Hi Ashley! I believe that another response answers the question that you asked. I have a similar setup here at my house, although maybe a bit more complex. I would be happy to share my rules with you offline and discuss the issues that they are set up to address. If you are interested, send me a personal e-mail.
Stephen

Ashley M. Kirchner wrote:
> Thanks to Stephen earlier, I solved one problem, now I have another. The
> following rules work in that they block everything incoming to the server except for
> those services opened, and it allows traffic back and forth to and from the internal
> network. However, from the internal network, I cannot get onto the server itself.
> What do I have to change or add to make folks on the private network (192.168.1.0/24)
> able to get onto the server itself?
>
> Basically I want only those 4 opened ports from the outside to reach the server,
> but anything from the internal network should be able to reach the server as well
> (and right now nothing does) and be able to go out to the net.
>
> Also, if anyone sees some blatant problem with these rules, please let me know
> since I'm still learning about iptables. My requirements are simple:
>
> From the outside:
> - Drop everything incoming to the server
>   except for ports 21, 22, 25 and 80.
>
> From the inside (private) network:
> - Forward traffic from the inside network to the outside world
> - Allow everything in and out of the server itself
>
> From the server itself:
> - Allow everything/anything to go out to the world.
>
> What'd I forget? Here is the current set of rules:
>
> # Generated by iptables-save v1.2.5 on Sat Jul 6 21:18:47 2002
> *nat
> :PREROUTING ACCEPT [148:20680]
> :POSTROUTING ACCEPT [10:774]
> :OUTPUT ACCEPT [10:774]
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -d ! 192.168.1.0/255.255.255.0 -j SNAT --to-source 12.253.88.33
> COMMIT
> # Completed on Sat Jul 6 21:18:47 2002
> # Generated by iptables-save v1.2.5 on Sat Jul 6 21:18:47 2002
> *filter
> :INPUT DROP [129:18877]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [10881:581839]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
> -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.1.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> COMMIT
> # Completed on Sat Jul 6 21:18:47 2002
>
> --
> H | "Life is the art of drawing without an eraser." - John Gardner
>   +--------------------------------------------------------------------
>   Ashley M. Kirchner <mailto:[EMAIL PROTECTED]>   .   303.442.6410 x130
>   Director of Internet Operations / SysAdmin    .   800.441.3873 x130
>   Photo Craft Laboratories, Inc.                .   3550 Arapahoe Ave, #6
>   http://www.pcraft.com                         .   Boulder, CO 80303, U.S.A.

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
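As an added illustration (not part of this thread and not anyone's posted rules), here is a small first-match simulator for the INPUT chain quoted above: it shows why a new connection from an internal host matches none of the ACCEPT rules (they are all restricted to eth0 or lo) and falls through to the DROP policy, and what changes once a rule for 192.168.1.0/24 is appended. The rule list is a constructed excerpt of the quoted chain (the UDP and tcp-option rules are left out); the fix rule, the LAN interface name eth1 and the sample addresses are assumptions.

```python
import ipaddress

# Constructed excerpt of the quoted INPUT chain (policy DROP); the UDP and
# tcp-option rules are omitted for brevity.
INPUT_RULES = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT",
    "-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT",
    "-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT",
]
# Assumed fix (not from the thread): accept anything sourced from the LAN.
FIX_RULE = "-A INPUT -s 192.168.1.0/24 -j ACCEPT"

# The subset of iptables matches this simulator understands.
OPTS = {"-i": "iface", "-s": "src", "-p": "proto",
        "--dport": "dport", "--state": "state", "-j": "target"}

def parse_rule(line):
    """Extract the supported matches and the target from one -A line."""
    toks = line.split()
    rule = {OPTS[t]: toks[i + 1] for i, t in enumerate(toks) if t in OPTS}
    if "src" in rule:
        rule["src"] = ipaddress.ip_network(rule["src"])
    if "dport" in rule:
        rule["dport"] = int(rule["dport"])
    if "state" in rule:
        rule["state"] = set(rule["state"].split(","))
    return rule

def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins; if nothing matches, the chain policy applies."""
    for r in map(parse_rule, rules):
        if "iface" in r and r["iface"] != pkt["iface"]:
            continue
        if "src" in r and ipaddress.ip_address(pkt["src"]) not in r["src"]:
            continue
        if "proto" in r and r["proto"] != pkt["proto"]:
            continue
        if "dport" in r and r["dport"] != pkt["dport"]:
            continue
        if "state" in r and pkt["state"] not in r["state"]:
            continue
        return r["target"]
    return policy

# Constructed packets; eth1 is assumed to be the LAN-facing interface.
LAN_SSH = {"iface": "eth1", "src": "192.168.1.5", "proto": "tcp", "dport": 22, "state": "NEW"}
WAN_SSH = {"iface": "eth0", "src": "203.0.113.9", "proto": "tcp", "dport": 22, "state": "NEW"}
WAN_DB = {"iface": "eth0", "src": "203.0.113.9", "proto": "tcp", "dport": 3306, "state": "NEW"}
```

Calling `verdict(INPUT_RULES, LAN_SSH)` returns DROP while `verdict(INPUT_RULES + [FIX_RULE], LAN_SSH)` returns ACCEPT; the appended rule does not widen what the outside can reach, since `WAN_DB` still falls to the policy.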