iptables - TechRepublic
General discussion
December 20, 2001 at 01:10 AM
vze2f6h6

iptables

by vze2f6h6. Updated 24 years, 6 months ago

I have 3 machines. One is the firewall (RH7.1) and the others sit behind it. One runs win2k and the other RH7.1 also. I have everything working except two things. I can’t ssh from my firewall to my main RH machine. I can go from my main machine to the firewall. The other problem is that the firewall doesn’t forward port 80 to my main machine which runs apache. I am new to setting up firewalls. I took one from the net and modified it a little, and I don’t know if I am missing something or not. Here is the code.
#!/bin/bash

# flush all chains in the filter and nat tables and reset the counters
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

# set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# enable ip forwarding
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

# start masquerading traffic that leaves on the dial-up interface
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s ! 192.168.0.0/24 -j DROP

# make sure NEW tcp connections are SYN packets
iptables -A INPUT -i ppp0 -p tcp ! --syn -m state --state NEW -j DROP

## Fragments (log, then drop)
iptables -A INPUT -i ppp0 -f -j LOG --log-prefix "IPTABLES FRAGMENT:"
iptables -A INPUT -i ppp0 -f -j DROP

# make sure new tcp connections are syn packets (same rule as above, harmless duplicate)
iptables -A INPUT -i ppp0 -p tcp ! --syn -m state --state NEW -j DROP

# WWW: the firewall's own outbound http/https
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# DNAT: send inbound port 80 arriving on ppp0 to the internal apache host
iptables -A PREROUTING -t nat -p tcp -i ppp0 --dport 80 -j DNAT --to 192.168.0.3:80

any suggestions?
Thanks

Oh, and I can hit the apache server from my win2k machine.
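The script above has a default DROP policy on OUTPUT and INPUT but never accepts ESTABLISHED/RELATED traffic on those chains, so the firewall's own connections to the LAN (such as ssh to the main machine) have no rule that lets the outgoing SYN or the replies through; and a DNAT in the nat table only rewrites the destination, the rewritten packet still has to be accepted by a FORWARD rule. The following is an added example of a stateful ruleset built around those two points; it is not the poster's script and not from TechRepublic. It takes ppp0, 192.168.0.0/24 and 192.168.0.3 from the post and assumes eth0 as the name of the LAN interface (override with LAN_IF=...). Run it as `sh fw.sh apply` to load the rules; with no argument it only prints the iptables commands it would run, which is useful for reviewing a ruleset before touching a remote box.

```shell
#!/bin/bash
# Added example, not the poster's script. Assumes ppp0 is the dial-up link
# (from the post), eth0 is the LAN interface (assumption), the LAN is
# 192.168.0.0/24 and the apache host is 192.168.0.3 (both from the post).
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"      # assumption: name of the internal NIC
LAN_NET="192.168.0.0/24"
WEB_HOST="192.168.0.3"

load_rules() {
    $IPT -F
    $IPT -X
    $IPT -Z
    $IPT -t nat -F

    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # loopback and already-tracked connections are accepted on every chain;
    # without these, replies to the firewall's own connections are dropped
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # the firewall may open new connections towards the LAN (ssh to the main box)
    $IPT -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -m state --state NEW -j ACCEPT
    # LAN hosts may ssh to the firewall; nothing else reaches the firewall itself
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # the firewall's own http/https browsing via the dial-up link
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 443 -m state --state NEW -j ACCEPT

    # NEW tcp that is not a SYN is bogus; fragments are logged, then dropped
    $IPT -A INPUT -i "$WAN_IF" -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A INPUT -i "$WAN_IF" -f -j LOG --log-prefix "IPTABLES FRAGMENT:"
    $IPT -A INPUT -i "$WAN_IF" -f -j DROP

    # LAN -> internet through masquerading; only LAN sources are forwarded out
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # port forward: DNAT rewrites the destination, and a matching FORWARD rule
    # must accept the rewritten packet (only port 80, only to the web host)
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST:80"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_HOST" --dport 80 -m state --state NEW -j ACCEPT
}

# dry run: print the commands instead of executing them
dump_rules() {
    ( IPT="echo iptables"; load_rules )
}

if [ "${1-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    load_rules
else
    dump_rules
fi
```

The FORWARD chain here is deliberately narrower than the original's blanket `-d 192.168.0.0/24 -j ACCEPT`: only replies, LAN-originated connections, and port 80 to the web host are forwarded, so the DNAT is the single path from the outside into the LAN.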

This discussion is locked
