The following are some iptables configuration examples for specific applications.
NFS Server
The following assumes the NFS clients are in the address range 10.0.0.1-10.0.0.254 (that is, 10.0.0.0/24).
Insert the following lines in your /etc/sysconfig/iptables file:
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 111 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 52049 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 52050 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 111 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 52049 -s 10.0.0.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 52050 -s 10.0.0.0/24 -j ACCEPT
Create a file named /etc/sysconfig/nfs and put this in it:
MOUNTD_PORT=52049
STATD_PORT=52050
Older versions of the NFS software may require you to create a file named /etc/sysconfig/nfslock and put one line in it:
STATD_PORT=52050
Note: nfs and nfslock use a random port number. To find out which port is in use, the client connects to the portmapper (port 111), which tells it which port to connect to. To make nfs and nfslock use fixed port numbers (so that we can allow them in iptables), we create the /etc/sysconfig/nfs and /etc/sysconfig/nfslock files and restart the nfs service.
Note 2: if your NFS clients are configured to use only UDP instead of TCP, you can skip the last four iptables lines (the tcp rules).
Testing notes: run "netstat -lnp" (that is, lower case LNP) and make sure you see all four port numbers: 111, 2049, 52049 and 52050. If you do not, you probably did not restart nfs and/or nfslock, or portmap is not running.
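The two pieces of the procedure above that are easy to get wrong are typing eight nearly identical rules by hand and reading the netstat listing. The script below is an added example, not part of the original page: it generates the RH-Firewall-1-INPUT rules from one client subnet and port list, and checks a "netstat -lnp" listing for every port in the list. The netstat text in it is a constructed sample (statd was deliberately left on a random port), not output from any real host; the function names nfs_rules and missing_ports are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: generate the NFS server rules
# from one client subnet and port list, and check a "netstat -lnp" listing
# for the ports the testing notes require. SAMPLE_NETSTAT is constructed.

# Print one RH-Firewall-1-INPUT rule per protocol (udp and tcp) and port,
# restricted to the client subnet, in the form used in /etc/sysconfig/iptables.
nfs_rules() {
  subnet=$1
  ports=$2
  for proto in udp tcp; do
    for port in $ports; do
      printf '%s\n' "-A RH-Firewall-1-INPUT -p $proto -m state --state NEW -m $proto --dport $port -s $subnet -j ACCEPT"
    done
  done
}

# Read netstat -lnp output on stdin and print each port from the list that
# does not appear in the Local Address column (tcp or udp). No output means
# every port is present. The pattern requires ":port" followed by whitespace
# so that 2049 is not found inside 52049.
missing_ports() {
  listing=$(cat)
  for port in $1; do
    if ! printf '%s\n' "$listing" | grep -q ":$port[[:space:]]"; then
      printf '%s\n' "$port"
    fi
  done
}

# Constructed sample: portmap, nfsd and rpc.mountd are listening on their
# fixed ports, but statd was not restarted with STATD_PORT=52050.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1234/portmap
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:52049           0.0.0.0:*               LISTEN      1300/rpc.mountd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1234/portmap
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 0.0.0.0:52049           0.0.0.0:*                           1300/rpc.mountd'

NFS_PORTS='111 2049 52049 52050'

echo "# rules for clients in 10.0.0.0/24:"
nfs_rules 10.0.0.0/24 "$NFS_PORTS"

echo "# ports from the list not found in the sample listing:"
printf '%s\n' "$SAMPLE_NETSTAT" | missing_ports "$NFS_PORTS"
```

On a real server, pipe the live listing in with "netstat -lnp | sh -c '. ./nfs-check.sh'" or just call missing_ports from an interactive shell after sourcing the file; a printed port means the matching daemon was not restarted or portmap is down, exactly as the testing notes describe. Keep the generated rules above the final REJECT line of the RH-Firewall-1-INPUT chain, since iptables stops at the first matching rule.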
Turn your Fedora System into a NAT Firewall
If you want to use your Fedora system as a NAT firewall, you need the following:
Set eth0 as the outside interface
Set eth1 as the inside interface
This setup uses 172.16.1.0/24 as the inside network.
Modify your /etc/sysconfig/iptables as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [287:23545]
:POSTROUTING ACCEPT [15:2227]
:OUTPUT ACCEPT [21:2948]
-A POSTROUTING -s 172.16.1.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE
COMMIT
Edit /etc/sysctl.conf. Find the line:
net.ipv4.ip_forward = 0
and change it to:
net.ipv4.ip_forward = 1
You now have a NAT-capable Fedora system.
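The NAT setup depends on three things agreeing: the MASQUERADE rule for the inside network, the FORWARD chain passing through RH-Firewall-1-INPUT (so that routed traffic gets the same filtering as traffic to the firewall itself), and ip_forward being 1. The script below is an added example, not part of the original page: it lints copies of /etc/sysconfig/iptables and /etc/sysctl.conf contents read from stdin, so it runs without root. The file contents in it are constructed samples (the good one mirrors the rule set above), and the function names sysctl_value, ip_forward_enabled, has_rule and nat_findings are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: lint an /etc/sysconfig/iptables
# rule set and an /etc/sysctl.conf for what the NAT section depends on.
# All file contents below are constructed samples.

# Print the effective value of a sysctl key from sysctl.conf text on stdin:
# commented lines are ignored, "key = 1" and "key=1" both parse, and the last
# assignment wins (sysctl applies the file in order).
sysctl_value() {
  esc=$(printf '%s' "$1" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" | tail -n 1
}

# Succeed only when net.ipv4.ip_forward resolves to 1.
ip_forward_enabled() {
  [ "$(sysctl_value net.ipv4.ip_forward)" = 1 ]
}

# Fixed-string search over the rule set held in $rules (set by nat_findings).
has_rule() {
  printf '%s\n' "$rules" | grep -qF -- "$1"
}

# Read an iptables-save style rule set on stdin and print one line per
# finding for the design outside=$1, inside=$2, lan=$3. No output = matches.
nat_findings() {
  outside=$1; inside=$2; lan=$3
  rules=$(cat)
  has_rule '*nat' || echo "no *nat table"
  printf '%s\n' "$rules" | grep -F -- "-A POSTROUTING -s $lan" | grep -q MASQUERADE \
    || echo "no MASQUERADE rule for $lan in POSTROUTING"
  has_rule '-A FORWARD -j RH-Firewall-1-INPUT' \
    || echo "FORWARD chain does not go through RH-Firewall-1-INPUT; routed traffic is unfiltered"
  has_rule "-A RH-Firewall-1-INPUT -i $inside -j ACCEPT" \
    || echo "inside interface $inside is not accepted; LAN hosts cannot pass through the firewall"
  has_rule '--state ESTABLISHED,RELATED -j ACCEPT' \
    || echo "no ESTABLISHED,RELATED rule; replies to outbound connections will be rejected"
  if has_rule "-A RH-Firewall-1-INPUT -i $outside -j ACCEPT"; then
    echo "outside interface $outside is accepted unconditionally; the firewall is open"
  fi
  has_rule '-j REJECT --reject-with icmp-host-prohibited' || echo "chain has no final REJECT"
}

# Constructed sample matching the rule set in the text.
GOOD_IPTABLES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 172.16.1.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE
COMMIT'

# Constructed broken variant: interfaces swapped (eth0, the outside, is
# trusted) and the MASQUERADE rule names the wrong inside network.
BAD_IPTABLES=$(printf '%s\n' "$GOOD_IPTABLES" \
  | sed -e 's/-i eth1 -j ACCEPT/-i eth0 -j ACCEPT/' \
        -e 's#172.16.1.0/255.255.255.0#192.168.0.0/24#')

# Constructed sysctl.conf: the old value is left commented out, the new one
# is written without spaces, as some editors do.
SYSCTL_SAMPLE='# Kernel sysctl configuration file (constructed sample)
# net.ipv4.ip_forward = 0
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter = 1'

echo "# findings for the good rule set (expect none):"
printf '%s\n' "$GOOD_IPTABLES" | nat_findings eth0 eth1 172.16.1.0/255.255.255.0
echo "# findings for the broken rule set:"
printf '%s\n' "$BAD_IPTABLES" | nat_findings eth0 eth1 172.16.1.0/255.255.255.0
echo "# ip_forward in sample sysctl.conf: $(printf '%s\n' "$SYSCTL_SAMPLE" | sysctl_value net.ipv4.ip_forward)"
```

Against a live system, feed it "iptables-save" output and the real /etc/sysctl.conf. Two points the check makes visible: editing /etc/sysctl.conf does not change the running kernel, so run "sysctl -p" (or reboot) and confirm with "cat /proc/sys/net/ipv4/ip_forward"; and the "-i eth1 -j ACCEPT" rule trusts everything on the inside interface, so getting the outside and inside interface names the right way round is the difference between a firewall and an open box, which is why the lint flags a blanket accept on the outside interface.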
This document last modified Sunday May 29, 2005