Question : limited access in RHEL server using firewall
Hi, I want to enable the RHEL 4.0 firewall. 1. How can we set limited access to a port from a limited set of IP addresses by enabling the RHEL 4 firewall? 2. How to limit access to the server using PuTTY and VNC?
Regards, Naresh
Answer : limited access in RHEL server using firewall
Briefly, hmmm.
First you want to be very careful and make sure that you do not make any changes to your iptables configuration unless you are certain you know what the effects will be.
iptables is your firewall application; when running, it processes all packet traffic on your network interfaces. If you execute 'iptables --list -n --line-numbers' you will get something like this:
iptables --list -n
Chain INPUT (policy ACCEPT)
     target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
     target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
     target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
     target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
5    ACCEPT     all  --  10.10.0.0/16         224.0.0.0/8
9    ACCEPT     all  --  10.10.1.106          0.0.0.0/0
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
16   LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `Blocked-Firewall'
17   DROP       all  --  0.0.0.0/0            0.0.0.0/0
You see 4 chains in this example: INPUT, OUTPUT, FORWARD and RH-Firewall-1-INPUT.
In this case the INPUT chain has a command that just accepts all traffic and forwards it to the RH-Firewall-1-INPUT chain. That chain has a number of lines, and each packet will be tested by each line until it finds a match. The first line is tricky and looks like it allows all traffic and should match everything, but what you cannot see here is that it is associated with the local interface lo, not your NIC.
Examples:
Line 2 - ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
This line accepts all traffic that is already part of an established connection, using all protocols and any source or destination.
Line 9 - ACCEPT all -- 10.10.1.106 0.0.0.0/0
This line accepts all traffic from the host 10.10.1.106.
Line 13 - ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
Line 14 - ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
These lines accept all new tcp connections to this host from any other host on ports 22 and 80; 22 is your ssh connection, which both PuTTY and VNC use.
Line 16 - LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `Blocked-Firewall'
Line 17 - DROP all -- 0.0.0.0/0 0.0.0.0/0
The last 2 lines are very important: line 16 logs any attempted traffic which has not been previously matched, and then line 17 drops those packets. If you do not do this you may inadvertently allow access you do not want.
So to answer your original question, you would insert a line in your iptables chain like this. Let's say you wanted to allow the hosts 192.168.1.1 and 192.168.1.12 to connect to your server via ssh:
iptables -I INPUT -s 192.168.1.1 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -s 192.168.1.12 -p tcp --dport 22 -j ACCEPT
The -I tells it to insert at the beginning of the chain INPUT a rule that says ACCEPT from -s (source) 192.168.1.1 using -p (protocol) tcp and --dport (destination port) 22. This will allow that host to make a connection. The drop statement at the end of the chain will drop all other traffic not specifically allowed.
I hope this helps.
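The two steps the answer above walks through, reading the chain listing and then limiting a port to named hosts, as an added example that is not part of the original thread and not RHEL's own tooling. It assumes the listing came from 'iptables --list -n --line-numbers'; the sample listing is constructed from the answer's output, and 192.168.1.1 and 192.168.1.12 are the hosts the answer uses. The script only prints the iptables commands so they can be reviewed before being applied; it also handles the point the chain walk-through implies but the commands alone do not cover: the any-source "dpt:22" rule has to be removed, otherwise it still matches and the per-host ACCEPT rules change nothing.

```sh
#!/bin/sh
# Added example, not from the original thread: audit an iptables listing for TCP ports
# accepted from any source, then build the rules that limit one such port to named hosts.
# Assumes the listing was produced by 'iptables --list -n --line-numbers'.

# Constructed sample: the RH-Firewall-1-INPUT chain from the answer above, one rule per line.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     all  --  10.10.1.106          0.0.0.0/0
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
17   DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Reads a listing on stdin; prints "chain rulenum port" for every ACCEPT tcp rule whose
# source is 0.0.0.0/0, i.e. a port that any host on the network may open a connection to.
world_open_tcp_ports() {
    awk '
        /^Chain / { chain = $2; next }
        $2 == "ACCEPT" && $3 == "tcp" && $5 == "0.0.0.0/0" {
            for (i = 6; i <= NF; i++)
                if ($i ~ /^dpt:[0-9]+$/) { sub(/^dpt:/, "", $i); print chain, $1, $i }
        }'
}

# Prints (does not run) the commands that limit PORT in CHAIN to the listed hosts:
# one ACCEPT per host inserted at the top of the chain, then deletion of the any-source
# rule RULENUM. Without that deletion the any-source rule still matches and the per-host
# rules change nothing. Each -I at position 1 pushes the existing rules down one place,
# so the any-source rule is deleted at RULENUM plus the number of hosts inserted.
restrict_tcp_port() {
    chain=$1; rulenum=$2; port=$3; shift 3
    count=$#
    for host in "$@"; do
        printf 'iptables -I %s -s %s -p tcp --dport %s -j ACCEPT\n' "$chain" "$host" "$port"
    done
    printf 'iptables -D %s %s\n' "$chain" $((rulenum + count))
}

# Stand-alone run on the constructed listing: audit it, then show the port 22 commands
# for the two hosts used in the answer above.
printf '%s\n' "$SAMPLE_LISTING" | world_open_tcp_ports
printf '%s\n' "$SAMPLE_LISTING" | world_open_tcp_ports | while read -r chain num port; do
    if [ "$port" = 22 ]; then
        restrict_tcp_port "$chain" "$num" "$port" 192.168.1.1 192.168.1.12
    fi
done
```

Run it against a real listing with 'iptables --list -n --line-numbers | world_open_tcp_ports' and pipe the printed commands to 'sh' as root only after checking them. The host you administer from must be in the list: the RELATED,ESTABLISHED rule keeps your current session alive, but no new ssh connection from an unlisted address will get through. The example inserts and deletes in the same chain the audit reported (RH-Firewall-1-INPUT here) so the rule-number arithmetic stays valid; and on RHEL 4 the running rules are lost on reboot unless written out with 'service iptables save'.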