Let's look at how Linux ipchains / iptables and IP forwarding can be used to configure a Linux server as a firewall or router. This is the method covered in this tutorial.
With Linux and iptables / ipchains one can configure a gateway that lets all clients on a private network connect to the internet through the gateway and one external public IP address. This is called Network Address Translation (NAT) or masquerading, and it is used with private subnets. Iptables/ipchains can also be configured so that the Linux computer acts as a firewall, protecting the internal network.
Execute the ifconfig command to configure both the internal and external network interfaces:
#/sbin/ifconfig eth0 XXX.XXX.XXX.XXX netmask 255.255.255.0 broadcast XXX.XXX.XXX.255 – External network (internet); XXX.XXX.XXX.XXX stands for the public address
#/sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast 192.168.10.255 – Internal private network
Steps to convert a running system from ipchains to iptables:
1. chkconfig --del ipchains – Remove ipchains from the system boot/initialization process
2. chkconfig --add iptables – Add iptables to the system boot/initialization process
3. ipchains -F – Flush ipchains rules
4. service ipchains stop – Stop ipchains
5. rmmod ipchains – Unload the ipchains kernel module. The iptables kernel module cannot be loaded while the ipchains module is loaded
6. service iptables start – Load the iptables kernel module
Network Address Translation (NAT):
An individual on a computer on the private network points their web browser to a site on the internet. The request is recognized as being beyond the local network, so it is routed to the Linux gateway using the private network address. The gateway sends the request to the web site using its external internet IP address. The reply returns to the gateway, which translates the destination address back to the computer on the private network that made the request. This is often called IP masquerading.
Execute the following steps on the Linux gateway computer.
Using iptables:
#iptables --table nat --flush – Flush all rules in the nat table
#iptables --delete-chain – Delete all user-defined chains in the default filter table
#iptables --table nat --delete-chain – Delete all user-defined chains in the nat table
#iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE – Masquerade traffic leaving on the external interface (ppp0 in this example)
#iptables --append FORWARD --in-interface eth0 -j ACCEPT – Assuming one NIC (eth0 in this example) to the local LAN; this must be the internal interface, not the external one, or the gateway will forward anything arriving from the internet
#echo 1 > /proc/sys/net/ipv4/ip_forward – Enables packet forwarding by the kernel
Using ipchains:
#ipchains -F forward – Flush all previous rules and settings
#ipchains -P forward DENY – Default policy: deny packet forwarding
#ipchains -A forward -s 192.168.10.0/24 -j MASQ – Masquerade the private network behind the IP address of the gateway
#ipchains -A forward -i ppp0 -j MASQ – Masquerade on the external internet connection
#echo 1 > /proc/sys/net/ipv4/ip_forward – Enables packet forwarding by the kernel
route add -net 192.168.10.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX eth1
General rule syntax:
iptables [-t|--table table] command [chain] [-i interface] [-p protocol] [-s address [port[:port]]] [-d address [port[:port]]] -j policy
ipchains -A|I [chain] [-i interface] [-p protocol] [-y] [-s address [port[:port]]] [-d address [port[:port]]] -j policy [-l]
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP – Block NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP – Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP – Block X-Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP – Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP – Block printer port
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP – Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP – Block Sun RPC/NFS portmapper
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP – Block Sun RPC/NFS portmapper
iptables -A INPUT -p all -s localhost -i eth0 -j DROP – Deny network packets arriving on eth0 that claim to come from localhost (spoofed loopback source)
/sbin/iptables-save > /etc/sysconfig/iptables.rules
/sbin/iptables-restore < /etc/sysconfig/iptables.rules
/sbin/ipchains-save > /etc/sysconfig/ipchains.rules
/sbin/ipchains-restore < /etc/sysconfig/ipchains.rules
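As an added example that is not part of the tutorial, the following POSIX shell function emits the whole gateway rule set in iptables-restore format, so it can be saved and loaded exactly as shown above. It combines the NAT masquerading rule with default-deny INPUT and FORWARD policies, connection tracking for replies, and the anti-spoofing drop. The interface names ppp0/eth1 and the 192.168.10.0/24 network follow the tutorial; the function name, the SSH-from-LAN rule and the EXT_IF/INT_IF/LAN_CIDR variables are assumptions of this example.

```shell
#!/bin/sh
# Emit a complete iptables-restore ruleset for a masquerading NAT gateway.
# Usage: gen_gateway_rules <external-if> <internal-if> <lan-cidr>
# Added illustration; interface names and the LAN follow the tutorial's examples.
gen_gateway_rules() {
    if [ $# -ne 3 ]; then
        echo "usage: gen_gateway_rules <ext-if> <int-if> <lan-cidr>" >&2
        return 1
    fi
    ext_if=$1
    int_if=$2
    lan=$3
    cat <<EOF
# nat table: rewrite LAN sources to the gateway's public address (masquerading)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
COMMIT
# filter table: deny by default, then allow only what the gateway needs
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to connections the gateway itself opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: loopback or LAN source addresses never legitimately arrive on the external link
-A INPUT -i $ext_if -s 127.0.0.0/8 -j DROP
-A INPUT -i $ext_if -s $lan -j DROP
-A FORWARD -i $ext_if -s $lan -j DROP
# management (SSH) only from the LAN side (assumed policy)
-A INPUT -i $int_if -s $lan -p tcp --dport 22 -j ACCEPT
# forward replies, and new connections only from the LAN toward the internet
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
COMMIT
EOF
}

# Print the ruleset. To apply it on the gateway (as root), redirect the output to
# a file, load it with iptables-restore and enable forwarding, e.g.:
#   gen_gateway_rules ppp0 eth1 192.168.10.0/24 > /etc/sysconfig/iptables.rules
#   /sbin/iptables-restore < /etc/sysconfig/iptables.rules
#   echo 1 > /proc/sys/net/ipv4/ip_forward
gen_gateway_rules "${EXT_IF:-ppp0}" "${INT_IF:-eth1}" "${LAN_CIDR:-192.168.10.0/24}"
```

Because the function only prints, the ruleset can be reviewed or diffed before anything is loaded into the kernel.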