iptables Notes

The following are some example iptables configurations for specific applications.



NFS Server

The following assumes the NFS clients are in the address range 10.0.0.1-10.0.0.254 (the 10.0.0.0/24 network used in the rules below).

Insert the following lines in your /etc/sysconfig/iptables file

-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 111 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 52049 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 52050 -s 10.0.0.0/24 -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 111 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 52049 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 52050 -s 10.0.0.0/24 -j ACCEPT


Create a file named /etc/sysconfig/nfs and put this in it:
MOUNTD_PORT=52049
STATD_PORT=52050

Older versions of the NFS software may require you to create a file named /etc/sysconfig/nfslock containing one line:
STATD_PORT=52050

Note: by default the nfs and nfslock services (mountd and statd) listen on randomly assigned ports. A client first connects to portmapper (port 111) to find out which port to connect to. To make nfs and nfslock use fixed port numbers (so that we can allow them in iptables), we create the /etc/sysconfig/nfs and /etc/sysconfig/nfslock files and restart the nfs service.

Note 2: if your NFS clients are configured to use only UDP instead of TCP, you can skip the last four iptables lines (the TCP rules).

Testing notes: run "netstat -lnp" (that is lower-case l, n, p) and make sure you see all four port numbers: 111, 2049, 52049 and 52050. If you do not, you probably did not restart nfs and/or nfslock, or portmap is not running.
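As an added example (not part of the original notes), the shell script below automates the testing note: it parses "netstat -lnp" output and reports which of the four expected ports (111, 2049, 52049, 52050) are not bound for TCP and for UDP, which tells you whether nfs, nfslock or portmap still needs attention. The netstat output embedded in it is constructed for offline use, and the function names are my own.

```shell
#!/bin/bash
# Added example: verify that the fixed NFS ports from the notes above are
# listening. Constructed "netstat -lnp" sample (not captured from a real host);
# on a server replace SAMPLE_NETSTAT with: $(netstat -lnp 2>/dev/null)
NFS_PORTS="111 2049 52049 52050"

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp   0 0 0.0.0.0:111    0.0.0.0:*  LISTEN  1234/portmap
tcp   0 0 0.0.0.0:2049   0.0.0.0:*  LISTEN  -
tcp   0 0 0.0.0.0:52049  0.0.0.0:*  LISTEN  1300/rpc.mountd
udp   0 0 0.0.0.0:111    0.0.0.0:*          1234/portmap
udp   0 0 0.0.0.0:2049   0.0.0.0:*          -
udp   0 0 0.0.0.0:52049  0.0.0.0:*          1300/rpc.mountd
udp   0 0 0.0.0.0:52050  0.0.0.0:*          1350/rpc.statd'

# listening_ports PROTO NETSTAT_OUTPUT: print the local ports bound for PROTO
# (tcp or udp), one per line. The address is stripped up to its last colon.
listening_ports() {
    printf '%s\n' "$2" | awk -v proto="$1" '$1 == proto { sub(/.*:/, "", $4); print $4 }' | sort -un
}

# missing_ports PROTO NETSTAT_OUTPUT: print (space separated) the expected NFS
# ports that are NOT bound for PROTO; prints nothing when all are present.
missing_ports() {
    local missing="" port
    for port in $NFS_PORTS; do
        if ! listening_ports "$1" "$2" | grep -qx "$port"; then
            missing="${missing:+$missing }$port"
        fi
    done
    printf '%s' "$missing"
}

# check_nfs_ports NETSTAT_OUTPUT: return 0 when every expected port is bound
# for both TCP and UDP, 1 otherwise, naming the gaps on stderr.
check_nfs_ports() {
    local rc=0 proto gaps
    for proto in tcp udp; do
        gaps=$(missing_ports "$proto" "$1")
        if [ -n "$gaps" ]; then
            echo "$proto: not listening on $gaps (restart nfs/nfslock, or check portmap)" >&2
            rc=1
        fi
    done
    return $rc
}

# In the constructed sample statd is missing on TCP, so this reports tcp: 52050.
if check_nfs_ports "$SAMPLE_NETSTAT"; then echo "all NFS ports are listening"; fi
```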





Turn your Fedora System into a NAT Firewall


If you want to use your Fedora system as a NAT firewall, you need the following:

Set eth0 as the outside interface
Set eth1 as the inside interface
This setup uses 172.16.1.0/24 as the inside network

Modify your /etc/sysconfig/iptables as follows

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [287:23545]
:POSTROUTING ACCEPT [15:2227]
:OUTPUT ACCEPT [21:2948]
-A POSTROUTING -s 172.16.1.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE
COMMIT



Edit /etc/sysctl.conf. Find the line:
net.ipv4.ip_forward = 0
and change to be:
net.ipv4.ip_forward = 1
 
You now have a NAT-capable Fedora system.





This document last modified Sunday May 29, 2005