Subject: Firewall    Date: 2009-01-20
Title: Webmin - Configure IPTables Firewall - Fedora FC9 - FC10    Section: BSD Linux
Article

This applies to the Linux distributions Fedora 9 (FC9) and Fedora 10 (FC10).

In Webmin, click the Networking icon, then Linux Firewall. Loading the rules takes a few seconds, after which the table shown below is displayed.

The rules cover the following devices and services:

DNS for Bind Domain Name Server, port 53.
HTTP for the Apache web server, port 80, and port 443 for HTTPS (SSL).
FTP for the ProFTPd server, port 21.
SSH for OpenSSH, port 22.
SMTP for Postfix or Sendmail, port 25.

eth0, eth1, eth2, etc., the LAN network adapters; these rules matter when the workstation or server sits behind a router or is part of an SMB network.


Incoming packets (INPUT)
Action  Condition
Accept  If state of connection is ESTABLISHED,RELATED
Accept  If protocol is ICMP
Accept  If input interface is lo
Accept  If input interface is eth1
Accept  If input interface is eth2
Accept  If protocol is TCP and destination port is 21 and state of connection is NEW
Accept  If protocol is TCP and destination port is 22 and state of connection is NEW
Accept  If protocol is TCP and destination port is 25 and state of connection is NEW
Accept  If protocol is TCP and destination port is 53 and state of connection is NEW
Accept  If protocol is UDP and destination port is 53 and state of connection is NEW
Accept  If protocol is TCP and destination port is 80 and state of connection is NEW
Accept  If protocol is TCP and destination port is 443 and state of connection is NEW
Reject  Always

Forwarded packets (FORWARD)
Action  Condition
Accept  If state of connection is ESTABLISHED,RELATED
Accept  If protocol is ICMP
Accept  If input interface is lo
Accept  If input interface is eth1
Accept  If input interface is eth2
Reject  Always

Outgoing packets (OUTPUT)
There are no rules defined for this chain.

Below the tables, Webmin offers the following controls:
Apply: makes the firewall configuration listed above active. Any firewall rules currently in effect are flushed and replaced.
Revert: resets the configuration listed above to the one that is currently active.
Activate at boot (Yes / No): controls whether the firewall is activated at boot time.
Reset: clears all existing firewall rules and sets up new rules for a basic initial configuration.

Respecting the order of the rules is of primary importance; the first rule that matches a packet decides its fate, and it is not for nothing that rules can be moved up or down!

To add a new rule, the simplest way is to click on the Accept line concerned, for example the one whose input interface is lo, then create an identical rule with the "Clone rule" button at the bottom of the form, change the input interface from lo to eth1 for example, save this new rule and move it up in the list.


Firewall rules file: /etc/sysconfig/iptables


# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 53 --state NEW -j ACCEPT
-A INPUT -p udp -m state -m udp --dport 53 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
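Because the first matching rule wins, any rule that lands below a chain's unconditional "Reject Always" line (the -A INPUT -j REJECT ... and -A FORWARD -j REJECT ... lines above) can never match, which is exactly the mistake the ordering warning above is about. The following script is an added example, not code from the article or from Webmin: it reads a file in the iptables-save format shown above and lists every filter-table rule that appears after its chain has already been closed by an unconditional ACCEPT, DROP or REJECT. The sample ruleset embedded in it is constructed for the demonstration (a trimmed copy of the article's rules with one port 80 rule deliberately misplaced after the INPUT reject); the file path and function name are this example's own choices.

```shell
#!/bin/sh
# Constructed sample (not the article's file as-is): the article's INPUT and
# FORWARD rules, shortened, with one rule deliberately placed after the
# INPUT catch-all REJECT so that it can never match.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# unreachable_rules FILE
# Prints every "-A CHAIN ..." rule of the *filter table that comes after an
# unconditional terminating rule in the same chain, i.e. a rule of the exact
# form "-A CHAIN -j ACCEPT|DROP|REJECT" (optionally followed by
# "--reject-with X"). Such later rules are dead: iptables evaluates a chain
# top to bottom and stops at the first terminating match.
unreachable_rules() {
    awk '
        /^\*/     { table = substr($0, 2); next }      # "*filter", "*nat", ...
        /^COMMIT/ { for (c in closed) delete closed[c]; next }
        table != "filter" || $1 != "-A" { next }       # only filter-table rules
        {
            chain = $2
            if (chain in closed) { print "unreachable: " $0; next }
            # Is this rule an unconditional terminating rule for its chain?
            if (NF >= 4 && $3 == "-j" &&
                ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) {
                if (NF == 4 || (NF == 6 && $5 == "--reject-with"))
                    closed[chain] = 1
            }
        }
    ' "$1"
}

# Usage: sh check_rules.sh /etc/sysconfig/iptables
# Without an argument the constructed sample above is checked instead.
if [ $# -gt 0 ]; then
    unreachable_rules "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    unreachable_rules "$tmp"
    rm -f "$tmp"
fi
```

Run against the article's own /etc/sysconfig/iptables the script prints nothing, because each chain's REJECT comes after all of that chain's Accept rules, even though the INPUT reject is written below the FORWARD accepts in the file (ordering only matters within a chain). Rules matched by the script are a sign that a rule was saved at the bottom of the list and never moved up above the reject, as the cloning procedure above requires.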



Be careful with the syntax of this file, /etc/sysconfig/iptables: a malformed line prevents the whole ruleset from loading.

Author
Eric Douzet
C-extra.com v. 1.2.0 © 2003-2010, all rights reserved  -  Updated September 02, 2010 Infologism.com