iptables setup



You can choose a basic firewall setting when installing Red Hat 7.2 and 7.3, but unfortunately that setting uses ipchains, and iptables is not used even though it is installed. On top of that, since the masquerade setting is not done for you, you have to set it up yourself, which means you also have to study ipchains. It would be nice if the installer set up masquerading when it detects two Ethernet cards, or a modem and an Ethernet card. If you have to set up a firewall anyway, why not use iptables? So I read the iptables manual and searched the web, but the pages start right out explaining the settings for the external internet and the LAN, or how to build a firewall for a large office, and I couldn't make sense of it and had not set it up. One day I realized one fact and suddenly understood everything, as if scales had fallen from my eyes. Let's set it up now while I explain that fact.

Fundamentally, to understand iptables you don't need to think about the external internet or the LAN at first. If you miss that point, you will misunderstand, as I did, that the port connected to the external internet is INPUT and the LAN side is OUTPUT. Forget about that. The most important thing is that the machine running iptables sits at the center. This machine has several interfaces: lo for the local loopback, eth0, eth1, ppp0 and so on. The INPUT chain controls packets that arrive from these interfaces and are addressed to this machine. Conversely, the OUTPUT chain controls packets that leave this machine through these interfaces. The FORWARD chain controls all other packet flows, those passing between interfaces, such as from eth0 to eth1 or from lo to eth1. What remains is to vary the control depending on what is connected to each interface. Now let's actually set it up.

First of all, stop the running ipchains. In the service settings under system settings, uncheck ipchains, confirm that iptables is checked, save, and reboot the machine. Then log in as root and enter
# iptables -L

If you get the answer as

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

then iptables is running. With the default setting all packets are ACCEPTed.

Now assume that eth0 is connected to the external internet and eth1 to the LAN. First, set the default policies so that incoming (and forwarded) packets are dropped.

# iptables -P INPUT DROP
# iptables -P FORWARD DROP

Now no packet can enter the machine; only output from this machine is possible. As a firewall this is perfect, but we cannot communicate. So allow input from the LAN side and from the local loopback unconditionally.

# iptables -A INPUT -i eth1 -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A FORWARD -i eth1 -j ACCEPT


Allow replies to ping if you need them.
# iptables -A INPUT -i eth0 -p icmp --icmp-type 8 -j ACCEPT

Now you can reach this machine by FTP and SSH from the LAN side. Next, set up what is allowed from the external internet on eth0. It would work to write the same rules into both the INPUT and FORWARD chains, but I don't want to write the same thing twice and maintenance would become a mess, so I put the rules into a user chain, which works like a subroutine in a program.
# iptables -N eth-in

Set the ports that may be accessed from outside.
# iptables -A eth-in -p tcp --dport ftp -j ACCEPT
# iptables -A eth-in -p tcp --dport ssh -j ACCEPT
# iptables -A eth-in -p tcp --dport telnet -j ACCEPT
# iptables -A eth-in -p tcp --dport smtp -j ACCEPT
# iptables -A eth-in -p tcp --dport domain -j ACCEPT
# iptables -A eth-in -p tcp --dport http -j ACCEPT
# iptables -A eth-in -p tcp --dport pop3 -j ACCEPT
# iptables -A eth-in -p tcp --dport postgres -j ACCEPT
# iptables -A eth-in -p tcp --dport webcache -j ACCEPT
# iptables -A eth-in -p tcp --dport vnc-1 -j ACCEPT
Here vnc-1 is defined as 5901 in /etc/services.

Now those ports can be accessed. If you want to allow another port, add it. Then allow input that is a response to our own output.
# iptables -A eth-in -m state --state ESTABLISHED,RELATED -j ACCEPT

Now that the basic rules are in place, connect INPUT and FORWARD to this user chain.
# iptables -I INPUT -i eth0 -j eth-in
# iptables -I FORWARD -i eth0 -j eth-in


Input is OK now, but every output to the outside is allowed. To prevent unnecessary output, set up OUTPUT.
Make a user chain.
# iptables -N eth-out

Keep Windows (NetBIOS) packets from going out.
# iptables -A eth-out -p udp --dport 137:139 -j DROP
# iptables -A eth-out -p tcp --dport 137:139 -j DROP


Keep packets addressed to the LAN from going out.
# iptables -A eth-out -d 192.168.0.0/24 -j DROP

Connect the chains.
# iptables -I FORWARD -o eth0 -j eth-out
# iptables -I OUTPUT -o eth0 -j eth-out


Now we have finished the setting of the filter table, the first of iptables' three tables. Next, to enable IP forwarding, change the line net.ipv4.ip_forward = 0 in /etc/sysctl.conf to net.ipv4.ip_forward = 1. It is also a good idea to add the following lines.
# Disables the reply to broadcasts icmp
net.ipv4.icmp_echo_ignore_broadcasts = 1

With this the machine does not respond to broadcast ping.

At this point packets from the LAN can be forwarded, but they cannot communicate with the outside, because each packet still carries the LAN IP address as its source and is rejected when it reaches the other end. To translate the source address, set up MASQUERADE in the nat table.
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

When you have finished the setup, run
# service iptables save
to save the settings made so far. The network needs to be restarted; please confirm after a reboot.
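The whole procedure above, collected into one script. This is an added example, not the page's own script: the interface names, the LAN network and the port list are the page's, but the IPTABLES/SYSCTL variables and the dry-run helpers are my own convention, so the rules can be printed and checked without root.

```shell
#!/bin/sh
# Added example: the rules from this page applied in the order the text
# gives them.  Run `sh firewall.sh apply` as root on the machine itself;
# `IPTABLES=echo SYSCTL=echo sh firewall.sh apply` prints the commands instead.
IPTABLES="${IPTABLES:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
EXT_IF="${EXT_IF:-eth0}"              # interface facing the internet (page: eth0)
LAN_IF="${LAN_IF:-eth1}"              # interface facing the LAN (page: eth1)
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # LAN network that must never leave eth0

# Services reachable from the internet.  Names are resolved through
# /etc/services; vnc-1 must be defined there as 5901, as the page says.
EXT_PORTS="ftp ssh telnet smtp domain http pop3 postgres webcache vnc-1"

enable_forwarding() {
    # The page makes these persistent in /etc/sysctl.conf; -w applies them now.
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1
}

apply_firewall() {
    # Default: nothing comes in or is forwarded unless a rule allows it.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP

    # LAN side and loopback are trusted unconditionally.
    $IPTABLES -A INPUT -i "$LAN_IF" -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -j ACCEPT

    # Answer echo-request (ICMP type 8) from outside.
    $IPTABLES -A INPUT -i "$EXT_IF" -p icmp --icmp-type 8 -j ACCEPT

    # User chain eth-in: one set of rules shared by INPUT and FORWARD.
    $IPTABLES -N eth-in
    for port in $EXT_PORTS; do
        $IPTABLES -A eth-in -p tcp --dport "$port" -j ACCEPT
    done
    # Replies to connections this side opened.
    $IPTABLES -A eth-in -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -I puts the jump at the top, so eth0 packets reach eth-in first.
    $IPTABLES -I INPUT -i "$EXT_IF" -j eth-in
    $IPTABLES -I FORWARD -i "$EXT_IF" -j eth-in

    # User chain eth-out: keep NetBIOS and LAN-addressed traffic off eth0.
    $IPTABLES -N eth-out
    $IPTABLES -A eth-out -p udp --dport 137:139 -j DROP
    $IPTABLES -A eth-out -p tcp --dport 137:139 -j DROP
    $IPTABLES -A eth-out -d "$LAN_NET" -j DROP
    $IPTABLES -I FORWARD -o "$EXT_IF" -j eth-out
    $IPTABLES -I OUTPUT -o "$EXT_IF" -j eth-out

    # nat table: rewrite the LAN source address on the way out.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# Dry-run helpers: print each iptables invocation as one line.
print_cmd() { printf '%s\n' "$*"; }
dry_run() { ( IPTABLES=print_cmd; apply_firewall ); }
count_rules() { dry_run | wc -l | tr -d ' '; }

case "${1:-}" in
    apply) enable_forwarding; apply_firewall ;;
esac
```

Because the DROP policies are set before any ACCEPT rule exists, run this from the console or from the LAN side, never over a connection that arrives on eth0.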

You can see the settings with
# iptables -t filter -n -L -v --line-numbers
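To confirm after the reboot that the saved rules came back in the expected shape, here is an added example (not from the page) that parses the output of that listing command. The listing embedded below is constructed sample output in the format `iptables -t filter -n -L -v --line-numbers` prints once the rules on this page are loaded; pipe the real output into check_listing instead.

```shell
#!/bin/sh
# Added example: sanity-check a reloaded ruleset from the verbose listing.
# SAMPLE_LISTING is constructed to look like real output; counters are invented.
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 960 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      350 28000 eth-in     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
2     1200 96000 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
3       40  3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0          icmp type 8

Chain FORWARD (policy DROP 3 packets, 240 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      500 40000 eth-out    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
2      480 38000 eth-in     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
3      500 40000 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 900 packets, 72000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      400 32000 eth-out    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth-in (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       10   800 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22
2      820 66000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain eth-out (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:137:139
2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:137:139
3        0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.0/24'

# Reads a listing on stdin; exits 0 if the layout from this page is present,
# 1 otherwise, printing one line per problem found.
check_listing() {
    awk '
    /^Chain / {
        chain = $2
        if ($3 == "(policy") policy[chain] = $4   # built-in chains carry a policy
        next
    }
    /^num / { next }      # column header
    NF == 0 { next }      # blank line between chains
    {
        # With -v --line-numbers: num pkts bytes target prot opt in out src dst ...
        target = $4; iface_in = $7; iface_out = $8
        if ((chain == "INPUT" || chain == "FORWARD") && target == "eth-in" && iface_in == "eth0")
            jump_in[chain] = 1
        if ((chain == "FORWARD" || chain == "OUTPUT") && target == "eth-out" && iface_out == "eth0")
            jump_out[chain] = 1
        if (chain == "eth-in" && target == "ACCEPT" && /RELATED,ESTABLISHED/)
            has_state = 1
    }
    END {
        bad = 0
        if (policy["INPUT"] != "DROP")   { print "INPUT policy is not DROP"; bad = 1 }
        if (policy["FORWARD"] != "DROP") { print "FORWARD policy is not DROP"; bad = 1 }
        if (!jump_in["INPUT"])    { print "INPUT does not jump to eth-in for eth0"; bad = 1 }
        if (!jump_in["FORWARD"])  { print "FORWARD does not jump to eth-in for eth0"; bad = 1 }
        if (!jump_out["FORWARD"]) { print "FORWARD does not jump to eth-out for eth0"; bad = 1 }
        if (!jump_out["OUTPUT"])  { print "OUTPUT does not jump to eth-out for eth0"; bad = 1 }
        if (!has_state) { print "eth-in has no ESTABLISHED,RELATED rule"; bad = 1 }
        if (!bad) print "ruleset matches the expected layout"
        exit bad
    }'
}

# Run the check against the constructed sample.
check_sample() { printf '%s\n' "$SAMPLE_LISTING" | check_listing; }
```

On the real machine: `iptables -t filter -n -L -v --line-numbers | sh -c '. ./check.sh; check_listing'`. Note that FORWARD shows eth-out above eth-in: both were inserted with -I, and the later insert lands on top.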

You can also set up IP forwarding and port forwarding, but I don't need them at this time. I will do it when the need arises.

05/18/2002

When you try to use ftp with these settings, it stops on entering PASV mode. In PASV mode, after the control connection on port 21 is established, the data transfer is set up on a port above 1024, so it becomes a new connection and is rejected. To use ftp in PASV mode you need the ip_conntrack_ftp module loaded. Add the line
above ip_conntrack ip_conntrack_ftp
to /etc/modules.conf; then it is loaded at boot and ftp can be used.

11/14/2003




Modified date:05/16/2004, 14:03:33