Wondering if anyone is willing to give me a little assistance with some firewall rules. I think what I'm looking for is fairly simple, and I've been trying to use webmin's firewall module without success.

I have a web server that I'd like to open up port 80 and forward a specific port for a select number of allowed ips. That's it. Everything else is dropped.

allow: port 80
allow: forward port 8000 for x.x.x.x to y.y.y.y

Anyone willing to assist with the rules? And lastly, how would I apply it in a way that it will always be in effect? If the machine reboots for example.

Any help is appreciated.
James
On 28/09/05, James Pifer <jep at obrien-pifer.com> wrote:

> Wondering if anyone is willing to give me a little assistance with some
> firewall rules. I think what I'm looking for is fairly simple, and I've
> been trying to use webmin's firewall module without success.
>
> I have a web server that I'd like to open up port 80 and forward a
> specific port for a select number of allowed ips. That's it. Everything
> else is dropped.
>
> allow: port 80
> allow: forward port 8000 for x.x.x.x to y.y.y.y
>
> Anyone willing to assist with the rules? And lastly, how would I apply
> it in a way that it will always be in effect? If the machine reboots for
> example.

Have a look at the bastion firewall setup examples from the O'Reilly Linux Server Security book at http://examples.oreilly.com/linuxss2/ They should point you in the right direction.

As for starting across reboots, I'd place the script either in root's home or somewhere else normal users can't get to and run it from /etc/rc.d/rc.local

Will.
Quoting James Pifer <jep at obrien-pifer.com>:

> Wondering if anyone is willing to give me a little assistance with some
> firewall rules. I think what I'm looking for is fairly simple, and I've
> been trying to use webmin's firewall module without success.

The problem is, you either use GUI tools and live with the limitations of the tool, or you do it all by hand. Most GUI tools are not going to allow you to mix and match. If you make some changes manually, next time you use GUI tools it'll discard them.

That said, the default config file with firewall rules for iptables on CentOS is /etc/sysconfig/iptables. There's also /etc/sysconfig/iptables.conf with some settings you might need to alter in specific situations (for example, NAT helper modules to be loaded are specified there). The former (the one with rules) might get overwritten, or its rules overridden by various GUI interfaces. As I said, you either use GUI and live with limitations, or do it all by hand and are able to implement whatever you need.

> I have a web server that I'd like to open up port 80 and forward a
> specific port for a select number of allowed ips. That's it. Everything
> else is dropped.
>
> allow: port 80
> allow: forward port 8000 for x.x.x.x to y.y.y.y

When you say forward port 8000, what exactly do you have in mind? Simple packet forwarding (if we see packet from xxx to yyy we allow it to be forwarded)? Or do you mean NAT (if we see packet coming in for us on 8000 from xxx, we forward it to yyy optionally changing port number)?

Standard disclaimer. These rules are not going to work on their own, and they are *unsafe*. They are here only to give you a pointer how to solve specific problem, but they are not complete nor secure solution. Before manually applying any firewall rules, make sure you know exactly what you are doing. I personally don't use them as presented here, and would not recommend anybody else to use them as is. This is just simplification of actual configuration to show how the problem could be solved.

Anyhow, in general case, you would do something like this on command line:

To allow incoming connections to port 80 is fairly simple (but see disclaimer):

  # iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Now, if you want to allow simple packet forwarding:

  # iptables -A FORWARD -p tcp --dport 8000 -s x.x.x.x -d y.y.y.y -j ACCEPT

Now, if you wanted to do NATing, it goes something like this.

  # iptables -A FORWARD -p tcp --dport 8000 -s z.z.z.z -d y.y.y.y -j ACCEPT
  # iptables -t nat -A PREROUTING -p tcp --dport 8000 -d x.x.x.x \
      -j DNAT --to-destination y.y.y.y

If you wanted to change port 8000 to 80, you'd do it something like:

  # iptables -A FORWARD -p tcp --dport 80 -s z.z.z.z -d y.y.y.y -j ACCEPT
  # iptables -t nat -A PREROUTING -p tcp --dport 8000 -d x.x.x.x \
      -j DNAT --to-destination y.y.y.y:80

Note that chains in filter table will see NATed address, because we used DNAT (rewriting of destination address) target in PREROUTING chain.

In short, flow of packets through chains looks something like this.

  (if from local)
  local --> OUTPUT -----+    +-----------------+
                        |    |                 |
                        +-> routing --> FORWARD -+-> POSTROUTING --> net
                        |       |
  net --> PREROUTING ---+       +-> INPUT ---------------------> local

Each chain will see changes made by previous chain. Note that almost all chains are also parts of one of three tables of chains (filter, nat, and mangle), so you actually have two PREROUTING chains (in nat and mangle tables), three OUTPUT chains, and so on... Each with distinct set of rules, and each with distinct set of allowed targets (as documented in manual page for iptables).
On Wed, 2005-09-28 at 08:54 -0400, James Pifer wrote:

> Wondering if anyone is willing to give me a little assistance with some
> firewall rules. I think what I'm looking for is fairly simple, and I've
> been trying to use webmin's firewall module without success.
>
> I have a web server that I'd like to open up port 80 and forward a
> specific port for a select number of allowed ips. That's it. Everything
> else is dropped.
>
> allow: port 80
> allow: forward port 8000 for x.x.x.x to y.y.y.y
>
> Anyone willing to assist with the rules? And lastly, how would I apply
> it in a way that it will always be in effect? If the machine reboots for
> example.

James,

I've found that "man iptables" is actually a fairly good introduction to iptables. For your setup, you probably need something along the lines of

  # iptables -I INPUT -p tcp --dport 80 -j ACCEPT

to allow global access to the web server, and similar lines for your more limited access to port 8000.

As for making your changes permanent, "service iptables save" will store your current iptables rules in /etc/sysconfig/iptables; this is the file that "service iptables start" uses at boot time. MAKE BACKUP COPIES OF /etc/sysconfig/iptables EVERY TIME BEFORE YOU RUN service iptables save JUST IN CASE YOU DON'T LIKE THE CHANGES.

You should check to make sure that the iptables service is set to start at boot time. You can do this by running "chkconfig --list iptables"; you will get something like this:

  iptables        0:off   1:off   2:off   3:on    4:on    5:on    6:off

This example means "iptables will be started when entering runlevels 3, 4, or 5, and stopped when entering runlevels 0, 1, 2, or 6." Your server is most likely running at runlevel 3, unless you have a GUI interface running on it. The GUI is only necessary if your server is also someone's desktop. You can find out which runlevel your server is set to use by running "grep ^id /etc/inittab"; you will get a line like this:

  id:3:initdefault:

Look for the number after the first colon.

hth
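As an added example (not code from any of the posters), the following script generates the policy asked for in the thread in the format that /etc/sysconfig/iptables stores and "service iptables start" loads: default DROP on INPUT and FORWARD, port 80 open to everyone, and port 8000 DNATed to the internal host only for a list of allowed source addresses, with the FORWARD rules matching the post-DNAT destination as the previous reply explains. The addresses are placeholders in the thread's notation (x.x.x.x firewall, y.y.y.y internal host, z.z.z.z allowed clients); the function name build_ruleset is this example's own.

```shell
#!/bin/sh
# Emit a complete ruleset in iptables-restore format (the format of
# /etc/sysconfig/iptables). Nothing is applied; the output is for review.
build_ruleset() {
  fw_ip=$1        # address on the firewall clients connect to (x.x.x.x)
  target=$2       # internal host receiving the forwarded port (y.y.y.y)
  shift 2         # remaining args: allowed client sources (z.z.z.z ...)

  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  for src in "$@"; do
    # Rewrite the destination only for packets from an allowed source.
    echo "-A PREROUTING -s $src -d $fw_ip -p tcp --dport 8000 -j DNAT --to-destination $target"
  done
  echo 'COMMIT'

  echo '*filter'
  # Default deny: anything not explicitly accepted below is dropped.
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
  # NOTE: no rule for your own admin port (e.g. ssh) is included, so add
  # one before loading this on a box you only reach over the network.
  echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
  for src in "$@"; do
    # The filter table sees the DNATed address, so match $target, not $fw_ip.
    echo "-A FORWARD -s $src -d $target -p tcp --dport 8000 -m state --state NEW -j ACCEPT"
  done
  echo 'COMMIT'
}

# Stand-alone use: build_ruleset x.x.x.x y.y.y.y z.z.z.z [more sources...]
# Redirect the output to /etc/sysconfig/iptables (after backing it up) and
# run "service iptables restart"; forwarding also needs net.ipv4.ip_forward=1.
if [ $# -ge 2 ]; then
  build_ruleset "$@"
fi
```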
On Wed, Sep 28, 2005 at 08:54:56AM -0400, James Pifer wrote:

> Wondering if anyone is willing to give me a little assistance with some
> firewall rules. I think what I'm looking for is fairly simple, and I've
> been trying to use webmin's firewall module without success.
>
> I have a web server that I'd like to open up port 80 and forward a
> specific port for a select number of allowed ips. That's it. Everything
> else is dropped.
>
> allow: port 80
> allow: forward port 8000 for x.x.x.x to y.y.y.y
>
> Anyone willing to assist with the rules? And lastly, how would I apply
> it in a way that it will always be in effect? If the machine reboots for
> example.
>
> Any help is appreciated.
> James

Forward port 8000 to several hosts might be difficult using only iptables. You might want to take a look at LVS (Linux Virtual Server) for that, on http://www.linuxvirtualserver.org/

[]s

--
Rodrigo Barbosa <rodrigob at suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Hello all,

There is a very nice piece of software called Firewall Builder. It comes with a GUI and is very feature rich.

http://www.fwbuilder.org/

It's well documented, allows you to block, redirect, log, NAT, etc.... Very nice for both novice & experienced users. You build your rules graphically and deploy them via ssh, create your Firewall RCS and so much more.

Hope it helps.
Nassri