[CentOS] Iptables - PREROUTING

Maciej Zenczykowski maze at cela.pl
Fri May 20 15:38:41 UTC 2005


okay, first of all you shouldn't do it in a script,
instead you should be modifying /etc/sysconfig/iptables
and using /etc/init.d/iptables start/stop

and add ip_nat_ftp to the proper spot (modules to load) in 
/etc/sysconfig/iptables-config

next you need to rewrite the following for iptables-save/restore format

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

[spot for nat rules]

COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

[spot for filter rules]

COMMIT


[in the filter rules:]
-A INPUT -i lo -j ACCEPT

# the following is _not_ nice
-A INPUT -i eth0 -p ICMP --icmp-type echo-request -j DROP

-A INPUT -i eth0 -s rango_ip/29 -d 0/0 -p all -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -d 172.16.0.211/32 -p all -j ACCEPT


[above in the nat spot]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.0.3:443


[again in the filter spot]
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 443 -j ACCEPT

-A FORWARD -i eth1 -p tcp -s 172.16.0.0/24 --dport 53 -j ACCEPT
-A FORWARD -i eth1 -p udp -s 172.16.0.0/24 --dport 53 -j ACCEPT

You _DO_ _NOT_ WANT TO ACCEPT everything from port 53 - I can break 
through this firewall in 5 seconds.
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT

same here, plus squid doesn't use udp
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT

the default should be to drop

-A INPUT -j LOG --log-level info
-A OUTPUT -j LOG --log-level info
-A FORWARD -j LOG --log-level info

[in nat again]
-A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.10/32 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.9/32 -o eth0 -j MASQUERADE


this should be in /etc/sysctl.conf
> echo 1 > /proc/sys/net/ipv4/ip_forward

do the above changes and repost with what you have and we'll go from 
there...

Cheers,
MaZe
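Added example, not from the post above or from CentOS: a small Python checker for the iptables-save/restore layout the reply asks for (a *table header, ':' chain headers with policy and counters, -A rules, COMMIT) that also flags the two things the reply objects to, an INPUT/FORWARD policy other than DROP and an INPUT rule that ACCEPTs a port with no -s or -i restriction. Both rulesets inside it are constructed from the skeleton in the post (the "weak" one keeps the port 53 / 3128 lines as quoted, the "hardened" one limits them to eth1 and 172.16.0.0/24); none of it comes from a real machine.

```python
"""Lint an iptables-save/restore ruleset.

Added example (not from the post): checks the file structure the reply
asks for (*table ... COMMIT, chain headers before rules) and the two
points it raises: filter INPUT/FORWARD should default to DROP, and no
port should be ACCEPTed from any source on any interface.
"""
import re
import shlex

# Built-in chains of each table; rules may target them without a ':' header.
BUILTIN = {
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
}

# ':CHAIN POLICY [packets:bytes]'; user-defined chains carry '-' as policy.
CHAIN_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[\d+:\d+\]$")

# Constructed sample: the post's skeleton plus the INPUT lines the reply objects to.
WEAK_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
-A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -j LOG --log-level info
COMMIT
"""

# Same file after the reply's advice: INPUT defaults to DROP and the DNS and
# squid accepts are limited to the LAN interface and subnet (constructed).
HARDENED_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.0.3:80
-A POSTROUTING -s 172.16.0.6/32 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -s 172.16.0.0/24 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -j LOG --log-level info
COMMIT
"""


def parse(text):
    """Return ({table: {"policies": {...}, "rules": [(lineno, chain, argv)]}}, problems)."""
    tables, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if current and not tables[current]["committed"]:
                problems.append(f"line {lineno}: *{current} not terminated by COMMIT")
            current = line[1:]
            tables[current] = {"policies": {}, "rules": [], "committed": False}
        elif current is None:
            problems.append(f"line {lineno}: content before any *table header")
        elif line == "COMMIT":
            tables[current]["committed"] = True
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if m:
                tables[current]["policies"][m.group(1)] = m.group(2)
            else:
                problems.append(f"line {lineno}: malformed chain header {line!r}")
        elif line.startswith("-A "):
            argv = shlex.split(line)
            chain = argv[1]
            if chain not in set(tables[current]["policies"]) | BUILTIN.get(current, set()):
                problems.append(f"line {lineno}: rule for undeclared chain {chain}")
            tables[current]["rules"].append((lineno, chain, argv[2:]))
        else:
            problems.append(f"line {lineno}: unrecognised line {line!r}")
    if current and not tables[current]["committed"]:
        problems.append(f"*{current} not terminated by COMMIT")
    return tables, problems


def lint(text):
    """Structural problems plus the policy findings the reply is about."""
    tables, findings = parse(text)
    filt = tables.get("filter")
    if filt is None:
        return findings + ["no *filter table"]
    for chain in ("INPUT", "FORWARD"):
        policy = filt["policies"].get(chain)
        if policy != "DROP":
            findings.append(f"filter {chain} policy is {policy}, default should be DROP")
    for lineno, chain, argv in filt["rules"]:
        jumps_accept = "-j" in argv and argv[argv.index("-j") + 1] == "ACCEPT"
        if chain == "INPUT" and jumps_accept and "--dport" in argv \
                and "-s" not in argv and "-i" not in argv:
            port = argv[argv.index("--dport") + 1]
            findings.append(f"line {lineno}: INPUT accepts port {port} from anywhere")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{name}: {lint(text) or 'no findings'}")
```

Running it prints four findings for the weak file (the ACCEPT policy on INPUT and the three unrestricted port accepts) and none for the hardened one; pointing lint() at the text of /etc/sysconfig/iptables before handing it to /etc/init.d/iptables start catches a missing COMMIT or a rule for an undeclared chain before iptables-restore rejects the file.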
