Kindly help me to configure that; I am still not able to connect.
I am new to Firewall.
Thanks & Regards
Hi!
I am using Red Hat Linux 4 as my Linux Gateway for my client machines.
I have configured SQUID for monitoring HTTP traffic and am using these three commands to set up NAT:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forw
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
Now my question is that my clients will be able to send mail only when they use my mail server address, i.e., 203.101.80.6.
My iptables file is given below:
But it's not working.
# Firewall configuration written by system-config-securityleve
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:RH-Firewall-1-OUTPUT - [0:0]
-A OUTPUT -j RH-Firewall-1-OUTPUT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
#-A RH-Firewall-1-OUTPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn -s 195.22.3.46 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn -s 195.22.3.138 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state ESTABLISHED -d ! 203.101.80.6 --sport 25 -j DROP
-A RH-Firewall-1-OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -d ! 203.101.80.6 --dport 25 -j DROP
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Kindly help me out.
An early reply will be appreciated.
Thanks & Regards
# Firewall configuration written by system-config-securityleve
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:RH-Firewall-1-OUTPUT - [0:0]
:RH-Firewall-1-FORWARD - [0:0]
-A OUTPUT -j RH-Firewall-1-OUTPUT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-FORWARD
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn -s 195.22.3.46 --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn -s 195.22.3.9 --dport 22 -j ACCEPT
-A RH-Firewall-1-FORWARD -p tcp -i eth0 --dport 25 -j ACCEPT
-A RH-Firewall-1-FORWARD -p tcp -i eth0 --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
This is the iptables file of my machine; after that I run my script having these lines:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forw
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
After that I am able to log in to my Linux machine from these 2 IPs:
195.22.3.9
195.22.3.46
But client machines are not able to connect to the Internet.
Kindly advise.
Thanks & Regards
Do the client machines have their default gateway set to be the inside interface of the Linux Firewall?
Is the DNS on the client machines pointed to the same name server(s) as are found in /etc/resolv.conf on the Linux firewall?
If either of the above is wrong the clients won't be able to connect to any Internet sites.
To block SMTP traffic except to a specific IP you could use a rule like:
iptables -A FORWARD -p tcp -d ! 203.101.80.6 --dport 25 -j DROP
FYI: the firewall that I use can be seen at http://www.entrophy-free.n
If I am using these three commands, without using the firewall, it is configured as a Linux gateway for my client machines:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forw
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
But my problem is that I have to allow only my mail server's SMTP (203.101.80.6) for outgoing mail, but when I configured iptables it stopped my HTTP traffic also.
iptables -A FORWARD -p tcp -d ! 203.101.80.6 --dport 25 -j DROP
I have used this command, but it didn't work. Now I will check the link you have provided me and then let you know.
Thanks for your reply.
Hi!
I have modified the firewall script as mentioned by you; now I am able to SSH and connect to Webmin using port 50000, but my client machines are not able to browse the Internet. My firewall-gw script is given below:
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forw
IPT="/sbin/iptables"
OUTSIDE=eth1
INSIDE=eth0
INSIDE_IP=195.22.3.10
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack
$IPT -N silent
$IPT -A silent -j DROP
$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP
$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 203.101.80.126
#
# To Statically NAT an outside IP (203.101.80.126) to an inside IP (195.22.3.10) you'd
# do something like:
#
$IPT -t nat -A PREROUTING -i $OUTSIDE -d 203.101.80.126 -j DNAT --to-destination 195.22.3.10
$IPT -t nat -A POSTROUTING -o $OUTSIDE -s 195.22.3.10 -j SNAT --to-source 203.101.80.126
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# We've slipped the surly bonds of windows and are dancing on the
# silvery wings of Linux, so don't allow that windows broadcast trash
# to leak out of the firewall.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 195.22.3.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 195.22.3.10
$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 195.22.3.10
#
# Examples of allowing inbound for the port forwarding examples above or for
# allowing access to services running on the firewall
#
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 50000 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the IP to be that of the INSIDE interface
# of the firewall.
#
$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled
I know I have made some stupid mistake in this script; kindly check.
Regards
Again reconfigured file:
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forw
IPT="/sbin/iptables"
OUTSIDE=eth1
INSIDE=eth0
INSIDE_IP=195.22.3.0/255.2
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack
$IPT -N silent
$IPT -A silent -j DROP
$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP
$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 203.101.80.126
#
# To Statically NAT an outside IP (203.101.80.126) to an inside IP (195.22.3.10) you'd
# do something like:
#
$IPT -t nat -A PREROUTING -i $OUTSIDE -d 203.101.80.126 -j DNAT --to-destination 195.22.3.10
$IPT -t nat -A POSTROUTING -o $OUTSIDE -s 195.22.3.10 -j SNAT --to-source 203.101.80.126
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# We've slipped the surly bonds of windows and are dancing on the
# silvery wings of Linux, so don't allow that windows broadcast trash
# to leak out of the firewall.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j REDIRECT --to-port 3128
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 195.22.3.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 195.22.3.10
$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 195.22.3.10
#
# Examples of allowing inbound for the port forwarding examples above or for
# allowing access to services running on the firewall
#
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 50000 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the IP to be that of the INSIDE interface
# of the firewall.
#
$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled
Thanks a lot, the given script worked for me; I have cleared some stupid mistakes made by me.
------------------
#!/bin/sh
#
# Save this in root's home directory as iptables-gw and make it executable
# with 'chmod +x iptables-gw'. Then to install the rule set simply run it
# with './iptables-gw'.
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables save' for RedHat to reinstate at the next
# boot IP forwarding must be enabled by other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
#echo 1 > /proc/sys/net/ipv4/ip_forw
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
# I find it easier to modify this file and run it to change the rulesets,
# rather than modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# The firewall will tend to clutter up a console window with log messages.
# These can be suppressed by editing /etc/sysconfig/syslog and setting:
#
# KLOGD_OPTIONS="-x -c 3"
#
# Author: Jim Levie (jim@entrophy-free.net)
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth0
INSIDE=eth1
INSIDE_IP=195.22.3.0/255.2
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP
$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP
$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
echo 1 > /proc/sys/net/ipv4/ip_forw
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 203.101.80.126
#
# To Statically NAT an outside IP (203.101.80.126) to an inside IP (195.22.3.10) you'd
# do something like:
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -d 203.101.80.126 -j DNAT --to-destination 195.22.3.10
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -s 195.22.3.10 -j SNAT --to-source 203.101.80.126
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# We've slipped the surly bonds of windows and are dancing on the
# silvery wings of Linux, so don't allow that windows broadcast trash
# to leak out of the firewall.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
#
# Examples of allowing inbound for the port forwarding examples above or for
# allowing access to services running on the firewall
#
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 3128 -j ACCEPT
#$IPT -A FORWARD -i $OUTSIDE -p tcp -d ! 203.101.80.6 --dport 25 -j DROP
$IPT -A INPUT -i $OUTSIDE -d ! 203.101.80.6 -p tcp --dport 25 -j DROP
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 50000 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the IP to be that of the INSIDE interface
# of the firewall.
#
$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled
--------------------
But there is only one problem: this rule doesn't work for me.
$IPT -A INPUT -i $OUTSIDE -d ! 203.101.80.6 -p tcp --dport 25 -j DROP
Can you also help me to apply this rule so that only the clients using this SMTP address are able to send mail through my Linux gateway?
Regards
> But my problem is that I have to allow only my mail server SMTP (203.101.80.6) for outgoing mails, but when I configured
# if your mailserver is the firewall itself
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -p tcp --dport 25 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 25 -j ACCEPT
# if your mailserver is not the firewall itself
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -I FORWARD -p tcp -s mailserver-IP --dport 25 -j ACCEPT
iptables -I FORWARD -p tcp -d mailserver-IP --sport 25 -j ACCEPT
# add your other rules as you like/need
Hello:
Thanks for your reply:
Now my script is as below:
#!/bin/sh
IPT="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1
INSIDE_IP=195.22.3.0/255.2
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 203.101.80.126
$IPT -t nat -A PREROUTING -i $OUTSIDE -d 203.101.80.126 -j DNAT --to-destination 195.22.3.10
$IPT -t nat -A POSTROUTING -o $OUTSIDE -s 195.22.3.10 -j SNAT --to-source 203.101.80.126
echo 1 > /proc/sys/net/ipv4/ip_forw
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 50000 -j ACCEPT
$IPT -i FORWARD -p tcp -s 203.101.80.6 --dport 25 -j ACCEPT
$IPT -i FORWARD -p tcp -d 203.101.80.6 --sport 25 -j ACCEPT
But it is still not working; I am getting an error while executing the script:
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Warning: wierd character in interface `-p' (No aliases, :, ! or *).
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Kindly check
Regards
by: jlevie, posted on 2006-01-01 at 20:56:16, ID: 15589646
Restrictions on outgoing connections have to be done via the FORWARD chain. The INPUT chain only affects inbound connections from the Internet or connections to services running on the firewall box.
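An added illustration, not part of the thread or of any participant's code: a small Python model of the routing decision behind this answer, run over constructed traffic to show why the asker's INPUT rule never sees client SMTP while the FORWARD rule does, and why the Squid REDIRECT makes client HTTP land in INPUT instead. The firewall's inside address (195.22.3.10), the client and remote addresses, and the `-i $INSIDE` scoping on the FORWARD rule are assumptions; only the REDIRECT from the nat table is modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Interfaces and addresses as in the asker's final script; INSIDE_IP and the
# client address are assumed values for the model.
OUTSIDE, INSIDE = "eth0", "eth1"
OUTSIDE_IP = "203.101.80.126"
INSIDE_IP = "195.22.3.10"
MAIL_SERVER = "203.101.80.6"

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    in_iface: Optional[str] = None   # -i
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    dst: Optional[str] = None        # -d
    dst_negate: bool = False         # -d ! addr

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # With dst_negate the rule matches only when dst differs from self.dst.
        if self.dst is not None and (p.dst == self.dst) == self.dst_negate:
            return False
        return True

def nat_prerouting(p: Packet) -> Packet:
    # Only the Squid REDIRECT is modelled: nat PREROUTING runs before the
    # routing decision, so redirected HTTP becomes local traffic (INPUT chain).
    if p.in_iface == INSIDE and p.proto == "tcp" and p.dport == 80:
        return Packet(p.in_iface, p.src, INSIDE_IP, 3128, p.proto)
    return p

def verdict(p: Packet, rules: list, policies: dict) -> tuple:
    """(chain, target): routing picks INPUT for a local dst, else FORWARD; the
    first matching rule in that chain decides, otherwise the chain policy."""
    p = nat_prerouting(p)
    chain = "INPUT" if p.dst in (OUTSIDE_IP, INSIDE_IP) else "FORWARD"
    for r in rules:
        if r.chain == chain and r.matches(p):
            return chain, r.target
    return chain, policies[chain]

POLICIES = {"INPUT": "DROP", "FORWARD": "ACCEPT"}      # as in the script
COMMON = [
    Rule("INPUT", "ACCEPT", in_iface=OUTSIDE, proto="tcp", dport=22),
    Rule("INPUT", "ACCEPT", in_iface=INSIDE, dst=INSIDE_IP),
]
# The asker's rule: wrong chain (INPUT) and wrong interface ($OUTSIDE).
BROKEN = COMMON + [Rule("INPUT", "DROP", in_iface=OUTSIDE, proto="tcp",
                        dport=25, dst=MAIL_SERVER, dst_negate=True)]
# The answer's rule, placed in FORWARD and scoped to the inside interface.
FIXED = COMMON + [Rule("FORWARD", "DROP", in_iface=INSIDE, proto="tcp",
                       dport=25, dst=MAIL_SERVER, dst_negate=True)]

# Constructed sample traffic (198.51.100.7 is a documentation address).
CLIENT = "195.22.3.20"
SMTP_ELSEWHERE = Packet(INSIDE, CLIENT, "198.51.100.7", 25)
SMTP_ALLOWED = Packet(INSIDE, CLIENT, MAIL_SERVER, 25)
HTTP_OUT = Packet(INSIDE, CLIENT, "198.51.100.7", 80)
SMTP_TO_GATEWAY = Packet(OUTSIDE, "198.51.100.7", OUTSIDE_IP, 25)

if __name__ == "__main__":
    for name, pkt in [("smtp elsewhere", SMTP_ELSEWHERE), ("smtp to mailserver", SMTP_ALLOWED),
                      ("http via squid", HTTP_OUT), ("smtp to gateway", SMTP_TO_GATEWAY)]:
        print(f"{name:19} broken={verdict(pkt, BROKEN, POLICIES)} fixed={verdict(pkt, FIXED, POLICIES)}")
```

The only packet the asker's INPUT rule ever drops is SMTP aimed at the gateway's own outside address; client SMTP to other hosts passes untouched under the FORWARD policy of ACCEPT.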