Install IPTABLES for NAT/Firewall/Transparent Proxy
1. Install the iptables package.
[root@proxy log]# yum install iptables
Setting up repositories
updates-released 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:04
base 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Installed Packages
Name : iptables
Arch : i386
Version: 1.3.0
Release: 2
Size : 393 k
Repo : installed
Summary: Tools for managing Linux kernel packet filtering capabilities.
2. Check the installation.
[root@proxy log]# rpm -qa|grep iptables
3. Start at boot time.
[root@proxy log]# chkconfig iptables on
4. Configure the /etc/sysconfig/iptables file.
# Firewall created by jepoy while half asleep... bbzzzz......
# eth0 - public
# eth1 - private
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to 203.189.x.x
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Tue Oct 11 20:53:45 2005
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Forward chain
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow the LAN to open new connections to these TCP ports on the Internet
-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p tcp -m multiport --dport smtp,pop3,imap,6301,443,5100,13,554,1101,8080 -o eth0 -i eth1 -j ACCEPT
# allow the LAN to use ICMP
-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p icmp -o eth0 -i eth1 -j ACCEPT
# Input chain
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#allow public address to use Squid port 3128
-A INPUT -s 203.189.x.0/255.255.255.0 -i eth0 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
# Allow public for DNS ACCESS
-A INPUT -s 203.189.x.0/255.255.255.0 -i eth0 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
# SSH Access
-A INPUT -s 203.189.x.5 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Application Access
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 1101 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 554 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p icmp -m state --state NEW -m icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Logging
-A INPUT -j LOG
-A OUTPUT -j LOG
-A FORWARD -j LOG
COMMIT
5. Restart the service after every change.
[root@proxy /]# /sbin/service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter nat [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
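As an added example (not part of the original post), the script below parses a ruleset written in the /etc/sysconfig/iptables format shown in step 4 and checks the points a reviewer would look for in this layout: INPUT and FORWARD fail closed, the PREROUTING REDIRECT is bound to the private interface, an SNAT rule sits on the public interface, nothing arriving on eth0 is accepted without a source, and the trailing LOG rules carry a limit match. The page's LOG rules have no limit, so the script reports them; an unlimited LOG at the end of a DROP chain writes one syslog line per dropped packet, which fills the log quickly under a port scan. The embedded sample is the page's own file condensed, with its 203.189.x.x placeholders kept, and the eth0/eth1 roles come from the page's comments; the check names and the `audit`/`parse_ruleset` functions are this example's own.

```python
"""Audit an iptables-save style ruleset (editor's example, not from the page)."""
import sys
import shlex
from collections import defaultdict

# Constructed sample: the page's /etc/sysconfig/iptables condensed to the rules
# the checks below look at. 203.189.x.x placeholders are the page's own.
SAMPLE_RULESET = """\
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to 203.189.x.x
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.189.x.0/255.255.255.0 -i eth0 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 203.189.x.5 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG
-A OUTPUT -j LOG
-A FORWARD -j LOG
COMMIT
"""


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {chain, target, opts}.

    Every flag keeps a list of values so repeated flags (-m state -m tcp)
    are preserved; a flag followed by another flag is stored as True.
    """
    tokens = shlex.split(line)
    rule = {"chain": None, "target": None, "opts": defaultdict(list)}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        has_value = nxt is not None and not nxt.startswith("-")
        value = nxt if has_value else True
        if tok == "-A":
            rule["chain"] = value
        elif tok == "-j":
            rule["target"] = value
        else:
            rule["opts"][tok].append(value)
        i += 2 if has_value else 1
    return rule


def parse_ruleset(text):
    """Split an iptables-save dump into tables, each with policies and rules."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # *nat, *filter ...
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line == "COMMIT":
            table = None
        elif table is None:
            continue                                  # stray line outside a table
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            tables[table]["policies"][name] = policy
        elif line.startswith("-A"):
            tables[table]["rules"].append(parse_rule(line))
    return tables


def opt(rule, flag, default=None):
    """Last value given for a flag, or default when the flag is absent."""
    vals = rule["opts"].get(flag)
    return vals[-1] if vals else default


def audit(text, public_if="eth0"):
    """Return a list of findings; an empty list means every check passed."""
    tables = parse_ruleset(text)
    empty = {"policies": {}, "rules": []}
    flt, nat = tables.get("filter", empty), tables.get("nat", empty)
    findings = []
    # 1. Fail closed: traffic to and through the box is dropped unless allowed.
    for chain in ("INPUT", "FORWARD"):
        if flt["policies"].get(chain) != "DROP":
            findings.append(f"policy: {chain} default policy is not DROP")
    # 2. Transparent proxy: LAN tcp/80 must be redirected, and only from the LAN side.
    redirects = [r for r in nat["rules"] if r["chain"] == "PREROUTING"
                 and r["target"] == "REDIRECT" and opt(r, "-p") == "tcp"
                 and opt(r, "--dport") == "80"]
    if not redirects:
        findings.append("nat: no PREROUTING REDIRECT for tcp/80")
    elif any(opt(r, "-i") is None for r in redirects):
        findings.append("nat: REDIRECT rule has no -i, so public-side web traffic is redirected too")
    # 3. The LAN needs source NAT on the public interface to reach the Internet.
    if not any(r["chain"] == "POSTROUTING" and r["target"] in ("SNAT", "MASQUERADE")
               and opt(r, "-o") for r in nat["rules"]):
        findings.append("nat: no SNAT/MASQUERADE bound to an outbound interface")
    # 4. Anything accepted from the public interface must name a source.
    for r in flt["rules"]:
        if (r["chain"] == "INPUT" and r["target"] == "ACCEPT"
                and opt(r, "-i") == public_if and opt(r, "-s") is None):
            findings.append(f"input: ACCEPT on {public_if} without -s (dport {opt(r, '--dport', 'any')})")
    # 5. LOG without -m limit at the tail of a DROP chain floods syslog under a scan.
    for r in flt["rules"]:
        if r["target"] == "LOG" and "limit" not in r["opts"].get("-m", []):
            findings.append(f"log: {r['chain']} LOG rule has no -m limit")
    return findings


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the embedded sample is used.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET
    for finding in audit(source) or ["no findings"]:
        print(finding)
```

Run as `python3 audit_iptables.py /etc/sysconfig/iptables` on the proxy box (the file name is arbitrary). On the page's ruleset the only output is the three LOG findings; to clear them, add `-m limit --limit 5/min` (or similar) before `-j LOG` on each of the three logging rules. The parser is deliberately simple: it does not handle `!` negation or user-defined chains with their own jumps, so treat it as a first pass before `iptables-restore --test`, not a replacement for it.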