72


Chapter 7. Firewalls


iptables  A FORWARD  p tcp   sport 137:139  j DROP


iptables  A FORWARD  p udp   sport 137:139  j DROP


To take the restrictions a step further, you can block all outside connections that attempt to spoof


private IP address ranges to infiltrate your LAN. If a LAN uses the 192.168.1.0/24 range, a rule can


set the Internet facing network device (for example, eth0) to drop any packets to that device with an


address in your LAN IP range. Because it is recommended to reject forwarded packets as a default


policy, any other spoofed IP address will be rejected automatically.


iptables  A FORWARD  p tcp  s 192.168.1.0/24  i eth0  j DROP


iptables  A FORWARD  p udp  s 192.168.1.0/24  i eth0  j DROP


Rules can also be set to route traffic to certain machines, such as a dedicated HTTP or FTP server,


preferably one that is isolated from the internal network on a DMZ. To set a rule for routing all


incoming HTTP requests to a dedicated HTTP server at IP address 10.0.4.2 and port 80 (outside of


the 192.168.1.0/24 range of the LAN), network address translation (NAT) calls a


PREROUTING


table


to forward the packets to the proper destination ( the


\


denotes a continuation of a one line command):


iptables  t nat  A PREROUTING  i eth0  p tcp   dport 80 \


 j DNAT   to 10.0.4.2:80


With this command, all HTTP connections to port 80 from the outside of the LAN will be routed to


the HTTP server on a separate network from the rest of the internal network. This form of network


segmentation can prove safer than allowing HTTP connections to a machine on the network.


7.2.


ip6tables


The introduction of the next generation Internet Protocol, called IPv6, expands beyond the 32 bit


address limit of IPv4 (or IP). IPv6 supports 128 bit addresses and, as such, carrier networks that are


IPv6 aware are able to address a larger number of routable addresses than IPv4.


Red Hat Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and the


ip6tables


com 


mand. The first step in using


ip6tables


is to start the IP6Tables service. This can be done with the


command:


service ip6tables start


Warning


The IPChains and IPTables services must be turned off to use the IP6Tables service using the fol 


lowing commands:


service ipchains stop


service iptables stop


To make IP6Tables start by default whenever the system is booted, you must change runlevel status


on the service using


chkconfig


.


chkconfig   level 345 ip6tables on








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      web hosting comparison

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved