat assistance. You can't believe I have not rested for the past 36 hrs trying to figure this out.

    Thanks
     
  4. MattG

    MattG TS Rookie Posts: 147

    OK... then you're going to want to turn masquerading on.


    iptables -t nat -A POSTROUTING -j MASQUERADE

    That will set it up for your computer to be a "gateway"; however, make sure that the router itself has a gateway that can access the outside world.

    In order to accept from a certain box, you'll need the port you want them to be accepted on... let's say HTTP:

    iptables -A FORWARD -s 10.10.0.35 -d <destination here> -p tcp --dport 80 -j ACCEPT

    If you're looking to just drop "ping packets":

    you'll do an iptables -A INPUT -p icmp -j DROP

    That will cause no ping packets to be accepted, and therefore they are dropped.

    It almost sounds like you're wanting to forward a web server address to another box, which might be located on an internal network?

    To do that you have to use DNAT:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 199.200.5.1

    Just remember that ORDER DOES COUNT.

    Set up your logs after your masquerading line, so you can see what is going on.

    Then put your accept lines, and then your drop lines.


    Put this all into a script; don't type it in the console line by line.

    And at the top, flush all your chains:

    iptables -F
    iptables -t nat -F

    That will flush all chains giving you a fresh start.

    Hope that helps you out a bunch.
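    Putting the pieces of the post above into one script, as an added example that is not from the thread: a complete rc.firewall for the scenario Adeyinka describes (only 10.10.0.35 may open connections to 199.200.5.1 through the firewall, replies flow back, everything else is logged and dropped). The two addresses are the ones from the thread; the interface names eth0 (workstation side) and eth1 (host side) and the start/dry-run arguments are assumptions. Setting DRYRUN=1 prints the iptables commands instead of running them, so the ruleset can be checked by eye, as an unprivileged user, before the script goes into rc.d.

```shell
#!/bin/sh
# rc.firewall (added example, not from the thread): restrict routed traffic to
# one workstation/host pair. Interface names are assumptions for illustration.

WS=10.10.0.35        # the only workstation allowed through (from the thread)
HOST=199.200.5.1     # the only destination it may reach (from the thread)
LAN_IF=eth0          # assumption: interface facing the workstation
WAN_IF=eth1          # assumption: interface facing the host

fw_apply() {
    # With DRYRUN set, every command is echoed instead of executed.
    run=${DRYRUN:+echo}

    # Flush first, then set default-DROP policies, so a typo further down
    # fails closed instead of leaving the box wide open.
    $run iptables -F
    $run iptables -t nat -F
    $run iptables -P INPUT DROP
    $run iptables -P FORWARD DROP
    $run iptables -P OUTPUT ACCEPT

    # Traffic to the firewall itself: loopback, and replies to its own connections.
    $run iptables -A INPUT -i lo -j ACCEPT
    $run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Routed traffic: only WS -> HOST may open connections; only replies from
    # HOST -> WS come back. Order matters: the accepts go before the final drop.
    $run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$WS" -d "$HOST" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$HOST" -d "$WS" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log what is about to be dropped, then drop it explicitly.
    $run iptables -A FORWARD -j LOG --log-prefix "FW-DROP: "
    $run iptables -A FORWARD -j DROP

    # Masquerade only the allowed workstation on the way out, not every source.
    $run iptables -t nat -A POSTROUTING -s "$WS" -o "$WAN_IF" -j MASQUERADE

    # The box does not route at all until IP forwarding is switched on.
    $run sysctl -w net.ipv4.ip_forward=1
}

# Print the rules without applying them (subshell keeps DRYRUN local).
fw_dry_run() {
    ( DRYRUN=1; fw_apply )
}

# Number of FORWARD rules the script would install (used to sanity-check it).
fw_forward_rule_count() {
    fw_dry_run | grep -c -- '-A FORWARD'
}

case "${1:-}" in
    start)   fw_apply ;;
    dry-run) fw_dry_run ;;
    *)       echo "usage: $0 start | dry-run" >&2 ;;
esac
```

Run `./rc.firewall dry-run` first and read the output; then, as root, `./rc.firewall start` and check with `iptables -L -n -v` and `iptables -t nat -L -n`. To have it survive a reboot on Red Hat 8, either call it from the end of /etc/rc.d/rc.local, or apply it and then run `service iptables save`, which writes /etc/sysconfig/iptables for the stock iptables init script to restore at boot (the old rules coming back after reboot is usually that file still holding them).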
     
  5. Adeyinka

    Adeyinka TS Rookie Topic Starter Posts: 16

    Hi

    Based on the suggestions, it's like I am not sure if the /etc/init.d/rc.d/iptables script is what should be updated.
    I am currently using the pico editor.
    I have changed the file access to chmod 755 for it to execute.
    But in most of the docs I read, reference is always made to appending the following line (my saved script in /etc/firewall) to the /etc/rc.d/rc.mu script:
    I have even gone ahead to search whether such a directory exists, but found none.


    I think I can find a way of even testing my script before appending it to the said file, in case there are errors to be corrected.
    Expecting all your replies in a jiffy.
     
  6. MattG

    MattG TS Rookie Posts: 147

    What Version of Linux are you using?

    In your rc.d folder you should see a bunch of files named rc.whatever; rename your script rc.firewall and chmod 755 it, and it will execute that on startup.

    To just test your script, do a:

    ./rc.firewall

    and it will run it.

    Then do an iptables -L and see if your rules are there.
     
  7. Adeyinka

    Adeyinka TS Rookie Topic Starter Posts: 16

    Hi

    Running Red Hat Linux 8.

    I want to know if I have to run ./rc.firewall from the # prompt or from the pico editor.
    I have tried to run it from the # prompt, but nothing seems to be working.

    I just need to test the script before appending it to the script
     
  8. MattG

    MattG TS Rookie Posts: 147

    In order for you to execute the script, it needs to be executable.

    So:

    chmod 755 rc.firewall
    ./rc.firewall
     