A few basic questions

Posted: 2005/12/13 11:58:10
by dwynter
Hi,

I scanned some of the messages here in the forum and also read the RHEL4 documentation on iptables. But something is not clear to me. In here people are posting traditional iptables config files, but CentOS does not use those in /etc/sysconfig/iptables. It has an abbreviated form. I have a remote server with a public IP and behind it another server on a LAN with MySQL. I want to do two things: connect to port 3306 (MySQL) on that machine on the LAN with my client tools from my machine, and also VNC into that database machine.

I already have VNC connected over SSH into the machine with the public address. I am scared to death of changing the 'non standard' iptables config, as it talks about using "service iptables save", not the traditional method of saving the iptables config file and then "service iptables restart". If I screw up this iptables somehow then it means getting folk to meet me at the hosting centre etc.

So here is my guess at what my RHEL4 version of iptables should look like. Where is the SNAT and DNAT? Where is this form of iptables documented?

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -s eth0 -d 0.0.0.0/0 -j DROP
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

These would seem to be a good idea too:
-A RH-Firewall-1-INPUT -i eth1 -s eth0 -d 0.0.0.0/0 -j DROP
-A RH-Firewall-1-INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

I need to add, in traditional iptables terms, the NAT stuff and these other FORWARD rules, which were suggested elsewhere, I assume to allow VNC to operate to the remote machine.

$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -j DROP
$IPTABLES -t nat -A PREROUTE -s 82.108.5.145 -i eth0 --dport 3306
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to eth0

Thx.

David

Re: A few basic questions

Posted: 2005/12/13 12:39:08
by dwynter
Thinking about this a bit further (but I have not found any real info on the abbreviated form of iptables that RHEL uses), can I do this, and will it achieve my aim of VNC to the machine on the LAN and open port 3306 to that same machine?

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:RH-PREROUTE - [0:0]
:RH-POSTROUTE - [0:0]
-A PREROUTING -j RH-PREROUTE
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A POSTROUTING -j RH-POSTROUTE
-A RH-PREROUTE -t nat -A PREROUTE -s 82.108.5.145 -i eth0 --dport 3306
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -s eth0 -d 0.0.0.0/0 -j DROP
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-POSTROUTE -t nat -A POSTROUTING -o eth0 -j SNAT --to eth0
COMMIT

I am guessing that the PREROUTING and POSTROUTING keywords exist as they are the names of the tables. But I won't try any of this until someone more knowledgeable can assure me it will not screw up my access to my machines.

Thx.

David

Re: A few basic questions

Posted: 2005/12/15 13:18:17
by dwynter
Now I have found out that the iptables script in /etc/init.d runs the iptables-restore command when you start iptables; this seems to require the abbreviated form of iptables in /etc/sysconfig, which is produced by the command iptables-save. The problem I have is that I need to add a couple of rules, and iptables-save basically seems to strip them out when it saves! This seems crazy to me; why have an abbreviated form that cannot cope with some rules? Here are the additional rules.

$IPTABLES -t nat -I PREROUTING -p tcp -d $EXTIP -s $MYIP -i $EXTIF \
-m multiport --dport 722,3306,3307 -j DNAT --to $DB1IP

$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $DB1IP \
-m multiport --dport 722,3306,3307 -m state --state NEW -j ACCEPT

So how do you get CentOS 4 to use a standard iptables script rather than the abbreviated form? I have tried the iptables IRC; more people are logged in there than on any IRC I have been on, and yet they are all asleep or don't care.

David
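As an added example (not posted by anyone in this thread), this sh script writes the two-table file that /etc/sysconfig/iptables actually holds: the DNAT and SNAT rules from the second and third posts go in a *nat section and the FORWARD rules in *filter, each section closed by its own COMMIT, which is what the second post's layout (PREROUTING and POSTROUTING chains declared inside *filter) gets wrong. Interface names and the public, admin and DB addresses are placeholders passed as arguments, and check_rules is a hypothetical sanity check written for this example, not part of the iptables tooling.

```shell
#!/bin/sh
# Added example: build /etc/sysconfig/iptables in the iptables-save format.
# Arguments (all placeholders): EXTIF INTIF EXTIP ADMIN_IP DB1IP
gen_iptables_save() {
    extif=$1 intif=$2 ext_ip=$3 admin_ip=$4 db1ip=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT belongs in the nat table's PREROUTING chain; only the admin IP may reach the DB host
-A PREROUTING -i $extif -p tcp -s $admin_ip -d $ext_ip -m multiport --dports 722,3306,3307 -j DNAT --to-destination $db1ip
# give the LAN host outbound access using the public address as source
-A POSTROUTING -o $extif -j SNAT --to-source $ext_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# by the time FORWARD sees the packet its destination is already rewritten to the DB host
-A FORWARD -i $extif -o $intif -p tcp -s $admin_ip -d $db1ip -m multiport --dports 722,3306,3307 -m state --state NEW -j ACCEPT
-A FORWARD -i $intif -o $extif -j ACCEPT
COMMIT
EOF
}

# Hypothetical sanity check on stdin: every *table block must end in COMMIT,
# and the nat-only chains must not be declared inside *filter. Exit 0 when clean.
check_rules() {
    awk '
        /^\*/      { if (tbl != "") bad++; tbl = substr($0, 2); next }
        /^COMMIT$/ { if (tbl == "") bad++; tbl = ""; next }
        /^:/       { chain = substr($1, 2)
                     if (tbl == "filter" && (chain == "PREROUTING" || chain == "POSTROUTING")) bad++ }
        END        { if (tbl != "") bad++; exit bad }
    '
}

# Usage with constructed placeholder addresses, e.g.:
#   gen_iptables_save eth0 eth1 203.0.113.5 198.51.100.7 10.0.0.5 > /tmp/iptables.new
#   check_rules < /tmp/iptables.new && iptables-restore < /tmp/iptables.new
```

INPUT here admits only SSH, so add the other services from the first post's rule set before loading it, and keep an existing SSH session open while you test so a mistake does not cost you the box.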

A few basic questions

Posted: 2005/12/18 16:47:30
by theorist
I always use my own script to write and debug the firewall rules. It's just a simple sequence of iptables commands and was originally based on one of the "TrinityOS" example firewalls: http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c.html.
Then, when I am happy with my firewall, I simply run the
/etc/init.d/iptables save
command, and it saves the present rule set to its own internal form (which you have found). Then
/etc/init.d/iptables start
(as usually run on boot) will use my set of firewall rules.

Re: A few basic questions

Posted: 2006/03/14 16:41:27
by miah
N/M