
Simple problem with ....

Status
Not open for further replies.

FredrikN

Programmer
Jan 5, 2001
60
SE
Hi, I'm trying to write an Online Firewall creator but I have one problem.

This will fix Masq and Forwarding

echo '1' > /proc/sys/net/ipv4/ip_forward                               # turn on routing between interfaces
/sbin/iptables --table nat --append POSTROUTING -o eth1 -j MASQUERADE   # NAT everything that leaves via eth1
/sbin/iptables --append FORWARD --in-interface eth0 -j ACCEPT           # forward anything that arrives on eth0


But the problem is that anything from eth1 (LAN) will be accepted
out to the Internet.

I want to enable Masq and Forwarding AND by default deny everything from eth1.

And then I want to open up some selected ports, UDP and TCP.

I have been reading some docs but can't figure it out.

Does anyone have a clue?

 
Okay..
You are coding a cgi for scenario based firewall sets?
That's a neat idea, I've had it before but was too lazy
to code it ;).

The first thing I would do is define the level for your
rules, casual rules, medium security, lockdown, etc..

From the above I can't tell if you are thinking that this
is a general solution for all seasons.

For my rulesets I will do a basic masq but define it
by protocol and by source/dest. I will also create a logchain
and stateful chain for certain situations. My forwarding rules
save me most worries about overall security anyway.

I could add this rule:
eval $cmd -t nat -A POSTROUTING -s $loc_net -o eth1 -j MASQUERADE
#end masquerading rules.
#dnat redirect
And this one..
eval $cmd -t nat -A PREROUTING -i eth1 -p tcp --syn --dport 80 -j DNAT --to-destination x.x.x.x:8015
etc..

But if my forwarding rules look like:
##################################################
(POLICY:DROP)
eval $cmd -A FORWARD -s $loc_net -d 0/0 -o eth1 -j ACCEPT
eval $cmd -A FORWARD -s ! $loc_net -d $loc_net -p tcp --dport 1024:5800 -j ACCEPT
eval $cmd -A FORWARD -s ! $loc_net -d $loc_net -p icmp -j ACCEPT
eval $cmd -A FORWARD -s ! $loc_net -d $loc_net -p udp --dport 1024:5800 -j ACCEPT
eval $cmd -A FORWARD -s ! $loc_net -d $loc_net -p tcp --dport 30000:65000 -j ACCEPT
eval $cmd -A FORWARD -s ! $loc_net -d $loc_net -p udp --dport 30000:65000 -j ACCEPT
#######################################################
The dnat rule is broken.

You can either use OUTPUT rules for your situation,
FORWARD rules, or a custom chain eval'd in one or both.




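The approach described in the two posts above (masquerade only the local range, set the FORWARD policy to DROP, then open selected TCP/UDP ports from the LAN outward) as an added example; this is not code from the thread or from FredrikN's project. It follows the interface roles in the first post's rules (eth0 toward the LAN, eth1 toward the Internet) and uses a constructed LAN range of 192.168.1.0/24; the conntrack match and the LOG target are standard iptables modules. Instead of running iptables it prints the commands, so the output can be reviewed before being run as root and the generator can be tested without privileges. It goes a little beyond the question by accepting a whole list of tcp:PORT / udp:PORT specs, including port ranges such as tcp:1024:5800, which is the shape a firewall-script generator needs.

```shell
#!/bin/sh
# Added example (not code from the thread): prints a default-deny FORWARD
# ruleset with masquerading for a two-interface box.
# Assumptions: eth0 = LAN side, eth1 = Internet side (as in the first post),
# LOC_NET is a constructed sample range. Override any of these via environment.

IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LOC_NET="${LOC_NET:-192.168.1.0/24}"   # constructed LAN range

# check_spec PROTO:PORT -> 0 if PROTO is tcp/udp and PORT is a number or a
# numeric range like 1024:5800; otherwise prints a message and returns 1.
check_spec() {
    proto="${1%%:*}"
    port="${1#*:}"
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol in '$1' (use tcp:PORT or udp:PORT)" >&2; return 1 ;;
    esac
    case "$port" in
        ""|*[!0-9:]*) echo "bad port in '$1'" >&2; return 1 ;;
    esac
    return 0
}

# gen_rules "tcp:80 tcp:443 udp:53 tcp:1024:5800"
# Prints the complete ruleset to stdout. Validates every spec first, so a bad
# entry produces no partial ruleset: it prints nothing and returns 1.
gen_rules() {
    for spec in $1; do
        check_spec "$spec" || return 1
    done
    # Enable routing, start from a clean FORWARD chain and make DROP the default:
    # anything not explicitly allowed below never crosses the box.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "$IPT -t nat -F"
    echo "$IPT -F FORWARD"
    echo "$IPT -P FORWARD DROP"
    # Masquerade the LAN range only, not everything that happens to leave eth1.
    echo "$IPT -t nat -A POSTROUTING -s $LOC_NET -o $WAN_IF -j MASQUERADE"
    # Replies to connections we allowed may come back; unsolicited inbound
    # traffic has no matching state and falls through to the DROP policy.
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One rule per opened port: new connections from the LAN toward the Internet.
    for spec in $1; do
        proto="${spec%%:*}"
        port="${spec#*:}"
        echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LOC_NET -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate limited) what is about to hit the DROP policy, for debugging.
    echo "$IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
}

# Usage: sh fwgen.sh "tcp:80 tcp:443 udp:53" > rules.sh ; review rules.sh ; sudo sh rules.sh
gen_rules "${1:-tcp:80 tcp:443 udp:53}"
```

Because the policy is DROP and only LAN-sourced NEW connections on the listed ports are accepted, a host on eth1 cannot open connections into the LAN, and a LAN host cannot reach ports that were not listed; the LOG rule shows which packets are being refused while the port list is being tuned.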
 
Okay, thanks

Will take a look at it :)

Anyway, here is my project, but remember it's still beta; if you have any suggestions, you are welcome :)


//FredrikN
 