Quoting James Pifer jep@obrien-pifer.com:
Wondering if anyone is willing to give me a little assistance with some firewall rules. I think what I'm looking for is fairly simple, and I've been trying to use webmin's firewall module without success.
The problem is, you either use GUI tools and live with the limitations of the tool, or you do it all by hand. Most GUI tools are not going to allow you to mix and match. If you make some changes manually, next time you use GUI tools it'll discard them.
That said, the default config file with firewall rules for iptables on CentOS is /etc/sysconfig/iptables. There's also /etc/sysconfig/iptables.conf with some settings you might need to alter in specific situations (for example, NAT helper modules to be loaded are specified there). The former (the one with rules) might get overwritten, or its rules overridden, by various GUI interfaces. As I said, you either use a GUI and live with its limitations, or do it all by hand and are able to implement whatever you need.
I have a web server that I'd like to open up port 80 and forward a specific port for a select number of allowed ips. That's it. Everything else is dropped.
allow: port 80
allow: forward port 8000 for x.x.x.x to y.y.y.y
When you say forward port 8000, what exactly do you have in mind? Simple packet forwarding (if we see a packet from xxx to yyy we allow it to be forwarded)? Or do you mean NAT (if we see a packet coming in for us on 8000 from xxx, we forward it to yyy, optionally changing the port number)?
Standard disclaimer. These rules are not going to work on their own, and they are *unsafe*. They are here only to give you a pointer on how to solve a specific problem, but they are neither a complete nor a secure solution. Before manually applying any firewall rules, make sure you know exactly what you are doing. I personally don't use them as presented here, and would not recommend anybody else use them as is. This is just a simplification of the actual configuration to show how the problem could be solved.
Anyhow, in the general case, you would do something like this on the command line:
To allow incoming connections to port 80 is fairly simple (but see disclaimer):
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Now, if you want to allow simple packet forwarding:
# iptables -A FORWARD -p tcp --dport 8000 -s x.x.x.x -d y.y.y.y -j ACCEPT
Now, if you wanted to do NATing, it goes something like this:
# iptables -A FORWARD -p tcp --dport 8000 -s z.z.z.z -d y.y.y.y -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp --dport 8000 -d x.x.x.x \
    -j DNAT --to-destination y.y.y.y
If you wanted to change port 8000 to 80, you'd do it something like:
# iptables -A FORWARD -p tcp --dport 80 -s z.z.z.z -d y.y.y.y -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp --dport 8000 -d x.x.x.x \
    -j DNAT --to-destination y.y.y.y:80
Note that chains in the filter table will see the NATed address, because we used the DNAT (rewriting of destination address) target in the PREROUTING chain. In short, the flow of packets through the chains looks something like this:

(if from local)  local --> OUTPUT ---------------------+
                                                       |
net --> PREROUTING --> routing --> FORWARD ------------+-> POSTROUTING --> net
                          |
                          +-> INPUT --------------------------> local

Each chain will see changes made by the previous chain. Note that almost all chains are also part of one of the three tables of chains (filter, nat, and mangle), so you actually have two PREROUTING chains (in the nat and mangle tables), three OUTPUT chains, and so on... Each with a distinct set of rules, and each with a distinct set of allowed targets (as documented in the manual page for iptables).
---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.
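The commands in the reply above are deliberately incomplete (default policies, loopback, and established-connection handling are missing). The script below is an added example, not code from the original mail or from anyone on the list: it assembles the complete default-deny policy the original poster asked for (port 80 open to everyone, port 8000 DNATed to an internal host only for a select list of source addresses, everything else dropped) in the iptables-restore format that /etc/sysconfig/iptables uses, so it can be applied atomically instead of rule by rule. The function name gen_rules and the documentation-range addresses in the final call are assumptions made for the example; substitute your own public address, internal host, and client list.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates a complete
# iptables-restore ruleset for: allow TCP/80 to the firewall itself,
# DNAT TCP/8000 arriving on the public address to an internal host for a
# select list of source addresses only, drop everything else.
#
# gen_rules PUBLIC_IP BACKEND "SRC1 SRC2 ..."   -> ruleset on stdout
#   PUBLIC_IP = the firewall's own public address (x.x.x.x in the mail)
#   BACKEND   = the internal host receiving port 8000 (y.y.y.y in the mail)
#   SRC list  = the clients allowed to reach it (z.z.z.z in the mail)
gen_rules() {
    public_ip=$1
    backend=$2
    allowed_srcs=$3

    # nat table: rewrite the destination before routing, but only for the
    # allowed clients. Anyone else hitting PUBLIC_IP:8000 is not NATed, ends
    # up in INPUT, and is dropped by the INPUT policy below.
    printf '%s\n' '*nat'
    printf '%s\n' ':PREROUTING ACCEPT [0:0]'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    for src in $allowed_srcs; do
        printf '%s\n' "-A PREROUTING -s $src -d $public_ip -p tcp --dport 8000 -j DNAT --to-destination $backend"
    done
    printf '%s\n' 'COMMIT'

    # filter table: default DROP on INPUT and FORWARD. The FORWARD rules match
    # the already-rewritten destination (BACKEND), as the mail explains.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for src in $allowed_srcs; do
        printf '%s\n' "-A FORWARD -s $src -d $backend -p tcp --dport 8000 -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Constructed sample values (RFC 5737 documentation ranges), for illustration:
# public address, internal host, and two allowed clients.
gen_rules 203.0.113.1 192.168.1.10 "198.51.100.5 198.51.100.6"
```

Redirect the output to a file, check it with `iptables-restore --test` (on releases that support the flag), then load it with `iptables-restore < file` or save it as /etc/sysconfig/iptables and run `service iptables restart`. Forwarding also needs `net.ipv4.ip_forward = 1` in /etc/sysctl.conf, and the internal host's replies must route back through this firewall (typically by making it the default gateway), otherwise the DNATed connections will never complete. Keep the loopback and ESTABLISHED,RELATED rules even if you trim the rest; without them a default-DROP INPUT chain breaks the web server's own outbound connections and local services.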