How To Set Up An Internet Gateway/Firewall/Router Using iptables Or ipchains

This tutorial covers the use of Linux ipchains / iptables and IP forwarding to configure a Linux server as a firewall or router.

With Linux and iptables / ipchains one can configure a gateway that allows all clients on a private network to connect to the internet through the gateway and a single external public IP address. This is called Network Address Translation (NAT) or masquerading, and it is what makes private subnets usable. Iptables/ipchains can also be configured so that the Linux computer acts as a firewall, protecting the internal network.

Execute the ifconfig command to configure both the internal and external network interfaces (the leading # is the root prompt; XXX.XXX.XXX.XXX stands for your public address):
# /sbin/ifconfig eth0 XXX.XXX.XXX.XXX netmask 255.255.255.0 broadcast XXX.XXX.XXX.255    (external network: internet)
# /sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast 192.168.10.255       (internal private network)

Steps to convert a running system from ipchains to iptables:

1. chkconfig --del ipchains  -> Remove ipchains from the system boot/initialization process
2. chkconfig --add iptables  -> Add iptables to the system boot/initialization process
3. ipchains -F               -> Flush ipchains rules
4. service ipchains stop     -> Stop ipchains
5. rmmod ipchains            -> Unload the ipchains kernel module. The iptables kernel module cannot be loaded while the ipchains module is loaded
6. service iptables start    -> Load the iptables kernel module

Network Address Translation (NAT):

A user on a computer on the private network points their web browser at a site on the internet. The request is recognized as being beyond the local network, so it is routed to the Linux gateway using the gateway's private network address. The gateway sends the request to the web site using its external internet IP address. The response is returned to the gateway, which then translates the destination address back to the private-network computer that made the request. This is often called IP masquerading.

Execute the following steps on the Linux gateway computer:

iptables --flush                      Flush all the rules in the filter table
iptables --table nat --flush          Flush all the rules in the nat table
iptables --delete-chain               Delete all user-defined (non-built-in) chains in the filter table
iptables --table nat --delete-chain   Delete all user-defined chains in the nat table

# Set up IP forwarding and masquerading. In this snippet ppp0 is the external (internet) link and eth0 is the
# only NIC to the local LAN, which differs from the eth0/eth1 assignment used in the ifconfig commands above.
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT     Assuming one NIC to the local LAN
echo 1 > /proc/sys/net/ipv4/ip_forward                      Enables packet forwarding by the kernel

Ipchains equivalent, as a shell script (the commands must not be prefixed with #, or the shell treats them as comments and nothing is applied):
#!/bin/sh
ipchains -F forward                              # Flush all previous rules and settings
ipchains -P forward DENY                         # Default policy: deny packet forwarding
ipchains -A forward -s 192.168.10.0/24 -j MASQ   # Masquerade the private network behind the gateway's IP address
ipchains -A forward -i ppp0 -j MASQ              # Sets up the external internet connection
echo 1 > /proc/sys/net/ipv4/ip_forward           # Enables packet forwarding by the kernel

Create a route for internal machine packets:
route add -net 192.168.10.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX eth1
General /sbin/iptables syntax to add rules:
iptables [-t|--table table] -command [chain] [-i interface] [-p protocol] [-s address [port[:port]]] [-d address [port[:port]]] -j policy

General /sbin/ipchains syntax to add rules:
ipchains -A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]]] [-d address [port[:port]]] -j policy [-l]
Adding security rules to the gateway:
# Allow loopback access. This rule must come before the rules denying port access!!
iptables -A INPUT -i lo -p all -j ACCEPT                         Essential so the computer can reach itself through the loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP      Block NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP      Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP Block X Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP      Block X Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP       Block printer port
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP       Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP       Block Sun RPC/NFS portmapper
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP       Block Sun RPC/NFS portmapper
iptables -A INPUT -p all -s localhost -i eth0 -j DROP             Drop packets arriving on eth0 that claim a loopback source address (spoofed)
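The following is an added example and not code from the original page. It combines the NAT/forwarding steps above with the gateway's own host rules into one script, but with default-deny policies and connection tracking so that only reply traffic is forwarded back into the LAN (the page's single FORWARD rule only works because the stock FORWARD policy is ACCEPT). It assumes eth0 is the external interface and eth1 the 192.168.10.0/24 LAN, as in the ifconfig lines at the top; set EXT_IF=ppp0 for a dial-up link. DRY_RUN=1, the default, only prints the commands so the rule set can be reviewed on any machine; run it as root with DRY_RUN=0 to install them. Because the INPUT policy is DROP, the per-port DROP rules for NFS, X, lpd and portmap above are no longer needed as separate rules.

```shell
#!/bin/sh
# Added example: parameterised NAT gateway script (not from the original page).
# Assumed layout: EXT_IF = public/internet side, INT_IF = private LAN side.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.10.0/24}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only; 0 = execute them (needs root)

# run: execute a command, or just echo it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

gateway_rules() {
    # 1. Start from a clean slate in both the filter and nat tables.
    run iptables --flush
    run iptables --table nat --flush
    run iptables --delete-chain
    run iptables --table nat --delete-chain

    # 2. Default policies: drop anything not explicitly allowed.
    run iptables --policy INPUT DROP
    run iptables --policy FORWARD DROP
    run iptables --policy OUTPUT ACCEPT

    # 3. Loopback first, before any DROP rule can match it.
    run iptables --append INPUT --in-interface lo -j ACCEPT
    run iptables --append OUTPUT --out-interface lo -j ACCEPT

    # 4. Anti-spoofing: traffic on the external interface must not claim a
    #    loopback or LAN source address.
    run iptables --append INPUT --in-interface "$EXT_IF" --source 127.0.0.0/8 -j DROP
    run iptables --append INPUT --in-interface "$EXT_IF" --source "$LAN_NET" -j DROP
    run iptables --append FORWARD --in-interface "$EXT_IF" --source "$LAN_NET" -j DROP

    # 5. NAT: masquerade LAN traffic leaving through the external interface.
    run iptables --table nat --append POSTROUTING --source "$LAN_NET" --out-interface "$EXT_IF" -j MASQUERADE

    # 6. Forwarding: LAN -> internet freely; internet -> LAN only for
    #    connections the LAN initiated (tracked as ESTABLISHED/RELATED).
    run iptables --append FORWARD --in-interface "$INT_IF" --out-interface "$EXT_IF" --source "$LAN_NET" -j ACCEPT
    run iptables --append FORWARD --in-interface "$EXT_IF" --out-interface "$INT_IF" --match state --state ESTABLISHED,RELATED -j ACCEPT

    # 7. The gateway host itself: replies to its own connections, plus
    #    traffic from the (trusted) LAN. Nothing unsolicited from outside.
    run iptables --append INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables --append INPUT --in-interface "$INT_IF" --source "$LAN_NET" -j ACCEPT

    # 8. Enable forwarding (same effect as echo 1 > /proc/sys/net/ipv4/ip_forward)
    #    and the kernel's own reverse-path check.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

gateway_rules
```

After installing the rules with DRY_RUN=0, check them with `iptables -L -n -v` and `iptables -t nat -L -n -v`, then persist them with iptables-save as described in the save/restore section below so they survive a reboot.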
Save/restore an iptables/ipchains configuration:

IpTables:
/sbin/iptables-save > /etc/sysconfig/iptables.rules
/sbin/iptables-restore < /etc/sysconfig/iptables.rules

IpChains:
/sbin/ipchains-save > /etc/sysconfig/ipchains.rules
/sbin/ipchains-restore < /etc/sysconfig/ipchains.rules