Steve Nold
New Member

Need ipchains help

I'm trying to use a RedHat 7.2 box with ipchains to accomplish two things:

1 - Act as a firewall in general to deny inbound access to all but very specific services.

2 - Allow me to forward connection attempts to specific services (http, for instance) to a different machine sitting behind the Linux box's second interface.

I have tried all kinds of different ipchains commands with no luck. Can someone help me with the specific syntax of how to accomplish port forwarding with ipchains?

And yes, I've read the ipchains howto, etc., but can't find specific examples of how to get the port forwarding pieces working correctly.

Thanks.
Scott Nelson_1
Occasional Contributor

Re: Need ipchains help

Here is an example where mail (SMTP) packets arriving at external.example.com get forwarded to internal.example.com:

ipmasqadm portfw -a -P tcp -L external.example.com smtp -R internal.example.com smtp

Hope this helps.
Jeffrey S. Sims
Trusted Contributor

Re: Need ipchains help

Steve,

First you would want to define your default policy and judging from your post I would think you wanted to deny everything unless you specifically allow it. You would do this by editing the file /etc/rc.d/rc.firewall and putting the following lines at the top.

####Set default policy to deny ####
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT

Now all your network traffic is blocked and you have to decide what you want to enable.

You may want to create some variables in this file to eliminate having to type numbers repeatedly. Some examples would be:

EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"

IPADDR="your.ip.address"
ANYWHERE="any/0" #match any IP address
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"


Anyway, after you have all the variables you need or want then you can start enabling what you want to let through.

To allow you to run any local network service you choose, you have to enable unrestricted loopback traffic. Do this by entering:

ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

Now you need to accept traffic for the services that you want to offer. To receive mail sent to this machine from an external address you would use:

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $UNPRIVPORTS -d $IPADDR 25 -j ACCEPT

OK, well, this should at least get you going and let you see the syntax for the ipchains commands that you will be using. Check out a book called Linux Firewalls by Robert L. Ziegler, ISBN 0-7357-0900-9.

Have fun and hope this helps
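Putting the default-deny skeleton in this reply together with the ipmasqadm portfw line from the earlier one, here is an added example of a complete rc.firewall-style script. It is not from the original thread or from either poster. It assumes eth1 as the internal interface, 203.0.113.10 as the firewall's public address, a 192.168.1.0/24 LAN behind it with a web server at 192.168.1.20, and a dry-run wrapper so the rules can be printed and reviewed before being loaded with --apply as root. Two things the skeleton alone does not show: with the output policy set to REJECT, every inbound service also needs an output rule for its replies (restricted with "! -y" so it cannot be used to open new connections from that port), and a port-forwarded packet has to be let through the input chain on eth0, the forward chain, and the output chain on eth1, with the server's replies coming back the other way.

```shell
#!/bin/sh
# Added example, not from the original thread: an /etc/rc.d/rc.firewall-style
# ipchains ruleset for a RedHat 7.2 box with a default-deny policy, SMTP
# accepted locally, and HTTP port-forwarded with ipmasqadm to a host behind
# the second interface. Interface names, addresses and the dry-run wrapper
# are assumptions for illustration.

# Rules are printed unless the script is run as root with --apply.
DRY_RUN=1
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi

EXTERNAL_INTERFACE="eth0"        # assumed: faces the Internet
INTERNAL_INTERFACE="eth1"        # assumed: faces the protected LAN
LOOPBACK_INTERFACE="lo"
IPADDR="203.0.113.10"            # assumed public address (TEST-NET-3 range)
INTERNAL_NET="192.168.1.0/24"    # assumed LAN behind eth1
WEB_SERVER="192.168.1.20"        # assumed internal HTTP server
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"

# run CMD...: echo the command in dry-run mode; otherwise execute it and
# report (but do not stop on) a failure so the remaining rules still load.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@" || echo "rule failed: $*" >&2
    fi
}

ipchains_rules() {
    # Start from a clean slate and deny everything not explicitly allowed.
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P output REJECT
    run ipchains -P forward REJECT

    # Unrestricted loopback so local services keep working.
    run ipchains -A input  -i "$LOOPBACK_INTERFACE" -j ACCEPT
    run ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT

    # Anti-spoofing: our own addresses must never arrive on the external side.
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$INTERNAL_NET" -j DENY -l
    run ipchains -A input -i "$EXTERNAL_INTERFACE" -s "$IPADDR" -j DENY -l

    # SMTP to this host. The input rule admits the request; because the
    # output policy is REJECT, a matching output rule is needed for the
    # replies. "! -y" lets that rule carry replies but never a new
    # connection (SYN without ACK) originating from port 25.
    run ipchains -A input  -i "$EXTERNAL_INTERFACE" -p tcp -s "$ANYWHERE" "$UNPRIVPORTS" -d "$IPADDR" 25 -j ACCEPT
    run ipchains -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$IPADDR" 25 -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT

    # DNS lookups made by the firewall itself: query out, answer back.
    run ipchains -A output -i "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" 53 -j ACCEPT
    run ipchains -A input  -i "$EXTERNAL_INTERFACE" -p udp -s "$ANYWHERE" 53 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT

    # Port forwarding: HTTP for $IPADDR is handed to $WEB_SERVER. The input
    # chain sees the packet before the destination is rewritten; the forward
    # and output chains see it afterwards, on its way out of eth1 ("-i" in
    # the forward chain is the outgoing interface under ipchains).
    run sysctl -w net.ipv4.ip_forward=1
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$IPADDR" 80 -R "$WEB_SERVER" 80
    run ipchains -A input   -i "$EXTERNAL_INTERFACE" -p tcp -s "$ANYWHERE" "$UNPRIVPORTS" -d "$IPADDR" 80 -j ACCEPT
    run ipchains -A forward -i "$INTERNAL_INTERFACE" -p tcp -d "$WEB_SERVER" 80 -j ACCEPT
    run ipchains -A output  -i "$INTERNAL_INTERFACE" -p tcp -d "$WEB_SERVER" 80 -j ACCEPT

    # The server's replies: in on eth1, masqueraded back to $IPADDR in the
    # forward chain, then out of eth0 with the firewall's address as source.
    run ipchains -A input   -i "$INTERNAL_INTERFACE" -p tcp ! -y -s "$WEB_SERVER" 80 -j ACCEPT
    run ipchains -A forward -i "$EXTERNAL_INTERFACE" -s "$INTERNAL_NET" -j MASQ
    run ipchains -A output  -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$IPADDR" 80 -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
}

ipchains_rules
```

Run it with no arguments to see the rule list, then `sh rc.firewall --apply` as root. If a forwarded connection still does not complete, `ipchains -L -v -n` shows the per-rule packet counters, which is the quickest way to tell which chain is eating the packet; the `-l` on the anti-spoofing rules logs their hits through the kernel log.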
Mark Fenton
Esteemed Contributor
Solution

Re: Need ipchains help

Steve -- I don't think ipchains will be a very satisfying solution for your port redirection issues (though ipmasqadm will handle it OK).

Since you are using RH 7.2, why not try iptables instead? One tool that can accomplish the entire firewalling setup.

Jeffrey's setup for ipchains is a great start, and most of that would be applicable to an iptables configuration as well.

There are several iptables firewall builders available (check out http://freshmeat.net and search on iptables firewall). I'm kind of partial to shorewall, though it is somewhat more difficult to make jump through hoops than some others I've worked with.

If you are still having trouble with specific NAT issues, please post a more detailed description of what it is that's not working.

Best regards.
Mark
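To show what the switch this reply recommends buys you, here is the same policy written for iptables on the 2.4 kernel that ships with RH 7.2, as an added example that is not from the original thread. It keeps the same assumed names (eth0 external, eth1 internal, 203.0.113.10 public address, 192.168.1.0/24 LAN, web server at 192.168.1.20) and the same dry-run wrapper. The difference to notice is that connection tracking (the `state` match) replaces the hand-written reply rules and the `! -y` trick with one ESTABLISHED,RELATED rule per chain, and the port forward is a single DNAT rule in the nat table plus the FORWARD rule that admits the rewritten packet.

```shell
#!/bin/sh
# Added example, not from the original thread: the ipchains policy from the
# earlier reply rewritten for iptables (2.4 kernel): default-deny, SMTP
# accepted locally, HTTP DNATed to a web server behind eth1, LAN
# masqueraded. Interface names, addresses and the dry-run wrapper are
# assumptions for illustration.

DRY_RUN=1
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi

EXT="eth0"                       # assumed external interface
INT="eth1"                       # assumed internal interface
IPADDR="203.0.113.10"            # assumed public address (TEST-NET-3 range)
INTERNAL_NET="192.168.1.0/24"    # assumed LAN behind eth1
WEB_SERVER="192.168.1.20"        # assumed internal HTTP server

# run CMD...: echo in dry-run mode, otherwise execute and report failures.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@" || echo "rule failed: $*" >&2
    fi
}

iptables_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Clean slate in both the filter and nat tables, then default-deny.
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP

    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Connection tracking: anything that belongs to a connection we already
    # accepted is allowed in every chain. This replaces the per-service
    # reply rules and the "! -y" output rules of the ipchains version.
    run iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing on the external side.
    run iptables -A INPUT -i "$EXT" -s "$INTERNAL_NET" -j DROP
    run iptables -A INPUT -i "$EXT" -s "$IPADDR" -j DROP

    # SMTP to this host: only the first packet of a connection needs a rule.
    run iptables -A INPUT -i "$EXT" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # DNS lookups made by the firewall itself.
    run iptables -A OUTPUT -o "$EXT" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # Port forward: rewrite the destination before routing (nat/PREROUTING),
    # then let the rewritten packet through FORWARD. Replies are translated
    # back by connection tracking; no rule is needed for them.
    run iptables -t nat -A PREROUTING -i "$EXT" -p tcp -d "$IPADDR" --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    run iptables -A FORWARD -i "$EXT" -o "$INT" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT

    # LAN hosts may open connections outward and leave with the firewall's
    # address as source.
    run iptables -A FORWARD -i "$INT" -o "$EXT" -s "$INTERNAL_NET" -m state --state NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$EXT" -s "$INTERNAL_NET" -j MASQUERADE
}

iptables_rules
```

`iptables -L -v -n` and `iptables -t nat -L -v -n` show the counters for the filter and nat tables respectively; a DNAT rule whose counter climbs while the FORWARD rule's stays at zero usually means the forwarded packet is being dropped by the FORWARD policy, not by the NAT.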
Steve Nold
New Member

Re: Need ipchains help

Thanks for all the responses. After spending some time with it over the weekend, I've decided to bite the bullet and dive into iptables, since it seems to be more robust than ipchains.

Thanks again, everyone.