You can select a basic firewall setting when installing Red Hat 7.2 and 7.3, but unfortunately that setting uses ipchains, and iptables is not used even though it is installed. On top of that, since masquerading is not configured, you have to set it up yourself, and for that you also have to study ipchains. It would be nice if, when the installer detects two Ethernet cards, or a modem and an Ethernet card, it set up masquerading. If you have to set up a firewall anyway, why not use iptables? So I read the iptables manual and searched the web, but the explanations start right out with the external Internet and LAN settings, or with building a firewall for a large office, and I could not make sense of them and never set it up. One day I realized one fact and understood everything, as if the scales fell from my eyes. Now let's do the setup while explaining that fact.
 
Fundamentally, to explain iptables we do not need to think about the external Internet or the LAN at first. If you miss that point you will misunderstand, as I did, that the interface connected to the external Internet is INPUT and the LAN side is OUTPUT. Forget about that. The most important thing is that the machine running iptables sits at the center. This machine has several interfaces: lo for the local loopback, eth0, eth1, ppp0 and so on. Packets that arrive from any of these interfaces and are addressed to this machine itself are controlled by the INPUT chain. Conversely, packets that this machine itself sends out through these interfaces are controlled by the OUTPUT chain. Packets that merely pass through this machine from one interface to another, such as from eth0 to eth1, are controlled by the FORWARD chain. (Traffic on lo is addressed to the machine itself, so it goes through INPUT and OUTPUT, never through FORWARD.) What remains is to vary the controls depending on what is connected to each interface. Now let's do the actual setup.
 
First of all, stop the running ipchains. In the service configuration of the system settings, uncheck ipchains, confirm that iptables is checked, save, and reboot the machine. (The ipchains and iptables kernel modules cannot be loaded at the same time, which is why a reboot is the simplest way to switch.) Then log in as root and enter

# iptables -L
 
If you get the answer

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

then iptables is running. With the default setting all packets are ACCEPTed: the policy of every chain is ACCEPT and no rules are listed.
 
Now we assume that eth0 is connected to the external Internet and eth1 to the LAN. First, set the policies so that all incoming and all forwarded packets are dropped.

# iptables -P INPUT DROP
# iptables -P FORWARD DROP

Now no packet can enter the machine; only output from this machine is possible. As a firewall this is perfect, but we cannot communicate. So allow input from the LAN side and from the local loopback unconditionally.

# iptables -A INPUT -i eth1 -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A FORWARD -i eth1 -j ACCEPT

Do this at the console. If you are logged in over the network, the DROP policy cuts your session the moment you set it; in that case add the ACCEPT rules first and change the policies afterwards.
 
Allow the machine to respond to ping if you need it (ICMP type 8 is echo request):

# iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j ACCEPT
 
Now you can reach this machine by FTP and SSH from the LAN side. Next, set up what is granted access from the external Internet on eth0. It would work to write the same rules into both the INPUT and FORWARD chains, but I do not want to write the same thing twice and maintenance would become a mess, so I write the rules into a user-defined chain, which works like a subroutine in a program.

# iptables -N eth-in

Set the ports that may be accessed from outside.

# iptables -A eth-in -p tcp --dport ftp -j ACCEPT
# iptables -A eth-in -p tcp --dport ssh -j ACCEPT
# iptables -A eth-in -p tcp --dport telnet -j ACCEPT
# iptables -A eth-in -p tcp --dport smtp -j ACCEPT
# iptables -A eth-in -p tcp --dport domain -j ACCEPT
# iptables -A eth-in -p tcp --dport http -j ACCEPT
# iptables -A eth-in -p tcp --dport pop3 -j ACCEPT
# iptables -A eth-in -p tcp --dport postgres -j ACCEPT
# iptables -A eth-in -p tcp --dport webcache -j ACCEPT
# iptables -A eth-in -p tcp --dport vnc-1 -j ACCEPT

iptables resolves these service names through /etc/services; vnc-1 is defined there as 5901. If a name is not in that file, iptables refuses the rule, so use the port number instead. Open only the services this machine actually runs: telnet, ftp and pop3 send passwords in clear text, and a database port such as postgres rarely needs to be reachable from the Internet.
 
Now those ports can be reached. If you want to allow another port, add it the same way. Then allow the incoming packets that are replies to our own outgoing connections.

# iptables -A eth-in -m state --state ESTABLISHED,RELATED -j ACCEPT

This uses connection tracking: ESTABLISHED matches packets of a connection that has already been seen in both directions, and RELATED matches a new connection that a helper module has tied to an existing one. Since the basic rules are now in place, connect INPUT and FORWARD to this user chain.

# iptables -I INPUT -i eth0 -j eth-in
# iptables -I FORWARD -i eth0 -j eth-in

-I inserts at the top of the chain; that is fine here because these rules only match packets arriving on eth0, which the eth1 and lo rules do not touch. Note that eth-in contains no destination match, so when it is consulted from FORWARD it would also admit new connections to those ports on LAN hosts; that only becomes relevant once you add port forwarding.
 
Input is now in order, but every output to the external side is still allowed. To prevent unnecessary output, set up the OUTPUT side. Make a user chain:

# iptables -N eth-out

Keep Windows (NetBIOS) packets from going out:

# iptables -A eth-out -p udp --dport 137:139 -j DROP
# iptables -A eth-out -p tcp --dport 137:139 -j DROP

Keep packets addressed to LAN addresses from going out (this assumes the LAN is 192.168.0.0/24; use your own prefix):

# iptables -A eth-out -d 192.168.0.0/24 -j DROP

Connect the chain:

# iptables -I FORWARD -o eth0 -j eth-out
# iptables -I OUTPUT -o eth0 -j eth-out

Here -I matters: inserting at the top places the eth-out check ahead of the unconditional -i eth1 ACCEPT in FORWARD, so forwarded LAN packets are filtered before they are accepted.
 
This completes the setup of the filter table, the first of iptables' three tables (filter, nat and mangle). Next, to enable IP forwarding, change the line

net.ipv4.ip_forward = 0

in /etc/sysctl.conf to

net.ipv4.ip_forward = 1

It is also worth adding these lines:

# Disables the reply to broadcast icmp
net.ipv4.icmp_echo_ignore_broadcasts = 1

This makes the machine not respond to broadcast pings, so it cannot be used as an amplifier. /etc/sysctl.conf is read at boot; to apply it immediately run

# sysctl -p
 
At this point packets from the LAN can be forwarded, but communication with the outside still fails: the packet carries the private LAN address as its source, so the far end either cannot route the reply back or rejects it. To rewrite the source address, set up MASQUERADE in the nat table:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

MASQUERADE replaces the source address of packets leaving on eth0 with eth0's current address, and connection tracking maps the replies back to the LAN host.
 
When you finish the setup, run

# service iptables save

to save the settings made so far; they are written to /etc/sysconfig/iptables and reloaded by the iptables service at boot. The network needs to be restarted as well, so confirm everything after a reboot.

You can see the settings with

# iptables -t filter -n -L -v --line-numbers

-n suppresses name lookups, -v shows the interfaces and packet counters, and --line-numbers shows each rule's position, which is what -D and -I take.
 
Though you can also set up IP forwarding and port forwarding, I do not need them right now. I will do that when the need arises.
 
 05/18/2002
 
When you try to use FTP with these settings, it stops when entering PASV mode. In PASV mode, after the control connection on port 21 is established, the data connection is opened as a separate new connection to a port above 1024 chosen by the server; that new connection matches none of the port rules, so it is dropped. To use FTP in PASV mode you need the ip_conntrack_ftp module loaded: it watches the control connection and marks the data connection as RELATED, so the ESTABLISHED,RELATED rule accepts it. Add the line

above ip_conntrack ip_conntrack_ftp

to /etc/modules.conf so that it is loaded together with ip_conntrack at boot, and FTP will work. To load it right away without rebooting:

# modprobe ip_conntrack_ftp
 
 11/14/2003
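The whole procedure of this page, including the ip_conntrack_ftp note above, collected into one script. This is an added example, not the page's own commands: it assumes eth0 faces the Internet, eth1 the LAN, a LAN of 192.168.0.0/24 and the same port list as above; the DRY_RUN variable and the run/ipt helpers are this script's own devices. It differs from the step-by-step commands in two deliberate ways: the ACCEPT rules are loaded before the policies are switched to DROP, so re-running it over an SSH session from the LAN is safe, and the eth-out check is placed ahead of the unconditional LAN accept in FORWARD, which the page achieved with -I.

```bash
#!/bin/sh
# Single-script version of the iptables setup described on this page.
# Added example, not the page's own commands. Assumptions: eth0 faces the
# Internet, eth1 the LAN, the LAN is 192.168.0.0/24, and the port list matches
# the page. DRY_RUN=1 prints every command instead of executing it.
#   sh firewall.sh apply                # load the rules (as root)
#   DRY_RUN=1 sh firewall.sh apply      # review the rules first

IPT="${IPT:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"               # interface connected to the Internet
LAN_IF="${LAN_IF:-eth1}"               # interface connected to the LAN
LAN_NET="${LAN_NET:-192.168.0.0/24}"
# TCP services reachable from the Internet. Names come from /etc/services;
# 5901 (vnc-1 on the page) is given numerically so the rule never fails on a
# missing entry. telnet, ftp and pop3 carry passwords in clear text: keep only
# what this machine really serves.
EXT_TCP_PORTS="ftp ssh telnet smtp domain http pop3 postgres webcache 5901"

run() {
    # Execute a command, or only print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
ipt() { run "$IPT" "$@"; }

firewall_rules() {
    # Start from an empty, accept-everything state so the script is re-runnable.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X
    ipt -t nat -F

    # Inbound from the Internet: one user chain shared by INPUT and FORWARD.
    # The state rule goes first so replies to our own connections (and FTP
    # data connections flagged RELATED by ip_conntrack_ftp) skip the port list.
    ipt -N eth-in
    ipt -A eth-in -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $EXT_TCP_PORTS; do
        ipt -A eth-in -p tcp --dport "$port" -j ACCEPT
    done

    # Outbound to the Internet: keep NetBIOS and private LAN addresses inside.
    ipt -N eth-out
    ipt -A eth-out -p udp --dport 137:139 -j DROP
    ipt -A eth-out -p tcp --dport 137:139 -j DROP
    ipt -A eth-out -d "$LAN_NET" -j DROP

    # INPUT: loopback and LAN unconditionally, ping, then the Internet chain.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type 8 -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -j eth-in

    # FORWARD: the outbound filter must precede the unconditional LAN accept,
    # otherwise LAN traffic is accepted before eth-out is ever consulted.
    ipt -A FORWARD -o "$EXT_IF" -j eth-out
    ipt -A FORWARD -i "$LAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -j eth-in

    # OUTPUT: only the outbound filter; everything else this host sends is allowed.
    ipt -A OUTPUT -o "$EXT_IF" -j eth-out

    # Policies last: the accept rules above are already in place, so a session
    # from the LAN is never cut off while the script runs.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP

    # Rewrite the source address of LAN packets leaving on the Internet side.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

kernel_settings() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
    run modprobe ip_conntrack_ftp      # needed for FTP in PASV mode
}

case "${1:-}" in
    apply) kernel_settings && firewall_rules && run service iptables save ;;
    "")    ;;                          # no argument: only define the functions
    *)     echo "usage: $0 apply" >&2; exit 2 ;;
esac
```

Review the output of DRY_RUN=1 sh firewall.sh apply first, then run it as root from the console; afterwards iptables -t filter -n -L -v --line-numbers should show eth-out at position 1 of FORWARD and the state rule at position 1 of eth-in.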