Tuesday, February 23, 2016

Configure CentOS in Gateway / Firewall mode

We can use CentOS as the gateway of a network and, at the same time, have it perform other functions such as acting as a firewall. Here are the steps.

Firstly, if you have not installed iptables yet, install it as follows.

Debian

apt-get install iptables

Redhat

yum install iptables-services

On Red Hat / CentOS it is important to install the iptables-services package, because it provides the iptables service that is used later to save the rules and restore them on boot.


1) Load the modules.

This does not need to be done on newer Linux versions, where these modules are named nf_conntrack, nf_conntrack_ftp, nf_conntrack_irc and nf_nat_ftp instead.

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp

2) Disable ECN if it is enabled.

If ECN (Explicit Congestion Notification) is enabled, it will slow down the connection.

echo 0 > /proc/sys/net/ipv4/tcp_ecn


3) Enable IPv4 forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward
or
sudo sysctl -w net.ipv4.ip_forward=1

Remember: this only enables IPv4 forwarding temporarily. Whenever you restart the network service or reboot the system, it will be disabled again. To enable it on boot, follow the commands below.


nano /etc/sysctl.conf

This opens the sysctl.conf file for editing. At the end of the file add the following line.

net.ipv4.ip_forward = 1

If this line already exists with "= 0", change it to "= 1".
If this line already exists with a "#" in front of it, remove the "#".
Run "sysctl -p" afterwards to load the file without rebooting.

4) Flushing the existing iptables rules.

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat

"iptables -F -t nat" removes all rules in the nat table. (By default iptables works on the filter table, so in our case it is important to flush the nat table explicitly as well.)

5) Defining the default policy

The syntax for this is as follows:

iptables -P "chain" "action"

With -P we define the default policy of a chain.
What is a default policy, and why do we add one?

Every firewall has a default policy; it is either ACCEPT or DROP. The default policy is the last rule of the firewall, applied only after a packet has been checked against all the rules we have given. Say the firewall receives an IP packet. It walks through all the entries in the chain to find out what to do with the packet: forward it or drop it. If none of the entries match the packet, the firewall takes the last action, which is the default policy. If the default policy is DROP, it drops the packet; if it is ACCEPT, it lets the packet through.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Here I have set DROP as the default policy for the INPUT chain, because I don't want unwanted packets to get through to my firewall. Note that FORWARD ACCEPT means the gateway forwards any traffic between its interfaces; if you want to restrict what the local network can reach, add rules to the FORWARD chain as well.

Now the network we are going to set up is as follows:

(local network with some PCs) ----[firewall (CentOS)]---(ADSL router)

The local network may contain any number of PCs. Each PC has an IP address that belongs to the same subnet. We will call this network localnet.

The firewall has 2 interfaces: localint (whose IP address is localaddr) and publicint (whose IP address is publicaddr).

The ADSL router is the upstream gateway for us.

Please also consider a few more things. When I mention localnet, it should be given together with the subnet mask of the local network.

ex:
192.168.1.0/24

When I mention any, it means any network / any IP. You should consider it as 0.0.0.0/0.
This is how we indicate any network.

The commands below use these names as shell variables ($localnet, $localaddr, $publicaddr, $any), so set them first in your shell, e.g. localnet=192.168.1.0/24 and any=0.0.0.0/0.

6) Allowing access from the local network

iptables -A INPUT -s $localnet -d $localaddr -j ACCEPT
iptables -A INPUT -s $localnet -d $publicaddr -j ACCEPT

7) Allowing packets on the loopback interface

iptables -A INPUT -i lo -j ACCEPT

8) Allowing established and related connections

iptables -A INPUT -s $any -d $publicaddr -m state --state ESTABLISHED,RELATED -j ACCEPT

This accepts replies to connections that were initiated from the gateway or the local network; new inbound connections from the outside still hit the DROP policy.

9) Masquerade the local network to the public network (NAT)

iptables -t nat -A POSTROUTING -s $localnet -d $any -j MASQUERADE
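As an added example (not part of the original post), here are steps 4 to 9 collected into one script that emits the ruleset in iptables-save format and loads it with iptables-restore, which replaces the filter and nat tables in one go instead of flushing and adding rule by rule. The subnet, addresses and the interface name (LOCALNET, LOCALADDR, PUBLICADDR, PUBLICINT) are placeholders to be replaced with your own; check_rules is a small sanity check written for this example, and the MASQUERADE rule additionally gets "-o $PUBLICINT" so that only traffic leaving through the public interface is masqueraded.

```shell
#!/bin/sh
# Added example, not from the original post: steps 4-9 as one reviewable
# ruleset in iptables-save format, loaded atomically with iptables-restore.
# All addresses, the subnet and the interface name are placeholders.
LOCALNET=${LOCALNET:-192.168.1.0/24}    # localnet  (the post's example subnet)
LOCALADDR=${LOCALADDR:-192.168.1.1}     # localaddr (placeholder)
PUBLICADDR=${PUBLICADDR:-203.0.113.10}  # publicaddr (documentation-range placeholder)
PUBLICINT=${PUBLICINT:-eth0}            # publicint (placeholder)
ANY=0.0.0.0/0                           # "any" as the post defines it

# build_rules prints the full filter and nat tables. iptables-restore
# replaces each table wholesale, so the flush of step 4 is implicit.
# The ':CHAIN POLICY [0:0]' lines are the default policies of step 5.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s $LOCALNET -d $LOCALADDR -j ACCEPT
-A INPUT -s $LOCALNET -d $PUBLICADDR -j ACCEPT
-A INPUT -s $ANY -d $PUBLICADDR -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LOCALNET -d $ANY -o $PUBLICINT -j MASQUERADE
COMMIT
EOF
}

# check_rules reads a ruleset on stdin and fails unless it keeps the
# properties this setup relies on. Run it before every apply.
check_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' \
        || { echo "check: INPUT default policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo "check: loopback rule missing" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING -s $LOCALNET .*-j MASQUERADE" \
        || { echo "check: MASQUERADE is not limited to $LOCALNET" >&2; return 1; }
    # Anything accepted from 0.0.0.0/0 on INPUT must be ESTABLISHED,RELATED only.
    if printf '%s\n' "$rules" | grep -- "^-A INPUT -s $ANY" | grep -v 'ESTABLISHED,RELATED' | grep -q .; then
        echo "check: INPUT accepts new connections from any source" >&2
        return 1
    fi
    return 0
}

# apply_rules validates the ruleset and then loads it (needs root).
apply_rules() {
    command -v iptables-restore >/dev/null 2>&1 \
        || { echo "iptables-restore not found" >&2; return 1; }
    build_rules | check_rules || return 1
    build_rules | iptables-restore
}

# Usage: sh gateway-rules.sh --print   (review the ruleset)
#        sh gateway-rules.sh --apply   (load it, as root)
case "${1:-}" in
    --apply) apply_rules ;;
    --print) build_rules ;;
esac
```

Because the ruleset is a plain text file, you can keep it under version control and diff it against "iptables-save" output on the running gateway to spot rules that were added by hand and never saved.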


How to save the configured iptables rules and make them work on boot

Up to now we have set up the iptables rules. But if we reboot or restart the iptables service, all the rules we have made will be deleted. So we need to save them.

Save iptables rules in a separate file

We can save the iptables rules in a separate file to restore later. To do this, run:

iptables-save > "file you want to save as"

ex:

iptables-save > /etc/iptables-save

The rules are then saved under the name you gave.
To restore the iptables rules from that saved file, simply run:

iptables-restore < "the rules file that you saved"

Check whether the rules have been restored by running:
iptables -L
(add "-t nat" to see the nat table, since -L shows only the filter table by default)

Save iptables rules on boot

To enable the iptables rules that we have created, first edit /etc/sysconfig/iptables-config

nano /etc/sysconfig/iptables-config

In that file find the following lines.

IPTABLES_SAVE_ON_STOP="no"

IPTABLES_SAVE_ON_RESTART="no"

Find those two lines and change the "no" to "yes".
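The edit in step 3 (sysctl.conf) and the edit here (iptables-config) are the same kind of change: make sure a file ends up with exactly one active line for a key, whether the line was missing, set to another value, or commented out with "#". Here is a small POSIX sh helper that does this idempotently, added as an example and not part of the original post. The file paths and keys are the ones from the post; the helper names (ensure_setting, get_setting, key_regex) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent "set this key in a
# config file" helper covering the three cases the post describes for
# sysctl.conf (line absent, line present with another value, line commented
# out with '#'). It works the same for /etc/sysconfig/iptables-config.

# key_regex KEY -> KEY with dots escaped, so it can be used as a regex
# (sysctl keys such as net.ipv4.ip_forward contain dots)
key_regex() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# get_setting FILE KEY -> prints the active (uncommented) line for KEY, if any
get_setting() {
    grep -E "^[[:space:]]*$(key_regex "$2")[[:space:]]*=" "$1" | tail -n 1
}

# ensure_setting FILE KEY LINE
# Afterwards FILE contains LINE as the line for KEY:
#   - a "KEY = 0" style line is replaced by LINE,
#   - a "#KEY ..." commented line is replaced by LINE (i.e. uncommented),
#   - if KEY does not occur at all, LINE is appended.
# If KEY occurs several times, every occurrence becomes LINE.
# LINE must not contain '|' or '&' (they are special to the sed below).
ensure_setting() {
    file=$1; key=$2; line=$3
    re="^[[:space:]]*#?[[:space:]]*$(key_regex "$key")[[:space:]]*="
    [ -f "$file" ] || : > "$file"
    if grep -Eq "$re" "$file"; then
        tmp=$(mktemp) || return 1
        # Rewrite every matching line; all other lines stay untouched.
        sed -E "s|${re}.*|${line}|" "$file" > "$tmp"
        # Copy back over the original so its ownership and mode are kept.
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# Usage (run as root on the gateway):
#   ensure_setting /etc/sysctl.conf net.ipv4.ip_forward "net.ipv4.ip_forward = 1" && sysctl -p
#   ensure_setting /etc/sysconfig/iptables-config IPTABLES_SAVE_ON_STOP 'IPTABLES_SAVE_ON_STOP="yes"'
#   ensure_setting /etc/sysconfig/iptables-config IPTABLES_SAVE_ON_RESTART 'IPTABLES_SAVE_ON_RESTART="yes"'
```

Running the same call twice leaves the file unchanged, so the helper is safe to put into a provisioning script that is re-run on every deployment, and get_setting gives you a quick way to verify the effective value afterwards.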

Then, after you have changed all the iptables rules, simply run the following command to save them to the /etc/sysconfig/iptables file.

service iptables save

All the current iptables rules are written to that file, and after a reboot they will be restored as they were.

If you need to enable the iptables service at boot, simply run the following command

systemctl enable iptables



You can find the details of iptables and how it works at the following link

http://www.karlrupp.net/en/computer/nat_tutorial

It's a very good link for this.

If you want to learn about iptables more deeply and precisely, please refer to the following link. It is the best for this.

http://www.linuxhowtos.org/Security/iptables.htm



Reference:
https://www.centos.org/forums/viewtopic.php?t=38943
