Running customised firewall script -RHEL 4

Discussion in 'Technical' started by sud.tech, Jun 12, 2008.

    sud.tech (New Member)

    I have created a custom firewall script in RHEL 4. Let me explain the steps which I followed.

    eth0 - Internal LAN
    eth1 - External LAN


    During the installation of RHEL 4, I enabled Firewall, and after booting to X Windows I selected enable firewall and defined the customised ports.

    When my client systems tried to access the internet, they couldn't access it, but when I ran the custom firewall script (fw) they could access it.

    Now the problem is that when I run the command

    iptables -L

    it processes the fw as well as the ports defined in the GUI firewall. Even the command service iptables status throws the same result.

    How do I make Linux run my customised firewall, since it seems to run the inbuilt iptables script?

    The problem is that I have defined some customised ports, but when I try to access the ports which are not defined, it accepts the connection.

    Even the PREROUTING iptables command does not run, and I need to access a webserver on the private LAN configured on port 8080.

    Can anybody help?

    Sud



    **************************************************************************************************************************

    #! /bin/sh
    #
    #
    # Desc: FireWall Script for a Linux-Based Gateway System.
    # This script considers the Host to be Gateway-With-FireWall,
    # It takes a restrictive approach, thus allowing only the
    # required ports & connections to pass thru.
    #

    #
    # --- DECLARE ALLOWED PORTS --- #
    #
    # Allow Set-A:
    TCP_ALLOW_A="20,21,22,80,81,110"
    UDP_ALLOW_A="20,21,22,80,81,110"
    #
    #
    # --- DECLARE VARIABLES ---
    #
    # Internal Interface/Internal LAN Adapter:
    INTR=eth0
    #
    # External Interface/External (Public/Static-IP) Adapter:
    EXTR=eth1
    #
    # Gateway/Firewall's Internal (LAN) IP:
    IN_IP="192.168.3.111"
    #
    # Gateway/Firewall's External (Public/Static) IP:
    OUT_IP="222.x.y.z"

    #
    # ISP's Gateway:
    ISP_GT="222.x.y7.z"

    #
    # DNS/Nameserver-A:
    DNS_A="205.x.y.z"

    #
    # DNS/Nameserver-A:
    DNS_B="205.x.y1.z1"

    #
    # Trusted Host:
    TRST_HOST="192.168.3.0/24"
    #

    TRST_EXT_HOST="222.x1.y1.z2"



    #
    # --- POLICY SETUP ---
    #
    # Flush Existing/Stale Rules (if any):
    /sbin/iptables -F
    /sbin/iptables -t filter -F
    /sbin/iptables -t mangle -F
    /sbin/iptables -t nat -F
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    #

    service iptables stop
    service iptables start
    #



    # Setup Restrictive Policy:
    /sbin/iptables --policy INPUT DROP
    /sbin/iptables --policy OUTPUT DROP
    /sbin/iptables --policy FORWARD DROP
    #


    # -- Anti IP-Spoofing --*-
    for f in /proc/sys/net/ipv4/conf/*/rp_filter;do
    /bin/echo "1" > $f
    done
    #


    # -- SYN-Flood Protection:
    sysctl -w net.ipv4.tcp_syncookies=1
    #

    # -- IP-Forward Enable:
    echo "1" > /proc/sys/net/ipv4/ip_forward
    #
    # -----*-----

    # Allow local/loopback device traffic:
    /sbin/iptables -A OUTPUT -s localhost -d localhost -j ACCEPT
    /sbin/iptables -A INPUT -s localhost -d localhost -j ACCEPT
    #

    # Allow Ping/ICMP Packets:
    /sbin/iptables -A INPUT -j ACCEPT
    /sbin/iptables -A OUTPUT -j ACCEPT
    #

    #
    # --- FireWall Rules ---
    #
    # INPUT Chain:-
    # Accept SSH Connections from Trusted Host:
    /sbin/iptables -t filter -A INPUT -i $INTR -s $TRST_HOST -p tcp --dport 22 -j ACCEPT
    /sbin/iptables -t filter -A INPUT -i $INTR -s $TRST_HOST -p udp --dport 22 -j ACCEPT
    #
    /sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_HOST -p tcp --sport 22 -j ACCEPT
    /sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_HOST -p udp --sport 22 -j ACCEPT

    /sbin/iptables -t filter -A INPUT -i $EXTR -s $TRST_EXT_HOST -p tcp --dport 22 -j ACCEPT
    /sbin/iptables -t filter -A INPUT -i $EXTR -s $TRST_EXT_HOST -p udp --dport 22 -j ACCEPT
    #
    /sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_EXT_HOST -p tcp --sport 22 -j ACCEPT
    /sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_EXT_HOST -p udp --sport 22 -j ACCEPT
    #

    # Forward DNS Requests:


    #not done yet

    #
    # FORWARD Chain:-


    # Allow Connections from Valid (Allowed) Ports:


    /sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -p tcp -m state --state NEW -m multiport --dports $TCP_ALLOW_A -j ACCEPT

    /sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -p udp -m state --state NEW -m multiport --dports $UDP_ALLOW_A -j ACCEPT


    # ---- -----------------------------------
    # NOTE: DO NOT ADD/REMOVE ANYTHING AFTER THIS LINE:
    # ---- -----------------------------------
    #
    # --- MASQUERADE All-CONNECTIONS ---
    #
    /sbin/iptables -t nat -A POSTROUTING -o $EXTR -j MASQUERADE
    #
    # --- --- --- END --- --- --- #
    ****************************************************************************************************************************
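A corrected version of the gateway firewall, added here as an example (it is not the poster's script and not a Red Hat-supplied one). It keeps the post's placeholder addresses, assumes an internal web server at 192.168.3.50 (constructed for the example) as the 8080 target, and assumes only DNS needs UDP forwarding. The comments at the top name the defects in the posted fw script that account for each symptom described in the post: the flush was immediately undone by "service iptables stop/start", which reloads /etc/sysconfig/iptables (the GUI rules), the two rules under "Allow Ping/ICMP" accepted every packet, the FORWARD rules matched the wrong subnet, and there was no PREROUTING rule at all. The rule set is built by a function that emits one iptables invocation per line, so it can be inspected with IPT=echo before being applied as root.

```shell
#!/bin/sh
# Corrected gateway firewall for RHEL 4 (added example, not the poster's script).
# Defects addressed relative to the posted fw script:
#  1. "service iptables stop/start" after the flush reloaded /etc/sysconfig/iptables,
#     which is why the GUI-defined ports reappeared in "iptables -L".
#  2. "-A INPUT -j ACCEPT" / "-A OUTPUT -j ACCEPT" (under the "Ping/ICMP" comment)
#     accepted every packet, so ports that were never defined were still reachable.
#  3. The FORWARD rules used 192.168.1.0/24 while the LAN is 192.168.3.0/24.
#  4. No PREROUTING DNAT for the 8080 web server and no ESTABLISHED,RELATED rules.
# Addresses are placeholders from the post or constructed for this example.

INTR=eth0                       # internal LAN interface
EXTR=eth1                       # external (public) interface
LAN_NET="192.168.3.0/24"        # internal subnet (TRST_HOST in the post)
TRST_EXT_HOST="222.x1.y1.z2"    # placeholder from the post; replace with a real address
WEB_INT="192.168.3.50"          # assumed: internal web server reached on port 8080
TCP_ALLOW="20,21,22,80,81,110"
UDP_ALLOW="53"                  # assumed: only DNS needs UDP forwarding from the LAN
IPT=${IPT:-/sbin/iptables}      # set IPT=echo to print the rules instead of loading them

# fw_rules emits one iptables argument list per line; fw_apply executes them.
fw_rules() {
    # Flush everything; do NOT restart the iptables service afterwards.
    echo "-F"; echo "-t nat -F"; echo "-t mangle -F"; echo "-X"
    echo "-P INPUT DROP"; echo "-P OUTPUT DROP"; echo "-P FORWARD DROP"
    # Loopback matched by interface rather than by address.
    echo "-A INPUT -i lo -j ACCEPT"; echo "-A OUTPUT -o lo -j ACCEPT"
    # Replies to connections this host and the LAN initiated.
    for chain in INPUT OUTPUT FORWARD; do
        echo "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    # ICMP only (the original accepted everything here).
    echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    echo "-A OUTPUT -p icmp -j ACCEPT"
    # SSH from the LAN and from one trusted external host (TCP only; SSH has no UDP side).
    echo "-A INPUT -i $INTR -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    echo "-A INPUT -i $EXTR -s $TRST_EXT_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # The gateway's own DNS lookups.
    echo "-A OUTPUT -o $EXTR -p udp --dport 53 -j ACCEPT"
    # LAN -> Internet, only the allowed ports, only from the real LAN subnet.
    echo "-A FORWARD -i $INTR -o $EXTR -s $LAN_NET -p tcp -m state --state NEW -m multiport --dports $TCP_ALLOW -j ACCEPT"
    echo "-A FORWARD -i $INTR -o $EXTR -s $LAN_NET -p udp -m multiport --dports $UDP_ALLOW -j ACCEPT"
    # Port-forward 8080 from outside to the internal web server: DNAT plus a matching FORWARD accept.
    echo "-t nat -A PREROUTING -i $EXTR -p tcp --dport 8080 -j DNAT --to-destination $WEB_INT:8080"
    echo "-A FORWARD -i $EXTR -o $INTR -d $WEB_INT -p tcp --dport 8080 -m state --state NEW -j ACCEPT"
    echo "-t nat -A POSTROUTING -o $EXTR -j MASQUERADE"
}

fw_apply() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 1 > /proc/sys/net/ipv4/ip_forward
    fw_rules | while read -r rule; do
        $IPT $rule
    done
    # Persist so the RHEL init script loads THIS rule set at boot instead of the GUI's:
    #   service iptables save   (or: iptables-save > /etc/sysconfig/iptables); chkconfig iptables on
}

# Helpers to sanity-check the generated rule set without root.
fw_rule_count() { fw_rules | wc -l | tr -d ' '; }
fw_has_blanket_accept() { fw_rules | grep -q -E '^-A (INPUT|OUTPUT) -j ACCEPT$' && echo yes || echo no; }
fw_dnat_rule() { fw_rules | grep '^-t nat -A PREROUTING'; }

if [ "${FW_APPLY:-0}" = 1 ]; then fw_apply; fi
```

Run FW_APPLY=1 IPT=echo sh fw.sh to see the exact iptables command lines before loading them with FW_APPLY=1 sh fw.sh as root. The important change for the symptom in the post is simply not calling service iptables after the flush, and then saving the loaded rules with service iptables save so that the init script restores this rule set rather than the GUI-defined one on the next boot.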