Chapter 43. Securing Your Network
704
[root@myServer ~ ] # iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
This allows users to browse websites that communicate using the standard port 80. To allow access
to secure websites (for example, https://www.example.com/), you also need to provide access to port
443, as follows:
[root@myServer ~ ] # iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Important
When creating an
iptables
ruleset, order is important.
If a rule specifies that any packets from the 192.168.100.0/24 subnet be dropped, and this
is followed by a rule that allows packets from 192.168.100.13 (which is within the dropped
subnet), then the second rule is ignored.
The rule to allow packets from 192.168.100.13 must precede the rule that drops the
remainder of the subnet.
To insert a rule in a specific location in an existing chain, use the
-I
option. For example:
[root@myServer ~ ] # iptables -I INPUT 1 -i lo -p all -j ACCEPT
This rule is inserted as the first rule in the INPUT chain to allow local loopback device
traffic.
There may be times when you require remote access to the LAN. Secure services, for example SSH,
can be used for encrypted remote connection to LAN services.
Administrators with PPP-based resources (such as modem banks or bulk ISP accounts), dial-up
access can be used to securely circumvent firewall barriers. Because they are direct connections,
modem connections are typically behind a firewall/gateway.
For remote users with broadband connections, however, special cases can be made. You can
configure
iptables
to accept connections from remote SSH clients. For example, the following rules
allow remote SSH access:
[root@myServer ~ ] # iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@myServer ~ ] # iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
These rules allow incoming and outbound access for an individual system, such as a single PC
directly connected to the Internet or a firewall/gateway. However, they do not allow nodes behind
the firewall/gateway to access these services. To allow LAN access to these services, you can use
Network Address Translation
(NAT) with
iptables
filtering rules.
43.8.5.
FORWARD
and NAT Rules
Most ISPs provide only a limited number of publicly routable IP addresses to the organizations they
serve.
Содержание ENTERPRISE LINUX 5 - VIRTUAL SERVER ADMINISTRATION
Страница 22: ...xxii ...
Страница 28: ......
Страница 36: ...10 ...
Страница 40: ...14 ...
Страница 96: ...70 ...
Страница 116: ...90 ...
Страница 144: ...118 ...
Страница 146: ......
Страница 158: ...132 ...
Страница 165: ...Installing and Removing Packages 139 Figure 11 7 Installing and removing packages simultaneously ...
Страница 166: ...140 ...
Страница 172: ...146 ...
Страница 178: ......
Страница 228: ...202 ...
Страница 264: ...238 ...
Страница 318: ...292 ...
Страница 330: ...304 ...
Страница 388: ...362 ...
Страница 428: ...402 ...
Страница 452: ......
Страница 458: ...432 ...
Страница 476: ...450 ...
Страница 478: ...452 ...
Страница 494: ...468 ...
Страница 498: ...472 ...
Страница 530: ...504 ...
Страница 536: ...510 ...
Страница 544: ...Chapter 36 Log Files 518 Figure 36 7 Log file contents after five seconds ...
Страница 546: ......
Страница 550: ...524 ...
Страница 576: ......
Страница 584: ...558 ...
Страница 608: ......
Страница 776: ...750 ...
Страница 796: ...770 ...
Страница 800: ...774 ...
Страница 804: ......
Страница 806: ...780 ...
Страница 808: ...782 ...
Страница 816: ...790 ...
Страница 820: ...794 ...
Страница 822: ...796 ...
Страница 830: ...804 ...
Страница 836: ...810 ...
Страница 844: ...818 ...
Страница 848: ...822 ...