Subject: Firewall - Date: 2012-02-20
Title: Webmin - IPTables Linux Firewall Configuration - Section: BSD Linux
Article

Prerequisites

Server and software versions required:

Operating system: Arch Linux, Fedora or another Linux distribution
Firewall: IPTables
Server administration: Webmin


Components or packages necessary:

Arch Linux: iptables 1.4.12.2-1 (a Linux kernel packet control tool)
Fedora: iptables-1.4.12-2.fc16.i686.rpm or iptables-1.4.12-2.fc16.x86_64.rpm

IPTables

The example below uses FC16, the Fedora 16 Linux distribution.

Configuring the IPTables firewall on Linux to host a website: Webmin greatly simplifies handling the following protocols and services:

Service   Port   Server
FTP       21     ProFTPd
SSH       22     OpenSSH
SMTP      25     Postfix or Sendmail *
DNS       53     Bind
HTTP      80     Apache
HTTPS     443    Apache

* Open port 25 only if an SMTP server is running and handles the outgoing e-mail.

Network interfaces: eth0, eth1, eth2, etc.

Remark: respecting the order of the rules is essential. iptables evaluates a chain from top to bottom and the first matching rule decides, so the final Reject rule must remain last.

With Webmin, in the Networking section, then Linux Firewall, loading the rules takes a few seconds and the following tables appear:

Incoming packets (INPUT)

Action   Condition
Accept   If state of connection is ESTABLISHED, RELATED
Accept   If protocol is ICMP
Accept   If input interface is lo
Accept   If input interface is eth1
Accept   If input interface is eth2
Accept   If protocol is TCP and destination port is 21 and state of connection is NEW
Accept   If protocol is TCP and destination port is 22 and state of connection is NEW
Accept   If protocol is TCP and destination port is 25 and state of connection is NEW
Accept   If protocol is TCP and destination port is 53 and state of connection is NEW
Accept   If protocol is UDP and destination port is 53 and state of connection is NEW
Accept   If protocol is TCP and destination port is 80 and state of connection is NEW
Accept   If protocol is TCP and destination port is 443 and state of connection is NEW
Reject   Always

Forwarded packets (FORWARD)

Action   Condition
Accept   If state of connection is ESTABLISHED, RELATED
Accept   If protocol is ICMP
Accept   If input interface is lo
Accept   If input interface is eth1
Accept   If input interface is eth2
Reject   Always

Outgoing packets (OUTPUT)
There are no rules defined for this chain.

Below the tables, Webmin offers four controls: a button that makes the configuration listed above active (any firewall rules currently in effect are flushed and replaced); a button that resets the listed configuration to the one currently active; a Yes/No option that controls whether the firewall is activated at boot time; and a button that clears all existing rules and sets up a basic initial configuration.

Configuration - the iptables file

To add a new rule, the simplest way is to click on Accept in the relevant line, for example the one whose input interface is lo, then create an identical rule with the « Clone Rule » button at the bottom of the form, change the input interface from lo to, for example, eth1, save this new rule and move it up the list.


The firewall rules from the file /etc/sysconfig/iptables:


# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 53 --state NEW -j ACCEPT
-A INPUT -p udp -m state -m udp --dport 53 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed



Take care with the syntax of the file /etc/sysconfig/iptables: it is loaded with iptables-restore, which rejects the whole file on a syntax error, so no rules are applied.
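An added example, not part of the original article, that audits a file in the system-config-firewall format shown above: it checks that INPUT and FORWARD still end with the catch-all Reject (first match wins, so the order matters) and that only the ports from the service table accept NEW connections. The rules text is a constructed, abbreviated copy of the article's file (three of the seven service ports).

```python
# Constructed, abbreviated copy of the article's /etc/sysconfig/iptables
RULES = """*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -p udp -m state -m udp --dport 53 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Intended policy: the (protocol, port) pairs the service table allows
EXPECTED = {("tcp", 22), ("udp", 53), ("tcp", 80)}

def filter_rules(text):
    """Return (chain, tokens) for every -A rule of the *filter table only."""
    table, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *filter / *nat
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith("-A "):
            tok = line.split()
            rules.append((tok[1], tok))
    return rules

def target(tok):
    return tok[tok.index("-j") + 1]      # jump target: ACCEPT / REJECT / DROP

def new_ports(rules):
    """(proto, port) pairs INPUT accepts for NEW connections."""
    return {(t[t.index("-p") + 1], int(t[t.index("--dport") + 1]))
            for c, t in rules if c == "INPUT" and "--dport" in t and target(t) == "ACCEPT"}

def audit(text, expected=EXPECTED):
    """List of findings; an empty list means the file matches the intended policy."""
    rules, findings = filter_rules(text), []
    for chain in ("INPUT", "FORWARD"):   # first match wins, so the catch-all must be last
        chain_rules = [t for c, t in rules if c == chain]
        if not chain_rules or target(chain_rules[-1]) not in ("REJECT", "DROP"):
            findings.append(f"{chain}: catch-all REJECT/DROP must be the last rule")
    ports = new_ports(rules)
    findings += [f"unexpected open port {p}/{n}" for p, n in sorted(ports - expected)]
    findings += [f"missing service port {p}/{n}" for p, n in sorted(expected - ports)]
    return findings
```

Run it against the real file with `audit(open("/etc/sysconfig/iptables").read(), expected)` after adjusting `expected` to the seven ports of the service table.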


Related articles on the subject

Webmin - Configure and launch or start
Webmin - Server and System Administration

Author
Eric Douzet
C-extra.com v. 1.2.0 © 2000-2014, all rights reserved  -  Updated April 12, 2014 Infologism.com