Netfilter
Chains (built-in chains of the filter table; each chain is a list of rules)
* INPUT
* FORWARD
* OUTPUT
ipchains
* For Linux 2.2 kernels.
* Packets destined for locally running daemons: input.
* Packets from a remote host that this machine forwards on to another host: input, forward, output (all three chains see them).
* Packets from locally running daemons: output.
iptables
* For Linux 2.4 or later kernels.
* /sbin/iptables (the binary), /etc/init.d/iptables (the service script), /etc/sysconfig/iptables (the saved rules on Red Hat-style systems).
* Packets destined for locally running daemons: INPUT only.
* Packets from a remote host that this machine forwards on to another host: FORWARD only (unlike ipchains, forwarded packets never pass through INPUT or OUTPUT, so a rule in INPUT does not protect hosts behind the router).
* Packets from locally running daemons: OUTPUT.
# Clear all rules in the filter table
iptables -F

# Default policy for INPUT: drop anything no rule accepts
iptables -P INPUT DROP

# Allow FTP (control connection, port 21). Option by option:
#   -A INPUT             append a new rule to the INPUT chain
#   -i eth0              applies only to packets arriving on eth0
#   -p tcp               applies only to TCP
#   -s 0/0               any source address (0/0 is shorthand for 0.0.0.0/0;
#                        omitting -s means the same)
#   --sport 1024:65535   source port in the unprivileged range
#   -d MY.NET.IP.ADDR    destined for our address
#   --dport 21           destined for port 21
#   -j ACCEPT            if the packet matches, accept it; otherwise the chain
#                        policy (DROP) applies
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d MY.NET.IP.ADDR --dport 21 -j ACCEPT

# Same for the FTP data port (20, active mode)
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d MY.NET.IP.ADDR --dport 20 -j ACCEPT

# Allow passive FTP. Caution: this opens every unprivileged port on the host to
# the whole Internet, not just FTP data connections. A stateful rule using the
# FTP connection-tracking helper (ip_conntrack_ftp / nf_conntrack_ftp) with
# --state RELATED is the safer way to handle passive mode.
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d MY.NET.IP.ADDR --dport 1024:65535 -j ACCEPT

# Allow DNS (UDP for ordinary queries; TCP for large responses and zone transfers)
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 1024:65535 -d MY.NET.IP.ADDR --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d MY.NET.IP.ADDR --dport 53 -j ACCEPT

# Allow Telnet, but only from one administrative host (Telnet is cleartext; prefer SSH)
iptables -A INPUT -i eth0 -p tcp -s 209.100.100.10 --sport 1024:65535 -d MY.NET.IP.ADDR --dport 23 -j ACCEPT

# Allow SSH, only from one administrative host
iptables -A INPUT -i eth0 -p tcp -s 209.200.200.10 --sport 1024:65535 -d MY.NET.IP.ADDR --dport 22 -j ACCEPT

# Allow Email: the reply half of SMTP connections we open to our mail server.
# "! --syn" accepts only packets that are not connection requests, so the mail
# server can answer us but cannot open new connections to our high ports.
iptables -A INPUT -i eth0 -p tcp ! --syn -s EMAIL.NET.IP.ADDR --sport 25 -d MY.NET.IP.ADDR --dport 1024:65535 -j ACCEPT

# Allow HTTP
iptables -A INPUT -i eth0 -p tcp -d MY.NET.IP.ADDR --dport 80 -j ACCEPT

# Allow HTTPS
iptables -A INPUT -i eth0 -p tcp -d MY.NET.IP.ADDR --dport 443 -j ACCEPT

# Allow ICMP (all types)
iptables -A INPUT -i eth0 -p icmp -d MY.NET.IP.ADDR -j ACCEPT

# List all rules (-n: numeric output, no DNS lookups)
iptables -L -n

# Save rules (Red Hat-style init script; writes /etc/sysconfig/iptables)
/etc/init.d/iptables save

# Start / stop the iptables service
service iptables start
service iptables stop
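The allow list above is stateless: the "! --syn" mail rule and the passive-FTP rule accept packets to every unprivileged port because the firewall cannot tell a reply from a new connection. The following script is the same host policy written with connection tracking. It is an added example, not code from the page: replies and FTP data connections are accepted as ESTABLISHED/RELATED, the FTP helper is attached explicitly in the raw table (on current kernels automatic helper assignment is off, so loading nf_conntrack_ftp alone is not enough), the rule set is kept as data so it can be reviewed before it is applied, and Telnet is left out in favour of SSH. The interface name, the host address (an RFC 5737 documentation address) and the admin host are assumed placeholders.

```shell
#!/bin/sh
# Stateful host firewall (added example, not from the page). WAN_IF, MY_IP and
# SSH_ADMIN are assumed placeholder values; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"
MY_IP="${MY_IP:-203.0.113.10}"
SSH_ADMIN="${SSH_ADMIN:-198.51.100.10}"
IPT="${IPT:-/sbin/iptables}"          # IPT=echo prints the commands instead of running them
MODPROBE="${MODPROBE:-/sbin/modprobe}"

# The policy as data, one rule per line; comment lines are stripped.
# host_rules prints it for review, host_apply feeds it to iptables.
host_rules() {
sed -e 's/#.*//' -e '/^[[:space:]]*$/d' <<EOF
# Deny by default. This host does not route, so FORWARD is closed too.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
# Drop packets conntrack cannot classify (bad TCP flags, stray replies).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# One rule replaces the "! --syn" mail rule and the passive-FTP hole:
# replies to anything we opened, plus helper-tracked data connections.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Attach the FTP helper to control connections so passive data
# connections to our high ports are accepted as RELATED, nothing else.
-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# Services offered to the Internet; only the first packet needs a rule.
-A INPUT -i $WAN_IF -p tcp -d $MY_IP --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p udp -d $MY_IP --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -d $MY_IP --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -s $SSH_ADMIN -d $MY_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -d $MY_IP -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# ICMP: rate-limited echo requests; error messages already arrive as RELATED.
-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Log (rate-limited) what falls through to the DROP policy.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix fw-drop:
EOF
}

host_apply() {
    # The helper module must be present for the CT rule to have any effect.
    $MODPROBE nf_conntrack_ftp 2>/dev/null || true
    $IPT -F; $IPT -X; $IPT -t raw -F
    host_rules | while read -r args; do
        # Word splitting is intended: each line is one iptables argument list.
        $IPT $args
    done
}

# Usage: IPT=echo sh firewall.sh (review), then sh firewall.sh as root (apply).
[ "${1:-}" = apply ] && host_apply
```

Review the rule set with `IPT=echo sh firewall.sh apply` before applying it as root; the printed lines are exactly what will be passed to iptables.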
Routing Tables
* Routes added with route or ip live in kernel memory only and are lost at reboot; put them in a startup script to make them permanent.
# Added by the system when a NIC is installed: send the local network's packets out eth0.
# The netmask must match the network address (255.255.0.0 would not for 209.100.100.0;
# the kernel rejects a route whose network bits do not match the mask).
/sbin/route add -net 209.100.100.0 netmask 255.255.255.0 dev eth0

# Forward packets between interfaces (act as a router)
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# Send all packets for the single host 192.168.150.33 via the gateway 172.24.150.1
/sbin/route add -host 192.168.150.33 gw 172.24.150.1

# Send all packets for the 192.168.150.0/24 network via the gateway 172.24.150.1
/sbin/route add -net 192.168.150.0 netmask 255.255.255.0 gw 172.24.150.1

# Unmatched packets go to the default gateway
/sbin/route add default gw 172.24.150.1

# List the routing table
netstat -rn
route -n
ip route list
Sample Routing Script
#!/bin/bash
#
# Packet Handling Service
#
# chkconfig: 2345 55 45
# description: Starts or stops iptables rules and routing

case "$1" in
start)
    # Flush (or erase) the current iptables rules
    /sbin/iptables -F
    /sbin/iptables --table nat --flush
    /sbin/iptables --table nat --delete-chain

    # Enable the loopback device for all types of packets
    # (normally for packets created by local daemons for delivery
    # to local daemons)
    /sbin/iptables -A INPUT -i lo -p all -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -p all -j ACCEPT
    /sbin/iptables -A FORWARD -o lo -p all -j ACCEPT

    # Set the default policies
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -P OUTPUT ACCEPT

    # NAT: rewrite the source address of everything leaving eth0
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # Allow inbound packets from our private network
    # (every packet arriving on eth1 is trusted, whatever source address it carries)
    /sbin/iptables -A INPUT -i eth1 -j ACCEPT
    /sbin/iptables -A FORWARD -i eth1 -j ACCEPT

    # Allow packets back in from conversations we initiated
    # from the private network.
    /sbin/iptables -A FORWARD -i eth0 --match state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow Sendmail and POP (from anywhere, but really what we
    # are allowing here is inbound connections on the eth0 interface).
    # (Sendmail and POP are running locally on this machine.)
    /sbin/iptables -A INPUT --protocol tcp --destination-port 25 -j ACCEPT
    /sbin/iptables -A INPUT --protocol tcp --destination-port 110 -j ACCEPT

    # Routing rules --
    # Route packets destined for the 192.168.150.0 network using the internal
    # gateway machine 172.24.150.1
    /sbin/route add -net 192.168.150.0 netmask 255.255.255.0 gw 172.24.150.1

    # By default, if we don't know where a packet should be sent we
    # assume it should be sent to the Internet router.
    /sbin/route add default gw 209.100.100.1

    # Now that everything is in place we allow packet forwarding.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ;;
stop)
    # Flush (or erase) the current iptables rules
    /sbin/iptables -F

    # Set the default policies back to ACCEPT
    # (This is not a secure configuration.)
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT

    # Remove our routing rules.
    /sbin/route del -net 192.168.150.0 netmask 255.255.255.0 gw 172.24.150.1
    /sbin/route del default gw 209.100.100.1

    # Disable packet forwarding
    echo 0 > /proc/sys/net/ipv4/ip_forward
    ;;
status)
    enabled=`/bin/cat /proc/sys/net/ipv4/ip_forward`
    if [ "$enabled" -eq 1 ]; then
        echo "Running"
    else
        echo "Down"
    fi
    ;;
*)
    echo "Requires start, stop or status"
    ;;
esac
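The service above has the right shape but three gaps a reviewer would flag: nothing stops a packet arriving on eth0 with an internal source address from matching the trusted-LAN rules, MASQUERADE and forwarding are open to any source seen on eth1, and "status" only reports whether ip_forward is 1, not whether the DROP policy is actually in place. The script below is a hardened rewrite, added here as an example (it is not the book's script): it adds anti-spoofing rules on the Internet interface, limits NAT and forwarding to the known internal networks, turns forwarding on only after the rule set is complete, uses "ip route replace" so a restart does not fail on an already-present route, and makes status check the live INPUT policy. Interface names, networks and gateways are the same assumed values as above and are placeholders; IPT=echo gives a dry run.

```shell
#!/bin/sh
# Hardened packet-handling service (added example, not the script from the page).
# Interfaces, networks and gateways are assumed placeholder values.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-172.24.150.0/24}"
INNER_NET="${INNER_NET:-192.168.150.0/24}"
INNER_GW="${INNER_GW:-172.24.150.1}"
WAN_GW="${WAN_GW:-209.100.100.1}"
IPT="${IPT:-/sbin/iptables}"           # IPT=echo prints the rules instead of applying them
IP="${IP:-/sbin/ip}"
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}" # overridable so the script can be exercised without root

rule() { $IPT "$@"; }                   # single choke point: a dry run shows every rule
forwarding() { cat "$SYSCTL_ROOT/net/ipv4/ip_forward"; }
set_forwarding() { echo "$1" > "$SYSCTL_ROOT/net/ipv4/ip_forward"; }

fw_start() {
    # Forwarding stays off until the rule set is complete, so no packet
    # transits the box through a half-built policy.
    set_forwarding 0
    rule -F; rule -X
    rule -t nat -F; rule -t nat -X
    rule -P INPUT DROP; rule -P FORWARD DROP; rule -P OUTPUT ACCEPT
    rule -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: a packet from the Internet must never carry an internal
    # source address, or it would match the trusted-LAN rules further down.
    for net in "$LAN_NET" "$INNER_NET"; do
        rule -A INPUT   -i "$WAN_IF" -s "$net" -j DROP
        rule -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done

    # Connection tracking: drop the unclassifiable, accept replies to
    # conversations this box or the LAN started.
    rule -A INPUT   -m conntrack --ctstate INVALID -j DROP
    rule -A FORWARD -m conntrack --ctstate INVALID -j DROP
    rule -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The LAN may reach this box and the Internet, but only from its own
    # address ranges, and only those ranges get NAT.
    for net in "$LAN_NET" "$INNER_NET"; do
        rule -A INPUT   -i "$LAN_IF" -s "$net" -j ACCEPT
        rule -A FORWARD -i "$LAN_IF" -s "$net" -o "$WAN_IF" -j ACCEPT
        rule -t nat -A POSTROUTING -s "$net" -o "$WAN_IF" -j MASQUERADE
    done

    # Services this machine offers to the Internet: SMTP and POP3.
    rule -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 25,110 \
         -m conntrack --ctstate NEW -j ACCEPT
    rule -A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-in-drop: "

    # "replace" is idempotent: re-running start does not fail with
    # "File exists" the way "route add" does.
    $IP route replace "$INNER_NET" via "$INNER_GW"
    $IP route replace default via "$WAN_GW" dev "$WAN_IF"
    set_forwarding 1
}

fw_stop() {
    set_forwarding 0                     # stop transit traffic first
    rule -F; rule -X; rule -t nat -F; rule -t nat -X
    # Wide open afterwards, as in the original: not a secure configuration.
    rule -P INPUT ACCEPT; rule -P FORWARD ACCEPT; rule -P OUTPUT ACCEPT
    $IP route del "$INNER_NET" via "$INNER_GW" 2>/dev/null || true
    $IP route del default via "$WAN_GW" 2>/dev/null || true
}

# "Running" means the DROP policy is really in force, not only that
# forwarding is on. iptables -S prints the chain in iptables-save syntax.
fw_status() {
    [ "$(forwarding)" = 1 ] && $IPT -S INPUT | grep -q -- '^-P INPUT DROP'
}

case "${1:-}" in
    start)  fw_start ;;
    stop)   fw_stop ;;
    status) if fw_status; then echo Running; else echo Down; exit 3; fi ;;  # 3 = not running (LSB)
    "")     ;;                            # no argument: only define the functions
    *)      echo "usage: $0 start|stop|status" >&2; exit 2 ;;
esac
```

Run `IPT=echo IP=echo SYSCTL_ROOT=/tmp/sys sh packet-handling.sh start` (after creating /tmp/sys/net/ipv4/ip_forward) to see the full rule and route list without touching the live firewall; the order printed is the order the kernel will evaluate, so the anti-spoofing drops must appear before the LAN accept rules.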
References
The Linux Enterprise Cluster by Karl Kopper