Original post:

I could not solve a just simple problem with Fedora Core: make a SIMPLE Fedora box to use as a dual-homed firewall. I have a comprehensive background in firewalling and a theoretical knowledge of iptables, but the solution is not so obvious.

redhat-config-network (I think should be the name for O.S.
bifrost didn't work for me and lacks documentation.
easyfw uses ipfwadmin & ipchains (deprecated).

Anyways, let's begin from the basics since it can be generally useful for anyone needing to build his own firewall.

Fresh installation of Fedora Core (FC5 in my case). GUI (assume eth0 LAN internal and eth1 DMZ/MAN/external): eth1 = 192.168.2.1 or alternatively DHCP. DNS will work one external or the DMZ gateway.

I don't know why my FC5 doesn't recognize iptables, so I have to write the whole path /sbin/iptables.

# Turn on the forwarding (is it necessary?)

From this point I accept every advice from anybody. Let's assume to accept ICMP ping in order to ping from LAN to eth1 (just to see if a server inside the DMZ is up) and port 80 to verify that a request passes correctly from eth0 to eth1 and then outside.

Reply:

Yes, you have to turn on forwarding if you want to route.

By setting INPUT and OUTPUT to DROP with no rules your PC isn't going to work very well. It has to connect to itself through the lo device or everything is going to be very slow.

iptables -A INPUT -i lo -j ACCEPT # You have to have this
iptables -A INPUT -i eth0 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT # Now you can ssh to the firewall
iptables -A INPUT -j LOG --log-prefix "DROPPED INCOMING: " # This will log connect attempts so you know what is going on
iptables -A OUTPUT -o lo -j ACCEPT # You have to have this
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.1.0/24 --sport 22 -j ACCEPT # Now your sshd can talk (answer, source port 22) to internal hosts
iptables -A OUTPUT -j LOG --log-prefix "DROPPED OUTGOING: " # This will log so you know if you are blocking something you don't want to, and if you're exploited

I wouldn't ACCEPT everything through the FORWARD chain, otherwise you are defeating the purpose of building a firewall.

iptables -A FORWARD -i eth0 -o eth0 -j DROP # no roundy rounds
iptables -A FORWARD -i eth1 -o eth1 -j DROP # no roundy rounds
iptables -A FORWARD -i eth0 -o eth1 -p icmp --icmp-type echo-request -j ACCEPT # Now your internal hosts ping outside hosts
iptables -A FORWARD -i eth1 -o eth0 -p icmp --icmp-type echo-reply -j ACCEPT # Now external hosts can reply to pings from your internal hosts
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT # internal hosts > www
iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.1.0/24 --sport 80 -j ACCEPT # www > internal hosts (reply direction: in on eth1, out on eth0)
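The same ruleset as the reply above, written in iptables-restore format so it can be loaded in one step and kept across reboots. This is an added example, not code from either poster; it assumes eth0 is the LAN, eth1 the outside, and 192.168.1.0/24 the internal network, and the log rules are deliberately emitted last so they only see traffic no earlier rule accepted.

```shell
#!/bin/sh
# Added example: emit the reply's ruleset in iptables-restore format
# (the format Fedora keeps in /etc/sysconfig/iptables). Assumed layout:
# eth0 = LAN, eth1 = outside, LAN network 192.168.1.0/24.
LAN_IF=eth0
EXT_IF=eth1
LAN_NET=192.168.1.0/24

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# the box must be able to talk to itself
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ssh to the firewall from the LAN, and sshd's answers (source port 22) back
-A INPUT -i $LAN_IF -p tcp -s $LAN_NET --dport 22 -j ACCEPT
-A OUTPUT -o $LAN_IF -p tcp -d $LAN_NET --sport 22 -j ACCEPT
# LAN -> web, and the web server's answers back (interfaces swapped)
-A FORWARD -i $LAN_IF -o $EXT_IF -p tcp -s $LAN_NET --dport 80 -j ACCEPT
-A FORWARD -i $EXT_IF -o $LAN_IF -p tcp -d $LAN_NET --sport 80 -j ACCEPT
# ping out, echo-reply back in
-A FORWARD -i $LAN_IF -o $EXT_IF -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -i $EXT_IF -o $LAN_IF -p icmp --icmp-type echo-reply -j ACCEPT
# nothing may go back out the interface it came in on
-A FORWARD -i $LAN_IF -o $LAN_IF -j DROP
-A FORWARD -i $EXT_IF -o $EXT_IF -j DROP
# log what falls through; these must stay the last rule of each chain
-A INPUT -j LOG --log-prefix "DROPPED INCOMING: "
-A OUTPUT -j LOG --log-prefix "DROPPED OUTGOING: "
-A FORWARD -j LOG --log-prefix "DROPPED FORWARD: "
COMMIT
EOF
}

# Number of -A rules in the generated set (13 with the layout above).
rule_count() {
    build_ruleset | grep -c '^-A '
}

# To load (as root):      build_ruleset | /sbin/iptables-restore
# To enable routing:      echo 1 > /proc/sys/net/ipv4/ip_forward
```

Loading with iptables-restore replaces the filter table atomically, so the DROP policies and the rules take effect together instead of leaving a window where the policies are DROP and the lo rules are not yet in place.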