From: Charly on 14 Nov 2005 10:44

Hi, I am a newbie but I need to know something I think is quite complex.
I need to set up the firewall IPTABLES on CentOS (Red Hat).
I wanted to know:

1) Can I set it up from the conf file? I see on the newsgroup that normally people use the command bar by typing the commands, but I would prefer to do it on the configuration file.

2) I have 2 ethernet interfaces: on eth1 I have the WAN, on eth0 the LAN. I wanted to allow to access FROM the LAN only to a computer with MAC ADDRESS xxxxxx. Could you kindly write me the command I have to put in the conf file? Or better, if you could post a small example... would be great!!!

Thanks :-)
From: jayjwa on 27 Nov 2005 06:41

On 2005-11-14, Charly wrote:
> 1) can I setup it from the conf file ? I see on the newsgroup that normally
> people use the command bar by typing the commands, but I would prefer to do
> it on the configuration file.

Well, I put mine in a shell script because there are a lot of commands. I'm assuming this is what you mean by 'conf file'? I called it 'firewall' and it sits in /usr/sbin/firewall. Running it without args gives:

    Iptables Firewall Front-End Script.
    Usage: firewall <command>
    Where <command> is one of:
      start  - Start the firewall with new rules
      stop   - Down the firewall. Defaults to accept all traffic
      save   - Save the current rules to /etc/iptables.site so they may be
               built upon instead of restarting anew each time.
      load   - Loads and uses a previously saved iptables.site for the rule base.
      status - Lists in-use INSPECT or blocking rulesets
      ban    - Instantly ban an IP, host or netblock
    Some commands have aliases. See the script for details.

It's basically a big case statement that looks at the arguments given to the script and then acts on them. To learn how to build good firewalls, look at other examples and read the docs on http://www.netfilter.org/

> 2) I have 2 ethernet: on eth1 I have the wan, on eth0 the lan. I wanted to
> allow to access FROM the LAN only to a computer with MAC ADDRESS xxxxxx. Could
> you write me kindly the command I have to put in the conf file ? Or better
> if you could post a small example... would be great !!!

Matching by MAC address is with libipt_mac.so, used like -m mac. On my machine iptables modules are in /usr/lib/iptables. Basically they're called with the -m switch on the filename, minus the "libipt_" part and ".so" part. Try

    iptables -A INPUT -m mac -h

    MAC v1.3.3 options:
     --mac-source [!] XX:XX:XX:XX:XX:XX
                                   Match source MAC address

That should work for almost all the modules; iptables -A INPUT -m (name of the module) -h gives options.

Interfaces are selected with the -i option, source with -s, destination with -d. Start first by dealing with only the INPUT and OUTPUT chains until you get a feel for them.

    iptables -A INPUT -i eth0 -m mac --mac-source XX:XX:XX:XX:XX:XX

would mean match the packets coming in on eth0 with a source MAC of XX:XX:XX:XX:XX:XX, and place that rule (Append) onto the rules we already have on the INPUT table. You can then choose what to do with the packet: -j LOG to log it, -j REJECT to reject it, -j DROP to drop it, -j ACCEPT to accept it, and so on.

-- 
::[ATr2 RG 2005]::
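Putting jayjwa's pieces together, here is an added example script for this thread (it is not jayjwa's own /usr/sbin/firewall, which was never posted): the case-statement front-end with start/stop/status/ban, building Charly's rule the way jayjwa describes it, -i eth0 to pick the LAN side, -m mac --mac-source for the one allowed host, then -j LOG and -j DROP for everything else arriving on that interface. The interface names, the MAC 00:11:22:33:44:55, the IPTABLES=echo dry-run switch and the two WAN lines (which the thread does not cover) are assumptions of the example. Two points the thread does not spell out: iptables stops at the first matching rule, so the ACCEPT must be appended before the DROP; and a source MAC is only visible from the directly attached segment and is chosen by the sender, so this is a convenience filter for the LAN, not authentication of the host.

```shell
#!/bin/sh
# firewall - a small iptables front-end in the style jayjwa describes.
# Added example for this thread, not jayjwa's script.
# Assumptions (hypothetical): LAN on eth0, WAN on eth1, and a single LAN
# host with the constructed MAC 00:11:22:33:44:55 allowed to reach this box.
# Set IPTABLES=echo to print the commands instead of applying them.

LAN_IF="eth0"
WAN_IF="eth1"
ALLOWED_MAC="00:11:22:33:44:55"   # constructed sample value

# Every rule goes through this wrapper so a dry run is one variable away.
ipt() { "${IPTABLES:-iptables}" "$@"; }

usage() {
    cat <<'EOF'
Usage: firewall <command>
  start      - flush INPUT and load the LAN MAC rules
  stop       - flush INPUT and fall back to accepting everything
  status     - list the INPUT chain with counters and rule numbers
  ban <addr> - drop everything from an IP or netblock, e.g. ban 192.0.2.7
EOF
}

# INPUT rules, one per line, in append order. Order matters: iptables stops
# at the first matching rule, so the ACCEPT for the allowed MAC has to be
# appended before the catch-all LOG and DROP for the LAN interface.
# The two WAN lines are not from the thread; they keep replies to this box's
# own outbound connections working while unsolicited WAN traffic is dropped.
input_rules() {
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -m mac --mac-source $ALLOWED_MAC -j ACCEPT
-A INPUT -i $LAN_IF -j LOG --log-prefix LAN-DENIED:
-A INPUT -i $LAN_IF -j DROP
-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -j DROP
EOF
}

fw_start() {
    ipt -F INPUT
    ipt -P INPUT ACCEPT
    input_rules | while read -r rule; do
        # shellcheck disable=SC2086   # splitting the rule into words is intended
        ipt $rule
    done
}

fw_stop() {
    ipt -F INPUT
    ipt -P INPUT ACCEPT
}

fw_status() { ipt -L INPUT -v -n --line-numbers; }

# Insert at position 1 so a ban wins even over the MAC ACCEPT above.
fw_ban() { ipt -I INPUT 1 -s "$1" -j DROP; }

case "${1:-}" in
    start)  fw_start ;;
    stop)   fw_stop ;;
    status) fw_status ;;
    ban)    [ -n "${2:-}" ] || { usage; exit 1; }; fw_ban "$2" ;;
    "")     usage ;;
    *)      usage; exit 1 ;;
esac
```

Run it as `IPTABLES=echo sh firewall start` first to see the exact iptables commands it would issue, then as root without the variable; `firewall status` shows rule numbers and counters, which is the quickest way to confirm that the LOG/DROP lines are counting the traffic you expect and the ACCEPT line sits above them.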
From: Enrique Perez-Terron on 27 Nov 2005 13:57

On Mon, 14 Nov 2005 16:44:27 +0100, Charly <NOSPAMMMMM(a)SPM.spc> wrote:
> Hi, I am a newbie but I need to know something I think is quite complex.
> I need to set up the firewall IPTABLES on CentOS (Red Hat).
> I wanted to know:
> 1) can I set it up from the conf file ? I see on the newsgroup that normally
> people use the command bar by typing the commands, but I would prefer to do
> it on the configuration file.

If CentOS is similar to Red Hat, then there is a tool, /usr/bin/system-config-securitylevel, you should use to set up a first approximation to what you want.

No, and yes, there is (not) a config file. Confused?

You set up the firewall using command line commands. (Write them into a script.) Then you save the state of the firewall to a file, which is used to restore the state on each reboot. This file is kind of a config file. But read on.

If CentOS is still similar to Red Hat/Fedora, saving the state of the firewall is done with the command

    service iptables save

The tool mentioned above will do this for you, but you need to do this again manually after you tweak the firewall manually.

You do not need to issue any commands to restore the saved state on boot. When the computer boots, the init program will run the equivalent of

    service iptables start

The "service" command in turn does "bash /etc/rc.d/init.d/iptables start" or "... save". If you read the bash script, you will find that the state file is /etc/sysconfig/iptables. This is a text file and you can inspect it. It is not quite the same format as the corresponding command line commands, but not very different either.

You will also find that there is another config file, /etc/sysconfig/iptables-config, but this contains very little information. You can learn from it that if you tweak the firewall and then restart iptables (or reboot) without saving, you lose the tweaks.

This is a good idea, for when you tweak the firewall, it takes effect immediately, and there is no need to restart. Use save when you are satisfied, restart if you regret and want to start over from the last (presumably good) saved config.

The saving of state is done with a program called /sbin/iptables-save; the converse is, you guessed it, /sbin/iptables-restore.

> 2) I have 2 ethernet: on eth1 I have the wan, on eth0 the lan. I wanted to
> allow to access FROM the LAN only to a computer with MAC ADDRESS xxxxxx. Could

Every rope has two ends and either end is "the end" of it. Almost nobody seems to be capable of expressing directions unambiguously. It may be quite likely that you mean one way, but it is not impossible that you mean the opposite.

May I presume that you mean you want to give *your permission* to this MAC-address-equipped computer to access the Linux box, which of course has an entirely different MAC address, and you want the permission to be applicable only if the access is routed directly through the LAN? (As if this MAC-address-xxxxx computer has another WAN access and could access your Linux box looping back through the internet and the first WAN?)

Or should I presume that the computer you are configuring happens to be the one having MAC address xxxxxx on its LAN interface, and you want to allow anything on the LAN to access the computer you are configuring, but only anything on the LAN, nothing on the WAN?

Look at your grammar; that is the source of the ambiguity. You use the word "to" in a couple of places, but it is not clear if "to" gives the direction of the permission assignment or the direction of the access. I'm not a native English speaker, but to me "wanted to allow to access to" does not parse. Try "wanted to allow access to X" or "wanted to allow Y to access X". You also have the word "from", but you attach it to the LAN, not to a device where the access would really originate.

Since both the accessor and the accessed are on the LAN, it does not help much. Access from the LAN to... To what? Access from anything on the LAN to the computer with this MAC address? But does it make sense? How will you control that using iptables on a Linux box sitting... Where? Is the Linux box somehow intermediate here? Or is the Linux box the same as the one with the MAC address? In the latter case, why do you use the word "a"? "The" would be more appropriate. Since we have been talking about iptables all the time, the computer running iptables has been part of the equation all the time. Then "a computer" is another computer. Or will you only allow the Linux box to access the owner of MAC address xxxxxx (and disallow everything else)? But that would be access from the Linux box to the mac-xxxxxx box, not "from the LAN"?

You use the word "only". Do you mean "from the LAN only", or "only to a computer with MAC address xxxxxx"? A comma before or after "only", even if a bit artificial, would help grouping the words one way or the other.

This rant is only to remind you that the iptables command language allows you to formulate rules relative to the MAC address of either end of an exchange, and depending on circumstances, both things may make sense. People tend to formulate the rules relative to the interface (eth0, eth1, ppp0, etc.) rather than the MAC address of the local interfaces, but if you move the NICs around (like I did when I got worried about the airflow around a video card that was always very hot), then the cards may change interface name. Still, if they are different models, you may tend to stick the same cables in the same card as before.... You get the picture?

> you write me kindly the command I have to put in the conf file ? Or better
> if you could post a small example... would be great !!!

Start here:

    http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-5.html

and continue here:

    http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-9.html

Notice that some of the commands in the latter are actually the same as in the former, just that the former says "if OK, accept, otherwise drop," and the latter says "if not OK, drop, otherwise accept." If you use system-config-securitylevel, you will have implemented the advice on these two pages. Once this is in order, you can turn to the start of the document and get a broader understanding.

-Enrique
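To make Enrique's "not quite the same format, but not very different" concrete, here is an added example (it is not Red Hat's init script and not iptables-save output copied from a real machine): the LAN MAC rule from this thread written in the iptables-save/iptables-restore format that service iptables save stores in /etc/sysconfig/iptables, beside a structural check worth running on any hand-edited state file before iptables-restore reads it. iptables-restore applies a table only when it reaches that table's COMMIT line, so a truncated or mis-edited file quietly loses rules; the check catches that. The interface name and the MAC are hypothetical values constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not Red Hat's init script and not real
# iptables-save output): the LAN MAC rule in the state-file format that
# "service iptables save" writes to /etc/sysconfig/iptables, plus a check
# to run on a hand-edited file before feeding it to iptables-restore.
# Interface name and MAC are hypothetical, constructed for the example.

LAN_IF="eth0"
ALLOWED_MAC="00:11:22:33:44:55"   # constructed sample value

# Differences from the command lines: no leading "iptables", a "*table"
# header, a ":CHAIN POLICY [packets:bytes]" line per built-in chain, and a
# COMMIT that closes each table. The rule lines are the same -A ... text.
render_state_file() {
    cat <<EOF
# hand-written in iptables-save format
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -m mac --mac-source $ALLOWED_MAC -j ACCEPT
-A INPUT -i $LAN_IF -j LOG --log-prefix LAN-DENIED:
-A INPUT -i $LAN_IF -j DROP
COMMIT
EOF
}

# Structural check: each *table must be closed by COMMIT, policy and rule
# lines must sit inside a table, and nothing else is allowed. Exit status 0
# means the file is well-formed. iptables-restore only applies a table when
# it reaches that table's COMMIT, so a truncated file silently loses rules.
check_state_file() {
    awk '
        /^#/ || /^[ \t]*$/ { next }
        /^\*/       { if (open) bad++; open = 1; tables++; next }
        /^COMMIT$/  { if (!open) bad++; open = 0; next }
        /^:/        { if (!open) bad++; next }
        /^-A /      { if (!open) bad++; next }
                    { bad++ }
        END { exit !(bad == 0 && open == 0 && tables > 0) }
    ' "$1"
}

# Write the state file and refuse to leave a broken one behind.
save_state_file() {   # save_state_file /path/to/file
    render_state_file > "$1" || return 1
    if check_state_file "$1"; then
        return 0
    fi
    rm -f "$1"
    return 1
}

# Usage: sh mkstate.sh /tmp/iptables.site && iptables-restore < /tmp/iptables.site
if [ -n "${1:-}" ]; then
    save_state_file "$1" && echo "wrote $1"
fi
```

Write to a scratch path first, then load it with iptables-restore and compare `iptables-save` against your file; once the two agree, copying the file to /etc/sysconfig/iptables gives the same result as Enrique's service iptables save, and the check above is cheap insurance every time the file is edited by hand.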