72
Chapter 7. Firewalls
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
To take the restrictions a step further, you can block outside connections that spoof private IP address ranges in an attempt to infiltrate your LAN. If the LAN uses the 192.168.1.0/24 range, a rule can tell the Internet-facing network device (for example, eth0) to drop any packet arriving on that device whose source address lies in the LAN's range. Because a default policy of rejecting forwarded packets is recommended, packets spoofing any other address are rejected automatically.
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth0 -j DROP
iptables -A FORWARD -p udp -s 192.168.1.0/24 -i eth0 -j DROP
Rules can also be set to route traffic to certain machines, such as a dedicated HTTP or FTP server, preferably one that is isolated from the internal network on a DMZ. To route all incoming HTTP requests to a dedicated HTTP server at IP address 10.0.4.2, port 80 (outside the 192.168.1.0/24 range of the LAN), add a destination network address translation (DNAT) rule to the PREROUTING chain of the nat table, which rewrites the packets to the proper destination (the \ denotes a continuation of a one-line command):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
    -j DNAT --to 10.0.4.2:80
With this rule, all HTTP connections to port 80 arriving from outside the LAN are redirected to the HTTP server, which sits on a network separate from the rest of the internal network. Note that DNAT only rewrites the destination address: if the FORWARD chain's default policy is DROP, a FORWARD rule accepting TCP traffic to 10.0.4.2 port 80 is still required, and IP forwarding must be enabled in the kernel. This form of network segmentation is safer than allowing HTTP connections to a machine on the internal network.
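The rules above are shown one at a time. The following script, added here as an example and not part of the original guide, assembles them into a complete forwarding ruleset and supplies the pieces the text leaves implicit: a deny-by-default FORWARD policy, a pass for replies to connections already allowed, the FORWARD ACCEPT that the DNATed HTTP traffic needs under that policy, and enabling IP forwarding. The interface and addresses (eth0, 192.168.1.0/24, 10.0.4.2) are the values used in the text; the DRY_RUN variable and the run helper are assumptions of this example, there so the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the guide): a complete forwarding ruleset built from
# the rules discussed in the text. Run as root:
#     sh firewall.sh eth0 192.168.1.0/24 10.0.4.2
# Set DRY_RUN=1 to print the commands instead of executing them.

# run COMMAND...: execute, or only print when DRY_RUN is set (assumed helper).
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_rules WAN_IF LAN_NET DMZ_HOST
build_rules() {
    wan_if=$1      # Internet-facing device, e.g. eth0
    lan_net=$2     # internal range, e.g. 192.168.1.0/24
    dmz_host=$3    # dedicated HTTP server in the DMZ, e.g. 10.0.4.2

    # Start from empty chains and the recommended deny-by-default FORWARD
    # policy; anti-spoofing then only has to cover the LAN's own range.
    run iptables -F FORWARD
    run iptables -t nat -F PREROUTING
    run iptables -P FORWARD DROP

    # Replies to connections that were already allowed through.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: nothing arriving from the Internet may claim a LAN source.
    # Ordered before every ACCEPT so a spoofed packet never reaches them.
    run iptables -A FORWARD -i "$wan_if" -s "$lan_net" -j DROP

    # NetBIOS/SMB (ports 137-139) is never forwarded; the text drops by
    # source port, the destination-port rules cover the other direction.
    for proto in tcp udp; do
        run iptables -A FORWARD -p "$proto" --sport 137:139 -j DROP
        run iptables -A FORWARD -p "$proto" --dport 137:139 -j DROP
    done

    # Send inbound HTTP to the DMZ server. DNAT only rewrites the destination;
    # with a DROP policy the rewritten packet still needs a FORWARD ACCEPT.
    run iptables -t nat -A PREROUTING -i "$wan_if" -p tcp --dport 80 \
        -j DNAT --to-destination "$dmz_host:80"
    run iptables -A FORWARD -i "$wan_if" -p tcp -d "$dmz_host" --dport 80 \
        -m state --state NEW -j ACCEPT

    # LAN clients may open outbound connections towards the Internet.
    run iptables -A FORWARD -s "$lan_net" -o "$wan_if" -j ACCEPT

    # The kernel must actually route between the interfaces.
    run sysctl -w net.ipv4.ip_forward=1
}

# Only act when invoked with the three arguments shown at the top.
if [ $# -eq 3 ]; then
    build_rules "$@"
fi
```

The rule order matters: the anti-spoofing DROP is appended before the DMZ and LAN ACCEPT rules, so a packet from the Internet carrying a 192.168.1.x source is discarded before either ACCEPT can match it. `--to-destination` is the full spelling of the `--to` abbreviation used in the text.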
7.2. ip6tables
The next-generation Internet Protocol, IPv6, expands beyond the 32-bit address limit of IPv4 (or IP). IPv6 supports 128-bit addresses, so IPv6-aware carrier networks can address a far larger number of routable hosts than IPv4.
Red Hat Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and the ip6tables command. The first step in using ip6tables is to start the IP6Tables service. This can be done with the command:
service ip6tables start
Warning
The IPChains and IPTables services must be turned off to use the IP6Tables service, using the following commands:
service ipchains stop
service iptables stop
To make IP6Tables start by default whenever the system is booted, you must change the runlevel status of the service using chkconfig.
chkconfig --level 345 ip6tables on