Chapter 7. Firewalls
CIPE connection requests from the outside can be accepted with the following rules (replacing x
with your device number):
iptables -A INPUT -p udp -i cipcbx -j ACCEPT
iptables -A OUTPUT -p udp -o cipcbx -j ACCEPT
Since CIPE uses its own virtual device which transmits datagram (UDP) packets, the rule allows the
cipcb interface for incoming connections, instead of source or destination ports (though they can be
used in place of device options). Note that a rule matching the cipcb device only sees traffic that has
already been decapsulated onto the virtual interface; the encrypted UDP carrier packets still arrive on
the physical interface, so a restrictive INPUT policy must also permit the UDP port CIPE is configured
to use on that interface.
used in place of device options). For information about using CIPE, refer to Chapter 6 Virtual Private
Networks.
There are other services for which you may need to define rules. Refer to the Red Hat Enterprise
Linux Reference Guide for comprehensive information on IPTables and its various options.
These rules allow access to regular and secure services on the firewall; however, they do not allow
nodes behind the firewall access to these services. To allow LAN access to these services, you can use
NAT with IPTables filtering rules.
7.4. FORWARD and NAT Rules
Most organizations are allotted a limited number of publicly routable IP addresses from their ISP. Due
to this limited allowance, administrators must find creative ways to share access to Internet services
without giving scarce IP addresses to every node on the LAN. Using private IP addresses is the common
way to allow all nodes on a LAN to properly access network services internally and externally. Edge
routers (such as firewalls) can receive incoming transmissions from the Internet and route the packets
to the intended LAN node; at the same time, firewall/gateways can also route outgoing requests from
a LAN node to the remote Internet service. This forwarding of network traffic can become dangerous
at times, especially with the availability of modern cracking tools that can spoof internal IP addresses
and make the remote attacker's machine act as a node on your LAN. To prevent this, iptables
provides routing and forwarding policies that can be implemented to prevent aberrant usage of network
resources.
The FORWARD policy allows an administrator to control where packets can be routed within a LAN.
For example, to allow forwarding for the entire LAN (assuming the firewall/gateway has an internal
IP address on eth1), the following rules can be set:
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
Note
By default, the IPv4 policy in Red Hat Enterprise Linux kernels disables support for IP forwarding,
which prevents boxes running Red Hat Enterprise Linux from functioning as dedicated edge routers.
To enable IP forwarding, run the following command:
sysctl -w net.ipv4.ip_forward=1
If this command is run via shell prompt, then the setting is not remembered after a reboot. You can
permanently set forwarding by editing the /etc/sysctl.conf file. Find and edit the following line,
replacing 0 with 1:
net.ipv4.ip_forward = 0
Execute the following command to enable the change to the sysctl.conf file:
sysctl -p /etc/sysctl.conf
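The two FORWARD rules above accept every packet entering or leaving eth1, in both directions and without any state check, so once NAT is in place a forged packet arriving on the external interface with a LAN source address would be forwarded just like a legitimate one. The script below is an added example, not taken from the Security Guide; it assumes eth0 is the external interface, eth1 the internal one, and 192.168.1.0/24 the LAN range (all three are assumptions, overridable through the environment). It enables forwarding, starts from a deny-all FORWARD policy, drops spoofed LAN-sourced packets on the external interface before any ACCEPT can match, forwards only LAN-originated traffic outward and only established or related replies inward (using the -m state match available in this iptables generation), and adds the masquerading rule that lets private LAN addresses share the gateway's public address. The rules are printed rather than executed so they can be reviewed first; pass apply to run them as root.

```sh
#!/bin/sh
# Added example (not from the Security Guide): a restrictive FORWARD ruleset for a
# two-interface gateway. Interface names and the LAN range are assumptions:
#   eth0 = external (public) interface, eth1 = internal, LAN = 192.168.1.0/24
# forward_rules prints the commands so they can be reviewed first; run
#   sh forward.sh apply      (as root)
# to execute them.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

forward_rules() {
    cat <<EOF
# Turn on forwarding for this boot (make it permanent in /etc/sysctl.conf).
sysctl -w net.ipv4.ip_forward=1
# Start from a deny-all forwarding policy so only listed traffic crosses the box.
iptables -P FORWARD DROP
iptables -F FORWARD
# Anti-spoofing: a packet claiming a LAN source address but arriving on the
# external interface is forged; drop it before any ACCEPT rule can match it.
iptables -A FORWARD -i $EXT_IF -s $LAN_NET -j DROP
# LAN -> Internet: forward only packets that really carry a LAN source address.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
# Internet -> LAN: forward only replies to connections the LAN side opened.
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT: rewrite the source of outgoing LAN packets to the gateway's public address.
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Sanity check on the generated list: the anti-spoofing DROP must precede the
# first ACCEPT in the FORWARD chain, otherwise a forged packet could be accepted
# before the DROP is reached. Returns 0 when the ordering is correct.
spoof_drop_precedes_accept() {
    forward_rules | grep '^iptables -A FORWARD' | awk '
        /-j DROP/ && !seen_drop { seen_drop = 1 }
        /-j ACCEPT/ && !seen_drop { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

case "${1:-print}" in
    apply) forward_rules | sh ;;
    *)     forward_rules ;;
esac
```

Rule order matters in iptables because the first matching rule wins; keeping the anti-spoofing DROP ahead of every ACCEPT is what makes the state rule safe, and spoof_drop_precedes_accept exists so that invariant can be checked before the rules are loaded.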