I have created a custom firewall script in RHEL 4 .Let me explain the steps which i followed .
etho -Internal lan
eth1 -External lan
During the installtion of RHEL 4 ,i enabled Firewall and after booting to x windows i selected enable firewall and defined the defined and customised ports .
When my client systems tried to access the internet ,they could'nt access ,but when i ran the custom firewall script(fw) they could access .
Now the problem is that when i run the command
iptables -L ----- It processes the fw as well as the ports defined in the gui firewall
even the command service iptables status --- throws the same result.
How do i make ,linux run my customised firewall ,since it seems to run the inbilt iptables script.
The problemm is that i have defined some customised ports ,but when i try to access the ports which are not defined ,it accepts the connection .
Even the PREROUTING iptables command does not run,since i need to access a webserver on private lan configured on port 8080.
Can anybody help
Sud
**************************************************************************************************************************
#! /bin/sh
#
#
# Desc: FireWall Script for a Linux-Based Gateway System.
# This script considers the Host to be Gateway-With-FireWall,
# It takes a restrictive approach, thus allowing only the
# required ports & connections to pass thru.
#
#
# --- DECLARE ALLOWED PORTS --- #
#
# Allow Set-A:
TCP_ALLOW_A="20,21,22,80,81,110"
UDP_ALLOW_A="20,21,22,80,81,110"
#
#
# --- DECLARE VARIABLES ---
#
# Internal Interface/Internal LAN Adapter:
INTR=eth0
#
# External Interface/External (Public/Static-IP) Adapter:
EXTR=eth1
#
# Gateway/Firewall's Internal (LAN) IP:
IN_IP="192.168.3.111"
#
# Gateway/Firewall's External (Public/Static) IP:
OUT_IP="222.x.y.z"
#
# ISP's Gateway:
ISP_GT="222.x.y7.z"
#
# DNS/Nameserver-A:
DNS_A="205.x.y.z"
#
# DNS/Nameserver-A:
DNS_B="205.x.y1.z1"
#
# Trusted Host:
TRST_HOST="192.168.3.0/24"
#
TRST_EXT_HOST="222.x1.y1.z2"
#
# --- POLICY SETUP ---
#
# Flush Existing/Stale Rules (if any):
/sbin/iptables -F
/sbin/iptables -t filter -F
/sbin/iptables -t mangle -F
/sbin/iptables -t nat -F
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#
service iptables stop
service iptables start
#
# Setup Restrictive Policy:
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
#
# -- Anti IP-Spoofing ---
for f in /proc/sys/net/ipv4/conf//rp_filter;do
/bin/echo "1" > $f
done
#
# -- SYN-Flood Protection:
sysctl -w net.ipv4.tcp_syncookies=1
#
# -- IP-Forward Enable:
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# -----*-----
# Allow local/loopback device traffic:
/sbin/iptables -A OUTPUT -s localhost -d localhost -j ACCEPT
/sbin/iptables -A INPUT -s localhost -d localhost -j ACCEPT
#
# Allow Ping/ICMP Packets:
/sbin/iptables -A INPUT -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT
#
#
# --- FireWall Rules ---
#
# INPUT Chain:-
# Accept SSH Connections from Trusted Host:
/sbin/iptables -t filter -A INPUT -i $INTR -s $TRST_HOST -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $INTR -s $TRST_HOST -p udp --dport 22 -j ACCEPT
#
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_HOST -p tcp --sport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_HOST -p udp --sport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $EXTR -s $TRST_EXT_HOST -p tcp --dport 22 -j ACCEPT
/sbin/iptables -t filter -A INPUT -i $EXTR -s $TRST_EXT_HOST -p udp --dport 22 -j ACCEPT
#
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_EXT_HOST -p tcp --sport 22 -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -o $INTR -d $TRST_EXT_HOST -p udp --sport 22 -j ACCEPT
#
# Forward DNS Requests:
#not done yet
#
# FORWARD Chain:-
# Allow Connections from Valid (Allowed) Ports:
/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -p tcp -m state --state NEW -m multiport --dports $TCP_ALLOW_A -j ACCEPT
/sbin/iptables -t filter -A FORWARD -s 192.168.1.0/24 -p udp -m state --state NEW -m multiport --dports $UDP_ALLOW_A -j ACCEPT
# ---- -----------------------------------
# NOTE: DO NOT ADD/REMOVE ANYTHING AFTER THIS LINE:
# ---- -----------------------------------
#
# --- MASQUERADE All-CONNECTIONS ---
#
/sbin/iptables -t nat -A POSTROUTING -o $EXTR -j MASQUERADE
#
# --- --- --- END --- --- --- #
****************************************************************************************************************************