How to set iptables rules in centos

-
The rules we used for firewall 2 were:
Stop all incoming traffic using the following command:

iptables -P INPUT DROP

Allow SSH session to firewall 2 by using the following command:

iptables -A INPUT -p tcp --dport 22 -s 0/0 -j ACCEPT

Allow ICMP traffic to firewall 2 by using the following command:

iptables -A INPUT -p icmp -j ACCEPT

Allow all related and established traffic for firewall 2 by using the following command:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Stop all forwarding by using the following command:

iptables -P FORWARD DROP

Allow forwarding of TCP traffic on IP interface 172.110.60.0 (client) port 80 (HTTP) and port 443 (HTTPS) to go to 192.168.40.95 (webApp.secure) by using the following commands:

iptables -A FORWARD -p tcp --dport 80 -s 172.110.60.0 /24 -d 192.168.40.95 -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -s 172.110.60.0 /24 -d 192.168.40.95 -j ACCEPT

Allow forwarding of ICMP traffic by using the following command:

iptables -A FORWARD -p icmp -j ACCEPT

Allow forwarding of all related and established traffic by using the following command:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow output traffic for ICMP by using the following command:

iptables -A OUTPUT -p icmp -j ACCEPT

Firewall 1
The rules we used for firewall 1 were:
Stop all incoming traffic by using the following command:

iptables -P INPUT DROP

Allow SSH session to firewall 1 by using the following command:

iptables -A INPUT -p tcp --dport 22 -s 0/0 -j ACCEPT

Allow ICMP traffic to firewall 1 by using the following command:

iptables -A INPUT -p icmp -j ACCEPT

Allow all related and established traffic for firewall 1 by using the following command:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Stop all forwarding by using the following command:

iptables -P FORWARD DROP

Allow forwarding of TCP traffic on interface 192.168.40.0 (guest LAN) to go to 172.110.60.10 (webserver2) by using the following command:

iptables -A FORWARD -p tcp -i hsi1 -o hsi2 -d 172.110.60.10 -j ACCEPT

Allow forwarding of ICMP traffic by using the following command:

iptables -A FORWARD -p icmp -j ACCEPT

Allow forwarding of all related and established traffic by using the following command:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow output traffic for ICMP by using the following command:

iptables -A OUTPUT -p icmp -j ACCEPT

Comments

Post a Comment

Popular Posts

Install and configure rsyslog Centralized logging server in CentOS

-
 Install and configure rsyslog Centralized logging server in CentOS 6.5 In this tutorial we will learn, how to install and configure rsyslog 7.6 version on RHEL 6.5/CentOS 6.5 .The scenario is, install and setup rsyslog Centralized Logging Server in RHEL/CentOS 6.5. All the logs from client servers will be sent to Centralized logging server i.e rsyslog server. Check Pre-installed rsyslog package Step 1: First of all check the rsyslog package is installed in your system.Generally by-default we get rsyslog version 5.x , after minimal installation of CentOS 6.x / RHEL 6.x We will install the latest rsyslog package. At the time of writing this post, rsyslog stable version 7.6 was available. You can find the latest package information from rsyslog official website Note: By default, RHEL 6.x and CentOS 6.x has rsyslog version 5.x. So here we will update the rsyslog with new version. You can get the rsyslog version information, by using below given two commands rpm -qa|grep rsyslog
Read more

How to fix postfix/smtp Network is unreachable error

-
While configuration postfix authentication getting the error status=deferred (delivery temporarily suspended: connect to smtp.office365.com[2603:1026:3:ca::2]:587: Network is unreachable) its because of you were not using IPv6/ wrong settings for ipv6. You can either use IPv4, or correct your IPv6 settings. [root@mailserver postfix]# netstat -nutlap | grep 25 tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      3956/master tcp        0      0 127.0.0.1:38442         127.0.0.1:3306          ESTABLISHED 2596/httpd [root@mailserver postfix]# vi /etc/postfix/main.cf [root@mailserver postfix]# systemctl restart postfix [root@mailserver postfix]# netstat -nutlap | grep 25 tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4079/master tcp        0      0 127.0.0.1:38442         127.0.0.1:3306          ESTABLISHED 2596/httpd tcp6       0      0 :::25                   :::*                    LISTEN      407
Read more

Could not join realm: Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli

-
Couldn't join realm: Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli root@HPUX:~# realm join --user=domainuser@windows.local  windows.local -v  * Resolving: _ldap._tcp.windows.local  * Resolving: windows.local  * Performing LDAP DSE lookup on: 192.168.20.24  * Successfully discovered: windows.local Password for domainuser@windows.local:  * Unconditionally checking packages  * Resolving required packages  ! Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli realm: Couldn't join realm: Necessary packages are not installed: root@HPUX:~# apt-get install sssd-tools sssd libnss-sss libpam-sss adcli Reading package lists... Done Building dependency tree Reading state information... Done adcli is already the newest version (0.8.1-1). libnss-sss is already the newest version (1.13.4-1ubuntu1.7). libpam-sss is already the newest version (1.13.4-1ubuntu1.7). sssd is already the newest version (1.13.4-1u
Read more