[CentOS] A little iptables help

Wed Sep 28 14:47:47 UTC 2005
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting James Pifer <jep at obrien-pifer.com>:

> Wondering if anyone is willing to give me a little assistance with some
> firewall rules. I think what I'm looking for is fairly simple, and I've
> been trying to use webmin's firewall module without success.

The problem is, you either use GUI tools and live with the limitations of the
tool, or you do it all by hand.  Most GUI tools are not going to allow you to
mix and match.  If you make some changes manually, next time you use GUI tools
it'll discard them.

That said, the default config file with firewall rules for iptables on CentOS is
/etc/sysconfig/iptables.  There's also /etc/sysconfig/iptables.conf with some
settings you might need to alter in specific situations (for example, NAT
helper modules to be loaded are specified there).  The former (the one with
rules) might get overwritten, or its rules overridden by various GUI
interfaces.
As I said, you either use GUI and live with limitations, or do it all by hand
and are able to implement whatever you need.

> I have a web server that I'd like to open up port 80 and forward a
> specific port for a select number of allowed ips. That's it. Everything
> else is dropped.
>
> allow: port 80
> allow: forward port 8000 for x.x.x.x to y.y.y.y

When you say forward port 8000, what exactly do you have in mind?  Simple packet
forwarding (if we see a packet from xxx to yyy we allow it to be forwarded)?  Or
do you mean NAT (if we see a packet coming in for us on 8000 from xxx, we
forward it to yyy, optionally changing the port number)?

Standard disclaimer.  These rules are not going to work on their own, and they
are *unsafe*.  They are here only to give you a pointer on how to solve a specific
problem, but they are not a complete nor a secure solution.  Before manually
applying any firewall rules, make sure you know exactly what you are doing.  I
personally don't use them as presented here, and would not recommend anybody
else to use them as is.  This is just a simplification of the actual configuration
to show how the problem could be solved.

Anyhow, in the general case, you would do something like this on the command line:

To allow incoming connections to port 80 is fairly simple (but see the
disclaimer):

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Now, if you want to allow simple packet forwarding:

# iptables -A FORWARD -p tcp --dport 8000 -s x.x.x.x -d y.y.y.y -j ACCEPT

Now, if you wanted to do NATing, it goes something like this.

# iptables -A FORWARD -p tcp --dport 8000 -s z.z.z.z -d y.y.y.y -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp --dport 8000 -d x.x.x.x \
           -j DNAT --to-destination y.y.y.y

If you wanted to change port 8000 to 80, you'd do it something like:

# iptables -A FORWARD -p tcp --dport 80 -s z.z.z.z -d y.y.y.y -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp --dport 8000 -d x.x.x.x \
           -j DNAT --to-destination y.y.y.y:80

Note that chains in the filter table will see the NATed address, because we used
the DNAT (rewriting of destination address) target in the PREROUTING chain.  In
short, the flow of packets through chains looks something like this.

                                 (if from local)
  local --> OUTPUT     -+      +-----------------+
                        |      |                 |
                        +-> routing --> FORWARD -+-> POSTROUTING --> net
                        |      |
  net   --> PREROUTING -+      +-> INPUT --------------------------> local

Each chain will see changes made by the previous chain.  Note that almost all
chains are also part of one of three tables of chains (filter, nat, and mangle),
so you actually have two PREROUTING chains (in the nat and mangle tables), three
OUTPUT chains, and so on...  Each with a distinct set of rules, and each with a
distinct set of allowed targets (as documented in the manual page for iptables).
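The rules above are deliberately incomplete.  As an added example (not from the original post), the shell function below emits the same scenario as a complete /etc/sysconfig/iptables (iptables-restore format) ruleset: port 80 open, port 8000 DNATed to port 80 on an internal host for a list of allowed client addresses, default DROP policies and connection tracking so return traffic is accepted.  PUBLIC_IP (the firewall address clients connect to), TARGET_IP (the internal web server) and the client addresses are assumed placeholders; the function only prints the ruleset, it does not apply it.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for the thread's scenario.
# Usage: gen_rules PUBLIC_IP TARGET_IP CLIENT_IP...   (all addresses are placeholders)
# Review the output, then load it with `iptables-restore < file` if it is what you want.
gen_rules() {
    public_ip="$1"; target_ip="$2"; shift 2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    # DNAT in PREROUTING rewrites the destination, so the filter table below
    # must match on $target_ip:80, not on $public_ip:8000.
    for client; do
        echo "-A PREROUTING -p tcp -s $client -d $public_ip --dport 8000 -j DNAT --to-destination $target_ip:80"
    done
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Only the listed clients may open new connections to the forwarded service.
    for client; do
        echo "-A FORWARD -p tcp -s $client -d $target_ip --dport 80 -m state --state NEW -j ACCEPT"
    done
    echo "COMMIT"
}
```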
